
[Spyware] Hosts issue / HJT Log
TCSteve @reachone.com
I'm working on a co-worker's laptop at work to try and disinfect it. I've been working on this all day so far (literally) and a few hours ago I thought I had it wrapped up but it's still pointing to the wrong location for most security-related domains. If I use nslookup on lavasoft.com or safer-networking.org it resolves to the correct IP, but if I ping it the ICMP goes to 127.0.0.1. It's probably a symptom of a larger issue so it's time to call in reinforcements (that's you guys, btw).
This is an HP laptop, so it's got all of the usual HP cruft running. It's having issues starting up, it hangs around on the 'preparing network connections' screen for quite a few minutes. I have it unplugged from the network and wireless disabled until I get it disinfected.
I see that there's a radio button to choose Smitfraud as an option. I'm not very familiar with that, but there was an entry for Smitfraud that either Ad-Aware or SpybotS&D found that I removed.
I forgot to mention that the hosts file is fine, and I've also used the hostsXpert program to reset it. Since nslookup succeeds and ping fails it seems like there's a hook in another layer that's intercepting the requests, but I'm not a pro at this stuff. I'm just a programmer trying to do my work but having to fix broken computers.
I updated and ran Ad-Aware 2008, SpybotS&D 1.6, Windows Defender, and the malicious software removal tool. The last 2 didn't find anything, the first 2 found a few items that I removed (including a smitfraud file). I ran a winsock fix tool to try and fix the logon issues (sometimes the box won't even appear at all, leaving me to make interesting movements with the mouse cursor; same thing in safe mode). Keeping the Windows CD in the drive seems to help it boot, but I think that's just a coincidence. I tried to enter XP setup and go through the repair install but it told me that it couldn't find the hard drive when I did that, which is a pretty neat trick. IE6 is installed and it seems to have issues with ActiveX, it would not run the MS validation control to download defender. I didn't check the settings to see if ActiveX was disabled in the settings, I was sort of under the impression that if ActiveX was already disabled I wouldn't be looking at this computer in the first place. It seemed more likely that the URL for that file was being blocked (other downloads on Microsoft.com were being blocked).
I could not access online virus scans on the laptop, I tried trendmicro.com, the eset.eu site, and pandasoftware. None of them were reachable from the laptop.
HJT log below. Thanks for looking.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:43:19 PM, on 8/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Documents and Settings\steve\Desktop\security\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [MsmqIntCert] "C:\WINDOWS\system32\regsvr32.exe" /s mqrt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [PTHOSTTR] "C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" /Start
O4 - HKLM\..\Run: [DLA] "C:\WINDOWS\System32\DLA\DLACTRLW.EXE"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [igfxtray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [igfxhkcmd] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [igfxpers] "C:\WINDOWS\system32\igfxpers.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [CognizanceTS] "C:\WINDOWS\system32\rundll32.exe" C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule
O4 - HKLM\..\Run: [QlbCtrl] "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [Cpqset] "C:\Program Files\HPQ\Default Settings\cpqset.exe"
O4 - HKLM\..\Run: [Recguard] "C:\WINDOWS\Sminst\Recguard.exe"
O4 - HKLM\..\Run: [Scheduler] "C:\WINDOWS\SMINST\Scheduler.exe"
O4 - HKLM\..\Run: [WatchDog] "C:\Program Files\InterVideo\DVD Check\DVDCheck.exe"
O4 - HKLM\..\Run: [vptray] "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [masqform.exe] "C:\Program Files\PureEdge\Viewer 6.5\masqform.exe" -RunOnce
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso···31107440
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s···lash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tc.tracorp.com
O17 - HKLM\Software\..\Telephony: DomainName = tc.tracorp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tc.tracorp.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tc.tracorp.com
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

bcastner (Premium, VIP, MVM; joined 2002-09-25; Chevy Chase, MD; clubs: Verizon Online DSL)
First Steps
The following instructions are only for this Forum member. Please do not use these instructions on another computer system. You can seriously damage your system by following the instructions below without guided assistance. You assuredly will make a cleanup of your system more difficult.
Please download ATF Cleaner. It does not require any installation. It is set up to clean Windows TEMP folders, as well as IE, Firefox and Opera Temporary Internet Files and Cookies.
• Double-click ATF-Cleaner.exe to run the program.
First Step:
• Under Main choose: Select All
• Click the Empty Selected button.
Next, if you use Firefox (and some Mozilla-based browsers):
• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
Next, if you use the Opera browser:
• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Reconfigure Windows XP to show hidden files:
To enable the viewing of hidden files follow these steps:
• Close all programs so that you are at your desktop.
• Double-click on the My Computer icon.
• Select the Tools menu and click Folder Options.
• After the new window appears select the View tab.
• Put a checkmark in the checkbox labeled Display the contents of system folders.
• Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
• Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
• Remove the checkmark from the checkbox labeled Hide protected operating system files.
• Press the Apply button and then the OK button and exit My Computer.
• Now your computer is configured to show all hidden files.
TeaTimer is an excellent tool for the prevention of spyware but it can sometimes prevent HijackThis from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
• Open Spybot Search & Destroy.
• In the Mode menu click "Advanced mode" if not already selected.
• Choose Yes at the Warning prompt.
• Expand the Tools menu.
• Click Resident.
• Uncheck the "Resident 'TeaTimer' (Protection of overall system settings) active." box.
• In the File menu click Exit to exit Spybot Search & Destroy.
• Download and unzip to your Desktop:
• Double-click ResetTeaTimer.bat to remove all entries set by TeaTimer.
We have to disable SpySweeper.
Spy Sweeper version 4:
* Open it, click Options over on the left, then Program options.
* Uncheck Load at Windows startup.
* Over to the left, click Shields and uncheck all there.
* Uncheck Home page shield.
* Uncheck Automatically restore default without notification.
* Reboot your machine for the changes to take effect.
SpySweeper version 5:
To disable SpySweeper Shields:
* Open SpySweeper.
* Click Shield Settings on the right (or Shields on the left, depending what screen you're on).
* Click Internet Explorer and uncheck all items.
* Click Windows System and uncheck all items.
* Click Hosts File and uncheck all items.
* Click Startup Programs and uncheck all items.
* Close SpySweeper.
Reboot your computer, and ensure Spy Sweeper is disabled.
Malware Identification and Removal Steps
1. Please download MalwareBytes Anti-malware (MBAM) from one of the following links:
Once downloaded, close all programs and windows on your computer (including this one).
Double-click on the icon on your desktop named Download_mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program.
On the Scanner tab, make sure the Perform quick scan option is selected and then click on the Scan button to start scanning your computer.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan.
When the scan is finished a message box will appear that it has completed scanning successfully. Click OK. Now click Show Results. Make sure all entries have a checkmark at their far left. You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window. Remember where you saved the log file, as we will want to see it later.
2. Download and run ComboFix. Download this file to your Desktop from any of these sources:
• Disconnect from the Internet.
• Disable your Antivirus software -- this includes any Script Blocking Feature it may have.
Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• A window will open with a warning. Accept any disclaimers to start the fix.
• When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.
A caution: Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
3. Run HijackThis again, and save the log file.
Submit to the Forum:
• Your MBAM results;
• The contents of C:\Combofix.txt;
• The new HijackThis log.
--
MS-MVP 2004-2008, ASAP Member, Users Helping Users
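The opening post's observation (nslookup gives the right address, ping goes to 127.0.0.1, hosts file clean) is a layer test, and it is worth making explicit. nslookup builds its own DNS packet and sends it over UDP straight to the configured server; ping calls the Windows resolver, which walks the hosts file, the DNS client cache and the Winsock name-service provider chain, which is where an LSP or a kernel hook can rewrite answers. The script below is an added example written for this thread, not code from either poster or from any of the tools mentioned: it implements both paths (a raw DNS query builder/parser with RFC 1035 name compression, and a hosts-file parser), then classifies where a discrepancy must sit. The hosts text and the DNS response bytes are constructed so it runs offline, and the 192.0.2.x addresses are placeholders, not lavasoft.com's real addresses.

```python
"""Which layer redirected the name? nslookup sends its own UDP/53 query to the
configured server; ping goes through the OS resolver (hosts file, DNS client
cache, Winsock NSP/LSP chain). Comparing the two answers localises a hijack."""
import socket
import struct

def parse_hosts(text):
    """Map each hostname in hosts-file text to its address; '#' starts a comment."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split('#', 1)[0].split()
        for name in fields[1:]:
            mapping[name.lower()] = fields[0]
    return mapping

def encode_name(name):
    """Wire form of a hostname: length-prefixed labels, zero terminator."""
    labels = name.rstrip('.').split('.')
    return b''.join(bytes([len(l)]) + l.encode('ascii') for l in labels) + b'\x00'

def build_dns_query(name, qid=0x1234):
    """Recursive A query for name: the packet nslookup puts on the wire."""
    return struct.pack('!HHHHHH', qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack('!HH', 1, 1)

def read_name(data, offset):
    """Decode a name at offset, following compression pointers; returns (name, next offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # 2-byte pointer into the packet
            if not jumped:
                end = offset + 2
            offset = struct.unpack('!H', data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode('ascii'))
        offset += length
    return '.'.join(labels), end if jumped else offset

def parse_dns_answers(data):
    """Return {name: [IPv4 strings]} from the answer section of a response."""
    _qid, flags, qdcount, ancount = struct.unpack('!HHHH', data[:8])
    if flags & 0x000F:
        raise ValueError('server returned rcode %d' % (flags & 0x000F))
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(data, offset)
        offset += 4                                     # QTYPE + QCLASS
    answers = {}
    for _ in range(ancount):
        name, offset = read_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack('!HHIH', data[offset:offset + 10])
        offset += 10
        rdata, offset = data[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            answers.setdefault(name.lower(), []).append(socket.inet_ntoa(rdata))
    return answers

def build_dns_response(qid, name, ips):
    """Constructed reply for offline use; each answer name is a pointer (0xC00C)
    back to the question name at offset 12, so read_name's pointer path is exercised."""
    header = struct.pack('!HHHHHH', qid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack('!HH', 1, 1)
    rrs = b''.join(b'\xc0\x0c' + struct.pack('!HHIH', 1, 1, 300, 4) + socket.inet_aton(ip) for ip in ips)
    return header + question + rrs

def locate_hijack(domain, os_answer, hosts_map, dns_answers):
    """Name the layer responsible when the resolver's answer differs from the server's."""
    domain = domain.lower()
    if os_answer in dns_answers.get(domain, []):
        return 'dns server itself returns loopback' if os_answer.startswith('127.') else 'consistent'
    if hosts_map.get(domain) == os_answer:
        return 'hosts file'
    if os_answer.startswith('127.'):
        return 'below hosts file: DNS client cache, Winsock LSP/NSP or rootkit hook'
    return 'answers differ: compare servers and flush the DNS client cache'

def query_server(server, name, timeout=2.0):
    """Live nslookup-style path (needs network): raw UDP query, parsed answer."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_dns_query(name), (server, 53))
        return parse_dns_answers(sock.recv(512))
    finally:
        sock.close()

# Constructed inputs: a hosts file with one redirected entry and a server reply
# for lavasoft.com (192.0.2.x are placeholder addresses, not real ones).
SAMPLE_HOSTS = "127.0.0.1 localhost\n# comment line\n127.0.0.1 www.lavasoft.com\n"
SAMPLE_RESPONSE = build_dns_response(0x1234, 'lavasoft.com', ['192.0.2.10', '192.0.2.11'])

if __name__ == '__main__':
    hosts, wire = parse_hosts(SAMPLE_HOSTS), parse_dns_answers(SAMPLE_RESPONSE)
    # 127.0.0.1 stands in for what socket.gethostbyname() handed back to ping
    print(locate_hijack('lavasoft.com', '127.0.0.1', hosts, wire))
    print(locate_hijack('www.lavasoft.com', '127.0.0.1', hosts, wire))
```

To run it against a real machine, feed `parse_hosts` the contents of `C:\WINDOWS\system32\drivers\etc\hosts`, take `os_answer` from `socket.gethostbyname(name)` and `dns_answers` from `query_server(<your DNS server>, name)`. When the raw query agrees with nslookup but `gethostbyname` still returns 127.0.0.1 with a clean hosts file, the redirection sits in the DNS client cache (`ipconfig /displaydns`, `ipconfig /flushdns`) or in a Winsock provider; HijackThis's O10 section lists LSPs but a kernel-mode rootkit can hide its hook from user-mode tools entirely, which is consistent with ComboFix later finding a TDSSSERV driver on this box.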
TCSteve @reachone.com
Thanks for the reply, that MBAM program found quite a few things (including several tds*.dll and .sys files it identified as a trojan). I'm still waiting for the laptop to boot to get the logs off it. After running the Combofix program and saving the log I saw a few strange things. It added 2 files to the desktop without a name, where right-clicking on them only showed Cut, Create Shortcut, and Delete. It also added the IE shortcut to the desktop. When I clicked on the Start menu the My Computer and Printers items were just labelled "folder", and I couldn't expand the Programs. I used Win+E to open Explorer and I wasn't able to pull up a folder list to copy the logs over the network. I rebooted the machine, it let me sign in, but I'm still waiting for the desktop to appear, I'm looking at a blue screen with a mouse cursor on it right now. I'm debating whether or not it would be a good idea to do a hard reboot, so I figured I would post and give it a few more minutes. If I don't hear back with alternate instructions I'll do a hard reboot after a while and try to go into safe mode or back to normal mode to get the logs copied over and posted.

TCSteve @reachone.com
Still desktopless. I used Ctrl+Shift+Esc to open task manager, which opened, and I'm trying to execute explorer.exe (which isn't running). I go up to File->Run and browse for explorer.exe. When I click on Windows I'm not seeing any folders or files in it, I'm still seeing My Computer as a generic file icon item labelled "Folder", and I believe My Network Places is also being labelled Folder. This is in the folder dropdown for the browse box. On the left, from top to bottom in that box I see Recent (folder icon), Desktop (desktop icon), blank name (My Documents icon), and 2 file icons labelled "Folder" (My Computer and My Network Places perhaps). The first time I typed "explorer" into the run box I thought I saw it pop up in the process list and immediately go away; now when I try to run it I don't see it appearing. Still no desktop, explorer.exe isn't running. I'll use task manager to reboot again and check out safe mode.

TCSteve @reachone.com
For reference, this is the list of processes I see running (haven't rebooted to safe mode yet):
aawservice.exe, alg.exe, AppleMobileDeviceService.exe, btwdins.exe, csrss.exe, DefWatch.exe, lsass.exe, LSSrvc.exe, mqsvc.exe, msdtc.exe, MsMpEng.exe, services.exe, smss.exe, spoolsv.exe, SpySweeper.exe (I could never disable the service or end this process, although I disabled all shields as described), svchost.exe x8, taskmgr.exe, winlogon.exe, wscntfy.exe
Plus the system and idle processes. MsMpEng is using the most RAM, although aawservice peaked at 169MB, and none of them are using any CPU time. aawservice has 3 seconds of CPU time, MsMpEng has 6 seconds, SpySweeper.exe has 13 seconds.

TCSteve @reachone.com
I used "shutdown -r -t 01" to reboot and went to safe mode. Safe mode is pretty similar, still no explorer process or desktop. Processes:
aawservice.exe, csrss.exe, lsass.exe, MsMpEng.exe, services.exe, smss.exe, SpySweeper.exe, svchost.exe x5, winlogon.exe
If I manually run explorer I get the popup explaining that this is in safe mode, while the popup is up I can see explorer.exe in the process list and when I press Yes the process ends.
I'm going to use shutdown -s -t 01 to shut this thing down and wait until I hear back.

bcastner
Just do a cold restart of the system in Normal mode. Bring up Task Manager. Do a File, New Task (Run...) and enter: explorer.exe
See if you can now view the Desktop. I really need to see the log results from at least Combofix. If you cannot bring up the Desktop, at least do from New Task Run: notepad C:\combofix.txt
Post the log results back to the Forum.
TCSteve @reachone.com
OK, I'm still not able to get explorer to stay running, either in safe or normal mode. If I run it I see the process briefly in the process list and it closes almost immediately. In safe mode it waits for my response on the dialog before closing.
Good call on notepad though, I was able to run notepad and open the files that I previously saved on the desktop, and I was able to use notepad to save the files onto a network share by just typing the path into the Save As box, e.g. \\server\share\path\file.txt. I saved these logs, including the HJT log, after running Combofix and before rebooting.
========================================================================
ComboFix 08-08-25.01 - steve 2008-08-26 11:08:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.601 [GMT -7:00]
Running from: C:\Documents and Settings\steve\Desktop\ComboFix.exe
 * Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Documents and Settings\karen\Application Data\macromedia\Flash Player\#SharedObjects\GR8R3SZ8\bin.clearspring.com
C:\Documents and Settings\karen\Application Data\macromedia\Flash Player\#SharedObjects\GR8R3SZ8\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\karen\Application Data\macromedia\Flash Player\#SharedObjects\GR8R3SZ8\interclick.com
C:\Documents and Settings\karen\Application Data\macromedia\Flash Player\#SharedObjects\GR8R3SZ8\interclick.com\ud.sol
C:\Documents and Settings\karen\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\karen\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\karen\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\karen\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Marcy\Application Data\macromedia\Flash Player\#SharedObjects\LALB9W3G\bin.clearspring.com
C:\Documents and Settings\Marcy\Application Data\macromedia\Flash Player\#SharedObjects\LALB9W3G\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Marcy\Application Data\macromedia\Flash Player\#SharedObjects\LALB9W3G\www.broadcaster.com
C:\Documents and Settings\Marcy\Application Data\macromedia\Flash Player\#SharedObjects\LALB9W3G\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Marcy\Application Data\macromedia\Flash Player\#SharedObjects\LALB9W3G\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Marcy\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Marcy\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\Marcy\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Marcy\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
D:\Autorun.inf
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\Legacy_TDSSSERV
-------\Service_tdssserv
((((((((((((((((((((((((( Files Created from 2008-07-26 to 2008-08-26 )))))))))))))))))))))))))))))))

2008-08-26 11:36 . 2008-08-26 11:36 114,688 --a------ C:\WINDOWS\system32\chg.exe
2008-08-26 10:43 . 2008-08-26 10:43 d-------- C:\Program Files\Malwarebytes Anti-Malware
2008-08-26 10:43 . 2008-08-26 10:43 d-------- C:\Documents and Settings\steve\Application Data\Malwarebytes
2008-08-26 10:43 . 2008-08-26 10:43 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-26 10:43 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-26 10:43 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-25 17:23 . 2008-08-25 17:23 d-------- C:\Program Files\Windows Defender
2008-08-25 10:17 . 2008-08-25 10:17 d-------- C:\Program Files\Lavasoft
2008-08-25 10:17 . 2008-08-25 10:18 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-25 09:48 . 2008-08-25 09:48 d-------- C:\Documents and Settings\steve\Application Data\Webroot
2008-08-25 09:48 . 2008-08-25 09:48 d-------- C:\Documents and Settings\steve\Application Data\PureEdge
2008-08-24 12:33 . 2008-08-24 12:33 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-08-24 12:27 . 2008-08-24 12:27 d-------- C:\Program Files\Webroot
2008-08-24 12:27 . 2008-08-24 12:27 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-08-24 12:27 . 2008-08-24 12:27 d-------- C:\Documents and Settings\karen\Application Data\Webroot
2008-08-24 12:27 . 2008-08-24 12:27 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-08-24 12:27 . 2008-08-09 16:04 1,538,928 --a------ C:\WINDOWS\WRSetup.dll
2008-08-24 12:27 . 2008-08-09 14:42 166,512 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-08-24 12:27 . 2007-06-21 18:43 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-08-24 12:27 . 2008-08-09 14:42 23,152 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-08-12 15:54 . 2008-05-01 07:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-09 14:42 . 2008-08-09 14:42 29,808 --a------ C:\WINDOWS\system32\drivers\ssfs0bbc.sys
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-08-25 18:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-25 18:50 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-25 17:17 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-25 02:20 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-08-25 00:54 --------- d-----w C:\Program Files\Qwest
2008-08-25 00:33 --------- d-----w C:\Program Files\MySpace
2008-08-24 22:12 --------- d-----w C:\Program Files\Java
2008-07-21 01:32 --------- d-----w C:\Documents and Settings\karen\Application Data\Juniper Networks
2008-07-20 21:50 --------- d-----w C:\Documents and Settings\karen\Application Data\ICAClient
2008-07-20 20:23 --------- d-----w C:\Program Files\triCerat
2008-07-20 20:23 --------- d-----w C:\Program Files\Citrix
2008-07-20 20:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Juniper Networks
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-19 05:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 05:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:23 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-23 16:12 667,136 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-23 16:12 667,136 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2008-06-23 16:12 618,496 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2008-06-23 16:12 532,480 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2008-06-23 16:12 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
2008-06-23 16:12 449,024 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2008-06-23 16:12 39,424 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-06-23 16:12 146,432 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2008-06-23 16:12 1,499,136 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
2008-06-23 16:11 96,256 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
2008-06-23 16:11 55,808 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2008-06-23 16:11 357,888 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2008-06-23 16:11 3,067,392 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 16:11 251,904 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll
2008-06-23 16:11 205,312 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2008-06-23 16:11 16,384 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2008-06-23 16:11 151,040 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
2008-06-23 16:11 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
2008-06-23 16:11 1,024,000 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
2008-06-23 09:53 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2007-10-26 19:30 14,579,256 ----a-w C:\Program Files\snagit.exe
2007-08-29 17:56 28,672 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
2007-08-29 17:56 98,304 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcext.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 01:11 925696]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"PTHOSTTR"="C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-02-14 11:56 122880]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-08-31 05:20 122940]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-10 11:04 761945]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 05:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 05:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 05:17 118784]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 10:49 454656]
"CognizanceTS"="C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll" [2003-12-22 11:12 17920]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-02 15:39 131072]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-02-22 08:03 40960]
"Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2005-12-20 15:51 1187840]
"Scheduler"="C:\WINDOWS\SMINST\Scheduler.exe" [2006-02-15 15:43 892928]
"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2005-11-08 11:59 184320]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21 90112]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"masqform.exe"="C:\Program Files\PureEdge\Viewer 6.5\masqform.exe" [2005-07-04 09:50 643072]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"MsmqIntCert"="mqrt.dll" [2007-07-06 05:46 177152 C:\WINDOWS\system32\mqrt.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [N/A]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-02-15 16:16:02 581693]
DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2006-11-10 15:47:43 184320]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoWelcomeScreen"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2005-07-25 11:41 40960 C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll
"MSVideo"= CSvidcap.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\mstsc.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 ssfs0bbc;ssfs0bbc;C:\WINDOWS\system32\DRIVERS\ssfs0bbc.sys [2008-08-09 14:42]
R2 ASChannel;Local Communication Channel;C:\WINDOWS\System32\svchost.exe [2004-08-04 01:00]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASChannel

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
2008-06-13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
2008-08-26 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
2008-08-24 C:\WINDOWS\Tasks\wrSpySweeperFullSweep.job - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-08-09 16:04]
2008-08-24 C:\WINDOWS\Tasks\wrSpySweeperFullSweep.job - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-08-09 16:04]
2008-08-24 C:\WINDOWS\Tasks\wrSpySweeperFullSweep.job - C:\","D:\","E:\" []
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers- - (no file)
ShellExecuteHooks-{367BDF4B-04E5-46C9-9D83-D68307F659E3} - (no file)

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\steve\Application Data\Mozilla\Firefox\Profiles\eisaftfu.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, www.gmer.net
Rootkit scan 2008-08-26 11:37:55
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????M??????(?@???????@
scanning hidden files ...
scan completed successfully hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\HPQ\IAM\Bin\asghost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-08-26 11:47:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-26 18:47:10

Pre-Run: 34,016,698,368 bytes free
Post-Run: 33,963,372,544 bytes free
253 --- E O F --- 2008-08-24 19:16:21
======================================================================== ======================================================================== ========================================================================
Malwarebytes' Anti-Malware 1.25
Database version: 1088
Windows 5.1.2600 Service Pack 2

11:00:03 AM 8/26/2008
mbam-log-08-26-2008 (11-00-03).txt

Scan type: Quick Scan
Objects scanned: 67773
Time elapsed: 4 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 11
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\karen\Application Data\rhc7l2j0e7t9 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\karen\Application Data\rhc7l2j0e7t9\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\karen\Application Data\rhc7l2j0e7t9\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\karen\Application Data\rhc7l2j0e7t9\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\karen\Application Data\rhc7l2j0e7t9\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\karen\Application Data\rhc7l2j0e7t9\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\karen\Application Data\rhc7l2j0e7t9\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\karen\Application Data\rhc7l2j0e7t9\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\karen\Application Data\rhc7l2j0e7t9\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\karen\Application Data\rhc7l2j0e7t9\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\karen\Application Data\rhc7l2j0e7t9\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\lphc3l2j0e7t9.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pphc3l2j0e7t9.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
======================================================================== ======================================================================== ========================================================================
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:54, on 2008-08-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\steve\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.hp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [MsmqIntCert] "C:\WINDOWS\system32\regsvr32.exe" /s mqrt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [PTHOSTTR] "C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" /Start
O4 - HKLM\..\Run: [DLA] "C:\WINDOWS\System32\DLA\DLACTRLW.EXE"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [igfxtray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [igfxhkcmd] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [igfxpers] "C:\WINDOWS\system32\igfxpers.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [CognizanceTS] "C:\WINDOWS\system32\rundll32.exe" C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule
O4 - HKLM\..\Run: [QlbCtrl] "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Recguard] "C:\WINDOWS\Sminst\Recguard.exe"
O4 - HKLM\..\Run: [Scheduler] "C:\WINDOWS\SMINST\Scheduler.exe"
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [vptray] "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [masqform.exe] "C:\Program Files\PureEdge\Viewer 6.5\masqform.exe" -RunOnce
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User '?')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tc.tracorp.com
O17 - HKLM\Software\..\Telephony: DomainName = tc.tracorp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tc.tracorp.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tc.tracorp.com
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - (no file)
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
-- End of file - 6911 bytes

TCSteve @reachone.com
I'm not having much joy with this computer, I'm not sure if the lack of replies from people indicates a lack of time or if other people are stumped also, but if I can't get this working by next week I'll probably just go ahead and wipe it. If anyone has any suggestions they would be much appreciated.
To recap, the machine will boot in both normal and safe mode, but explorer.exe does not stay running. It closes immediately on startup after login and before the desktop gets displayed, and trying to run it using Task Manager shows it open and immediately close again.

bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD clubs: ·Verizon Online DSL
Explorer is not being closed by malware. We removed your considerable Vundo infection, including a very nasty rootkit service, TDSSSERV. Your DNS redirection has been removed.
What do your Event Logs say about Explorer? Because the issue with Explorer is not due to a malware infection. (Your last log showed Explorer.exe as active in Normal mode.) My concern is that the issue with Explorer -- or more directly your Desktop -- is likely due to the use of other anti-malware cleaners that have damaged the LSA portions of the registry. Spybot S&D at the moment will do this.
As two cuts at things, let's set the defaults for the display of the Desktop and Taskbar back to where they should be in case the registry entries have been damaged.
#1. Download this VBS script by MS-MVP Kelly Theriot. Double click the downloaded file to run the script.
#2. After doing the above, using your mouse, left click once below where it says: "Copy to clipboard" or highlight and Copy/Paste the entire Code box contents below:
Open a new Notepad document. (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and enter (including quotation marks) as the filename: "RegistryFix.REG". Exit Notepad.
Double click your new file and agree to the registry merge when asked. You can then delete this new file.
:!: Reboot.
What utilities have you tried on your own to fix this computer?
Your Event Logs should give some indication of why Explorer is terminating (if it is -- it shows as an active process in your log results.)

TCSteve @reachone.com
It definitely sounds like you're on the right track, I think a corrupted registry might be the only issue now.
I wasn't sure how to run the VB script with WSH or do the automated registry add without explorer running, so I fired up regedit and made the changes manually. Most things in the registry matched what is in the VB script file, except for these differences:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU\ does not exist
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}\ does not exist
When adding the NoCloseDragDropBands value to this key:
I created nearly the entire branch, starting with the Group Policy Objects key (there was no GPO key in that location).
For the changes you posted, neither of those registry values existed (there was not a key for explorer.exe, iexplorer.exe, or iexplore.exe in the Image File Execution Options key).
I made those changes and rebooted, but the desktop still did not appear. Then I tried to open the Event Viewer by running mmc.exe, and this is the message I get:
quote: MMC failed to initialize because it was installed incorrectly or because a portion of the registry has become corrupted. Make sure the file Mmcndmgr.dll is registered by running "regsvr32 %SystemRoot%\system32\mmcndmgr.dll".
After registering the DLL, I ran mmc.exe again to open event viewer and got this:
quote: MMC cannot open the file C:\Windows\system32\eventvwr.msc. This may be because the file does not exist, is not an MMC console, or was created by a later version of MMC. This may also be because you do not have sufficient access rights to the file.
I did verify that the file exists where it's looking. There is also an eventvwr.exe there which shows the same error.
The utilities I've tried were listed in the first post, first I ran Ad-Aware and Spybot and then when I came to post here I ran the other tools listed on the "before you post" page, and then the tools that you had me run. I didn't run any special-purpose tools like vundofix before posting, just the general anti-malware applications. The machine already had SpySweeper installed (which I have since uninstalled because I couldn't get the service to stop running), the person using this computer had previously installed that to try and get rid of virtumonde I believe.

bcastner Premium,VIP,MVM join:2002-09-25 Chevy Chase, MD clubs: ·Verizon Online DSL
reply to TCSteve
We are no longer dealing with malware issues. You seem to have quite a few unregistered and missing core files. Since you are now clean, do an in-place upgrade of XP. First create an SP3 slipstream to avoid having to spend two days at Microsoft Updates if you use an SP2 slipstream for the in-place repair upgrade reinstallation.

TCSteve @reachone.com
Awesome, exactly what I wanted to do today. Thanks for the help.
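For readers working through a HijackThis log like the one TCSteve posted above, the script below is an added example of how to pull the numbered entries out of the log and sort them into review buckets (the O10 Winsock LSP line, the O17 DNS settings that bcastner's "DNS redirection" comment refers to, O20 Winlogon Notify DLLs, orphaned "(no file)" entries, and O4 autostarts that go through rundll32/regsvr32). It is not part of HijackThis, ComboFix or anything run in this thread. The sample log is constructed from lines in the thread plus one made-up O17 NameServer line using a documentation address (192.0.2.53), and the EXPECTED_DNS allowlist is a hypothetical value an admin would fill in for their own network.

```python
"""Triage helper for HijackThis-style logs (added example, not a thread tool).

The rules are sorting heuristics, not verdicts: a "review" entry only means a
human should confirm the file belongs to installed software.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the log in this thread, plus one
# constructed O17 NameServer line (192.0.2.53 is a documentation address).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.hp.com/
O4 - HKLM\..\Run: [MsmqIntCert] "C:\WINDOWS\system32\regsvr32.exe" /s mqrt.dll
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tc.tracorp.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.0.2.53
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
"""

# Hypothetical allowlist: the DNS suffix and name servers the machine is
# expected to use. The thread's corporate domain is tc.tracorp.com.
EXPECTED_DNS = {"tc.tracorp.com"}

# Signed Windows binaries that load a DLL or script named in their arguments,
# so the autostart's real payload is the argument, not the executable.
PROXY_LAUNCHERS = ("rundll32", "regsvr32", "mshta", "wscript", "cscript")

# HijackThis entry lines look like "O4 - ..." or "R0 - ..."; headers and the
# process list do not match and are skipped.
LINE_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")


@dataclass
class Entry:
    section: str  # e.g. "O4", "O10", "R0"
    body: str     # text after "On - "


@dataclass
class Finding:
    severity: str  # "high", "review" or "low"
    section: str
    reason: str
    body: str


def parse_hjt(text: str) -> list[Entry]:
    """Extract the numbered entries from a HijackThis log."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries: list[Entry]) -> list[Finding]:
    """Bucket entries by how much attention they deserve."""
    findings: list[Finding] = []
    for e in entries:
        low = e.body.lower()
        if e.section == "O10":
            # An LSP sits inside every Winsock call, which is one way name
            # resolution can look right in nslookup yet wrong for applications.
            findings.append(Finding("review", e.section,
                "Winsock LSP not on the HijackThis whitelist; verify the file's publisher and signature", e.body))
        elif e.section == "O20":
            findings.append(Finding("review", e.section,
                "Winlogon Notify DLL runs inside winlogon.exe at logon; confirm it belongs to installed software", e.body))
        elif e.section == "O17":
            m = re.search(r"(?:Domain|DomainName|NameServer)\s*=\s*(\S+)", e.body)
            if m and m.group(1).lower() not in EXPECTED_DNS:
                findings.append(Finding("high", e.section,
                    "DNS domain or name server not on the expected list; possible DNS redirection", e.body))
        elif e.section == "O4" and any(p in low for p in PROXY_LAUNCHERS):
            findings.append(Finding("review", e.section,
                "autostart uses a proxy launcher; the DLL or script in the argument is what actually runs", e.body))
        elif "(no file)" in low:
            findings.append(Finding("low", e.section,
                "orphaned entry whose target file is missing; safe to remove", e.body))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'review': 3, 'high': 1, 'low': 1}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = triage(parse_hjt(SAMPLE_LOG))
    for f in sorted(results, key=lambda f: ("high", "review", "low").index(f.severity)):
        print(f"[{f.severity:6}] {f.section:4} {f.reason}\n         {f.body}")
    print(summarize(results))
```

On the constructed sample this yields one "high" finding (the made-up NameServer line), three "review" findings (the regsvr32 autostart, the LSP, the Winlogon Notify DLL) and one "low" orphan; the Ad-Aware service and the plain cpqset.exe autostart produce nothing. The Domain = tc.tracorp.com lines stay quiet only because that domain is on the allowlist, which is the point of keeping the allowlist per network rather than hard-coding what looks "normal".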