#1 (permalink)
Registered User
Join Date: Mar 2009
Posts: 6
OS: xp sp2
Totally troubled "Security Tool" Malware. Logs Attached
Hello, my system is affected by the "Security Tool" malware, which prevents installation of anti-malware software such as Malwarebytes Anti-Malware.
It has created a random directory in All Users\Application Data and further prevents running any software. I can run in safe mode and delete that directory, but it comes up again. Can't install MBAM, still in safe mode. In fact MalwareBytes installs perfectly, but then when I load it up, a dialog box appears (entitled "Setup"): Unable to execute file.. (directories) CreateProcess failed; code 2. The system cannot find the file specified (the file specified being "mbam.exe"). I have tried renaming the setup, to no avail. I am running Windows XP. I am attaching logs from DDS and GMER.
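As an added illustration (not from the original post, and not part of DDS, GMER or Malwarebytes), the following Python triages DDS-style autostart lines for the traces the symptoms above point to: a loader DLL with a pseudo-random name, a program living in its own folder under All Users\Application Data, and hooks in AppInit_DLLs, LSA Notification Packages and shell/Winlogon entries. The sample report, its names, path and CLSID are constructed; the naming heuristic and the Windows XP defaults it compares against are assumptions noted in the code.

```python
"""Heuristic triage of DDS 'Pseudo HJT Report' autostart lines.

Assumptions (not stated in the forum post): on a clean Windows XP install
AppInit_DLLs is empty and LSA "Notification Packages" holds only scecli,
and eight-letter consonant/vowel-alternating file names are a naming style
seen in machine-generated malware components.  Every match is a lead for
an analyst to verify, not a verdict.
"""
import re
from typing import List, Tuple

# Constructed sample in DDS format; the names, path and CLSID are made up.
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [qovelaru] Rundll32.exe "c:\windows\system32\qovelaru.dll",a
mRun: [48217399] c:\docume~1\alluse~1\applic~1\48217399\48217399.exe
AppInit_DLLs: c:\windows\system32\bexotaxu.dll nopizewa.dll
SSODL: lomefupa - {a1b2c3d4-0000-1111-2222-333344445555} - c:\windows\system32\bexotaxu.dll
Notify: igfxcui - igfxsrvc.dll
LSA: Notification Packages = scecli wijomuko.dll
"""

# Four consonant/vowel pairs: "qovelaru" matches, "igfxtray" does not.
PSEUDO_RANDOM = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$")
# Basename (no path separators) of every .dll referenced on a line.
DLL_REF = re.compile(r"([a-z0-9_~.]+)\.dll", re.IGNORECASE)
RUN_LINE = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# <All Users>\Application Data\<dir>\<exe>.exe in long or 8.3 form.
ALL_USERS_APPDATA = re.compile(
    r"(?:alluse~1\\applic~1|all users\\application data)"
    r"\\(?P<dir>[^\\]+)\\(?P<exe>[^\\]+)\.exe", re.IGNORECASE)

Finding = Tuple[str, str]  # (reason, offending line)


def looks_random(stem: str) -> bool:
    """True for eight-letter consonant/vowel-alternating names."""
    return PSEUDO_RANDOM.match(stem.lower()) is not None


def triage_line(line: str) -> List[Finding]:
    """Apply the heuristics to one DDS line; an empty list means nothing odd."""
    line = line.strip()
    out: List[Finding] = []
    run = RUN_LINE.match(line)
    if run:
        cmd = run.group("cmd")
        # rundll32 is a normal host process; the loaded DLL's name is the tell.
        if "rundll32" in cmd.lower() and any(looks_random(s) for s in DLL_REF.findall(cmd)):
            out.append(("rundll32 loading pseudo-random DLL", line))
        # Rogue AV of this kind drops <dir>\<dir>.exe under All Users\Application Data.
        au = ALL_USERS_APPDATA.search(cmd)
        if au and au.group("dir").lower() == au.group("exe").lower():
            out.append(("program launched from its own folder under All Users\\Application Data", line))
    elif line.startswith("AppInit_DLLs:"):
        # Any value here is injected into every process that loads user32.dll.
        if line[len("AppInit_DLLs:"):].strip():
            out.append(("AppInit_DLLs populated", line))
    elif line.startswith("LSA: Notification Packages ="):
        packages = line.split("=", 1)[1].split()
        if any(p.lower() != "scecli" for p in packages):
            out.append(("extra LSA notification package", line))
    elif line.startswith(("SSODL:", "STS:", "Notify:")):
        if any(looks_random(s) for s in DLL_REF.findall(line)):
            out.append(("shell/winlogon hook backed by pseudo-random DLL", line))
    return out


def triage(report: str) -> List[Finding]:
    """Run triage_line over every line of a DDS report, in order."""
    findings: List[Finding] = []
    for raw in report.splitlines():
        findings.extend(triage_line(raw))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_DDS):
        print(f"[{reason}] {line}")
```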
#2 (permalink)
Visiting Teacher/Analyst, Security Team
Join Date: Jun 2008
Location: Finland
Posts: 763
OS: Win XP, Vista 32-bit, Win7 64-bit
Re: Totally troubled "Security Tool" Malware. Logs Attached
Hi,
You didn't mention that you've tried to run ComboFix. Please post its report if any was generated.

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up; press any key to close once the fix is completed.
Post the contents of log.txt (it will be created in the directory where you ran exeHelper.com).
Note: If the window shows a message that says Error deleting file, please re-run the program before posting a log, and post the two logs together (they will both be in the one file).
__________________
Microsoft MVP Consumer Security 2008 2009 ASAP & UNITE member since 2006
#3 (permalink)
Registered User
Join Date: Mar 2009
Posts: 6
OS: xp sp2
Re: Totally troubled "Security Tool" Malware. Logs Attached
Thanks for getting back. In the meantime, I did a couple more things. For one, I messed with the registry so that MBAM is not deleted when it's installed. Deleted the random folders in All Users\, then installed MBAM successfully. Ran MBAM a couple of times, with updates, and it did find many trojans and deleted them. Ran ComboFix a couple of times to delete some random DLLs. Finally, installed Sophos Antivirus (that's what my university gives for free) to see that there are no viruses. The system seems to run fine, but I'm still a little fearful about it coming back, given the nature of the virus.
Attaching the final ComboFix log. Do you still think I should be running exeHelper?
#4
Visiting Teacher/Analyst, Security Team
Join Date: Jun 2008
Location: Finland
Posts: 763
OS: Win XP, Vista 32-bit, Win7 64-bit
Re: Totally troubled "Security Tool" Malware . Logs Attached
Hi,
Looks like exehelper is not needed anymore. Post mbam report of your earlier run & a fresh dds log, please.
__________________
Microsoft MVP Consumer Security 2008 2009 ASAP & UNITE member since 2006
#5
Registered User
Join Date: Mar 2009
Posts: 6
OS: xp sp2
Re: Totally troubled "Security Tool" Malware . Logs Attached
Thanks,
Posting fresh MBAM logs after update, and DDS log. Also attached: Attach.txt
PS1: Just today Sophos Anti-Virus gave a trojan warning on c:\windows\system32\husenafe.dll but was unable to clean it up.
PS2: Thanks for helping out :)

===================================================
Malwarebytes' Anti-Malware 1.41
Database version: 2973
Windows 5.1.2600 Service Pack 2

10/17/2009 2:29:27 AM
mbam-log-2009-10-17 (02-29-27).txt

Scan type: Quick Scan
Objects scanned: 115881
Time elapsed: 6 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

======================================================
DDS LOGS

DDS (Ver_09-10-13.01) - NTFSx86
Run by std at 2:00:46.81 on Sat 10/17/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.481 [GMT -7:00]

AV: Sophos Anti-Virus *On-access scanning enabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\std\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe C:\Documents and Settings\std\Desktop\dds.scr ============== Pseudo HJT Report =============== uDefault_Search_URL = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll TB: FlashGet: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\program files\flashget\fgiebar.dll TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File 
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sophos~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm IE: &WordWeb... - c:\windows\system32\wweb32.dll/lookup.html IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000 IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoo!\messen~1\YPager.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - 
c:\progra~1\micros~2\office12\REFIEBAR.DLL IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204 DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL Notify: igfxcui - igfxsrvc.dll Notify: QConGina - QConGina.dll Notify: tphotkey - tphklock.dll AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\std\applic~1\mozilla\firefox\profiles\ag98sk9c.default\ FF - prefs.js: browser.startup.homepage - www.gmail.com FF - plugin: c:\documents and settings\std\application data\move networks\plugins\npqmp071500000347.dll FF - plugin: c:\documents and settings\std\application data\mozilla\plugins\npgoogletalk.dll FF - plugin: c:\documents and settings\std\local settings\application data\google\update\1.2.183.8\npGoogleOneClick8.dll FF - plugin: c:\program files\google\picasa3\npPicasa3.dll FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - 
c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} ============= SERVICES / DRIVERS =============== R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2005-12-16 59776] R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [2005-12-16 14208] R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2005-12-16 11520] R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2005-12-16 2432] R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2009-10-12 110848] R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2009-10-12 38528] R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2005-12-16 4608] R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2005-12-16 4442] R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-4-27 63616] R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2009-10-12 80936] R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2009-10-12 98304] R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [2005-12-16 6016] R3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [1980-1-1 14336] S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2005-12-16 12288] 
=============== Created Last 30 ================ 2009-10-15 13:25 54,156 a---h--- c:\windows\QTFont.qfn 2009-10-15 13:25 1,409 a------- c:\windows\QTFont.for 2009-10-12 13:38 130,104 a------- c:\windows\system32\sdccoinstaller.dll 2009-10-12 13:37 <DIR> --d----- c:\program files\common files\Cisco Systems 2009-10-12 13:37 23,552 a------- c:\windows\system32\sophosboottasks.exe 2009-10-12 13:18 110,848 a------- c:\windows\system32\drivers\savonaccesscontrol.sys 2009-10-12 13:18 38,528 a------- c:\windows\system32\drivers\savonaccessfilter.sys 2009-10-12 13:18 <DIR> --d----- c:\program files\Sophos 2009-10-12 13:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sophos 2009-10-12 12:31 <DIR> --d----- C:\ComboFix 2009-10-11 22:32 33,280 a------- c:\windows\system32\rundll32.exe 2009-10-11 11:12 2,148 a------- c:\windows\system32\wpa.dbl 2009-10-11 11:12 <DIR> --d----- c:\windows\system32\1033 2009-10-10 00:15 388,608 a------- c:\windows\system32\cmd.exe 2009-10-09 22:52 <DIR> --d----- C:\savw_9_sa 2009-10-09 22:37 <DIR> --d----- C:\test 2009-10-09 10:11 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys 2009-10-09 10:11 19,160 a------- c:\windows\system32\drivers\mbam.sys 2009-10-09 10:11 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware 2009-10-08 20:51 <DIR> a-dshr-- C:\cmdcons 2009-10-08 20:47 236,544 a------- c:\windows\PEV.exe 2009-10-08 20:47 161,792 a------- c:\windows\SWREG.exe 2009-10-08 20:47 98,816 a------- c:\windows\sed.exe 2009-10-08 20:03 <DIR> --d----- C:\e3fceb7a0f1ba67864346cd4 2009-10-04 15:57 <DIR> --d----- c:\docume~1\std\applic~1\GARMIN 2009-10-04 15:56 <DIR> --d----- c:\program files\Garmin GPS Plugin 2009-10-04 15:56 18,432 a------- c:\windows\system32\drivers\grmngen.sys 2009-10-04 15:56 8,320 a------- c:\windows\system32\drivers\grmnusb.sys 2009-10-04 15:56 <DIR> --d----- c:\program files\Garmin 2009-10-01 17:56 67,804 a---h--- c:\windows\system32\mlfcache.dat ==================== Find3M ==================== 2009-08-21 02:46 
450,560 -------- c:\windows\system32\dllcache\jscript.dll 2009-08-05 02:11 204,800 a------- c:\windows\system32\mswebdvd.dll 2009-08-05 02:11 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll 2009-07-28 21:53 119,808 a------- c:\windows\system32\t2embed.dll 2009-07-28 21:53 82,432 a------- c:\windows\system32\fontsub.dll 2009-07-28 21:53 119,808 -------- c:\windows\system32\dllcache\t2embed.dll 2009-07-28 21:53 82,432 -------- c:\windows\system32\dllcache\fontsub.dll 2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll 2008-08-18 09:07 0 ac------ c:\program files\New Text Document.txt 2006-02-27 00:47 56 -c-shr-- c:\windows\system32\56DF61AA7A.sys 2009-07-09 08:28 50,688 a--sh--- c:\windows\system32\husenafe.dll 2006-02-27 00:47 1,682 ac-sh--- c:\windows\system32\KGyGaAvL.sys ============= FINISH: 2:01:43.65 =============== Last edited by nikux; 10-17-2009 at 03:32 AM. |
#6
Visiting Teacher/Analyst, Security Team
Join Date: Jun 2008
Location: Finland
Posts: 763
OS: Win XP, Vista 32-bit, Win7 64-bit
Re: Totally troubled "Security Tool" Malware . Logs Attached
Hi,
Open Notepad and copy/paste the text in the quotebox below into it:
File::
c:\windows\system32\husenafe.dll
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
DDS::
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Is Adobe Acrobat in heavy use or do you use it only for converting documents to PDFs?

Uninstall old Adobe Reader versions and get the latest one (9.2) here or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check free readers introduced here.

Uninstall your current Adobe Shockwave Player and get the fresh one here if needed.

Check here to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following the instructions here. A fresh version can be obtained here.

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.

Post back its report, a fresh dds.txt log and the above mentioned ComboFix resultant log.
__________________
Microsoft MVP Consumer Security 2008 2009 ASAP & UNITE member since 2006
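Added illustration for readers of this thread (it is not part of the analyst's reply, nor code from DDS, ComboFix or MBAM): the entries that the CFScript above acts on, and the ones visible in the earlier DDS logs, are the kind of indicators an analyst picks out of such a report by hand. The Python below does that mechanically over a small constructed sample of log lines in the same shape as the ones quoted in this thread. It flags a Security Center AntiVirusOverride value, a disabled firewall profile, globally open firewall ports, toolbar entries with no backing file, and hidden+system files under system32. Every flag is a review candidate rather than a verdict; the two old .sys files with hidden+system attributes in the Find3M section, for instance, were not included in the analyst's script, and the example would flag them for a look too.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample (not a real log): a few lines in the shape of the DDS and
# ComboFix output quoted in this thread. Attribute column letters: a=archive,
# c=compressed, d=directory, s=system, h=hidden, r=read-only.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: FlashGet: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\program files\flashget\fgiebar.dll
2009-07-28 21:53 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-09 08:28 50,688 a--sh--- c:\windows\system32\husenafe.dll
2006-02-27 00:47 1,682 ac-sh--- c:\windows\system32\KGyGaAvL.sys
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                 # [HKLM\...] section header
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')      # "Name"=value
ORPHAN_TB_RE = re.compile(r"^TB: .*- No File$")    # toolbar CLSID, DLL missing
PORT_RE = re.compile(r"^\d+:(tcp|udp)$")           # firewall port entry name
FILE_RE = re.compile(                              # date time size attrs path
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:[\d,]+|<DIR>)\s+([a-z-]{8})\s+(.+)$"
)


@dataclass
class Finding:
    kind: str    # short category label
    detail: str  # why it deserves a look
    line: str    # the log line that triggered it


def reg_value_is_nonzero(value: str) -> bool:
    """Interpret the two value formats DDS prints: 'dword:00000001' or '0 (0x0)'."""
    m = re.search(r"dword:([0-9a-fA-F]+)", value)
    if m:
        return int(m.group(1), 16) != 0
    m = re.match(r"\s*(\d+)", value)
    return bool(m) and int(m.group(1)) != 0


def parse_findings(text: str) -> List[Finding]:
    """Walk a DDS/ComboFix-style report and return review candidates in log order."""
    findings: List[Finding] = []
    current_key = ""  # registry key that the following "Name"=value lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2)
            lname = name.lower()
            if lname == "antivirusoverride" and "security center" in current_key:
                if reg_value_is_nonzero(value):
                    findings.append(Finding("security-center-override",
                        "Security Center told to ignore AV status; rogue AV commonly sets this, reset to 0", line))
            elif lname == "enablefirewall" and "firewallpolicy" in current_key:
                if not reg_value_is_nonzero(value):
                    findings.append(Finding("firewall-disabled",
                        "Windows Firewall profile is off; re-enable once the machine is clean", line))
            elif "globallyopenports" in current_key and PORT_RE.match(lname):
                findings.append(Finding("open-port",
                    f"{name} is open in the firewall profile; confirm it is intentional (3389 is Remote Desktop)", line))
            continue
        if ORPHAN_TB_RE.match(line):
            findings.append(Finding("orphan-toolbar",
                "toolbar CLSID registered but its file is gone; leftover entry, safe to remove", line))
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.group(1), m.group(2)
            # hidden+system under system32 is how the DLL Sophos flagged in this thread showed up
            if "s" in attrs and "h" in attrs and "\\system32\\" in path.lower():
                findings.append(Finding("hidden-system-file",
                    "hidden+system file in system32; confirm the publisher before trusting it", line))
    return findings


def report(text: str) -> str:
    """Render findings one per line for the stand-alone run."""
    return "\n".join(f"[{f.kind}] {f.line}\n    {f.detail}" for f in parse_findings(text))


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The parser keys off the section header above each registry value, so an AntiVirusOverride value under some other key is ignored, and the attribute check looks at the eight-character flag column rather than the file name, which is the honest signal here: a random name like the one in this thread is easy for a human to spot, but the attribute combination is what a script can check consistently.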
#7
Registered User
Join Date: Mar 2009
Posts: 6
OS: xp sp2
Re: Totally troubled "Security Tool" Malware . Logs Attached
Check List
1*. Ran ComboFix. Logs attached.
2. I use Adobe Acrobat to create and edit PDF files, should I delete it?
3. Removed Adobe Reader and installed Foxit w/o toolbar
4. Removed Shockwave
5. Removed Flash, and fresh installed latest version
6. Ran ATF Cleaner
7*. Ran Kaspersky (Log attached)
8*. Ran DDS (Log attached).

=======================================================
COMBOFIX LOG
----------------
ComboFix 09-10-16.09 - std 10/17/2009 23:04.6.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.526 [GMT -7:00]
Running from: c:\documents and settings\std\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\std\Desktop\CFScript.txt
AV: Sophos Anti-Virus *On-access scanning enabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

FILE ::
"c:\windows\system32\husenafe.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\husenafe.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-18 to 2009-10-18 )))))))))))))))))))))))))))))))
.

2009-10-12 20:38 . 2009-10-12 20:30 130104 ----a-w- c:\windows\system32\sdccoinstaller.dll
2009-10-12 20:37 . 2009-10-12 20:37 -------- d-----w- c:\program files\Common Files\Cisco Systems
2009-10-12 20:37 . 2009-10-12 20:30 23552 ----a-w- c:\windows\system32\sophosboottasks.exe
2009-10-12 20:23 . 2009-10-12 20:23 -------- d-----w- c:\documents and settings\std\Local Settings\Application Data\Sophos
2009-10-12 20:18 . 2009-10-12 20:31 38528 ----a-w- c:\windows\system32\drivers\savonaccessfilter.sys
2009-10-12 20:18 . 2009-10-12 20:30 110848 ----a-w- c:\windows\system32\drivers\savonaccesscontrol.sys
2009-10-12 20:18 . 2009-10-12 20:20 -------- d-----w- c:\program files\Sophos
2009-10-12 20:18 . 2009-10-12 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Sophos
2009-10-12 05:32 . 2009-10-12 05:17 33280 ----a-w- c:\windows\system32\rundll32.exe
2009-10-11 18:12 .
2009-10-11 18:12 -------- d-----w- c:\windows\system32\1033 2009-10-10 07:15 . 2004-08-04 13:00 388608 ----a-w- c:\windows\system32\cmd.exe 2009-10-10 05:52 . 2009-10-10 05:52 -------- d-----w- C:\savw_9_sa 2009-10-10 05:37 . 2009-10-12 05:43 -------- d-----w- C:\test 2009-10-09 17:11 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-10-09 17:11 . 2009-10-09 17:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-10-09 17:11 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-10-09 04:02 . 2009-10-09 04:02 -------- d-----w- c:\program files\Alwil Software 2009-10-09 03:03 . 2009-10-09 03:03 -------- d-----w- C:\e3fceb7a0f1ba67864346cd4 2009-10-06 07:16 . 2009-10-06 21:25 -------- d-----w- c:\documents and settings\Downloads\Garmin City Navigator North America (2010) Unlocked 2009-10-04 22:57 . 2009-10-04 22:57 -------- d-----w- c:\documents and settings\std\Application Data\GARMIN 2009-10-04 22:56 . 2009-10-04 22:56 -------- d-----w- c:\program files\Garmin GPS Plugin 2009-10-04 22:56 . 2009-10-04 22:56 -------- d-----w- c:\program files\DIFX 2009-10-04 22:56 . 2007-03-08 23:18 8320 ----a-w- c:\windows\system32\drivers\grmnusb.sys 2009-10-04 22:56 . 2007-03-08 23:18 18432 ----a-w- c:\windows\system32\drivers\grmngen.sys 2009-10-04 22:56 . 2009-10-04 22:56 -------- d-----w- c:\program files\Garmin 2009-10-02 00:56 . 2009-10-02 00:56 67804 ---ha-w- c:\windows\system32\mlfcache.dat 2009-09-23 06:57 . 2009-09-23 06:57 19506176 ----a-w- c:\documents and settings\Downloads\IE8xp32.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-10-18 06:14 . 2006-03-24 03:47 -------- d-----w- c:\documents and settings\std\Application Data\Skype 2009-10-18 05:54 . 2009-01-05 07:35 -------- d-----w- c:\documents and settings\std\Application Data\skypePM 2009-10-17 15:23 . 
2009-02-06 10:18 -------- d-----w- c:\documents and settings\std\Application Data\HPAppData 2009-10-14 04:49 . 2007-03-05 06:20 -------- d-----w- c:\program files\FlashGet 2009-10-14 04:44 . 2006-01-15 07:39 97136 -c--a-w- c:\documents and settings\std\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-10-09 17:35 . 2008-06-19 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8 2009-10-06 21:13 . 2006-01-03 17:07 -------- d-----w- c:\documents and settings\std\Application Data\uTorrent 2009-10-06 07:26 . 2007-02-10 22:19 -------- d-----w- c:\program files\AP Tuner 2009-10-06 07:25 . 2005-12-16 16:06 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-09-27 06:26 . 2006-01-30 04:37 -------- d-----w- c:\program files\Java 2009-09-24 19:19 . 2009-09-14 01:56 -------- d-----w- c:\documents and settings\Guest\Application Data\HPAppData 2009-09-13 03:18 . 2006-05-17 05:59 -------- d-----w- c:\documents and settings\std\Application Data\WinEdt 2009-09-12 04:13 . 2009-01-05 07:35 -------- d-----r- c:\program files\Skype 2009-09-12 04:13 . 2009-09-12 04:13 -------- d-----w- c:\program files\Common Files\Skype 2009-09-12 04:12 . 2006-03-24 03:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype 2009-09-06 17:24 . 2009-09-06 17:24 90800616 ----a-w- c:\documents and settings\Downloads\lr_mac.zip 2009-08-30 23:38 . 2008-05-22 23:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help 2009-08-05 09:11 . 1980-01-01 08:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll 2009-07-29 04:53 . 1980-01-01 08:00 82432 ----a-w- c:\windows\system32\fontsub.dll 2009-07-29 04:53 . 1980-01-01 08:00 119808 ----a-w- c:\windows\system32\t2embed.dll 2009-07-25 12:23 . 2009-01-05 03:01 411368 ----a-w- c:\windows\system32\deploytk.dll 2008-08-18 16:07 . 2008-08-18 16:07 0 -c--a-w- c:\program files\New Text Document.txt 2006-02-27 07:47 . 
2006-02-27 07:43 56 -csh--r- c:\windows\system32\56DF61AA7A.sys 2006-02-27 07:47 . 2006-02-27 07:43 1682 -csha-w- c:\windows\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((( SnapShot@2009-10-09_07.19.42 ))))))))))))))))))))))))))))))))))))))))) . + 2009-10-18 06:22 . 2009-10-12 20:33 73728 c:\windows\temp\sophos_autoupdate1.dir\xmltok.dll + 2009-10-18 06:22 . 2009-10-12 20:33 57344 c:\windows\temp\sophos_autoupdate1.dir\xmlparse.dll + 2009-10-18 06:22 . 2009-10-12 20:33 14336 c:\windows\temp\sophos_autoupdate1.dir\xmlcpp.dll + 2009-10-18 06:22 . 2009-10-12 20:33 18432 c:\windows\temp\sophos_autoupdate1.dir\SharedRes.dll + 2009-10-18 06:22 . 2009-10-12 20:33 20480 c:\windows\temp\sophos_autoupdate1.dir\crypto.dll + 2009-10-18 06:22 . 2009-10-12 20:33 45056 c:\windows\temp\sophos_autoupdate1.dir\boost_date_time-vc71-mt-1_32.dll + 2009-10-11 06:27 . 2009-10-11 06:27 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat + 2005-12-28 21:23 . 2009-10-11 06:27 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat - 2005-12-28 21:23 . 2005-12-28 21:26 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat + 2009-10-12 20:20 . 2009-10-12 20:40 65536 c:\windows\Installer\{15C418EB-7675-42be-B2B3-281952DA014D}\ARPPRODUCTICON.exe + 2009-10-12 20:38 . 2009-10-12 20:38 25214 c:\windows\Installer\{034759DA-E21A-4795-BFB3-C66D17FAD183}\MainGUIShortcut.exe + 2009-10-12 20:38 . 2009-10-12 20:38 25214 c:\windows\Installer\{034759DA-E21A-4795-BFB3-C66D17FAD183}\ARPPRODUCTICON.exe + 2009-10-18 06:22 . 2009-10-12 20:33 2970 c:\windows\temp\sophos_autoupdate1.dir\scf.dat + 2009-10-18 06:22 . 2009-10-12 20:33 208896 c:\windows\temp\sophos_autoupdate1.dir\retailer.dll + 2009-10-18 06:22 . 2004-03-18 02:06 348160 c:\windows\temp\sophos_autoupdate1.dir\MSVCR71.DLL + 2009-10-18 06:22 . 
2004-03-18 02:06 499712 c:\windows\temp\sophos_autoupdate1.dir\MSVCP71.DLL + 2009-10-18 06:22 . 2009-10-12 20:33 745472 c:\windows\temp\sophos_autoupdate1.dir\libeay32.dll + 2009-10-18 06:22 . 2009-09-04 19:22 162856 c:\windows\temp\sophos_autoupdate1.dir\libcurl.dll + 2009-10-18 06:22 . 2009-10-12 20:33 176128 c:\windows\temp\sophos_autoupdate1.dir\CidSync.dll + 2009-10-18 06:22 . 2009-10-12 20:33 172032 c:\windows\temp\sophos_autoupdate1.dir\ChannelUpdater.dll + 2009-10-18 06:22 . 2009-10-12 20:33 663552 c:\windows\temp\sophos_autoupdate1.dir\ALUpdate.exe + 2004-08-09 18:45 . 2009-10-13 05:59 321928 c:\windows\system32\FNTCACHE.DAT - 2004-08-09 18:45 . 2009-09-17 06:25 321928 c:\windows\system32\FNTCACHE.DAT + 2009-10-14 16:09 . 2009-10-14 16:09 288768 c:\windows\Installer\26ae4c8.msi + 2009-10-12 20:40 . 2009-10-12 20:40 1295360 c:\windows\Installer\2779f1.msi + 2009-10-12 20:38 . 2009-10-12 20:38 1728512 c:\windows\Installer\2779a0.msi . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal] @="{C5994560-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}] 2008-01-17 01:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified] @="{C5994561-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}] 2008-01-17 01:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict] @="{C5994562-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}] 2008-01-17 01:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked] @="{C5994563-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}] 2008-01-17 01:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly] @="{C5994564-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}] 2008-01-17 01:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted] @="{C5994565-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}] 2008-01-17 01:52 80384 ----a-w- c:\program files\Common 
Files\TortoiseOverlays\TortoiseOverlays.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded] @="{C5994566-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}] 2008-01-17 01:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored] @="{C5994567-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}] 2008-01-17 01:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned] @="{C5994568-53D9-4125-87C9-F193FC689CB2}" [HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}] 2008-01-17 01:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll c:\documents and settings\All Users\Start Menu\Programs\Startup\ AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-10-12 245760] Sophos AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-10-12 245760] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina] 2005-03-18 11:07 262144 ----a-w- c:\windows\system32\QConGina.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey] 2004-08-13 04:11 24576 ----a-w- c:\windows\system32\tphklock.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService] @="service" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=c:\windows\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk backup=c:\windows\pss\Monitor Apache Servers.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk backup=c:\windows\pss\VPN Client.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WordWeb.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WordWeb.lnk backup=c:\windows\pss\WordWeb.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^std^Start Menu^Programs^Startup^Adobe Gamma.lnk] path=c:\documents and settings\std\Start Menu\Programs\Startup\Adobe Gamma.lnk 
backup=c:\windows\pss\Adobe Gamma.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^std^Start Menu^Programs^Startup^MagicDisc.lnk] path=c:\documents and settings\std\Start Menu\Programs\Startup\MagicDisc.lnk backup=c:\windows\pss\MagicDisc.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^std^Start Menu^Programs^Startup^Workrave.lnk] path=c:\documents and settings\std\Start Menu\Programs\Startup\Workrave.lnk backup=c:\windows\pss\Workrave.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "Macromedia Licensing Service"=3 (0x3) "IDriverT"=3 (0x3) "IBM Rapid Restore Ultra Service"=2 (0x2) "Avg7UpdSvc"=2 (0x2) "iPodService"=3 (0x3) "wuauserv"=2 (0x2) "stisvc"=2 (0x2) "TpKmpSVC"=2 (0x2) "TPHDEXLGSVC"=2 (0x2) "S24EventMonitor"=2 (0x2) "RegSrvc"=2 (0x2) "QCONSVC"=2 (0x2) "PsaSrv"=3 (0x3) "ose"=3 (0x3) "odserv"=3 (0x3) "JavaQuickStarterService"=2 (0x2) "idsvc"=3 (0x3) "IBMPMSVC"=2 (0x2) "gusvc"=3 (0x3) "EvtEng"=2 (0x2) "avg8wd"=2 (0x2) "avast! Web Scanner"=3 (0x3) "avast! Mail Scanner"=3 (0x3) "avast! 
Antivirus"=2 (0x2) "aswUpdSv"=2 (0x2) "Adobe LM Service"=3 (0x3) [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "c:\\cygwin\\usr\\X11R6\\bin\\XWin.exe"= "c:\\Documents and Settings\\std\\Desktop\\utorrent.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\FlashGet\\flashget.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\MATLAB701\\bin\\win32\\MATLAB.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\ThinkPad\\ConnectUtilities\\QCTRAY.EXE"= "c:\\Program Files\\TortoiseSVN\\bin\\TSVNCache.exe"= "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"= "c:\\Documents and Settings\\std\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"= "c:\\Documents and Settings\\std\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [12/16/2005 9:06 AM 14208] R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [10/12/2009 1:18 PM 110848] R1 
SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [10/12/2009 1:18 PM 38528] R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [4/27/2005 11:27 AM 63616] R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [10/12/2009 1:29 PM 80936] R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [10/12/2009 1:30 PM 98304] R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [12/16/2005 9:06 AM 6016] R3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [1/1/1980 1:00 AM 14336] S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [12/16/2005 9:32 AM 12288] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . Contents of the 'Scheduled Tasks' folder 2009-10-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1126639660-1615347922-3890602794-1005Core.job - c:\documents and settings\std\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 05:34] 2009-10-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1126639660-1615347922-3890602794-1005UA.job - c:\documents and settings\std\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 05:34] 2009-10-09 c:\windows\Tasks\PMTask.job - c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2005-12-16 09:01] . . ------- Supplementary Scan ------- . uDefault_Search_URL = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm IE: &WordWeb... 
- c:\windows\system32\wweb32.dll/lookup.html IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\std\Application Data\Mozilla\Firefox\Profiles\ag98sk9c.default\ FF - prefs.js: browser.startup.homepage - www.gmail.com FF - plugin: c:\documents and settings\std\Application Data\Move Networks\plugins\npqmp071500000347.dll FF - plugin: c:\documents and settings\std\Application Data\Mozilla\plugins\npgoogletalk.dll FF - plugin: c:\documents and settings\std\Local Settings\Application Data\Google\Update\1.2.183.8\npGoogleOneClick8.dll FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: 
{20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-10-17 23:20 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters] "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79, 00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(1368) c:\windows\system32\tphklock.dll - - - - - - - > 'explorer.exe'(2516) c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll c:\program files\TortoiseSVN\bin\TortoiseStub.dll c:\program files\TortoiseSVN\bin\TortoiseSVN.dll c:\program files\TortoiseSVN\bin\intl3_tsvn.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Cisco Systems\VPN Client\cvpnd.exe c:\program files\Sophos\AutoUpdate\ALsvc.exe c:\windows\system32\wdfmgr.exe . ************************************************************************** . 
Completion time: 2009-10-18 23:32 - machine was rebooted ComboFix-quarantined-files.txt 2009-10-18 06:31 ComboFix2.txt 2009-10-12 19:44 ComboFix3.txt 2009-10-12 06:01 ComboFix4.txt 2009-10-12 05:06 ComboFix5.txt 2009-10-18 06:02 Pre-Run: 4,169,728,000 bytes free Post-Run: 4,167,897,088 bytes free 326 --- E O F --- 2009-09-17 08:55 ========================================================= Kaspersky log -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7.0: scan report Sunday, October 18, 2009 Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600) Kaspersky Online Scanner version: 7.0.26.13 Last database update: Sunday, October 18, 2009 15:25:19 Records in database: 3025220 -------------------------------------------------------------------------------- Scan settings: scan using the following database: extended Scan archives: yes Scan e-mail databases: yes Scan area - My Computer: C:\ D:\ E:\ Scan statistics: Objects scanned: 217291 Threats found: 1 Infected objects found: 1 Suspicious objects found: 0 Scan duration: 04:41:38 File name / Threat / Threats count C:\Documents and Settings\std\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-5b28771c Infected: Exploit.Java.Gimsh.b 1 Selected area has been scanned. 
============================================================= DDS Log DDS (Ver_09-10-13.01) - NTFSx86 Run by std at 13:26:49.45 on Sun 10/18/2009 Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_15 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.670 [GMT -7:00] AV: Sophos Anti-Virus *On-access scanning enabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\WINDOWS\system32\svchost.exe -k hpdevmgmt c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe c:\Program Files\Sophos\AutoUpdate\ALsvc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Sophos\AutoUpdate\ALMon.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Documents and Settings\std\Desktop\dds.scr ============== Pseudo HJT Report =============== uDefault_Search_URL = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll BHO: 
Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll TB: FlashGet: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\program files\flashget\fgiebar.dll StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sophos~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm IE: &WordWeb... 
- c:\windows\system32\wweb32.dll/lookup.html IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000 IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoo!\messen~1\YPager.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204 DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - 
hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL Notify: igfxcui - igfxsrvc.dll Notify: QConGina - QConGina.dll Notify: tphotkey - tphklock.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\std\applic~1\mozilla\firefox\profiles\ag98sk9c.default\ FF - prefs.js: browser.startup.homepage - www.gmail.com FF - plugin: c:\documents and settings\std\application data\move networks\plugins\npqmp071500000347.dll FF - plugin: c:\documents and settings\std\application data\mozilla\firefox\profiles\ag98sk9c.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll FF - plugin: c:\documents and settings\std\application data\mozilla\plugins\npgoogletalk.dll FF - plugin: c:\documents and settings\std\local settings\application data\google\update\1.2.183.8\npGoogleOneClick8.dll FF - plugin: c:\program files\google\picasa3\npPicasa3.dll FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: 
No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} ============= SERVICES / DRIVERS =============== R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2005-12-16 59776] R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [2005-12-16 14208] R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2005-12-16 11520] R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2005-12-16 2432] R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2009-10-12 110848] R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2009-10-12 38528] R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2005-12-16 4608] R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2005-12-16 4442] R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-4-27 63616] R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2009-10-12 80936] R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2009-10-12 98304] R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [2005-12-16 6016] R3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [1980-1-1 14336] S2 SAVCleanupService;Sophos Cleanup Service;c:\program files\sophos\sophos anti-virus\SAVCleanupService.exe [2009-10-12 90112] S3 getPlusHelper;getPlus(R) Helper;c:\windows\system32\svchost.exe -k getPlusHelper [1980-1-1 14336] S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2005-12-16 12288] =============== Created Last 30 ================ 
2009-10-18 00:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\McAfee Security Scan 2009-10-17 23:58 <DIR> --d----- c:\docume~1\std\applic~1\Foxit 2009-10-17 23:58 <DIR> --d----- c:\program files\Foxit Software 2009-10-15 13:25 54,156 a---h--- c:\windows\QTFont.qfn 2009-10-15 13:25 1,409 a------- c:\windows\QTFont.for 2009-10-12 13:38 130,104 a------- c:\windows\system32\sdccoinstaller.dll 2009-10-12 13:37 <DIR> --d----- c:\program files\common files\Cisco Systems 2009-10-12 13:37 23,552 a------- c:\windows\system32\sophosboottasks.exe 2009-10-12 13:18 110,848 a------- c:\windows\system32\drivers\savonaccesscontrol.sys 2009-10-12 13:18 38,528 a------- c:\windows\system32\drivers\savonaccessfilter.sys 2009-10-12 13:18 <DIR> --d----- c:\program files\Sophos 2009-10-12 13:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sophos 2009-10-11 22:32 33,280 a------- c:\windows\system32\rundll32.exe 2009-10-11 11:12 2,148 a------- c:\windows\system32\wpa.dbl 2009-10-11 11:12 <DIR> --d----- c:\windows\system32\1033 2009-10-10 00:15 388,608 a------- c:\windows\system32\cmd.exe 2009-10-09 22:52 <DIR> --d----- C:\savw_9_sa 2009-10-09 22:37 <DIR> --d----- C:\test 2009-10-09 10:11 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys 2009-10-09 10:11 19,160 a------- c:\windows\system32\drivers\mbam.sys 2009-10-09 10:11 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware 2009-10-08 20:51 <DIR> a-dshr-- C:\cmdcons 2009-10-08 20:47 236,544 a------- c:\windows\PEV.exe 2009-10-08 20:47 161,792 a------- c:\windows\SWREG.exe 2009-10-08 20:47 98,816 a------- c:\windows\sed.exe 2009-10-08 20:03 <DIR> --d----- C:\e3fceb7a0f1ba67864346cd4 2009-10-04 15:57 <DIR> --d----- c:\docume~1\std\applic~1\GARMIN 2009-10-04 15:56 <DIR> --d----- c:\program files\Garmin GPS Plugin 2009-10-04 15:56 18,432 a------- c:\windows\system32\drivers\grmngen.sys 2009-10-04 15:56 8,320 a------- c:\windows\system32\drivers\grmnusb.sys 2009-10-04 15:56 <DIR> --d----- c:\program files\Garmin 2009-10-01 
17:56 67,804 a---h--- c:\windows\system32\mlfcache.dat ==================== Find3M ==================== 2009-09-24 22:49 668,672 a------- c:\windows\system32\wininet.dll 2009-09-24 22:49 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll 2009-09-24 22:49 668,672 -------- c:\windows\system32\dllcache\wininet.dll 2009-09-24 22:49 628,224 -------- c:\windows\system32\dllcache\urlmon.dll 2009-09-24 22:49 474,112 -------- c:\windows\system32\dllcache\shlwapi.dll 2009-09-24 22:49 3,070,976 -------- c:\windows\system32\dllcache\mshtml.dll 2009-09-24 22:49 532,480 -------- c:\windows\system32\dllcache\mstime.dll 2009-09-24 22:49 449,024 -------- c:\windows\system32\dllcache\mshtmled.dll 2009-09-24 22:49 146,432 -------- c:\windows\system32\dllcache\msrating.dll 2009-09-24 22:49 39,424 -------- c:\windows\system32\dllcache\pngfilt.dll 2009-09-24 22:48 81,920 a------- c:\windows\system32\ieencode.dll 2009-09-24 22:48 251,904 -------- c:\windows\system32\dllcache\iepeers.dll 2009-09-24 22:48 96,256 -------- c:\windows\system32\dllcache\inseng.dll 2009-09-24 22:48 81,920 -------- c:\windows\system32\dllcache\ieencode.dll 2009-09-24 22:48 55,808 -------- c:\windows\system32\dllcache\extmgr.dll 2009-09-24 22:48 16,384 -------- c:\windows\system32\dllcache\jsproxy.dll 2009-09-24 22:48 1,054,208 -------- c:\windows\system32\dllcache\danim.dll 2009-09-24 22:48 357,888 -------- c:\windows\system32\dllcache\dxtmsft.dll 2009-09-24 22:48 205,312 -------- c:\windows\system32\dllcache\dxtrans.dll 2009-09-24 22:48 151,040 -------- c:\windows\system32\dllcache\cdfview.dll 2009-09-24 22:48 1,024,000 -------- c:\windows\system32\dllcache\browseui.dll 2009-09-18 02:46 18,432 -------- c:\windows\system32\dllcache\iedw.exe 2009-09-11 07:03 136,192 a------- c:\windows\system32\msv1_0.dll 2009-09-11 07:03 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll 2009-09-04 13:45 58,880 a------- c:\windows\system32\msasn1.dll 2009-09-04 13:45 58,880 -------- 
c:\windows\system32\dllcache\msasn1.dll 2009-08-26 01:16 247,326 a------- c:\windows\system32\strmdll.dll 2009-08-26 01:16 247,326 -------- c:\windows\system32\dllcache\strmdll.dll 2009-08-21 02:46 450,560 -------- c:\windows\system32\dllcache\jscript.dll 2009-08-05 02:11 204,800 a------- c:\windows\system32\mswebdvd.dll 2009-08-05 02:11 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll 2009-08-04 05:51 2,185,984 -------- c:\windows\system32\ntoskrnl.exe 2009-08-04 05:51 2,185,984 -------- c:\windows\system32\dllcache\ntoskrnl.exe 2009-08-04 05:49 2,142,720 -------- c:\windows\system32\dllcache\ntkrnlmp.exe 2009-08-04 05:02 2,062,976 -------- c:\windows\system32\ntkrnlpa.exe 2009-08-04 05:02 2,062,976 -------- c:\windows\system32\dllcache\ntkrnlpa.exe 2009-08-04 05:02 2,020,864 -------- c:\windows\system32\dllcache\ntkrpamp.exe 2009-07-28 21:53 119,808 a------- c:\windows\system32\t2embed.dll 2009-07-28 21:53 82,432 a------- c:\windows\system32\fontsub.dll 2009-07-28 21:53 119,808 -------- c:\windows\system32\dllcache\t2embed.dll 2009-07-28 21:53 82,432 -------- c:\windows\system32\dllcache\fontsub.dll 2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll 2008-08-18 09:07 0 ac------ c:\program files\New Text Document.txt 2006-02-27 00:47 56 -c-shr-- c:\windows\system32\56DF61AA7A.sys 2006-02-27 00:47 1,682 ac-sh--- c:\windows\system32\KGyGaAvL.sys ============= FINISH: 13:27:43.18 =============== |
#8
Visiting Teacher/Analyst, Security Team
Join Date: Jun 2008
Location: Finland
Posts: 763
OS: Win XP, Vista 32-bit, Win7 64-bit
Re: Totally troubled "Security Tool" Malware . Logs Attached
Looking better :)
Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Delete C:\Documents and Settings\std\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-5b28771c file if found.
How's the system running?
__________________
Microsoft MVP Consumer Security 2008 2009 ASAP & UNITE member since 2006
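The two steps in the post above (show hidden and protected files, then remove the cached Java applet that Kaspersky flagged) can also be done from a shell, which makes the action repeatable and leaves a record of what was removed. This is an added example, not code from the helper or from any of the tools named in the thread. It assumes PowerShell is installed on the XP machine, that it runs under the same user whose profile holds the cache (`std` in the logs, so `%APPDATA%` resolves to `C:\Documents and Settings\std\Application Data`), and that the relative path is the one the Kaspersky report printed.

```powershell
# Added example (not from the forum post): the helper's two steps done from
# PowerShell instead of the Explorer dialogs.
# Assumes: Windows XP with PowerShell installed, run as the affected user.

# 1. Show hidden files and protected operating system files for the current user.
#    These are the registry values behind Folder Options > View:
#    Hidden = 1 means "Show hidden files and folders",
#    ShowSuperHidden = 1 unticks "Hide protected operating system files".
$explorerView = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $explorerView -Name 'Hidden'          -Value 1 -Type DWord
Set-ItemProperty -Path $explorerView -Name 'ShowSuperHidden' -Value 1 -Type DWord

# 2. Delete the cached Java applet that Kaspersky flagged, if it is still there.
#    Relative path taken from the Kaspersky report in the thread.
$flagged = Join-Path $env:APPDATA 'Sun\Java\Deployment\cache\6.0\47\bd7ce2f-5b28771c'

if (Test-Path -LiteralPath $flagged) {
    # Log size and timestamp before removal so the cleanup is auditable.
    $item = Get-Item -LiteralPath $flagged -Force
    Write-Host ("Removing {0} ({1} bytes, modified {2})" -f $item.FullName, $item.Length, $item.LastWriteTime)
    Remove-Item -LiteralPath $flagged -Force
} else {
    Write-Host "File not found (already cleaned): $flagged"
}
```

Open Explorer windows read the view settings when they start, so close and reopen My Computer after the registry change to see hidden files. `-LiteralPath` is used deliberately: the cache file name contains no wildcard characters, but treating user-profile paths literally avoids surprises with `[` or `]` in other profile names.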
#9
Registered User
Join Date: Mar 2009
Posts: 6
OS: xp sp2
Re: Totally troubled "Security Tool" Malware . Logs Attached
...deleted the java thing. :)
The system is running perfectly. Moreover, the mental security that nothing is wrong with the system, and all loopholes are plugged. Will update Adobe.

A couple of questions. Feel free not to answer whatever you feel is out of context.

1. Sophos AntiVirus gives Troj/Vritum-Gen detection on some files. These could be old detections also.
C:\WINDOWS\system32\_husenafe.dll_.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\vusumuje.dll.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\husenafe.dll.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\rawihani.dll.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\rogiwezu.dll.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\sugefeso.dll.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\tusiheku.dll.vir
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP7\A0003006.dll
C:\WINDOWS\system32\husenafe.dll
C:\Qoobox\Quarantine\C\WINDOWS\system32\rahuguzi.dll.vir
I deleted all system restore points. Should I delete the folder Qoobox? Is it created by Combofix, or something else?

2. I can see myself sometimes downloading things from unverified sources; what's the best way to avoid viruses? If I run it through a virus scanner before opening it, will that be sufficient?

3. What all things should I regularly update? (Flash/Adobe/Windows patches...? What else?)

4. Don't you think it's better to teach someone fishing than to give him fish :).. I mean, where can I learn how to interpret the DDS/Combofix logs? So that next time one of my friends has a virus (I think I will be safe for a while) he does not trouble you? ;)

Finally, thanks a lot for taking the time and patience to help me out.
#10
Visiting Teacher/Analyst, Security Team
Join Date: Jun 2008
Location: Finland
Posts: 763
OS: Win XP, Vista 32-bit, Win7 64-bit
Re: Totally troubled "Security Tool" Malware . Logs Attached
1. Kindly run a new scan with Sophos and let me know what it finds. Some of those listed should be gone already.
2. Sorry, but the only secure solution is to not download dubious things.
3. Java and QuickTime Player should be kept up-to-date too.
4. There's no silver bullet for that. If you want to learn to fight malware then you have to apply to one of the HJT schools. If you're going to apply, keep in mind that studying will take time. It's not any "few weeks only and I'm a master" thing.
__________________
Microsoft MVP Consumer Security 2008 2009 ASAP & UNITE member since 2006
#11
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,802
OS: 2000 Pro; XP Pro; XP Home
Re: Totally troubled "Security Tool" Malware . Logs Attached
Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:
NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009