HJ This File
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:49:44 AM, on 7/13/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\internet explorer\iexplore.exe
C:\Program Files (x86)\internet explorer\iexplore.exe
C:\Program Files (x86)\internet explorer\iexplore.exe
C:\Windows\SysWow64\Macromed\Flash\FlashUtil10b.exe
C:\Users\Troy Dykstra\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JAZCLSWN\HijackThis[1].exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.mywebsearch.com/index.jhtml?n=77C09F4F&ptnrS=ZNman000&ptb=L5_lCR5JUJ6yIBqKK9YndA
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program …
I bought a new laptop a couple months ago and it seems to run slow at times. Have run m-bam and atf cleaner regularly. Most times I have 70 to 80 processes running. This seems like a lot. May not be the right forum for this but not sure where I should post. If this is the place, please let me know and I will run all the scans. Thanks, Troy
Could someone please refer me to a safe website where I can download a MP4 converter.
Thanks
Yes - I think the machine is clean, but we should now make sure all the security measures are up to date.
The Kaspersky Internet Securty Suite on the machine is usually solid. It should be updated. If she allowed the license to lapse and does not want to renew, we'll have to replace it with a free option.
Please do this:
-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool
* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).
- Copy&Paste the DDS.txt into your next post.
- Please post Attach.txt as an attachment to your post - there is no need to Zip it.
That will give me the info I need to make any recommendations.
PP :)
Great. Thanks again for all your help. It will be this weekend before I can get to it as I had to go out of town this week. Post as soon as possible.
Troy
It will be this weekend before I can get to it as I had to go out of town for work.
No worries!
These particular keys can be a real pain to remove, even when orphaned.
It won't hurt anything to leave them there - there are likely (many) hundreds of orphaned keys accumulated in the registry. I am leery about trying to rip them out forcibly again given what occurred the last time...
If you didn't see the HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules key or any "imagepath" values, it would seem that those have been cleaned previously.
-- How are things running now?
If OK, let's Flush System Restore. Just turn it off and back on as noted in the linky.
If you prefer, you can leave it off and use ERUNT - 'Course you have to remember to do it or set ERUNT to run automatically.
PP:)
Things seem to be running fine. Did the restore delete. Anything else I need to do?
Thank you and Happy Thanksgiving to you as well.
Start > Run Combofix /u could not be found. I think I removed all the Combofix files though.
Files are backed up with Erunt.
I checked the system/driver files listed and found nothing.
Registry keys listed: I found the first folder system/UACd but none of the separate folders listed. The system/uacd folder could not be deleted but only contained (Default) REG_SZ (value not set), which also could not be deleted.
Yeah that would be great if you could list the registry keys that need to be deleted.
New Mbam log.
Malwarebytes' Anti-Malware 1.41
Database version: 3221
Windows 5.1.2600 Service Pack 3
11/23/2009 9:37:32 PM
mbam-log-2009-11-23 (21-37-32).txt
Scan type: Full Scan (C:\|)
Objects scanned: 198219
Time elapsed: 55 minute(s), 36 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\System Volume Information\_restore{E5F689B9-8C88-425A-878C-812257CD29D2}\RP524\A0117443.exe (Trojan.Banker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E5F689B9-8C88-425A-878C-812257CD29D2}\RP524\A0117431.exe (Trojan.Banker) -> Quarantined and deleted successfully.
Yes, I still have the recovery console installed. Wow, that scan took over 22 hrs! It did find something and delete it...this is good! Here are the logs and thanks again for all your help.
Also not sure about the previous check that I did when the computer would not reboot. I was unaware that it had saved a log and weird that it saved it to the flash drive, but I found this Bootex log file on the flash so I will post that as well. Not sure if it is pertinent but I thought you should see it.
Checking file system on E:
The type of the file system is FAT32.
One of your disks needs to be checked for consistency. You
may cancel the disk check, but it is strongly recommended
that you continue.
Windows will now check the disk.
Volume Serial Number is 2B18-32E1
Windows has checked the file system and found no problems.
15620160 KB total disk space.
16 KB in 1 folders.
9296 KB in 6 files.
15610832 KB are available.
16384 bytes in each allocation unit.
976260 total allocation units on disk.
975677 allocation units available on disk.
Scan
----
Scanned: 572896
Detected: 1
Untreated: 0
Start time: 11/22/2009 10:06:22 AM
Duration: 22:12:19
Finish time: 11/23/2009 8:18:41 AM
Detected
--------
Status Object
------ ------
deleted: Trojan program Rootkit.Win32.PMax.e File: C:\System Volume Information\_restore{E5F689B9-8C88-425A-878C-812257CD29D2}\RP516\A0107266.sys:1
Events
------
Time Name Status Reason
---- ---- ------ ------
Statistics
----------
Object Scanned Detected Untreated Deleted Moved to Quarantine Archives …
Did as instructed. Computer shut down to reboot and did not restart. Power was on but would not run windows. Tried to restart normally with no success. Had to restart from last known good configuration. Start successful. Not sure if I should retry Avenger?
OK, no UACd.sys on the correct computer either. There is one called Serial and it has a ! next to it.
No worries - we're all busy with real life :)
For some reason, combofix is not getting this. It should...
-- Is the recovery console still installed?
Also, see if you can do this:
-- RightClick on MyComputer Icon and select Properties.
-- Select the Hardware Tab and Click on Device Manager.
-- Select the View option and Click on Show Hidden Drivers.
--Scroll down to Non Plug and Play Drivers and Click the + to expand the list.
-- In the list of drivers, RightClick on UACd.sys and Disable it. If asked to confirm, Click Yes.
REBOOT
Don't do anything else - just answer the recovery console question and let me know if the UACd step went OK.
And we'll go from there.
PP:)
UACD.sys is not shown in the non plug and play... I'm a dork. I'll do it on the correct PC this time.
Gmer log:
GMER 1.0.15.15227 - http://www.gmer.net
Rootkit scan 2009-11-18 20:56:40
Windows 5.1.2600 Service Pack 3
Running: il7404xf.exe; Driver: C:\DOCUME~1\kelli\LOCALS~1\Temp\pgldqpob.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0xAA9AD36E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwClose [0xAA9ADA86]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwConnectPort [0xAA9AE60C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateEvent [0xAA9AEB40]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateFile [0xAA9ADD78]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateKey [0xAA9AC460]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateMutant [0xAA9AEA18]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateNamedPipeFile [0xAA9ABD0A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreatePort [0xAA9AE8D4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSection [0xAA9AD102]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSemaphore [0xAA9AEC72]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xAA9B040E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateThread [0xAA9AD886]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateWaitablePort [0xAA9AE976]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteKey [0xAA9ACA20]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteValueKey [0xAA9ACCF8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0xAA9AE21C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDuplicateObject [0xAA9B0980]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateKey [0xAA9ACE3A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xAA9ACEE4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwFsControlFile [0xAA9AE016]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadDriver [0xAA9AFEA6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey [0xAA9AC43C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey2 [0xAA9AC44E]
Sorry about the delay but I was enjoying my 3hr commute home. :)
Scanning now.
New Log:
ComboFix 09-11-18.06 - kelli 11/18/2009 14:30.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.151 [GMT -8:00]
Running from: c:\documents and settings\kelli\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\kelli\Desktop\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
* Created a new restore point
FILE ::
"c:\windows\system32\drivers\UACmlsfkrshab.sys"
"c:\windows\system32\SET17.tmp"
"c:\windows\system32\UACblqpqeupkd.dll"
"c:\windows\system32\UACktapucvber.dll"
"c:\windows\system32\UACobuaiteytn.dll"
"c:\windows\system32\UACsxrogejixq.dat"
"c:\windows\system32\UACyewybordig.dll"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\496a39afdbed2b24c2c8
c:\496a39afdbed2b24c2c8\$shtdwn$.req
c:\496a39afdbed2b24c2c8\mrt.exe
c:\496a39afdbed2b24c2c8\mrtstub.exe
C:\7982518c8b11f8a4e878
c:\7982518c8b11f8a4e878\$shtdwn$.req
c:\7982518c8b11f8a4e878\mrt.exe
c:\7982518c8b11f8a4e878\mrtstub.exe
C:\7f53c993687974ed3c0117715ee81f01
c:\7f53c993687974ed3c0117715ee81f01\$shtdwn$.req
c:\7f53c993687974ed3c0117715ee81f01\mrt.exe
c:\7f53c993687974ed3c0117715ee81f01\mrtstub.exe
C:\a49032d5139bca81285f7967b5
c:\a49032d5139bca81285f7967b5\$shtdwn$.req
c:\a49032d5139bca81285f7967b5\mrt.exe
c:\a49032d5139bca81285f7967b5\mrtstub.exe
.
--------------- FCopy ---------------
c:\windows\ServicePackFiles\i386\eventlog.dll --> c:\windows\system32\eventlog.dll
.
((((((((((((((((((((((((( Files Created from 2009-10-18 to 2009-11-18 )))))))))))))))))))))))))))))))
.
2009-11-18 22:30 . 2008-04-14 00:11 56320 -c--a-w- c:\windows\system32\dllcache\eventlog.dll
2009-11-18 22:30 . 2008-04-14 00:11 56320 ----a-w- c:\windows\system32\eventlog.dll
2009-11-14 17:25 . 2009-11-14 17:25 -------- d-sh--w- c:\documents and settings\kelli\IECompatCache
2009-11-14 02:33 . 2009-11-14 02:33 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-14 02:14 . 2009-11-14 02:14 -------- d-sh--w- c:\documents and settings\kelli\PrivacIE
2009-11-14 02:11 . 2009-11-14 02:11 -------- d-----w- c:\windows\system32\scripting
2009-11-14 02:11 . 2009-11-14 02:11 -------- d-----w- c:\windows\l2schemas
2009-11-14 02:11 . 2009-11-14 02:11 -------- d-----w- c:\windows\system32\en
2009-11-14 02:11 . 2009-11-14 02:11 -------- d-----w- c:\windows\system32\bits
2009-11-14 01:55 . 2009-11-14 01:55 -------- d-----w- c:\windows\EHome
2009-11-14 01:42 . 2009-11-14 01:42 -------- d-sh--w- c:\documents and settings\kelli\IETldCache
2009-11-14 01:12 . 2009-10-02 …
The MSRT did not come up with anything. Weird thing is this morning I thought I would try the combofix one more time and it loaded right up. Here's the log.
Thanks T
ComboFix 09-11-17.01 - kelli 11/17/2009 8:37.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.177 [GMT -8:00]
Running from: c:\documents and settings\kelli\Desktop\iexplorer.exe
AV: Kaspersky Internet Security *On-access scanning enabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
((((((((((((((((((((((((( Files Created from 2009-10-17 to 2009-11-17 )))))))))))))))))))))))))))))))
.
2009-11-14 17:25 . 2009-11-14 17:25 -------- d-sh--w- c:\documents and settings\kelli\IECompatCache
2009-11-14 02:33 . 2009-11-14 02:33 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-14 02:14 . 2009-11-14 02:14 -------- d-sh--w- c:\documents and settings\kelli\PrivacIE
2009-11-14 02:11 . 2009-11-14 02:11 -------- d-----w- c:\windows\system32\scripting
2009-11-14 02:11 . 2009-11-14 02:11 -------- d-----w- c:\windows\l2schemas
2009-11-14 02:11 . 2009-11-14 02:11 -------- d-----w- c:\windows\system32\en
2009-11-14 02:11 . 2009-11-14 02:11 -------- d-----w- c:\windows\system32\bits
2009-11-14 01:55 . 2009-11-14 01:55 -------- d-----w- c:\windows\EHome
2009-11-14 01:42 . 2009-11-14 01:42 -------- d-sh--w- c:\documents and settings\kelli\IETldCache
2009-11-14 01:12 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-11-14 01:12 . 2009-11-16 15:06 -------- d-----w- c:\windows\ie8updates
2009-11-14 01:11 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-11-14 01:11 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-14 01:08 . 2009-11-14 01:11 -------- dc-h--w- c:\windows\ie8
2009-11-14 00:37 . 2009-11-14 00:37 932368 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll
2009-11-14 00:37 . 2009-11-14 00:37 678416 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll
…
Same Date Error in Safe mode as well.....?
Malwarebytes' Anti-Malware 1.41
Database version: 3185
Windows 5.1.2600 Service Pack 3
11/16/2009 6:37:34 PM
mbam-log-2009-11-16 (18-37-34).txt
Scan type: Full Scan (C:\|)
Objects scanned: 196116
Time elapsed: 38 minute(s), 35 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Active Security (Rogue.ActiveSecurity) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2669f63b-e857-4672-804b-1ebc92e010a6}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e1be4467-30d2-4c66-9d9c-eb0bbb62900d}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{2669f63b-e857-4672-804b-1ebc92e010a6}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e1be4467-30d2-4c66-9d9c-eb0bbb62900d}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{2669f63b-e857-4672-804b-1ebc92e010a6}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{e1be4467-30d2-4c66-9d9c-eb0bbb62900d}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{2669f63b-e857-4672-804b-1ebc92e010a6}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{e1be4467-30d2-4c66-9d9c-eb0bbb62900d}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
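The Malwarebytes log above shows the same rogue resolver (77.74.48.113) written into NameServer under CurrentControlSet and under ControlSet001, 003 and 004, which is why a check has to cover every control set and not just the live one. The following PowerShell check is an added example, not code from the thread or from Malwarebytes: it walks every ControlSet hive, reads NameServer and also DhcpNameServer (which the log does not mention), and flags resolvers missing from an allowlist. It assumes Windows PowerShell 3.0 or later; the allowlist is a constructed placeholder.

```powershell
# Added example (not from the thread). Enumerates the per-interface DNS resolver
# values under every ControlSet hive, the same keys Trojan.DNSChanger overwrote in
# the log above, and flags any resolver that is not on a local allowlist.
# Assumptions: Windows PowerShell 3.0 or later; the allowlist below is a constructed
# placeholder and must be replaced with the resolvers your network actually uses.
$AllowedResolvers = @('192.168.1.1', '9.9.9.9')

function Get-ConfiguredResolvers {
    $records = @()
    # CurrentControlSet is only a link to one ControlSet00N; "Last Known Good" boots
    # another, so a value left in any of them can come back after a rollback.
    $controlSets = Get-ChildItem -Path 'HKLM:\SYSTEM' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }
    foreach ($cs in $controlSets) {
        $ifRoot = "$($cs.PSPath)\Services\Tcpip\Parameters\Interfaces"
        if (-not (Test-Path -Path $ifRoot)) { continue }
        foreach ($iface in Get-ChildItem -Path $ifRoot -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $iface.PSPath
            # NameServer holds statically configured resolvers; DhcpNameServer holds
            # the ones handed out by DHCP. The log shows only NameServer; both are read.
            foreach ($valueName in 'NameServer', 'DhcpNameServer') {
                $raw = $props.$valueName
                if (-not $raw) { continue }
                # Windows separates multiple resolvers with commas or spaces
                foreach ($ip in ($raw -split '[,\s]+' | Where-Object { $_ })) {
                    $records += [pscustomobject]@{
                        ControlSet = $cs.PSChildName
                        Interface  = $iface.PSChildName
                        ValueName  = $valueName
                        Resolver   = $ip
                        Allowed    = ($AllowedResolvers -contains $ip)
                    }
                }
            }
        }
    }
    return $records
}

$all     = @(Get-ConfiguredResolvers)
$suspect = @($all | Where-Object { -not $_.Allowed })
if ($suspect.Count -gt 0) {
    Write-Warning ("{0} resolver entries are not on the allowlist:" -f $suspect.Count)
    $suspect | Format-Table ControlSet, Interface, ValueName, Resolver -AutoSize
} else {
    Write-Output ("All {0} configured resolver entries are on the allowlist." -f $all.Count)
}
```

A hit in a ControlSet that is not the current one is worth recording before cleanup, since a boot into "Last Known Good Configuration" (as happened later in this thread) would otherwise reactivate it unnoticed.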
So when I click iexplore/combofix to run it, the blue window opens as depicted in the instructions and as with the last scan. Now I get a Date Error popping up. It says Date Error: 2009-11-16 Check your settings.
GMER 1.0.15.15227 - http://www.gmer.net
Rootkit scan 2009-11-14 23:55:11
Windows 5.1.2600 Service Pack 3
Running: 2nlbp8lu.exe; Driver: C:\DOCUME~1\kelli\LOCALS~1\Temp\pgldqpob.sys
---- System - GMER 1.0.15 ----
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-10-26.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 5/28/2006 1:29:33 PM
System Uptime: 11/16/2009 6:55:13 AM (1 hours ago)
Motherboard: Intel Corporation | | MPAD-MSAE Customer Reference Boards
Processor: Genuine Intel(R) CPU T1300 @ 1.66GHz | U1 | 1662/mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 93 GiB total, 52.658 GiB free.
D: is CDROM (CDFS)
==== Disabled Device Manager Items =============
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0000
Manufacturer: Microsoft
Name: Microsoft Tun Miniport Adapter
PNP Device ID: ROOT\*TUNMP\0000
Service: tunmp
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) PRO/Wireless 3945ABG Network Connection
Device ID: PCI\VEN_8086&DEV_4222&SUBSYS_10408086&REV_02\4&2803E7C1&0&00E2
Manufacturer: Intel Corporation
Name: Intel(R) PRO/Wireless 3945ABG Network Connection
PNP Device ID: PCI\VEN_8086&DEV_4222&SUBSYS_10408086&REV_02\4&2803E7C1&0&00E2
Service: w39n51
==== System Restore Points ===================
RP516: 11/13/2009 12:10:21 PM - Software Distribution Service 3.0
RP517: 11/13/2009 12:15:04 PM - Avg8 Update
RP518: 11/13/2009 12:51:22 PM - Removed AVG 9.0
RP519: 11/13/2009 12:53:58 PM - Installed AVG 9.0
RP520: 11/13/2009 4:13:41 PM - Installed Kaspersky Internet Security 2010.
RP521: 11/13/2009 4:52:55 PM - Software Distribution Service 3.0
RP522: 11/13/2009 5:46:19 PM - Software Distribution Service 3.0
RP523: 11/16/2009 6:58:45 AM - Software Distribution Service 3.0
==== Installed Programs ======================
Adobe AIR
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 10 ActiveX
Adobe Media Player
Adobe Reader 7.0
Adobe Photoshop Album Starter Edition 3.0
Apple Mobile Device Support
Apple Software Update
ArcSoft Software Suite
Bluetooth Stack for Windows by Toshiba
Bonjour
CD/DVD Drive Acoustic Silencer
DVD-RAM Driver
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Format SDK (KB910998)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
ImageMixer VCD2
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet/Wireless Software
InterVideo WinDVD for TOSHIBA
iPod for Windows 2005-10-12
iTunes
J2SE Runtime Environment 5.0 Update 4
Kaspersky Internet Security 2010
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
mCore
mDrWiFi
Metamail (Toshiba Registration Utility)
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works
mIWA
mLogView
mMHouse
Move Networks Media Player for Internet Explorer
mPfMgr
mPfWiz
mProSafe
MSN Toolbar
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
mWlsSafe
mXML
mZConfig
PANTECH UM175 Driver
QuickTime
RealPlayer Basic
Realtek High Definition Audio Driver
Rhapsody Player Engine
SD Secure Module
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Sonic DLA
Sonic RecordNow!
Sony USB Driver
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
TOSHIBA Assist
TOSHIBA Controls
TOSHIBA Hotkey Utility
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA TouchPad ON/Off Utility
TOSHIBA Utilities
TOSHIBA Virtual Sound
TOSHIBA Zooming Utility
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Viewpoint Media Player
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
==== End Of File ===========================
Update: Well, I thought I would try out the computer and search the web. So I googled Microsoft and a second browser window opened up. It wanted me to allow a cookie 'admnt' or something. I closed the window and proceeded to Microsoft.com. Instead of the website I got a Windows security alert popup. Kaspersky detected 2 Trojans and 1 malicious tool at the same time. I was able to close the window.
Yeah - it does that sometimes.
We are making some progress - I'd like to double-check something:
Click START > RUN > Type cmd and hit OK
At the command prompt, type or copy & paste: dir /a /s "%systemdrive%\eventlog.dll" >> "%userprofile%\desktop\logit.txt"
Please post the Logit.txt that appears on your Desktop. PP :)
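The dir /a /s check above only lists where copies of eventlog.dll live. The script below is an added example, not something posted in this thread: it walks a tree the same way (hidden and system directories included) but also records each copy's size and SHA-256, so the copy in system32 can be compared against the one Windows Update left under SoftwareDistribution. The demo tree it builds (the directory names under it and the file contents) is constructed for illustration and is not data from this machine.

```python
"""Find every copy of a file name under a root and fingerprint each one.

Added example, not from the thread.  It generalises the helper's
    dir /a /s "%systemdrive%\\eventlog.dll" >> logit.txt
check: beyond listing each copy it records size and SHA-256, so the copy
in system32 can be compared with the one Windows Update left under
SoftwareDistribution.  The demo tree built below is constructed.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, NamedTuple


class Copy(NamedTuple):
    path: str
    size: int      # -1 when the file could not be read
    sha256: str    # "" when the file could not be read


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root: str, name: str) -> List[Copy]:
    """Walk root (hidden and system directories included, like dir /a) and
    return every file named `name`.  The comparison is case-insensitive
    because NTFS is: eventlog.dll and EVENTLOG.DLL are the same name."""
    wanted = name.lower()
    found: List[Copy] = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() != wanted:
                continue
            p = os.path.join(dirpath, fn)
            try:
                found.append(Copy(p, os.path.getsize(p), sha256_of(p)))
            except OSError:
                # Locked by a driver or access denied: still report the path.
                # A copy you cannot read is itself worth knowing about.
                found.append(Copy(p, -1, ""))
    return sorted(found, key=lambda c: c.path.lower())


def group_by_hash(copies: List[Copy]) -> Dict[str, List[str]]:
    """Map each distinct hash to the paths carrying it.  More than one key
    means the copies differ and at least one deserves a closer look."""
    groups: Dict[str, List[str]] = {}
    for c in copies:
        groups.setdefault(c.sha256, []).append(c.path)
    return groups


def report(root: str, name: str) -> str:
    copies = find_copies(root, name)
    lines = []
    for c in copies:
        digest = c.sha256[:16] if c.sha256 else "<unreadable>"
        lines.append(f"{c.size:>10}  {digest:<16}  {c.path}")
    groups = group_by_hash(copies)
    lines.append(f"{len(copies)} copies, {len(groups)} distinct hashes")
    return "\n".join(lines)


def build_demo_tree() -> str:
    """Constructed sample tree: a system32 copy and a SoftwareDistribution
    copy with identical content, plus a stray copy with different content."""
    root = tempfile.mkdtemp(prefix="evtlog_demo_")
    good = b"MZ" + b"\x00" * 30 + b"clean eventlog.dll payload"
    bad = b"MZ" + b"\x00" * 30 + b"patched eventlog.dll payload!"
    for rel, data in (
        ("WINDOWS/system32/eventlog.dll", good),
        ("WINDOWS/SoftwareDistribution/Download/abc123/eventlog.dll", good),
        ("WINDOWS/Temp/EVENTLOG.DLL", bad),
    ):
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    print(report(build_demo_tree(), "eventlog.dll"))
```

Run it against a real drive with `report("C:\\", "eventlog.dll")` from an elevated prompt; a copy that cannot be opened even then is reported as unreadable rather than silently skipped.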
Volume in drive C is SQ004012P03
Volume Serial Number is 649E-AA8F
Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e
04/13/2008 04:11 PM 56,320 eventlog.dll
1 File(s) 56,320 bytes
Total Files Listed:
1 File(s) 56,320 bytes
0 Dir(s) 59,282,022,400 bytes free
I didn't read in the instructions that it would reboot, so that kinda freaked me, but here is the log.
ComboFix 09-11-13.06 - kelli 11/13/2009 13:11.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.246 [GMT -8:00]
Running from: c:\documents and settings\kelli\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-3833446936-2546658454-1005873343-500
c:\program files\Common
c:\program files\Common\_helper.sig
c:\recycler\S-1-5-21-3189052832-4293742930-2107519714-1003
c:\windows\batmeter16.dll
c:\windows\system32\bimawoyo.exe
c:\windows\system32\gejanojo.exe
c:\windows\system32\lomugiti.dll
c:\windows\system32\murevalo.dll
c:\windows\system32\nevoputo.exe
c:\windows\system32\pisuvedi.dll
c:\windows\system32\wowafuha.dll
c:\windows\system32\yolufeta.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
((((((((((((((((((((((((( Files Created from 2009-10-13 to 2009-11-13 )))))))))))))))))))))))))))))))
.
2009-11-13 20:15 . 2009-11-12 02:52 4026136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-11-13 20:15 . 2009-11-12 02:52 600344 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2009-11-13 20:15 . 2009-11-12 02:52 3963672 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-13 20:15 . 2009-11-12 02:52 1257240 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2009-11-13 20:15 . 2009-11-12 02:52 2016536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-11-13 20:15 . 2009-11-12 02:52 496920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-12 21:16 . 2009-11-12 21:16 -------- d-----w- c:\windows\IDB
2009-11-12 15:35 . 2009-11-12 15:35 -------- d-----w- c:\program files\Trend Micro
2009-11-12 05:52 . 2009-11-12 05:52 -------- d-----w- c:\documents and settings\kelli\Application Data\Malwarebytes
2009-11-12 05:50 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-12 05:50 . 2009-11-12 05:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-12 05:50 . 2009-11-12 05:50 -------- d-----w- c:\documents and settings\All …
I screwed up the .txt doc on the first run of "%userprofile%\desktop\win32kdiag.exe" -f -r
So I had to run it again. Here is the log.
Running from: C:\Documents and Settings\kelli\desktop\win32kdiag.exe
Log file at : C:\Documents and Settings\kelli\Desktop\Win32kDiag.txt
Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Finished!
Thanks for the help. I will run the combofix and post log.
win32di...
Running from: C:\Documents and Settings\kelli\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\kelli\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB902400\KB902400
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB913580\KB913580
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB944533\KB944533
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3FF.tmp\ZAP3FF.tmp
Mount point …
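The Win32kDiag log above pairs each "Found mount point" line with a "Mount point destination" line. The parser below is an added example, not part of the thread or of the Win32kDiag tool: it reads that output and sorts each mount point by the shape of its destination. The SAMPLE text is constructed; its first two entries copy lines from the log above, and the third is a made-up volume mount point (a normal Windows volume mount point is a reparse point whose target is \??\Volume{GUID}\). The classification rule is this example's own assumption: a \??\Volume{...}\ destination is the expected shape, a \??\<drive>:\ destination is an ordinary directory junction, and anything else (such as a bare \Device\ object name with non-path characters) is reported as suspicious.

```python
"""Parse Win32kDiag-style mount-point output and flag unusual destinations.

Added example, not from the thread or from Win32kDiag.  SAMPLE is
constructed: two entries copied from the posted log plus one made-up
volume mount point.  The verdict rule below is an assumption of this
example, not a rule the tool applies.
"""
import re
from typing import Dict, List, NamedTuple

SAMPLE = r"""
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB902400\KB902400
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3FF.tmp\ZAP3FF.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Mounts\Data
Mount point destination : \??\Volume{0f3c1e2a-5b6c-4d7e-8f90-a1b2c3d4e5f6}\
Finished!
"""

# \??\Volume{GUID}\ is how a volume mount point's reparse target looks.
VOLUME_RE = re.compile(r"^\\\?\?\\Volume\{[0-9a-fA-F-]{36}\}\\$")
# \??\C:\some\dir is the target form of an ordinary directory junction.
JUNCTION_RE = re.compile(r"^\\\?\?\\[A-Za-z]:\\")


class MountPoint(NamedTuple):
    source: str
    destination: str
    verdict: str   # "volume", "junction" or "suspicious"


def classify(destination: str) -> str:
    """Assumed rule: only the two well-formed target shapes are benign."""
    if VOLUME_RE.match(destination):
        return "volume"
    if JUNCTION_RE.match(destination):
        return "junction"
    return "suspicious"


def parse(text: str) -> List[MountPoint]:
    """Pair each 'Found mount point' line with the 'Mount point destination'
    line that follows it.  Lines that do not fit the pattern are ignored."""
    result: List[MountPoint] = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Found mount point :"):
            pending = line.split(":", 1)[1].strip()
        elif line.startswith("Mount point destination :") and pending is not None:
            dest = line.split(":", 1)[1].strip()
            result.append(MountPoint(pending, dest, classify(dest)))
            pending = None
    return result


def suspicious(text: str) -> List[MountPoint]:
    return [m for m in parse(text) if m.verdict == "suspicious"]


def destination_counts(text: str) -> Dict[str, int]:
    """How many suspicious mount points share each destination.  Many
    sources pointing at one odd target is the pattern seen in the log."""
    counts: Dict[str, int] = {}
    for m in suspicious(text):
        counts[m.destination] = counts.get(m.destination, 0) + 1
    return counts


if __name__ == "__main__":
    for m in parse(SAMPLE):
        print(f"{m.verdict:<10} {m.source}  ->  {m.destination}")
    print(destination_counts(SAMPLE))
```

Feed it the real Win32kDiag.txt with `parse(open("Win32kDiag.txt").read())`; the verdict only says the destination is not a normal volume or junction target, so treat "suspicious" as a list of directories to examine, not a confirmed infection.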
Sorry I thought that I did have them removed. Rescanning now.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:28 AM, on 11/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
M-bam log file:
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2
11/11/2009 10:54:47 PM
mbam-log-2009-11-11 (22-54-25).txt
Scan type: Full Scan (C:\|)
Objects scanned: 170106
Time elapsed: 37 minute(s), 54 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\drivers\UACxrrxobodjk.sys (Rootkit.TDSS) -> No action taken.
C:\WINDOWS\system32\UACsxrogejixq.dat (Rootkit.TDSS) -> No action taken.
Thanks for the reply PP.
I got some help from the IT guy from work today and managed to remove most of the Trojans, Vundo topping the list.
Could not install Kaspersky 2010 b/c of a McAfee file filter driver conflict (save that for another thread).
Downloaded AVG 9.0 and found Trojan Win32/Cryptor, but AVG did not remove it. Just downloaded Mbam and it wouldn't load. Renamed the .exe file and installed and ran it successfully! 58 more infections in 5 mins. Hopefully it's getting cleaner. What should my next step be?
Edit: There is a log file from Mbam. Mbam said that some file could not be deleted. I see in the log file's last line: C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
Thanks T
Hello, I am trying to help a friend with her computer. It is infected quite well it seems. Lots of warnings popping up, i.e. Net worm, Rootkit, Trojan, Backdoor, and so on. I have tried to run Mbam, HJT, and more normally and in safe mode. Nothing will start up. Please advise.
Thanks
Update: As of this morning, after cleaning out temp user files, all of the security warning popup windows have stopped. While I was trying to run a scan off the Trend Micro website, the screen returned to the desktop. The download progress window remained open but progress slowed. Then a window labelled "redirect" popped up but the screen was empty. I closed it. The progress window ran to 100% and asked if I agreed with the licence agreement, but the licence agreement was not visible.