gda6 join:2004-08-28 Chicago, IL (reply to TheJoker)
Re: HJT Log IE7 Browser Gets Redirected
Hello The Joker,
... or is it just Hello Joker ... ?
Okay, first to answer your questions.
0. This is my friend's computer. So, I don't know the exact history of how it got infected. But I'll do my best to describe the situation.
1. Why didn't Avira identify the trojan earlier? It was configured to virus-scan the entire hard disk on demand. For this computer, that happens infrequently. Avira was set up to detect suspicious file reads/writes on-the-fly. When my friend gave me his machine after it had been infected, I immediately uninstalled Avira -- and re-installed the latest version. So, the scan that I previously submitted is from the re-installed version.
2. I don't suspect that the winrar_patch.exe did something malicious. That file has been around for about a year without any ill effects.
3. The PowerQuest backup for this machine is 11 months old. It's too far out of date to use. Therefore, I'm going to go through the "cleaning" process. But if cleaning doesn't work -- then we'll either have to re-install Windows -- or restore the 11-month-old backup.
.... okay, here are the cleaning steps that I performed today.
A. Cleaned ALL IE files/history/cookies/passwords/etc.
B. Ran cleanmgr.
C. Ran Malwarebytes. Log file is attached: f1_mbam....txt.
D. Reran HijackThis. Log file is attached: f2_hijackthis....log.
E. Allowed HijackThis to remove the R0 entry.
Note: at this time I enabled most of the start-up programs that were being blocked by msconfig.exe. The reason that I did this is that I wanted to create a restore point. I had turned off System Restore before posting my first HijackThis log. So I needed to turn it back on to create a restore point. I couldn't create a restore point after turning System Restore back on. Windows told me to restart the computer. After doing so, I still could not create a restore point. That is why I unblocked a lot of start-up programs. I thought maybe one of them was part of the problem. It was not. I still was not able to create a restore point.
... okay back to the clean-up activities ...
F. Ran ComboFix. Log file is attached: f3_combo_fix....txt.
G. Reran HijackThis. Log file is attached: f4_hijackthis....log.
I have not tried to use the computer after these actions. ComboFix advises that I should not try to fix anything without advice from the security forum.
lilhurricane (Crunchin' For Cures; Premium, Mod) join:2003-01-11 Purple Zone
I'm going to open those logs up for ease of viewing
Malwarebytes' Anti-Malware 1.37
Database version: 2296
Windows 5.1.2600 Service Pack 3

6/17/2009 8:40:49 AM
mbam-log-2009-06-17 (08-40-49).txt

Scan type: Quick Scan
Objects scanned: 81942
Time elapsed: 2 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected: (No malicious items detected)
Registry Values Infected: (No malicious items detected)
Registry Data Items Infected: (No malicious items detected)
Folders Infected: (No malicious items detected)
Files Infected:
C:\WINDOWS\system32\ieupdates.exe.tmp (Adware.Agent) -> Quarantined and deleted successfully.
ComboFix 09-06-17.02 - Lamar 06/17/2009 20:40.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1633 [GMT -5:00]
Running from: c:\documents and settings\Lamar\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Lamar\Application Data\inst.exe
c:\windows\system32\drivers\SKYNETpmeevkax.sys
c:\windows\system32\SKYNETgylclswx.dat
c:\windows\system32\SKYNETkpuakgyd.dll
c:\windows\system32\SKYNETowfnanim.dll
c:\windows\system32\SKYNETqkkeuytv.dat
----- BITS: Possible infected sites -----
hxxp://binuser.fileave.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_SKYNETyutgwmri
((((((((((((((((((((((((( Files Created from 2009-05-18 to 2009-06-18 )))))))))))))))))))))))))))))))
.
2009-06-17 13:43 . 2009-06-17 13:56 -------- d-----w- c:\temp\working
2009-06-17 13:36 . 2009-06-17 13:36 -------- d-----w- c:\documents and settings\Lamar\Application Data\Malwarebytes
2009-06-17 13:36 . 2009-05-26 18:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 13:36 . 2009-06-17 13:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-17 13:36 . 2009-06-17 13:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-17 13:36 . 2009-05-26 18:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-17 13:34 . 2009-06-17 13:34 3371384 ----a-w- c:\temp\mbam-setup.exe
2009-06-17 04:26 . 2009-06-17 04:26 -------- d-----w- c:\program files\Trend Micro
2009-06-17 04:24 . 2009-06-17 04:24 812344 ----a-w- c:\temp\HJTInstall.exe
2009-06-17 04:15 . 2009-06-17 03:09 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-17 03:09 . 2009-06-17 03:08 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-17 03:09 . 2009-06-17 03:09 314200 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-06-17 03:09 . 2009-06-17 03:09 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-06-17 03:09 . 2009-06-17 03:09 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-06-17 03:09 . 2009-06-17 03:09 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-17 03:09 . 2009-06-17 03:09 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-06-17 03:09 . 2009-06-17 03:09 294240 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-06-17 03:09 . 2009-06-17 03:09 83808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-17 03:08 . 2009-06-17 03:08 1630048 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-06-17 03:08 . 2009-06-17 03:08 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-17 03:08 . 2009-06-17 03:08 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-06-17 03:08 . 2009-06-17 03:08 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-17 03:08 . 2009-06-17 03:08 640360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-06-17 03:08 . 2009-06-17 03:08 540536 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-06-17 03:08 . 2009-06-17 03:08 559464 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-06-17 03:08 . 2009-06-17 03:08 2352456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-06-17 03:08 . 2009-06-17 03:08 627536 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-06-17 03:08 . 2009-06-17 03:08 518488 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-17 03:08 . 2009-06-17 03:08 1005904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-06-17 03:07 . 2009-06-17 03:07 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-17 03:07 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-06-17 03:07 . 2009-06-17 03:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-17 03:07 . 2009-06-17 03:07 -------- d-----w- c:\program files\Lavasoft
2009-06-17 03:06 . 2009-06-17 03:06 37452296 ----a-w- c:\temp\Ad-AwareAE.exe
2009-06-17 00:41 . 2009-06-17 02:45 -------- d-----w- c:\documents and settings\Lamar\.housecall6.6
2009-06-16 05:03 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-06-16 05:03 . 2009-03-24 21:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-16 05:03 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-06-16 05:03 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-06-16 05:03 . 2009-06-16 05:03 -------- d-----w- c:\program files\Avira
2009-06-16 05:03 . 2009-06-16 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-06-16 04:47 . 2009-06-16 04:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-16 04:44 . 2009-06-16 04:44 30075904 ----a-w- c:\temp\avira_antivir_personal_en.exe
2009-06-16 04:39 . 2009-06-16 04:39 16409960 ----a-w- c:\temp\spybotsd162.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-16 04:49 . 2008-05-31 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-09 23:49 . 2008-06-03 20:48 -------- d-----w- c:\documents and settings\Lamar\Application Data\NewsBin
2009-06-07 15:18 . 2009-06-07 15:19 3087360 ----a-w- c:\windows\Internet Logs\xDB25.tmp
2009-06-07 15:18 . 2009-06-07 15:19 1887744 ----a-w- c:\windows\Internet Logs\xDB24.tmp
2009-06-04 14:18 . 2008-08-12 09:36 -------- d-----w- c:\documents and settings\Lamar\Application Data\dvdcss
2009-06-01 01:56 . 2009-02-07 03:00 -------- d-----w- c:\program files\DYMO DiscPainter
2009-05-30 21:16 . 2009-05-30 21:19 1884160 ----a-w- c:\windows\Internet Logs\xDB22.tmp
2009-05-30 21:16 . 2009-05-30 21:19 372224 ----a-w- c:\windows\Internet Logs\xDB23.tmp
2009-05-22 06:32 . 2008-06-05 02:24 -------- d-----w- c:\documents and settings\Lamar\Application Data\CopyToDvd
2009-05-22 06:24 . 2008-06-05 02:15 -------- d-----w- c:\program files\VSO
2009-05-12 07:34 . 2008-10-25 09:12 2595102 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-05-07 15:32 . 2004-08-10 17:51 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-10 17:51 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-08-10 17:51 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-10 17:51 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-05 18:15 . 2009-01-12 02:48 10022 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-03-30 02:12 . 2009-03-30 03:09 60928 ----a-w- c:\windows\Internet Logs\xDB21.tmp
2009-03-30 01:50 . 2009-03-30 03:09 1833472 ----a-w- c:\windows\Internet Logs\xDB20.tmp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-01-26 902936]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-17 518488]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-14 138008]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"Omnipage"="c:\program files\ScanSoft\OmniPagePro11.0\opware32.exe" [2001-06-21 49152]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-14 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-14 162584]
"dyaaserv.exe"="c:\program files\DYMO DiscPainter\Drivers\dyaaserv.exe" [2007-11-12 177152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-06-14 16132608]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/16/2009 10:09 PM 64160]
R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [6/3/2003 3:52 PM 123957]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [6/3/2003 3:52 PM 46900]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/16/2009 12:03 AM 108289]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 1005904]
S3 DYUSB;DYMO DiscPainter USB Status Monitor Driver;c:\windows\system32\drivers\dyusb.sys [10/22/2007 12:07 PM 35200]
.
Contents of the 'Scheduled Tasks' folder

2009-06-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 03:08]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, www.gmer.net
Rootkit scan 2009-06-17 20:44
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully hidden files: 0
**************************************************************************
.
Completion time: 2009-06-18 20:46
ComboFix-quarantined-files.txt 2009-06-18 01:46

Pre-Run: 57,662,877,696 bytes free
Post-Run: 57,822,457,856 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
164 --- E O F --- 2009-06-10 00:03