03-13-2009, 08:43 PM   #1
Logmeonto, Registered User
Join Date: Aug 2008
Location: Fort Worth TX
Posts: 11
OS: VISTA ULTIMATE SP1


Possible Trojan.Generic Infection

Hi,
I need help removing this from my Windows XP Pro SP3 PC.

I read NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help before posting.

I'm having trouble with GMER as it never asks any questions or opens a window and it never stops running. I have to kill the process manually. I can't get this to complete successfully.

Here is DDS.txt:

DDS (Ver_09-02-01.01) - NTFSx86
Run by Administrator at 21:19:44.39 on Fri 03/13/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.694 [GMT -5:00]

AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://yahoo.sbc.com/dsl
mSearch Page =
mStart Page = hxxp://yahoo.sbc.com/dsl
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\taskman.lnk - c:\windows\system32\taskmgr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = cli c:\windows\system32\yeyapoyu.dll

============= SERVICES / DRIVERS ===============

R2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\trend micro\trendsecure\securityactivitydashboard\tmarsvc.exe [2009-3-12 181584]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-8-14 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-8-14 334352]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-3-12 49680]
S2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-3-12 492888]
S2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-3-12 677128]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2008-3-11 17149]
S3 FXDRV;FXDRV;\??\f:\fxdrv.sys --> f:\Fxdrv.sys [?]
S3 NAVAP;NAVAP;\??\c:\program files\navnt\navap.sys --> c:\program files\navnt\NAVAP.sys [?]
S3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20010808.016\naveng.sys --> c:\progra~1\common~1\symant~1\virusd~1\20010808.016\NAVENG.sys [?]
S3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20010808.016\navex15.sys --> c:\progra~1\common~1\symant~1\virusd~1\20010808.016\NAVEX15.sys [?]
S3 SiSV6306;SiSV6306;c:\windows\system32\drivers\SiS6306p.sys [2009-3-12 68608]

=============== Created Last 30 ================

2009-03-13 18:02 21,504 ac------ c:\windows\system32\dllcache\hidserv.dll
2009-03-13 18:02 21,504 a------- c:\windows\system32\hidserv.dll
2009-03-13 18:01 32,128 ac------ c:\windows\system32\dllcache\usbccgp.sys
2009-03-13 18:01 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2009-03-12 16:18 <DIR> --d----- c:\windows\pss
2009-03-12 15:37 <DIR> --d----- c:\windows\LocalSSL
2009-03-12 15:36 144,912 a------- c:\windows\system32\drivers\tmcomm.sys
2009-03-12 15:36 50,192 a------- c:\windows\system32\drivers\tmactmon.sys
2009-03-12 15:36 49,680 a------- c:\windows\system32\drivers\tmevtmgr.sys
2009-03-12 15:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trend Micro
2009-03-12 15:34 <DIR> --d----- c:\program files\Trend Micro
2009-03-12 15:30 150,144 ac------ c:\windows\system32\dllcache\sis6306v.dll
2009-03-12 15:30 68,608 ac------ c:\windows\system32\dllcache\sis6306p.sys
2009-03-12 15:30 150,144 a------- c:\windows\system32\SiS6306v.dll
2009-03-12 15:30 68,608 a------- c:\windows\system32\drivers\SiS6306p.sys
2009-03-12 15:30 3,527,168 ac------ c:\windows\system32\dllcache\sisgrv.dll
2009-03-12 15:30 3,527,168 a------- c:\windows\system32\sisgrv.dll
2009-03-12 15:29 252,032 ac------ c:\windows\system32\dllcache\sis300iv.dll
2009-03-12 15:29 101,760 ac------ c:\windows\system32\dllcache\sis300ip.sys
2009-03-12 15:29 252,032 a------- c:\windows\system32\sis300iv.dll
2009-03-12 15:29 101,760 a------- c:\windows\system32\drivers\sis300ip.sys
2009-03-11 14:37 10,240 a------- c:\windows\instsp1.exe
2009-03-11 14:31 1,689,621 ---sh--- c:\windows\system32\ivihisut.ini
2009-03-11 14:31 143,995 a--sh--- c:\windows\system32\vfpmsh.dll
2009-02-14 17:34 1,689,621 a--sh--- c:\windows\system32\avuvagak.ini
2009-02-12 13:51 1,631,029 a--sh--- c:\windows\system32\isinuzof.ini
2009-02-12 01:51 1,733,409 ---sh--- c:\windows\system32\ireladuj.ini

==================== Find3M ====================

2009-03-11 14:37 101,376 a--sh--- c:\windows\system32\jefizaya.dll
2009-03-11 14:31 143,995 a--sh--- c:\windows\system32\punehomi.dll
2009-03-11 14:31 70,839 a--sh--- c:\windows\system32\jamamafo.dll
2009-03-11 14:31 108,734 a--sh--- c:\windows\system32\jevayeyi.dll
2009-03-11 14:31 95,468 a--sh--- c:\windows\system32\tusihivi.dll
2009-02-14 17:34 144,109 a--sh--- c:\windows\system32\bekegoko.dll
2009-02-14 17:34 108,148 a--sh--- c:\windows\system32\dezifamu.dll
2009-02-14 17:34 95,348 a--sh--- c:\windows\system32\kagavuva.dll
2009-02-12 13:51 144,053 a--sh--- c:\windows\system32\reyekabi.dll
2009-02-12 13:51 110,347 a--sh--- c:\windows\system32\yuditiha.dll
2009-02-12 13:51 95,410 a--sh--- c:\windows\system32\fozunisi.dll
2009-02-12 01:51 144,115 a--sh--- c:\windows\system32\kewohewu.dll
2009-02-12 01:51 109,765 a--sh--- c:\windows\system32\tunavawe.dll
2009-02-11 13:51 73,928 a--sh--- c:\windows\system32\tozujozo.dll
2009-02-11 13:51 142,969 a--sh--- c:\windows\system32\tibiyoni.dll
2009-02-11 13:51 142,969 a--sh--- c:\windows\system32\clgtpa.dll
2009-02-11 13:51 109,344 a--sh--- c:\windows\system32\sanitutu.dll
2009-02-11 01:50 140,983 a--sh--- c:\windows\system32\luferake.dll
2009-02-11 01:50 140,983 a--sh--- c:\windows\system32\dngzkd.dll
2009-02-11 01:50 108,263 a--sh--- c:\windows\system32\fayivani.dll
2009-02-10 13:50 143,070 a--sh--- c:\windows\system32\zftwvx.dll
2009-02-10 13:50 143,070 a--sh--- c:\windows\system32\pogawopo.dll
2009-02-10 13:50 108,848 a--sh--- c:\windows\system32\witeyaza.dll
2009-02-10 01:50 142,120 a--sh--- c:\windows\system32\vatikefo.dll
2009-02-10 01:50 142,120 a--sh--- c:\windows\system32\aspopj.dll
2009-02-10 01:50 109,371 a--sh--- c:\windows\system32\fuyubefo.dll
2009-02-09 13:50 74,551 a--sh--- c:\windows\system32\hilozepi.dll
2009-02-09 13:50 140,523 a--sh--- c:\windows\system32\jtjcac.dll
2009-02-09 13:50 140,523 a--sh--- c:\windows\system32\bodalene.dll
2009-02-09 13:50 108,641 a--sh--- c:\windows\system32\jiwofehu.dll
2009-02-09 13:50 102,131 a--sh--- c:\windows\system32\pihimage.dll
2009-02-04 12:59 72,897 a--sh--- c:\windows\system32\zurasujo.dll
2009-02-04 12:59 101,535 -------- c:\windows\system32\poponevi.dll
2009-02-04 12:59 142,555 a--sh--- c:\windows\system32\nopulana.dll
2009-02-04 12:59 142,555 a--sh--- c:\windows\system32\mmxows.dll
2009-02-04 00:59 93,368 -------- c:\windows\system32\vahuyayu.dll
2009-02-04 00:59 99,567 a--sh--- c:\windows\system32\yuzobera.dll
2009-02-04 00:59 134,457 a--sh--- c:\windows\system32\vugtcu.dll
2009-02-04 00:59 134,457 a--sh--- c:\windows\system32\biwifasi.dll
2009-02-03 12:59 91,933 -------- c:\windows\system32\palujanu.dll
2009-02-03 12:59 133,885 a--sh--- c:\windows\system32\wolayuga.dll
2009-02-03 12:59 133,885 a--sh--- c:\windows\system32\msfytl.dll
2009-02-03 12:59 99,967 a--sh--- c:\windows\system32\waziroto.dll
2009-02-03 08:58 98,587 a--sh--- c:\windows\system32\viyezoya.dll
2009-02-03 08:58 63,746 a--sh--- c:\windows\system32\fasapako.dll
2009-02-03 08:58 91,907 -------- c:\windows\system32\hatakuvu.dll
2009-01-16 06:06 131,719 a------- c:\windows\system32\litijihi.dll
2009-01-16 06:06 131,719 a------- c:\windows\system32\ansmbh.dll
2009-01-16 06:06 127,760 a------- c:\windows\system32\zumawuzi.dll
2009-01-16 06:06 86,654 a------- c:\windows\system32\jogekuke.dll
2009-01-15 18:06 131,743 a------- c:\windows\system32\vekefubo.dll
2009-01-15 18:06 131,743 a------- c:\windows\system32\mdwgdy.dll
2009-01-15 18:06 127,771 a------- c:\windows\system32\pamobeto.dll
2009-01-15 18:06 86,145 a------- c:\windows\system32\hakawuha.dll
2009-01-15 16:59 68,767 a--sh--- c:\windows\system32\wirafuya.dll
2009-01-15 04:59 131,691 a--sh--- c:\windows\system32\vurezuda.dll
2009-01-15 04:59 131,691 a--sh--- c:\windows\system32\swlweq.dll
2009-01-15 04:59 86,257 -------- c:\windows\system32\delagowu.dll
2009-01-15 04:59 99,512 a--sh--- c:\windows\system32\jayevaro.dll
2009-01-14 16:59 86,118 -------- c:\windows\system32\bebuvuse.dll
2009-01-14 16:59 131,881 a--sh--- c:\windows\system32\ghqsyt.dll
2009-01-14 16:59 131,881 a--sh--- c:\windows\system32\fukunuhi.dll
2009-01-14 16:59 99,582 a--sh--- c:\windows\system32\vuzutodu.dll
2009-01-14 04:58 87,241 -------- c:\windows\system32\giwaporu.dll
2009-01-14 04:58 100,007 a--sh--- c:\windows\system32\womihute.dll
2009-01-14 04:58 131,724 a--sh--- c:\windows\system32\sbgzdp.dll
2009-01-14 04:58 131,724 a--sh--- c:\windows\system32\hurupodi.dll
2009-01-13 16:58 131,771 a--sh--- c:\windows\system32\vagiwali.dll
2009-01-13 16:58 131,771 a--sh--- c:\windows\system32\ocuibi.dll
2009-01-13 16:58 101,483 a--sh--- c:\windows\system32\lihitove.dll
2009-01-13 16:58 87,304 -------- c:\windows\system32\fibetehe.dll
2009-01-13 04:58 99,613 a--sh--- c:\windows\system32\kejasame.dll
2009-01-13 04:58 87,357 -------- c:\windows\system32\vibotawa.dll
2009-01-12 16:58 99,622 a--sh--- c:\windows\system32\busebayu.dll
2009-01-12 16:58 87,229 -------- c:\windows\system32\neyavutu.dll
2009-01-12 15:58 101,597 a--sh--- c:\windows\system32\dosoyahe.dll
2009-01-12 15:58 63,303 a--sh--- c:\windows\system32\pihovuto.dll
2009-01-12 03:58 102,059 a--sh--- c:\windows\system32\gobekado.dll
2009-01-12 03:58 91,386 -------- c:\windows\system32\kaboyene.dll
2009-01-11 15:58 103,067 a--sh--- c:\windows\system32\jeribejo.dll
2009-01-11 15:58 91,317 -------- c:\windows\system32\bipehozo.dll
2009-01-10 14:56 105,814 a------- c:\windows\system32\gakilime.dll
2009-01-10 14:56 90,863 -------- c:\windows\system32\rinokulo.dll
2009-01-10 14:51 67,169 a--sh--- c:\windows\system32\jasosise.dll
2008-12-29 15:39 97,916 a--sh--- c:\windows\system32\nivibuke.dll
2008-12-29 15:39 85,709 a--sh--- c:\windows\system32\peselura.dll
2008-12-29 15:34 61,440 a------- c:\windows\system32\~.exe
2008-12-25 14:47 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-25 14:46 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-05-27 14:04 20,888 a------- c:\docume~1\admini~1\applic~1\GDIPFONTCACHEV1.DAT
0000-00-00 00:00 125,952 a--sh--- c:\windows\system32\jeniyuvo.dll
0000-00-00 00:00 76,800 a--sh--- c:\windows\system32\mekopigo.dll
0000-00-00 00:00 46,080 a--sh--- c:\windows\system32\mofohupu.dll
0000-00-00 00:00 73,928 a--sh--- c:\windows\system32\pejanuru.dll
0000-00-00 00:00 58,368 a--sh--- c:\windows\system32\pihuzura.dll
0000-00-00 00:00 70,839 a--sh--- c:\windows\system32\punawuwu.dll
0000-00-00 00:00 73,928 a--sh--- c:\windows\system32\tilamuga.dll
0000-00-00 00:00 73,928 a--sh--- c:\windows\system32\tomakihe.dll
0000-00-00 00:00 70,839 a--sh--- c:\windows\system32\yeyapoyu.dll.vir

============= FINISH: 21:20:34.54 ===============
Attached Files
File Type: zip Attach.zip (3.1 KB, 1 views)
03-14-2009, 04:39 PM   #2
tetonbob, Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,761
OS: 2000 Pro; XP Pro; XP Home


Re: Possible Trojan.Generic Infection

Let's try this special version of gmer.


Download GMER Rootkit Scanner from here.
  • Double click the exe file. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
03-15-2009, 09:44 AM   #3
Logmeonto, Registered User
Join Date: Aug 2008
Location: Fort Worth TX
Posts: 11
OS: VISTA ULTIMATE SP1


Re: Possible Trojan.Generic Infection

This version ran OK. Thanks. See attachment.
Attached Files
File Type: txt Gmer.txt (10.8 KB, 4 views)
03-15-2009, 09:49 AM   #4
tetonbob, Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,761
OS: 2000 Pro; XP Pro; XP Home


Re: Possible Trojan.Generic Infection

That shows me what I thought I might see....

---------------------------------------------------------------------------------------------

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

You can read this: How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

---------------------------------------------------------------------------------------------

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Download Combofix from any of the links below. You must rename it before saving it. Name it ComFxx. Save it to your desktop.

    Link 1
    Link 2
    Link 3

    --------------------------------------------------------------------

    * IMPORTANT !!! Place comfxx.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  3. Double click on comfxx.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.

    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

    ---------------------------------------------------------------------------------------------
03-15-2009, 11:44 AM   #5
Logmeonto, Registered User
Join Date: Aug 2008
Location: Fort Worth TX
Posts: 11
OS: VISTA ULTIMATE SP1


Re: Possible Trojan.Generic Infection

hello tetonbob.

I'm having trouble with Combo-Fxx.exe
It won't run on the infected PC.

Here is the message I receive:
Some Installation Files Are Corrupt.
Please download a fresh copy and retry the installation.

I have followed the directions for renaming before I download. I have tried all three download sites referenced in your post with the same results.

FYI - I can run this successfully on another Win XP machine and it runs fine. Also, the infected PC has a DNS problem and resolves most IP addresses to localhost (127.0.0.1) so I can't get to a lot of web sites (I'll bet you expected this). I'm downloading from a PC that is not infected.
03-15-2009, 12:10 PM   #6
tetonbob, Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,761
OS: 2000 Pro; XP Pro; XP Home


Re: Possible Trojan.Generic Infection

Quote:
I can run this successfully on another Win XP machine and it runs fine.
ComboFix should not be run on just any machine.

That message indicates the download was incomplete. Your protection might have interfered with it. Please try downloading a fresh copy.
03-15-2009, 12:30 PM   #7
tetonbob, Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,761
OS: 2000 Pro; XP Pro; XP Home


Re: Possible Trojan.Generic Infection

If you still have problems, let me know. I have other tricks up my sleeve.
03-15-2009, 01:14 PM   #8
Logmeonto, Registered User
Join Date: Aug 2008
Location: Fort Worth TX
Posts: 11
OS: VISTA ULTIMATE SP1


Re: Possible Trojan.Generic Infection

I got it to run by changing the name. I think this may have fooled the Trojan!
BTW - I had previously ensured that I had a backup of my non-infected XP machine to my WHS server before I loaded Combofix on it. Thanks for the advice.

I'm now posting this message from the previously infected XP machine.

Attached is the Combofix log file.


ComboFix 09-03-14.02 - Administrator 2009-03-15 13:58:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.765 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fxxx.exe
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\FunWebProducts
c:\documents and settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk
c:\documents and settings\Administrator\Start Menu\Antivirus 2009
c:\documents and settings\Administrator\Start Menu\Antivirus 2009\Antivirus 2009.lnk
c:\documents and settings\Administrator\Start Menu\Antivirus 2009\Uninstall Antivirus 2009.lnk
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\FunWebProducts
c:\program files\FunWebProducts\ScreenSaver\Images\0AC81D1C.urr
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\History\search3
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\MyWebSearch\bar\Settings\setting2.htm
c:\program files\MyWebSearch\bar\Settings\setting2.htm.bak
c:\program files\MyWebSearch\bar\Settings\settings.dat
c:\program files\MyWebSearch\bar\Settings\settings.dat.bak
c:\windows\system32\~.exe
c:\windows\system32\ahuwakah.ini
c:\windows\system32\arulesep.ini
c:\windows\system32\aspopj.dll
c:\windows\system32\avuvaduz.ini
c:\windows\system32\avuvagak.ini
c:\windows\system32\awatobiv.ini
c:\windows\system32\bekegoko.dll
c:\windows\system32\bijigogu.dll.tmp
c:\windows\system32\biniyogi.dll.tmp
c:\windows\system32\biwifasi.dll
c:\windows\system32\bodalene.dll
c:\windows\system32\busebayu.dll
c:\windows\system32\clgtpa.dll
c:\windows\system32\dezifamu.dll
c:\windows\system32\dipakule.dll.tmp
c:\windows\system32\dngzkd.dll
c:\windows\system32\dosoyahe.dll
c:\windows\system32\drivers\TDSSpaxt.sys
c:\windows\system32\egamihip.ini
c:\windows\system32\ehetebif.ini
c:\windows\system32\eneyobak.ini
c:\windows\system32\epokanan.ini
c:\windows\system32\esuvubeb.ini
c:\windows\system32\fasapako.dll
c:\windows\system32\fayivani.dll
c:\windows\system32\fivahofi.dll.tmp
c:\windows\system32\fozunisi.dll
c:\windows\system32\fukunuhi.dll
c:\windows\system32\fuyubefo.dll
c:\windows\system32\ghqsyt.dll
c:\windows\system32\gobekado.dll
c:\windows\system32\hihofuhi.dll.tmp
c:\windows\system32\hilozepi.dll
c:\windows\system32\hurupodi.dll
c:\windows\system32\huyahife.dll.tmp
c:\windows\system32\ieupdates.exe.tmp
c:\windows\system32\ireladuj.ini
c:\windows\system32\isinuzof.ini
c:\windows\system32\ivenopop.ini
c:\windows\system32\ivihisut.ini
c:\windows\system32\jamamafo.dll
c:\windows\system32\jasosise.dll
c:\windows\system32\jayevaro.dll
c:\windows\system32\jeniyuvo.dll
c:\windows\system32\jeribejo.dll
c:\windows\system32\jevayeyi.dll
c:\windows\system32\jiwofehu.dll
c:\windows\system32\jtjcac.dll
c:\windows\system32\kagavuva.dll
c:\windows\system32\kejasame.dll
c:\windows\system32\kewohewu.dll
c:\windows\system32\kirasahi.dll.tmp
c:\windows\system32\lihitove.dll
c:\windows\system32\luferake.dll
c:\windows\system32\matebuhe.dll.tmp
c:\windows\system32\mekopigo.dll
c:\windows\system32\mibayema.dll
c:\windows\system32\mmxows.dll
c:\windows\system32\mofohupu.dll
c:\windows\system32\msfytl.dll
c:\windows\system32\nivibuke.dll
c:\windows\system32\nopulana.dll
c:\windows\system32\nuzepema.dll.tmp
c:\windows\system32\ocuibi.dll
c:\windows\system32\olukonir.ini
c:\windows\system32\oyewatev.ini
c:\windows\system32\ozavagok.ini
c:\windows\system32\ozohepib.ini
c:\windows\system32\pejanuru.dll
c:\windows\system32\peselura.dll
c:\windows\system32\pihimage.dll
c:\windows\system32\pihovuto.dll
c:\windows\system32\pihuzura.dll
c:\windows\system32\pogawopo.dll
c:\windows\system32\punawuwu.dll
c:\windows\system32\punehomi.dll
c:\windows\system32\ralusabi.dll.tmp
c:\windows\system32\reyekabi.dll
c:\windows\system32\sanitutu.dll
c:\windows\system32\sbgzdp.dll
c:\windows\system32\scui.cpl
c:\windows\system32\sisameso.dll.tmp
c:\windows\system32\swlweq.dll
c:\windows\system32\tasazilu.dll.tmp
c:\windows\system32\tasusape.dll.tmp
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSfxmp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSofxh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsbhc.dll
c:\windows\system32\TDSStkdv.log
c:\windows\system32\tibiyoni.dll
c:\windows\system32\tilamuga.dll
c:\windows\system32\tomakihe.dll
c:\windows\system32\tozujozo.dll
c:\windows\system32\tunavawe.dll
c:\windows\system32\tusihivi.dll
c:\windows\system32\unajulap.ini
c:\windows\system32\uropawig.ini
c:\windows\system32\utuvayen.ini
c:\windows\system32\uvukatah.ini
c:\windows\system32\uwogaled.ini
c:\windows\system32\uyayuhav.ini
c:\windows\system32\vagiwali.dll
c:\windows\system32\vamibedi.dll.tmp
c:\windows\system32\vatikefo.dll
c:\windows\system32\vfpmsh.dll
c:\windows\system32\viyezoya.dll
c:\windows\system32\vohofude.dll.tmp
c:\windows\system32\vugtcu.dll
c:\windows\system32\vurezuda.dll
c:\windows\system32\vuzutodu.dll
c:\windows\system32\waziroto.dll
c:\windows\system32\wirafuya.dll
c:\windows\system32\witeyaza.dll
c:\windows\system32\wolayuga.dll
c:\windows\system32\womihute.dll
c:\windows\system32\yeyapoyu.dll.vir
c:\windows\system32\yuditiha.dll
c:\windows\system32\yuzobera.dll
c:\windows\system32\zftwvx.dll
c:\windows\system32\zurasujo.dll

----- BITS: Possible infected sites -----

hxxp://sunmicro.ht.rd.llnw.net
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-02-15 to 2009-03-15 )))))))))))))))))))))))))))))))
.

2100-02-24 14:15 . 2001-04-02 16:30 821 --a------ c:\windows\Lexmark_ICM.ini
2100-02-16 16:09 . 2001-02-16 15:37 62 --a------ c:\windows\system32\LXASUSCI.INI
2009-03-15 11:10 . 2009-03-15 11:10 <DIR> d-------- c:\program files\NETGEAR
2009-03-15 11:10 . 2009-03-15 11:10 <DIR> d--h----- c:\program files\InstallShield Installation Information
2009-03-15 11:10 . 2009-03-15 11:10 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InstallShield
2009-03-15 11:10 . 2005-09-05 11:21 362,944 --a------ c:\windows\system32\drivers\WG11TND5.sys
2009-03-15 11:10 . 2005-07-27 21:15 149,392 --a------ c:\windows\system32\drivers\ar5523.bin
2009-03-13 18:02 . 2008-04-13 18:11 21,504 --a------ c:\windows\system32\hidserv.dll
2009-03-13 18:02 . 2008-04-13 18:11 21,504 --a--c--- c:\windows\system32\dllcache\hidserv.dll
2009-03-13 18:01 . 2008-04-13 12:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2009-03-13 18:01 . 2008-04-13 12:45 32,128 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2009-03-12 15:37 . 2009-03-12 15:37 <DIR> d-------- c:\windows\LocalSSL
2009-03-12 15:36 . 2009-03-12 15:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trend Micro
2009-03-12 15:36 . 2008-08-14 12:23 144,912 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-03-12 15:36 . 2008-08-14 12:23 50,192 --a------ c:\windows\system32\drivers\tmactmon.sys
2009-03-12 15:36 . 2008-08-14 12:23 49,680 --a------ c:\windows\system32\drivers\tmevtmgr.sys
2009-03-12 15:34 . 2009-03-12 15:37 <DIR> d-------- c:\program files\Trend Micro
2009-03-12 15:30 . 2007-10-03 17:57 3,527,168 --a------ c:\windows\system32\sisgrv.dll
2009-03-12 15:30 . 2007-10-03 17:57 3,527,168 --a--c--- c:\windows\system32\dllcache\sisgrv.dll
2009-03-12 15:30 . 2001-08-17 14:56 150,144 --a------ c:\windows\system32\SiS6306v.dll
2009-03-12 15:30 . 2001-08-17 14:56 150,144 --a--c--- c:\windows\system32\dllcache\sis6306v.dll
2009-03-12 15:30 . 2001-08-17 12:50 68,608 --a------ c:\windows\system32\drivers\SiS6306p.sys
2009-03-12 15:30 . 2001-08-17 12:50 68,608 --a--c--- c:\windows\system32\dllcache\sis6306p.sys
2009-03-12 15:29 . 2001-08-17 14:56 252,032 --a------ c:\windows\system32\sis300iv.dll
2009-03-12 15:29 . 2001-08-17 14:56 252,032 --a--c--- c:\windows\system32\dllcache\sis300iv.dll
2009-03-12 15:29 . 2001-08-17 12:50 101,760 --a------ c:\windows\system32\drivers\sis300ip.sys
2009-03-12 15:29 . 2001-08-17 12:50 101,760 --a--c--- c:\windows\system32\dllcache\sis300ip.sys
2009-03-11 14:37 . 2009-03-11 14:37 10,240 --a------ c:\windows\instsp1.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-12 21:06 --------- d-----w c:\program files\Windows Desktop Search
2009-03-12 20:23 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-12 20:23 --------- d-----w c:\program files\Common Files\InstallShield
2009-03-12 20:19 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-11 20:07 --------- d-----w c:\documents and settings\Administrator\Application Data\MSN6
2008-05-27 19:04 20,888 ----a-w c:\documents and settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 169984]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-08-14 497008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111T Smart Wizard.lnk - c:\program files\NETGEAR\WG111T\wlan111t.exe [2009-03-15 884840]
TASKMAN.lnk - c:\windows\system32\taskmgr.exe [2001-08-30 135680]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ cli

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
1 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
--a------ 2002-09-10 21:26 368706 c:\program files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X83 Button Manager]
--a------ 2001-06-14 12:42 53248 c:\progra~1\LEXMAR~1\AcBtnMgr_X83.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X83 Button Monitor]
--a------ 2001-10-18 10:25 40960 c:\progra~1\LEXMAR~1\ACMonitor_X83.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 2005-08-24 07:51 442455 c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE]
--a------ 2008-08-14 12:44 497008 c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
--a------ 2002-06-27 03:47 36864 c:\windows\system32\spool\drivers\w32x86\3\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-26 13:55 286720 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-12-25 14:47 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-09-17 15:51 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UfSeAgnt.exe]
--a------ 2008-08-14 12:19 970808 c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2004-07-01 05:23 67584 c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cisvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"TmProxy"=2 (0x2)
"TmPfw"=2 (0x2)
"TMBMServer"=2 (0x2)
"SfCtlCom"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"gusvc"=3 (0x3)
"Security Activity Dashboard Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Program Files\\LexmarkX83\\ACMonitor_X83.exe"=
"c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-03-12 49680]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-08-14 36368]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2008-03-11 17149]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-08-14 334352]
S3 FXDRV;FXDRV;\??\f:\fxdrv.sys --> f:\Fxdrv.sys [?]
S3 SiSV6306;SiSV6306;c:\windows\system32\drivers\SiS6306p.sys [2009-03-12 68608]
S4 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2009-03-12 181584]
S4 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-03-12 492888]
S4 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-03-12 677128]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{982052b6-033e-11dd-96df-00146c379174}]
\Shell\AutoRun\command - Setup.EXE
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-63627329090068689334119724296972 - c:\program files\Antivirus 2009\av2009.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-b0723812 - c:\windows\system32\judaleri.dll
MSConfigStartUp-CPMb3410b8e - c:\windows\system32\pajuwojo.dll
MSConfigStartUp-nozukipaje - c:\windows\system32\punawuwu.dll


.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://yahoo.sbc.com/dsl
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-15 14:02:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1229272821-1500820517-725345543-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1108)
c:\windows\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-15 14:04:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-15 19:04:13

Pre-Run: 131,109,531,648 bytes free
Post-Run: 131,031,642,112 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

339 --- E O F --- 2008-12-27 10:00:58
Old 03-15-2009, 01:23 PM   #9 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,761
OS: 2000 Pro; XP Pro; XP Home


Re: Possible Trojan.Generic Infection

Good job.

Looks much better. Still more work to do, but first, I need some information about a file.

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following:

    c:\windows\instsp1.exe

  • Then click the "Send File " button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the results in your next reply.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 03-15-2009, 01:44 PM   #10 (permalink)
Registered User
 
Join Date: Aug 2008
Location: Fort Worth TX
Posts: 11
OS: VISTA ULTIMATE SP1


Re: Possible Trojan.Generic Infection

File instsp1.exe received on 03.15.2009 20:33:38 (CET)
Result: 15/39 (38.47%)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.15 Trojan.Win32.Piptea!IK
AhnLab-V3 5.0.0.2 2009.03.15 -
AntiVir 7.9.0.114 2009.03.13 TR/Crypt.ULPM.Gen
Authentium 5.1.0.4 2009.03.15 -
Avast 4.8.1335.0 2009.03.15 Win32:Virtumonde-SQ
AVG 8.0.0.237 2009.03.15 Downloader.Generic8.AAJR
BitDefender 7.2 2009.03.15 -
CAT-QuickHeal 10.00 2009.03.14 -
ClamAV 0.94.1 2009.03.15 -
Comodo 1057 2009.03.15 -
DrWeb 4.44.0.09170 2009.03.15 -
eSafe 7.0.17.0 2009.03.15 Win32.TRCrypt.Ulpm
eTrust-Vet 31.6.6388 2009.03.09 -
F-Prot 4.4.4.56 2009.03.15 -
F-Secure 8.0.14470.0 2009.03.15 -
Fortinet 3.117.0.0 2009.03.15 -
GData 19 2009.03.15 Win32:Virtumonde-SQ
Ikarus T3.1.1.45.0 2009.03.15 Trojan.Win32.Piptea
K7AntiVirus 7.10.671 2009.03.14 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2009.03.15 -
McAfee 5554 2009.03.15 -
McAfee+Artemis 5554 2009.03.15 Generic!Artemis
McAfee-GW-Edition 6.7.6 2009.03.13 Trojan.Crypt.ULPM.Gen
Microsoft 1.4405 2009.03.15 Trojan:Win32/Piptea.E
NOD32 3937 2009.03.15 a variant of Win32/TrojanDownloader.Agent.OWQ
Norman 6.00.06 2009.03.13 -
nProtect 2009.1.8.0 2009.03.15 -
Panda 10.0.0.10 2009.03.15 Trj/Downloader.VNL
PCTools 4.4.2.0 2009.03.15 -
Prevx1 V2 2009.03.15 Medium Risk Malware
Rising 21.20.62.00 2009.03.15 -
Sophos 4.39.0 2009.03.15 Mal/TibsPk-A
Sunbelt 3.2.1858.2 2009.03.15 -
Symantec 1.4.4.12 2009.03.15 -
TheHacker 6.3.3.0.282 2009.03.15 -
TrendMicro 8.700.0.1004 2009.03.13 -
VBA32 3.12.10.1 2009.03.15 -
ViRobot 2009.3.13.1648 2009.03.13 -
VirusBuster 4.6.5.0 2009.03.15 -
Additional information
File size: 10240 bytes
MD5...: 6a8c3f52ba4b0d7d09d1c20345464b8c
SHA1..: 11984c93b8a0174d4834fed3280b1d42fb913c37
SHA256: aeb948ff69c8e54e120cc33273de0297f1dfbd4551b3f93026462dadd56212c3
SHA512: 403473c9fa25a494504dd9c35ba922789f22489b2da5f8ec55ee1374284beee8
b95787f016496d90c84e4e561071095e17d7591735f7190c6a7b0299d4ebf254
ssdeep: 192:Mf1EfL2pH9aLncg3yslzHSjEjaKFaWMPpE3GAUtfCMyB2Kdw5vgQezKT6TCo
w:MfCzO9Y3XzHWBKL2EJCfTGw5IQx2Cow

PEiD..: -
TrID..: File type identification
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2bdd0
timedatestamp.....: 0x49ad977f (Tue Mar 03 20:47:59 2009)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x29000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x2a000 0x2000 0x2000 7.74 d3d89ba4982e8a1f62ea2846d9eb0cd1
.rsrc 0x2c000 0x1000 0x400 3.30 db339f6c2d64fdc20da041e08bdf5f0e

( 1 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess

( 0 exports )

packers (Avast): UPX
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=6a8c3f52ba4b0d7d09d1c20345464b8c
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=31DCD0F100F9416528D700B77A098200A8AC7CB0
packers (Kaspersky): PE_Patch.UPX, UPX
packers (F-Prot): UPX
Old 03-15-2009, 01:51 PM   #11 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,761
OS: 2000 Pro; XP Pro; XP Home


Re: Possible Trojan.Generic Infection

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/355850-possible-trojan-generic-infection.html#post2023978
    
    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00 
    
    Collect::
    c:\windows\instsp1.exe
    Save this as CFScript.txt




    Referring to the picture above, drag CFScript.txt into ComboFix.exe


  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  4. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    When ComboFix finishes running, the ComboFix log will open along with a message box. Do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

    Ensure you are connected to the internet and click OK. Follow the prompts.
  5. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
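The Registry:: stanza in the script above rewrites the LSA "Notification Packages" value, which the earlier ComboFix log showed truncated to "cli"; the byte list 73,63,65,63,6c,69,00,00 is simply "scecli" as a REG_MULTI_SZ. As an added example (not from this thread, not ComboFix code), the Python below decodes a .reg hex(7) value and compares the package list against an expected baseline, since any DLL listed here is loaded by LSASS and sees password changes, so an unexplained entry is worth investigating. The EXPECTED_PACKAGES baseline and the sample values marked constructed are assumptions.

```python
# Added example: decode a .reg "hex(7):" REG_MULTI_SZ value (the form used in
# the CFScript above) and check the LSA Notification Packages list against a
# baseline. Not from the thread or from ComboFix.

# Assumption: on a stock Windows XP install only scecli is registered here.
EXPECTED_PACKAGES = {"scecli"}


def decode_reg_multi_sz(value: str) -> list:
    """Decode a .reg 'hex(7):73,63,...' byte list into the strings it holds.

    REGEDIT4 (ANSI) files, which ComboFix writes, store one byte per
    character; REGEDIT5 files store UTF-16LE. Both terminate each string
    with a NUL and the whole list with an extra NUL.
    """
    if value.lower().startswith("hex(7):"):
        value = value[len("hex(7):"):]
    # Long .reg values wrap with a trailing backslash; drop the continuations.
    cleaned = value.replace("\\", "").replace("\r", "").replace("\n", "")
    raw = bytes(int(tok, 16) for tok in cleaned.split(",") if tok.strip())
    # UTF-16LE text of ASCII names has a zero high byte in every odd position.
    if len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    return [s for s in text.split("\x00") if s]


def encode_reg_multi_sz(items, ansi: bool = True) -> str:
    """Inverse of decode_reg_multi_sz; ansi=True matches the REGEDIT4 layout."""
    text = "\x00".join(items) + "\x00\x00"
    raw = text.encode("latin-1" if ansi else "utf-16-le")
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def check_notification_packages(value: str, expected=EXPECTED_PACKAGES) -> dict:
    """Report how the decoded package list differs from the baseline."""
    found = decode_reg_multi_sz(value)
    return {
        "packages": found,
        "unexpected": sorted(set(found) - set(expected)),
        "missing": sorted(set(expected) - set(found)),
    }


if __name__ == "__main__":
    # Value taken from the CFScript in the post above.
    script_value = "hex(7):73,63,65,63,6c,69,00,00"
    # Constructed: the damaged list the earlier log reported as just "cli".
    truncated_value = encode_reg_multi_sz(["cli"])
    # Constructed: an extra, unexplained package beside the default one.
    extra_value = encode_reg_multi_sz(["scecli", "examplepkg"])
    for label, v in (("script", script_value),
                     ("truncated", truncated_value),
                     ("extra", extra_value)):
        print(label, check_notification_packages(v))
```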
Old 03-15-2009, 03:06 PM   #12 (permalink)
Registered User
 
Join Date: Aug 2008
Location: Fort Worth TX
Posts: 11
OS: VISTA ULTIMATE SP1


Re: Possible Trojan.Generic Infection

ComboFix encountered a problem after saying it is going to re-boot

Warning!

Error saving file C:\Windows\erdnt\subs\software!

Continue with the next file?

Regsavekeyex: 1016 - An I/O operation initiated by the registry failed unrecoverably. The registry could not read in, or write out, or flush one of the files that contain the system's image of the registry.

YES NO

It is waiting for me to reply YES or No.
Old 03-15-2009, 03:29 PM   #13 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 24,494
OS: N/A


Re: Possible Trojan.Generic Infection

Answer NO for each of such queries. ComboFix should reboot your machine & produce a log.

After rebooting, post the log that ComboFix produces.
__________________

Question - what have you done for the community today?
Old 03-15-2009, 03:42 PM   #14 (permalink)
Registered User
 
Join Date: Aug 2008
Location: Fort Worth TX
Posts: 11
OS: VISTA ULTIMATE SP1


Re: Possible Trojan.Generic Infection

The PC rebooted itself without my answering the YES/NO prompt. It is now re-booted and ComboFix is not running and I have no results.
What next?
Old 03-15-2009, 03:51 PM   #15 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,761
OS: 2000 Pro; XP Pro; XP Home


Re: Possible Trojan.Generic Infection

Please ensure security applications are all disabled.

Look to C:\ComboFix\combobatch.bat if present (might be C:\Combo-Fxxx\combobatch.bat); double click on it, and if ComboFix resumes its run, post the log.

If not, double click on Combo-Fxxx.exe once again to run it, and post the log.

Again, please ensure all security apps are disabled before performing the above.
Old 03-15-2009, 03:59 PM   #16 (permalink)
Registered User
 
Join Date: Aug 2008
Location: Fort Worth TX
Posts: 11
OS: VISTA ULTIMATE SP1


Re: Possible Trojan.Generic Infection

Thanks for the next step information.

Here are ComboFix results:

ComboFix 09-03-14.02 - Administrator 2009-03-15 15:14:51.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.700 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fxxx.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\instsp1.exe
H:\Autorun.INF

.
((((((((((((((((((((((((( Files Created from 2009-02-15 to 2009-03-15 )))))))))))))))))))))))))))))))
.

2100-02-24 14:15 . 2001-04-02 16:30 821 --a------ c:\windows\Lexmark_ICM.ini
2100-02-16 16:09 . 2001-02-16 15:37 62 --a------ c:\windows\system32\LXASUSCI.INI
2009-03-15 11:10 . 2009-03-15 11:10 <DIR> d-------- c:\program files\NETGEAR
2009-03-15 11:10 . 2009-03-15 11:10 <DIR> d--h----- c:\program files\InstallShield Installation Information
2009-03-15 11:10 . 2009-03-15 11:10 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InstallShield
2009-03-15 11:10 . 2005-09-05 11:21 362,944 --a------ c:\windows\system32\drivers\WG11TND5.sys
2009-03-15 11:10 . 2005-07-27 21:15 149,392 --a------ c:\windows\system32\drivers\ar5523.bin
2009-03-13 18:02 . 2008-04-13 18:11 21,504 --a------ c:\windows\system32\hidserv.dll
2009-03-13 18:02 . 2008-04-13 18:11 21,504 --a--c--- c:\windows\system32\dllcache\hidserv.dll
2009-03-13 18:01 . 2008-04-13 12:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2009-03-13 18:01 . 2008-04-13 12:45 32,128 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2009-03-12 15:37 . 2009-03-12 15:37 <DIR> d-------- c:\windows\LocalSSL
2009-03-12 15:36 . 2009-03-12 15:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trend Micro
2009-03-12 15:36 . 2008-08-14 12:23 144,912 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-03-12 15:36 . 2008-08-14 12:23 50,192 --a------ c:\windows\system32\drivers\tmactmon.sys
2009-03-12 15:36 . 2008-08-14 12:23 49,680 --a------ c:\windows\system32\drivers\tmevtmgr.sys
2009-03-12 15:34 . 2009-03-12 15:37 <DIR> d-------- c:\program files\Trend Micro
2009-03-12 15:30 . 2007-10-03 17:57 3,527,168 --a------ c:\windows\system32\sisgrv.dll
2009-03-12 15:30 . 2007-10-03 17:57 3,527,168 --a--c--- c:\windows\system32\dllcache\sisgrv.dll
2009-03-12 15:30 . 2001-08-17 14:56 150,144 --a------ c:\windows\system32\SiS6306v.dll
2009-03-12 15:30 . 2001-08-17 14:56 150,144 --a--c--- c:\windows\system32\dllcache\sis6306v.dll
2009-03-12 15:30 . 2001-08-17 12:50 68,608 --a------ c:\windows\system32\drivers\SiS6306p.sys
2009-03-12 15:30 . 2001-08-17 12:50 68,608 --a--c--- c:\windows\system32\dllcache\sis6306p.sys
2009-03-12 15:29 . 2001-08-17 14:56 252,032 --a------ c:\windows\system32\sis300iv.dll
2009-03-12 15:29 . 2001-08-17 14:56 252,032 --a--c--- c:\windows\system32\dllcache\sis300iv.dll
2009-03-12 15:29 . 2001-08-17 12:50 101,760 --a------ c:\windows\system32\drivers\sis300ip.sys
2009-03-12 15:29 . 2001-08-17 12:50 101,760 --a--c--- c:\windows\system32\dllcache\sis300ip.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-12 21:06 --------- d-----w c:\program files\Windows Desktop Search
2009-03-12 20:23 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-12 20:23 --------- d-----w c:\program files\Common Files\InstallShield
2009-03-12 20:19 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-11 20:07 --------- d-----w c:\documents and settings\Administrator\Application Data\MSN6
2009-03-11 19:37 101,376 --sha-w c:\windows\system32\jefizaya.dll
2009-02-04 17:59 101,535 ------w c:\windows\system32\poponevi.dll
2009-02-04 05:59 93,368 ------w c:\windows\system32\vahuyayu.dll
2009-02-03 17:59 91,933 ------w c:\windows\system32\palujanu.dll
2009-02-03 13:58 91,907 ------w c:\windows\system32\hatakuvu.dll
2009-01-16 11:06 86,654 ----a-w c:\windows\system32\jogekuke.dll
2009-01-16 11:06 131,719 ----a-w c:\windows\system32\litijihi.dll
2009-01-16 11:06 131,719 ----a-w c:\windows\system32\ansmbh.dll
2009-01-16 11:06 127,760 ----a-w c:\windows\system32\zumawuzi.dll
2009-01-15 23:06 86,145 ----a-w c:\windows\system32\hakawuha.dll
2009-01-15 23:06 131,743 ----a-w c:\windows\system32\vekefubo.dll
2009-01-15 23:06 131,743 ----a-w c:\windows\system32\mdwgdy.dll
2009-01-15 23:06 127,771 ----a-w c:\windows\system32\pamobeto.dll
2009-01-15 09:59 86,257 ------w c:\windows\system32\delagowu.dll
2009-01-14 21:59 86,118 ------w c:\windows\system32\bebuvuse.dll
2009-01-14 09:58 87,241 ------w c:\windows\system32\giwaporu.dll
2009-01-13 21:58 87,304 ------w c:\windows\system32\fibetehe.dll
2009-01-13 09:58 87,357 ------w c:\windows\system32\vibotawa.dll
2009-01-12 21:58 87,229 ------w c:\windows\system32\neyavutu.dll
2009-01-12 08:58 91,386 ------w c:\windows\system32\kaboyene.dll
2009-01-11 20:58 91,317 ------w c:\windows\system32\bipehozo.dll
2009-01-10 19:56 90,863 ------w c:\windows\system32\rinokulo.dll
2009-01-10 19:56 105,814 ----a-w c:\windows\system32\gakilime.dll
2008-12-25 19:47 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-05-27 19:04 20,888 ----a-w c:\documents and settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-03-15_14.03.19.85 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 169984]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-08-14 497008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111T Smart Wizard.lnk - c:\program files\NETGEAR\WG111T\wlan111t.exe [2009-03-15 884840]
TASKMAN.lnk - c:\windows\system32\taskmgr.exe [2001-08-30 135680]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
1 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
--a------ 2002-09-10 21:26 368706 c:\program files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X83 Button Manager]
--a------ 2001-06-14 12:42 53248 c:\progra~1\LEXMAR~1\AcBtnMgr_X83.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X83 Button Monitor]
--a------ 2001-10-18 10:25 40960 c:\progra~1\LEXMAR~1\ACMonitor_X83.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 2005-08-24 07:51 442455 c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE]
--a------ 2008-08-14 12:44 497008 c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
--a------ 2002-06-27 03:47 36864 c:\windows\system32\spool\drivers\w32x86\3\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-26 13:55 286720 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-12-25 14:47 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-09-17 15:51 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UfSeAgnt.exe]
--a------ 2008-08-14 12:19 970808 c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2004-07-01 05:23 67584 c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cisvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"TmProxy"=2 (0x2)
"TmPfw"=2 (0x2)
"TMBMServer"=2 (0x2)
"SfCtlCom"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"gusvc"=3 (0x3)
"Security Activity Dashboard Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Program Files\\LexmarkX83\\ACMonitor_X83.exe"=
"c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-03-12 49680]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-08-14 36368]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2008-03-11 17149]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-08-14 334352]
S3 FXDRV;FXDRV;\??\f:\fxdrv.sys --> f:\Fxdrv.sys [?]
S3 SiSV6306;SiSV6306;c:\windows\system32\drivers\SiS6306p.sys [2009-03-12 68608]
S4 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2009-03-12 181584]
S4 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-03-12 492888]
S4 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-03-12 677128]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://yahoo.sbc.com/dsl
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-15 16:53:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1229272821-1500820517-725345543-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1124)
c:\windows\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2009-03-15 16:55:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-15 21:55:21
ComboFix2.txt 2009-03-15 19:04:18

Pre-Run: 130,928,283,648 bytes free
Post-Run: 130,960,564,224 bytes free

204 --- E O F --- 2008-12-27 10:00:58
Old 03-15-2009, 04:07 PM   #17 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,761
OS: 2000 Pro; XP Pro; XP Home


Re: Possible Trojan.Generic Infection

Not sure how more Vundo got into the machine, but there it is....

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/355850-possible-trojan-generic-infection.html#post2024229
    
    Collect::
    c:\windows\system32\jefizaya.dll
    c:\windows\system32\poponevi.dll
    c:\windows\system32\vahuyayu.dll
    c:\windows\system32\palujanu.dll
    c:\windows\system32\hatakuvu.dll
    c:\windows\system32\jogekuke.dll
    c:\windows\system32\litijihi.dll
    c:\windows\system32\ansmbh.dll
    c:\windows\system32\zumawuzi.dll
    c:\windows\system32\hakawuha.dll
    c:\windows\system32\vekefubo.dll
    c:\windows\system32\mdwgdy.dll
    c:\windows\system32\pamobeto.dll
    c:\windows\system32\delagowu.dll
    c:\windows\system32\bebuvuse.dll
    c:\windows\system32\giwaporu.dll
    c:\windows\system32\fibetehe.dll
    c:\windows\system32\vibotawa.dll
    c:\windows\system32\neyavutu.dll
    c:\windows\system32\kaboyene.dll
    c:\windows\system32\bipehozo.dll
    c:\windows\system32\rinokulo.dll
    c:\windows\system32\gakilime.dll
    Save this as CFScript.txt

    Referring to the picture above, drag CFScript.txt into ComboFix.exe

  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  4. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

    Ensure you are connected to the internet and click OK. Follow the prompts.
  5. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
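Added example for the procedure above (written for this edit; not tetonbob's code and not part of ComboFix): once the CFScript run has finished, compare the paths under Collect:: with the log it produced to confirm each file really was removed rather than only requested. The CFScript and log excerpt below are constructed in the thread's format using file names from the post; they are not the log the poster supplied.

```python
import re
from collections import OrderedDict

# ComboFix section banners: "(((((( Other Deletions ))))))" or "------- Find3M Report -------".
SECTION_RE = re.compile(r"^[(\-]{3,}\s*(.+?)\s*[)\-]{3,}$")


def parse_collect_list(cfscript):
    """Return the paths listed under 'Collect::' (lower-cased, in script order)."""
    paths = []
    in_collect = False
    for raw in cfscript.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):          # a directive header (Collect::, File::, ...)
            in_collect = line.lower() == "collect::"
            continue
        if in_collect:
            paths.append(line.lower())
    return paths


def split_sections(log):
    """Map each ComboFix section name to its non-empty lines; text before the
    first banner goes under 'Header' and '.' spacer lines are dropped."""
    sections = OrderedDict(Header=[])
    current = "Header"
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def audit_collect(cfscript, log):
    """Classify each Collect:: path as 'deleted', 'still present' or 'not mentioned'."""
    sections = split_sections(log)
    deleted = {line.lower() for line in sections.get("Other Deletions", [])}
    # All other sections joined, so a path is found inside longer lines such as a
    # Find3M entry "2009-01-10 19:56 105,814 ----a-w c:\...\x.dll".
    elsewhere = "\n".join(
        line.lower()
        for name, lines in sections.items() if name != "Other Deletions"
        for line in lines
    )
    result = OrderedDict()
    for path in parse_collect_list(cfscript):
        if path in deleted:
            result[path] = "deleted"
        elif path in elsewhere:
            result[path] = "still present"
        else:
            result[path] = "not mentioned"
    return result


# Constructed sample input in the thread's format (file names taken from the
# CFScript in the post above; the log excerpt is made up for this example).
SAMPLE_CFSCRIPT = r"""
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/355850-possible-trojan-generic-infection.html#post2024229

Collect::
c:\windows\system32\jefizaya.dll
c:\windows\system32\pamobeto.dll
c:\windows\system32\gakilime.dll
c:\windows\system32\vekefubo.dll
"""

SAMPLE_LOG = r"""
ComboFix 09-03-14.02 - Administrator 2009-03-15 17:11:27.2 - NTFSx86
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\jefizaya.dll
c:\windows\system32\pamobeto.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-10 19:56 105,814 ----a-w c:\windows\system32\gakilime.dll
"""

if __name__ == "__main__":
    for path, status in audit_collect(SAMPLE_CFSCRIPT, SAMPLE_LOG).items():
        print(f"{status:<14} {path}")
```

A path reported as "still present" means the file survived the run and shows up again in a later section of the log (here under Find3M), so it needs to be looked at again rather than assumed gone.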
Old 03-15-2009, 04:18 PM   #18 (permalink)
Registered User
Join Date: Aug 2008
Location: Fort Worth TX
Posts: 11
OS: VISTA ULTIMATE SP1


Re: Possible Trojan.Generic Infection

ComboFix 09-03-14.02 - Administrator 2009-03-15 17:11:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.702 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fxxx.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ansmbh.dll
c:\windows\system32\bebuvuse.dll
c:\windows\system32\bipehozo.dll
c:\windows\system32\delagowu.dll
c:\windows\system32\fibetehe.dll
c:\windows\system32\giwaporu.dll
c:\windows\system32\hakawuha.dll
c:\windows\system32\hatakuvu.dll
c:\windows\system32\jefizaya.dll
c:\windows\system32\jogekuke.dll
c:\windows\system32\kaboyene.dll
c:\windows\system32\litijihi.dll
c:\windows\system32\mdwgdy.dll
c:\windows\system32\neyavutu.dll
c:\windows\system32\palujanu.dll
c:\windows\system32\pamobeto.dll
c:\windows\system32\poponevi.dll
c:\windows\system32\rinokulo.dll
c:\windows\system32\vahuyayu.dll
c:\windows\system32\vekefubo.dll
c:\windows\system32\vibotawa.dll
c:\windows\system32\zumawuzi.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-15 to 2009-03-15 )))))))))))))))))))))))))))))))
.

2100-02-24 14:15 . 2001-04-02 16:30 821 --a------ c:\windows\Lexmark_ICM.ini
2100-02-16 16:09 . 2001-02-16 15:37 62 --a------ c:\windows\system32\LXASUSCI.INI
2009-03-15 11:10 . 2009-03-15 11:10 <DIR> d-------- c:\program files\NETGEAR
2009-03-15 11:10 . 2009-03-15 11:10 <DIR> d--h----- c:\program files\InstallShield Installation Information
2009-03-15 11:10 . 2009-03-15 11:10 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InstallShield
2009-03-15 11:10 . 2005-09-05 11:21 362,944 --a------ c:\windows\system32\drivers\WG11TND5.sys
2009-03-15 11:10 . 2005-07-27 21:15 149,392 --a------ c:\windows\system32\drivers\ar5523.bin
2009-03-13 18:02 . 2008-04-13 18:11 21,504 --a------ c:\windows\system32\hidserv.dll
2009-03-13 18:02 . 2008-04-13 18:11 21,504 --a--c--- c:\windows\system32\dllcache\hidserv.dll
2009-03-13 18:01 . 2008-04-13 12:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2009-03-13 18:01 . 2008-04-13 12:45 32,128 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2009-03-12 15:37 . 2009-03-12 15:37 <DIR> d-------- c:\windows\LocalSSL
2009-03-12 15:36 . 2009-03-12 15:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trend Micro
2009-03-12 15:36 . 2008-08-14 12:23 144,912 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-03-12 15:36 . 2008-08-14 12:23 50,192 --a------ c:\windows\system32\drivers\tmactmon.sys
2009-03-12 15:36 . 2008-08-14 12:23 49,680 --a------ c:\windows\system32\drivers\tmevtmgr.sys
2009-03-12 15:34 . 2009-03-12 15:37 <DIR> d-------- c:\program files\Trend Micro
2009-03-12 15:30 . 2007-10-03 17:57 3,527,168 --a------ c:\windows\system32\sisgrv.dll
2009-03-12 15:30 . 2007-10-03 17:57 3,527,168 --a--c--- c:\windows\system32\dllcache\sisgrv.dll
2009-03-12 15:30 . 2001-08-17 14:56 150,144 --a------ c:\windows\system32\SiS6306v.dll
2009-03-12 15:30 . 2001-08-17 14:56 150,144 --a--c--- c:\windows\system32\dllcache\sis6306v.dll
2009-03-12 15:30 . 2001-08-17 12:50 68,608 --a------ c:\windows\system32\drivers\SiS6306p.sys
2009-03-12 15:30 . 2001-08-17 12:50 68,608 --a--c--- c:\windows\system32\dllcache\sis6306p.sys
2009-03-12 15:29 . 2001-08-17 14:56 252,032 --a------ c:\windows\system32\sis300iv.dll
2009-03-12 15:29 . 2001-08-17 14:56 252,032 --a--c--- c:\windows\system32\dllcache\sis300iv.dll
2009-03-12 15:29 . 2001-08-17 12:50 101,760 --a------ c:\windows\system32\drivers\sis300ip.sys
2009-03-12 15:29 . 2001-08-17 12:50 101,760 --a--c--- c:\windows\system32\dllcache\sis300ip.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-12 21:06 --------- d-----w c:\program files\Windows Desktop Search
2009-03-12 20:23 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-12 20:23 --------- d-----w c:\program files\Common Files\InstallShield
2009-03-12 20:19 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-11 20:07 --------- d-----w c:\documents and settings\Administrator\Application Data\MSN6
2009-01-10 19:56 105,814 ----a-w c:\windows\system32\gakilime.dll
2008-12-25 19:47 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-05-27 19:04 20,888 ----a-w c:\documents and settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-03-15_14.03.19.85 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 169984]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-08-14 497008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111T Smart Wizard.lnk - c:\program files\NETGEAR\WG111T\wlan111t.exe [2009-03-15 884840]
TASKMAN.lnk - c:\windows\system32\taskmgr.exe [2001-08-30 135680]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
1 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
--a------ 2002-09-10 21:26 368706 c:\program files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X83 Button Manager]
--a------ 2001-06-14 12:42 53248 c:\progra~1\LEXMAR~1\AcBtnMgr_X83.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X83 Button Monitor]
--a------ 2001-10-18 10:25 40960 c:\progra~1\LEXMAR~1\ACMonitor_X83.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 2005-08-24 07:51 442455 c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE]
--a------ 2008-08-14 12:44 497008 c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
--a------ 2002-06-27 03:47 36864 c:\windows\system32\spool\drivers\w32x86\3\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-26 13:55 286720 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-12-25 14:47 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-09-17 15:51 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UfSeAgnt.exe]
--a------ 2008-08-14 12:19 970808 c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2004-07-01 05:23 67584 c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cisvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"TmProxy"=2 (0x2)
"TmPfw"=2 (0x2)
"TMBMServer"=2 (0x2)
"SfCtlCom"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"gusvc"=3 (0x3)
"Security Activity Dashboard Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Program Files\\LexmarkX83\\ACMonitor_X83.exe"=
"c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-03-12 49680]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-08-14 36368]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2008-03-11 17149]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-08-14 334352]
S3 FXDRV;FXDRV;\??\f:\fxdrv.sys --> f:\Fxdrv.sys [?]
S3 SiSV6306;SiSV6306;c:\windows\system32\drivers\SiS6306p.sys [2009-03-12 68608]
S4 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2009-03-12 181584]
S4 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-03-12 492888]
S4 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-03-12 677128]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://yahoo.sbc.com/dsl
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-15 17:13:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1229272821-1500820517-725345543-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1124)
c:\windows\system32\NavLogon.dll
.
Completion time: 2009-03-15 17:14:54
ComboFix-quarantined-files.txt 2009-03-15 22:14:51
ComboFix2.txt 2009-03-15 21:55:27
ComboFix3.txt 2009-03-15 19:04:18

Pre-Run: 130,954,321,920 bytes free
Post-Run: 130,933,989,376 bytes free

195 --- E O F --- 2008-12-27 10:00:58
Old 03-15-2009, 04:35 PM   #19 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,761
OS: 2000 Pro; XP Pro; XP Home


Re: Possible Trojan.Generic Infection

Outdated Java

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs):

Java(TM) 6 Update 2
Java(TM) 6 Update 3


These are all outdated, and having them still installed is a security risk. Unfortunately, Java does not uninstall these older versions when you update, nor tell you that you should. Going forward, Java will overwrite existing installs, so removing older versions should not be required after this.

Leave Java(TM) 6 Update 11 alone, as it has the most recent security updates.

---------------------------------------------------------------------------------------------

Please run this online scan to help look for remnants.

Perform an online scan with Panda ActiveScan
  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
  • Export the log and save it to your desktop.
  • Please attach the contents of that log to your reply.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

How is the machine behaving?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 03-15-2009, 06:28 PM   #20 (permalink)
Registered User
Join Date: Aug 2008
Location: Fort Worth TX
Posts: 11
OS: VISTA ULTIMATE SP1


Re: Possible Trojan.Generic Infection

Hey. The machine is running very well. Thanks.

Here are Panda results:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-03-15 19:20:16
PROTECTIONS: 1
MALWARE: 20
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Trend Micro Internet Security Pro 17.0.1224 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00122168 Application/Restart HackTools No 0 Yes No H:\Install\Tools\Restart.exe
00122738 HackTool/ExitWin.A HackTools No 0 Yes No H:\Install\Reboot.exe
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@casalemedia[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt
00444112 Bck/Tdss.C Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{DC7F8EF2-1F20-4EB2-A1F2-31382EF78F09}\RP553\A0046877.sys
00444112 Bck/Tdss.C Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSpaxt.sys.vir
00449733 Bck/Tdss.C Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{DC7F8EF2-1F20-4EB2-A1F2-31382EF78F09}\RP553\A0046878.dll
00449733 Bck/Tdss.C Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSofxh.dll.vir
00535464 Adware/Antivirus2009 Adware No 0 Yes No C:\System Volume Information\_restore{DC7F8EF2-1F20-4EB2-A1F2-31382EF78F09}\RP549\A0042860.dll
00535464 Adware/Antivirus2009 Adware No 0 Yes No C:\System Volume Information\_restore{DC7F8EF2-1F20-4EB2-A1F2-31382EF78F09}\RP549\A0042848.dll
00535464 Adware/Antivirus2009 Adware No 0 Yes No H:\Utility\Virus Malware Removal\HiJack This\BACKUPS\backup-20090313-135002-668.dll
00578275 Spyware/Virtumonde Spyware No 1 Yes No C:\Qoobox\Quarantine\[4]-Submit_2009-03-15@17.11.zip[pamobeto.dll]
00578275 Spyware/Virtumonde Spyware No 1 Yes No C:\Qoobox\Quarantine\[4]-Submit_2009-03-15@17.11.zip[zumawuzi.dll]
00585661 Spyware/Virtumonde Spyware No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\jiwofehu.dll.vir
00585661 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{DC7F8EF2-1F20-4EB2-A1F2-31382EF78F09}\RP553\A0046943.dll
00585748 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{DC7F8EF2-1F20-4EB2-A1F2-31382EF78F09}\RP553\A0046965.dll
00585748 Spyware/Virtumonde Spyware No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\vugtcu.dll.vir
00585748 Spyware/Virtumonde Spyware No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\biwifasi.dll.vir
00585748 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{DC7F8EF2-1F20-4EB2-A1F2-31382EF78F09}\RP553\A0046989.dll
00585748 Spyware/Virtumonde Spyware No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\pihuzura.dll.vir
00585748 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{DC7F8EF2-1F20-4EB2-A1F2-31382EF78F09}\RP553\A0046912.dll
00625638 Trj/Downloader.VNL Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\[4]-Submit_2009-03-15@15.14.zip[instsp1.exe]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{DC7F8EF2-1F20-4EB2-A1F2-31382EF78F09}\RP554\A0048029.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{DC7F8EF2-1F20-4EB2-A1F2-31382EF78F09}\RP553\A0047025.EXE
01895148 Malicious Packer SecRisk No 0 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSnrsr.dll.vir
01895148 Malicious Packer SecRisk No 0 Yes No C:\System Volume Information\_restore{DC7F8EF2-1F20-4EB2-A1F2-31382EF78F09}\RP553\A0046879.dll
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{DC7F8EF2-1F20-4EB2-A1F2-31382EF78F09}\RP554\A0048012.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{DC7F8EF2-1F20-4EB2-A1F2-31382EF78F09}\RP553\A0046883.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{DC7F8EF2-1F20-4EB2-A1F2-31382EF78F09}\RP553\A0047005.sys
03173354 Application/FunWeb HackTools No 0 Yes No C:\System Volume Information\_restore{DC7F8EF2-1F20-4EB2-A1F2-31382EF78F09}\RP549\A0042225.DLL
03492189 Adware/Xpantivirus2008 Adware No 0 Yes No C:\System Volume Information\_restore{DC7F8EF2-1F20-4EB2-A1F2-31382EF78F09}\RP553\A0046898.cpl
03492189 Adware/Xpantivirus2008 Adware No 0 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\scui.cpl.vir
03939310 Adware/UltimateDefender Adware No 0 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSriqp.dll.vir
03939310 Adware/UltimateDefender Adware No 0 Yes No C:\System Volume Information\_restore{DC7F8EF2-1F20-4EB2-A1F2-31382EF78F09}\RP553\A0046880.dll
05132781 Trj/Inject.K Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{DC7F8EF2-1F20-4EB2-A1F2-31382EF78F09}\RP553\A0046903.exe
05132781 Trj/Inject.K Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir
;===================================================================================================================================================================================
SUSPECTS
Sent Location J4
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description J4
;===================================================================================================================================================================================
;===================================================================================================================================================================================
Copyright 2001 - 2009, Tech Support Forum