Old 07-07-2009, 05:34 PM   #1 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 9
OS: Windows XP Professional


An apparent infection

Hi

I have a machine exhibiting the symptoms of Conficker infection - inability to load pages on Symantec web site, view Microsoft security centre pages on updates related to the infection, etc., though I'm also unable to access pages such as Facebook and IAfrica.com. All display the same symptoms - the page says it's loading, but the load never progresses.

However, two antivirus applications have found no infection (I tried AVG first, then uninstalled that and tried Nod32). In addition, the Symantec, BitDefender and Kaspersky removal tools find no Conficker infection. I'm not sure if there are other viruses or some other malware that has similar symptoms to Conficker or if I've just got a particularly crafty version.

My internet access appears to be entirely normal except for the fact that some addresses are inaccessible.

The machine has been used to run Limewire, but it is no longer installed.

I ran SpySweeper which did find two trojans, one of which was KillAv. I don't remember the name of the other and in my attempts to fix the problem I've uninstalled and reinstalled the SpySweeper software, which lost the logs. I subsequently installed MalwareBytes Anti-Malware application which found two instances of Trojan.Agent and quarantined them. A subsequent sweep by SpySweeper revealed no new malware or spyware.

I then downloaded DDS.scr and gmer.zip and ran them. The DDS log is:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Craigus at 1:09:18.59 on 2009/07/08
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.27.1033.18.2047.1053 [GMT 2:00]

AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
FW: Webroot Desktop Firewall *enabled* {AF0CFAAE-AAB5-450a-8C74-0DEEB429DF50}

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
C:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\vVX3000.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\PRTG Traffic Grapher\watchdog\prtgwatchdog.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Documents and Settings\Craigus\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] "c:\windows\system32\ctfmon.exe"
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [googletalk] "c:\program files\google\google talk\googletalk.exe" /autostart
mRun: [Control Center] "c:\program files\asus\wlan card utilities\Center.exe"
mRun: [Kernel and Hardware Abstraction Layer] "KHALMNPR.EXE"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX3000] "c:\windows\vVX3000.exe"
mRun: [NeroFilterCheck] "c:\windows\system32\NeroCheck.exe"
mRun: [RTHDCPL] "RTHDCPL.EXE"
mRun: [Alcmtr] "ALCMTR.EXE"
mRun: [dvd43] "c:\program files\dvd43\dvd43_tray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [CanonSolutionMenu] "c:\program files\canon\solutionmenu\CNSLMAIN.exe" /logon
mRun: [CanonMyPrinter] "c:\program files\canon\myprinter\BJMyPrt.exe" /logon
mRun: [<NO NAME>]
mRun: [Webroot Desktop Firewall] "c:\program files\webroot\webroot desktop firewall\WDF.exe"
mRun: [MSConfig] "c:\windows\pchealth\helpctr\binaries\MSConfig.exe" /auto
mRun: [SpySweeper] c:\program files\webroot\webrootsecurity\SpySweeperUI.exe /startintray
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wordweb.lnk - c:\program files\wordweb\wweb32.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\craigus\applic~1\mozilla\firefox\profiles\hyof7sm2.default\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-4-21 29808]
R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [2008-7-31 103304]
R2 PRTGService;PRTG Service;c:\program files\prtg traffic grapher\PRTG Traffic Grapher.exe [2007-9-29 3822624]
R2 prtgwatchservice;PRTG Watchdog;c:\program files\prtg traffic grapher\watchdog\prtgwatchdog.exe [2007-9-29 443904]
R2 WDFNet;Webroot Desktop Firewall network service;c:\program files\webroot\webroot desktop firewall\wdfsvc.exe [2008-7-31 353672]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-4-21 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-7-7 1205760]
R3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [2007-9-10 16269]
R3 RDID1057;EDIROL UA-1EX;c:\windows\system32\drivers\Rdwm1057.sys [2009-1-22 139793]
R3 WPRO_40_901;WinPcap Packet Driver (WPRO_40_901);c:\windows\system32\drivers\wpro_40_901.sys --> c:\windows\system32\drivers\WPRO_40_901.sys [?]
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [2008-2-17 96256]
S3 kxwdmdrv;kX WDM Driver Service;c:\windows\system32\drivers\kx.sys [2004-2-17 571776]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\system32\drivers\s125bus.sys [2008-4-20 83336]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;c:\windows\system32\drivers\s125mdfl.sys [2008-4-20 15112]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;c:\windows\system32\drivers\s125mdm.sys [2008-4-20 108680]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s125mgmt.sys [2008-4-20 100488]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;c:\windows\system32\drivers\s125obex.sys [2008-4-20 98696]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]

=============== Created Last 30 ================

2009-07-07 23:46 100,880 a------- c:\windows\system32\WPRO_40_901woem.tmp
2009-07-07 23:43 775,168 a------- c:\windows\isRS-000.tmp
2009-07-07 23:43 1,563,008 a------- c:\windows\WRSetup.dll
2009-07-07 23:43 <DIR> --d----- c:\docume~1\craigus\applic~1\Webroot
2009-07-07 21:16 164 a------- c:\windows\install.dat
2009-07-07 19:07 <DIR> --d----- c:\program files\FileASSASSIN
2009-07-07 19:06 <DIR> --d----- c:\docume~1\craigus\applic~1\Malwarebytes
2009-07-07 19:05 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-07 19:05 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-07 19:05 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-07 19:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-07 07:42 <DIR> --d----- c:\windows\pss
2009-07-06 23:16 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-06 23:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-07-06 19:35 <DIR> --d----- c:\program files\MSSOAP
2009-07-06 19:33 146 a------- c:\windows\ODBC.INI
2009-07-06 19:33 <DIR> --d----- c:\program files\Webroot
2009-07-06 19:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Webroot
2009-07-06 19:02 <DIR> --d----- c:\program files\Lavasoft

==================== Find3M ====================

2009-05-07 17:44 344,064 a------- c:\windows\system32\localspl.dll
2009-04-29 06:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 06:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 11:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-15 17:11 584,192 a------- c:\windows\system32\rpcrt4.dll
2008-01-17 23:15 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-11-16 18:30 22,328 a------- c:\docume~1\craigus\applic~1\PnkBstrK.sys

============= FINISH: 1:09:48.96 ===============


The Attach.zip is attached.

Gmer did not report any rootkits.

Please advise.

Regards
Attached Files
File Type: zip Attach.zip (4.5 KB, 4 views)
TheGooseMan is offline  
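The "Pseudo HJT Report" section of the DDS log above is what the helpers read first: browser objects whose CLSID has no backing file, and Run-key entries that launch from odd places or with no path. As an added example (not part of the thread or of the DDS tool), this Python triage script applies those two checks to a constructed sample written in the same line format; the trusted-location prefixes and the sample entries are assumptions.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example, not part of the original thread or of the DDS tool. It flags
two things a malware-removal helper looks for first in such a log:
  * BHO/TB/EB entries whose CLSID has no backing file ("No File"): orphaned
    registrations that are normally cleaned up, and
  * Run-key entries whose command has no path at all (resolved through PATH,
    so a planted copy can be picked up) or that launch from outside the usual
    program locations.
SAMPLE_LOG is constructed to resemble the log in the thread; the "Updater"
entry is an invented example of a suspicious autostart, not a finding.
"""
import re

SAMPLE_LOG = r"""
uStart Page = about:blank
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] "c:\windows\system32\ctfmon.exe"
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
mRun: [RTHDCPL] "RTHDCPL.EXE"
mRun: [<NO NAME>]
mRun: [Updater] "c:\documents and settings\user\local settings\temp\update.exe"
"""

# "BHO: <optional name>: {CLSID} - No File"  (also TB: and EB: lines)
ORPHAN_RE = re.compile(
    r"^(?P<kind>BHO|TB|EB):\s*(?:(?P<name>[^{]*?):\s*)?"
    r"(?P<clsid>\{[0-9A-Fa-f-]+\})\s*-\s*No File\s*$"
)
# "uRun: [Name] "command" args"  (u = HKCU, m = HKLM, d = Default user)
RUN_RE = re.compile(r"^(?P<hive>[umd])Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# Assumed trusted locations on a stock Windows XP install.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def executable_of(cmd):
    """Return the executable part of a Run-key command line ('' if none)."""
    cmd = cmd.strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def classify_run(name, cmd):
    """Return a reason string if the Run entry deserves a look, else None."""
    exe = executable_of(cmd).lower()
    if not exe:
        return "no command"
    if "\\" not in exe:
        return "bare filename, resolved through PATH"
    if not exe.startswith(TRUSTED_PREFIXES):
        return "outside Windows/Program Files"
    return None


def triage(log_text):
    """Scan the pseudo-HJT lines and collect orphaned objects and odd Run entries."""
    orphans, runs = [], []
    for line in log_text.splitlines():
        m = ORPHAN_RE.match(line)
        if m:
            orphans.append((m.group("kind"), m.group("clsid")))
            continue
        m = RUN_RE.match(line)
        if m:
            reason = classify_run(m.group("name"), m.group("cmd"))
            if reason:
                runs.append((m.group("name"), executable_of(m.group("cmd")), reason))
    return {"orphans": orphans, "suspicious_runs": runs}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for kind, clsid in result["orphans"]:
        print("orphaned %s registration: %s" % (kind, clsid))
    for name, exe, reason in result["suspicious_runs"]:
        print("Run entry [%s] -> %r: %s" % (name, exe, reason))
```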

Old 07-13-2009, 04:13 AM   #2 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 9
OS: Windows XP Professional


Re: An apparent infection

Bump.
TheGooseMan is offline  
Old 07-13-2009, 11:32 AM   #3 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,970
OS: WinXP and Vista


Re: An apparent infection

Hello TheGooseMan and thank you for your patience. :)

Download HostsXpert.
  • Unzip HostsXpert to its own folder.
  • Run HostsXpert.exe
  • Click "Restore MS Hosts file" and then click OK.
  • Close HostsXpert.
  • Note: If a custom Hosts file was in place, you'll have to edit those entries back in.

==================================


Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:


**Vista users - right click on the IE icon and run as administrator

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

---------------------------------------------------------------

Please include the following in your next reply:

Kaspersky results
Update on system behavior
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
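The symptom in this thread (security-vendor and update sites that never finish loading) is the classic sign of a HOSTS file that blackholes or redirects those names, which is why the first step above is to restore the stock Microsoft HOSTS file. As an added example (not part of the thread or of HostsXpert), this Python script parses a constructed HOSTS file, reports entries that affect a watch-list of security and update domains, and produces a cleaned copy that keeps any other custom entries; the watch-list and sample content are assumptions.

```python
"""Check a Windows HOSTS file for entries that block or redirect security
and update sites.  Added example, not part of the original thread or of
HostsXpert.  SAMPLE_HOSTS is constructed; a stock Microsoft HOSTS file maps
only "localhost", so every other line is a custom entry worth a look, and
the ones hitting WATCHED_DOMAINS are the ones that produce the symptom in
the thread."""
import ipaddress

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       update.microsoft.com   windowsupdate.microsoft.com
0.0.0.0         www.kaspersky.com
10.0.0.5        www.facebook.com      # constructed redirect to a LAN address
192.168.1.20    fileserver.lan        # legitimate custom entry, must survive
"""

# Assumed watch-list: vendors and sites mentioned in the thread.
WATCHED_DOMAINS = (
    "symantec.com", "microsoft.com", "windowsupdate.com", "kaspersky.com",
    "bitdefender.com", "avg.com", "eset.com", "malwarebytes.org", "facebook.com",
)
LOCAL_NAMES = ("localhost", "localhost.localdomain", "broadcasthost")


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping, ignoring comments."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a HOSTS mapping line
        for host in parts[1:]:
            yield ip, host.lower(), n


def on_watchlist(host):
    """True if host is a watched domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_entries(text):
    """Return [(line_no, host, kind)] for watched names that are blackholed
    (mapped to loopback or 0.0.0.0) or redirected elsewhere."""
    findings = []
    for ip, host, n in parse_hosts(text):
        if host in LOCAL_NAMES or not on_watchlist(host):
            continue
        if ip.is_loopback or ip.is_unspecified:
            kind = "blackholed"
        else:
            kind = "redirected to %s" % ip
        findings.append((n, host, kind))
    return findings


def clean_hosts(text):
    """Return the file with the flagged lines dropped; other custom entries
    (the ones the helper's note says you would have to re-add) are kept."""
    bad = {n for n, _, _ in suspicious_entries(text)}
    kept = [l for n, l in enumerate(text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for n, host, kind in suspicious_entries(SAMPLE_HOSTS):
        print("line %d: %s %s" % (n, host, kind))
    print(clean_hosts(SAMPLE_HOSTS))
```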
Old 07-14-2009, 03:18 PM   #4 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 9
OS: Windows XP Professional


Re: An apparent infection

Hi

There's been no change in the system's behaviour. I'm still unable to connect to sites such as Symantec, Windows Update and Facebook.

The Kaspersky online scan report is:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, July 14, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, July 14, 2009 09:00:38
Records in database: 2467466
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 127952
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 01:53:01


File name / Threat name / Threats count
E:\MoveToAnotherDrive\Download\MMedia\DVD\Region\RegionKiller\SetupRegKill2702.exe Infected: not-a-virus:AdWare.Win32.CommonName.af 1
E:\MoveToAnotherDrive\Temp\CarlosIPodShuffle\F00\BHXF.mp3 Infected: Virus.DOS.PS-MPC.Bamestra.531 1

The selected area was scanned.


Regards
TheGooseMan is offline  
Old 07-15-2009, 10:22 PM   #5 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,970
OS: WinXP and Vista


Re: An apparent infection

Did you happen to save the log from MBAM? If so, please post the contents in your next reply.
Ried is offline  
Old 07-15-2009, 11:38 PM   #6 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 9
OS: Windows XP Professional


Re: An apparent infection

Hi

MBAM log:

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 2

2009/07/07 08:07:44 PM
mbam-log-2009-07-07 (20-07-44).txt

Scan type: Full Scan (C:\|E:\|I:\|)
Objects scanned: 246437
Time elapsed: 50 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Tasks\SysFile.brk (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3.ext (Trojan.Agent) -> Quarantined and deleted successfully.

Regards
TheGooseMan is offline  
Old 07-15-2009, 11:45 PM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,970
OS: WinXP and Vista


Re: An apparent infection

Thank you. :)

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

====================================================


Download ComboFix from here and save it to your desktop.


*IMPORTANT - Be sure to save ComboFix.exe directly to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal.

====================================================


Double click on combofix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
Ried is offline  
Old 07-17-2009, 01:31 AM   #8 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 9
OS: Windows XP Professional


Re: An apparent infection

I can't download the recovery console so I'm going to try installing it from the XP installation disc. It may complain since the disc is pre any service packs and I seem to remember SP3 being installed on the machine, so some injection of service pack stuff is likely to have to take place before it'll work. Should be able to get it sorted over the weekend so I can run ComboFix.
TheGooseMan is offline  
Old 07-17-2009, 08:24 AM   #9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,970
OS: WinXP and Vista


Re: An apparent infection

I wish you would have come here and told me about this. There is a simpler solution.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System

Download the file & save it as it's originally named.


---------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.


  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.
Ried is offline  
Old 07-19-2009, 03:05 PM   #10 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 9
OS: Windows XP Professional


Re: An apparent infection

I couldn't do that anyway as it seems I can't connect/download from Microsoft. Recovery console installed via integrating SP2 into original i386 folder.

ComboFix log:

ComboFix 09-07-19.02 - Craigus 2009/07/19 22:44.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.27.1033.18.2047.1519 [GMT 2:00]
Running from: c:\documents and settings\Craigus\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Craigus\Application Data\.#
c:\documents and settings\Craigus\Application Data\.#\MBX@13C4@A141C8.###
c:\documents and settings\Craigus\Application Data\.#\MBX@13C4@A141F8.###
c:\documents and settings\Craigus\Application Data\.#\MBX@13C4@A14218.###
c:\documents and settings\Craigus\Application Data\.#\MBX@13C4@A14228.###
c:\documents and settings\Craigus\Application Data\.#\MBX@1794@A141C8.###
c:\documents and settings\Craigus\Application Data\.#\MBX@1794@A141F8.###
c:\documents and settings\Craigus\Application Data\.#\MBX@1794@A14228.###
c:\documents and settings\Craigus\Application Data\.#\MBX@738@A141C8.###
c:\documents and settings\Craigus\Application Data\.#\MBX@738@A141E8.###
c:\documents and settings\Craigus\Application Data\.#\MBX@738@A141F8.###
c:\documents and settings\Craigus\Application Data\.#\MBX@738@A14218.###
c:\documents and settings\Craigus\Application Data\.#\MBX@738@A14228.###
c:\documents and settings\Craigus\Application Data\.#\MBX@8E0@A141C8.###
c:\documents and settings\Craigus\Application Data\.#\MBX@8E0@A141F8.###
c:\documents and settings\Craigus\Application Data\.#\MBX@8E0@A14228.###
c:\documents and settings\Craigus\Application Data\.#\MBX@9DC@A141C8.###
c:\documents and settings\Craigus\Application Data\.#\MBX@9DC@A141F8.###
c:\documents and settings\Craigus\Application Data\.#\MBX@9DC@A14228.###
c:\documents and settings\Craigus\Application Data\.#\MBX@AB0@A141C8.###
c:\documents and settings\Craigus\Application Data\.#\MBX@AB0@A141F8.###
c:\documents and settings\Craigus\Application Data\.#\MBX@AB0@A14218.###
c:\documents and settings\Craigus\Application Data\.#\MBX@AB0@A14228.###
c:\documents and settings\Craigus\Application Data\.#\MBX@B34@A141C8.###
c:\documents and settings\Craigus\Application Data\.#\MBX@B34@A141F8.###
c:\documents and settings\Craigus\Application Data\.#\MBX@B34@A14218.###
c:\documents and settings\Craigus\Application Data\.#\MBX@B34@A14228.###
c:\documents and settings\Craigus\Application Data\.#\MBX@D0C@A141C8.###
c:\documents and settings\Craigus\Application Data\.#\MBX@D0C@A141F8.###
c:\documents and settings\Craigus\Application Data\.#\MBX@D0C@A14218.###
c:\documents and settings\Craigus\Application Data\.#\MBX@D0C@A14228.###
c:\windows\system32\Cache
c:\windows\system32\Data
c:\windows\system32\windows.txt

.
((((((((((((((((((((((((( Files Created from 2009-06-19 to 2009-07-19 )))))))))))))))))))))))))))))))
.

2009-07-19 20:37 . 2009-07-19 20:38 -------- d-----w- C:\7e1e2c24f171c11dd1dbe43d3f0170
2009-07-19 20:26 . 2009-07-19 20:32 -------- d-----w- C:\xpsp2
2009-07-19 20:26 . 2009-07-19 20:38 -------- d-----w- C:\xpcd
2009-07-14 06:06 . 2009-07-14 06:05 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-08 22:29 . 2009-07-08 22:29 -------- d-----w- C:\VundoFix Backups
2009-07-07 19:51 . 2009-07-16 18:06 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-07-07 19:16 . 2009-07-07 21:42 164 ----a-w- c:\windows\install.dat
2009-07-07 17:07 . 2009-07-07 17:07 -------- d-----w- c:\program files\FileASSASSIN
2009-07-07 17:06 . 2009-07-07 17:06 -------- d-----w- c:\documents and settings\Craigus\Application Data\Malwarebytes
2009-07-07 17:05 . 2009-06-17 09:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-07 17:05 . 2009-07-07 18:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-07 17:05 . 2009-07-07 17:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-07 17:05 . 2009-06-17 09:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-06 21:16 . 2009-07-07 18:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-06 21:16 . 2009-07-07 18:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-06 17:35 . 2009-07-06 17:35 -------- d-----w- c:\program files\MSSOAP
2009-07-06 17:33 . 2009-07-16 05:40 -------- d-----w- c:\program files\Webroot
2009-07-06 17:15 . 2009-07-16 17:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2009-07-06 17:02 . 2009-07-07 18:16 -------- d-----w- c:\program files\Lavasoft
2009-07-06 17:02 . 2009-07-07 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-05 12:30 . 2009-07-05 12:30 -------- d-----w- c:\documents and settings\Administrator.GOOSEMAN\Local Settings\Application Data\AVG Security Toolbar
2009-07-05 12:30 . 2009-07-05 12:30 -------- d-----w- c:\documents and settings\Administrator.GOOSEMAN\Local Settings\Application Data\Mozilla
2009-07-05 08:29 . 2009-07-05 08:29 -------- d-----w- c:\documents and settings\Administrator.GOOSEMAN\Application Data\Sony Ericsson

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-19 18:19 . 2009-07-19 18:19 100880 ----a-w- c:\windows\system32\WPRO_40_901woem.tmp
2009-07-19 18:19 . 2008-11-18 20:02 -------- d-----w- c:\program files\Steam
2009-07-17 05:09 . 2007-10-01 20:35 -------- d-----w- c:\program files\Zoom Player
2009-07-14 06:05 . 2007-08-31 19:31 -------- d-----w- c:\program files\Java
2009-07-08 22:07 . 2007-08-30 22:17 35256 ----a-w- c:\documents and settings\Craigus\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-07 18:38 . 2007-12-04 04:16 -------- d-----w- c:\program files\Common Files\Teleca Shared
2009-07-07 18:33 . 2007-10-01 20:39 -------- d-----w- c:\program files\RealMedia
2009-07-07 18:26 . 2007-09-30 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-07 18:24 . 2007-12-26 20:25 -------- d-----w- c:\program files\IBM
2009-07-07 18:23 . 2007-09-28 20:24 -------- d-----w- c:\program files\GetRight
2009-07-07 18:21 . 2008-01-05 23:05 -------- d-----w- c:\program files\DVD X Player Pro
2009-07-07 18:16 . 2007-08-30 22:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-06 19:40 . 2008-02-17 19:50 -------- d-----w- c:\program files\Creative
2009-07-06 18:35 . 2008-05-31 09:35 -------- d-----w- c:\program files\Bonjour
2009-05-16 00:14 . 2009-05-16 00:14 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-05-14 13:49 . 2009-05-14 13:49 94360 ------w- c:\windows\system32\drivers\epfwtdir.sys
2009-05-14 13:47 . 2009-05-14 13:47 107256 ------w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 13:41 . 2009-05-14 13:41 114472 ------w- c:\windows\system32\drivers\eamon.sys
2009-05-08 20:09 . 2009-05-08 20:09 130 ----a-w- c:\documents and settings\Craigus\Local Settings\Application Data\fusioncache.dat
2009-05-07 15:44 . 2002-08-29 01:41 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2002-08-29 01:41 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2007-08-30 22:31 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-22 17:06 . 2008-12-23 21:06 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2008-01-05 23:24 . 2008-01-05 23:24 24 --sh--w- c:\windows\SBA0AC57A.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-09-18 171464]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-09-22 1871872]
"Steam"="c:\program files\Steam\Steam.exe" [2008-11-18 1410296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-14 148888]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Control Center"="c:\program files\ASUS\WLAN Card Utilities\Center.exe" [2006-03-09 1669120]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-01-13 275800]
"VX3000"="c:\windows\vVX3000.exe" [2006-12-05 707360]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2008-03-01 826880]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-03 110592]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-01-09 16859648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-8-23 805392]
WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2007-9-2 19968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 00:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\PRTG Traffic Grapher\\PRTG Traffic Grapher.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Games\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Games\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"e:\\Games\\The Lord of the Rings Online\\lotroclient.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"135:TCP"= 135:TCP:DCOM(135)

R2 PRTGService;PRTG Service;c:\program files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe [2007/09/29 12:35 AM 3822624]
R2 prtgwatchservice;PRTG Watchdog;c:\program files\PRTG Traffic Grapher\watchdog\prtgwatchdog.exe [2007/09/29 12:35 AM 443904]
R3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [2007/09/10 06:00 PM 16269]
R3 RDID1057;EDIROL UA-1EX;c:\windows\system32\drivers\Rdwm1057.sys [2009/01/22 08:04 PM 139793]
R3 WPRO_40_901;WinPcap Packet Driver (WPRO_40_901);c:\windows\system32\drivers\WPRO_40_901.sys --> c:\windows\system32\drivers\WPRO_40_901.sys [?]
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [2008/02/17 04:07 PM 96256]
S3 kxwdmdrv;kX WDM Driver Service;c:\windows\system32\drivers\kx.sys [2004/02/17 12:19 AM 571776]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005/09/23 07:01 AM 2799808]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Craigus\Application Data\Mozilla\Firefox\Profiles\hyof7sm2.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-19 22:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-861567501-1425521274-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:fc,28,00,6a,e1,5a,23,95,db,e7,65,ed,c4,bd,e5,fb,c3,a5,15,62,9e,d0,d5,
71,d9,a7,52,2b,18,ac,3c,75,e2,aa,ec,cb,c9,4b,a2,47,5e,92,cd,75,6c,72,4c,94,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
Completion time: 2009-07-19 22:49
ComboFix-quarantined-files.txt 2009-07-19 20:49

Pre-Run: 54,738,272,256 bytes free
Post-Run: 55,489,654,784 bytes free

206 --- E O F --- 2009-06-24 06:20

Regards
07-20-2009, 08:01 AM   #11
Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,970
OS: WinXP and Vista

Re: An apparent infection

Can you access those sites now?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
07-21-2009, 02:29 PM   #12
TheGooseMan
Registered User
Join Date: Jul 2009
Posts: 9
OS: Windows XP Professional

Re: An apparent infection

No, still nothing.
07-21-2009, 04:31 PM   #13
Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,970
OS: WinXP and Vista

Re: An apparent infection

Please ensure Hidden files and folders are viewable:

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
* Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

I'd like to see your hosts file. Navigate to C:\windows\system32\drivers\etc\hosts and attach that file in your next reply.
07-23-2009, 01:41 PM   #14
TheGooseMan
Registered User
Join Date: Jul 2009
Posts: 9
OS: Windows XP Professional

Re: An apparent infection

Here's the hosts file:

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost

-----------

It's taken a while to reply as I've been fiddling with my laptop which has been experiencing the same problems. I thought that both might've gotten the virus (I use my laptop and desktop more or less interchangeably and with the same removable media, etc., so it's possible one infected the other).

What I've been doing is installing Ubuntu on a dual-boot to see if I get the same problems running linux. Which I do.

I don't know if there's any way that could be a virus. I don't know enough to know if that's possible. My gut says, "No," which indicates that the problem lies outside my machines and in my router (which, I suppose, could get a virus like anything else) or further down the chain.

Let me know what you think. For now I'm going to try resetting my router to see if that makes any difference. I won't mess with the desktop in any way, except insofar as you give me instructions on what to mess with.

Regards
07-23-2009, 11:12 PM   #15
Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,970
OS: WinXP and Vista

Re: An apparent infection

That was going to be my next question - do you have a router - after seeing your hosts file is as it should be.

Yes, it's entirely possible the router has been hijacked. What I'd like you to do is a hard reset with your router. Leave it on, and there should be a little pinhole in the back of the unit. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).

Then change your admin login and password--make it a strong password.

You may also want to ask your ISP for help in case there are custom settings that need to be maintained.

If you need further assistance in carrying that out, let me know the brand of router you have.
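As an added illustration of the check Ried performs on the posted hosts file (example code written for this page, not part of the thread or any tool used in it): the parser below lists a Windows hosts file's active mappings and flags anything a default XP install would not carry, using a clean sample reduced from the file posted above and a constructed hijacked variant. The vendor hostnames and the 192.0.2.10 address in the hijacked sample are constructed for illustration.

```python
import ipaddress

# Constructed sample: the clean hosts file from the thread, reduced to its
# one active line plus a couple of its comment lines.
CLEAN_HOSTS = """# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
"""

# Constructed hijacked variant: vendor sites sent elsewhere or pinned to
# loopback, which produces the "page never finishes loading" symptom.
HIJACKED_HOSTS = """127.0.0.1 localhost
# constructed redirect: vendor site sent to a non-loopback address
192.0.2.10 www.symantec.com update.microsoft.com
127.0.0.1 securityresponse.symantec.com
"""

# Hostnames that legitimately resolve to loopback on a stock install.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (ip, [hostnames]) for each active line, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop whole-line and trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                            # malformed line maps nothing
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first column is not an IP
        entries.append((str(ip), [h.lower() for h in fields[1:]]))
    return entries


def suspicious_entries(text):
    """Flag mappings a clean XP hosts file would not contain: any name other
    than the loopback names, whether pinned to loopback (site blocked) or
    pointed at some other address (site redirected)."""
    flagged = []
    for ip, names in parse_hosts(text):
        loopback = ipaddress.ip_address(ip).is_loopback
        for name in names:
            if name in LOOPBACK_NAMES and loopback:
                continue
            reason = "pinned to loopback" if loopback else "redirected to " + ip
            flagged.append((name, reason))
    return flagged


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_HOSTS), ("hijacked", HIJACKED_HOSTS)):
        print(label, suspicious_entries(text) or "no non-default mappings")
```

A clean file such as the one posted yields no flags; a hijacked file reports each redirected or blocked name, which is the quick read that let the helper rule out the hosts file and move on to the router.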
07-27-2009, 01:26 AM   #16
TheGooseMan
Registered User
Join Date: Jul 2009
Posts: 9
OS: Windows XP Professional

Re: An apparent infection

Hi

Yep, after all that it was the router causing the problem.

Thanks for all your help.
07-27-2009, 06:08 PM   #17
Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,970
OS: WinXP and Vista

Re: An apparent infection

You're welcome. Let's tidy up a bit....

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u


================================

Take care and Think Prevention

All times are GMT -7. The time now is 02:54 AM.
Copyright 2001 - 2009, Tech Support Forum