TechSpot

Virus Malware Removal

By NCBucknut
May 12, 2011
  1. GMER Log:

    GMER 1.0.15.15627 - http://www.gmer.net
    Rootkit scan 2011-05-12 17:06:41
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST916041 rev.0003
    Running: ypktmtx8.exe; Driver: C:\DOCUME~1\setup\LOCALS~1\Temp\fwloipob.sys


    ---- System - GMER 1.0.15 ----

    SSDT 8989B1A0 ZwAlertResumeThread
    SSDT 899B2258 ZwAlertThread
    SSDT 85AF55A0 ZwAllocateVirtualMemory
    SSDT 8920C260 ZwConnectPort
    SSDT 85A39888 ZwCreateMutant
    SSDT 85AF9458 ZwCreateThread
    SSDT 85A44AA8 ZwFreeVirtualMemory
    SSDT 85AF9420 ZwImpersonateAnonymousToken
    SSDT 8A46E0F0 ZwImpersonateThread
    SSDT 85A36C40 ZwMapViewOfSection
    SSDT 85AF94B8 ZwOpenEvent
    SSDT 89954268 ZwOpenProcessToken
    SSDT 85A322C8 ZwOpenThreadToken
    SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xB6A3F8B0]
    SSDT 8A46B1F8 ZwResumeThread
    SSDT 89998220 ZwSetContextThread
    SSDT 85A32398 ZwSetInformationProcess
    SSDT 85AF95C0 ZwSetInformationThread
    SSDT 85A39850 ZwSuspendProcess
    SSDT 89955958 ZwSuspendThread
    SSDT 899A4D00 ZwTerminateProcess
    SSDT 89992090 ZwTerminateThread
    SSDT 8A3F5840 ZwUnmapViewOfSection
    SSDT 85A44B78 ZwWriteVirtualMemory

    ---- Kernel code sections - GMER 1.0.15 ----

    ? vrhmqsfu.sys The system cannot find the file specified. !

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
    Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
    Device 9DA02D20
    Device 9D9FF7B4

    AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----

    DDS.TXT Log:
    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by setup at 17:37:31.64 on Thu 05/12/2011
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3027.2407 [GMT -4:00]
    .
    AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    FW: Symantec Endpoint Protection *Disabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    svchost.exe
    svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\idt\dellxpm09b_6124v037\wdm\stacsv.exe
    svchost.exe
    C:\PROGRA~1\CrossTec\CROSST~1\client32.exe
    C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
    C:\Program Files\Asset Services Management\ASMAgent.exe
    C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
    C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\IDT\WDM\sttray.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\AESTFltr.exe
    C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
    C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
    C:\Program Files\PrintKey2000\Printkey2000.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\WINDOWS\system32\igfxext.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Documents and Settings\setup\Desktop\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
    mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
    mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
    mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
    mRun: [Apoint] c:\program files\delltpad\Apoint.exe
    mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [SonicWALLNetExtender] c:\program files\sonicwall\ssl-vpn\netextender\NEGui.exe -hideGUI -clearReboot
    mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
    mRun: [Timekeeper Central] "c:\program files\kronos\timekeeper central\tkc\RemapClientDrives.exe" Timekeeper Central
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\printk~1.lnk - c:\program files\printkey2000\Printkey2000.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab
    DPF: {627C5D14-CB66-493E-B0F3-589C7E2FA813} - hxxp://192.168.5.50/WebClient.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1296853435200
    DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} - hxxps://192.168.5.2/NELX.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} - hxxp://sqlservernc/tms/viewers/activeXViewer/activexviewer.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {FE92D9C3-4A69-4EC7-8651-1DC8531D0075} - hxxp://192.168.5.49/user/TSBnwCam.CAB
    Notify: igfxcui - igfxdev.dll
    Notify: LMIinit - LMIinit.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2009-4-27 293968]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-6-15 108392]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-6-15 108392]
    R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2009-7-16 376096]
    R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-27 374152]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-5-31 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-11-5 47640]
    R2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\nitro pdf\reader\NitroPDFReaderDriverService.exe [2011-1-14 196912]
    R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-6-15 1831024]
    R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2010-11-5 112128]
    R3 ASMMEMORYDRIVER;ASMMEMORYDRIVER;c:\program files\asset services management\ASMMemoryDriver.sys [2010-11-5 2560]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-10 105592]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2010-11-5 109568]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110511.033\NAVENG.SYS [2011-5-12 86136]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110511.033\NAVEX15.SYS [2011-5-12 1393144]
    R3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [2009-2-23 20504]
    S0 cerc6;cerc6; [x]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2010-6-15 23888]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]
    .
    =============== Created Last 30 ================
    .
    2011-05-12 19:39:48 -------- d-----w- c:\docume~1\setup\applic~1\Malwarebytes
    2011-05-12 19:39:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-12 19:39:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-05-12 19:39:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-12 19:39:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-02 14:03:21 -------- d-----w- c:\docume~1\setup\locals~1\applic~1\MotionDSP
    2011-05-02 14:03:11 -------- d-----w- c:\docume~1\setup\applic~1\MotionDSP
    2011-05-02 14:03:04 -------- d-----w- c:\program files\vReveal
    2011-04-26 19:49:41 -------- d-----w- c:\program files\NxRemoteXH
    2011-04-16 12:34:26 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
    2011-04-15 14:49:02 -------- d-----w- c:\program files\Barnstead 2.00
    2011-04-15 14:48:35 249856 ------w- c:\windows\Setup1.exe
    2011-04-15 14:48:33 73216 ----a-w- c:\windows\ST6UNST.EXE
    2011-04-13 20:25:51 -------- d-----w- C:\CWorksSQL-WR
    2011-04-13 15:32:43 26416 ----a-w- c:\windows\system32\nitrolocalmon.dll
    2011-04-13 15:32:43 17712 ----a-w- c:\windows\system32\nitrolocalui.dll
    2011-04-13 15:32:32 -------- d-----w- c:\program files\common files\Nitro PDF
    2011-04-13 15:30:39 -------- d-----w- c:\docume~1\setup\locals~1\applic~1\OpenCandy
    2011-04-13 15:30:37 -------- d-----w- c:\docume~1\setup\applic~1\OpenCandy
    2011-04-13 15:30:36 -------- d-----w- c:\program files\Nitro PDF
    .
    ==================== Find3M ====================
    .
    2011-03-08 16:53:27 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-03-08 16:53:26 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
    2011-02-28 22:37:32 180624 ----a-w- c:\windows\system32\Primomonnt.dll
    2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-02-22 23:06:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
    2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
    .
    ============= FINISH: 17:37:59.03 ===============

    Attach.txt:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 11/3/2010 5:58:57 PM
    System Uptime: 5/12/2011 5:25:02 PM (0 hours ago)
    .
    Motherboard: Dell Inc. | | 0D693C
    Processor: Intel Pentium III Xeon processor | Microprocessor | 1591/266mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 149 GiB total, 134.457 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: SM Bus Controller
    Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_02621028&REV_02\3&61AAA01&0&FB
    Manufacturer:
    Name: SM Bus Controller
    PNP Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_02621028&REV_02\3&61AAA01&0&FB
    Service:
    .
    ==== System Restore Points ===================
    .
    RP1: 5/11/2011 7:55:07 AM - System Checkpoint
    RP2: 5/11/2011 5:45:02 PM - Software Distribution Service 3.0
    .
    ==== Installed Programs ======================
    .
    .
    32 Bit HP BiDi Channel Components Installer
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader X (10.0.1)
    Adobe Shockwave Player 11.5
    AnswerWorks Runtime
    ASMBaseMSI
    Broadcom Gigabit Integrated Controller
    ClearType Tuning Control Panel Applet
    CrossTec Remote Control
    CWorksSQL-Client WR
    Dell ControlPoint System Manager
    Dell Resource CD
    Dell Touchpad
    FastStone Image Viewer 4.2
    FRx 6.7 C:\Program Files\FRx Software\FRx 6.7 DrillDown Viewer
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    IDT Audio
    InfinityQS ProFicient
    Intel PROSet Wireless
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PROSet/Wireless WiFi Software
    Java Auto Updater
    Java(TM) 6 Update 24
    Kronos Data Collection Manager (Timekeeper Central)
    Kronos Timekeeper Central 4.4 (Timekeeper Central)
    Legitronic Standard Series Labeling Software
    LiveUpdate 3.3 (Symantec Corporation)
    LogMeIn
    Lotus Notes 6.5.1
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Plus 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Nitro PDF Reader
    PrimoPDF -- brought to you by Nitro PDF Software
    PrintKey2000
    Prism Video File Converter
    RICOH R5C83x/84x Media Driver Ver.3.53.02
    SBClient
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2466156)
    Security Update for 2007 Microsoft Office System (KB2509488)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2464583)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
    Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
    Security Update for Microsoft Office Publisher 2007 (KB2284697)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Windows Internet Explorer 7 (KB2360131)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360131)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    SolidWorks eDrawings 2011
    SonicWALL SSL-VPN NetExtender
    Symantec Endpoint Protection
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office Outlook 2007 (KB2509470)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Microsoft Windows (KB971513)
    Update for Outlook 2007 Junk Email Filter (KB2536413)
    Update for Windows Internet Explorer 8 (KB2447568)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Van **** Technologies CRT 2.2
    vReveal
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Live OneCare safety scanner
    Windows Media Format 11 runtime
    Windows Media Player 11
    .
    ==== Event Viewer Messages From Past Week ========
    .
    5/9/2011 7:13:31 AM, error: NETLOGON [5719] - No Domain Controller is available for domain NC due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
    5/6/2011 2:07:09 PM, error: DCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {BA126AD1-2166-11D1-B1D0-00805FC1270E} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
    5/6/2011 2:06:59 PM, error: DCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
    5/6/2011 2:04:51 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the ShellHWDetection service.
    5/6/2011 2:04:34 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the RasMan service.
    5/6/2011 2:03:51 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the wuauserv service.
    5/6/2011 2:03:24 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the W32Time service.
    5/6/2011 2:02:45 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Schedule service.
    5/6/2011 2:02:28 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the SENS service.
    5/5/2011 9:57:06 AM, error: iastor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.
    5/12/2011 4:02:29 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    5/12/2011 4:02:29 PM, error: ACPIEC [1] - \Device\ACPIEC: The embedded controller (EC) hardware didn't respond within the timeout period. This may indicate an error in the EC hardware or firmware, or possibly a poorly designed BIOS which accesses the EC in an unsafe manner. The EC driver will retry the failed transaction if possible.
    .
    ==== End Of File ===========================
     
  2. Bobbye


    Please keep all the programs, scans, comments for this problem on this thread.

    Please repost your Mbam log here. I am going to close the other thread.
     
  3. NCBucknut


    Ok, sorry about that. Here is the Mbam log....

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6563

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    5/12/2011 3:59:24 PM
    mbam-log-2011-05-12 (15-59-24).txt

    Scan type: Quick scan
    Objects scanned: 218667
    Time elapsed: 11 minute(s), 48 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 6

    Memory Processes Infected:
    c:\WINDOWS\Wtotya.exe (Trojan.Downloader) -> 2416 -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\5GUTNY6MFK (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\R8388QA8U8 (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\R8388QA8U8 (Trojan.Downloader) -> Value: R8388QA8U8 -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\WINDOWS\Wtotya.exe (Trojan.Downloader) -> Delete on reboot.
    c:\Documents and Settings\setup\Local Settings\Temp\Wrx.exe (Trojan.Downloader) -> Delete on reboot.
    c:\WINDOWS\system32\tlist32pp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\setup\local settings\Temp\Wrw.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\WINDOWS\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\WINDOWS\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> Quarantined and deleted successfully.
     
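The Malwarebytes log above is a fixed text format, and the most useful thing a responder can do with it is turn each detection line into a record, note where each item lives (a Run value, a scheduled-task .job file, an Internet Settings zone key, a file in the user's Temp folder) and list what is still on disk until the reboot. The following Python script is an added example written for this page, not code from the thread or from Malwarebytes; the sample input is a constructed excerpt copied from the log posted above, and the persistence labels are heuristics based only on the item's path.

```python
import re
from collections import Counter

# Constructed excerpt for this example, copied from the Malwarebytes log posted
# above (summary lines and empty sections omitted).
SAMPLE_MBAM_LOG = r"""
Memory Processes Infected:
c:\WINDOWS\Wtotya.exe (Trojan.Downloader) -> 2416 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\5GUTNY6MFK (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\R8388QA8U8 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\R8388QA8U8 (Trojan.Downloader) -> Value: R8388QA8U8 -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\Wtotya.exe (Trojan.Downloader) -> Delete on reboot.
c:\Documents and Settings\setup\Local Settings\Temp\Wrx.exe (Trojan.Downloader) -> Delete on reboot.
c:\WINDOWS\system32\tlist32pp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# "<Section> Infected:" headers; the summary block uses "Infected: N" and does not match.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<item> (<family>) -> <action>" detection lines. Requiring ") -> " after the family
# keeps paths that contain " (" (e.g. "Program Files (x86)") from being split early.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Return one dict (section, item, family, action) per detection line."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            entries.append({
                "section": section,
                "item": m.group("item"),
                "family": m.group("family"),
                "action": m.group("action").rstrip("."),
            })
    return entries


def persistence_mechanism(entry):
    """Heuristic label for how the item survives a reboot, judged from its location only."""
    item = entry["item"].lower()
    if "\\currentversion\\run" in item:
        return "autostart (Run key)"
    if "\\tasks\\" in item and item.endswith(".job"):
        return "scheduled task"
    if "\\internet settings\\zones" in item:
        return "IE security-zone hijack"
    if "\\local settings\\temp\\" in item:
        return "dropper in user temp"
    return "other"


def pending_reboot_items(entries):
    """Files MBAM could not delete while in use: they stay on disk until the next reboot."""
    return [e["item"] for e in entries
            if e["action"].lower().startswith("delete on reboot")]


def family_counts(entries):
    """Number of detections per malware family."""
    return dict(Counter(e["family"] for e in entries))


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_MBAM_LOG)
    for e in found:
        print(f"{e['section']:<28} {persistence_mechanism(e):<24} {e['family']:<20} {e['item']}")
    print("families:", family_counts(found))
    print("still present until reboot:", pending_reboot_items(found))
```

The "Delete on reboot" list is the practical output: those two files were still on the machine when the log was saved, which is why a helper will ask for a reboot before trusting the next scan.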
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please give me a description of the problems you're having. I didn't realize it wasn't on this thread also. There were several different Trojan Downloaders found and removed in Malwarebytes. Hopefully they haven't destroyed the system.

    You can go ahead and run the following:
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the link to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the ESET Smart Installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ==================================
    Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan. Uninstall directions, if needed:
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =====================================
    Question: I notice you're using the AutoPatcher in lieu of the updates. I thought this was pulled due to Microsoft objections. Is this your work computer?
     
  5. NCBucknut

    NCBucknut TS Rookie Topic Starter

    Bobbye - I have been having problems with redirects when I click a link after conducting a search. No other problems that I've noticed. In answer to your last question, yes, this is a work computer. I will run ESET and Combofix this weekend and post the results. Thanks for your help.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Do you have an IT person in your office? It is a matter of concern that there were so many Trojan Downloaders on a work system. There is some possibility that the company servers may have gotten infected.


    We'll see what the Eset scan and Combofix show and go from there.
     
  7. NCBucknut

    NCBucknut TS Rookie Topic Starter

    Bobbye - here's the logs from the ESET and Combofix scans:

    ESET Log:

    C:\Documents and Settings\tmudgett\Application Data\Sun\Java\Deployment\cache\6.0\43\41fc65eb-15ce3742 multiple threats

    Combofix Log:

    ComboFix 11-05-15.03 - setup 05/15/2011 21:15:32.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3027.2198 [GMT -4:00]
    Running from: c:\documents and settings\setup\Desktop\ComboFix.exe
    AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\documents and settings\Default User\WINDOWS
    c:\documents and settings\itemp\WINDOWS
    c:\documents and settings\kdurbin\WINDOWS
    c:\documents and settings\setup\WINDOWS
    c:\documents and settings\tmudgett\My Documents\DPE.DUS
    c:\documents and settings\tmudgett\WINDOWS
    c:\windows\system32\spool\prtprocs\w32x86\hpzpp5no.dll
    .
    ----- BITS: Possible infected sites -----
    .
    hxxp://kncpoll1
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-16 to 2011-05-16 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-15 21:57 . 2011-05-15 21:57 -------- d-----w- c:\program files\ESET
    2011-05-13 19:41 . 2011-05-13 19:51 -------- d-----w- c:\documents and settings\tmudgett\Application Data\Apple Computer
    2011-05-13 19:41 . 2011-05-13 19:43 -------- d-----w- c:\documents and settings\tmudgett\Local Settings\Application Data\Apple Computer
    2011-05-13 19:30 . 2011-05-13 19:30 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
    2011-05-13 19:28 . 2011-05-13 19:31 -------- d-----w- c:\documents and settings\setup\Application Data\Apple Computer
    2011-05-13 19:28 . 2009-05-18 17:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2011-05-13 19:28 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
    2011-05-13 19:27 . 2011-05-13 19:27 -------- d-----w- c:\program files\iPod
    2011-05-13 19:27 . 2011-05-13 19:28 -------- d-----w- c:\program files\iTunes
    2011-05-13 19:27 . 2011-05-13 19:28 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2011-05-13 19:27 . 2011-05-13 19:27 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
    2011-05-13 19:27 . 2011-05-13 19:27 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
    2011-05-13 19:27 . 2011-05-13 19:27 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
    2011-05-13 19:25 . 2011-05-13 19:28 -------- d-----w- c:\documents and settings\setup\Local Settings\Application Data\Apple Computer
    2011-05-12 19:39 . 2011-05-12 19:39 -------- d-----w- c:\documents and settings\setup\Application Data\Malwarebytes
    2011-05-12 19:39 . 2011-05-12 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-05-12 19:39 . 2011-05-12 22:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-11 20:06 . 2011-05-16 01:17 -------- d-----w- c:\documents and settings\kdurbin
    2011-05-02 14:03 . 2011-05-12 18:41 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2011-05-02 14:03 . 2011-05-02 14:03 -------- d-----w- c:\documents and settings\setup\Local Settings\Application Data\MotionDSP
    2011-05-02 14:03 . 2011-05-02 14:03 -------- d-----w- c:\documents and settings\setup\Application Data\MotionDSP
    2011-05-02 14:03 . 2011-05-02 14:03 -------- d-----w- c:\program files\vReveal
    2011-04-26 19:49 . 2011-04-26 19:49 -------- d-----w- c:\program files\NxRemoteXH
    2011-04-21 13:38 . 2011-05-14 11:42 664 ----a-w- c:\documents and settings\tmudgett\Local Settings\Application Data\d3d9caps.tmp
    2011-04-16 12:34 . 2010-10-18 11:10 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-15 14:48 . 2011-04-15 14:48 249856 ------w- c:\windows\Setup1.exe
    2011-04-15 14:48 . 2011-04-15 14:48 73216 ----a-w- c:\windows\ST6UNST.EXE
    2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
    2011-04-06 20:20 . 2011-04-06 20:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
    2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
    2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2011-03-08 16:53 . 2011-03-08 16:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-03-08 16:53 . 2011-03-08 16:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-03-07 05:33 . 2010-11-03 21:55 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-04 06:37 . 2008-04-13 23:00 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-03-03 13:21 . 2008-04-13 23:00 1857920 ----a-w- c:\windows\system32\win32k.sys
    2011-02-28 22:37 . 2010-11-05 14:27 180624 ----a-w- c:\windows\system32\Primomonnt.dll
    2011-02-22 23:06 . 2008-04-13 23:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-02-22 23:06 . 2008-04-13 23:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-02-22 23:06 . 2008-04-13 23:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-02-22 11:41 . 2008-04-13 23:00 385024 ----a-w- c:\windows\system32\html.iec
    2011-02-17 13:18 . 2008-04-13 23:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-02-17 13:18 . 2008-04-13 23:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
    2011-02-17 12:32 . 2010-11-05 16:41 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2011-02-15 12:56 . 2008-04-13 23:00 290432 ----a-w- c:\windows\system32\atmfd.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-22 134656]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-22 166912]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-22 134656]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-11-19 483420]
    "AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-08-27 471040]
    "IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-07-11 1351680]
    "IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-07-11 1191936]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-12-21 200704]
    "DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-06-12 656384]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-06-15 115560]
    "SonicWALLNetExtender"="c:\program files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe" [2009-03-25 710480]
    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-05-31 63048]
    "Timekeeper Central"="c:\program files\Kronos\Timekeeper Central\tkc\RemapClientDrives.exe" [2002-08-27 24576]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2009-7-16 1253152]
    Printkey2000.lnk - c:\program files\PrintKey2000\Printkey2000.exe [2010-11-5 772608]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2010-12-16 13:06 87424 ----a-w- c:\windows\system32\LMIinit.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\CrossTec\\CrossTec Remote Control\\client32.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [4/27/2009 2:40 PM 293968]
    R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [7/16/2009 1:04 PM 376096]
    R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [9/27/2010 3:47 PM 374152]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [5/31/2010 12:31 PM 12856]
    R2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe [1/14/2011 1:35 PM 196912]
    R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [11/5/2010 10:45 AM 112128]
    R3 ASMMEMORYDRIVER;ASMMEMORYDRIVER;c:\program files\Asset Services Management\ASMMemoryDriver.sys [11/5/2010 10:52 AM 2560]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/10/2011 7:56 AM 105592]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [11/5/2010 10:37 AM 109568]
    R3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [2/23/2009 5:55 PM 20504]
    S0 cerc6;cerc6; [x]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [6/15/2010 5:26 PM 23888]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-01-17 c:\windows\Tasks\prismShakeIcon.job
    - c:\program files\NCH Software\Prism\prism.exe [2011-01-14 18:36]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    DPF: {627C5D14-CB66-493E-B0F3-589C7E2FA813} - hxxp://192.168.5.50/WebClient.cab
    DPF: {FE92D9C3-4A69-4EC7-8651-1DC8531D0075} - hxxp://192.168.5.49/user/TSBnwCam.CAB
    .
    - - - - ORPHANS REMOVED - - - -
    .
    SafeBoot-Symantec Antvirus
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-15 21:19
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1380)
    c:\windows\system32\LMIinit.dll
    c:\windows\system32\netprovcredman.dll
    c:\windows\system32\LMIRfsClientNP.dll
    .
    Completion time: 2011-05-15 21:20:28
    ComboFix-quarantined-files.txt 2011-05-16 01:20
    .
    Pre-Run: 132,550,082,560 bytes free
    Post-Run: 133,876,654,080 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    .
    - - End Of File - - 11B49A3CF58C4818AAF63C653970BFE5
     
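The "Reg Loading Points" section of the ComboFix log above is where a helper looks first, because every line under a Run key or in the Startup folder is something that executes at logon. The Python script below is an added example written for this page, not code from the thread or from ComboFix: it parses that block into records and attaches review flags to entries worth asking the IT administrator about. The sample input is a constructed excerpt: the HKLM entries and the Startup .lnk are copied from the log above, while the HKCU "SysUpdate" entry is hypothetical, constructed to show what a flagged record looks like; the location rules are my own heuristics, not a verdict on any entry.

```python
import re

# Constructed excerpt in ComboFix's "Reg Loading Points" layout. The HKLM entries and
# the Startup .lnk are copied from the log above; the HKCU "SysUpdate" entry is a
# hypothetical, constructed example of the kind of entry that warrants a closer look.
SAMPLE_LOADING_POINTS = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-22 134656]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-06-15 115560]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysUpdate"="c:\documents and settings\setup\Local Settings\Temp\sysupd.exe" [2011-05-11 48640]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Printkey2000.lnk - c:\program files\PrintKey2000\Printkey2000.exe [2010-11-5 772608]
.
"""

# [HKEY_...\Run] header lines
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# "Name"="path" [yyyy-mm-dd size] value lines under a registry key
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)" \[(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<size>\d+)\]$')
# Shortcut.lnk - target [date size] lines under a Startup folder header
STARTUP_RE = re.compile(r"^(?P<name>.+\.lnk) - (?P<path>.+) \[(?P<date>[\d-]+) (?P<size>\d+)\]$")


def parse_loading_points(text):
    """Return one dict (source, name, path, date, size) per autostart entry."""
    entries = []
    source = None  # the key or Startup folder the current lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            source = None  # ComboFix separates blocks with a lone "."
            continue
        if line == "REGEDIT4" or line.startswith("*Note*"):
            continue
        m = KEY_RE.match(line)
        if m:
            source = m.group("key")
            continue
        if line.lower().endswith("\\startup\\"):
            source = line  # Startup folder header; its .lnk lines follow
            continue
        m = VALUE_RE.match(line) or STARTUP_RE.match(line)
        if m and source:
            entries.append({
                "source": source,
                "name": m.group("name"),
                "path": m.group("path"),
                "date": m.group("date"),
                "size": int(m.group("size")),
            })
    return entries


# Locations a non-admin user can write to; legitimate autostarts normally live
# under Program Files or system32 instead. (Heuristic markers, assumed for this example.)
USER_WRITABLE_MARKERS = (
    "\\documents and settings\\",
    "\\local settings\\temp\\",
    "\\application data\\",
)


def review_flags(entry):
    """Reasons an autostart entry deserves a second look; an empty list means none found."""
    flags = []
    path = entry["path"].lower()
    if any(marker in path for marker in USER_WRITABLE_MARKERS):
        flags.append("runs from a user-writable location")
    if path.rsplit("\\", 1)[0] == "c:\\windows":
        flags.append("runs from the Windows root rather than a subdirectory")
    if entry["source"].upper().startswith("HKEY_CURRENT_USER"):
        flags.append("per-user (HKCU) autostart, creatable without admin rights")
    return flags


def flagged_entries(entries):
    """Subset of entries that carry at least one review flag."""
    return [e for e in entries if review_flags(e)]


if __name__ == "__main__":
    found = parse_loading_points(SAMPLE_LOADING_POINTS)
    for e in found:
        marks = review_flags(e)
        print(f"{'!' if marks else ' '} {e['name']:<16} {e['path']}  {e['date']} {e['size']}")
        for reason in marks:
            print(f"    - {reason}")
```

The Malwarebytes log earlier in the thread had found the real Run value under HKEY_CURRENT_USER, and the ComboFix listing shows only HKLM entries afterwards, which is consistent with that value having been removed; the HKCU check in the script is there because a per-user Run value is the cheapest persistence a downloader can set up on a locked-down workstation.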
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, you can handle the Eset entries, then I have some questions:
    The malware entries are in the Java cache. To clear the Java Plug-in cache:

    [1]. Click Start > Control Panel.
    [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
    [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
    [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
      There are three options on this window to clear the cache. Check all.
      • Delete Files
      • View Applications
      • View Applets
    [5]. Click OK on Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
    [6]. Click Apply > OK on Temporary Files Settings window.
    Note: If you want to delete a specific application and applet from the cache, click on View Application and View Applet options respectively.
    ===================================
    Questions & Comments:
    1. Symantec Endpoint is supposed to be disabled when you run Combofix.
    2. Is there some reason you didn't allow this?
    3. Do you recognize enough of the following? It is a possible infected site: hxxp://kncpoll1
    4. Can you give me any information about what these were:
    5. And what these are? They are printer related:
    6. And what are these Directories for Apple Computer? All on 2011-05-13
    ============================================
    The deletions are puzzling as are some of the entries.
    I also notice you are connecting remotely. Does that mean you do not have an IT person available?
     
  9. NCBucknut

    NCBucknut TS Rookie Topic Starter

    Bobbye - thanks for your help with this issue. I removed the Java temporary files as instructed. Here's my responses to your questions:

    1) I did disable Symantec before I ran the scan, but received the message you referred to. I allowed it to run because I did disable everything first.
    2) I was surprised to see this message, because I allowed the recovery console to install when Combofix ran.
    3) This is a network station that collects SPC data.
    4) These are entries from our network administrators. Not sure how/why they are entered.
    5) Not sure on these entries. Maybe related to network printers?
    6) Received a new iphone on 5/13 and itunes was installed on my laptop.

    We do have an IT person available, but he was on vacation the last week and I wanted to try to correct the problem without taking up his time when he returned. I did let him know about the trojans and to check our network.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Since many of the entries are either work related or 'I don't know what they are', if the office IT person has returned, I would prefer (and it would be safer for you) to have him/her check the system.

    5 Good Reasons why I shouldn't be working on your work computer:

    1) I did disable Symantec before I ran the scan, but received the message you referred to. I allowed it to run because I did disable everything first. Most office environments will not allow the endpoint protection to be disabled, or only the administrator can disable it.
    2) I was surprised to see this message, because I allowed the recovery console to install when Combofix ran. You should check and see if the Recovery Console was actually installed.
    3) This is a network station that collects SPC data. I don't know what 'SPC data' is. I am not qualified to make changes on a network workstation.
    4) These are entries from our network administrators. Not sure how/why they are entered. These entries were removed by Combofix. It is possible that they were a False Positive. Only your ntw. admin. can determine that.
    5) Not sure on these entries. Maybe related to network printers? They are related to the printer. Some were removed by Combofix, another possible False Positive.
    6) Received a new iphone on 5/13 and itunes was installed on my laptop. But the entries are showing on your workstation.
     
Topic Status:
Not open for further replies.
