Vundo/Virtumonde infection



MattB
2010-05-18, 05:14
I appear to have a nasty Vundo/Virtumonde infection. Spybot, Ad-Aware, MalwareBytes, and Symantec FixVundo all have failed. No matter what I do, a temp file with alternating letters and numbers appears in my Windows/TEMP folder and runs itself as a process whenever the system is connected to the internet. Below is the DDS log, and attached is the DDS attachment per the program's instructions. I consider myself very familiar with the operating system and have worked in IT support in the past, but this one has me stumped. The one thing I do notice is the odd entry under "hosts". "Spywareinfo.com" sounds like a malware site. I'd really prefer not to have to erase my HDD so any assistance is greatly appreciated.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 23:08:14.08 on Mon 05/17/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.603 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Compaq Wireless LAN\Client Manager\CMCOM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Administrator\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.hp.com/sbso/index_evo.html?jumpid=ex_r295_go/business-evo/psg-embed
uSearch Bar = hxxp://go.compaq.com/2Q00CPT/0409/bF8.asp
uInternet Connection Wizard,ShellNext = hxxp://go.compaq.com/2q00cpt/0409/kb3.asp
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [HP Mobile Printing] c:\program files\hewlett-packard\hp mobile printing\HPBMOBIL.EXE
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [eabconfg.cpl] c:\program files\compaq\eab\EABSERVR.EXE /Start
mRun: [hkss] c:\program files\compaq\hotkey software\hkss.exe
mRun: [srmclean] c:\cpqs\scom\srmclean.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq wireless lan\client manager\CMCOM.EXE
IE: &NeoTrace It! - c:\progra~1\neotra~1\NTXcontext.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1210010224511
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-11 64288]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-6-9 255096]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-6-9 242808]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1291544]
R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-10-6 1275216]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100514.005\naveng.sys [2010-5-14 85552]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100514.005\navex15.sys [2010-5-14 1347504]
S2 gupdate1ca2f532b9e6350;Google Update Service (gupdate1ca2f532b9e6350);c:\program files\google\update\GoogleUpdate.exe [2009-9-6 133104]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-6-9 87160]
S3 gUSBSTOi;gUSBSTOi;\??\c:\docume~1\admini~1\locals~1\temp\gusbstoi.sys --> c:\docume~1\admini~1\locals~1\temp\gUSBSTOi.sys [?]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-10-6 173392]
S3 wlcom51b;Compaq USB Driver;c:\windows\system32\drivers\wlcom51b.sys [2003-10-29 178176]

=============== Created Last 30 ================

2010-05-18 03:08:04 54016 ----a-w- c:\windows\system32\drivers\tmiu.sys
2010-05-18 00:58:08 0 d-----w- c:\windows\system32\CatRoot_bak
2010-05-17 22:35:58 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-05-17 22:35:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-17 22:35:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-17 22:35:38 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-17 22:35:37 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-01 14:33:33 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-05-01 14:33:33 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-05-01 14:33:32 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-05-01 14:33:32 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-05-01 14:33:31 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-05-01 14:33:30 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2010-05-01 14:33:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2010-05-01 14:33:27 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2010-05-01 14:33:25 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2010-05-01 14:33:24 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-05-01 14:33:23 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll

==================== Find3M ====================

2010-05-18 03:08:23 845824 ----a-w- c:\windows\system32\drivers\onuofe.sys
2010-05-08 02:36:46 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-05-08 01:47:31 1538 ----a-w- c:\windows\eReg.dat
2010-04-29 02:22:13 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-12 02:16:17 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-02-25 15:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 12:31:30 454016 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

============= FINISH: 23:09:38.87 ===============

km2357
2010-05-18, 20:15
Hello and welcome to Safer Networking.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.


Step # 1: Download and Run Gmer

Please download gmer.zip (http://www.gmer.net/gmer.zip) from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst

If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure that the 'Sections' button is ticked and the 'Show All' button is unticked. Click the Scan button and let the program do its work. GMER will produce a log.

Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.

GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

Please post the results from the GMER scan in your reply.

MattB
2010-05-18, 23:56
Thanks for the response and for your assistance. GMER did find a potential issue in its initial scan so I exported the log as a text file and the results are below. Is the hidden issue a part of Vundo? Currently the computer is disconnected from the internet. I transferred the log to another system to post it after scanning it for malware.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-05-18 17:53:14
Windows 5.1.2600 Service Pack 2
Running: 8ufp61k3.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uwloyfow.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 898B48D0

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (EAB-II PS/2 Keyboard filter driver/Compaq Computer Corp.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (EAB-II PS/2 Keyboard filter driver/Compaq Computer Corp.)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] onuofe <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

km2357
2010-05-19, 03:39
GMER did find a potential issue in its initial scan so I exported the log as a text file and the results are below. Is the hidden issue a part of Vundo?

It doesn't appear to be related to Vundo, it looks to be some other infection that was either brought on by Vundo or brought Vundo with it. When googling onuofe.sys and Service (*** hidden *** ) onuofe <-- ROOTKIT !!! all the results I get come back to this thread. It also may be a leftover, you mentioned running Spybot, Ad-Aware, MalwareBytes, and Symantec FixVundo earlier in the thread. It's possible those may have removed some things and the onuofe.sys is a leftover.


Step # 1: Disable Teatimer

Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

This is a two step process.
First step: Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
If you have the version 1.5 or 1.6, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, For Either Version : Open Spybot S&D
Click Mode, choose Advanced Mode
Go To the bottom of the Vertical Panel on the Left, Click Tools
then, also in left panel, click Resident shows a red/white shield.
If your firewall raises a question, say OK
In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.


Step # 2: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please include C:\ComboFix.txt in your next reply.
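The reasoning in the reply above (the GMER hidden service name "onuofe" lines up with the onuofe.sys driver that DDS listed under Find3M, while the other drivers created that day belong to the cleaners MattB had just run) can be checked mechanically. The helper below is an added example written for this page; it is not part of DDS, GMER, ComboFix or the forum's own tooling. The sample lines are copied from the DDS and GMER logs posted in this thread and embedded as constructed input. Its assumptions: DDS file timestamps are UTC while the "Run by" header is local time (on this page the ComboFix "Completion time" and the quarantined-files timestamp differ by exactly the stated GMT -4:00 offset), a 24-hour "created near the scan" window, and the regexes for the DDS line formats, all of which are this example's choices rather than documented behaviour of those tools.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample input: lines copied from the DDS log in the first post of this thread.
DDS_SAMPLE = r"""
Run by Administrator at 23:08:14.08 on Mon 05/17/2010
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.603 [GMT -4:00]
Hosts: 127.0.0.1 www.spywareinfo.com
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-11 64288]
S3 gUSBSTOi;gUSBSTOi;\??\c:\docume~1\admini~1\locals~1\temp\gusbstoi.sys --> c:\docume~1\admini~1\locals~1\temp\gUSBSTOi.sys [?]
2010-05-18 03:08:04 54016 ----a-w- c:\windows\system32\drivers\tmiu.sys
2010-05-17 22:35:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-18 03:08:23 845824 ----a-w- c:\windows\system32\drivers\onuofe.sys
2010-04-12 02:16:17 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
"""

# Constructed sample input: the Services section of the GMER log posted in the thread.
GMER_SAMPLE = r"""
---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] onuofe <-- ROOTKIT !!!
"""

# Line formats as they appear in the logs above (assumed from the page, not a DDS/GMER spec).
RUN_RE = re.compile(r"^Run by .* at (\d{2}:\d{2}:\d{2})\.\d+ on \w{3} (\d{2}/\d{2}/\d{4})", re.M)
TZ_RE = re.compile(r"\[GMT ([+-])(\d{1,2}):(\d{2})\]")
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{8})\s+(.+?)\s*$")
SERVICE_RE = re.compile(r"^[RS]\d ([^;]+);[^;]*;(.+?) \[")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
HIDDEN_SVC_RE = re.compile(r"Service \(\*\*\* hidden \*\*\* \) \[\w+\] (\S+) <-- ROOTKIT")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.I)
DRIVER_FILE_RE = re.compile(r"\\system32\\drivers\\([^\\]+)$", re.I)


@dataclass
class Triage:
    scan_time_utc: Optional[datetime] = None
    drivers: list[tuple[str, datetime]] = field(default_factory=list)         # every file under system32\drivers
    recent_drivers: list[tuple[str, datetime]] = field(default_factory=list)  # subset created within the window
    temp_services: list[str] = field(default_factory=list)                    # service binaries under a Temp dir
    hosts_redirects: list[tuple[str, str]] = field(default_factory=list)      # (domain, address) from Hosts: lines
    hidden_services: list[str] = field(default_factory=list)                  # names GMER reported as hidden
    confirmed: list[str] = field(default_factory=list)                        # hidden names matching a driver file


def _scan_time_utc(text: str) -> Optional[datetime]:
    """Combine the local 'Run by ... at' header with the [GMT +/-h:mm] offset into a UTC timestamp."""
    run, tz = RUN_RE.search(text), TZ_RE.search(text)
    if not (run and tz):
        return None
    sign = -1 if tz.group(1) == "-" else 1
    offset = timezone(sign * timedelta(hours=int(tz.group(2)), minutes=int(tz.group(3))))
    local = datetime.strptime(f"{run.group(2)} {run.group(1)}", "%m/%d/%Y %H:%M:%S")
    return local.replace(tzinfo=offset).astimezone(timezone.utc)


def triage_logs(dds_text: str, gmer_text: str, window_hours: int = 24) -> Triage:
    """Pull the first-look signals out of a DDS log and cross-reference them with GMER's hidden services."""
    t = Triage(scan_time_utc=_scan_time_utc(dds_text))
    window = timedelta(hours=window_hours)
    for line in dds_text.splitlines():
        if m := HOSTS_RE.match(line):
            # DDS only prints non-default hosts entries, so each one deserves a look at the domain.
            t.hosts_redirects.append((m.group(2), m.group(1)))
        elif m := SERVICE_RE.match(line):
            # A service or driver whose image path sits in a user's Temp directory is unusual.
            if TEMP_DIR_RE.search(m.group(2)):
                t.temp_services.append(m.group(1))
        elif (m := FILE_RE.match(line)) and (d := DRIVER_FILE_RE.search(m.group(4))):
            # File timestamps are treated as UTC (assumption stated in the lead-in).
            created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            t.drivers.append((d.group(1), created))
            if t.scan_time_utc is None or abs(t.scan_time_utc - created) <= window:
                t.recent_drivers.append((d.group(1), created))
    t.recent_drivers.sort(key=lambda item: item[1])
    t.hidden_services = HIDDEN_SVC_RE.findall(gmer_text)
    # A hidden service whose name is the stem of a driver file DDS saw is the strong signal here.
    stems = {name.lower().rsplit(".", 1)[0] for name, _ in t.drivers}
    t.confirmed = [svc for svc in t.hidden_services if svc.lower() in stems]
    return t


if __name__ == "__main__":
    result = triage_logs(DDS_SAMPLE, GMER_SAMPLE)
    print("scan time (UTC):", result.scan_time_utc)
    for name, created in result.recent_drivers:
        print(f"driver created near the scan: {name} at {created:%Y-%m-%d %H:%M:%S}")
    print("services loading from Temp:", result.temp_services)
    print("hosts redirects:", result.hosts_redirects)
    print("hidden services with a matching driver file:", result.confirmed)
```

Run against the sample, the recency check alone returns three drivers (mbamswissarmy.sys, tmiu.sys, onuofe.sys), which shows why "created today" is a noisy criterion on a machine where several cleaners were just installed; the hidden-service cross-reference narrows that to onuofe, the same conclusion the reply reaches. The name match only works when the service and its file share a stem, as they do here, so an empty `confirmed` list is a reason to look harder, not an all-clear.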

MattB
2010-05-19, 04:28
Okay...disabled Ad-Aware resident, Spybot S&D Resident/TeaTimer, and Symantec AntiVirus. Ran ComboFix, and the log is below. It did find a few things. What did it do with "onuofe"? My system is still disconnected from the internet at this time...the cable is unplugged to prevent automatic downloads.

ComboFix 10-05-17.01 - Administrator 05/18/2010 22:04:37.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.1042 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\{62A0890F-3130-4A4F-B2EA-CCC8313ADEA8}
c:\documents and settings\Administrator\Local Settings\Application Data\{62A0890F-3130-4A4F-B2EA-CCC8313ADEA8}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{62A0890F-3130-4A4F-B2EA-CCC8313ADEA8}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{62A0890F-3130-4A4F-B2EA-CCC8313ADEA8}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{62A0890F-3130-4A4F-B2EA-CCC8313ADEA8}\install.rdf

.
((((((((((((((((((((((((( Files Created from 2010-04-19 to 2010-05-19 )))))))))))))))))))))))))))))))
.

2010-05-18 00:58 . 2010-05-18 03:19 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-05-17 22:35 . 2010-05-17 22:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-05-17 22:35 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-17 22:35 . 2010-05-17 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-17 22:35 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-17 22:35 . 2010-05-17 22:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-01 14:33 . 2010-02-04 14:01 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-05-01 14:33 . 2010-02-04 14:01 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-05-01 14:33 . 2010-02-04 14:01 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-05-01 14:33 . 2010-02-04 14:01 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-05-01 14:33 . 2009-09-04 21:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-05-01 14:33 . 2009-09-04 21:44 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2010-05-01 14:33 . 2009-09-04 21:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2010-05-01 14:33 . 2009-09-04 21:29 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2010-05-01 14:33 . 2009-09-04 21:29 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2010-05-01 14:33 . 2009-09-04 21:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-05-01 14:33 . 2009-09-04 21:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-19 01:52 . 2008-05-05 19:17 -------- d-----w- c:\program files\Symantec AntiVirus
2010-05-18 01:46 . 2002-09-09 17:09 88158 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2010-05-16 23:00 . 2010-04-11 20:17 120 ----a-w- c:\windows\Llezico.dat
2010-05-16 16:24 . 2008-05-05 18:19 68032 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-16 14:37 . 2010-04-11 20:17 0 ----a-w- c:\windows\Obifu.bin
2010-05-08 02:36 . 2008-05-28 22:02 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-05-08 01:47 . 2008-05-05 20:05 1538 ----a-w- c:\windows\eReg.dat
2010-05-08 01:38 . 2008-05-05 19:57 -------- d-----w- c:\program files\EA Games
2010-05-08 01:07 . 2009-09-07 00:34 -------- d-----w- c:\program files\Google
2010-05-08 01:06 . 2003-10-29 20:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-08 01:06 . 2010-01-03 16:04 -------- d-----w- c:\program files\GMATPrep
2010-04-29 02:22 . 2010-04-14 01:22 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-12 02:16 . 2009-11-08 16:15 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-12 02:10 . 2008-05-05 22:53 -------- d-----w- c:\program files\Lavasoft
2010-04-12 02:10 . 2010-04-12 02:10 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-12 02:09 . 2008-05-05 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-11 21:51 . 2008-08-09 23:59 143 ----a-w- c:\windows\wininit.tmp
2010-04-06 01:15 . 2010-02-10 23:28 1045608 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-27 01:41 . 2009-12-17 02:58 -------- d-----w- c:\program files\AIM
2010-03-27 01:41 . 2010-03-27 01:41 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-03-10 06:15 . 2002-08-29 02:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2002-08-29 02:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 12:31 . 2002-08-29 02:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Mobile Printing"="c:\program files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE" [2002-12-19 704512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-08 344064]
"eabconfg.cpl"="c:\program files\Compaq\EAB\EABSERVR.EXE" [2002-11-12 229376]
"hkss"="c:\program files\Compaq\Hotkey Software\hkss.exe" [2002-09-19 192512]
"srmclean"="c:\cpqs\Scom\srmclean.exe" [2001-07-24 36864]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2002-12-07 176220]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-10 66680]
"AGRSMMSG"="AGRSMMSG.exe" [2003-02-18 87751]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-24 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Client Manager.lnk - c:\program files\Compaq Wireless LAN\Client Manager\CMCOM.EXE [2008-5-5 339968]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Audible Download Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Audible Download Manager.lnk
backup=c:\windows\pss\Audible Download Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\fpupdate.exe"=
"c:\\Program Files\\Defcon\\defcon.exe"=
"c:\\Program Files\\Raven\\SOF\\SoF.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Red Alert(tm) II\\RA2\\gamemd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM\\aim.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/11/2010 10:16 PM 64288]
S2 gupdate1ca2f532b9e6350;Google Update Service (gupdate1ca2f532b9e6350);c:\program files\Google\Update\GoogleUpdate.exe [9/6/2009 8:35 PM 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1291544]
S3 gUSBSTOi;gUSBSTOi;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\gUSBSTOi.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\gUSBSTOi.sys [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/6/2004 5:56 PM 173392]
S3 wlcom51b;Compaq USB Driver;c:\windows\system32\drivers\wlcom51b.sys [10/29/2003 4:10 PM 178176]

--- Other Services/Drivers In Memory ---

*Deregistered* - onuofe
.
Contents of the 'Scheduled Tasks' folder

2010-05-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 02:26]

2010-05-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-05-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-07 00:35]

2010-05-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-07 00:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hp.com/sbso/index_evo.html?jumpid=ex_r295_go/business-evo/psg-embed
uInternet Connection Wizard,ShellNext = hxxp://go.compaq.com/2q00cpt/0409/kb3.asp
uInternet Settings,ProxyOverride = *.local
IE: &NeoTrace It! - c:\progra~1\NEOTRA~1\NTXcontext.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-18 22:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????6?5?2?5??????? ??#B?????????????l|B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\onuofe]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1810747794-4199652531-3157441969-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ac,13,00,97,cf,f2,db,46,b9,6e,38,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ac,13,00,97,cf,f2,db,46,b9,6e,38,\

[HKEY_USERS\S-1-5-21-1810747794-4199652531-3157441969-500\Software\SecuROM\License information*]
"datasecu"=hex:0f,6e,b4,5e,3d,b7,36,22,d7,80,04,3e,ca,09,ca,c9,b2,8f,43,6f,0a,
66,0e,52,a2,75,e2,0e,11,37,81,b0,bc,1e,d5,5e,43,e8,37,4f,71,15,54,81,6b,bd,\
"rkeysecu"=hex:20,c5,68,78,51,dd,60,10,4c,e4,a5,74,c4,d1,21,79
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-05-18 22:12:28
ComboFix-quarantined-files.txt 2010-05-19 02:12

Pre-Run: 15,407,300,608 bytes free
Post-Run: 15,720,378,368 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 359B2D98FC2309BCF62FADE6EFD0A266

km2357
2010-05-19, 20:24
What did it do with "onuofe"?

It looks like ComboFix found some instances/leftovers of it, now we'll have ComboFix get rid of it. :)


Step # 1: Run CFScript


Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


KILLALL::

RootKit::

c:\windows\system32\drivers\onuofe.sys

File::

c:\windows\Llezico.dat
c:\windows\Obifu.bin

DDS::

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

Registry::

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\onuofe]


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.




http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif


Note: This CFScript is for use on mattb's computer only! Do not use it on your computer.


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


In your next post/reply, I need to see the following:

1. The ComboFix Log that appears after Step 1 has been completed.
2. A fresh DDS Log taken after Step 1 has been completed.

MattB
2010-05-19, 20:36
I will do that as soon as I get back to the system. Not sure if this matters or not, but I accidentally moved ComboFix into the "My Documents" folder after it ran the first time. I can move it back out to the desktop again via cut/paste but I just wanted to make sure that wouldn't cause any problems.

km2357
2010-05-19, 20:47
I will do that as soon as I get back to the system. Not sure if this matters or not, but I accidentally moved ComboFix into the "My Documents" folder after it ran the first time. I can move it back out to the desktop again via cut/paste but I just wanted to make sure that wouldn't cause any problems.

Moving ComboFix.exe back to Desktop from your "My Documents" folder shouldn't cause any problems. :)

MattB
2010-05-20, 00:37
Okay, ran Combofix with the CFScript, and the results are below:

ComboFix 10-05-17.01 - Administrator 05/19/2010 18:13:39.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.1036 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
"c:\windows\Llezico.dat"
"c:\windows\Obifu.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Llezico.dat
c:\windows\Obifu.bin

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_onuofe
-------\Service_onuofe


((((((((((((((((((((((((( Files Created from 2010-04-19 to 2010-05-19 )))))))))))))))))))))))))))))))
.

2010-05-18 00:58 . 2010-05-18 03:19 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-05-17 22:35 . 2010-05-17 22:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-05-17 22:35 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-17 22:35 . 2010-05-17 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-17 22:35 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-17 22:35 . 2010-05-17 22:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-01 14:33 . 2010-02-04 14:01 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-05-01 14:33 . 2010-02-04 14:01 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-05-01 14:33 . 2010-02-04 14:01 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-05-01 14:33 . 2010-02-04 14:01 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-05-01 14:33 . 2009-09-04 21:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-05-01 14:33 . 2009-09-04 21:44 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2010-05-01 14:33 . 2009-09-04 21:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2010-05-01 14:33 . 2009-09-04 21:29 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2010-05-01 14:33 . 2009-09-04 21:29 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2010-05-01 14:33 . 2009-09-04 21:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-05-01 14:33 . 2009-09-04 21:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-19 22:02 . 2008-05-05 19:17 -------- d-----w- c:\program files\Symantec AntiVirus
2010-05-18 01:46 . 2002-09-09 17:09 88158 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2010-05-16 16:24 . 2008-05-05 18:19 68032 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-08 02:36 . 2008-05-28 22:02 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-05-08 01:47 . 2008-05-05 20:05 1538 ----a-w- c:\windows\eReg.dat
2010-05-08 01:38 . 2008-05-05 19:57 -------- d-----w- c:\program files\EA Games
2010-05-08 01:07 . 2009-09-07 00:34 -------- d-----w- c:\program files\Google
2010-05-08 01:06 . 2003-10-29 20:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-08 01:06 . 2010-01-03 16:04 -------- d-----w- c:\program files\GMATPrep
2010-04-29 02:22 . 2010-04-14 01:22 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-12 02:16 . 2009-11-08 16:15 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-12 02:10 . 2008-05-05 22:53 -------- d-----w- c:\program files\Lavasoft
2010-04-12 02:10 . 2010-04-12 02:10 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-12 02:09 . 2008-05-05 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-11 21:51 . 2008-08-09 23:59 143 ----a-w- c:\windows\wininit.tmp
2010-04-06 01:15 . 2010-02-10 23:28 1045608 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-27 01:41 . 2009-12-17 02:58 -------- d-----w- c:\program files\AIM
2010-03-27 01:41 . 2010-03-27 01:41 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-03-10 06:15 . 2002-08-29 02:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2002-08-29 02:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 12:31 . 2002-08-29 02:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Mobile Printing"="c:\program files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE" [2002-12-19 704512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-08 344064]
"eabconfg.cpl"="c:\program files\Compaq\EAB\EABSERVR.EXE" [2002-11-12 229376]
"hkss"="c:\program files\Compaq\Hotkey Software\hkss.exe" [2002-09-19 192512]
"srmclean"="c:\cpqs\Scom\srmclean.exe" [2001-07-24 36864]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2002-12-07 176220]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-10 66680]
"AGRSMMSG"="AGRSMMSG.exe" [2003-02-18 87751]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-24 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Client Manager.lnk - c:\program files\Compaq Wireless LAN\Client Manager\CMCOM.EXE [2008-5-5 339968]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Audible Download Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Audible Download Manager.lnk
backup=c:\windows\pss\Audible Download Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\fpupdate.exe"=
"c:\\Program Files\\Defcon\\defcon.exe"=
"c:\\Program Files\\Raven\\SOF\\SoF.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Red Alert(tm) II\\RA2\\gamemd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM\\aim.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/11/2010 10:16 PM 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1291544]
S2 gupdate1ca2f532b9e6350;Google Update Service (gupdate1ca2f532b9e6350);c:\program files\Google\Update\GoogleUpdate.exe [9/6/2009 8:35 PM 133104]
S3 gUSBSTOi;gUSBSTOi;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\gUSBSTOi.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\gUSBSTOi.sys [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/6/2004 5:56 PM 173392]
S3 wlcom51b;Compaq USB Driver;c:\windows\system32\drivers\wlcom51b.sys [10/29/2003 4:10 PM 178176]
.
Contents of the 'Scheduled Tasks' folder

2010-05-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 02:26]

2010-05-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-05-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-07 00:35]

2010-05-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-07 00:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hp.com/sbso/index_evo.html?jumpid=ex_r295_go/business-evo/psg-embed
uInternet Connection Wizard,ShellNext = hxxp://go.compaq.com/2q00cpt/0409/kb3.asp
uInternet Settings,ProxyOverride = *.local
IE: &NeoTrace It! - c:\progra~1\NEOTRA~1\NTXcontext.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-19 18:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????6?5?2?5??????? ??#B?????????????l|B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1810747794-4199652531-3157441969-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ac,13,00,97,cf,f2,db,46,b9,6e,38,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ac,13,00,97,cf,f2,db,46,b9,6e,38,\

[HKEY_USERS\S-1-5-21-1810747794-4199652531-3157441969-500\Software\SecuROM\License information*]
"datasecu"=hex:0f,6e,b4,5e,3d,b7,36,22,d7,80,04,3e,ca,09,ca,c9,b2,8f,43,6f,0a,
66,0e,52,a2,75,e2,0e,11,37,81,b0,bc,1e,d5,5e,43,e8,37,4f,71,15,54,81,6b,bd,\
"rkeysecu"=hex:20,c5,68,78,51,dd,60,10,4c,e4,a5,74,c4,d1,21,79
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\COMRes.dll

- - - - - - - > 'explorer.exe'(2064)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wscntfy.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\AGRSMMSG.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-05-19 18:28:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-19 22:28
ComboFix2.txt 2010-05-19 02:12

Pre-Run: 15,733,870,592 bytes free
Post-Run: 15,602,143,232 bytes free

- - End Of File - - E0654D8A2991D79A6AD99F3D0FBCE607

After the system rebooted following the ComboFix run, I ran DDS as requested. Results below and attached:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 18:32:16.24 on Wed 05/19/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.777 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
C:\Program Files\Compaq Wireless LAN\Client Manager\CMCOM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Administrator\Desktop\dds.com
C:\WINDOWS\system32\wuauclt.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.hp.com/sbso/index_evo.html?jumpid=ex_r295_go/business-evo/psg-embed
uInternet Connection Wizard,ShellNext = hxxp://go.compaq.com/2q00cpt/0409/kb3.asp
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [HP Mobile Printing] c:\program files\hewlett-packard\hp mobile printing\HPBMOBIL.EXE
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [eabconfg.cpl] c:\program files\compaq\eab\EABSERVR.EXE /Start
mRun: [hkss] c:\program files\compaq\hotkey software\hkss.exe
mRun: [srmclean] c:\cpqs\scom\srmclean.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [vptray] c:\progra~1\symant~1\\vptray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq wireless lan\client manager\CMCOM.EXE
IE: &NeoTrace It! - c:\progra~1\neotra~1\NTXcontext.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1210010224511
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-11 64288]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-6-9 255096]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-6-9 242808]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1291544]
R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-10-6 1275216]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100514.005\naveng.sys [2010-5-14 85552]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100514.005\navex15.sys [2010-5-14 1347504]
S2 gupdate1ca2f532b9e6350;Google Update Service (gupdate1ca2f532b9e6350);c:\program files\google\update\GoogleUpdate.exe [2009-9-6 133104]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-6-9 87160]
S3 gUSBSTOi;gUSBSTOi;\??\c:\docume~1\admini~1\locals~1\temp\gusbstoi.sys --> c:\docume~1\admini~1\locals~1\temp\gUSBSTOi.sys [?]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-10-6 173392]
S3 wlcom51b;Compaq USB Driver;c:\windows\system32\drivers\wlcom51b.sys [2003-10-29 178176]

=============== Created Last 30 ================

2010-05-19 22:12:38 77312 ----a-w- c:\windows\MBR.exe
2010-05-19 22:12:37 98816 ----a-w- c:\windows\sed.exe
2010-05-19 22:12:37 256512 ----a-w- c:\windows\PEV.exe
2010-05-19 22:12:37 161792 ----a-w- c:\windows\SWREG.exe
2010-05-19 02:03:08 0 d-sha-r- C:\cmdcons
2010-05-18 00:58:08 0 d-----w- c:\windows\system32\CatRoot_bak
2010-05-17 22:35:58 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-05-17 22:35:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-17 22:35:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-17 22:35:38 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-17 22:35:37 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-01 14:33:33 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-05-01 14:33:33 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-05-01 14:33:32 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-05-01 14:33:32 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-05-01 14:33:31 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-05-01 14:33:30 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2010-05-01 14:33:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2010-05-01 14:33:27 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2010-05-01 14:33:25 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2010-05-01 14:33:24 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-05-01 14:33:23 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll

==================== Find3M ====================

2010-05-08 02:36:46 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-05-08 01:47:31 1538 ----a-w- c:\windows\eReg.dat
2010-04-29 02:22:13 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-12 02:16:17 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-02-25 15:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 12:31:30 454016 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

============= FINISH: 18:33:21.68 ===============

Thanks again for all your help with this.

MattB
2010-05-20, 03:12
Out of curiosity what are all the new .exe files like sed.exe? Are they part of ComboFix?

km2357
2010-05-20, 03:58
Looks like ComboFix got rid of the rest of "onuofe". :)


Out of curiosity what are all the new .exe files like sed.exe? Are they part of ComboFix?

That's correct. Those files are part of ComboFix.


From now on, you can connect your computer back to the Internet as it will need to be connected to the 'Net to do the next few steps.



Step # 1 Update Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6u20 (http://www.java.com/en/download/manual.jsp).
Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs, and remove all older versions of Java.
Remove the following old versions of Java:


Java 2 Runtime Environment, SE v1.4.2

Java(TM) 6 Update 10


Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.

From your desktop double-click on the download to install the newest version.



Step # 2: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Step # 3 Run Malwarebytes' Anti-Malware

Launch Malwarebytes' Anti-Malware.
Before running a scan, click the Update tab, then click Check for Updates to download any updates, if available.
Next click the Scanner tab and select Perform Quick Scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
You can also access the log by doing the following:

Click on the Malwarebytes' Anti-Malware icon to launch the program.
Click on the Logs tab.
Click on the log at the bottom of those listed to highlight it.
Click Open.


Post the MalwareBytes' Log in your next post/reply.
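
A quick way to confirm Step 1 actually removed every old runtime, as an added example that is not part of this thread or of any tool mentioned in it: the PowerShell script below lists the Java entries recorded under the standard Add/Remove Programs (Uninstall) registry keys, which is the same list the Control Panel applet shows. It only reads the registry; the `Wow6432Node` path is included so the same script works on 64-bit Windows, and the `^(Java|J2SE)` name filter is an assumption based on how Sun named its installers (for example "Java 2 Runtime Environment, SE v1.4.2" and "Java(TM) 6 Update 10", both named in the step above).

```powershell
# Added example: inventory Java installs recorded in Add/Remove Programs (read-only).
# Standard Uninstall keys; the Wow6432Node one only exists on 64-bit Windows.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-InstalledJava {
    $found = @()
    foreach ($key in $uninstallKeys) {
        foreach ($sub in @(Get-ChildItem -Path $key -ErrorAction SilentlyContinue)) {
            $p = Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue
            # Assumed naming: Sun installers register as "Java(TM) 6 Update N",
            # "Java 2 Runtime Environment, SE v1.4.2", "J2SE Runtime Environment ...".
            if ($p -and $p.DisplayName -match '^(Java|J2SE)') {
                $found += New-Object PSObject -Property @{
                    DisplayName     = $p.DisplayName
                    DisplayVersion  = $p.DisplayVersion
                    Publisher       = $p.Publisher
                    UninstallString = $p.UninstallString
                    RegistryKey     = $sub.PSChildName
                }
            }
        }
    }
    $found
}

$java = @(Get-InstalledJava)
if ($java.Count -eq 0) {
    "No Java entries found in Add/Remove Programs."
} else {
    $java | Sort-Object DisplayName | Format-Table DisplayName, DisplayVersion, Publisher, RegistryKey -AutoSize
}

# Any entry older than the runtime you just installed means the old JRE (and its browser
# plugin) is still on disk and still loadable by a web page; that is what Step 1 removes.
```

Run it once before the removal step to see what will be uninstalled and once after the reboot to confirm that only the new JRE remains.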

MattB
2010-05-20, 06:11
Java updated. Scanned system with MalwareBytes. It did find a few remaining objects (incidentally Symantec AntiVirus also found the same objects at the same time). It appears that a few artifacts of the infection were left behind. Not sure where the AntiVirusDisableNotify entry came from.

The log is below:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4118

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

5/20/2010 12:02:11 AM
mbam-log-2010-05-20 (00-02-11).txt

Scan type: Full scan (C:\|)
Objects scanned: 185356
Time elapsed: 55 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\onuofe.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B3675813-51EC-4F91-81F9-89204506E761}\RP601\A0078844.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

MattB
2010-05-20, 06:28
I ran MalwareBytes again to be sure that everything was clean after the reboot, and got this again:

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Is this a false positive? Not sure how it can be deleted successfully and then come right back like that when MalwareBytes finds nothing else infected.

km2357
2010-05-20, 20:21
I ran MalwareBytes again to be sure that everything was clean after the reboot, and got this again:

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Is this a false positive? Not sure how it can be deleted successfully and then come right back like that when MalwareBytes finds nothing else infected.

It's not a false positive, but it's not something to worry about.

What is happening is that Symantec/Norton has disabled Windows Security Center by itself; it normally does this so that Norton can monitor itself rather than having Windows Security Center do it. To stop it from showing up each time you do a scan, open up MalwareBytes' and do another scan. Once that is done and AntiVirusDisableNotify has been found again, tell MBAM to ignore it and not remove it by clicking Ignore. If that doesn't work, try clicking the Quarantine tab. Make sure that the AntiVirusDisableNotify line has a check by it, then click Ignore and MBAM will ignore that when doing a scan.



Step # 1 Update Adobe Acrobat Reader

There is a newer version of Adobe Acrobat Reader available. (See Note below)


First, go to Add/Remove Programs and uninstall Adobe Reader 8.1.5.
Please go to this link Adobe Acrobat Reader Download Link (http://www.adobe.com/products/acrobat/readstep2.html)
On the right, untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
Click the Continue button
Click Run, and click Run again
Next click the Install Now button and follow the on screen prompts

Note: Adobe 9.3.2 is a large program and if you prefer a smaller program you can get Foxit 3.3.0 instead from http://www.foxitsoftware.com/downloads/index.php

If you decide to install Foxit 3.3.0 instead of Adobe, do the following during Foxit's Setup/Installation process:

Uncheck the following boxes:

I accept the License Terms and want to install Foxit Toolbar

Make Ask.com my default search

Create desktop, quick launch and start menu icon to eBay



Step # 2: Run Kaspersky Online Scan

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.


In your next post/reply, I need to see the following:

1. Kaspersky Log
2. A fresh DDS Log
3. How is your computer doing, any problems?
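
A way to check for yourself what km2357 describes about the recurring AntiVirusDisableNotify detection, as an added example that is not part of this thread or of MBAM, ComboFix or Symantec: the PowerShell script below reads the Security Center notification flags and the per-product `Monitoring` subkeys, then pairs them up. The value and key names are the ones that appear in the logs in this thread (MBAM flags `AntiVirusDisableNotify`, and the ComboFix log shows `DisableMonitoring`=1 under `Monitoring\SymantecAntiVirus`); the script assumes the Windows XP/2003-era registry layout under HKLM and only reads, it changes nothing. The warning condition at the end is my own rule of thumb, not something the thread states.

```powershell
# Added example: audit Windows Security Center notification flags (XP-era registry layout).
# Read-only. Value/key names taken from the MBAM and ComboFix logs in this thread.
$scPath = 'HKLM:\SOFTWARE\Microsoft\Security Center'

function Get-DwordOrZero([string]$Path, [string]$Name) {
    # A missing value is treated by Security Center as 0 (notifications on), so report it as 0.
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($p) { [int]$p.$Name } else { 0 }
}

function Get-SecurityCenterState {
    $flags = @{}
    foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify',
                      'AntiVirusOverride', 'FirewallOverride') {
        $flags[$name] = Get-DwordOrZero -Path $scPath -Name $name
    }

    # Each product that asks Security Center to stop monitoring it registers a subkey here,
    # e.g. Monitoring\SymantecAntiVirus with DisableMonitoring=1 in the ComboFix log above.
    $monitoring = @()
    foreach ($sub in @(Get-ChildItem -Path "$scPath\Monitoring" -ErrorAction SilentlyContinue)) {
        $monitoring += New-Object PSObject -Property @{
            Product           = $sub.PSChildName
            DisableMonitoring = Get-DwordOrZero -Path $sub.PSPath -Name 'DisableMonitoring'
        }
    }

    New-Object PSObject -Property @{ Flags = $flags; Monitoring = $monitoring }
}

$state = Get-SecurityCenterState

"Security Center flags:"
foreach ($entry in ($state.Flags.GetEnumerator() | Sort-Object Name)) {
    "  {0,-24} {1}" -f $entry.Name, $entry.Value
}
"Products that disabled Security Center monitoring:"
if (@($state.Monitoring).Count -eq 0) {
    "  (none)"
} else {
    foreach ($m in $state.Monitoring) { "  {0,-24} DisableMonitoring={1}" -f $m.Product, $m.DisableMonitoring }
}

# Interpretation (assumed rule of thumb): AntiVirusDisableNotify=1 together with a Monitoring
# entry for an AV you installed yourself is that product suppressing duplicate alerts, which
# is exactly what MBAM reports as Disabled.SecurityCenter and what keeps coming back after
# removal. The same flag with no registered product, or one you do not recognise, deserves a
# closer look, because malware also sets it to hide the "no antivirus" balloon.
if ($state.Flags['AntiVirusDisableNotify'] -eq 1 -and @($state.Monitoring).Count -eq 0) {
    Write-Warning "AntiVirusDisableNotify is set but no product is registered under Monitoring."
}
```

On this machine the expected output is AntiVirusDisableNotify=1 alongside a SymantecAntiVirus entry with DisableMonitoring=1, which matches the explanation above and the Ignore-list advice; if you later uninstall Symantec and the flag stays at 1, that is the point at which re-checking it is worthwhile.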

MattB
2010-05-21, 05:41
Adobe Reader has been updated. Kaspersky found a few things, but they were all either in an Outlook Backup PST file (which isn't surprising, there's probably an infected attachment in there somewhere), or in a Symantec AV quarantine file (though oddly SAV doesn't show anything currently in quarantine). Log is below:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, May 20, 2010
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, May 20, 2010 20:01:28
Records in database: 4144109
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 74380
Threats found: 2
Infected objects found: 6
Suspicious objects found: 4
Scan duration: 04:10:47


File name / Threat / Threats count
C:\Documents and Settings\Administrator\My Documents\Installers\Outlook backup.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 4
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B180000.VBN Infected: Rootkit.Win32.Bubnix.k 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B180001.VBN Infected: Rootkit.Win32.Bubnix.k 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DEC0000.VBN Infected: Rootkit.Win32.Bubnix.k 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DEC0001.VBN Infected: Rootkit.Win32.Bubnix.k 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FB40000.VBN Infected: Rootkit.Win32.Bubnix.k 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FB40001.VBN Infected: Rootkit.Win32.Bubnix.k 1

Selected area has been scanned.

DDS Log follows/attached:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 23:32:39.35 on Thu 05/20/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.640 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Compaq Wireless LAN\Client Manager\CMCOM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.hp.com/sbso/index_evo.html?jumpid=ex_r295_go/business-evo/psg-embed
uInternet Connection Wizard,ShellNext = hxxp://go.compaq.com/2q00cpt/0409/kb3.asp
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [HP Mobile Printing] c:\program files\hewlett-packard\hp mobile printing\HPBMOBIL.EXE
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [eabconfg.cpl] c:\program files\compaq\eab\EABSERVR.EXE /Start
mRun: [hkss] c:\program files\compaq\hotkey software\hkss.exe
mRun: [srmclean] c:\cpqs\scom\srmclean.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [vptray] c:\progra~1\symant~1\\vptray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq wireless lan\client manager\CMCOM.EXE
IE: &NeoTrace It! - c:\progra~1\neotra~1\NTXcontext.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1210010224511
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-11 64288]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-6-9 255096]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-6-9 242808]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1291544]
R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-10-6 1275216]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100519.002\naveng.sys [2010-5-20 85552]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100519.002\navex15.sys [2010-5-20 1347504]
S2 gupdate1ca2f532b9e6350;Google Update Service (gupdate1ca2f532b9e6350);c:\program files\google\update\GoogleUpdate.exe [2009-9-6 133104]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-6-9 87160]
S3 gUSBSTOi;gUSBSTOi;\??\c:\docume~1\admini~1\locals~1\temp\gusbstoi.sys --> c:\docume~1\admini~1\locals~1\temp\gUSBSTOi.sys [?]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-10-6 173392]
S3 wlcom51b;Compaq USB Driver;c:\windows\system32\drivers\wlcom51b.sys [2003-10-29 178176]

=============== Created Last 30 ================

2010-05-20 03:02:11 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-19 22:40:55 266360 ----a-w- c:\windows\system32\TweakUI.exe
2010-05-19 22:40:55 160217 ----a-w- c:\windows\system32\PowerToysLicense.rtf
2010-05-19 22:12:38 77312 ----a-w- c:\windows\MBR.exe
2010-05-19 22:12:37 98816 ----a-w- c:\windows\sed.exe
2010-05-19 22:12:37 256512 ----a-w- c:\windows\PEV.exe
2010-05-19 22:12:37 161792 ----a-w- c:\windows\SWREG.exe
2010-05-19 02:03:08 0 d-sha-r- C:\cmdcons
2010-05-18 00:58:08 0 d-----w- c:\windows\system32\CatRoot_bak
2010-05-17 22:35:58 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-05-17 22:35:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-17 22:35:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-17 22:35:38 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-17 22:35:37 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-01 14:33:33 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-05-01 14:33:33 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-05-01 14:33:32 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-05-01 14:33:32 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-05-01 14:33:31 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-05-01 14:33:30 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2010-05-01 14:33:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2010-05-01 14:33:27 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2010-05-01 14:33:25 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2010-05-01 14:33:24 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-05-01 14:33:23 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll

==================== Find3M ====================

2010-05-08 02:36:46 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-05-08 01:47:31 1538 ----a-w- c:\windows\eReg.dat
2010-04-29 02:22:13 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-12 02:16:17 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-02-25 15:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 12:31:30 454016 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

============= FINISH: 23:33:31.54 ===============

The system itself seems to be running fine. It's connected to the internet and no random temp files are appearing, internet searches run properly, and there are no strange processes running. Should I go ahead and use Spybot's File Shredder to destroy the files Kaspersky found? The Outlook Backup file is easily replaced with a new one (and the active PST file didn't come up as infected which is good) and the quarantine files are completely worthless to have.

Thanks again for your assistance.

km2357
2010-05-21, 20:57
The system itself seems to be running fine. It's connected to the internet and no random temp files are appearing, internet searches run properly, and there are no strange processes running. Should I go ahead and use Spybot's File Shredder to destroy the files Kaspersky found? The Outlook Backup file is easily replaced with a new one (and the active PST file didn't come up as infected which is good) and the quarantine files are completely worthless to have.

Good to hear that the computer is running fine. :) Go ahead and use Spybot's File Shredder to get rid of the files that Kaspersky found. Also, go into Outlook and delete any e-mails you no longer need in the Inbox and delete all e-mails in the Junk/Spam/Bulk/Trash folder.

Let me know if you have any trouble.

km2357
2010-05-24, 20:10
MattB? How are things coming along?

km2357
2010-05-28, 20:13
This topic has been archived due to inactivity.

If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a new HijackThis log with a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.

Applies only to the original poster, anyone else with similar problems please start a new topic.