McTeague

Hijack This Scan Log - Please Help

Hello McTeague

 

It has been a couple of days now. Did Combofix run okay? How are you getting on?


Hello McTeague

 

It has been a couple of days now. Did Combofix run okay? How are you getting on?

 

Hi JonTom:

 

You'll have to forgive the occasional delay from me. I have been working long days (meaning also nights) and getting home too late to get on the computer. I should be able to run the scans this evening.

 

Thanks for hanging in there.


JonTom:

 

Here is the log for the ComboFix scan. I also reinstalled Java as directed. I will let you know the results of the online scan in the next post.

 

ComboFix 10-04-01.02 - David Harty 04/02/2010 21:58:18.5.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.211 [GMT -4:00]

Running from: c:\documents and settings\David Harty\Desktop\McTeague.exe

AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\All Users\Favorites\_favdata.dat

c:\documents and settings\David Harty\Local Settings\Application Data\Windows Server

c:\windows\AppPatch\AcAdProc.dll

 

.

((((((((((((((((((((((((( Files Created from 2010-03-03 to 2010-04-03 )))))))))))))))))))))))))))))))

.

 

2010-04-03 01:47 . 2010-04-03 01:47 -------- d-----w- c:\program files\Common Files\Java

2010-04-03 01:45 . 2010-04-03 01:45 -------- d-----w- c:\program files\Java

2010-03-30 07:47 . 2010-03-30 07:47 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-03-21 01:50 . 2010-03-21 01:50 -------- dc----w- c:\documents and settings\David Harty\Application Data\Malwarebytes

2010-03-21 01:50 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-21 01:50 . 2010-03-21 01:50 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-03-21 01:50 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-21 01:50 . 2010-03-21 03:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-20 23:04 . 2010-03-20 23:04 4 ----a-w- c:\program files\4318639.dat

2010-03-14 05:50 . 2010-03-14 05:53 -------- dc----w- C:\HJT

2010-03-14 05:47 . 2010-03-14 05:47 -------- dc----w- C:\rsit

2010-03-14 05:32 . 2010-03-14 05:32 -------- dc----w- c:\documents and settings\All Users\Application Data\PCPitstop

2010-03-14 05:30 . 2010-03-18 02:02 -------- d-----w- c:\program files\PCPitstop

2010-03-14 03:03 . 2010-03-14 03:03 4 ----a-w- c:\program files\13822896.dat

2010-03-07 08:12 . 2010-02-04 15:52 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-03-06 08:45 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-03-06 08:38 . 2010-03-06 08:39 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-03 01:46 . 2009-07-01 02:48 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-03-27 16:59 . 2010-03-27 16:59 348160 -c--a-w- c:\documents and settings\David Harty\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-11930dcf-n\msvcr71.dll

2010-03-27 16:59 . 2010-03-27 16:59 61440 -c--a-w- c:\documents and settings\David Harty\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5439f2df-n\decora-sse.dll

2010-03-27 16:59 . 2010-03-27 16:59 503808 -c--a-w- c:\documents and settings\David Harty\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-11930dcf-n\msvcp71.dll

2010-03-27 16:59 . 2010-03-27 16:59 499712 -c--a-w- c:\documents and settings\David Harty\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-11930dcf-n\jmc.dll

2010-03-27 16:59 . 2010-03-27 16:59 12800 -c--a-w- c:\documents and settings\David Harty\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5439f2df-n\decora-d3d.dll

2010-03-27 16:39 . 2007-04-21 04:00 -------- d-----w- c:\program files\Common Files\Real

2010-03-27 16:39 . 2007-04-21 04:00 -------- d-----w- c:\program files\Real

2010-03-27 16:23 . 2009-06-24 01:39 -------- d-----w- c:\program files\QuickTime

2010-03-21 03:09 . 2003-07-26 16:55 -------- dc----w- c:\documents and settings\David Harty\Application Data\MyKey IBM

2010-03-21 00:30 . 2008-12-13 22:23 -------- d-----w- c:\program files\iTunes

2010-03-20 23:05 . 2006-12-14 01:57 -------- d-----w- c:\program files\Windows Defender

2010-03-20 04:51 . 2006-07-24 03:58 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-03-12 12:28 . 2010-03-12 12:28 20829680 -c--a-w- c:\documents and settings\David Harty\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe

2010-03-12 12:28 . 2010-03-12 12:28 8405312 -c--a-w- c:\documents and settings\David Harty\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe

2010-03-12 12:27 . 2010-03-12 12:27 149000 -c--a-w- c:\documents and settings\David Harty\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe

2010-03-12 12:27 . 2010-03-12 12:27 10309448 -c--a-w- c:\documents and settings\David Harty\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe

2010-03-12 12:26 . 2010-03-12 12:26 79368 -c--a-w- c:\documents and settings\David Harty\Application Data\Real\Update\setup3.10\RUP\vista.exe

2010-03-12 12:26 . 2010-03-12 12:26 64000 -c--a-w- c:\documents and settings\David Harty\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll

2010-03-12 12:26 . 2010-03-12 12:26 52288 -c--a-w- c:\documents and settings\David Harty\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll

2010-03-12 12:26 . 2010-03-12 12:26 50688 -c--a-w- c:\documents and settings\David Harty\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll

2010-03-12 12:26 . 2010-03-12 12:26 49152 -c--a-w- c:\documents and settings\David Harty\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll

2010-03-12 12:26 . 2010-03-12 12:26 118784 -c--a-w- c:\documents and settings\David Harty\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll

2010-03-12 04:25 . 2010-03-12 04:25 439816 -c--a-w- c:\documents and settings\David Harty\Application Data\Real\Update\setup3.10\setup.exe

2010-03-06 08:39 . 2009-05-31 22:37 -------- d-----w- c:\program files\Lavasoft

2010-03-06 08:36 . 2007-08-27 01:16 -------- dc----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-03-06 07:40 . 2009-10-11 20:34 -------- dc----w- c:\documents and settings\David Harty\Application Data\vlc

2010-02-24 14:16 . 2009-10-03 01:20 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-02-06 04:54 . 2009-12-01 05:19 -------- dc----w- c:\documents and settings\David Harty\Application Data\dvdcss

2010-02-04 15:53 . 2010-03-06 08:38 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe

2010-01-05 10:00 . 2005-02-18 20:19 832512 ------w- c:\windows\system32\wininet.dll

2010-01-05 10:00 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-01-05 10:00 . 1980-01-01 07:00 17408 ----a-w- c:\windows\system32\corpol.dll

2006-10-16 03:04 . 2006-10-16 02:26 89 ----a-w- c:\program files\Common Files\appop.log

2005-05-09 01:12 . 2005-05-09 01:12 18075 ----a-w- c:\program files\IEHook.EX_

2000-07-19 18:57 . 2000-07-19 18:57 766 ----a-w- c:\program files\Common Files\ringtail.ico

.

c:\program files\QuickTime\qttask		   .exe
c:\program files\ThinkPad\ConnectUtilities\qctray  .exe
c:\program files\ThinkPad\ConnectUtilities\qcwlicon	  .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"S3TRAY2"="S3Tray2.exe" [N/A]

"TrackPointSrv"="tp4serv.exe" [N/A]

"BluetoothAuthenticationAgent"="irprops.cpl" [2008-04-14 380416]

"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [N/A]

"TP4EX"="tp4ex.exe" [N/A]

"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [N/A]

"PCRecSA"="c:\progra~1\xpoint\pe\PCRECSA.EXE" [N/A]

"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 88363]

"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [N/A]

"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 110592]

"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]

"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 208896]

"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [N/A]

"ATIModeChange"="Ati2mdxx.exe" [N/A]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [N/A]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]

2005-09-06 08:08 262144 ----a-w- c:\windows\system32\QConGina.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]

2005-07-06 04:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]

2005-06-17 03:23 24576 ----a-w- c:\windows\system32\tphklock.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" -hide

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\IBMTOOLS\\Updater\\jre\\bin\\javaw.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

 

R0 ivicd;Ivi CDVD Filter Driver;c:\windows\system32\drivers\ivicd.sys [10/15/2006 11:23 PM 38784]

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/6/2010 4:45 AM 64288]

R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [6/19/2003 8:30 PM 16384]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1263728]

R2 SBFSHOOK;SBFSHOOK;c:\windows\system32\drivers\sbfshook.sys [10/15/2006 10:57 PM 8320]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1/1/1980 3:00 AM 13840]

S2 SRFilter;SRFilter;\??\c:\drivers\SRNTFLT.SYS --> c:\drivers\SRNTFLT.SYS [?]

S3 iviudf;iviudf;c:\windows\system32\drivers\IviUdf.sys [10/15/2006 11:23 PM 116224]

S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [1/28/2006 10:21 PM 12288]

S3 tdisnap;tdisnap;\??\c:\windows\system32\tdisnap.sys --> c:\windows\system32\tdisnap.sys [?]

 

--- Other Services/Drivers In Memory ---

 

*Deregistered* - udffsrec

.

Contents of the 'Scheduled Tasks' folder

 

2010-04-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 07:47]

 

2010-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

 

2010-04-02 c:\windows\Tasks\BMMTask.job

- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2003-06-20 06:38]

 

2010-04-03 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

 

2010-04-03 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 02:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = 127.0.0.1;*.local

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-02 22:19

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fdc]

"ImagePath"=multi:"System32\DRIVERS\fdc.sys\00"

--

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Flpydisk]

"KeepImagePath"=multi:"\00"

"ImagePath"=multi:"System32\Drivers\Sdfloppy.sys\00"

"SDImagePath"=multi:"System32\Drivers\Sdfloppy.sys\00"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fdc]

"ImagePath"=multi:"System32\DRIVERS\fdc.sys\00"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Flpydisk]

"KeepImagePath"=multi:"\00"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Flpydisk]

"KeepImagePath"=multi:"\00"

"ImagePath"=multi:"System32\Drivers\Sdfloppy.sys\00"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Flpydisk]

"KeepImagePath"=multi:"\00"

"ImagePath"=multi:"System32\Drivers\Sdfloppy.sys\00"

"SDImagePath"=multi:"System32\Drivers\Sdfloppy.sys\00"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(928)

c:\windows\system32\tphklock.dll

 

- - - - - - - > 'explorer.exe'(3160)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ibmpmsvc.exe

c:\windows\system32\S24EvMon.exe

c:\windows\System32\Ati2evxx.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\System32\QCONSVC.EXE

c:\windows\system32\RegSrvc.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\windows\system32\TpKmpSVC.exe

c:\progra~1\xpoint\xpadmin\xpadmin.exe

c:\progra~1\xpoint\agent\Xpagent.exe

c:\progra~1\xpoint\EEClient\xpclient.exe

c:\progra~1\xpoint\SAS\jre\bin\javaw.exe

c:\windows\System32\wbem\unsecapp.exe

c:\windows\system32\wscntfy.exe

c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

c:\windows\AGRSMMSG.exe

c:\windows\system32\RunDll32.exe

c:\program files\Citrix\ICA Client\pnagent.exe

.

**************************************************************************

.

Completion time: 2010-04-02 22:28:02 - machine was rebooted

ComboFix-quarantined-files.txt 2010-04-03 02:27

ComboFix2.txt 2010-03-25 03:59

ComboFix3.txt 2010-03-21 00:23

ComboFix4.txt 2010-03-20 05:06

ComboFix5.txt 2010-04-03 01:56

 

Pre-Run: 14,403,465,216 bytes free

Post-Run: 14,492,004,352 bytes free

 

- - End Of File - - 4A61FA78EA1A0C140C74BE5AEF66338B


JonTom:

 

Here is the log from the ESET scan. The Kaspersky scan froze at 19%, and the next morning it was still frozen, so I went ahead and did the ESET scan.

 

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# IEXPLORE.EXE=7.00.6000.16981 (vista_gdr.091215-2244)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=3f17c64d343cdf43b9aa5458aa24b5e2

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-04-03 04:27:49

# local_time=2010-04-03 12:27:49 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=768 16777215 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=64823

# found=13

# cleaned=0

# scan_time=8073

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadersit.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\[4]-Submit_2010-03-20_00.41.38.zip probably a variant of Win32/Kryptik.CWK trojan 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\[4]-Submit_2010-03-20_19.05.23.zip multiple threats 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\Program Files\g76sq2gr\31588903.exe.vir Win32/Adware.ClearSearch application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP3\A0000330.exe Win32/Adware.ClearSearch application 00000000000000000000000000000000 I

C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP3\A0000519.exe probably a variant of Win32/Kryptik.CWK trojan 00000000000000000000000000000000 I

C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP3\A0000520.exe probably a variant of Win32/Kryptik.CWK trojan 00000000000000000000000000000000 I

C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP3\A0000521.exe probably a variant of Win32/Kryptik.CWK trojan 00000000000000000000000000000000 I

C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP3\A0000522.exe probably a variant of Win32/Kryptik.CWK trojan 00000000000000000000000000000000 I

C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP3\A0000523.exe probably a variant of Win32/Kryptik.CWK trojan 00000000000000000000000000000000 I

C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP3\A0000524.exe probably a variant of Win32/Kryptik.CWK trojan 00000000000000000000000000000000 I

C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP3\A0000525.exe probably a variant of Win32/Kryptik.CWK trojan 00000000000000000000000000000000 I

C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP3\A0000526.exe probably a variant of Win32/Kryptik.CWK trojan 00000000000000000000000000000000 I


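The ESET log above reports `found=13` and `cleaned=0`, but the paths show that none of the hits are live files: they sit in Spybot's recovery folder, in ComboFix's Qoobox quarantine, or inside System Restore point RP3. The script below is an added example, not part of the thread and not ESET's tooling; it parses the header and detection lines of that log format and buckets each hit by location so that a helper can see at a glance how many detections are inert copies. The sample log embedded in it is the poster's output from above, trimmed to the header fields and detection lines the parser uses; the location categories are my own naming.

```python
"""Summarise an ESET Online Scanner log by where each detection lives.

Added example, not part of the thread or of ESET's tooling. SAMPLE_LOG is the
poster's ESET output from above, trimmed to the header fields and detection
lines this script uses; the location categories are my own.
"""
import re
from collections import Counter, namedtuple

Detection = namedtuple("Detection", "path threat digest flag location")

# The second-to-last field of a detection line is a 32-hex-digit digest.
HASH_RE = re.compile(r"^[0-9A-Fa-f]{32}$")

SAMPLE_LOG = r"""
# version=7
# scanned=64823
# found=13
# cleaned=0
# scan_time=8073
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadersit.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\[4]-Submit_2010-03-20_00.41.38.zip probably a variant of Win32/Kryptik.CWK trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\[4]-Submit_2010-03-20_19.05.23.zip multiple threats 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Program Files\g76sq2gr\31588903.exe.vir Win32/Adware.ClearSearch application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP3\A0000330.exe Win32/Adware.ClearSearch application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP3\A0000519.exe probably a variant of Win32/Kryptik.CWK trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP3\A0000520.exe probably a variant of Win32/Kryptik.CWK trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP3\A0000521.exe probably a variant of Win32/Kryptik.CWK trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP3\A0000522.exe probably a variant of Win32/Kryptik.CWK trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP3\A0000523.exe probably a variant of Win32/Kryptik.CWK trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP3\A0000524.exe probably a variant of Win32/Kryptik.CWK trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP3\A0000525.exe probably a variant of Win32/Kryptik.CWK trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP3\A0000526.exe probably a variant of Win32/Kryptik.CWK trojan 00000000000000000000000000000000 I
"""


def classify_location(path):
    """Bucket a detection by where the file sits; only 'active' paths are live."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"        # inert copy inside a System Restore point
    if "\\qoobox\\quarantine\\" in p:
        return "combofix_quarantine"  # already quarantined by ComboFix
    if "spybot" in p and "\\recovery\\" in p:
        return "spybot_recovery"      # Spybot's own backup of a removed item
    return "active"                   # anywhere else: treat as a live file


def parse_detection(line):
    """Parse one line of the form: <path> <threat text> <32-hex digest> <flag>.

    The path may contain spaces, so it is taken to end at the last token that
    still holds a backslash; the tokens between that and the digest form the
    threat description.
    """
    tokens = line.split()
    if len(tokens) < 4 or not HASH_RE.match(tokens[-2]):
        return None
    path_tokens = [i for i, tok in enumerate(tokens) if "\\" in tok]
    if not path_tokens:
        return None
    path_end = path_tokens[-1]
    path = " ".join(tokens[: path_end + 1])
    threat = " ".join(tokens[path_end + 1 : -2])
    return Detection(path, threat, tokens[-2], tokens[-1], classify_location(path))


def summarize_eset_log(text):
    """Return the '# key=value' header, the parsed detections, and a per-location count."""
    header, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, sep, value = line.lstrip("# ").partition("=")
            if sep:
                header[key.strip()] = value.strip()
            continue
        det = parse_detection(line)
        if det is not None:
            detections.append(det)
    by_location = Counter(d.location for d in detections)
    found = int(header.get("found", "-1"))
    return {
        "header": header,
        "detections": detections,
        "by_location": by_location,
        # a mismatch here means a detection line did not parse
        "header_matches": found == len(detections),
    }


if __name__ == "__main__":
    result = summarize_eset_log(SAMPLE_LOG)
    print(f"scanned={result['header'].get('scanned')} found={result['header'].get('found')}")
    for location, count in sorted(result["by_location"].items()):
        print(f"  {location:20s} {count}")
    for det in result["detections"]:
        if det.location == "active":
            print("LIVE:", det.path, "->", det.threat)
```

Run stand-alone it prints the location breakdown; anything reported under `active` is the only part of such a log that still needs attention, while the restore-point and quarantine copies are dealt with by purging restore points and emptying the quarantine.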
Hello McTeague

 

Thank you for the logs.

 

We are making progress. Before we continue, I would like to take a closer look at a couple of files on your machine.

  • Please work through the following steps

  • Open Notepad (Click on "Start", then on "Run" and type "notepad" (without quotations) in the Open field, then click on "OK").
  • NOTE: Do not Use Wordpad or any other text editor except Notepad or the script will fail.
  • Copy and Paste the text in the codebox below into the open Notepad window:

    @echo off
    Vfind.exe -ltf "%systemdrive%\* .exe" > Log.txt
    Start notepad log.txt

  • Save this as check.bat and Choose to "Save type as - All Files".
  • Double click on check.bat & allow it to run.
  • It shall produce a log which you must attach (do not post the log) in your next reply.

If you have any problems let me know.

 


Hello McTeague

 

I think I have to be enabled by the administrator to attach files

No problem.

 

The log that was produced was blank

That's good news. Thank you for letting me know.

 

One of the things that this malware has done is change the spacing of some of the file names on your system.

 

Combofix is still detecting a number of files on your computer that have this altered spacing. From what I can tell, there does not appear to be anything wrong with these files except for the extra spaces after the file names. It appears as though they may have been left behind after you uninstalled QuickTime and ThinkPad\ConnectUtilities.

 

You can manually remove these files and then reinstall the software if you wish.

 

  • Please search for the following files/folders

     

    • NOTE: DO NOT double click on ANY executable (.exe) files in the next step!!!
    • Right-click your "Start" button and select "Explore".
    • Navigate to and delete the following files in the codebox below (if present):
    c:\program files\QuickTime\qttask		   .exe
    
    c:\program files\ThinkPad\ConnectUtilities\qctray  .exe
    
    c:\program files\ThinkPad\ConnectUtilities\qcwlicon	  .exe
    
    • Note: If you are unable to delete these files you may have to manually remove the extra spaces between the filename and the ".exe" and then try again.

    Next, I would like to take another look at your machine with a different scanner, just to make sure that everything is as it should be:

     

  • Please perform the following scan

     

    • Please download DDS from here and save it to your desktop.
    • Disable any script blocking protection (How to Disable your Security Programs)
    • Double click on the DDS icon to run the tool (may take up to 3 minutes to run).
    • When done, DDS.txt will open.
    • After a few moments, attach.txt will open in a second window.
    • Save both reports to your desktop.
    • Please post the contents of the DDS.txt and Attach.txt logs in your next reply.
    Please post the DDS logs in your next reply.


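The post above describes the leftover artefact: file names with whitespace inserted between the stem and ".exe" (two tabs and spaces in `qttask		   .exe`, two spaces in `qctray  .exe`), which the check.bat pattern `"%systemdrive%\* .exe"` searched for. The script below is an added example, not part of the thread and not the Vfind.exe tool it uses: it implements the same check in Python, walks a directory tree recursively, reports the name the file would have without the padding, and also catches tabs, which a space-only search would miss. The demo tree it builds is constructed sample data modelled on the three paths ComboFix listed, not the poster's disk.

```python
"""Find files whose name has whitespace padded in before the extension.

Added example, not part of the thread and not the Vfind.exe tool it uses.
build_demo_tree() creates constructed sample files modelled on the three
padded names ComboFix listed; it is not the poster's disk.
"""
import os
import re
import shutil
import tempfile
from collections import namedtuple
from pathlib import Path

# Extensions Windows will run or load; pass extensions=None to flag any extension.
EXECUTABLE_EXTENSIONS = frozenset({"exe", "dll", "sys", "scr", "com", "cpl", "bat", "cmd"})

# <stem ending in a non-space char><one or more whitespace chars>.<extension>
PADDED_NAME_RE = re.compile(r"^(?P<stem>.*?\S)(?P<pad>\s+)\.(?P<ext>[^.\s]+)$")

PaddedName = namedtuple("PaddedName", "path stem pad ext")


def clean_name(hit):
    """The name the file would have had without the inserted whitespace."""
    return f"{hit.stem}.{hit.ext}"


def find_padded_names(root, extensions=EXECUTABLE_EXTENSIONS):
    """Walk root recursively and return every file whose stem ends in whitespace.

    Unlike a glob such as "* .exe", this also matches tabs and runs of mixed
    whitespace, and it records the exact padding so it can be shown with repr().
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            m = PADDED_NAME_RE.match(name)
            if not m:
                continue
            if extensions is not None and m.group("ext").lower() not in extensions:
                continue
            hits.append(PaddedName(Path(dirpath) / name, m.group("stem"),
                                   m.group("pad"), m.group("ext")))
    return sorted(hits, key=lambda h: str(h.path))


def build_demo_tree():
    """Create a throw-away tree of constructed sample files (not real system files)."""
    root = Path(tempfile.mkdtemp(prefix="padded-names-"))
    sample_files = [
        # the three padded names from the ComboFix listing, with their whitespace
        Path("Program Files") / "QuickTime" / "qttask\t\t   .exe",
        Path("Program Files") / "ThinkPad" / "ConnectUtilities" / "qctray  .exe",
        Path("Program Files") / "ThinkPad" / "ConnectUtilities" / "qcwlicon\t  .exe",
        # a normally named executable that must not be flagged
        Path("Program Files") / "QuickTime" / "QuickTimePlayer.exe",
        # padded, but not an executable extension
        Path("Program Files") / "Common Files" / "notes .txt",
    ]
    for rel in sample_files:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"MZ")  # placeholder content, constructed
    return root


def cleanup(root):
    """Remove the demo tree again."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    demo_root = build_demo_tree()
    try:
        for hit in find_padded_names(demo_root):
            print(f"{hit.path}\n    padding={hit.pad!r}  expected name: {clean_name(hit)}")
    finally:
        cleanup(demo_root)
```

Point it at a real root with `find_padded_names(Path("C:/"))` (or a mounted image) and review the hits by hand before deleting anything, as the post advises; `repr(hit.pad)` makes the otherwise invisible tabs and spaces explicit in the report.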
Hi JonTom:

 

All done. Here are the logs:

 

 

DDS (Ver_10-03-17.01) - NTFSx86

Run by David Harty at 16:03:10.55 on Sun 04/04/2010

Internet Explorer: 7.0.5730.11

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.273 [GMT -4:00]

 

AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

 

============== Running Processes ===============

 

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\S24EvMon.exe

svchost.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\QCONSVC.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\RunDll32.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\RegSrvc.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\system32\TpKmpSVC.exe

C:\PROGRA~1\xpoint\xpadmin\xpadmin.exe

C:\PROGRA~1\xpoint\agent\Xpagent.exe

C:\Program Files\Citrix\ICA Client\pnagent.exe

C:\WINDOWS\system32\wscntfy.exe

C:\PROGRA~1\xpoint\EEClient\xpclient.exe

C:\PROGRA~1\xpoint\SAS\jre\bin\javaw.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\David Harty\Desktop\dds.scr

 

============== Pseudo HJT Report ===============

 

uStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = 127.0.0.1;*.local

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [s3TRAY2] S3Tray2.exe

mRun: [TrackPointSrv] tp4serv.exe

mRun: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe

mRun: [TP4EX] tp4ex.exe

mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe

mRun: [PCRecSA] c:\progra~1\xpoint\pe\PCRECSA.EXE -noshow

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper

mRun: [bMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor

mRun: [bMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor

mRun: [bLOG] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog

mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall

mRun: [ATIModeChange] Ati2mdxx.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\progra~1.lnk - c:\program files\citrix\ica client\pnagent.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab

DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172451749140

DPF: {74FFE28D-2378-11D5-990C-006094235084} - hxxp://www-307.ibm.com/pc/support/IbmEgath.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} - hxxp://www.linksysfix.com/netcheck/51/install/gtdownls.cab

DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://soundpath.webex.com/client/T23L/webex/ieatgpc.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} - hxxps://www-307.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab

Notify: QConGina - QConGina.dll

Notify: tpfnf2 - notifyf2.dll

Notify: tphotkey - tphklock.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Authentication Packages = msv1_0 nwprovau

 

============= SERVICES / DRIVERS ===============

 

R0 ivicd;Ivi CDVD Filter Driver;c:\windows\system32\drivers\ivicd.sys [2006-10-15 38784]

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-6 64288]

R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2003-6-19 16384]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1265264]

R2 SBFSHOOK;SBFSHOOK;c:\windows\system32\drivers\sbfshook.sys [2006-10-15 8320]

R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1980-1-1 13840]

S2 SRFilter;SRFilter;\??\c:\drivers\srntflt.sys --> c:\drivers\SRNTFLT.SYS [?]

S3 iviudf;iviudf;c:\windows\system32\drivers\IviUdf.sys [2006-10-15 116224]

S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2006-1-28 12288]

S3 tdisnap;tdisnap;\??\c:\windows\system32\tdisnap.sys --> c:\windows\system32\tdisnap.sys [?]

 

=============== Created Last 30 ================

 

2010-04-03 13:54:10 0 d-----w- c:\program files\ESET

2010-04-03 01:46:45 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-03-30 07:47:24 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-03-21 01:50:24 0 dc----w- c:\docume~1\davidh~1\applic~1\Malwarebytes

2010-03-21 01:50:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-21 01:50:15 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-21 01:50:15 0 dc----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-03-21 01:50:14 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-20 23:04:17 4 ----a-w- c:\program files\4318639.dat

2010-03-18 02:10:25 0 dcsha-r- C:\cmdcons

2010-03-18 02:07:59 98816 ----a-w- c:\windows\sed.exe

2010-03-18 02:07:59 77312 ----a-w- c:\windows\MBR.exe

2010-03-18 02:07:59 261632 ----a-w- c:\windows\PEV.exe

2010-03-18 02:07:59 161792 ----a-w- c:\windows\SWREG.exe

2010-03-14 05:50:10 0 dc----w- C:\HJT

2010-03-14 05:32:37 0 dc----w- c:\docume~1\alluse~1\applic~1\PCPitstop

2010-03-14 05:30:04 0 d-----w- c:\program files\PCPitstop

2010-03-14 03:03:40 4 ----a-w- c:\program files\13822896.dat

2010-03-07 08:12:10 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-03-06 08:45:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-03-06 08:38:46 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

 

==================== Find3M ====================

 

2010-04-03 01:46:07 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe

2006-10-16 03:04:26 89 ----a-w- c:\program files\common files\appop.log

2005-05-09 01:12:21 18075 ----a-w- c:\program files\IEHook.EX_

2000-07-19 18:57:12 766 ----a-w- c:\program files\common files\ringtail.ico

 

============= FINISH: 16:04:17.93 ===============

 

 

and

 

 

 

 

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

 

DDS (Ver_10-03-17.01)

 

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 6/29/2003 2:46:27 AM

System Uptime: 4/3/2010 10:33:04 PM (18 hours ago)

 

Motherboard: IBM | | 2672CBU

Processor: Intel® Pentium® M processor 1400MHz | None | 1398/400mhz

 

==== Disk Partitions =========================

 

C: is FIXED (NTFS) - 27 GiB total, 13.326 GiB free.

E: is FIXED (FAT32) - 7 GiB total, 3.471 GiB free.

F: is CDROM ()

 

==== Disabled Device Manager Items =============

 

==== System Restore Points ===================

 

RP1: 3/20/2010 12:32:28 AM - System Checkpoint

RP2: 3/20/2010 12:33:29 AM - March 20

RP3: 3/20/2010 5:59:28 PM - Software Distribution Service 3.0

RP4: 3/27/2010 12:21:12 PM - Removed QuickTime

RP5: 3/27/2010 12:33:15 PM - Removed ThinkPad Configuration

RP6: 3/27/2010 12:58:09 PM - Installed Java 6 Update 18

RP7: 3/28/2010 1:44:58 PM - System Checkpoint

RP8: 3/29/2010 1:47:55 PM - System Checkpoint

RP9: 3/30/2010 2:47:49 PM - System Checkpoint

RP10: 3/31/2010 3:47:51 PM - System Checkpoint

RP11: 4/1/2010 4:47:50 PM - System Checkpoint

RP12: 4/2/2010 5:04:34 PM - System Checkpoint

RP13: 4/2/2010 9:30:13 PM - Removed Java 6 Update 18

RP14: 4/2/2010 9:45:45 PM - Installed Java 6 Update 19

RP15: 4/3/2010 10:02:44 AM - Removed Windows Defender

RP16: 4/4/2010 12:39:20 PM - System Checkpoint

 

==== Installed Programs ======================

 

Access IBM

Access IBM Message Center

Access IBM Tools

Ad-Aware

Ad-Aware Email Scanner for Outlook

Adobe Flash Player 10 ActiveX

Adobe Reader 8.1.6

Agere Systems AC'97 Modem

alm

Amazon MP3 Downloader 1.0.3

Apple Software Update

ATI Display Driver

AVS Audio Converter version 6.1

AVS Update Manager 1.0

AVS4YOU Software Navigator 1.3

Bonjour

Citrix Web Client

Critical Update for Windows Media Player 11 (KB959772)

ESET Online Scanner v3

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

IBM DLA

IBM Rapid Restore PC

IBM Rapid Restore PC Setup

IBM RecordNow

IBM RecordNow Update Manager

IBM Software Uninstall

IBM Themes

IBM ThinkPad Battery MaxiMiser and Power Management Features

IBM Update Connector

Intel® PRO Network Adapters and Drivers

Intel® PROSet for Wired Connections

Intel® Sebring API

InterVideo MediaOne

InterVideo WinDVD

iTunes

Java Auto Updater

Java 6 Update 19

Malwarebytes' Anti-Malware

MetaFrame Presentation Server Client

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Silverlight

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

MobileMe Control Panel

MSN

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

PC-Doctor for Windows

Print Server Driver

Ringtail Image Viewer Client 2.1.2.1

Scroll Lock Indicator Utility

Security Update for Step By Step Interactive Training (KB898458)

Security Update for Step By Step Interactive Training (KB923723)

Security Update for Windows Internet Explorer 7 (KB928090)

Security Update for Windows Internet Explorer 7 (KB929969)

Security Update for Windows Internet Explorer 7 (KB931768)

Security Update for Windows Internet Explorer 7 (KB933566)

Security Update for Windows Internet Explorer 7 (KB937143)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB939653)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Internet Explorer 7 (KB969897)

Security Update for Windows Internet Explorer 7 (KB972260)

Security Update for Windows Internet Explorer 7 (KB974455)

Security Update for Windows Internet Explorer 7 (KB976325)

Security Update for Windows Internet Explorer 7 (KB978207)

Security Update for Windows Media Encoder (KB954156)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player 10 (KB911565)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978706)

SoundMAX

Spybot - Search & Destroy

ThinkPad EasyEject Utility

ThinkPad FullScreen Magnifier

ThinkPad Keyboard Customizer Utility

ThinkPad Power Management Driver

ThinkPad Presentation Director

ThinkPad TrackPoint Driver

ThinkVantage Access Connections

TPNala Wallpaper

TrackPoint Accessibility Features

TurboTax Deluxe 2005

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows Internet Explorer 7 (KB976749)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Visual C++ 2008 x86 Runtime - (v9.0.30729)

Visual C++ 2008 x86 Runtime - v9.0.30729.01

VLC media player 1.0.2

WebEx

WebFldrs XP

Windows Defender Signatures

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage v1.3.0254.0

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 7

Windows Media Encoder 9 Series

Windows Media Format 11 runtime

Windows Media Player 11

Windows XP Service Pack 3

WinRAR archiver

 

==== Event Viewer Messages From Past Week ========

 

4/2/2010 9:57:44 PM, error: Service Control Manager [7034] - The Xpoint Agent Server service terminated unexpectedly. It has done this 1 time(s).

4/2/2010 9:57:44 PM, error: Service Control Manager [7034] - The Xpoint Admin Server service terminated unexpectedly. It has done this 1 time(s).

4/2/2010 9:57:43 PM, error: Service Control Manager [7034] - The IBM KCU Service service terminated unexpectedly. It has done this 1 time(s).

3/28/2010 7:44:51 PM, error: DCOM [10001] - Unable to start a DCOM Server: {58FC39EB-9DBD-4EA7-B7B4-9404CC6ACFAB} as /. The error: "%2" Happened while starting this command: C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -s -Embedding

3/28/2010 7:44:11 PM, error: Service Control Manager [7000] - The SRFilter service failed to start due to the following error: The system cannot find the file specified.

 

==== End Of File ===========================

 

 

Thanks.

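The logs above are plain text, and the two sections a helper reads first (the Event Viewer lines and the dated file lists) have a regular enough shape to parse rather than eyeball. What follows is an added example, not code from this thread, from DDS or from ComboFix: it pulls the Service Control Manager events (7034 "terminated unexpectedly", 7000 "failed to start") into a per-service list and flags a couple of file-list patterns for a second look. The regular expressions are inferred from the lines quoted above, the two flag rules are my own review heuristics rather than signatures, and the sample lines are copied from the logs posted in this thread (not a complete log).

```python
"""Triage helpers for the DDS-style text logs quoted in this thread.

Added example: not code from the thread, from DDS or from ComboFix. Line
shapes are inferred from the log text on this page; the flag_files() rules
are my own review heuristics, not signatures.
"""
import ntpath
import re
from dataclasses import dataclass

# Event Viewer line as DDS prints it:
#   4/2/2010 9:57:44 PM, error: Service Control Manager [7034] - The X service terminated unexpectedly. ...
EVENT_RE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)
# Service name inside an SCM message ("The Foo service terminated unexpectedly",
# "The Foo service failed to start ...").
SERVICE_RE = re.compile(r"^The (?P<name>.+?) service (?:terminated|failed)")
# File line as DDS prints it in the "Files Created" / "Find3M" sections:
#   2010-03-14 03:03:40 4 ----a-w- c:\program files\13822896.dat
FILE_RE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+"
    r"(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$"
)
# Service Control Manager event IDs worth a look during a cleanup.
SCM_EVENT_IDS = {7034: "terminated unexpectedly", 7000: "failed to start"}


@dataclass
class Event:
    when: str
    level: str
    source: str
    event_id: int
    message: str


@dataclass
class FileEntry:
    when: str
    size: int
    attrs: str  # DDS attribute string; first character 'd' marks a directory
    path: str


def parse_events(lines):
    """Parse 'Event Viewer Messages' lines; anything else is skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(Event(m["when"], m["level"], m["source"],
                                int(m["event_id"]), m["message"]))
    return events


def service_problems(events):
    """Map SCM event ID -> list of service names, for the IDs in SCM_EVENT_IDS."""
    found = {}
    for ev in events:
        if ev.source != "Service Control Manager" or ev.event_id not in SCM_EVENT_IDS:
            continue
        m = SERVICE_RE.match(ev.message)
        found.setdefault(ev.event_id, []).append(m["name"] if m else ev.message)
    return found


def parse_files(lines):
    """Parse per-file lines of the 'Files Created' / 'Find3M' sections."""
    entries = []
    for line in lines:
        m = FILE_RE.match(line.strip())
        if m:
            entries.append(FileEntry(m["when"], int(m["size"]), m["attrs"], m["path"]))
    return entries


def flag_files(entries):
    """Heuristic review list of (path, reason). A flag is a prompt to look, not a verdict."""
    flagged = []
    for fe in entries:
        if fe.attrs.startswith("d"):          # directories are not judged here
            continue
        stem, ext = ntpath.splitext(ntpath.basename(fe.path))  # ntpath: works off-Windows too
        if stem.isdigit():                    # e.g. 13822896.dat: a bare number for a name
            flagged.append((fe.path, "numeric-name"))
        elif ext.lower() == ".exe" and ntpath.dirname(fe.path).lower() == r"c:\windows":
            # Executables straight in %windir%. ComboFix keeps helper tools there
            # while it is installed (assumption), so compare dates with the tool's run.
            flagged.append((fe.path, "exe-in-windows-root"))
    return flagged


# Sample input: lines copied from the logs posted above (not a complete log).
SAMPLE_EVENTS = [
    r'4/2/2010 9:57:44 PM, error: Service Control Manager [7034] - The Xpoint Agent Server service terminated unexpectedly. It has done this 1 time(s).',
    r'4/2/2010 9:57:44 PM, error: Service Control Manager [7034] - The Xpoint Admin Server service terminated unexpectedly. It has done this 1 time(s).',
    r'4/2/2010 9:57:43 PM, error: Service Control Manager [7034] - The IBM KCU Service service terminated unexpectedly. It has done this 1 time(s).',
    r'3/28/2010 7:44:51 PM, error: DCOM [10001] - Unable to start a DCOM Server: {58FC39EB-9DBD-4EA7-B7B4-9404CC6ACFAB} as /. The error: "%2" Happened while starting this command: C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -s -Embedding',
    r'3/28/2010 7:44:11 PM, error: Service Control Manager [7000] - The SRFilter service failed to start due to the following error: The system cannot find the file specified.',
]
SAMPLE_FILES = [
    r"2010-03-18 02:07:59 98816 ----a-w- c:\windows\sed.exe",
    r"2010-03-14 05:50:10 0 dc----w- C:\HJT",
    r"2010-03-14 03:03:40 4 ----a-w- c:\program files\13822896.dat",
    r"2010-03-06 08:38:46 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}",
    r"2010-04-03 01:46:07 411368 ----a-w- c:\windows\system32\deploytk.dll",
]
```

Feed the whole saved log to `parse_events()` and `parse_files()` (they skip lines that do not match), then print `service_problems()` and `flag_files()`. On the sample above this yields three services that died at 9:57 PM on 4/2 (the moment ComboFix was running) plus the missing SRFilter driver, and two files to look at: the numerically named `.dat` in Program Files and `sed.exe` in the Windows root.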

Hello McTeague

 

Thank you for the logs.

 

Now for some good news... your logs appear to be clean. Good job!

 

We only have a small number of things left to do. Please work your way through the following steps:

 

  • Please empty your Spybot Recovery Folder

     

    • One of the infections detected by the ESET Online Scan is located in your Spybot Recovery Folder.
    • To empty this folder, please do the following:
    • Open Spybot Search & Destroy, click on "Recovery", select "ZlobDownloadersit.zip", then click on "purge selected items".
  • Please re-enable Spybot Teatimer

     

    • Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
    • On the left hand side, click "Tools", then click on the "Resident" icon in the list.
    • Place a check mark in the "Resident "TeaTimer" (Protection of overall system settings) active" box.
    • Click the "System Startup" icon in the List.
    • Place a check in the "TeaTimer" box and "OK" any prompts.
    • If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
    • Exit Spybot S&D when done.
  • Please remove the following tools

     

    • You no longer need DDS, GMER or SystemLook. Please delete these from your machine.
  • Please Uninstall Combofix

    • Click on "Start" and then on "Run".
    • Now type combofix /uninstall in the run box and click "OK". Please note the space between the "x" and the "/uninstall"; it needs to be there.
  • Your Adobe is out of date

     

    • You can obtain the latest version of Adobe Reader from here, and the latest version of Flash Player from here.
    • For more information and links to Adobe updates and downloads click here.
  • Your Internet Explorer is out of date

     

    • A newer version of Internet Explorer is available from here.
    • Alternatively, you can use Firefox (I will provide the link later).

    Once you have completed the above steps you should be good to go! If you have any further questions, please feel free to ask.

     

  • Finally, please take the time to read through the information provided below:

     

    Enhance your System Security

    • For an excellent list of free anti virus software, free online virus scanners, free spyware detection/removal and free firewalls, click here.
    • IMPORTANT! Do not run more than ONE firewall and ONE real-time antivirus on your system at any one time. When using "on demand" scanners, first update the detection signature files, then disconnect from the internet and disable your resident security program before running the scan.
    • Once complete, remember to re-engage your resident security before going online.
    Web Browsers and Browser Security

     

    Firefox

    • Firefox is generally considered to have greater browsing security in comparison to other popular programs. You can download Firefox 3.0 from here.
    No-Script
    • If you use Firefox as your default browser, No-Script can provide additional security by preventing malicious scripts from being executed on your system.
    • You can download No-Script by clicking here.
    Internet Explorer
    • The newest version of Internet Explorer is available from here.
    SpywareBlaster
    • If you use Internet Explorer as your default browser, SpywareBlaster would be a valuable addition to your online security.
    • SpywareBlaster prevents malicious ActiveX objects from being downloaded onto your system.
    • You can download SpywareBlaster by clicking here.
    Web of Trust
    • When using search engines, Web of Trust provides you with an easy way of telling the good sites from the bad and is compatible with both Firefox and Internet Explorer.
    • Coloured symbols are displayed next to search results, giving you more confidence in the links you choose to click on: Green (To go), Yellow (Caution) and Red (Stop).
    • You can download Web of Trust by clicking here.
    Keep your Software Updated
    • Outdated software can sometimes have vulnerabilities that are exploitable by malware.
    • Check if there are available updates for your installed software with Secunia's Online Software Inspector by clicking here.
    Passwords
    • Learn how to create strong passwords by clicking here and test the strength of the passwords you already use by clicking here.
    General Reading
    Learn How To Combat Malware
    • Would you like to learn how to fight back against malware and help others? Enroll at the What The Tech (Formerly Tom Coyotes) Malware Classroom by clicking here.


Hi JonTom:

 

I followed the instructions, and do have a few questions.

 

1. What was that thing?

2. How can we be sure it's gone?

 

I also wanted to express my gratitude to you for all the help you have given me. Thanks, really. And I was wondering what you get out of this, since it obviously takes up a lot of your time.

 

Now just one more thing, which I hope will be simple. I downloaded one of each of the anti-virus, malware, etc. applications suggested on the links page you provided, but when I went to restart my computer, I received a message saying that Windows has encountered an error and needs to shut down. There were a few other paragraphs, although I could not read it because the window only lasted for a couple seconds. Restarting brought the same message and again, and shutdown. This happened four times, and then I stopped trying to restart. Do you think if I deleted one of the new applications, the computer would restart properly? And if so, how would that be done?

 

Thanks.

Edited by McTeague


Hello McTeague

 

Do you think if I deleted one of the new applications, the computer would restart properly? And if so, how would that be done?

You already have real-time McAfee AntiVirus, Firewall, as well as Spybot and MBAM for on demand spyware scans.

 

As mentioned in my closing notes:

 

IMPORTANT! Do not run more than ONE firewall and ONE real-time antivirus on your system at any one time.

You did not need to download the extra programs; you should be just fine with your McAfee AV and Firewall. I suggest that you uninstall the programs that you downloaded and see if that solves the problem. To do this:

 

  • Reboot Your System using Last Known Good Configuration

     

    • Restart your computer.
    • As soon as BIOS is loaded begin tapping the F8 key until the "Advanced Options" menu appears.
    • Use the arrow keys to select the Last known good configuration menu item.
    • Press Enter.
  • Please try the following

     

    • It is possible that the security programs you downloaded are clashing with those already installed on your system.
    • Please uninstall these programs.
    • To do this, Click on "Start" then on "Control Panel" and then on "Add or remove programs".
    • A list of currently installed programs will be displayed.
    • Find the programs you just installed, click on each one once and then click on the "Remove" button.
    • If you are prompted to re-boot your computer to complete the uninstall please do so.
    Has this resolved your issue? If not, come back and let me know.


Hello McTeague

 

Thanks, JonTom. I think I'm fine now.

No problem :)

 

In answer to your other questions:

 

What was that thing?

You were hit by a Vundo file infector (quite nasty).

 

How can we be sure it's gone?

The ESET Online Scan you ran flagged some leftovers present in your Spybot Recovery Folder (which you should have emptied) plus some items present in the ComboFix quarantine folder and in your system restore points. When you uninstall ComboFix, the quarantine folder is automatically removed, your old restore points are flushed and a new restore point is created.

 

Provided you emptied the Spybot Recovery Folder and uninstalled ComboFix, all should be well.

 

I also wanted to express my gratitude to you for all the help you have given me. Thanks, really

You are Very Welcome. Glad we could help.

 

And I was wondering what you get out of this, since it obviously takes up a lot of your time.

It does take up a lot of time, but it is something that I enjoy (I certainly wouldn't do it otherwise ;) ).

 

What do I get out of it? Knowledge, experience and the satisfaction of being able to help people who are in need.

 

Please respond back one more time so we can mark this thread as resolved.

 

Best wishes

JonTom

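JonTom's answer to "how can we be sure it's gone?" rests on where each scanner hit was found: a copy sitting in the Spybot recovery folder, in the ComboFix quarantine or inside a System Restore snapshot is already contained, and each of those stores has its own clean-up step (purge it in Spybot, run combofix /uninstall, let the restore points be flushed). The code below is an added example, not from this thread or from ESET, that turns that reasoning into a check: it sorts scanner findings by location and attaches the step from the thread that removes each contained copy, leaving only genuinely live files for investigation. The tab-separated line shape (path, threat, action) and the " » " archive-member separator are my assumptions about the ESET log format, the three folder paths are the usual locations of those stores (assumptions as well), and the sample lines are constructed.

```python
"""Sort scanner hits into 'live' versus 'already contained' by file location.

Added example, not from the thread or from ESET. The tab-separated line
shape and the " » " archive separator are assumptions about the ESET log
format; the folder layouts are the usual locations of the ComboFix
quarantine, the Spybot recovery folder and System Restore snapshots,
stated here as assumptions.
"""
import re
from dataclasses import dataclass

# (label, path pattern, the clean-up step from the thread that removes it)
CONTAINED = [
    ("combofix-quarantine",
     re.compile(r"^[a-z]:\\qoobox\\quarantine\\", re.I),
     "removed by 'combofix /uninstall'"),
    ("spybot-recovery",
     re.compile(r"\\spybot - search & destroy\\recovery\\", re.I),
     "purge it from Spybot's Recovery list"),
    ("system-restore",
     re.compile(r"^[a-z]:\\system volume information\\_restore\{[0-9a-f-]{36}\}\\rp\d+\\", re.I),
     "old restore points are flushed when ComboFix is uninstalled"),
]


@dataclass
class Finding:
    path: str         # outermost on-disk path (archive members collapsed)
    threat: str
    action: str
    location: str     # one of the CONTAINED labels, or "live"
    remediation: str


def classify_path(path):
    """Return (outer_path, location_label, remediation) for one reported path."""
    outer = path.split(" » ", 1)[0]   # "x.zip » ZIP » inner.exe" -> x.zip (assumed ESET style)
    for label, pattern, fix in CONTAINED:
        if pattern.search(outer):
            return outer, label, fix
    return outer, "live", "active on disk: investigate and remove"


def parse_findings(lines):
    """Parse 'path<TAB>threat<TAB>action' lines; malformed lines are skipped."""
    findings = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 3:
            continue
        outer, label, fix = classify_path(parts[0])
        findings.append(Finding(outer, parts[1], parts[2], label, fix))
    return findings


def needs_attention(findings):
    """Only the hits that are not already contained in a quarantine or snapshot."""
    return [f for f in findings if f.location == "live"]


def summary(findings):
    """Count of findings per location label."""
    counts = {}
    for f in findings:
        counts[f.location] = counts.get(f.location, 0) + 1
    return counts


# Constructed sample in the assumed ESET shape; names and GUID are made up.
SAMPLE_LOG = ["\t".join(parts) for parts in [
    (r"C:\Qoobox\Quarantine\C\WINDOWS\system32\example1.dll.vir",
     "a variant of Win32/Adware.Virtumonde application",
     "cleaned by deleting - quarantined"),
    (r"C:\Program Files\Spybot - Search & Destroy\Recovery\ZlobDownloadersit.zip » ZIP » example2.exe",
     "Win32/TrojanDownloader.Zlob trojan",
     "deleted - quarantined"),
    (r"C:\System Volume Information\_restore{3F2504E0-4F89-11D3-9A0C-0305E82C3301}\RP5\A0001234.dll",
     "a variant of Win32/Adware.Virtumonde application",
     "cleaned by deleting - quarantined"),
    (r"C:\WINDOWS\system32\example3.dll",
     "a variant of Win32/Adware.Virtumonde application",
     "cleaned by deleting - quarantined"),
]]
```

Run `parse_findings()` over a saved scan log and look at `needs_attention()` first; on the sample above that is a single file under system32, while the other three hits are explained by the three clean-up steps JonTom listed. A contained hit still deserves the clean-up it maps to, because a restore point or a quarantine archive can be restored later by hand.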

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.
