System Security


System Security

Post by mdaller on Tue Jul 14, 2009 4:21 am

I got this over the weekend after a 'friend' got rid of my anti-virus program. Google search links get hijacked, I keep getting the "your computer contains various signs of virous and malware... System Security will perform a quick and free scanning..." warnings followed by fake computer scans. I tried installing Norton, but it won't load and run properly (spent 3 hrs with their tech support) and will only un-install in safe mode. Norton blocks access to axuewpo.cn. Pops up about every 10 minutes. Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:06:38 AM, on 7/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\pp10.exe
C:\Program Files\Norton SystemWorks\NswUiTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\MCUI32.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R3 - Default URLSearchHook is missing
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\IPSBHO.DLL
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C1EA-F165BB85A330} - (no file)
O3 - Toolbar: Snap Shots - {8CD8EA48-D284-477E-B6DF-85D1E39D855F} - C:\Program Files\Snap Shots\snapbar10.dll
O3 - Toolbar: Ask.com Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [dla] "C:\WINDOWS\system32\dla\tfswctrl.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [pp] C:\windows\pp10.exe
O4 - HKLM\..\Run: [NSWosCheck] "C:\Program Files\Norton SystemWorks\osCheck.exe"
O4 - HKLM\..\Run: [NswUiTray] C:\Program Files\Norton SystemWorks\NswUiTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: vzTCPConfig - [You must be registered and logged in to see this link.]
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - [You must be registered and logged in to see this link.]
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 7042 bytes

Thanks!


Re: System Security

Post by Belahzur on Tue Jul 14, 2009 4:19 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R3 - Default URLSearchHook is missing
    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C1EA-F165BB85A330} - (no file)
    O4 - HKLM\..\Run: [pp] C:\windows\pp10.exe
    O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
    O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
    O15 - Trusted Zone: [You must be registered and logged in to see this link.]
    O15 - Trusted Zone: [You must be registered and logged in to see this link.]


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


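The triage Belahzur applies to the HijackThis log above (the missing default URLSearchHook, "(no file)" orphans, a Run entry pointing straight into C:\windows, and the Trusted Zone additions) can be written down as a small log checker. The Python below is an added example, not code from HijackThis or from this thread; its sample lines are copied from the log posted above except the Trusted Zone host, which is a constructed placeholder because the forum redacted the real one.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example for this thread, not code from HijackThis or from the forum.
It applies the review rules a helper used on the log above: flag a missing
default URLSearchHook, orphaned '(no file)' entries, autostart (O4) binaries
outside the usual program directories, and every Trusted Zone entry, which
rogue software commonly adds to relax Internet Explorer security.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class HjtEntry:
    """One HJT entry: section code (R3, O4, O15 ...) and the text after 'Oxx - '."""
    section: str
    body: str
    raw: str


# Matches "R0 - ...", "O23 - ..." etc.; headers and the process list are skipped.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")

# Directories where legitimate autostart binaries normally live on Windows XP.
# A Run entry pointing straight into C:\windows (like pp10.exe in the log above)
# is not automatically malicious, but it deserves a second look.
KNOWN_AUTOSTART_DIRS = ("c:\\program files\\", "c:\\windows\\system32\\")

# Picks the executable out of an O4 body such as
#   HKLM\..\Run: [pp] C:\windows\pp10.exe
#   HKLM\..\Run: [dla] "C:\WINDOWS\system32\dla\tfswctrl.exe"
# Unquoted paths containing spaces are handled by reading up to the first ".exe".
RUN_PATH_RE = re.compile(r'\]\s*"?(.+?\.exe)', re.IGNORECASE)


def parse_hjt(log_text: str) -> List[HjtEntry]:
    """Return the Rx/Ox entries of an HJT log, ignoring headers and the process list."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(HjtEntry(m.group(1), m.group(2), line))
    return entries


def extract_run_path(body: str) -> Optional[str]:
    """Lower-cased executable path from an O4 entry body, or None if there is none."""
    m = RUN_PATH_RE.search(body)
    return m.group(1).lower() if m else None


def triage(entries: List[HjtEntry]) -> List[Tuple[HjtEntry, str]]:
    """Return (entry, reason) pairs for the entries a reviewer would check first."""
    flagged = []
    for e in entries:
        reason = None
        if e.section == "R3" and "URLSearchHook is missing" in e.body:
            reason = "default URLSearchHook removed, a common side effect of a browser hijacker"
        elif e.section in ("O2", "O3", "O9") and "(no file)" in e.body:
            reason = "orphaned registration: the referenced file is gone"
        elif e.section == "O4":
            path = extract_run_path(e.body)
            if path and not path.startswith(KNOWN_AUTOSTART_DIRS):
                reason = f"autostart binary in an unusual location: {path}"
        elif e.section == "O15":
            reason = "Trusted Zone entry lowers IE security for that site; confirm it is wanted"
        if reason:
            flagged.append((e, reason))
    return flagged


# Constructed sample: lines copied from the log posted in this thread, plus one
# Trusted Zone entry with a placeholder host because the forum redacted the real one.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\IPSBHO.DLL
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C1EA-F165BB85A330} - (no file)
O3 - Toolbar: Ask.com Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [dla] "C:\WINDOWS\system32\dla\tfswctrl.exe"
O4 - HKLM\..\Run: [pp] C:\windows\pp10.exe
O4 - HKLM\..\Run: [NswUiTray] C:\Program Files\Norton SystemWorks\NswUiTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O15 - Trusted Zone: trusted-site.example.invalid
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""


def main() -> None:
    for entry, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{entry.raw}\n    -> {reason}")


if __name__ == "__main__":
    main()
```

Run against the sample it prints the six lines Belahzur asked to have fixed and leaves the Norton, Ask.com and ctfmon entries alone; on a real log it is a first pass for a human reviewer, not a verdict.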

Re: System Security

Post by mdaller on Wed Jul 15, 2009 12:14 am

Belahzur,

I've gone through the steps. O4 - HKLM\..\Run: [pp] C:\Windows\pp10.exe was not in the log when I re-ran Hijack This. Here's the log from MBAM.

Malwarebytes' Anti-Malware 1.39
Database version: 2432
Windows 5.1.2600 Service Pack 3

7/14/2009 7:59:04 PM
mbam-log-2009-07-14 (19-59-04).txt

Scan type: Quick Scan
Objects scanned: 133188
Time elapsed: 5 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 3
Registry Data Items Infected: 6
Folders Infected: 4
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\rpd56.rpd56mgr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\rpd56.rpd56mgr.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ea73037a-f182-44a0-bc0b-690d71231330} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ea73037a-f182-44a0-bc0b-690d71231330} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{10e42047-deb9-4535-a118-b3f6ec39b807} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\PC_Security2009 (Rogue.PCSecurity2009) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhcehaj0er1a (Rogue.AntiVirusXP2008) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Mike\Application Data\AntiSpywareDAT (Rogue.TotalAntiSpyware) -> Quarantined and deleted successfully.
c:\documents and settings\Mike\application data\antispywaredat\Quarantine (Rogue.TotalAntiSpyware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysloc (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Program Files\PC_Security2009 (Rogue.PCSecurity2009) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\freddy49.exe (Worm.Koobface) -> Quarantined and deleted successfully.
c:\WINDOWS\srn_1247427246.exe (Worm.Koobface) -> Quarantined and deleted successfully.
c:\documents and settings\Mike\application data\antispywaredat\Scan_Log.txt (Rogue.TotalAntiSpyware) -> Quarantined and deleted successfully.
c:\documents and settings\Mike\application data\antispywaredat\quarantine\.reg (Rogue.TotalAntiSpyware) -> Quarantined and deleted successfully.
c:\documents and settings\Mike\application data\antispywaredat\quarantine\QuarantineLog.txt (Rogue.TotalAntiSpyware) -> Quarantined and deleted successfully.
c:\program files\pc_security2009\Uninstall.exe (Rogue.PCSecurity2009) -> Quarantined and deleted successfully.
C:\Documents and Settings\Patrick\Local Settings\Temp\.tt15.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Clare\local settings\Temp\.ttA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Clare\local settings\Temp\.ttC.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Sysvxd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\_scui.cpl (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\9g2234wesdf3dfgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\f23567.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro122366.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\dk39fi4fe.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\bf23567.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\010112010146118114.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\0101120101464849.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\934fdfg34fgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wisdstr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

However, the fake security warning (along with the window to start a Norton tech support session) popped up roughly 10 minutes after I re-booted.

Any thoughts?


Re: System Security

Post by mdaller on Wed Jul 15, 2009 2:17 am

Belahzur,

Here's an update:

I cleared the MBAM quarantine, re-booted in safe mode and removed Norton. I rebooted and ran MBAM; it found nothing. I ran Spybot S&D which found two spywares, which it fixed. It's been over an hour since I last re-booted and haven't had any more problems. Also, one other symptom I had (but forgot to include in the original post) was that Google search results page links would be re-directed to a wide variety of sites (one was about knee pain?). That problem is also gone. I'm going to re-load Norton and I should be all set.


Thanks for the help!

Thank You!


Re: System Security

Post by mdaller on Wed Jul 15, 2009 11:58 am

When I re-loaded Norton, it all came back. I've un-installed Norton again. Ran both MBAM and SpyBot. Nothing found on both. I haven't seen the System Security warning since removing Norton, but I still have the problem with the internet links being re-directed. Norton was not on the computer when the problem started so I don't understand why the problem now only appears when Norton is installed. Please let me know what I should do next. Thanks.


Re: System Security

Post by Belahzur on Wed Jul 15, 2009 2:54 pm

Perhaps the Norton installer is infected and isn't the real thing.
Anyhow, please don't do anything without a staff member asking, because it makes it harder for us.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.



Re: System Security

Post by mdaller on Thu Jul 16, 2009 1:41 am

I was loading Norton off the CD that I purchased at Office Depot.

Here's the dds.txt log. Thanks.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Mike at 21:35:27.03 on Wed 07/15/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.646 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Mike\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mDefault_Search_URL = [You must be registered and logged in to see this link.]
mSearch Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: Verizon Broadband Toolbar: {4e7bd74f-2b8d-469e-d0fc-e57af4d5fa7d} - c:\windows\downlo~1\vzbb.dll
TB: The Weather Channel Toolbar: {2e5e800e-6ac0-411e-940a-369530a35e43} - c:\windows\system32\TwcToolbarIe7.dll
TB: Snap Shots: {8cd8ea48-d284-477e-b6df-85d1e39d855f} - c:\program files\snap shots\snapbar10.dll
TB: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {E92BEFBA-E79D-4F41-9733-68DA49C4492B} - No File
TB: {4E7BD74F-2B8D-469E-C1EA-F165BB85A330} - No File
TB: {5bed3930-2e9e-76d8-bacc-80df2188d455} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Sonic RecordNow!]
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [dla] "c:\windows\system32\dla\tfswctrl.exe"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: amec.com\project6.na
Trusted Zone: microsoft.com\*.windowsupdate
DPF: vzTCPConfig - [You must be registered and logged in to see this link.]
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - [You must be registered and logged in to see this link.]
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]

============= SERVICES / DRIVERS ===============

S3 EraserUtilDrv10910;EraserUtilDrv10910;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv10910.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv10910.sys [?]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [2008-10-7 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [2008-10-7 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [2008-10-7 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [2008-10-7 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [2008-10-7 98568]

=============== Created Last 30 ================

2009-07-14 23:48 --d----- c:\program files\Spybot - Search & Destroy
2009-07-14 23:40 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-14 23:40 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-14 23:40 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-14 23:39 --d----- c:\program files\Trend Micro
2009-07-14 19:50 --d----- c:\docume~1\mike\applic~1\Malwarebytes
2009-07-14 19:50 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-13 19:54 --d----- c:\program files\Smith Micro
2009-07-13 19:50 --d----- c:\docume~1\alluse~1\applic~1\PCSettings
2009-07-13 19:50 --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-07-13 19:49 --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-07-13 19:43 --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-07-12 19:54 --d----- c:\windows\system32\XPSViewer
2009-07-12 19:53 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-07-12 19:53 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-07-12 19:53 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-07-12 19:53 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-07-12 19:53 --d----- C:\c5edbf48a9f8f5491bf8c170a86d
2009-07-12 19:53 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-07-12 19:53 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-07-12 19:53 117,760 -------- c:\windows\system32\prntvpt.dll
2009-07-12 17:50 --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-07-12 17:47 --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-07-08 15:56 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-07-08 15:33 --d----- c:\windows\pss
2009-07-07 18:00 --d----- c:\windows\system32\wbem\Repository
2009-07-07 17:59 --d----- c:\program files\Bonjour
2009-06-29 14:44 --d----- c:\program files\Bonjour(2)

==================== Find3M ====================


Re: System Security

Post by mdaller on Thu Jul 16, 2009 1:47 am

Sorry. I missed this last section when I copied.


2009-07-11 11:41 5,305,344 a------- c:\program files\SecurityScannerFull.msi
2009-06-05 11:42 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2007-12-31 14:24 22,328 a------- c:\docume~1\mike\applic~1\PnkBstrK.sys
2007-08-13 21:04 56,912 a------- c:\documents and settings\mike\g2mdlhlpx.exe
2008-06-25 23:21 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008062520080626\index.dat

============= FINISH: 21:36:55.10 ===============


Re: System Security

Post by Origin on Thu Jul 16, 2009 4:31 pm

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:
3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]


Re: System Security

Post by mdaller on Fri Jul 17, 2009 1:31 am

I got a couple of warnings along the way. The first one was that "This machine does not have Microsoft Windows Recovery Console" and it asked if I wanted to download it. I said no (it came up after the re-boot also). The second warning was that it detected the presence of rootkit activity and listed the following files (then re-booted):

c:\windows\system32\drivers\hjgruiijebblrp.sys
c:\windows\system32\hjgruiesgtppey.dat
c:\windows\system32\hjgruijcjaorgr.dll
c:\windows\system32\hjgruijtqgrviy.dll
c:\windows\system32\hjgruikbeddeuc.dat

Also, when I came back into the forum, a warning popped up that said that my default browser was not Internet Explorer. I did not change it.

Here's the log:

ComboFix 09-07-14.08 - Mike 07/16/2009 21:12.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.733 [GMT -4:00]
Running from: c:\documents and settings\Mike\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\NPROTECT
c:\windows\desktop
c:\windows\desktop\Hooked on Phonics Learn to Read.lnk
c:\windows\Installer\12d7da.msi
c:\windows\Installer\43ba4efc.msi
c:\windows\Installer\61e48c.msp
c:\windows\Installer\633ee0.msi
c:\windows\Installer\a4aa6f6.msi
c:\windows\Installer\ba1c.msi
c:\windows\Installer\ba22.msi
c:\windows\Installer\ed93cb9.msi
c:\windows\Installer\ef7b64.msi
c:\windows\Installer\fa3da94.msi
c:\windows\system32\drivers\hjgruiijebblrp.sys
c:\windows\system32\hjgruiesgtppey.dat
c:\windows\system32\hjgruijcjaorgr.dll
c:\windows\system32\hjgruijtqgrviy.dll
c:\windows\system32\hjgruikbeddeuc.dat
c:\windows\system32\skinboxer43.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruimcopolxb


((((((((((((((((((((((((( Files Created from 2009-06-17 to 2009-07-17 )))))))))))))))))))))))))))))))
.

2009-07-15 03:48 . 2009-07-15 03:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-15 03:40 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-15 03:40 . 2009-07-15 03:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-15 03:40 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-15 03:39 . 2009-07-15 03:39 -------- d-----w- c:\program files\Trend Micro
2009-07-14 23:50 . 2009-07-14 23:50 -------- d-----w- c:\documents and settings\Mike\Application Data\Malwarebytes
2009-07-14 23:50 . 2009-07-14 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-14 00:01 . 2009-07-14 00:08 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\Symantec
2009-07-13 23:55 . 2009-07-13 23:55 57856 ----a-r- c:\documents and settings\Mike\Application Data\Microsoft\Installer\{849089CF-4988-49ED-A2DD-110CD5D9D7E8}\Icon849089CF.exe
2009-07-13 23:54 . 2009-07-13 23:54 -------- d-----w- c:\program files\Smith Micro
2009-07-13 23:50 . 2009-07-13 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2009-07-13 23:50 . 2009-07-15 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-07-13 23:49 . 2009-07-15 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-07-13 23:43 . 2009-07-15 03:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-12 23:54 . 2009-07-12 23:54 2272 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-07-12 23:54 . 2009-07-12 23:54 -------- d-----w- c:\windows\system32\XPSViewer
2009-07-12 23:54 . 2009-07-12 23:54 -------- d-----w- c:\program files\MSBuild
2009-07-12 23:54 . 2009-07-12 23:54 -------- d-----w- c:\program files\Reference Assemblies
2009-07-12 23:53 . 2009-07-12 23:53 -------- d-----w- C:\c5edbf48a9f8f5491bf8c170a86d
2009-07-12 23:53 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-07-12 23:53 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-07-12 23:53 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-07-12 23:53 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-07-12 23:53 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-07-12 23:53 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-07-12 23:53 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-07-12 21:50 . 2009-07-12 21:50 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-07-12 21:47 . 2009-07-15 03:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-12 21:31 . 2009-07-12 21:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-11 15:41 . 2009-07-11 15:41 5305344 ----a-w- c:\program files\SecurityScannerFull.msi
2009-07-08 19:56 . 2009-06-05 15:42 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-07-07 22:00 . 2009-07-07 22:00 -------- d-----w- c:\windows\system32\wbem\Repository
2009-07-07 21:59 . 2009-07-07 21:59 -------- d-----w- c:\program files\Bonjour
2009-06-29 18:44 . 2009-07-07 21:59 -------- d-----w- c:\program files\Bonjour(2)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-13 23:38 . 2005-05-12 22:40 58680 ----a-w- c:\documents and settings\Mike\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-11 15:42 . 2007-03-09 14:41 -------- d-----w- c:\program files\QuickTime
2009-07-08 19:31 . 2007-07-03 12:32 -------- d-----w- c:\program files\Common Files\Apple
2009-06-29 18:48 . 2007-07-03 12:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-10 11:53 . 2007-06-21 15:23 -------- d-----w- c:\program files\Coupons
2009-06-05 15:42 . 2007-11-25 20:30 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-02 00:33 . 2009-06-02 00:31 -------- d-----w- c:\documents and settings\Mike\Application Data\Move Networks
2009-06-02 00:33 . 2009-06-02 00:31 34062 ----a-w- c:\documents and settings\Mike\Application Data\Move Networks\ie_bin\Uninst.exe
2009-05-31 16:13 . 2009-04-26 17:07 164 ----a-w- c:\windows\install.dat
2009-05-13 05:15 . 2005-02-18 20:19 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2003-07-16 20:32 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-03 20:34 . 2005-05-19 01:49 58680 ----a-w- c:\documents and settings\Clare\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{8CD8EA48-D284-477E-B6DF-85D1E39D855F}"= "c:\program files\Snap Shots\snapbar10.dll" [2007-09-02 380928]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-26 809864]

[HKEY_CLASSES_ROOT\clsid\{8cd8ea48-d284-477e-b6df-85d1e39d855f}]
[HKEY_CLASSES_ROOT\Snapbar.SnapShots.1]
[HKEY_CLASSES_ROOT\TypeLib\{F57712B7-CEDB-4C0E-915B-4BB043CEF769}]
[HKEY_CLASSES_ROOT\Snapbar.SnapShots]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{8CD8EA48-D284-477E-B6DF-85D1E39D855F}"= "c:\program files\Snap Shots\snapbar10.dll" [2007-09-02 380928]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-26 809864]

[HKEY_CLASSES_ROOT\clsid\{8cd8ea48-d284-477e-b6df-85d1e39d855f}]
[HKEY_CLASSES_ROOT\Snapbar.SnapShots.1]
[HKEY_CLASSES_ROOT\TypeLib\{F57712B7-CEDB-4C0E-915B-4BB043CEF769}]
[HKEY_CLASSES_ROOT\Snapbar.SnapShots]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-28 335872]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Verizon\\Media Manager\\MediaManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5050:UDP"= 5050:UDP:TV
"18000:TCP"= 18000:TCP:TV 1
"18001:TCP"= 18001:TCP:TV 2

S3 EraserUtilDrv10910;EraserUtilDrv10910;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys [?]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [10/7/2008 8:18 AM 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [10/7/2008 8:18 AM 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [10/7/2008 8:18 AM 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [10/7/2008 8:19 AM 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [10/7/2008 8:19 AM 98568]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-07-17 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-02-26 15:25]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{4E7BD74F-2B8D-469E-C1EA-F165BB85A330} - (no file)
HKCU-Run-Sonic RecordNow! - (no file)


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: amec.com\project6.na
Trusted Zone: microsoft.com\*.windowsupdate
DPF: vzTCPConfig - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-16 21:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-07-17 21:21
ComboFix-quarantined-files.txt 2009-07-17 01:21

Pre-Run: 84,820,488,192 bytes free
Post-Run: 85,510,778,880 bytes free

179 --- E O F --- 2009-07-16 11:38

mdaller
Novice

Posts : 10
Joined : 2009-07-14
OS : XP
Points : 27032
# Likes : 0

Re: System Security

Post by Origin on Fri Jul 17, 2009 7:43 pm

Now open a new notepad file.
Input this into the notepad file:

Registry::
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]



Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master

Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3
Points : 31483
# Likes : 0
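The step above is done by hand: read the "Reg Loading Points" section of the ComboFix log, pick the keys that belong to the unwanted toolbar, and write them into a CFScript "Registry::" block with the `[-KEY]` deletion syntax shown in the post. The following is an added example (Python, not ComboFix's or Origin's code) that automates exactly that: it parses the REGEDIT4-style section, merges keys the log lists twice, selects keys by a substring of their path, and renders the script. The sample log is constructed from lines quoted in this thread; the function names are this example's own.

```python
"""Build a ComboFix CFScript "Registry::" block from a ComboFix log (added example)."""
import re

# Constructed sample: a fragment of a ComboFix "Reg Loading Points" section,
# assembled from lines quoted earlier in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-26 809864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-26 809864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5050:UDP"= 5050:UDP:TV
"""

KEY_RE = re.compile(r'^\[(-?)([^\]]+)\]$')          # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')    # "name"= data


def parse_reg_loading_points(log_text):
    """Return {key_path: [(value_name, value_data), ...]} in log order.

    Reading starts after the REGEDIT4 marker and stops at the first line that
    is neither blank, a [key] line nor a "name"=data line (in a real log that
    is the first driver line).  A key listed twice, as the HKCR keys are in
    these logs, is merged into one entry so it is only deleted once.
    """
    keys = {}
    in_section = False
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line == "REGEDIT4"
            continue
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(2)
            keys.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current].append((m.group(1), m.group(2)))
            continue
        break  # first foreign line: the registry section is over
    return keys


def select_keys(keys, needle):
    """Key paths that contain needle (case-insensitive); only the path is
    matched, so a shared key such as the IE Toolbar list is never selected
    just because one of its values points at the unwanted DLL."""
    n = needle.lower()
    return [path for path in keys if n in path.lower()]


def values_referencing(keys, needle):
    """(key_path, value_name) pairs whose data mentions needle: entries to
    review by hand rather than delete as whole keys."""
    n = needle.lower()
    return [(path, name) for path, values in keys.items()
            for name, data in values if n in data.lower()]


def build_cfscript(key_paths):
    """Render a CFScript 'Registry::' block deleting each key, log order kept."""
    return "Registry::\n" + "".join(f"[-{p}]\n" for p in key_paths)


if __name__ == "__main__":
    parsed = parse_reg_loading_points(SAMPLE_LOG)
    print(build_cfscript(select_keys(parsed, "GenericAskToolbar.ToolbarWnd")))
    print("review by hand:", values_referencing(parsed, "GenericAskToolbar"))
```

With the needle `GenericAskToolbar.ToolbarWnd` the output is the same two-line Registry:: block Origin posted, and the two Toolbar/Webbrowser values that still point at GenericAskToolbar.dll are reported separately for manual review.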

Re: System Security

Post by mdaller on Sat Jul 18, 2009 12:26 am

No reboot this time. Here's the log.

ComboFix 09-07-14.08 - Mike 07/17/2009 20:16.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.631 [GMT -4:00]
Running from: c:\documents and settings\Mike\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Mike\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-06-18 to 2009-07-18 )))))))))))))))))))))))))))))))
.

2009-07-15 03:48 . 2009-07-15 03:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-15 03:40 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-15 03:40 . 2009-07-15 03:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-15 03:40 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-15 03:39 . 2009-07-15 03:39 -------- d-----w- c:\program files\Trend Micro
2009-07-14 23:50 . 2009-07-14 23:50 -------- d-----w- c:\documents and settings\Mike\Application Data\Malwarebytes
2009-07-14 23:50 . 2009-07-14 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-14 00:01 . 2009-07-14 00:08 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\Symantec
2009-07-13 23:55 . 2009-07-13 23:55 57856 ----a-r- c:\documents and settings\Mike\Application Data\Microsoft\Installer\{849089CF-4988-49ED-A2DD-110CD5D9D7E8}\Icon849089CF.exe
2009-07-13 23:54 . 2009-07-13 23:54 -------- d-----w- c:\program files\Smith Micro
2009-07-13 23:50 . 2009-07-13 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2009-07-13 23:50 . 2009-07-15 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-07-13 23:49 . 2009-07-15 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-07-13 23:43 . 2009-07-15 03:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-12 23:54 . 2009-07-12 23:54 2272 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-07-12 23:54 . 2009-07-12 23:54 -------- d-----w- c:\windows\system32\XPSViewer
2009-07-12 23:54 . 2009-07-12 23:54 -------- d-----w- c:\program files\MSBuild
2009-07-12 23:54 . 2009-07-12 23:54 -------- d-----w- c:\program files\Reference Assemblies
2009-07-12 23:53 . 2009-07-12 23:53 -------- d-----w- C:\c5edbf48a9f8f5491bf8c170a86d
2009-07-12 23:53 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-07-12 23:53 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-07-12 23:53 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-07-12 23:53 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-07-12 23:53 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-07-12 23:53 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-07-12 23:53 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-07-12 21:50 . 2009-07-12 21:50 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-07-12 21:47 . 2009-07-15 03:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-12 21:31 . 2009-07-12 21:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-11 15:41 . 2009-07-11 15:41 5305344 ----a-w- c:\program files\SecurityScannerFull.msi
2009-07-08 19:56 . 2009-06-05 15:42 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-07-07 22:00 . 2009-07-07 22:00 -------- d-----w- c:\windows\system32\wbem\Repository
2009-07-07 21:59 . 2009-07-07 21:59 -------- d-----w- c:\program files\Bonjour
2009-06-29 18:44 . 2009-07-07 21:59 -------- d-----w- c:\program files\Bonjour(2)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-13 23:38 . 2005-05-12 22:40 58680 ----a-w- c:\documents and settings\Mike\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-11 15:42 . 2007-03-09 14:41 -------- d-----w- c:\program files\QuickTime
2009-07-08 19:31 . 2007-07-03 12:32 -------- d-----w- c:\program files\Common Files\Apple
2009-06-29 18:48 . 2007-07-03 12:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-10 11:53 . 2007-06-21 15:23 -------- d-----w- c:\program files\Coupons
2009-06-05 15:42 . 2007-11-25 20:30 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-02 00:33 . 2009-06-02 00:31 -------- d-----w- c:\documents and settings\Mike\Application Data\Move Networks
2009-06-02 00:33 . 2009-06-02 00:31 34062 ----a-w- c:\documents and settings\Mike\Application Data\Move Networks\ie_bin\Uninst.exe
2009-05-31 16:13 . 2009-04-26 17:07 164 ----a-w- c:\windows\install.dat
2009-05-13 05:15 . 2005-02-18 20:19 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2003-07-16 20:32 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-03 20:34 . 2005-05-19 01:49 58680 ----a-w- c:\documents and settings\Clare\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{8CD8EA48-D284-477E-B6DF-85D1E39D855F}"= "c:\program files\Snap Shots\snapbar10.dll" [2007-09-02 380928]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-26 809864]

[HKEY_CLASSES_ROOT\clsid\{8cd8ea48-d284-477e-b6df-85d1e39d855f}]
[HKEY_CLASSES_ROOT\Snapbar.SnapShots.1]
[HKEY_CLASSES_ROOT\TypeLib\{F57712B7-CEDB-4C0E-915B-4BB043CEF769}]
[HKEY_CLASSES_ROOT\Snapbar.SnapShots]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{8CD8EA48-D284-477E-B6DF-85D1E39D855F}"= "c:\program files\Snap Shots\snapbar10.dll" [2007-09-02 380928]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-26 809864]

[HKEY_CLASSES_ROOT\clsid\{8cd8ea48-d284-477e-b6df-85d1e39d855f}]
[HKEY_CLASSES_ROOT\Snapbar.SnapShots.1]
[HKEY_CLASSES_ROOT\TypeLib\{F57712B7-CEDB-4C0E-915B-4BB043CEF769}]
[HKEY_CLASSES_ROOT\Snapbar.SnapShots]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-28 335872]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Verizon\\Media Manager\\MediaManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5050:UDP"= 5050:UDP:TV
"18000:TCP"= 18000:TCP:TV 1
"18001:TCP"= 18001:TCP:TV 2

S3 EraserUtilDrv10910;EraserUtilDrv10910;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys [?]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [10/7/2008 8:18 AM 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [10/7/2008 8:18 AM 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [10/7/2008 8:18 AM 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [10/7/2008 8:19 AM 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [10/7/2008 8:19 AM 98568]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-07-18 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-02-26 15:25]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: amec.com\project6.na
Trusted Zone: microsoft.com\*.windowsupdate
DPF: vzTCPConfig - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-17 20:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2408)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-07-18 20:23
ComboFix-quarantined-files.txt 2009-07-18 00:23
ComboFix2.txt 2009-07-17 01:21

Pre-Run: 85,468,131,328 bytes free
Post-Run: 85,449,850,880 bytes free

160 --- E O F --- 2009-07-16 11:38


Re: System Security

Post by Origin on Sat Jul 18, 2009 12:27 am

Run another Malwarebytes scan for me and post the contents of the log back here.




Re: System Security

Post by mdaller on Sat Jul 18, 2009 12:28 pm

Here's the log.

Malwarebytes' Anti-Malware 1.39
Database version: 2432
Windows 5.1.2600 Service Pack 3

7/18/2009 8:25:52 AM
mbam-log-2009-07-18 (08-25-52).txt

Scan type: Quick Scan
Objects scanned: 125791
Time elapsed: 3 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: System Security

Post by Origin on Sat Jul 18, 2009 8:24 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?




Re: System Security

Post by mdaller on Sat Jul 18, 2009 11:47 pm

It doesn't seem to be having any problems now. Should I try re-installing Norton again?


Re: System Security

Post by Origin on Sat Jul 18, 2009 11:49 pm

I wouldn't recommend using Norton; it bogs down your system. I would recommend using Avira; it's free and helps catch over 50,000 viruses. More info can be found here:

[You must be registered and logged in to see this link.]


