
Hello. This is my first post. I have been having problems for the past few weeks with some viruses/rootkits. I have the latest Trend and I also have Spybot, but I cannot download HJT... every time I try going to the website, my browser completely shuts down. When I was having the problems a few weeks ago, I was reading some threads on DaniWeb and I was able to download and run ComboFix (I ran it only once), and I was able to reset my restore points, delete all my Trend logs, take ComboFix off the computer, and I also downloaded ATF Cleaner to clean out anything else that might be there. It was running better for a few days, but now it is starting to act up again. So, can someone please give me some instructions as to what I need to do and how to post logs to the thread? Thanks in advance for your help!


Here is the ComboFix log from last time...

ComboFix 09-03-19.02 - Jill 2009-03-20 22:29:15.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2175.1729 [GMT -5:00]
Running from: c:\documents and settings\Jill\Desktop\jillfix.exe
AV: Trend Micro PC-cillin Internet Security 2007 *On-access scanning disabled* (Updated)
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled*
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\patch.exe
c:\windows\system32\~.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\bbfedbbfedfccdbee.dll
c:\windows\system32\drivers\UACaoeclkjt.sys
c:\windows\system32\ftpupd.exe
c:\windows\system32\UACarfglmnm.dll
c:\windows\system32\UACgklpumas.log
c:\windows\system32\uacinit.dll
c:\windows\system32\UACnbclgnli.log
c:\windows\system32\UACnhsvtudn.dll
c:\windows\system32\UACopoioumq.dll
c:\windows\system32\UACtjuidaer.dat
c:\windows\system32\UACtliyeqoy.log
c:\windows\system32\UACvpptrokw.dll
c:\windows\system32\UACxsaufiej.dll
c:\windows\system32\vumer.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-02-21 to 2009-03-21 )))))))))))))))))))))))))))))))
.

2009-03-19 20:44 . 2009-03-19 20:44 <DIR> d-------- c:\documents and settings\Administrator
2009-03-17 06:46 . 2009-03-20 13:22 10,752 --a------ c:\windows\DCEBoot.exe
2009-03-12 22:27 . 2009-03-12 22:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-12 22:25 . 2009-03-12 22:25 <DIR> d-------- c:\program files\Bonjour
2009-03-12 22:24 . 2009-03-12 22:25 <DIR> d-------- c:\program files\QuickTime
2009-03-05 21:42 . 2009-03-05 21:42 <DIR> d-------- c:\documents and settings\Jill\Application Data\Blackberry Desktop
2009-03-01 18:14 . 2009-03-01 18:14 <DIR> d-------- c:\windows\SYSTEM32\Adobe
2009-02-27 18:42 . 2009-02-27 18:44 <DIR> d-------- c:\program files\V CAST Music with Rhapsody
2009-02-25 22:45 . 2009-03-20 23:11 256 --a------ c:\windows\SYSTEM32\pool.bin
2009-02-25 16:59 . 2009-02-27 12:16 <DIR> d-------- c:\documents and settings\Jill\Application Data\Research In Motion
2009-02-24 16:44 . 2009-02-27 12:14 <DIR> d-------- c:\program files\Research In Motion
2009-02-24 16:44 . 2009-02-25 21:26 <DIR> d-------- c:\program files\Common Files\Research In Motion
2009-02-24 16:44 . 2007-01-18 11:24 26,496 -ra------ c:\windows\SYSTEM32\DRIVERS\RimSerial.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-16 04:41 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-16 04:40 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-13 03:28 --------- d-----w c:\program files\iTunes
2009-03-13 03:27 --------- d-----w c:\program files\iPod
2009-03-13 03:27 --------- d-----w c:\program files\Common Files\Apple
2009-02-22 00:20 --------- d-----w c:\program files\HP
2009-01-23 22:07 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-01-23 21:55 --------- d-----w c:\documents and settings\All Users\Application Data\HPSSUPPLY
2009-01-23 21:06 --------- d-----w c:\documents and settings\Jill\Application Data\HPAppData
2008-04-29 22:05 83,328 -c--a-w c:\documents and settings\Jill\Application Data\GDIPFONTCACHEV1.DAT
2008-11-14 20:32 27,976 ----a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-11-14 20:32 126,360 ----a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-11-14 20:33 46,408 ----a-w c:\program files\mozilla firefox\plugins\atmccli.dll
2008-11-14 20:33 98,712 ----a-w c:\program files\mozilla firefox\plugins\ieatgpc.dll
2008-08-25 13:11 32,768 -csha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008082520080826\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-08-18 151597]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-01-23 3429904]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-01 136600]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2008-09-19 615696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-11 342312]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows\BCMSMMSG.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2008-09-19 1545488]
LaunchU3.exe.lnk - c:\windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_2cd672ae.exe [2007-05-10 1078]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Free WebSite Tools.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Free WebSite Tools.lnk
backup=c:\windows\pss\Free WebSite Tools.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online Support Center.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Verizon Online Support Center.lnk
backup=c:\windows\pss\Verizon Online Support Center.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-12-17 12:28 684032 c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
-ra--c--- 2002-08-14 18:22 28672 c:\windows\SYSTEM32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
--a------ 2001-07-25 10:00 184376 c:\program files\Microsoft Money\System\Money Express.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
--a------ 2001-07-25 10:00 241714 c:\program files\Microsoft Money\System\Activation.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-05-02 15:19 4640768 c:\windows\SYSTEM32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2003-08-18 17:50 151597 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-08-29 04:59 122880 c:\windows\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 tmpreflt;tmpreflt;c:\windows\SYSTEM32\DRIVERS\tmpreflt.sys [2007-04-09 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\SYSTEM32\DRIVERS\TM_CFW.sys [2007-04-09 288848]
S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~4\Tmntsrv.exe [2006-12-29 480784]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~4\TmPfw.exe [2006-12-29 943696]
S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~4\tmproxy.exe [2006-12-29 566872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8800006c-ff42-11db-af5a-0007e95e34c9}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-03-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{2502BBD0-D73B-11DD-B4EC-CEBF56D89593} - c:\windows\system32\vumer.dll
MSConfigStartUp-IPInSightLAN 01 - c:\program files\Verizon Online\Visual IP InSight\IPClient.exe
MSConfigStartUp-IPInSightMonitor 01 - c:\program files\Verizon Online\Visual IP InSight\IPMon32.exe
MSConfigStartUp-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\mcupdate.exe
MSConfigStartUp-MMTray - c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
MSConfigStartUp-Motive SmartBridge - c:\progra~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
MSConfigStartUp-msnmsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
MSConfigStartUp-VirusScan Online - c:\progra~1\mcafee.com\vso\mcvsshld.exe
MSConfigStartUp-VSOCheckTask - c:\progra~1\mcafee.com\vso\mcmnhdlr.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jill\Application Data\Mozilla\Firefox\Profiles\fvnog35z.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-20 23:13:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\1954e3dc66f6ecda8d0da55f113ac04b.sys 39936 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\1954e3dc66f6ecda8d0da55f113ac04b]
"ImagePath"="system32\1954e3dc66f6ecda8d0da55f113ac04b.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3337430407-2825330634-1630655782-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\snmp.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\documents and settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-20 23:19:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-21 04:19:25

Pre-Run: 21,183,156,224 bytes free
Post-Run: 21,213,532,160 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
206 --- E O F --- 2009-03-14 08:02:04

Also, here are the screenshots from the latest Trend scan that came up with something...
"Spyware Scan Logs","2009/04/02","BOTTOFFICE"
"Time","Area","Item Name","Detected Resource","Target","Action"
"13:05","File System","HKTL_BBZA","C:\WINDOWS\system32\","1954e3dc66f6ecda8d0da55f113ac04b.sys","Detected"
"15:38","File System","HKTL_BBZA","C:\WINDOWS\system32\","1954e3dc66f6ecda8d0da55f113ac04b.sys","Detected"
"15:38","File System","HKTL_BBZA","C:\WINDOWS\system32\","1954e3dc66f6ecda8d0da55f113ac04b.sys","Detected"

And the Trend personal firewall keeps giving me this error/log...
"Personal Firewall Logs","2009/04/02","BOTTOFFICE"
"Type","Time","Protocol","Source IP Address","Source Port","Destination IP Address","Destination Port","Application Path","Application Description","Description"
"Exception List Rule","17:29:52","ICMP","192.168.1.254","n/a","192.168.1.103","n/a","---","---","Destination Unreachable"
"Exception List Rule","17:29:53","ICMP","192.168.1.254","n/a","192.168.1.103","n/a","---","---","Destination Unreachable"
"Exception List Rule","17:29:55","ICMP","192.168.1.254","n/a","192.168.1.103","n/a","---","---","Destination Unreachable"

Sorry I didn't post these earlier, but in my original post I was working from Safe Mode with Networking. Please let me know what else I need to do/post to help. Thanks!
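The logs in this thread line up in a way worth spelling out for anyone triaging a similar machine. ComboFix deleted a set of randomly named UAC*.dll/.sys/.log files from system32 and removed the UACd.sys service, which is the file-naming pattern of the TDSS rootkit family of that period; catchme then still reported a hidden driver, 1954e3dc66f6ecda8d0da55f113ac04b.sys, with a matching service key under ControlSet003; and Trend's scan log lists that same file as HKTL_BBZA three times with the action "Detected" and never "Cleaned" or "Quarantined", meaning the scanner can see the file but cannot act on it. The firewall lines are a different matter: 192.168.1.254 (most likely the home router on that subnet) is sending ICMP Destination Unreachable to this host, which is a routing reply, not a sign of compromise, so the script below ignores them. The script is an added example, not part of this thread and not ComboFix, catchme or Trend Micro code; its sample input is an excerpt of the posted logs, and the name patterns (UAC-prefixed names, 32-hex-character driver stems) and the "repeatedly Detected, never cleaned" rule are heuristics of this example, not vendor signatures.

```python
"""Triage a ComboFix log and a Trend Micro spyware-scan CSV together. Added example
for this thread, not ComboFix/catchme/Trend Micro code; all rules are heuristics."""
import csv
import re
from collections import Counter

# Constructed sample: an excerpt of the ComboFix log posted above.
COMBOFIX_EXCERPT = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\patch.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\drivers\UACaoeclkjt.sys
c:\windows\system32\uacinit.dll
c:\windows\system32\vumer.dll
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_UACd.sys
scanning hidden files ...
c:\windows\system32\1954e3dc66f6ecda8d0da55f113ac04b.sys 39936 bytes executable
scan completed successfully
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\1954e3dc66f6ecda8d0da55f113ac04b]
"""

# Constructed sample: the Trend Micro spyware-scan log posted above.
TREND_SCAN_LOG = (
    '"Spyware Scan Logs","2009/04/02","BOTTOFFICE"\n'
    '"Time","Area","Item Name","Detected Resource","Target","Action"\n'
    '"13:05","File System","HKTL_BBZA","C:\\WINDOWS\\system32\\","1954e3dc66f6ecda8d0da55f113ac04b.sys","Detected"\n'
    '"15:38","File System","HKTL_BBZA","C:\\WINDOWS\\system32\\","1954e3dc66f6ecda8d0da55f113ac04b.sys","Detected"\n'
    '"15:38","File System","HKTL_BBZA","C:\\WINDOWS\\system32\\","1954e3dc66f6ecda8d0da55f113ac04b.sys","Detected"\n'
)

SECTION = re.compile(r"^\(+\s*(.+?)\s*\)+$")                       # ((( Other Deletions )))
WINPATH = re.compile(r"^([a-z]:\\.+?\.(?:sys|dll|exe|dat|log|inf))", re.I)
UAC_NAME = re.compile(r"^uac[a-z]{1,8}\.(?:sys|dll|dat|log)$", re.I)  # TDSS-style name (heuristic)
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)                        # hash-like stem (heuristic)


def sections(log):
    """Split a ComboFix log into {section name: [content lines]}, dropping '.' and blanks."""
    out, current = {}, "preamble"
    for line in log.splitlines():
        m = SECTION.match(line.strip())
        if m:
            current = m.group(1)
            out.setdefault(current, [])
        elif line.strip() not in ("", "."):
            out.setdefault(current, []).append(line.rstrip())
    return out


def hidden_files(log):
    """Paths catchme listed between 'scanning hidden files ...' and 'scan completed'."""
    m = re.search(r"scanning hidden files \.\.\.(.*?)scan completed", log, re.S)
    lines = m.group(1).splitlines() if m else []
    return [WINPATH.match(l).group(1) for l in lines if WINPATH.match(l)]


def flag_names(paths):
    """{path: reason} for file names matching the heuristics above."""
    flagged = {}
    for p in paths:
        name = p.rsplit("\\", 1)[-1]
        if UAC_NAME.match(name):
            flagged[p] = "UAC-prefixed random name (TDSS-style)"
        elif HEX32.match(name.rsplit(".", 1)[0]):
            flagged[p] = "32-hex-char (hash-like) file name"
    return flagged


def service_for(log, driver_stem):
    """The Services\\<stem> key ComboFix dumped for a driver, or None."""
    pat = r"\[(HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\%s)\]" % re.escape(driver_stem)
    m = re.search(pat, log, re.I)
    return m.group(1) if m else None


def unresolved_detections(csv_text, min_hits=2):
    """(item, path) logged at least min_hits times as 'Detected' with no clean/quarantine/
    delete action: the scanner sees the file but cannot act on it (fits a hidden driver)."""
    rows = list(csv.reader(csv_text.splitlines()))
    hdr_at = next(i for i, r in enumerate(rows) if r and r[0] == "Time")  # skip the title row
    header, hits = rows[hdr_at], Counter()
    for rec in (dict(zip(header, r)) for r in rows[hdr_at + 1:] if len(r) == len(header)):
        if rec["Action"] == "Detected":
            hits[(rec["Item Name"], rec["Detected Resource"] + rec["Target"])] += 1
    return {k: n for k, n in hits.items() if n >= min_hits}


def triage(combofix_log, trend_csv):
    """Correlate ComboFix deletions, catchme hidden files and Trend detections."""
    secs = sections(combofix_log)
    deleted = [l for l in secs.get("Other Deletions", []) if WINPATH.match(l)]
    removed = [l.split("\\Service_", 1)[1] for l in secs.get("Drivers/Services", []) if "\\Service_" in l]
    hidden = hidden_files(combofix_log)
    with_svc = {p: service_for(combofix_log, p.rsplit("\\", 1)[-1].rsplit(".", 1)[0]) for p in hidden}
    return {
        "deleted": deleted,
        "removed_services": removed,
        "hidden": hidden,
        "flagged": flag_names(deleted + removed + hidden),
        "hidden_with_service": {p: k for p, k in with_svc.items() if k},
        "unresolved_av": unresolved_detections(trend_csv),
    }
```

Calling triage(COMBOFIX_EXCERPT, TREND_SCAN_LOG) flags the UAC* files and the UACd.sys service as TDSS-style names, flags the catchme hidden driver for its hash-like name, ties that driver to its ControlSet003 service key, and reports the HKTL_BBZA file as detected three times without being cleaned. Treat the output as a list of things to pull for analysis (the hidden .sys and its service key first), not as proof of infection on its own; the two name heuristics are tuned to the 2009 pattern in this thread and will miss renamed variants.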
