Thread: Trojans causing iexplore.exe to run in background

  1. #1
    Junior Member
    Join Date
    Oct 2010
    Posts
    8

    Trojans causing iexplore.exe to run in background

    I've tried running Spybot, and many other trojan removal programs but none have worked... for complete removal, anyway. The trojan causes multiple instances of iexplore.exe to run in the background. I can't see them, but I constantly hear the clicks. Every once in a while, I hear an "error message" tone, but don't see the error message. When I open up Internet Explorer, it says that it wasn't closed properly, but it was. When I click to go to the last viewed page, it takes me to a bunch of ad stuff. Other than that, I never see anything on my screen. I can just hear it clicking.

    My Norton antivirus catches it from time to time and then says it removes it, but it's never permanent because it catches it again several hours later. I've run Malwarebytes several times and it usually finds about 20 things. I tell it to remove them and then it has me restart. Once I restart, I run it again to see if they are all gone, but there are two files that are always there as soon as I restart the system. They are: fhpatch.dll and fiplock.dll. If I don't do anything after a day or so... maybe even hours, all of the 20 or so files are back. I don't know what else to do. I think it is related somehow to svchost.exe but am not 100 percent sure. I have multiple processes of it running in my task manager.

    In the past, Norton has said the trojans are named Malware.trace, Bloodhound.MalPE and Backdoor.graybird, but it changes so I don't really know what it is.

    Thanks in advance.

    Here is a copy of my DDS.txt file. I've also attached a zipped version of the Attach.txt file.


    DDS (Ver_10-10-10.03) - NTFSx86
    Run by Ron.Beck at 8:47:49.15 on 2010-10-21
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1974.1141 [GMT -5:00]

    AV: Symantec AntiVirus Corporate Edition*On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    ============== Running Processes ===============

    c:\Program Files\Fingerprint Sensor\AtService.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\WINDOWS\system32\agrsmsvc.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\KACE\KBOX\KBOXSMMPService.exe
    C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\oracle\bin\omtsreco.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\r_server.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\scvhost.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Documents and Settings\ron.beck\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    mWinlogon: Userinit=c:\windows\system32\KUsrInit.exe,
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
    mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [cftmon] c:\windows\system32\cftmon.exe
    mRunOnce: [Uninstall Adobe Download Manager] "c:\windows\system32\rundll32.exe" "c:\program files\nos\bin\getPlus_Helper_3004.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{a7091e1d-36a4-47f1-a739-173cc341414f}\Icon3E5562ED7.ico
    uPolicies-explorer: DisallowRun = 1 (0x1)
    uPolicies-disallowrun: 1 = aim.exe
    uPolicies-disallowrun: 2 = aim6.exe
    uPolicies-disallowrun: 3 = gaim.exe
    uPolicies-disallowrun: 4 = googletalk.exe
    uPolicies-disallowrun: 5 = icqlite.exe
    uPolicies-disallowrun: 6 = Install_AIM.exe
    uPolicies-disallowrun: 7 = mirc.exe
    uPolicies-disallowrun: 8 = msmsgs.exe
    uPolicies-disallowrun: 9 = msnmsgr.exe
    uPolicies-disallowrun: 10 = qq.exe
    uPolicies-disallowrun: 11 = Skype.exe
    uPolicies-disallowrun: 12 = trillian.exe
    uPolicies-disallowrun: 13 = yahoomessenger.exe
    uPolicies-disallowrun: 14 = YahooMessenger.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
    DPF: {30FE4017-9CC6-45D2-9D6C-E96F4E385B8F} - hxxp://phoenix/osoft/installation/Ev4Inst.CAB
    DPF: {5E1358C4-8831-4DEF-8293-0834F9B9C4A5} - hxxp://phoenix/osoft/installation/Ev4Diag.CAB
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206719847382
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Notify: igfxcui - igfxdev.dll
    Notify: kwinhook - kwinhook.dll
    Notify: NavLogon - c:\windows\system32\NavLogon.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\ron~1.bec\applic~1\mozilla\firefox\profiles\rv5vhndw.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\documents and settings\ron.beck\application data\mozilla\firefox\profiles\rv5vhndw.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

    ============= SERVICES / DRIVERS ===============

    R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2008-3-28 24064]
    R0 siwinacc;siwinacc;c:\windows\system32\drivers\siwinacc.sys [2010-4-2 17328]
    R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2010-4-2 337592]
    R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2010-4-2 54968]
    R2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2008-6-12 1164536]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2010-4-2 192160]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2010-4-2 169632]
    R2 KBOXSMMP;KBOX SMMP Management Service;c:\program files\kace\kbox\KBOXSMMPService.exe [2010-4-5 1718272]
    R2 LogWatch;Event Log Watch;c:\program files\ca\sharedcomponents\ca_lic\LogWatNT.exe [2002-9-20 53248]
    R2 r_server;Remote Administrator Service;c:\windows\system32\r_server.exe [2010-4-2 724992]
    R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2010-4-2 115952]
    R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2010-4-2 1799408]
    R2 WMOptimizer;Windows Media Optimizer;c:\windows\system32\scvhost.exe service --> c:\windows\system32\scvhost.exe service [?]
    R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-6-12 477696]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-1 102448]
    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2010-4-2 41216]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101015.007\naveng.sys [2010-10-18 86064]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101015.007\navex15.sys [2010-10-18 1371184]
    S3 CA_LIC_CLNT;CA License Client;c:\program files\ca\sharedcomponents\ca_lic\lic98rmt.exe [2002-9-20 77824]
    S3 CA_LIC_SRVR;CA License Server;c:\program files\ca\sharedcomponents\ca_lic\lic98rmtd.exe [2002-9-20 77824]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-9-21 38224]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2010-4-2 14336]
    S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

    =============== Created Last 30 ================

    2010-10-21 03:42:00 5120 ----a-w- c:\windows\system32\dllcache\rasauto.dll
    2010-10-21 03:39:41 76288 --sh--r- c:\windows\system32\cftmon.exe
    2010-10-21 03:39:41 6 ----a-w- c:\windows\system32\iphy.dll
    2010-10-21 03:39:41 5120 ----a-w- c:\windows\system32\C2H3
    2010-10-21 03:39:02 76288 --sh--r- c:\windows\system32\scvhost.exe
    2010-10-20 04:01:10 3 ----a-w- c:\windows\system32\fhpatch.dll
    2010-10-20 04:01:10 0 ----a-w- c:\windows\system32\fiplock.dll
    2010-10-13 17:59:25 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
    2010-10-13 17:59:25 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
    2010-10-13 17:59:10 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
    2010-10-12 01:39:45 442448 ----a-w- C:\setup2.exe
    2010-10-04 14:20:47 -------- d-----w- c:\program files\Registry Convoy 2009
    2010-09-25 04:41:52 81920 ------w- c:\windows\system32\ieencode.dll
    2010-09-25 04:41:52 516768 ------w- c:\windows\system32\ativvaxx.dll
    2010-09-25 04:41:52 229376 ------w- c:\windows\system32\ati2cqag.dll
    2010-09-25 04:41:52 201728 ------w- c:\windows\system32\ati2dvag.dll
    2010-09-25 04:41:52 1888992 ------w- c:\windows\system32\ati3duag.dll
    2010-09-25 04:41:50 701440 ------w- c:\windows\system32\drivers\ati2mtag.sys
    2010-09-25 04:41:17 19569 ----a-w- c:\windows\000001_.tmp
    2010-09-21 19:45:10 -------- d-----w- c:\docume~1\ron~1.bec\applic~1\Office Genuine Advantage
    2010-09-21 17:02:43 -------- d-----w- c:\docume~1\ron~1.bec\applic~1\Malwarebytes
    2010-09-21 17:02:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-21 17:02:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-21 17:02:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-21 17:02:34 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

    ==================== Find3M ====================

    2010-10-21 03:39:41 5120 ----a-w- c:\windows\system32\rasauto.dll
    2010-10-20 02:48:06 5120 ----a-w- c:\windows\system32\4F3X
    2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-09-08 02:06:11 573440 ----a-w- c:\windows\system32\MwUsbDs64.dll
    2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

    ============= FINISH: 8:48:20.58 ===============

  2. #2
    Junior Member
    Join Date
    Oct 2010
    Posts
    8

    Because I've seen it asked for in my searches, I've also downloaded HijackThis and created the log file, in case it's needed.

    Thanks again for your help. I'm at my wit's end with this.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 8:54:20 AM, on 2010-10-21
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    c:\Program Files\Fingerprint Sensor\AtService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\agrsmsvc.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\KACE\KBOX\KBOXSMMPService.exe
    C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\oracle\bin\omtsreco.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\r_server.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\scvhost.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Documents and Settings\ron.beck\My Documents\Downloads\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\KUsrInit.exe,
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [cftmon] C:\WINDOWS\system32\cftmon.exe
    O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\NOS\bin\getPlus_Helper_3004.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: VPN Client.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} (Device Detection) - http://www.logitech.com/devicedetect...etection32.cab
    O16 - DPF: {30FE4017-9CC6-45D2-9D6C-E96F4E385B8F} (ClientInstallControl.EverestInstall) - http://phoenix/osoft/installation/Ev4Inst.CAB
    O16 - DPF: {5E1358C4-8831-4DEF-8293-0834F9B9C4A5} (ClientDiag.EverestDiagnostic) - http://phoenix/osoft/installation/Ev4Diag.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1206719847382
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lan.thrifty.net
    O17 - HKLM\Software\..\Telephony: DomainName = lan.thrifty.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lan.thrifty.net
    O20 - Winlogon Notify: kwinhook - kwinhook.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
    O23 - Service: AuthenTec Fingerprint Service (ATService) - AuthenTec, Inc. - c:\Program Files\Fingerprint Sensor\AtService.exe
    O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
    O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: KBOX SMMP Management Service (KBOXSMMP) - KACE Networks, Inc. - C:\Program Files\KACE\KBOX\KBOXSMMPService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\bin\omtsreco.exe
    O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\System32\r_server.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Windows Media Optimizer (WMOptimizer) - Unknown owner - C:\WINDOWS\system32\scvhost.exe

    --
    End of file - 8454 bytes
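As an added example (not something posted in this thread), the following Python script triages a pasted DDS or HijackThis log for the two patterns visible in the logs above: process names one typo away from a core Windows binary (scvhost.exe next to svchost.exe, cftmon.exe next to ctfmon.exe) and a Winlogon Userinit value that is not the default userinit.exe. The allow-list of core binaries, the sample lines and the extra "core binary running outside its system directory" check are my own assumptions; that last check generalises beyond what the logs show.

```python
"""Triage a pasted DDS / HijackThis log for the patterns seen in this thread."""
import ntpath
import re

# Constructed allow-list of core Windows XP binaries that malware commonly imitates.
CORE_BINARIES = {
    "svchost.exe", "ctfmon.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "smss.exe", "explorer.exe", "spoolsv.exe", "userinit.exe",
}
# Where the genuine copies live on a 32-bit XP install (assumption for this example).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Any drive-letter path ending in .exe; paths containing spaces are handled too.
PATH_RE = re.compile(r'[a-z]:\\[^"\r\n]*?\.exe\b', re.IGNORECASE)
# Userinit= value from the DDS "mWinlogon" line or the HJT "F2 - REG:system.ini" line.
USERINIT_RE = re.compile(r"userinit\s*=\s*([^,\r\n]+)", re.IGNORECASE)

# Constructed sample: lines copied from the logs in this thread plus one made-up
# "svchost.exe in a user profile" line to exercise the misplaced-binary check.
SAMPLE_LOG = r"""
c:\Program Files\Fingerprint Sensor\AtService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\scvhost.exe
C:\WINDOWS\system32\ctfmon.exe
mWinlogon: Userinit=c:\windows\system32\KUsrInit.exe,
mRun: [cftmon] c:\windows\system32\cftmon.exe
O23 - Service: Windows Media Optimizer (WMOptimizer) - Unknown owner - C:\WINDOWS\system32\scvhost.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\KUsrInit.exe,
C:\Documents and Settings\user\svchost.exe
"""


def osa_distance(a, b):
    """Optimal-string-alignment (Damerau-Levenshtein) distance: insert, delete,
    substitute and adjacent transposition each cost 1, so scvhost/svchost = 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(name):
    """Core binary that `name` is within one edit of, or None.
    Exact matches are not lookalikes; an edit budget of 1 keeps AtService.exe
    from colliding with services.exe."""
    if name in CORE_BINARIES:
        return None
    for core in sorted(CORE_BINARIES):
        if osa_distance(name, core) <= 1:
            return core
    return None


def triage(log_text):
    """Scan a pasted log and return a de-duplicated list of findings (dicts)."""
    findings, seen = [], set()

    def add(kind, path, note):
        key = (kind, path.lower())
        if key not in seen:
            seen.add(key)
            name = ntpath.basename(path).lower()
            findings.append({"kind": kind, "name": name, "path": path, "note": note})

    for path in PATH_RE.findall(log_text):
        name = ntpath.basename(path).lower()
        folder = ntpath.dirname(path).lower().rstrip("\\")
        core = lookalike_of(name)
        if core:
            add("lookalike", path, "one edit away from " + core)
        elif name in CORE_BINARIES and folder not in SYSTEM_DIRS:
            add("misplaced", path, name + " running outside its system directory")

    for m in USERINIT_RE.finditer(log_text):
        value = m.group(1).strip()
        if value.lower() != DEFAULT_USERINIT:
            add("userinit", value, "Userinit is not the default " + DEFAULT_USERINIT)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["kind"].ljust(10), f["path"], "->", f["note"])
```

Paste a whole log into `triage()` in place of SAMPLE_LOG; each finding is a lead to verify (file timestamp, signer, size), not a verdict.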

  3. #3
    Emeritus - Security Expert peku006
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103

    Hi Nurofreeze

    Malwarebytes' Anti-Malware

    • Open Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Check for Updates
    • After the update has been completed, select the Scanner tab.
    • Make sure the "Perform full scan" option is selected.
    • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.

    Back at the main Scanner screen:
    1. Click on the Show Results button to see a list of any malware that was found.
    2. Check all items except items in the C:\System Volume Information folder... then click on Remove Selected.
      We will take care of the System Volume Information items later.
    3. When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    4. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
      The log can also be found here:
      C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    5. Copy and paste the contents of that report in your next reply and exit MBAM.


    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
    Click OK to either and let MBAM proceed with the disinfection process.
    If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


    Please reply with

    Malwarebytes' Anti-Malware Log

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  4. #4
    Junior Member
    Join Date
    Oct 2010
    Posts
    8

    Thanks for your response PeKu.

    Here is the log file...

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4988

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    2010-10-29 9:22:39 AM
    mbam-log-2010-10-29 (09-22-39).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 231301
    Time elapsed: 46 minute(s), 12 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 59

    Memory Processes Infected:
    C:\WINDOWS\system32\AdbUpdater.exe (Trojan.Downloader) -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe updater (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mslivemsn (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\AdbUpdater.exe (Trojan.Downloader) -> Delete on reboot.
    C:\setup2.exe (Adware.Hotbar.Gen) -> Quarantined and deleted successfully.
    C:\Program Files\Symantec AntiVirus\296702.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP12\A0003155.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP12\A0003157.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP12\A0003158.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP12\A0003159.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP12\A0003160.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP12\A0003172.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP12\A0003156.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP13\A0003274.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP13\A0003275.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP13\A0003276.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP13\A0003277.exe (Adware.Hotbar.Gen) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP13\A0003286.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP16\A0003964.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP16\A0003966.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP16\A0003967.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP16\A0003971.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP16\A0007092.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP16\A0007093.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP16\A0007094.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP16\A0007095.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP16\A0007102.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP18\A0007512.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP18\A0007513.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP18\A0007514.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP3\A0000434.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP3\A0000435.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP3\A0000436.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP3\A0000437.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP4\A0000942.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP4\A0000943.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP4\A0000944.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP4\A0001484.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP4\A0001432.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP4\A0001433.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP4\A0001434.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP4\A0001435.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP4\A0001476.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP7\A0001606.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP7\A0001737.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP7\A0001739.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP7\A0001747.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP7\A0001941.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP7\A0001933.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP7\A0001934.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP7\A0001935.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP8\A0002627.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP8\A0002630.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP8\A0002631.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\System Volume Information\_restore{016F790C-11EB-4B37-8943-BBA64AE44CE9}\RP9\A0002672.dll (Trojan.Phyiost) -> Not selected for removal.
    C:\WINDOWS\system32\4F3X (Trojan.Phyiost) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\AdbUpdtr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\C2H3 (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\fhpatch.dll (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\fiplock.dll (Malware.Trace) -> Delete on reboot.
    C:\WINDOWS\system32\htmp.030 (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\iphy.dll (Malware.Trace) -> Quarantined and deleted successfully.

  5. #5
    peku006, Emeritus- Security Expert (Join Date: Feb 2007, Location: Norway, Posts: 3,103)

    Hi Nurofreeze

    We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper


    http://www.bleepingcomputer.com/comb...o-use-combofix

    Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    If you need help to disable your protection programs see here.

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  6. #6
    Junior Member (Join Date: Oct 2010, Posts: 8)

    Here is the combofix log...

    ComboFix 10-10-28.09 - Ron.Beck 2010-10-29 11:34:16.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1974.1104 [GMT -5:00]
    Running from: c:\documents and settings\ron.beck\My Documents\Downloads\ComboFix.exe
    AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\ron.beck\g2mdlhlpx.exe
    c:\windows\system32\fhpatch.dll
    c:\windows\system32\fiplock.dll

    Infected copy of c:\windows\system32\rasauto.dll was found and disinfected
    Restored copy from - c:\windows\$NtServicePackUninstall$\rasauto.dll

    .
    ((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-29 )))))))))))))))))))))))))))))))
    .

    2010-10-13 17:59 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
    2010-10-13 17:59 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
    2010-10-13 17:59 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
    2010-10-04 14:20 . 2010-10-04 14:24 -------- d-----w- c:\program files\Registry Convoy 2009
    2010-10-01 17:20 . 2010-10-01 17:20 -------- d-----w- c:\documents and settings\liam.kelly
    2010-10-01 04:22 . 2010-10-01 04:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-18 17:23 . 2010-04-03 01:45 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2010-04-03 01:45 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2010-04-03 01:45 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2010-04-03 01:45 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:58 . 2010-04-03 01:46 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2010-04-03 01:45 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2010-04-03 01:45 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-09-08 02:06 . 2010-09-08 02:06 573440 ----a-w- c:\windows\system32\MwUsbDs64.dll
    2010-09-01 11:51 . 2010-04-03 01:44 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42 . 2010-04-03 01:46 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02 . 2010-04-03 01:46 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57 . 2010-04-03 01:46 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 13:39 . 2010-04-03 01:45 357248 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2010-04-03 01:43 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12 . 2010-04-03 01:44 617472 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-17 13:17 . 2010-04-03 01:46 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 08:45 . 2010-04-03 01:46 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-04-06 53408]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2010-04-06 124656]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-04-06 1310720]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-06 141336]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-06 173592]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-04-06 142360]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-05 1044480]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    VPN Client.lnk - c:\windows\Installer\{A7091E1D-36A4-47F1-A739-173CC341414F}\Icon3E5562ED7.ico [2010-4-5 6144]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2010-04-06 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kwinhook]
    2010-04-06 19:40 6144 ----a-w- c:\windows\system32\KWinHook.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-492894223-1801674531-1130\Scripts\Logoff\0\0]
    "Script"=\\lan.thrifty.net\sysvol\lan.thrifty.net\scripts\llogoff.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-492894223-1801674531-1130\Scripts\Logon\0\0]
    "Script"=\\lan.thrifty.net\sysvol\lan.thrifty.net\scripts\llogin.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-492894223-1801674531-11566\Scripts\Logoff\0\0]
    "Script"=\\lan.thrifty.net\sysvol\lan.thrifty.net\scripts\llogoff.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-492894223-1801674531-11566\Scripts\Logon\0\0]
    "Script"=\\lan.thrifty.net\sysvol\lan.thrifty.net\scripts\llogin.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-492894223-1801674531-4997\Scripts\Logoff\0\0]
    "Script"=\\lan.thrifty.net\sysvol\lan.thrifty.net\scripts\llogoff.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-492894223-1801674531-4997\Scripts\Logon\0\0]
    "Script"=\\lan.thrifty.net\sysvol\lan.thrifty.net\scripts\llogin.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-492894223-1801674531-7584\Scripts\Logoff\0\0]
    "Script"=\\lan.thrifty.net\sysvol\lan.thrifty.net\scripts\llogoff.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-492894223-1801674531-7584\Scripts\Logon\0\0]
    "Script"=\\lan.thrifty.net\sysvol\lan.thrifty.net\scripts\llogin.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-492894223-1801674531-7851\Scripts\Logoff\0\0]
    "Script"=\\lan.thrifty.net\sysvol\lan.thrifty.net\scripts\llogoff.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-492894223-1801674531-7851\Scripts\Logon\0\0]
    "Script"=\\lan.thrifty.net\sysvol\lan.thrifty.net\scripts\llogin.vbs

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-05 21:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-04-03 01:27 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2008-03-28 2:14 PM 24064]
    R0 siwinacc;siwinacc;c:\windows\system32\drivers\siwinacc.sys [2010-04-02 8:45 PM 17328]
    R2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2008-06-12 1164536]
    R2 KBOXSMMP;KBOX SMMP Management Service;c:\program files\KACE\KBOX\KBOXSMMPService.exe [2010-04-05 6:31 PM 1718272]
    R2 LogWatch;Event Log Watch;c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2002-09-20 9:29 AM 53248]
    R2 r_server;Remote Administrator Service;c:\windows\system32\r_server.exe [2010-04-02 8:46 PM 724992]
    R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2010-04-02 8:29 PM 115952]
    R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-06-12 2:40 PM 477696]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-06-01 8:29 AM 102448]
    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2010-04-02 8:45 PM 41216]
    S3 CA_LIC_CLNT;CA License Client;c:\program files\CA\SharedComponents\CA_LIC\lic98rmt.exe [2002-09-20 9:27 AM 77824]
    S3 CA_LIC_SRVR;CA License Server;c:\program files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [2002-09-20 9:41 AM 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
    DPF: {30FE4017-9CC6-45D2-9D6C-E96F4E385B8F} - hxxp://phoenix/osoft/installation/Ev4Inst.CAB
    DPF: {5E1358C4-8831-4DEF-8293-0834F9B9C4A5} - hxxp://phoenix/osoft/installation/Ev4Diag.CAB
    FF - ProfilePath - c:\documents and settings\ron.beck\Application Data\Mozilla\Firefox\Profiles\rv5vhndw.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    FF - prefs.js: network.proxy.type - 0
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    Notify-AtiExtEvent - (no file)
    MSConfigStartUp-cftmon - c:\windows\system32\cftmon.exe
    MSConfigStartUp-StartCCC - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    AddRemove-Agere Systems Soft Modem - c:\windows\agrsmdel



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-10-29 11:40
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,38,69,26,1e,1d,de,db,4d,bc,95,72,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,38,69,26,1e,1d,de,db,4d,bc,95,72,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1356)
    c:\windows\system32\kwinhook.dll
    c:\windows\system32\MSVCR71.dll

    - - - - - - - > 'explorer.exe'(3324)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\program files\Symantec AntiVirus\DefWatch.exe
    c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    c:\oracle\bin\omtsreco.exe
    c:\program files\Symantec AntiVirus\Rtvscan.exe
    c:\windows\system32\SearchIndexer.exe
    c:\windows\system32\igfxsrvc.exe
    .
    **************************************************************************
    .
    Completion time: 2010-10-29 11:43:43 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-10-29 16:43

    Pre-Run: 220,678,844,416 bytes free
    Post-Run: 220,820,422,656 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - EDC0285F84B116DCCDC765493E8B3F40

  7. #7
    peku006, Emeritus- Security Expert (Join Date: Feb 2007, Location: Norway, Posts: 3,103)

    Hi Nurofreeze

    This machine is not used for business purposes or connected to a business network, is it?

    Thanks peku006

  8. #8
    Junior Member (Join Date: Oct 2010, Posts: 8)

    Yes. It is, but I have admin rights to it.

  9. #9
    peku006, Emeritus- Security Expert (Join Date: Feb 2007, Location: Norway, Posts: 3,103)

    Hi

    I'm sorry, but I cannot help you; you should have read this properly:

    Quote Originally Posted by tashi:
    The malware removal forum is set up to help those in need of assistance with their personal computers. This service is free and provided by volunteer analysts.

    When an infected computer is a company machine and/or in the workplace.

    The intention of this forum is not to replace a company's IT department, helpers cannot anticipate alterations or configurations that may have been made to a business machine, or how it will interact with the tools commonly used in the removal of malware.

    Another consideration is that company information may show in the logs and more than one machine could be at stake, possibly even the server. If sensitive material has been compromised by an infection, the company could be held liable.

    To prevent possible loss or corruption of company information, please inform your IT Professional or Supervisor when a workplace computer has been infected. If neither are available, please consider calling in a local technician who can see the machine/network in person.

    It's not that we don't want to help, but there are too many issues that could arise from a networked company machine that malware forum volunteers are not experienced in dealing with.

    Thank you for your understanding.

    -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    Corporate, Government, Small Business or Institutional

    Spybot S&D Corporate-Small Business Editions

    Please contact our office support so they may provide direct assistance for your needs.

    Thank you.

    -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    If you are a computer business removing malware for paying customers, please don't post the logs here as our volunteers are not here to support such. Clients with infected PCs may be directed to this forum to receive advice in the first person.

  10. #10
    peku006, Emeritus- Security Expert (Join Date: Feb 2007, Location: Norway, Posts: 3,103)

    Due to a lack of response, this topic is now closed.

    If you still require help, please open a new thread in the Malware Removal forum, include a fresh DDS log, and wait for a new helper.

    Your donation helps improving Spybot-S&D!
