Malware is email spamming



dekunut
2008-09-07, 22:08
An email was opened on our pc that had some sort of virus that infected the computer. It disabled the task manager, changed the background of the computer, and set up something that tries to spam out emails.

I have run all kinds of programs, and most have been removed except for the email spamming part. As soon as I connect to the internet, Symantec shows it is scanning outgoing emails. This in turn disables the internet browsing, even though I'm still connected to the wireless...only thing that is going out is the spam.

I have run Ad-Aware, Spybot, Norton Antivirus, Sophos Anti-Rootkit, and Malwarebytes.

I also tried doing a System Restore from previous dates and it was failing.

Here is the log from HJT....thanks in advance for anyone's help.
--------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:53:19 PM, on 9/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [D-Link Wireless G WUA-1340] C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174494516734
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 6962 bytes

pskelley
2008-09-09, 15:25
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

No malware is showing in the HJT log. If you get any more information, post it; in the meantime we will ask Kaspersky Online Scan to take a look.

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks

dekunut
2008-09-09, 17:50
Thanks! I will definitely give this a try...however, just a question...if whatever is causing my email to spam is disabling my internet, I may not be able to run this virus scan. Will give it a shot, but wasn't sure if there was another option in case this did not work.

dekunut
2008-09-11, 04:31
Was able to finally get it to run. Here is the log file.

Thanks again.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, September 10, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, September 11, 2008 00:27:52
Records in database: 1209909
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 84415
Threat name: 15
Infected objects: 24
Suspicious objects: 0
Duration of the scan: 02:33:19


File name / Threat name / Threats count
C:\Documents and Settings\ppbansal\My Documents\Manju\EMBASSYREFI2006 (D)\music_en-gb.exe Infected: not-a-virus:AdWare.Win32.Comet.di 1
C:\Program Files\Norton AntiVirus\Quarantine\062E3A60.exe Infected: Trojan-Downloader.Win32.Exchanger.ut 1
C:\Program Files\Norton AntiVirus\Quarantine\081F283E.exe Infected: not-a-virus:AdWare.Win32.BHO.crz 1
C:\Program Files\Norton AntiVirus\Quarantine\281A778E.tmp Infected: Trojan-Downloader.Java.OpenConnection.ao 2
C:\Program Files\Norton AntiVirus\Quarantine\281A778E.tmp Infected: Trojan.Java.ClassLoader.au 1
C:\Program Files\Norton AntiVirus\Quarantine\332230E8.tmp Infected: Trojan-Downloader.Win32.Exchanger.ut 1
C:\Program Files\Norton AntiVirus\Quarantine\344F479D.exe Infected: not-a-virus:AdWare.Win32.BHO.crz 1
C:\Program Files\Norton AntiVirus\Quarantine\346C417D.exe Infected: not-a-virus:AdWare.Win32.BHO.crz 1
C:\Program Files\Norton AntiVirus\Quarantine\509E582F Infected: Backdoor.Win32.Agent.pnt 1
C:\Program Files\Norton AntiVirus\Quarantine\5D4211E4.tmp Infected: not-a-virus:AdWare.Win32.BHO.crz 1
C:\Program Files\WebSavingsfromEbates\WebSavingsfromEbates1.exe Infected: not-a-virus:AdWare.Win32.HelpExpress.d 1
C:\RECYCLER\NPROTECT\00000322.dll Infected: not-a-virus:AdWare.Win32.404Search.i 1
C:\RECYCLER\NPROTECT\00000325.dll Infected: Trojan-Downloader.Win32.Dyfuca.cn 1
C:\RECYCLER\NPROTECT\00000331.DLL Infected: Trojan-Clicker.Win32.Delf.r 1
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\Fifoed(78)\A0058102.exe Infected: Trojan-Spy.Win32.Briss.h 1
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\Fifoed(78)\A0058103.dll Infected: Trojan-Spy.Win32.Briss.k 1
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\Fifoed(78)\A0058104.exe Infected: Trojan-Downloader.Win32.Agent.ae 1
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2305\A0127180.exe Infected: Trojan-Downloader.Win32.Exchanger.ut 1
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2305\A0127181.exe Infected: not-a-virus:AdWare.Win32.BHO.crz 1
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2305\A0127207.exe Infected: not-a-virus:AdWare.Win32.BHO.crz 1
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2309\A0128377.dll Infected: Trojan.Win32.Agent.abas 1
C:\WINDOWS\polmx2.exe Infected: Trojan-Downloader.Win32.Agent.ae 1
C:\WINDOWS\UnstSA2.exe Infected: Trojan-Dropper.Win32.Delf.z 1

The selected area was scanned.

pskelley
2008-09-11, 09:48
Thanks for returning your Kaspersky Online Scan (KOS) results. The scan results show a few nasty trojans the databases of the tools we used so far were not including. Let's remove this stuff and see what happens.

1) C:\Program Files\Norton AntiVirus\Quarantine <<< delete everything in that folder in red
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000041213443506

2) C:\RECYCLER\NPROTECT <<< delete the contents of the folder in red
http://service1.symantec.com/support/nsw.nsf/ba62122e5d142a6588256d87006b22be/831aa5c6ef0d750685256c370048ad89?OpenDocument&src=bar_sch_nam

3) Clean infected System Restore files:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

These are the infected files still on the computer, navigate to the file in red and delete it.

C:\Documents and Settings\ppbansal\My Documents\Manju\EMBASSYREFI2006 (D)\music_en-gb.exe ------> AdWare.Win32.Comet.di 1

C:\WINDOWS\polmx2.exe ------> Trojan-Downloader.Win32.Agent.ae 1
C:\WINDOWS\polmx2.inf <<< delete that file if there

C:\WINDOWS\UnstSA2.exe ------> Trojan-Dropper.Win32.Delf.z 1

You may need to show all files and folders to see this junk:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

UnstSA2.exe <<< this file scans as a fairly nasty adware program, see this:
http://www.symantec.com/security_response/print_writeup.jsp?docid=2004-032116-0235-99
and Symantec has provided a free removal tool, please download and run this tool: http://securityresponse.symantec.com/avcenter/FxBlzFnd.exe

Once you get to this point, empty the recycle bin on the Desktop and run Clean Manager: http://spyware-free.us/tutorials/cleanmgr/

Then give me a report.

Thanks

dekunut
2008-09-12, 04:35
Thanks! I performed all the tasks above, and reran the KOS. Here are the results.

One note, it looks like spam emails are being sent out (Symantec is doing a scan for each outgoing email)...

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, September 11, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, September 12, 2008 00:16:39
Records in database: 1214434
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 63427
Threat name: 7
Infected objects: 9
Suspicious objects: 0
Duration of the scan: 01:43:00


File name / Threat name / Threats count
C:\Program Files\WebSavingsfromEbates\WebSavingsfromEbates1.exe Infected: not-a-virus:AdWare.Win32.HelpExpress.d 1
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1\A0000002.exe Infected: Trojan-Dropper.Win32.Delf.z 1
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1\A0000096.exe Infected: Trojan-Downloader.Win32.Exchanger.ut 1
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1\A0000105.exe Infected: not-a-virus:AdWare.Win32.BHO.crz 1
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1\A0000138.exe Infected: Trojan-Downloader.Win32.Agent.ae 1
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1\A0000139.exe Infected: not-a-virus:AdWare.Win32.BHO.crz 1
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1\A0000140.exe Infected: not-a-virus:AdWare.Win32.BHO.crz 1
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1\A0000150.dll Infected: not-a-virus:AdWare.Win32.404Search.i 1
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1\A0000152.dll Infected: Trojan-Downloader.Win32.Dyfuca.cn 1

The selected area was scanned.
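The removal post above sorts the first KOS report by where each file lives (live on disk, Norton quarantine, RECYCLER\NPROTECT, or a System Restore point) because each location is cleaned differently, and the second report then shows the same threat names again under new RP1\A00000nn paths. The script below is an added example, not from the thread or from Kaspersky; it parses hit lines in the report format shown above, buckets them by location, and compares two reports by threat name rather than by path so that renamed restore-point copies are still matched. The two embedded reports are constructed subsets of the reports in this thread.

```python
import re
from collections import defaultdict

# One hit line of a Kaspersky Online Scanner 7 report:  <path> Infected: <threat> <count>
HIT_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Constructed sample: a subset of the first KOS report in this thread (header and footer
# lines included to show that non-hit lines are ignored).
REPORT_BEFORE = r"""
File name / Threat name / Threats count
C:\Documents and Settings\ppbansal\My Documents\Manju\EMBASSYREFI2006 (D)\music_en-gb.exe Infected: not-a-virus:AdWare.Win32.Comet.di 1
C:\Program Files\Norton AntiVirus\Quarantine\062E3A60.exe Infected: Trojan-Downloader.Win32.Exchanger.ut 1
C:\Program Files\Norton AntiVirus\Quarantine\281A778E.tmp Infected: Trojan-Downloader.Java.OpenConnection.ao 2
C:\Program Files\WebSavingsfromEbates\WebSavingsfromEbates1.exe Infected: not-a-virus:AdWare.Win32.HelpExpress.d 1
C:\RECYCLER\NPROTECT\00000325.dll Infected: Trojan-Downloader.Win32.Dyfuca.cn 1
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2305\A0127180.exe Infected: Trojan-Downloader.Win32.Exchanger.ut 1
C:\WINDOWS\polmx2.exe Infected: Trojan-Downloader.Win32.Agent.ae 1
C:\WINDOWS\UnstSA2.exe Infected: Trojan-Dropper.Win32.Delf.z 1

The selected area was scanned.
"""

# Constructed sample: a subset of the second (post-cleanup) report in this thread.
REPORT_AFTER = r"""
C:\Program Files\WebSavingsfromEbates\WebSavingsfromEbates1.exe Infected: not-a-virus:AdWare.Win32.HelpExpress.d 1
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1\A0000002.exe Infected: Trojan-Dropper.Win32.Delf.z 1
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1\A0000096.exe Infected: Trojan-Downloader.Win32.Exchanger.ut 1
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1\A0000138.exe Infected: Trojan-Downloader.Win32.Agent.ae 1
"""

# The cleanup action the removal post prescribes for each location (bucket names are ours).
ACTIONS = {
    "live": "show hidden files, then delete the file or run the vendor removal tool",
    "av-quarantine": "empty the antivirus quarantine folder",
    "nprotect": "empty Norton Protected Files (RECYCLER\\NPROTECT), then the Recycle Bin",
    "system-restore": "turn System Restore off, reboot, turn it back on (drops every restore point)",
}


def classify(path):
    """Bucket a hit by where the file lives; each bucket needs a different cleanup."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "system-restore"
    if "\\quarantine\\" in p:
        return "av-quarantine"
    if "\\recycler\\nprotect\\" in p:
        return "nprotect"
    return "live"


def parse_hits(report):
    """Return (path, threat, count) for every hit line; header/footer lines do not match."""
    hits = []
    for line in report.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append((m["path"], m["threat"], int(m["count"])))
    return hits


def triage(report):
    """Group hits by location bucket."""
    buckets = defaultdict(list)
    for path, threat, count in parse_hits(report):
        buckets[classify(path)].append((path, threat, count))
    return dict(buckets)


def unresolved(report):
    """Hits still live on disk: the only ones that can actually execute."""
    return triage(report).get("live", [])


def remediation_plan(report):
    """Which cleanup steps are still needed, one per bucket present."""
    return {bucket: ACTIONS[bucket] for bucket in triage(report)}


def threat_movement(before, after):
    """For each threat name, the buckets it sat in before and after cleanup.
    Keyed on threat name, not path: restore-point copies get fresh A00000nn names."""
    def by_threat(report):
        seen = defaultdict(set)
        for path, threat, _ in parse_hits(report):
            seen[threat].add(classify(path))
        return seen
    b, a = by_threat(before), by_threat(after)
    return {t: (sorted(b.get(t, ())), sorted(a.get(t, ()))) for t in sorted(set(b) | set(a))}


if __name__ == "__main__":
    for bucket, hits in sorted(triage(REPORT_BEFORE).items()):
        print(f"{bucket}: {len(hits)} hit(s) -> {ACTIONS[bucket]}")
    for threat, (was, now) in threat_movement(REPORT_BEFORE, REPORT_AFTER).items():
        print(f"{threat}: {was or '-'} -> {now or '-'}")
    print("still live:", [p for p, _, _ in unresolved(REPORT_AFTER)])
```

Run against the two constructed reports, the movement table shows the adware in WebSavingsfromEbates still live (the file the helper says got missed) and the deleted live executables reappearing only inside the new RP1 restore point, which is why the System Restore off/reboot/on step has to be repeated rather than the files hunted down by path.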

pskelley
2008-09-12, 11:39
Are you sure you followed the directions to clean the System Restore files? It looks like the same files are in the KOS:

This got missed:
C:\Program Files\WebSavingsfromEbates\WebSavingsfromEbates1.exe Infected: not-a-virus:1
and it is possible it creates spam.
http://www.emsisoft.com/en/malware/?Adware.Win32.HelpExpress.d

Because I am not satisfied with results so far, I would like to start again, please follow these directions.

1) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)

2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply.

Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log and that uninstall list.

Thanks

dekunut
2008-09-12, 14:20
Thanks....here are the logs requested

HJT Uninstall Log
ComboFix Log
HJT Log

-----------------------------------------------------
Ad-aware 6 Personal
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 8
Adobe® Photoshop® Album Starter Edition 3.0
ANIO Service
ANIWZCS2 Service
ATI Display Driver
Brother MFL-Pro Suite
Conexant HSF V92 56K RTAD Speakerphone PCI Modem
Creative WebCam Center
Creative WebCam Live! User's Guide (English)
Dell | Support
Dell Picture Studio - Dell Image Expert
Easy CD Creator 5 Basic
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
ImageMixer VCD/DVD2 for OLYMPUS
Java(TM) 6 Update 7
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2002
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft Office XP Proofing Tools
Microsoft Picture It! Photo 2002
Microsoft Word 2002
Microsoft Works 2002 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Norton AntiVirus 2003 Professional Edition
Norton WMI Update
OLYMPUS Master
PaperPort
QuickTime
SafeCast Shared Components
SatellitePC
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Shockwave
Sophos Anti-Rootkit 1.3.1
Spybot - Search & Destroy
The Rosetta Stone
TurboTax Home & Business 2006
TurboTax Home & Business 2007
TurboTax ItsDeductible 2005
TurboTax ItsDeductible 2006
TurboTax Premier 2005
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows XP Service Pack 2
Wireless G WUA-1340
Yudit Bitmap Fonts 1.2
Yudit-2.8.1

-----------------------------------------------------

ComboFix 08-09-10.04 - ppbansal 2008-09-12 7:00:17.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.232 [GMT -5:00]
Running from: C:\Documents and Settings\ppbansal\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-08-12 to 2008-09-12 )))))))))))))))))))))))))))))))
.

2008-09-09 20:06 . 2008-09-09 20:06 <DIR> d-------- C:\WINDOWS\Sun
2008-09-09 20:06 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-09-09 20:05 . 2008-09-09 20:06 <DIR> d-------- C:\Program Files\Java
2008-09-09 20:05 . 2008-09-09 20:05 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-05 20:44 . 2008-09-05 20:54 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-05 20:44 . 2008-09-05 20:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-05 00:03 . 2008-09-05 00:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-04 23:42 . 2005-03-31 01:06 36,864 --------- C:\WINDOWS\SYSTEM32\CTCamMgr.dll
2008-09-04 21:58 . 2008-09-04 21:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-04 21:58 . 2008-09-04 21:58 <DIR> d-------- C:\Documents and Settings\ppbansal\Application Data\Malwarebytes
2008-09-04 21:58 . 2008-09-04 21:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-04 21:58 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-09-04 21:58 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-09-04 20:59 . 2008-09-04 20:59 <DIR> d-------- C:\Program Files\Sophos
2008-09-03 23:20 . 2008-09-03 23:21 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-02 05:19 . 2008-09-12 07:04 86,804 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\a50e339b.sys
2008-08-27 01:06 . 2008-09-04 01:10 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot_bak
2008-08-12 16:23 . 2008-05-01 09:30 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-12 11:55 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-07 19:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-05 04:47 --------- d-----w C:\Program Files\Common Files\Real
2008-09-05 04:44 --------- d-----w C:\Program Files\ecto 2
2008-09-05 04:43 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-09-05 04:43 --------- d-----w C:\Program Files\Audacity
2008-09-05 04:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2008-07-19 03:07 270,880 ----a-w C:\WINDOWS\SYSTEM32\mucltui.dll
2008-07-19 03:07 210,976 ----a-w C:\WINDOWS\SYSTEM32\muweb.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-24 16:23 74,240 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mscms.dll
2008-06-24 15:57 3,592,192 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-06-23 09:20 625,664 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-06-16 11:27 77,008 ----a-w C:\Documents and Settings\ppbansal\Application Data\GDIPFONTCACHEV1.DAT
2008-06-13 13:10 272,128 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2006-11-13 01:18 32 --sha-w C:\WINDOWS\{4FB1692B-3A98-4B3B-B896-EE5B583C4113}.dat
2006-11-13 01:18 32 --sha-w C:\WINDOWS\SYSTEM32\{796B69C2-A470-49CB-81B5-90E5820A0731}.dat
.

((((((((((((((((((((((((((((( snapshot@2008-09-05_ 6.24.38.73 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-13 08:06:18 167,936 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2008-09-10 08:01:52 167,936 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\accicons.exe
- 2008-08-13 08:06:18 2,560 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2008-09-10 08:01:52 2,560 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2008-08-13 08:06:18 34,304 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2008-09-10 08:01:52 34,304 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2008-08-13 08:06:19 8,192 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2008-09-10 08:01:52 8,192 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2008-08-13 08:06:19 3,584 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2008-09-10 08:01:52 3,584 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2008-08-13 08:06:19 114,688 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2008-09-10 08:01:52 114,688 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2008-08-13 08:06:18 16,384 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2008-09-10 08:01:52 16,384 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2008-08-13 08:06:18 30,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2008-09-10 08:01:52 30,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2008-08-13 08:06:19 22,528 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2008-09-10 08:01:52 22,528 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2008-08-13 08:06:18 45,056 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2008-09-10 08:01:52 45,056 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2008-08-13 08:06:18 90,112 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2008-09-10 08:01:52 90,112 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
- 2008-08-13 08:06:05 2,560 ----a-r C:\WINDOWS\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2008-09-10 08:02:06 2,560 ----a-r C:\WINDOWS\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2008-08-13 08:06:04 34,304 ----a-r C:\WINDOWS\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2008-09-10 08:02:06 34,304 ----a-r C:\WINDOWS\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2008-08-13 08:06:05 8,192 ----a-r C:\WINDOWS\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2008-09-10 08:02:07 8,192 ----a-r C:\WINDOWS\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2008-08-13 08:06:05 3,584 ----a-r C:\WINDOWS\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2008-09-10 08:02:07 3,584 ----a-r C:\WINDOWS\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2008-08-13 08:06:04 16,384 ----a-r C:\WINDOWS\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2008-09-10 08:02:06 16,384 ----a-r C:\WINDOWS\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2008-08-13 08:06:05 22,528 ----a-r C:\WINDOWS\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2008-09-10 08:02:07 22,528 ----a-r C:\WINDOWS\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2008-08-13 08:06:04 45,056 ----a-r C:\WINDOWS\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2008-09-10 08:02:06 45,056 ----a-r C:\WINDOWS\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2004-08-04 07:56:41 58,880 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\atl.dll
+ 2004-08-04 07:56:10 7,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\kbdsmsfi.dll
+ 2004-08-04 07:56:44 1,708,032 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\netshell.dll
- 2002-08-29 14:10:24 24,669 ------w C:\WINDOWS\SYSTEM32\java.exe
+ 2008-06-10 06:21:01 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
- 2002-08-29 14:10:24 24,671 ------w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2008-06-10 06:21:04 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2008-06-10 07:32:34 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
- 2008-08-05 16:11:02 15,888,504 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
+ 2008-08-26 20:28:12 16,208,504 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
+ 2008-09-06 01:19:41 573,560 ----a-w C:\WINDOWS\SYSTEM32\Restore\rstrlog.dat
+ 2008-04-15 17:54:19 1,724,416 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.3352_x-ww_81af8e88\GdiPlus.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [2001-07-25 184376]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-06-02 57344]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 28738]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 679936]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-12-30 98304]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-11-11 864256]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-06-02 40960]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 50880]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 34504]
"Advanced Tools Check"="C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE" [2002-08-26 79480]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-11-12 100056]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"D-Link Wireless G WUA-1340"="C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe" [2005-12-15 2715648]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-11-30 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 24633]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"VIDC.MJPG"= pvmjpg21.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CbEvtSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4452:UDP"= 4452:UDP:Windows Media Format SDK (wmplayer.exe)
"4453:UDP"= 4453:UDP:Windows Media Format SDK (wmplayer.exe)

R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2002-04-08 295168]
S3 ati2mpaa;ati2mpaa;C:\WINDOWS\system32\DRIVERS\ati2mpaa.sys [2001-08-17 281856]
S3 Bulk503;Chameleon Mega Digital Camera;C:\WINDOWS\system32\Drivers\Bulk503.sys [ ]
S3 ISO503;Chameleon Mega Video Camera;C:\WINDOWS\system32\Drivers\ISO503.SYS [ ]
S3 memsweep2;MEMSWEEP2;C:\WINDOWS\system32\254.tmp [ ]
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 38144]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34c14f03-859b-11dc-8305-00e02948311c}]
\Shell\AutoRun\command - E:\Autorun.exe /run
\Shell\Shell00\Command - E:\Autorun.exe /run
\Shell\Shell01\Command - E:\Autorun.exe /action
\Shell\Shell02\Command - E:\Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5be8efa-bcd0-11dc-8314-0015e9fb9565}]
\Shell\AutoRun\command - F:\Launch.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = about:blank
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
R0 -: HKLM-Main,Search Bar =
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-12 07:03:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\memsweep2]
"ImagePath"="\??\C:\WINDOWS\system32\254.tmp"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\a50e339b]
"ImagePath"="\SystemRoot\System32\drivers\a50e339b.sys"
.
Completion time: 2008-09-12 7:06:16
ComboFix-quarantined-files.txt 2008-09-12 12:05:52

Pre-Run: 28,433,367,040 bytes free
Post-Run: 28,464,140,288 bytes free

225 --- E O F --- 2008-09-10 08:03:34

-----------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:15:07 AM, on 9/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: SSVHelper Class - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [D-Link Wireless G WUA-1340] C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1221008745033&h=ba21489dc0a76d0454fdc28b213370c6/&filename=jinstall-6u7-windows-i586-jc.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 6953 bytes
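
The HijackThis and ComboFix output above is what a helper reads by hand before replying. As an added example (not code from this thread, HijackThis or ComboFix), the Python below parses the O4 and O23 lines and the ComboFix driver lines into records and applies a few triage heuristics a responder checks first: an unresolved shortcut target (the "?" in the Global Startup line), an image loaded from a .tmp file or a temp directory, 8.3 short paths that need expanding before a vendor lookup, and a service with no vendor string. The sample lines are copied from the logs posted in this thread; the record layout, the regexes and the flag wording are my own. A flag is a prompt to verify, not a verdict: memsweep2 loading from 254.tmp is consistent with the Sophos Anti-Rootkit scan the original poster mentions, whose scanning driver is loaded that way.

```python
"""Parse HijackThis O4/O23 entries and ComboFix driver lines and apply
defender-side triage heuristics.  Added example; not part of HijackThis,
ComboFix or the forum post.  Flags are review prompts, not verdicts."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Entry:
    kind: str            # "run", "startup", "service" or "driver"
    name: str            # registry value name, shortcut name, service/driver name
    path: Optional[str]  # image path, or None when the log printed "?"
    args: str = ""
    vendor: str = ""
    flags: List[str] = field(default_factory=list)

# Constructed sample: lines copied from the HijackThis and ComboFix logs above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2002-04-08 295168]
S3 memsweep2;MEMSWEEP2;C:\WINDOWS\system32\254.tmp [ ]
"""

RUN_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
STARTUP_RE = re.compile(r'^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$')
SERVICE_RE = re.compile(r'^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - '
                        r'(?P<vendor>.+?) - (?P<path>.+)$')
# ComboFix driver line: "<start type> <name>;<display>;<path> [<date size>]"
DRIVER_RE = re.compile(r'^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);'
                       r'(?P<path>.+?) \[(?P<meta>[^\]]*)\]$')
# Unquoted command line: cut at the first known executable extension that is
# followed by whitespace (arguments) or end of line.
EXE_RE = re.compile(r'^(?P<path>.+?\.(?:exe|dll|sys|tmp|scr|com|bat|cmd))'
                    r'(?:\s+(?P<args>.*))?$', re.IGNORECASE)

def split_command(cmd: str) -> Tuple[Optional[str], str]:
    """Separate an O4 command line into (image path, arguments)."""
    cmd = cmd.strip()
    if cmd == "?":                      # HijackThis could not resolve the target
        return None, ""
    if cmd.startswith('"'):             # quoted path, arguments after the quote
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    m = EXE_RE.match(cmd)
    if m:
        return m.group("path"), m.group("args") or ""
    return cmd, ""

def triage(entry: Entry) -> List[str]:
    """Heuristic review prompts; none of them is proof of malice."""
    flags: List[str] = []
    if entry.path is None:
        return ["unresolved target"]
    low = entry.path.lower()
    if low.endswith(".tmp") or "\\temp\\" in low:
        flags.append("image is a .tmp or lives in a temp directory")
    if re.search(r'~\d', entry.path):
        flags.append("8.3 short path; expand before vendor lookup")
    elif not (low.startswith("c:\\program files\\") or low.startswith("c:\\windows\\")):
        flags.append("outside Program Files / Windows")
    if entry.kind == "service" and entry.vendor.lower() in ("", "unknown owner"):
        flags.append("service with no vendor")
    return flags

def parse_line(line: str) -> Optional[Entry]:
    line = line.rstrip()
    m = RUN_RE.match(line)
    if m:
        path, args = split_command(m.group("cmd"))
        return Entry("run", m.group("name"), path, args)
    m = STARTUP_RE.match(line)
    if m:
        path, args = split_command(m.group("cmd"))
        return Entry("startup", m.group("name"), path, args)
    m = SERVICE_RE.match(line)
    if m:
        return Entry("service", m.group("name"), m.group("path").strip(), vendor=m.group("vendor"))
    m = DRIVER_RE.match(line)
    if m:
        return Entry("driver", m.group("name"), m.group("path").strip())
    return None                          # other HJT sections are ignored here

def parse_log(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        e = parse_line(line)
        if e:
            e.flags = triage(e)
            entries.append(e)
    return entries

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(f"{e.kind:8} {e.name:40} {e.path!s:60} {', '.join(e.flags) or '-'}")
```

Run it against a saved HijackThis or ComboFix log by replacing SAMPLE_LOG with the file contents; the "outside Program Files / Windows" heuristic assumes a single-drive XP layout and should be widened for machines with other install roots.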

pskelley
2008-09-12, 14:45
I don't recognize all of your programs but I see nothing that looks like malware.

C:\Program Files\WebSavingsfromEbates\ <<< navigate to that folder and delete it if it is there.

Follow these directions please:

1) Please download F-Secure Blacklight:
ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
and save to your C:\ drive.
Open a command window by going to Start > Run and typing: cmd
Copy/paste or type the following in the command window: C:\fsbl.exe /expert
Hit "Enter" to start the program and then close the cmd box.
Accept the user agreement and click "Next".
Click "Scan".
After the scan is complete, click "Next", then "Exit".
BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
The log will have a list of all items found. Do not choose to rename any yet!
I want to see the log first because legitimate items can also be present...like "wbemtest.exe" and "tcptest.exe".
Exit Blacklight and post the contents of the log in your next reply.

2) Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

3) Not being a Symantec user, I can't help with directions, but you will need to supply me with more information. You should be able to post a log showing the outgoing emails that are being scanned. If you can't figure out how to do that, ask Symantec:
http://www.symantec.com/enterprise/support/index.jsp

4) Post a new KOS scan result also.

Thanks

dekunut
2008-09-15, 20:14
Sorry I haven't gotten back to you earlier (had some Ike evacuees staying with us).

I did delete WebSavingsfromEbates.

I did run F-Secure Blacklight, but didn't follow it by running the command prompt, so I need to rerun it (first run didn't produce anything).

Been trying to work with Symantec, but not having much success with them.

Working on generating a new KOS, but been having issues keeping that pc on the network because of the email spamming issue. Hopefully will get it completed today.

I also uninstalled Outlook and Outlook Express to see if that would help in case it was using some mail server there, but no luck.

pskelley
2008-09-15, 21:02
Here is a tutorial with pictures for BlackLight. Once the scan has been completed, post that information. Do not try to fix anything because they may be valid.
http://www.bleepingcomputer.com/tutorials/tutorial124.html

pskelley
2008-09-20, 22:00
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.