
prep instructions

This is a discussion on prep instructions within the Resolved HJT Threads forums, part of the Tech Support Forum category.


 
 
Old 07-09-2010, 06:53 AM   #1
Registered Member
 
Join Date: Jul 2010
Posts: 15
OS: winxp



Question on the preparation instruction set-

Under the Gmer instructions, I do not see the "scan" button. When I run that program, it scans, then pops up the warning which I answer no to. I can then uncheck the boxes as indicated, but from that point, there is no scan button? I cannot get it to scan with those boxes unchecked.

Also, I am running winxp, but I'm running in safe mode because of whatever has attacked my pc. Do these programs (dds and gmer) need to run outside of safe mode?

Thanks for helping me get started down this road to freedom.
pstgh is offline  
 
Old 07-09-2010, 08:19 AM   #2
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Hello pstgh,

Yes, these tools can be run from Safe Mode. You likely can't see the scan button due to the screen resolution while in Safe Mode.

What happens while in Normal Mode?
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 07-09-2010, 09:46 AM   #3
Registered Member
 
Join Date: Jul 2010
Posts: 15
OS: winxp



Some sort of virus started running where it would pop up a browser to a site where I can purchase anti-virus software. Interestingly, when I clicked on ctrl-alt-del to see and end the process, it was able to hide that and then pop up the browser again.

I disconnected this pc from the ether so that it wouldn't communicate with some rogue site until I can get it cleaned up.

I've now run the dds and gmer scans. What should I do next?

Thanks.

PS The gmer scan is showing a hidden service in the boot sector
pstgh is offline  
 
Old 07-09-2010, 11:56 AM   #4
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Do not attempt to fix that hidden service. Kindly post the logs for me so we can begin the disinfection process.
Ried is offline  
Old 07-09-2010, 05:08 PM   #5
Registered Member
 
Join Date: Jul 2010
Posts: 15
OS: winxp



Thanks- note that these scans were done from another Administrator account- the main problem is occurring in the account called Philip Hager, which is also an administrator account on this pc. Also, fyi, the pc has been de-ethered, that is, the internet is not connected to the pc at this time.

Here is the DDS report-

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Administrator at 8:33:35.71 on Fri 07/09/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.319 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://money.cnn.com/data/markets/index.html
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
BHO: c:\windows\system32\c2559aex.dll: {c3ba40a2-75f1-52bd-f413-04b15a2c8953} - c:\windows\system32\c2559aex.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [Samsung Common SM] "c:\windows\samsung\comsmmgr\ssmmgr.exe" /autorun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [net] "c:\windows\system32\net.net"
mRun: [ewrgetuj] c:\docume~1\philip~1\locals~1\temp\geurge.exe
mRun: [vkjurucp] c:\documents and settings\philip hager\local settings\application data\tfexngyqd\mwtmecdtssd.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x08dd -f video -m logitech -d 10.5.1.2023
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {00000045-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/sg726acm.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1246396754296
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {038D8D0F-8452-4483-9A8A-F59E6490FA7E} = 205.152.37.23,205.152.150.23
TCP: {E97B9D82-0514-4589-A4EB-3037B4C10697} = 205.152.37.23,205.152.150.23
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\c2559aex.dll: {c3ba40a2-75f1-52bd-f413-04b15a2c8953} - c:\windows\system32\c2559aex.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
LSA: Notification Packages = scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\rn6um5xs.default\
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPCIG.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S0 ikgomlqv;ikgomlqv;c:\windows\system32\drivers\wntnybtk.sys --> c:\windows\system32\drivers\wntnybtk.sys [?]
S0 webtxvlx;webtxvlx;c:\windows\system32\drivers\dgcnitvx.sys --> c:\windows\system32\drivers\dgcnitvx.sys [?]
S2 gupdate1c9cda8e004a390;Google Update Service (gupdate1c9cda8e004a390);c:\program files\google\update\GoogleUpdate.exe [2009-5-5 133104]
S2 TivoBeacon2;TiVo Beacon;c:\program files\common files\tivo shared\beacon\TiVoBeacon.exe [2006-7-11 857088]
S3 AX88172;NETGEAR FA120 USB 2.0 Fast Ethernet Adapter;c:\windows\system32\drivers\FA120.sys [2006-9-9 14048]

============== File Associations ===============

txtfile=c:\program files\win32pad\win32pad.exe "%L"

=============== Created Last 30 ================

2010-07-08 21:19:06 2716 ----a-w- c:\windows\ijowihepalamu.dll
2010-07-08 21:12:06 2716 ----a-w- c:\windows\oyenufuq.dll
2010-07-08 21:10:51 766464 ----a-w- c:\windows\system32\drivers\ednmstv.sys
2010-07-08 21:09:46 30000 ----a-w- c:\windows\system32\c2559aex.dll
2010-07-08 21:08:42 36846 ----a-w- c:\windows\system32\net.net

==================== Find3M ====================

2009-09-03 17:28:22 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-09-03 17:28:22 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009090320090904\index.dat

============= FINISH: 8:35:01.56 ===============


And here is the gmer report....

GMER 1.0.15.15281 - https://www.gmer.net
Rootkit scan 2010-07-09 15:11:10
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwrcaaow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ednmstv.sys F8557000 27 Bytes JMP F8595FE1 ednmstv.sys
.text ednmstv.sys F855701C 72 Bytes [44, 24, 04, 09, 4B, 60, 66, ...]
.text ednmstv.sys F8557065 95 Bytes [44, 24, 18, 66, 0F, CE, 56, ...]
.text ednmstv.sys F85570C6 139 Bytes [F0, 5E, 8B, 74, 24, 6C, 55, ...]
.text ednmstv.sys F8557152 119 Bytes CALL F8559401 ednmstv.sys
.text ...
? C:\WINDOWS\system32\drivers\ednmstv.sys A device attached to the system is not functioning.
PAGE Ntfs.sys F8462E55 4 Bytes CALL 8335C419
init C:\WINDOWS\System32\DRIVERS\mohfilt.sys entry point in "init" section [0xF8A03760]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1168] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1168] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\svchost.exe[1168] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 0091000C
.text C:\WINDOWS\System32\svchost.exe[1168] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00AF000A
.text C:\WINDOWS\Explorer.EXE[2476] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 001F000A
.text C:\WINDOWS\Explorer.EXE[2476] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 0020000A
.text C:\WINDOWS\Explorer.EXE[2476] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 001E000C
.text C:\WINDOWS\system32\wuauclt.exe[3740] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 0092000A
.text C:\WINDOWS\system32\wuauclt.exe[3740] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 0093000A
.text C:\WINDOWS\system32\wuauclt.exe[3740] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 0091000C

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 83384F38
Device \FileSystem\Fastfat \Fat ECDA9D20

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] ednmstv <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet005\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet005\Services\[email protected] 0
Reg HKLM\SYSTEM\ControlSet005\Services\[email protected] 0
Reg HKLM\SYSTEM\ControlSet005\Services\[email protected] Boot Bus Extender
Reg HKLM\SOFTWARE\Classes\.wjf\[email protected] edit,open
Reg HKLM\SOFTWARE\Classes\.wjf\shell\edit
Reg HKLM\SOFTWARE\Classes\.wjf\shell\[email protected] edit
Reg HKLM\SOFTWARE\Classes\.wjf\shell\edit\command
Reg HKLM\SOFTWARE\Classes\.wjf\shell\edit\[email protected] "C:\Program Files\WinZip\WINZIP32.EXE" /editjobfile "%1"
Reg HKLM\SOFTWARE\Classes\.wjf\shell\edit\[email protected] 5!H)kxJu1=D2gCpteyXcComplete>5!H)kxJu1=D2gCpjZDJ! /editjobfile "%1"?
Reg HKLM\SOFTWARE\Classes\.wjf\shell\open
Reg HKLM\SOFTWARE\Classes\.wjf\shell\[email protected] open
Reg HKLM\SOFTWARE\Classes\.wjf\shell\open\command
Reg HKLM\SOFTWARE\Classes\.wjf\shell\open\[email protected] "C:\Program Files\WinZip\WINZIP32.EXE" /runjobfile "%1"
Reg HKLM\SOFTWARE\Classes\.wjf\shell\open\[email protected] 5!H)kxJu1=D2gCpteyXcComplete>5!H)kxJu1=D2gCpjZDJ! /runjobfile "%1"?
Reg HKLM\SOFTWARE\Classes\.wzmul\[email protected] open
Reg HKLM\SOFTWARE\Classes\.wzmul\shell\open
Reg HKLM\SOFTWARE\Classes\.wzmul\shell\[email protected] open
Reg HKLM\SOFTWARE\Classes\.wzmul\shell\open\command
Reg HKLM\SOFTWARE\Classes\.wzmul\shell\open\[email protected] "C:\Program Files\WinZip\WINZIP32.EXE" "%1"
Reg HKLM\SOFTWARE\Classes\.wzmul\shell\open\[email protected] 5!H)kxJu1=D2gCpteyXcComplete>5!H)kxJu1=D2gCpjZDJ! "%1"?
Reg HKLM\SOFTWARE\Classes\ezPMUtils.ContentHost\[email protected] {039B2CA5-3B41-4D93-AD77-47D3293FC5CB}
Reg HKLM\SOFTWARE\Classes\ezPMUtils.GameController\[email protected] {CA1073A2-5F3F-4445-8E5E-7109BDCEDDBE}
Reg HKLM\SOFTWARE\Classes\ezPMUtils.WindowGroup\[email protected] {42481700-CF3C-4D05-8EC6-F9A1C57E8DC0}
Reg HKLM\SOFTWARE\Classes\NBService.NBClientListener\[email protected] {35212119-C615-4cd0-8DA5-7D7F19FBA1B8}
Reg HKLM\SOFTWARE\Classes\NBService.NBClientListener\[email protected] NBService.NBClientListener.4.0
Reg HKLM\SOFTWARE\Classes\NBService.NBClientListener.4.0\[email protected] {35212119-C615-4cd0-8DA5-7D7F19FBA1B8}
Reg HKLM\SOFTWARE\Classes\PAACE\[email protected] C:\Program Files\PowerArchiver\ICONS\PAACE100.ICO
Reg HKLM\SOFTWARE\Classes\PAACE\[email protected] Open
Reg HKLM\SOFTWARE\Classes\PAACE\Shell\Open
Reg HKLM\SOFTWARE\Classes\PAACE\Shell\Open\command
Reg HKLM\SOFTWARE\Classes\PAACE\Shell\Open\[email protected] "C:\Program Files\PowerArchiver\POWERARC.EXE" "%1"
Reg HKLM\SOFTWARE\Classes\PAARC\[email protected] C:\Program Files\PowerArchiver\ICONS\PAARC100.ICO
Reg HKLM\SOFTWARE\Classes\PAARC\[email protected] Open
Reg HKLM\SOFTWARE\Classes\PAARC\Shell\Open
Reg HKLM\SOFTWARE\Classes\PAARC\Shell\Open\command
Reg HKLM\SOFTWARE\Classes\PAARC\Shell\Open\[email protected] "C:\Program Files\PowerArchiver\POWERARC.EXE" "%1"
Reg HKLM\SOFTWARE\Classes\PAARJ\Default[email protected] C:\Program Files\PowerArchiver\ICONS\PAARJ100.ICO
Reg HKLM\SOFTWARE\Classes\PAARJ\[email protected] Open
Reg HKLM\SOFTWARE\Classes\PAARJ\Shell\Open
Reg HKLM\SOFTWARE\Classes\PAARJ\Shell\Open\command
Reg HKLM\SOFTWARE\Classes\PAARJ\Shell\Open\[email protected] "C:\Program Files\PowerArchiver\POWERARC.EXE" "%1"
Reg HKLM\SOFTWARE\Classes\PABH\[email protected] C:\Program Files\PowerArchiver\ICONS\PABH100.ICO
Reg HKLM\SOFTWARE\Classes\PABH\[email protected] Open
Reg HKLM\SOFTWARE\Classes\PABH\Shell\Open
Reg HKLM\SOFTWARE\Classes\PABH\Shell\Open\command
Reg HKLM\SOFTWARE\Classes\PABH\Shell\Open\[email protected] "C:\Program Files\PowerArchiver\POWERARC.EXE" "%1"
Reg HKLM\SOFTWARE\Classes\PABH\ShellEx\DropHandler
Reg HKLM\SOFTWARE\Classes\PABH\ShellEx\[email protected] {d03d3e6A-0c44-3d45-b15f-bcfd8a8b4c7e}
Reg HKLM\SOFTWARE\Classes\PABurnerOpen\[email protected] C:\Program Files\PowerArchiver\ICONS\PA100.ICO
Reg HKLM\SOFTWARE\Classes\PABurnerOpen\[email protected] Open
Reg HKLM\SOFTWARE\Classes\PABurnerOpen\Shell\Open
Reg HKLM\SOFTWARE\Classes\PABurnerOpen\Shell\Open\command
Reg HKLM\SOFTWARE\Classes\PABurnerOpen\Shell\Open\[email protected] "C:\Program Files\PowerArchiver\PABURNTOOLS.EXE"
Reg HKLM\SOFTWARE\Classes\PABZIP2\[email protected] C:\Program Files\PowerArchiver\ICONS\PABZIP100.ICO
Reg HKLM\SOFTWARE\Classes\PABZIP2\[email protected] Open
Reg HKLM\SOFTWARE\Classes\PABZIP2\Shell\Open
Reg HKLM\SOFTWARE\Classes\PABZIP2\Shell\Open\command
Reg HKLM\SOFTWARE\Classes\PABZIP2\Shell\Open\[email protected] "C:\Program Files\PowerArchiver\POWERARC.EXE" "%1"
Reg HKLM\SOFTWARE\Classes\PACAB\[email protected] C:\Program Files\PowerArchiver\ICONS\PACAB100.ICO
Reg HKLM\SOFTWARE\Classes\PACAB\[email protected] Open
Reg HKLM\SOFTWARE\Classes\PACAB\Shell\Open
Reg HKLM\SOFTWARE\Classes\PACAB\Shell\Open\command
Reg HKLM\SOFTWARE\Classes\PACAB\Shell\Open\[email protected] "C:\Program Files\PowerArchiver\POWERARC.EXE" "%1"
Reg HKLM\SOFTWARE\Classes\PACAB\ShellEx\DropHandler
Reg HKLM\SOFTWARE\Classes\PACAB\ShellEx\[email protected] {d03d3e6A-0c44-3d45-b15f-bcfd8a8b4c7e}
Reg HKLM\SOFTWARE\Classes\PACRY\[email protected] C:\Program Files\PowerArchiver\ICONS\PAPAE100.ICO
Reg HKLM\SOFTWARE\Classes\PACRY\[email protected] Open
Reg HKLM\SOFTWARE\Classes\PACRY\Shell\Open
Reg HKLM\SOFTWARE\Classes\PACRY\Shell\Open\command
Reg HKLM\SOFTWARE\Classes\PACRY\Shell\Open\[email protected] "C:\Program Files\PowerArchiver\POWERARC.EXE" "%1"
Reg HKLM\SOFTWARE\Classes\PAENC\[email protected] C:\Program Files\PowerArchiver\ICONS\PA100.ICO
Reg HKLM\SOFTWARE\Classes\PAENC\[email protected] Open
Reg HKLM\SOFTWARE\Classes\PAENC\Shell\Open
Reg HKLM\SOFTWARE\Classes\PAENC\Shell\Open\command
Reg HKLM\SOFTWARE\Classes\PAENC\Shell\Open\[email protected] "C:\Program Files\PowerArchiver\POWERARC.EXE" "%1"
Reg HKLM\SOFTWARE\Classes\PAGZIP\[email protected] C:\Program Files\PowerArchiver\ICONS\PAGZIP100.ICO
Reg HKLM\SOFTWARE\Classes\PAGZIP\[email protected] Open
Reg HKLM\SOFTWARE\Classes\PAGZIP\Shell\Open
Reg HKLM\SOFTWARE\Classes\PAGZIP\Shell\Open\command
Reg HKLM\SOFTWARE\Classes\PAGZIP\Shell\Open\[email protected] "C:\Program Files\PowerArchiver\POWERARC.EXE" "%1"
Reg HKLM\SOFTWARE\Classes\PAISO\[email protected] C:\Program Files\PowerArchiver\ICONS\PAISO100.ICO
Reg HKLM\SOFTWARE\Classes\PAISO\[email protected] Open
Reg HKLM\SOFTWARE\Classes\PAISO\Shell\Burn using ImgBurn
Reg HKLM\SOFTWARE\Classes\PAISO\Shell\Burn using [email protected] Burn using ImgBurn
Reg HKLM\SOFTWARE\Classes\PAISO\Shell\Burn using ImgBurn\Command
Reg HKLM\SOFTWARE\Classes\PAISO\Shell\Burn using ImgBurn\[email protected] "C:\Program Files\ImgBurn\ImgBurn.exe" /MODE WRITE /SOURCE "%1"
Reg HKLM\SOFTWARE\Classes\PAISO\Shell\Open
Reg HKLM\SOFTWARE\Classes\PAISO\Shell\Open\command
Reg HKLM\SOFTWARE\Classes\PAISO\Shell\Open\[email protected] "C:\Program Files\PowerArchiver\POWERARC.EXE" "%1"
Reg HKLM\SOFTWARE\Classes\PAJAR\[email protected] C:\Program Files\PowerArchiver\ICONS\PAJAR100.ICO
Reg HKLM\SOFTWARE\Classes\PAJAR\[email protected] Open
Reg HKLM\SOFTWARE\Classes\PAJAR\Shell\Open
Reg HKLM\SOFTWARE\Classes\PAJAR\Shell\Open\command
Reg HKLM\SOFTWARE\Classes\PAJAR\Shell\Open\[email protected] "C:\Program Files\PowerArchiver\POWERARC.EXE" "%1"
Reg HKLM\SOFTWARE\Classes\PALHA\[email protected] C:\Program Files\PowerArchiver\ICONS\PALHA100.ICO
Reg HKLM\SOFTWARE\Classes\PALHA\[email protected] Open
Reg HKLM\SOFTWARE\Classes\PALHA\Shell\Open
Reg HKLM\SOFTWARE\Classes\PALHA\Shell\Open\command
Reg HKLM\SOFTWARE\Classes\PALHA\Shell\Open\[email protected] "C:\Program Files\PowerArchiver\POWERARC.EXE" "%1"
Reg HKLM\SOFTWARE\Classes\PALHA\ShellEx\DropHandler
Reg HKLM\SOFTWARE\Classes\PALHA\ShellEx\[email protected] {d03d3e6A-0c44-3d45-b15f-bcfd8a8b4c7e}
Reg HKLM\SOFTWARE\Classes\PAPBS\[email protected] C:\Program Files\PowerArchiver\ICONS\PAPBS100.ICO
Reg HKLM\SOFTWARE\Classes\PAPBS\[email protected] Open
Reg HKLM\SOFTWARE\Classes\PAPBS\Shell\Edit
Reg HKLM\SOFTWARE\Classes\PAPBS\Shell\Edit\command
Reg HKLM\SOFTWARE\Classes\PAPBS\Shell\Edit\[email protected] "C:\Program Files\PowerArchiver\POWERARC.EXE" /edit "%1"
Reg HKLM\SOFTWARE\Classes\PAPBS\Shell\Open
Reg HKLM\SOFTWARE\Classes\PAPBS\Shell\Open\command
Reg HKLM\SOFTWARE\Classes\PAPBS\Shell\Open\[email protected] "C:\Program Files\PowerArchiver\POWERARC.EXE" "%1"
Reg HKLM\SOFTWARE\Classes\PAPPF\[email protected] C:\Program Files\PowerArchiver\ICONS\PA100.ICO
Reg HKLM\SOFTWARE\Classes\PAPPF\[email protected] Install
Reg HKLM\SOFTWARE\Classes\PAPPF\Shell\Install
Reg HKLM\SOFTWARE\Classes\PAPPF\Shell\Install\command
Reg HKLM\SOFTWARE\Classes\PAPPF\Shell\Install\[email protected] "C:\Program Files\PowerArchiver\POWERARC.EXE" "%1"
Reg HKLM\SOFTWARE\Classes\PARAR\[email protected] C:\Program Files\PowerArchiver\ICONS\PARAR100.ICO
Reg HKLM\SOFTWARE\Classes\PARAR\[email protected] Open
Reg HKLM\SOFTWARE\Classes\PARAR\Shell\Open
Reg HKLM\SOFTWARE\Classes\PARAR\Shell\Open\command
Reg HKLM\SOFTWARE\Classes\PARAR\Shell\Open\[email protected] "C:\Program Files\PowerArchiver\POWERARC.EXE" "%1"
Reg HKLM\SOFTWARE\Classes\PASZIP\[email protected] C:\Program Files\PowerArchiver\ICONS\PA7Z100.ICO
Reg HKLM\SOFTWARE\Classes\PASZIP\[email protected] Open
Reg HKLM\SOFTWARE\Classes\PASZIP\Shell\Open
Reg HKLM\SOFTWARE\Classes\PASZIP\Shell\Open\command
Reg HKLM\SOFTWARE\Classes\PASZIP\Shell\Open\[email protected] "C:\Program Files\PowerArchiver\POWERARC.EXE" "%1"
Reg HKLM\SOFTWARE\Classes\PASZIP\ShellEx\DropHandler
Reg HKLM\SOFTWARE\Classes\PASZIP\ShellEx\[email protected] {d03d3e6A-0c44-3d45-b15f-bcfd8a8b4c7e}
Reg HKLM\SOFTWARE\Classes\PATAR\[email protected] C:\Program Files\PowerArchiver\ICONS\PATAR100.ICO
Reg HKLM\SOFTWARE\Classes\PATAR\[email protected] Open
Reg HKLM\SOFTWARE\Classes\PATAR\Shell\Open
Reg HKLM\SOFTWARE\Classes\PATAR\Shell\Open\command
Reg HKLM\SOFTWARE\Classes\PATAR\Shell\Open\[email protected] "C:\Program Files\PowerArchiver\POWERARC.EXE" "%1"
Reg HKLM\SOFTWARE\Classes\PATAR\ShellEx\DropHandler
Reg HKLM\SOFTWARE\Classes\PATAR\ShellEx\[email protected] {d03d3e6A-0c44-3d45-b15f-bcfd8a8b4c7e}
Reg HKLM\SOFTWARE\Classes\PAZIP\[email protected] C:\Program Files\PowerArchiver\ICONS\PAZIP100.ICO
Reg HKLM\SOFTWARE\Classes\PAZIP\[email protected] Open
Reg HKLM\SOFTWARE\Classes\PAZIP\Shell\Open
Reg HKLM\SOFTWARE\Classes\PAZIP\Shell\Open\command
Reg HKLM\SOFTWARE\Classes\PAZIP\Shell\Open\[email protected] "C:\Program Files\PowerArchiver\POWERARC.EXE" "%1"
Reg HKLM\SOFTWARE\Classes\PAZIP\ShellEx\DropHandler
Reg HKLM\SOFTWARE\Classes\PAZIP\ShellEx\[email protected] {d03d3e6A-0c44-3d45-b15f-bcfd8a8b4c7e}
Reg HKLM\SOFTWARE\Classes\PAZOO\[email protected] C:\Program Files\PowerArchiver\ICONS\PAZOO100.ICO
Reg HKLM\SOFTWARE\Classes\PAZOO\[email protected] Open
Reg HKLM\SOFTWARE\Classes\PAZOO\Shell\Open
Reg HKLM\SOFTWARE\Classes\PAZOO\Shell\Open\command
Reg HKLM\SOFTWARE\Classes\PAZOO\Shell\Open\[email protected] "C:\Program Files\PowerArchiver\POWERARC.EXE" "%1"
Reg HKLM\SOFTWARE\Classes\PowerArchiver\[email protected] C:\Program Files\PowerArchiver\ICONS\PA100.ICO
Reg HKLM\SOFTWARE\Classes\PowerArchiver\[email protected] Open
Reg HKLM\SOFTWARE\Classes\PowerArchiver\Shell\Open
Reg HKLM\SOFTWARE\Classes\PowerArchiver\Shell\Open\command
Reg HKLM\SOFTWARE\Classes\PowerArchiver\Shell\Open\[email protected] "C:\Program Files\PowerArchiver\POWERARC.EXE" "%1"
Reg HKLM\SOFTWARE\Classes\PowerArchiver\ShellEx\DropHandler
Reg HKLM\SOFTWARE\Classes\PowerArchiver\ShellEx\[email protected] {d03d3e6A-0c44-3d45-b15f-bcfd8a8b4c7e}
Reg HKLM\SOFTWARE\Classes\spmServices.DRMClientV2\[email protected] {D0D38C6E-BF64-4C42-840D-3E0019D9F7A6}
Reg HKLM\SOFTWARE\Classes\spmServices.NamedStrings\[email protected] {D5A55D2D-C59D-42C3-A5BF-4C08EEE74339}
Reg HKLM\SOFTWARE\Classes\spmServices.PluginWindow\[email protected] {BB6410D8-F879-4184-9C5C-6A02D16AE0B3}
Reg HKLM\SOFTWARE\Classes\WinZip\[email protected] C:\PROGRA~1\WINZIP\winzip32.exe,2
Reg HKLM\SOFTWARE\Classes\WinZip\shell\open
Reg HKLM\SOFTWARE\Classes\WinZip\shell\[email protected] Open with &WinZip
Reg HKLM\SOFTWARE\Classes\WinZip\shell\open\command
Reg HKLM\SOFTWARE\Classes\WinZip\shell\open\[email protected] C:\PROGRA~1\WINZIP\winzip32.exe "%1"
Reg HKLM\SOFTWARE\Classes\WinZip\shell\print
Reg HKLM\SOFTWARE\Classes\WinZip\shell\print\command
Reg HKLM\SOFTWARE\Classes\WinZip\shell\print\[email protected] C:\PROGRA~1\WINZIP\winzip32.exe /print /ni "%1"
Reg HKLM\SOFTWARE\Classes\WinZip\shellex\DropHandler
Reg HKLM\SOFTWARE\Classes\WinZip\shellex\[email protected] {E0D79306-84BE-11CE-9641-444553540000}
Reg HKLM\SOFTWARE\Classes\WinZip.JobFile\[email protected] C:\PROGRA~1\WINZIP\winzip32.exe,-22
Reg HKLM\SOFTWARE\Classes\WinZip.JobFile\[email protected] open
Reg HKLM\SOFTWARE\Classes\WinZip.JobFile\shell\edit
Reg HKLM\SOFTWARE\Classes\WinZip.JobFile\shell\[email protected] &Edit with WinZip
Reg HKLM\SOFTWARE\Classes\WinZip.JobFile\shell\edit\command
Reg HKLM\SOFTWARE\Classes\WinZip.JobFile\shell\edit\[email protected] C:\PROGRA~1\WINZIP\winzip32.exe /editjobfile "%1"
Reg HKLM\SOFTWARE\Classes\WinZip.JobFile\shell\open
Reg HKLM\SOFTWARE\Classes\WinZip.JobFile\shell\[email protected] Run with &WinZip
Reg HKLM\SOFTWARE\Classes\WinZip.JobFile\shell\open\command
Reg HKLM\SOFTWARE\Classes\WinZip.JobFile\shell\open\[email protected] C:\PROGRA~1\WINZIP\winzip32.exe /runjobfile "%1"
Reg HKLM\SOFTWARE\Classes\WinZip.RegFile\[email protected] C:\PROGRA~1\WINZIP\WinZip32.exe,0
Reg HKLM\SOFTWARE\Classes\WinZip.RegFile\[email protected] open
Reg HKLM\SOFTWARE\Classes\WinZip.RegFile\shell\open
Reg HKLM\SOFTWARE\Classes\WinZip.RegFile\shell\[email protected] Register &WinZip
Reg HKLM\SOFTWARE\Classes\WinZip.RegFile\shell\open\command
Reg HKLM\SOFTWARE\Classes\WinZip.RegFile\shell\open\[email protected] C:\PROGRA~1\WINZIP\WinZip32.exe "%1"
Reg HKLM\SOFTWARE\Classes\WZFILEVIEW.FileViewCtrl.61\[email protected] {A09AE68F-B14D-43ED-B713-BA413F034904}
Reg HKLM\SOFTWARE\Classes\WZFolderView.FolderViewCtrl.61\[email protected] {F3834A2B-19CF-4A90-BE1D-ECC410D9DA09}
Reg HKLM\SOFTWARE\Classes\WZShellViewControls.TreeNode.61\[email protected] {4E3770F4-1937-4F05-B9A2-959BE7321909}

---- EOF - GMER 1.0.15 ----

THANKS for the assistance!!!!
pstgh is offline  
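The DDS and GMER logs above are read by hand by the helper, who looks for autorun entries launching from the user's Temp and Application Data folders, an "executable" with a non-executable extension (net.net), and a boot-start driver whose file DDS could not read. The script below is an added example written for this page; it is not code from the thread, nor from DDS, GMER or ComboFix. It applies those three checks to lines taken from the posted DDS log. The assumptions are that the trailing "[?]" marker on a SERVICES / DRIVERS line means DDS could not read the driver file (that is how it appears in the log above), and that a substring match on "\temp\" and "\application data\" is a good enough proxy for a user-writable directory.

```python
"""Triage helper for DDS-style 'Pseudo HJT Report' and 'SERVICES / DRIVERS' lines.

Added example for this thread, not part of DDS, GMER or ComboFix. It flags the
three patterns the helper picked out of the posted log:
  1. an autorun (uRun/mRun/dRun) image living in a user-writable profile directory,
  2. an autorun image whose extension is not an executable type (e.g. net.net),
  3. a service/driver entry whose file DDS marked with "[?]" (could not be read).
"""
import re
from dataclasses import dataclass
from typing import List

# Sample input: lines copied from the DDS log posted in this thread.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [net] "c:\windows\system32\net.net"
mRun: [ewrgetuj] c:\docume~1\philip~1\locals~1\temp\geurge.exe
mRun: [vkjurucp] c:\documents and settings\philip hager\local settings\application data\tfexngyqd\mwtmecdtssd.exe
dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x08dd -f video -m logitech -d 10.5.1.2023
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S0 ikgomlqv;ikgomlqv;c:\windows\system32\drivers\wntnybtk.sys --> c:\windows\system32\drivers\wntnybtk.sys [?]
S3 AX88172;NETGEAR FA120 USB 2.0 Fast Ethernet Adapter;c:\windows\system32\drivers\FA120.sys [2006-9-9 14048]
"""

RUN_RE = re.compile(r"^([umd]Run(?:Once)?): \[([^\]]*)\] (.*)$")
# DDS service lines: <start type> <service name>;<display name>;<image path> [<date size>] or [?]
SVC_RE = re.compile(r"^([RS][0-4]) ([^;]+);([^;]*);(.*)$")

# Extensions one expects behind a Run key; anything else is worth a look.
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".cpl", ".sys"}
# Substrings identifying user-writable profile directories (assumption: the
# "\temp\" check also covers the 8.3 form locals~1\temp seen in the log).
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\applic~1\\")


@dataclass
class Finding:
    kind: str    # uRun / mRun / dRunOnce / S0 ...
    name: str    # Run-key value name or service name
    path: str    # image path as parsed from the line
    reason: str


def _image_path(value: str) -> str:
    """Strip a quoted path or cut an unquoted path at its extension (arguments follow)."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end] if end > 0 else v[1:]
    m = re.match(r"^(.*?\.[A-Za-z0-9]{2,4})(?:\s|$)", v)
    return m.group(1) if m else v


def _ext(path: str) -> str:
    dot, slash = path.rfind("."), path.rfind("\\")
    return path[dot:].lower() if dot > slash else ""


def triage(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            key, name, value = m.groups()
            path = _image_path(value)
            low = path.lower()
            if any(d in low for d in USER_WRITABLE):
                findings.append(Finding(key, name, path,
                                        "autorun launches from a user-writable profile directory"))
            elif _ext(low) not in EXEC_EXTS:
                findings.append(Finding(key, name, path,
                                        f"autorun image has non-executable extension {_ext(low) or '(none)'}"))
            continue
        m = SVC_RE.match(line)
        if m and m.group(4).rstrip().endswith("[?]"):
            start, svc, _display, rest = m.groups()
            path = rest.split("-->")[0].strip()
            boot = " (boot-start driver)" if start.endswith("0") else ""
            findings.append(Finding(start, svc, path,
                                    f"driver file could not be read by DDS{boot}"))
    return findings


def flagged_names(text: str) -> List[str]:
    return sorted(f.name for f in triage(text))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:8} {f.name:12} {f.reason}\n         {f.path}")
```

Run as-is, it reports net, ewrgetuj, vkjurucp and ikgomlqv and stays quiet about ctfmon, IgfxTray, WUAppSetup, Windows Defender and the NETGEAR driver, which is the same four entries the helper singles out in the replies that follow. The heuristic is a first-pass filter only: legitimate software such as updaters also runs from Application Data, so every hit still has to be confirmed by hand.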
Old 07-09-2010, 09:17 PM   #6
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



You're welcome. :)


Before we begin, I want to ensure we get the Recovery Console installed on this system. The Windows recovery console will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2


--------------------------------------------------------------------

Go to Microsoft's website => https://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer. Be sure to log in to Phil's account. We want to run the tool from there.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.




  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt in your next reply.
Ried is offline  
Old 07-10-2010, 07:59 AM   #7
Registered Member
 
Join Date: Jul 2010
Posts: 15
OS: winxp



So when I log onto that account, I get lots of warnings about an attack from the internet, etc., and I don't really know which to believe, so I basically ignore all. I moved both programs (combofix.exe and the ms program) from a flash drive over to the desktop.

Oddly, when I drag the ms program to combofix as per your instructions, I get a Security Warning popup box that says "Application cannot be executed. The file combofix.exe is infected. Do you want to activate your antivirus software now?"

Clearly, that is this virus inserting itself into the process of us trying to clean it off the pc, but what do you suggest we do now?

Thanks
pstgh is offline  
Old 07-10-2010, 08:11 AM   #8
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



It's not really infecting combofix, it's just trying to stop you from running it.

On your keyboard, press the Windows Logo key and the letter E to open Windows Explorer.

Navigate to the following folder and drag it to the desktop

c:\documents and settings\philip hager\local settings\application data\tfexngyqd

Now run Combofix as previously outlined.
Ried is offline  
Old 07-10-2010, 08:26 AM   #9
Registered Member
 
Join Date: Jul 2010
Posts: 15
OS: winxp



I dragged that folder to the desktop, and tried it again- and it tries to run, but after the little combofix box shows like three bars towards completion, it quits.
pstgh is offline  
Old 07-10-2010, 08:28 AM   #10
TSF Security Manager
Emeritus
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Boot into this account in Safe Mode and run it from there.
Ried is offline  
Old 07-10-2010, 09:27 AM   #11
Registered Member
 
Join Date: Jul 2010
Posts: 15
OS: winxp



THANKS, that worked. Here's the ComboFix log...

Interestingly, after ComboFix rebooted the pc, a popup box came up and said that some driver (sorry, I didn't write it down, but I think it is listed in the deleted files below) was not found, so there is an error in running it. Should I assume that is the virus trying to start back up?

Thanks...


ComboFix 10-07-09.02 - Philip Hager 07/10/2010 10:47:47.4.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.331 [GMT -5:00]
Running from: c:\documents and settings\Philip Hager\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Philip Hager\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\PHILIP~1\LOCALS~1\Temp\winlogon.exe
c:\documents and settings\Ashley Hager\GoToAssistDownloadHelper.exe
c:\documents and settings\Philip Hager\Application Data\inst.exe
c:\program files\Internet Explorer\SET5E6.tmp
c:\windows\ijowihepalamu.dll
c:\windows\oyenufuq.dll
c:\windows\system\WING32.DLL
c:\windows\system32\_007716_.tmp.dll
c:\windows\system32\_007717_.tmp.dll
c:\windows\system32\_007718_.tmp.dll
c:\windows\system32\_007719_.tmp.dll
c:\windows\system32\_007726_.tmp.dll
c:\windows\system32\_007727_.tmp.dll
c:\windows\system32\_007728_.tmp.dll
c:\windows\system32\_007729_.tmp.dll
c:\windows\system32\_007731_.tmp.dll
c:\windows\system32\_007732_.tmp.dll
c:\windows\system32\_007735_.tmp.dll
c:\windows\system32\_007736_.tmp.dll
c:\windows\system32\_007738_.tmp.dll
c:\windows\system32\_007739_.tmp.dll
c:\windows\system32\_007740_.tmp.dll
c:\windows\system32\_007741_.tmp.dll
c:\windows\system32\_007742_.tmp.dll
c:\windows\system32\_007743_.tmp.dll
c:\windows\system32\_007745_.tmp.dll
c:\windows\system32\_007746_.tmp.dll
c:\windows\system32\_007750_.tmp.dll
c:\windows\system32\_007751_.tmp.dll
c:\windows\system32\_007753_.tmp.dll
c:\windows\system32\_007756_.tmp.dll
c:\windows\system32\_007758_.tmp.dll
c:\windows\system32\_007759_.tmp.dll
c:\windows\system32\_007760_.tmp.dll
c:\windows\system32\_007761_.tmp.dll
c:\windows\system32\_007762_.tmp.dll
c:\windows\system32\_007765_.tmp.dll
c:\windows\system32\_007766_.tmp.dll
c:\windows\system32\_007767_.tmp.dll
c:\windows\system32\_007768_.tmp.dll
c:\windows\system32\_007769_.tmp.dll
c:\windows\system32\_007774_.tmp.dll
c:\windows\system32\_007776_.tmp.dll
c:\windows\system32\_007777_.tmp.dll
c:\windows\system32\c2559aex.dll
c:\windows\system32\Cache
c:\windows\system32\net.net
c:\windows\UFINETM1.dll

Infected copy of c:\windows\system32\kernel32.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\kernel32.dll

.
((((((((((((((((((((((((( Files Created from 2010-06-10 to 2010-07-10 )))))))))))))))))))))))))))))))
.

2010-07-09 13:36 . 2010-07-09 13:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Gena01
2010-07-08 21:12 . 2010-07-08 21:12 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-07-08 21:10 . 2010-07-10 16:10 766464 ----a-w- c:\windows\system32\drivers\ednmstv.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-10 16:07 . 2008-08-13 23:17 -------- d-----w- c:\program files\DNA
2010-07-10 16:07 . 2008-08-13 23:17 -------- d-----w- c:\documents and settings\Philip Hager\Application Data\DNA
2010-07-09 16:29 . 2007-10-04 22:47 8224 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-08 19:32 . 2009-03-15 18:26 -------- d-----w- c:\documents and settings\Philip Hager\Application Data\.tivoserver
2010-07-07 01:51 . 2009-01-30 02:54 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-07-07 01:47 . 2010-02-18 16:12 -------- d-----w- c:\documents and settings\Philip Hager\Application Data\RipIt4Me
2010-07-03 21:01 . 2010-04-18 12:00 439816 ----a-w- c:\documents and settings\Philip Hager\Application Data\Real\Update\setup3.10\setup.exe
2010-06-25 02:23 . 2008-12-29 00:06 -------- d-----w- c:\documents and settings\Philip Hager\Application Data\FileZilla
2010-04-17 21:30 . 2010-02-02 14:24 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-12 00:44 . 2004-08-15 20:09 73144 ----a-w- c:\documents and settings\Ashley Hager\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-06-19 09:16 . 2008-06-19 09:16 118784 ----a-w- c:\program files\mozilla firefox\plugins\MyCamera.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TivoTransfer"="c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2006-07-11 1174528]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2006-07-11 341504]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2006-07-11 1313792]
"PowerArchiver Tray"="c:\program files\PowerArchiver\PASTARTER.EXE" [2008-11-06 143168]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-07 323392]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 1961984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-02-10 155648]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"Samsung Common SM"="c:\windows\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-03 372736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-05-07 180269]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 434528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2008-07-26 439568]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 04:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\TiVo\\Desktop\\TiVoDesktop.exe"=
"c:\\Program Files\\TDUAP\\TDUAP.exe"=
"c:\\Program Files\\TiVo\\Desktop\\TiVoServer.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Philip Hager\\My Documents\\Downloads\\tivoserver.exe"=
"c:\\DVR Stuff\\TyTool10r4\\TyTool10r4.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56334:TCP"= 56334:TCP:Pando P2P TCP Listening Port
"56334:UDP"= 56334:UDP:Pando P2P UDP Listening Port
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"56898:TCP"= 56898:TCP:Pando P2P TCP Listening Port
"56898:UDP"= 56898:UDP:Pando P2P UDP Listening Port
"8090:TCP"= 8090:TCP:Tivo2
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R2 TivoBeacon2;TiVo Beacon;c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [7/11/2006 6:22 AM 857088]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S0 ikgomlqv;ikgomlqv;c:\windows\system32\drivers\wntnybtk.sys --> c:\windows\system32\drivers\wntnybtk.sys [?]
S0 webtxvlx;webtxvlx;c:\windows\system32\drivers\dgcnitvx.sys --> c:\windows\system32\drivers\dgcnitvx.sys [?]
S2 gupdate1c9cda8e004a390;Google Update Service (gupdate1c9cda8e004a390);c:\program files\Google\Update\GoogleUpdate.exe [5/5/2009 12:42 PM 133104]
S3 AX88172;NETGEAR FA120 USB 2.0 Fast Ethernet Adapter;c:\windows\SYSTEM32\DRIVERS\FA120.sys [9/9/2006 9:00 PM 14048]

--- Other Services/Drivers In Memory ---

*Deregistered* - ednmstv
.
Contents of the 'Scheduled Tasks' folder

2010-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-05 17:42]

2010-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-05 17:42]

2004-08-16 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2004-03-19 00:12]

2010-07-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = money.cnn.com/data/markets/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
TCP: {038D8D0F-8452-4483-9A8A-F59E6490FA7E} = 205.152.37.23,205.152.150.23
TCP: {E97B9D82-0514-4589-A4EB-3037B4C10697} = 205.152.37.23,205.152.150.23
FF - ProfilePath - c:\documents and settings\Philip Hager\Application Data\Mozilla\Firefox\Profiles\pvl16wke.default\
FF - prefs.js: browser.startup.homepage - hxxp://money.cnn.com/markets/data/index.html
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCIG.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
.
------- File Associations -------
.
txtfile=c:\program files\Win32Pad\win32pad.exe "%L"
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Nzodurubohojaf - c:\windows\UFINETM1.dll
HKCU-Run-vkjurucp - c:\documents and settings\Philip Hager\Local Settings\Application Data\tfexngyqd\mwtmecdtssd.exe
HKLM-Run-vkjurucp - c:\documents and settings\Philip Hager\Local Settings\Application Data\tfexngyqd\mwtmecdtssd.exe
MSConfigStartUp-CTFMON - (no file)
MSConfigStartUp-Pando - c:\program files\Pando Networks\Pando\Pando.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2010-07-10 11:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, https://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82D42EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf86caf28
\Driver\ACPI -> ACPI.sys @ 0xf863dcb8
\Driver\atapi -> atapi.sys @ 0xf8515852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf8421bb0
PacketIndicateHandler -> NDIS.sys @ 0xf8410a0d
SendHandler -> NDIS.sys @ 0xf8424b40
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ednmstv]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(848)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(7460)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\progra~1\MICROS~3\Office12\GRA8E1~1.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\inetsrv\inetinfo.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wscntfy.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-07-10 11:19:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-10 16:19

Pre-Run: 11,109,879,808 bytes free
Post-Run: 11,309,342,720 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Current=3 Default=3 Failed=1 LastKnownGood=5 Sets=1,2,3,5
- - End Of File - - E5682A5C411F1E8C25547957F9BCCAA8
pstgh is offline  
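The log above is what a helper reads by eye to pick out the indicators worth acting on: the Internet Explorer proxy redirected to a loopback port (the traffic hijack behind the fake-antivirus pop-ups), services whose driver binary is no longer on disk, the firewall switched off, and a copy of a system binary such as winlogon.exe sitting in a Temp folder. The following Python is an added example, not ComboFix's own code and not something posted in this thread; it parses a constructed excerpt made of lines taken from the log above and returns each class of indicator so a reviewer can check them quickly. The function names and the SAMPLE_LOG excerpt are this example's own.

```python
"""Triage helpers for ComboFix-style log text.

Added example: these helpers and the constructed SAMPLE_LOG excerpt are not
part of ComboFix or of the thread's instructions. The excerpt reuses lines
from the log posted above so the checks can be run offline.
"""
import ipaddress
import re

# Constructed excerpt of the ComboFix log above (sections mixed for brevity).
SAMPLE_LOG = r"""
uStart Page = money.cnn.com/data/markets/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S0 ikgomlqv;ikgomlqv;c:\windows\system32\drivers\wntnybtk.sys --> c:\windows\system32\drivers\wntnybtk.sys [?]
S0 webtxvlx;webtxvlx;c:\windows\system32\drivers\dgcnitvx.sys --> c:\windows\system32\drivers\dgcnitvx.sys [?]
"EnableFirewall"= 0 (0x0)
c:\docume~1\PHILIP~1\LOCALS~1\Temp\winlogon.exe
c:\windows\system32\drivers\ednmstv.sys
"""

# Core Windows binaries that legitimately live only under \windows\system32.
SYSTEM32_ONLY = {"winlogon.exe", "lsass.exe", "csrss.exe", "smss.exe",
                 "services.exe", "svchost.exe"}

# "S0 name;display;path --> path [?]" is how ComboFix marks a service whose
# binary could not be found on disk.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+-->\s+(?P<target>.+?)\s+\[\?\]\s*$")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)")
FIREWALL_OFF_RE = re.compile(r'"EnableFirewall"\s*=\s*0\b')
DRIVE_PATH_RE = re.compile(r"^[a-zA-Z]:\\")


def _lines(text):
    return [line.rstrip() for line in text.splitlines() if line.strip()]


def _is_loopback(host):
    """True for localhost or any loopback IP (IPv4 only in this example)."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def find_loopback_proxy(text):
    """ProxyServer values that point the browser at the local machine."""
    hits = []
    for line in _lines(text):
        match = PROXY_RE.search(line)
        if not match:
            continue
        value = match.group("value")
        # A value may list several "scheme=host:port" entries separated by ';'.
        for entry in value.split(";"):
            host = entry.split("=", 1)[-1].rsplit(":", 1)[0]
            if _is_loopback(host):
                hits.append(value)
                break
    return hits


def find_services_missing_binary(text):
    """(start type, service name, missing path) for services with no file."""
    found = []
    for line in _lines(text):
        match = SERVICE_RE.match(line)
        if match:
            found.append((match.group("start"), match.group("name"),
                          match.group("target")))
    return found


def firewall_disabled(text):
    """True when the standard-profile firewall policy is set to 0."""
    return any(FIREWALL_OFF_RE.search(line) for line in _lines(text))


def find_misplaced_system_binaries(text):
    """Paths whose file name is a system32-only binary but lives elsewhere."""
    hits = []
    for line in _lines(text):
        if not DRIVE_PATH_RE.match(line):
            continue
        lowered = line.lower()
        name = lowered.rsplit("\\", 1)[-1]
        if name in SYSTEM32_ONLY and "\\windows\\system32\\" not in lowered:
            hits.append(line)
    return hits


def triage(text):
    """Run every check and collect the findings in one dictionary."""
    return {
        "loopback_proxy": find_loopback_proxy(text),
        "services_missing_binary": find_services_missing_binary(text),
        "firewall_disabled": firewall_disabled(text),
        "misplaced_system_binaries": find_misplaced_system_binaries(text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The loopback-proxy check is the one that explains the symptom in this thread: with `ProxyServer = http=127.0.0.1:5577` every HTTP request is handed to a process on the infected machine before it reaches the network, which is how the rogue software substitutes its own pages. The missing-binary check picks up exactly the `ikgomlqv` and `webtxvlx` entries that the CFScript later in the thread removes.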
Old 07-10-2010, 10:03 AM   #12
TSF Security Manager
Emeritus
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



We've still got a ways to go. There is still a rootkit that we haven't seen yet and I need that file name ahead of time in case something goes wrong during the removal.

Please download Rootkit Unhooker and save it to your desktop.
  • Double-click RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it. Click Close
  • Copy the entire contents of the report and paste it in your next reply.

Note** you may get the following warning. Please click OK to continue:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"
Ried is offline  
Old 07-10-2010, 02:26 PM   #13
Registered Member
 
Join Date: Jul 2010
Posts: 15
OS: winxp



OK, thanks. I've done that, but this forum doesn't allow a report that long to be posted.
pstgh is offline  
Old 07-10-2010, 04:54 PM   #14
TSF Security Manager
Emeritus
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Please attach the report to your reply.
Ried is offline  
Old 07-10-2010, 06:29 PM   #15
Registered Member
 
Join Date: Jul 2010
Posts: 15
OS: winxp



OK- very good- here it is.

Thanks.
Attached Files
File Type: txt HookRpt.txt (162.5 KB, 19 views)
pstgh is offline  
Old 07-10-2010, 07:41 PM   #16
TSF Security Manager
Emeritus
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Thank you, now I have the name of the file that has been hijacked.

Download this file and extract TDSSKiller.exe to your Desktop.
  • Disable your onboard Anti Virus
  • Double click TDSSKiller.exe to run the tool.
  • You may be prompted to restart your machine. Type Y at the prompt

Once complete, a log will be produced at the root drive which is typically C:\.

For example, C:\TDSSKiller.2.3.0.0_24.05.2010_15.31.43_log.txt. Please post that log in your next reply.

================================

Next, read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference, as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Open notepad and copy/paste the text in the code box below into it:

Quote:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/496220-prep-instructions.html#post2799229

Collect::
C:\WINDOWS\system32\drivers\ednmstv.sys
C:\windows\system32\drivers\wntnybtk.sys
C:\windows\system32\drivers\dgcnitvx.sys

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>

Driver::
ednmstv
ikgomlqv
webtxvlx


Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************





Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Please post the TdssKiller log and the C:\ComboFix.txt in your next reply.

How is the system behaving now?
Ried is offline  
Old 07-11-2010, 03:17 AM   #17
Registered Member
 
Join Date: Jul 2010
Posts: 15
OS: winxp



After firing up TDSSKiller.exe, it notes that it has found a hidden service, lists the name of the file, and instructs me to type 'delete' without the quotes if I want to delete it?

I've got the CFScript.txt ready to go next, but am hung up at this stage in the TDSSKiller.exe program. Should I delete that (and potentially others it finds) or should I leave it for now, AND if I should leave it for now, how do you proceed without deleting? It's not really clear.

Thanks
pstgh is offline  
Old 07-11-2010, 04:48 AM   #18
TSF Security Manager
Emeritus
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



What is the name of the hidden service it has found?
Ried is offline  
Old 07-11-2010, 04:54 AM   #19
Registered Member
 
Join Date: Jul 2010
Posts: 15
OS: winxp



ednmstv
pstgh is offline  
Old 07-11-2010, 04:56 AM   #20
TSF Security Manager
Emeritus
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



No, don't let tdsskiller delete that. I am taking care of that with the CFScript I gave you and I'd prefer we take that out with ComboFix.
Ried is offline  