Solved More Malware

MH Lindsey

Posts: 195   +0
Hi, many thanks in advance for you help with this one. This computer was dumped on my mom as a gift because it was so messed up that they couldn't use it. Its an HP Intel T2400, 1.83GH, 987MH, 1.99GB Ram running XP 2002, SP2. My Dad when to town it this with Malwarebytes, downloaded Norton & ran that, then took Norton off, because phone support wanted him to pay more money for more support. He ran MB a few more times and thought it was clean. I've taken it to be sure: Here are the logs:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180
Run by john at 16:30:47 on 2014-07-04
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1570 [GMT -7:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton Internet Worm Protection *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [AvastUI.exe] "c:\program files\avast software\avast\AvastUI.exe" /nogui
StartupFolder: c:\docume~1\john\startm~1\programs\startup\vongot~1.lnk - c:\program files\vongo\Tray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
TCP: Interfaces\{282AB533-0203-49E5-8CDE-4ACDA940DB75} : DhcpNameServer = 192.168.2.1 192.168.2.1
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2014-7-4 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [2014-7-4 192352]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2014-7-4 779536]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2014-7-4 414392]
R2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [2014-7-4 24184]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2014-7-4 67824]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2014-7-4 50344]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes anti-malware\mbamscheduler.exe [2014-7-4 1809720]
S2 MBAMService;MBAMService;c:\program files\malwarebytes anti-malware\mbamservice.exe [2014-7-4 860472]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-7-4 23256]
.
=============== Created Last 30 ================
.
2014-07-04 23:45:15 24184 ----a-w- c:\windows\system32\drivers\aswHwid.sys
2014-07-04 23:45:07 43152 ----a-w- c:\windows\avastSS.scr
2014-07-04 23:34:48 67824 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2014-07-04 23:34:48 49944 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2014-07-04 23:34:48 192352 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2014-07-04 23:23:39 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-07-04 23:23:21 53208 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-07-04 23:23:21 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-07-04 23:23:21 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-07-04 23:23:21 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2014-07-04 23:12:58 779536 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2014-07-04 23:12:29 -------- d-----w- c:\program files\AVAST Software
2014-07-04 23:10:20 -------- d-----w- c:\documents and settings\john\application data\MSNInstaller
2014-07-04 23:10:10 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2014-07-04 23:06:30 26496 ----a-w- c:\windows\system32\dllcache\usbstor.sys
2014-07-04 23:03:52 -------- d-----w- c:\documents and settings\john\local settings\application data\Mozilla
2014-07-04 23:02:45 -------- d-----w- c:\windows\jumpshot.com
2014-07-04 23:02:30 -------- d-----w- c:\documents and settings\john\application data\AVAST Software
2014-07-04 23:02:24 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2014-07-04 23:02:24 31616 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2014-07-04 22:16:36 -------- d-----w- c:\program files\NetWaiting
2014-07-04 22:16:25 110592 ------w- c:\windows\system32\SmartAudio.cpl
2014-06-26 23:53:05 -------- d-----w- c:\program files\iYogi Support Dock
2014-06-26 23:27:49 -------- d-----w- c:\documents and settings\all users\application data\SmartPCScan
2014-06-23 23:02:46 -------- d-----w- c:\windows\system32\appmgmt
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
c:\windows\system32\drivers\iaStor.sys Intel Corporation Intel Matrix Storage Manager driver
1 ntkrnlpa!IofCallDriver[0x804EEF9C] -> \Device\Harddisk0\DR0[0x89E12AB8]
3 CLASSPNP[0xF74E805B] -> ntkrnlpa!IofCallDriver[0x804EEF9C] -> \Device\00000080[0x89DE29E0]
5 ACPI[0xF735E620] -> ntkrnlpa!IofCallDriver[0x804EEF9C] -> \Device\Ide\IAAStorageDevice-0[0x89DD1030]
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x7a; }
user != kernel MBR !!!
.
============= FINISH: 16:31:17.78 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 5/7/2014 2:23:49 PM
System Uptime: 7/4/2014 4:01:35 PM (0 hours ago)
.
Motherboard: Hewlett-Packard | | 30A8
Processor: Genuine Intel(R) CPU T2400 @ 1.83GHz | U1 | 1316/mhz
Processor: Genuine Intel(R) CPU T2400 @ 1.83GHz | U1 | 1316/mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 97 GiB total, 71.906 GiB free.
D: is FIXED (FAT32) - 14 GiB total, 0.971 GiB free.
E: is CDROM ()
F: is FIXED (NTFS) - 466 GiB total, 424.938 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 5/7/2014 2:23:55 PM - System Checkpoint
RP2: 5/7/2014 2:23:24 PM - Installed Vongo
RP3: 5/7/2014 2:32:33 PM - Norton Antivirus post configuration restore point
RP4: 6/23/2014 3:42:58 PM - System Checkpoint
RP5: 6/23/2014 3:42:28 PM - System Checkpoint
RP6: 6/23/2014 3:26:06 PM - System Checkpoint
RP7: 6/23/2014 4:02:40 PM - Removed Vongo
RP8: 6/26/2014 4:43:44 PM - System Checkpoint
RP9: 6/26/2014 4:24:42 PM - System Checkpoint
RP10: 6/26/2014 5:07:23 PM - Configured Customer Experience Enhancement
RP11: 6/26/2014 5:07:46 PM - Configured easy Internet sign-up
RP12: 6/26/2014 4:14:01 PM - Removed muvee autoProducer 4.5
RP13: 6/26/2014 4:15:07 PM - Installed NetWaiting
RP14: 6/26/2014 4:15:24 PM - Installed NetWaiting
RP15: 6/26/2014 4:17:05 PM - Removed SmartAudio
RP16: 6/26/2014 4:17:23 PM - Removed Sonic Audio Module
RP17: 6/26/2014 4:17:35 PM - Removed Sonic Copy Module
RP18: 6/26/2014 4:17:47 PM - Removed Sonic Data Module
RP19: 6/26/2014 4:18:02 PM - Removed Sonic Express Labeler
RP20: 6/26/2014 4:18:40 PM - Removed Sonic MyDVD Plus
RP21: 6/26/2014 4:19:03 PM - Removed Sonic Update Manager
RP22: 6/26/2014 4:19:13 PM - Removed SonicAC3Encoder
RP23: 6/26/2014 4:19:22 PM - Removed SonicMPEGEncoder
RP24: 7/4/2014 3:16:22 PM - Installed SmartAudio
RP25: 7/4/2014 3:16:39 PM - Installed NetWaiting
RP26: 7/4/2014 4:12:29 PM - avast! Free Antivirus Setup
RP27: 7/4/2014 4:36:51 PM - avast! antivirus system restore point
.
==== Installed Programs ======================
.
.
Adobe Reader 6.0.1
avast! Free Antivirus
BufferChm
Conexant HD Audio
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
cp_UpdateProjectsConfig
CueTour
Destinations
DeviceManagementQFolder
FullDPAppQFolder
HDAUDIO Soft Data Fax Modem with SmartCP
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB909095)
Hotfix for Windows XP (KB912436)
Hotfix for Windows XP (KB915326)
HP Game Console and games
HP Help and Support
HP Imaging Device Functions 6.0
HP Photosmart Premier Software 6.0
HP Quick Launch Buttons 6.00 E2
HP QuickPlay 2.1
HP Rhapsody
HP Software Update
HP User Guides--System Recovery
HP User Guides 0019
HP Wireless Assistant 2.00 E1
HpSdpAppCoreApp
InstantShareDevices
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
J2SE Runtime Environment 5.0 Update 6
LightScribe 1.4.74.1
Macromedia Flash Player 8
Malwarebytes Anti-Malware version 2.0.2.1012
Microsoft .NET Framework 1.1
Microsoft Money 2006
Microsoft Office Standard Edition 2003
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
NetWaiting
Office 2003 Trial Assistant
OptionalContentQFolder
PhotoGallery
Quicken 2006
RandMap
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
SkinsHP1
SmartAudio
Sonic_PrimoSDK
SonicAC3Encoder
SonicMPEGEncoder
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
TourSetup
Unload
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB912945)
Update Rollup 2 for Windows XP Media Center Edition 2005
Vongo
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB884575
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885464
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888402
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890546
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892559
Wireless Home Network Setup
.
==== Event Viewer Messages From Past Week ========
.
7/4/2014 4:10:47 PM, error: Dhcp [1002] - The IP address lease 192.168.1.10 for the Network Card with network address 0013025C053F has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
7/4/2014 4:03:18 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the MBAMService service.
7/4/2014 4:02:47 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AliIde PCIIde ViaIde
7/4/2014 4:02:08 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
7/4/2014 4:01:42 PM, error: ipnathlp [32003] - The Network Address Translator (NAT) was unable to request an operation of the kernel-mode translation module. This may indicate misconfiguration, insufficient resources, or an internal error. The data is the error code.
.
==== End Of File ===========================
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/4/2014
Scan Time: 4:03:55 PM
Logfile: 2014-0704-1mbam-log.txt
Administrator: No

Version: 2.00.2.1012
Malware Database: v2014.07.06.08
Rootkit Database: v2014.07.03.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows XP Service Pack 2
CPU: x86
File System: NTFS
User: john

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 355033
Time Elapsed: 14 min, 34 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 1
PUM.Hijack.StartMenu, HKU\S-1-5-21-2333270519-2351239788-1557963414-1006-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),Replaced,[da765f3d770470c6cba9bfd2966e1ae6]

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)
 
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/4/2014
Scan Time: 4:18:10 PM
Logfile: 2014-0704-2mbam-log.txt
Administrator: No

Version: 2.00.2.1012
Malware Database: v2014.07.06.08
Rootkit Database: v2014.07.03.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows XP Service Pack 2
CPU: x86
File System: NTFS
User: jane

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 319888
Time Elapsed: 8 min, 19 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/4/2014
Scan Time: 4:24:34 PM
Logfile: 2014-0704-3mbam-log.txt
Administrator: No

Version: 2.00.2.1012
Malware Database: v2014.07.06.08
Rootkit Database: v2014.07.03.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows XP Service Pack 2
CPU: x86
File System: NTFS
User: jane

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 319967
Time Elapsed: 8 min, 29 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 4
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|AntiVirusDisableNotify, 1, Good: (0), Bad: (1),Replaced,[163a128a5d1ebb7bd221d7b80df7fd03]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|FirewallDisableNotify, 1, Good: (0), Bad: (1),Replaced,[064ab8e488f38da9cc28296653b1d62a]
PUM.Hijack.StartMenu, HKU\S-1-5-21-2333270519-2351239788-1557963414-1005-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),Replaced,[58f8a5f71d5e64d20371bcd5c53fc13f]
PUM.Hijack.StartMenu, HKU\S-1-5-21-2333270519-2351239788-1557963414-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff, 1, Good: (0), Bad: (1),Replaced,[f7591488eb9051e50f65395850b429d7]

Folders: 0
(No malicious items detected)

Files: 5
Backdoor.Bot, C:\Documents and Settings\Bob\Application Data\svhostu.exe, Quarantined, [59f75547a5d610262222264abb45fd03],
Backdoor.Bot, C:\Documents and Settings\Bob\Start Menu\Programs\Startup\crss.exe, Quarantined, [3f11a7f59be071c5fb4971ff34cc2ad6],
Trojan.Agent, C:\Documents and Settings\Bob\Local Settings\Temp\nnnv0.9189470726629662.exe, Quarantined, [fc54a3f9047778be9ab96f13be427987],
Backdoor.Bot, C:\Documents and Settings\Bob\Local Settings\Temp\svhostu.exe, Quarantined, [67e97e1ed3a8bc7ae0649bd58b7522de],
Malware.Trace, C:\Documents and Settings\Bob\Application Data\ldr.ini, Quarantined, [66ea0696176434022f7dcbc5887bbd43],

Physical Sectors: 0
(No malicious items detected)


(end)
 
Hello and welcome to TechSpot.com My name is Dave. I will be helping you out with your particular problem on your computer.
1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.
If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

Read this article: Danger: Remote Access Trojans.
If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one! If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.
I would counsel you to disconnect this PC from the Internet immediately.
Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall?
We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.
Should you have any questions, please feel free to ask.
Please let us know what you have decided to do in your next post
 
We would like to clean this computer as best possible. We appreciate the warning and will not use it for online purchases.
 
Please download AdwCleaner by Xplode onto your Desktop.
Before starting AdwCleaner, close all open programs and internet browsers, then double-click on the AdwCleaner icon.
AdwCleaner-icon.jpg

If Windows prompts you as to whether or not you wish to run AdwCleaner, please allow it to run.
When the AdwCleaner program will open, click on the Scan button as shown below.
untitled.png

AdwCleaner will now start to search for malicious files that may be installed on your computer.
To remove the files that were detected in the previous step, please click on the Clean button.
3.png

AdwCleaner will now prompt you to save any open files or data as the program will need to reboot the computer. Please do so and then click on the OK button. AdwCleaner will now delete all detected adware from your computer. When it is done it will display an alert that explains what PUPs (Potentially Unwanted Programs) and Adware are. Please read through this information and then press the OK button. You will now be presented with an alert that states AdwCleaner needs to reboot your computer.
Please click on the OK button to allow AdwCleaner reboot your computer.A log will be produced. Please copy and paste this log in your next reply.
*********************************************
Malwarebytes' Anti-Rootkit
Please download Malwarebytes' Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.
*************************************************
Please download Junkware Removal Tool to your desktop.
Warning! Once the scan is complete JRT will shut down your browser with NO warning.
Shut down your protection software now to avoid potential conflicts.
•Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
•Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator
•The tool will open and start scanning your system.
•Please be patient as this can take a while to complete depending on your system's specifications.
•On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
•Copy and Paste the JRT.txt log into your next message.
 
# AdwCleaner v3.215 - Report created 04/07/2014 at 16:07:48
# Updated 09/07/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 2 (32 bits)
# Username : john - PC139818592325
# Running from : C:\Documents and Settings\john\My Documents\janes logs\programs\adwcleaner_3.215.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files\Common Files\Software Update Utility
File Deleted : C:\Program Files\Mozilla Firefox\plugins\npdnu.dll
File Deleted : C:\Program Files\Mozilla Firefox\plugins\npdnu.xpt
File Deleted : C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.dll
File Deleted : C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.xpt
File Deleted : C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\6g68dorn.default\user.js

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{761F6A83-F007-49E4-8EAC-CDB6808EF06F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{2318C2B1-4965-11D4-9B18-009027A5CD4F}]

***** [ Browsers ] *****

-\\ Internet Explorer v6.0.2900.2180


-\\ Mozilla Firefox v9.0.1 (en-US)

[ File : C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\6g68dorn.default\prefs.js ]

Line Deleted : user_pref("aol_toolbar.surf.date", "6");
Line Deleted : user_pref("aol_toolbar.surf.lastDate", "7");
Line Deleted : user_pref("aol_toolbar.surf.lastMonth", "4");
Line Deleted : user_pref("aol_toolbar.surf.lastYear", "2014");
Line Deleted : user_pref("aol_toolbar.surf.month", "6");
Line Deleted : user_pref("aol_toolbar.surf.prevMonth", "1");
Line Deleted : user_pref("aol_toolbar.surf.total", "65989");
Line Deleted : user_pref("aol_toolbar.surf.week", "6");
Line Deleted : user_pref("aol_toolbar.surf.year", "6");
Line Deleted : user_pref("browser.search.defaulturl", "hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=20100825055206343&tb_oid=25-08-2010&tb_mrud=25-08-2[...]
Line Deleted : user_pref("keyword.URL", "hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&tb_uuid=20100825055206343&tb_oid=25-08-2010&tb_mrud=25-08-2010&query=");

[ File : C:\Documents and Settings\jane\Application Data\Mozilla\Firefox\Profiles\q71qd2h0.default\prefs.js ]


[ File : C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\jm80b2xd.default\prefs.js ]


-\\ Google Chrome v35.0.1916.114

[ File : C:\Documents and Settings\Bob\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]


[ File : C:\Documents and Settings\john\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [3054 octets] - [04/07/2014 16:05:28]
AdwCleaner[S0].txt - [3028 octets] - [04/07/2014 16:07:48]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3088 octets] ##########
 
Malwarebytes Anti-Rootkit BETA 1.07.0.1012
www.malwarebytes.org

Database version: v2014.05.21.07

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 6.0.2900.2180
john :: PC139818592325 [limited]

7/4/2014 4:07:22 PM
mbar-log-2014-07-04 (16-07-22).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 332745
Time elapsed: 19 minute(s), 55 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 8
c:\windows\$ntuninstallkb3255$\3328594841 (Backdoor.0Access) -> Delete on reboot. [8d7354ac877923ddbaf550b0857b8c74]
c:\windows\$ntuninstallkb62280$\3509641331 (Backdoor.0Access) -> Delete on reboot. [3cc4c7398d73b24e822d5aa6de22bb45]
c:\windows\$ntuninstallkb3255$\485945278 (Backdoor.0Access) -> Delete on reboot. [ee127e8216eaa0603080e020f9077c84]
c:\windows\$ntuninstallkb3255$\485945278\l (Backdoor.0Access) -> Delete on reboot. [ee127e8216eaa0603080e020f9077c84]
c:\windows\$ntuninstallkb3255$\485945278\u (Backdoor.0Access) -> Delete on reboot. [ee127e8216eaa0603080e020f9077c84]
c:\windows\$ntuninstallkb62280$\485945278 (Backdoor.0Access) -> Delete on reboot. [d22e9d6387798878ebc57b85b54b3bc5]
c:\windows\$ntuninstallkb62280$\485945278\l (Backdoor.0Access) -> Delete on reboot. [d22e9d6387798878ebc57b85b54b3bc5]
c:\windows\$ntuninstallkb62280$\485945278\u (Backdoor.0Access) -> Delete on reboot. [d22e9d6387798878ebc57b85b54b3bc5]

Files Detected: 27
c:\windows\3203397148:3809022017.exe (Rootkit.0Access) -> Delete on reboot. [48b8c33da957758b4896cdd98c74e818]
c:\windows\$ntuninstallkb3255$\485945278\l\pzofaiii (Backdoor.0Access) -> Delete on reboot. [748c09f7d12fab55f9ae7e827e8211ef]
c:\windows\$ntuninstallkb3255$\485945278\u\00000001.@ (Backdoor.0Access) -> Delete on reboot. [37c9c13f31cf9f611095f20e3fc1ee12]
c:\windows\$ntuninstallkb3255$\485945278\u\00000002.@ (Backdoor.0Access) -> Delete on reboot. [3dc3966a57a97f81c4e1c33dbc4442be]
c:\windows\$ntuninstallkb3255$\485945278\u\80000000.@ (Backdoor.0Access) -> Delete on reboot. [b44c996755abd828238221dfc43cd52b]
c:\windows\$ntuninstallkb3255$\485945278\u\80000032.@ (Backdoor.0Access) -> Delete on reboot. [b24ec83848b80bf5b6efa06011ef57a9]
c:\windows\$ntuninstallkb62280$\485945278\l\pzofaiii (Backdoor.0Access) -> Delete on reboot. [5ea2ec147e82847c3f68f50b4db3ab55]
c:\windows\$ntuninstallkb62280$\485945278\u\00000001.@ (Backdoor.0Access) -> Delete on reboot. [21dfd32d798751af376e32ceae52a35d]
c:\windows\$ntuninstallkb62280$\485945278\u\00000002.@ (Backdoor.0Access) -> Delete on reboot. [13ed4ab63fc197699312ee12748c916f]
c:\windows\$ntuninstallkb62280$\485945278\u\00000004.@ (Backdoor.0Access) -> Delete on reboot. [d32dac540000946ceeb76c94669a0ef2]
c:\windows\$ntuninstallkb62280$\485945278\u\80000000.@ (Backdoor.0Access) -> Delete on reboot. [7b85817fb54b6a96a9fc6b957f81b64a]
c:\windows\$ntuninstallkb62280$\485945278\u\80000004.@ (Backdoor.0Access) -> Delete on reboot. [6e92fb05fc041de302a30af607f924dc]
c:\windows\$ntuninstallkb62280$\485945278\u\80000032.@ (Backdoor.0Access) -> Delete on reboot. [f30de917da26de22a1047987bb4527d9]
c:\windows\$ntuninstallkb3255$\485945278\@ (Backdoor.0Access) -> Delete on reboot. [ee127e8216eaa0603080e020f9077c84]
c:\windows\$ntuninstallkb3255$\485945278\bckfg.tmp (Backdoor.0Access) -> Delete on reboot. [ee127e8216eaa0603080e020f9077c84]
c:\windows\$ntuninstallkb3255$\485945278\cfg.ini (Backdoor.0Access) -> Delete on reboot. [ee127e8216eaa0603080e020f9077c84]
c:\windows\$ntuninstallkb3255$\485945278\desktop.ini (Backdoor.0Access) -> Delete on reboot. [ee127e8216eaa0603080e020f9077c84]
c:\windows\$ntuninstallkb3255$\485945278\keywords (Backdoor.0Access) -> Delete on reboot. [ee127e8216eaa0603080e020f9077c84]
c:\windows\$ntuninstallkb3255$\485945278\kwrd.dll (Backdoor.0Access) -> Delete on reboot. [ee127e8216eaa0603080e020f9077c84]
c:\windows\$ntuninstallkb3255$\485945278\lsflt7.ver (Backdoor.0Access) -> Delete on reboot. [ee127e8216eaa0603080e020f9077c84]
c:\windows\$ntuninstallkb62280$\485945278\@ (Backdoor.0Access) -> Delete on reboot. [d22e9d6387798878ebc57b85b54b3bc5]
c:\windows\$ntuninstallkb62280$\485945278\bckfg.tmp (Backdoor.0Access) -> Delete on reboot. [d22e9d6387798878ebc57b85b54b3bc5]
c:\windows\$ntuninstallkb62280$\485945278\cfg.ini (Backdoor.0Access) -> Delete on reboot. [d22e9d6387798878ebc57b85b54b3bc5]
c:\windows\$ntuninstallkb62280$\485945278\desktop.ini (Backdoor.0Access) -> Delete on reboot. [d22e9d6387798878ebc57b85b54b3bc5]
c:\windows\$ntuninstallkb62280$\485945278\keywords (Backdoor.0Access) -> Delete on reboot. [d22e9d6387798878ebc57b85b54b3bc5]
c:\windows\$ntuninstallkb62280$\485945278\kwrd.dll (Backdoor.0Access) -> Delete on reboot. [d22e9d6387798878ebc57b85b54b3bc5]
c:\windows\$ntuninstallkb62280$\485945278\lsflt7.ver (Backdoor.0Access) -> Delete on reboot. [d22e9d6387798878ebc57b85b54b3bc5]

Physical Sectors Detected: 0
(No malicious items detected)

(end)
Malwarebytes Anti-Rootkit BETA 1.07.0.1012
www.malwarebytes.org

Database version: v2014.07.09.13

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 6.0.2900.2180
john :: PC139818592325 [limited]

7/9/2014 6:29:44 PM
mbar-log-2014-07-09 (18-29-44).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 357974
Time elapsed: 19 minute(s), 42 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)
Malwarebytes Anti-Rootkit BETA 1.07.0.1012

(c) Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 2 x86

Account is Non-administrative

Internet Explorer version: 6.0.2900.2180

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 1.828000 GHz
Memory total: 2137042944, free: 1449771008

Host not found
Host not found
Host not found
Initializing...
======================
Done!
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 1EA71EA6

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 203222187
Partition file system is NTFS
Partition is bootable

Partition 1 type is Other (0xc)
Partition is NOT ACTIVE.
Partition starts at LBA: 203238315 Numsec = 29093715

Partition 2 type is Other (0xd7)
Partition is NOT ACTIVE.
Partition starts at LBA: 232332030 Numsec = 2104515

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 120034123776 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-234421648-234441648)...
Done!
Infected: c:\windows\3203397148:3809022017.exe --> [Rootkit.0Access]
Infected: c:\windows\$ntuninstallkb3255$\485945278\l\pzofaiii --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb3255$\485945278\u\00000001.@ --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb3255$\485945278\u\00000002.@ --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb3255$\485945278\u\80000000.@ --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb3255$\485945278\u\80000032.@ --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\485945278\l\pzofaiii --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\485945278\u\00000001.@ --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\485945278\u\00000002.@ --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\485945278\u\00000004.@ --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\485945278\u\80000000.@ --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\485945278\u\80000004.@ --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\485945278\u\80000032.@ --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb3255$\3328594841 --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\3509641331 --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb3255$\485945278 --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb3255$\485945278\@ --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb3255$\485945278\bckfg.tmp --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb3255$\485945278\cfg.ini --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb3255$\485945278\desktop.ini --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb3255$\485945278\keywords --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb3255$\485945278\kwrd.dll --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb3255$\485945278\lsflt7.ver --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb3255$\485945278\l --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb3255$\485945278\u --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\485945278 --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\485945278\@ --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\485945278\bckfg.tmp --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\485945278\cfg.ini --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\485945278\desktop.ini --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\485945278\keywords --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\485945278\kwrd.dll --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\485945278\lsflt7.ver --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\485945278\l --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\485945278\u --> [Backdoor.0Access]
Scan finished
Creating System Restore point...
Cleaning up...
Executing an action fixdamage.exe...
Success!
Queuing an action fixdamage.exe
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================


Removal queue found; removal started
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR-0-I.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\VBR-0-0-63-I.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1012

(c) Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 2 x86

Account is Non-administrative

Internet Explorer version: 6.0.2900.2180

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 1.828000 GHz
Memory total: 2137042944, free: 1455226880

Host not found
Downloaded database version: v2014.07.09.13
Downloaded database version: v2014.07.09.01
Initializing...
======================
Done!
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 1EA71EA6

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 203222187
Partition file system is NTFS
Partition is bootable

Partition 1 type is Other (0xc)
Partition is NOT ACTIVE.
Partition starts at LBA: 203238315 Numsec = 29093715

Partition 2 type is Other (0xd7)
Partition is NOT ACTIVE.
Partition starts at LBA: 232332030 Numsec = 2104515

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 120034123776 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-234421648-234441648)...
Done!
Scan finished
=======================================


Removal queue found; removal started
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR-0-I.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\VBR-0-0-63-I.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.3 (03.23.2014:1)
OS: Microsoft Windows XP x86
Ran by john on Wed 07/09/2014 at 18:26:55.32
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values




~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ FireFox

Failed to delete: [File] "C:\Program Files\Mozilla Firefox\searchplugins\bing-zugo.xml"





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 07/09/2014 at 18:33:56.14
Computer was rebooted
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NOTE: During this scan - the software stopped and said there was a bad sector and needed to remove it - so it rebooted, and then came back and finished with this report.
 
One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

Read this article: Danger: Remote Access Trojans.
If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one! If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.
I would counsel you to disconnect this PC from the Internet immediately.
Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall?
We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.
Should you have any questions, please feel free to ask.
Please let us know what you have decided to do in your next post
 
You cautioned me about this in the beginning and I have chosen to attempt to clean this computer as much as possible. What is our next step?
 
Sorry about the repitition. I'm juggling too many threads at once. Let's run another scan just to make sure.
  • Download RogueKiller on the desktop
  • Close all the running programs
  • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again
 
RogueKiller V9.2.1.0 [Jun 23 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User : john [Admin rights]
Mode : Scan -- Date : 07/09/2014 18:31:11

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[PUM.Policies] HKEY_USERS\S-1-5-21-2333270519-2351239788-1557963414-1006\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
[PUM.Policies] HKEY_USERS\S-1-5-21-2333270519-2351239788-1557963414-1006\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\WINDOWS\System32\drivers\etc\hosts] 127.0.0.1 localhost

¤¤¤ Antirootkit : 2 (Driver: LOADED) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\CdRom0 : \Driver\redbook @ Unknown (\SystemRoot\system32\DRIVERS\redbook.sys)
[Filter(Root.Keylogger)] \Driver\Kbdclass @ Unknown : \Driver\eabfiltr @ Unknown (\SystemRoot\System32\DRIVERS\RDPCDD.sys)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: FUJITSU MHV2120BH PL +++++
--- User ---
[MBR] c0b152ddebbeeabc588875d17a0e66cc
[BSP] 148bc81b10889459167713687c8765ef : Toshiba MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 99229 MB
1 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 203238315 | Size: 14205 MB
2 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 232332030 | Size: 1027 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: WD My Passport 0748 USB Device +++++
--- User ---
[MBR] 80437cd8b9e3133868a6b0722d39af1b
[BSP] 9b6ebbf7c1a08cbb9ccbeeaea6641cdb : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 476907 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )


NOTE: I only ran the Scan - and went to Report. The screen asks me to select things I want to delete. I have not done anything with that. The report does not match what is on the screen 9options to delete) the antirootkit - has windows\system32\drivers\aswSnx.sys. Under Browsers there are several entries for Chrome. it looks like leaving my Passport external drive may have been a problem (?) as it is in the report. Please advise.
 
I re-ran the RougeKiller Scan - here is the report

RogueKiller V9.2.1.0 [Jun 23 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User : john [Admin rights]
Mode : Scan -- Date : 07/09/2014 19:08:49

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[PUM.Policies] HKEY_USERS\S-1-5-21-2333270519-2351239788-1557963414-1006\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
[PUM.Policies] HKEY_USERS\S-1-5-21-2333270519-2351239788-1557963414-1006\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\WINDOWS\System32\drivers\etc\hosts] 127.0.0.1 localhost

¤¤¤ Antirootkit : 2 (Driver: LOADED) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\CdRom0 : \Driver\redbook @ Unknown (\SystemRoot\system32\DRIVERS\redbook.sys)
[Filter(Root.Keylogger)] \Driver\Kbdclass @ Unknown : \Driver\eabfiltr @ Unknown (\SystemRoot\System32\DRIVERS\RDPCDD.sys)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: FUJITSU MHV2120BH PL +++++
--- User ---
[MBR] c0b152ddebbeeabc588875d17a0e66cc
[BSP] 148bc81b10889459167713687c8765ef : Toshiba MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 99229 MB
1 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 203238315 | Size: 14205 MB
2 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 232332030 | Size: 1027 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_07092014_183111.log
 
Items that don't seem to be on the report - see image 2566
 

Attachments

  • IMG_2568.JPG
    IMG_2568.JPG
    602.4 KB · Views: 3
  • IMG_2566.JPG
    IMG_2566.JPG
    668.2 KB · Views: 2
  • IMG_2567.JPG
    IMG_2567.JPG
    587.3 KB · Views: 2
Which program produced those images?
I'd like to scan your machine with ESET OnlineScan
•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
•Click the
esetOnline.png
button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on
    esetSmartInstall.png
    to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the
    esetSmartInstallDesktopIcon-1.png
    icon on your desktop.
•Check
esetAcceptTerms.png

•Click the
esetStart.png
button.
•Accept any security warnings from your browser.
  • Leave the check mark next to Remove found threats.
•Check
esetScanArchives.png

•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push
esetListThreats.png

•Push
esetExport.png
, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the
esetBack.png
button.
•Push
esetFinish.png

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
 
RogueKiller produced those images (the ones I took with my camera), the RougeKieller Report does not mention a few of them. I am still waiting on if I should delete what has been reported by Rouge Killer before I shut it down and run ESET
 
In case the dates on some of these reports seem screwy, this computer seems to be having trouble keeping an accurate date & time, might be a battery needing replacing...

ESET log from 07/11/14 -
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\6\7db8686-1ceb728d multiple threats cleaned by deleting - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\62\5faae47e-781ba633 multiple threats cleaned by deleting - quarantined
 
In case the dates on some of these reports seem screwy, this computer seems to be having trouble keeping an accurate date & time, might be a battery needing replacing...
That's one of the first indications of a dead battery.
How's your computer running now? Any other issues?
 
I run Avast again this time as a boot scan, it picked up around 8 more malware items that were not found before - I am trying to figure out how to get the txt log from avast - it just has a history log - blah! What are your thoughts on running Combofix ?
 
Last edited:
Back