Bullguard Antivirus Forum Download A Free Copy Of Bullguard Antivirus Software
Free Antivirus Forum - Learn about antivirus, firewalls and personal security

Trojan csrss.exe Malware removal

elsmootho
New Member
Date Joined Jan 2007
Total Posts : 30
Posted 10-30-2009 3:41 (GMT +1)
Hello Andrei/Touch,
On an XP Pro SP3 machine, Symantec Auto-Protect was declaring Trojan csrss.exe.
Ran CCleaner, Malwarebytes, DDS, and HijackThis.
As you can see from the logs, Malwarebytes seems to have cleaned the Trojan.
What concerns me is that I still have a csrss.exe file in my C:\windows\system32 folder.
Should I delete it? (I noticed Malwarebytes deleted it in other folders.)
Symantec seems to be quiet now; how do I know for sure everything is OK?
Here are the logfiles (for next time, should I add logfiles as attachments?).
Thank You & Best Regards
..elsmootho
 
Hijackthis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:57 PM, on 10/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.montrealgazette.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: <html>
O1 - Hosts: <head>
O1 - Hosts: <title>cominstall-adobe-flash.com</title>
O1 - Hosts: <script type="text/javascript" src="/js/general.js"></script>
O1 - Hosts: <script type="text/javascript">
O1 - Hosts: ChkRequestEnc();
O1 - Hosts: </script>
O1 - Hosts: <script type="text/javascript">
O1 - Hosts: </script>
O1 - Hosts: </head>
O1 - Hosts: <frameset rows="100%,*" frameborder="no" border="0" framespacing="0">
O1 - Hosts: <!-- SCC a11 -->
O1 - Hosts: <frame src="http://sedoparking.com/search/registrar.php?domain=cominstall-adobe-flash.com&registrar=trellian5">
O1 - Hosts: <noframes>
O1 - Hosts: <body bgcolor="#ffffff" text="#000000">
O1 - Hosts: <a href="http://sedoparking.com/search/registrar.php?domain=cominstall-adobe-flash.com&registrar=trellian5">Click here to enter</a>.
O1 - Hosts: </body>
O1 - Hosts: </noframes>
O1 - Hosts: </frameset>
O1 - Hosts: </html>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherEye] C:\Documents and Settings\owner\My Documents\Sergio_Docs\Raw\WeatherEye.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Update Service (gupdate1c9cc0782757846) (gupdate1c9cc0782757846) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 7825 bytes
 
 
MalwareBytes log
Malwarebytes' Anti-Malware 1.41
Database version: 3051
Windows 5.1.2600 Service Pack 3
10/29/2009 2:03:37 AM
mbam-log-2009-10-29 (02-03-37).txt
Scan type: Full Scan (C:\|)
Objects scanned: 138852
Time elapsed: 30 minute(s), 15 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 5
Memory Processes Infected:
C:\Documents and Settings\All Users\Application Data\csrss.exe (Trojan.Agent) -> Unloaded process successfully.
Memory Modules Infected:
C:\WINDOWS\system32\csrss2.dll (Trojan.Dropper) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Csrss (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12858754 (Rogue.Multiple) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Documents and Settings\All Users\Application Data\12858754 (Rogue.Multiple) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\csrss2.dll (Trojan.Dropper) -> Delete on reboot.
C:\System Volume Information\_restore{783DCA3F-968D-43A8-BF29-4B8B463E1C69}\RP267\A0028115.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\12858754\12858754 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\12858754\pc12858754ins (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\csrss.exe (Trojan.Agent) -> Delete on reboot.
MalwareBytes second log after fix
Malwarebytes' Anti-Malware 1.41
Database version: 3051
Windows 5.1.2600 Service Pack 3
10/29/2009 9:38:07 AM
mbam-log-2009-10-29 (09-38-07).txt
Scan type: Full Scan (C:\|)
Objects scanned: 137863
Time elapsed: 27 minute(s), 9 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
DDS

DDS (Ver_09-10-26.01) - NTFSx86 
Run by owner at 22:03:54.60 on Thu 10/29/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1015.514 [GMT -4:00]
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)   {FB06448E-52B8-493A-90F3-E43226D3305C}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Sergio_Docs\antivirus_stuff\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.montrealgazette.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WeatherEye] c:\documents and settings\owner\my documents\sergio_docs\raw\WeatherEye.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
============= SERVICES / DRIVERS ===============
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2009-7-26 58728]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2009-7-26 301928]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2009-7-26 918760]
S2 gupdate1c9cc0782757846;Google Update Service (gupdate1c9cc0782757846);c:\program files\google\update\GoogleUpdate.exe [2009-5-3 133104]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-8-2 173392]
=============== Created Last 30 ================
2009-10-29 06:18:30 0 d-----w- C:\del
2009-10-29 04:55:13 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2009-10-29 04:55:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-29 04:55:06 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-29 04:55:06 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-29 04:55:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-29 04:32:52 0 d-----w- c:\program files\CCleaner
==================== Find3M  ====================
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-03-22 01:51:20 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009032120090322\index.dat
============= FINISH: 22:04:15.50 ===============
DDS Attach log

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-10-26.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2/17/2009 6:01:02 AM
System Uptime: 10/29/2009 9:51:00 PM (1 hours ago)
Motherboard: ASUSTeK Computer INC. |  | P4P800-VM
Processor:                 Intel(R) Celeron(R) CPU 2.66GHz | CPU 1 | 2661/133mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 25.986 GiB free.
D: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP186: 7/31/2009 3:19:28 PM - System Checkpoint
RP187: 8/1/2009 4:14:02 PM - System Checkpoint
RP188: 8/2/2009 4:56:27 PM - System Checkpoint
RP189: 8/3/2009 6:14:42 PM - System Checkpoint
RP190: 8/4/2009 6:27:01 PM - System Checkpoint
RP191: 8/5/2009 6:49:15 PM - System Checkpoint
RP192: 8/6/2009 7:38:22 PM - System Checkpoint
RP193: 8/7/2009 7:58:08 PM - System Checkpoint
RP194: 8/8/2009 8:44:10 PM - System Checkpoint
RP195: 8/9/2009 9:25:02 PM - System Checkpoint
RP196: 8/11/2009 7:37:48 AM - System Checkpoint
RP197: 8/12/2009 8:21:07 AM - System Checkpoint
RP198: 8/13/2009 8:34:35 AM - System Checkpoint
RP199: 8/14/2009 9:15:26 AM - System Checkpoint
RP200: 8/15/2009 10:15:40 AM - System Checkpoint
RP201: 8/15/2009 4:10:05 PM - Software Distribution Service 3.0
RP202: 8/16/2009 4:41:12 PM - System Checkpoint
RP203: 8/17/2009 4:52:24 PM - System Checkpoint
RP204: 8/18/2009 8:50:27 AM - Avg8 Update
RP205: 8/18/2009 8:52:06 AM - Avg8 Update
RP206: 8/18/2009 9:41:03 PM - Software Distribution Service 3.0
RP207: 8/20/2009 10:51:26 AM - System Checkpoint
RP208: 8/21/2009 11:05:33 AM - System Checkpoint
RP209: 8/22/2009 11:40:39 AM - System Checkpoint
RP210: 8/23/2009 12:59:39 PM - System Checkpoint
RP211: 8/24/2009 12:33:46 PM - Software Distribution Service 3.0
RP212: 8/25/2009 1:28:22 PM - System Checkpoint
RP213: 8/26/2009 2:47:06 PM - System Checkpoint
RP214: 8/27/2009 2:51:38 PM - System Checkpoint
RP215: 8/28/2009 3:49:39 PM - System Checkpoint
RP216: 8/29/2009 5:25:54 PM - System Checkpoint
RP217: 8/30/2009 7:17:30 PM - System Checkpoint
RP218: 8/31/2009 7:59:30 PM - System Checkpoint
RP219: 9/1/2009 8:18:07 PM - System Checkpoint
RP220: 9/2/2009 8:38:58 PM - System Checkpoint
RP221: 9/3/2009 9:22:38 PM - System Checkpoint
RP222: 9/4/2009 10:03:51 PM - System Checkpoint
RP223: 9/6/2009 6:46:28 AM - System Checkpoint
RP224: 9/7/2009 9:36:54 AM - System Checkpoint
RP225: 9/8/2009 10:29:45 AM - System Checkpoint
RP226: 9/9/2009 12:10:40 PM - System Checkpoint
RP227: 9/10/2009 12:35:01 PM - System Checkpoint
RP228: 9/11/2009 1:29:49 PM - System Checkpoint
RP229: 9/12/2009 2:58:51 PM - System Checkpoint
RP230: 9/13/2009 3:18:25 PM - System Checkpoint
RP231: 9/14/2009 1:37:57 PM - Software Distribution Service 3.0
RP232: 9/15/2009 2:53:27 PM - System Checkpoint
RP233: 9/16/2009 3:07:25 PM - System Checkpoint
RP234: 9/17/2009 3:40:13 PM - System Checkpoint
RP235: 9/18/2009 4:37:52 PM - System Checkpoint
RP236: 9/19/2009 5:49:13 PM - System Checkpoint
RP237: 9/20/2009 7:15:35 PM - System Checkpoint
RP238: 9/21/2009 7:22:22 PM - System Checkpoint
RP239: 9/22/2009 7:52:47 PM - System Checkpoint
RP240: 9/23/2009 8:20:33 PM - System Checkpoint
RP241: 9/24/2009 8:26:27 PM - System Checkpoint
RP242: 9/25/2009 8:56:07 PM - System Checkpoint
RP243: 9/26/2009 9:42:06 PM - System Checkpoint
RP244: 9/28/2009 5:33:13 AM - System Checkpoint
RP245: 9/29/2009 7:18:49 AM - System Checkpoint
RP246: 9/30/2009 8:05:40 AM - System Checkpoint
RP247: 10/1/2009 9:24:35 AM - System Checkpoint
RP248: 10/2/2009 10:06:26 AM - System Checkpoint
RP249: 10/3/2009 8:12:13 AM - Avg8 Update
RP250: 10/3/2009 8:13:04 AM - Avg8 Update
RP251: 10/4/2009 8:46:32 AM - System Checkpoint
RP252: 10/5/2009 1:03:31 PM - System Checkpoint
RP253: 10/6/2009 1:06:00 PM - System Checkpoint
RP254: 10/7/2009 8:30:13 AM - Avg8 Update
RP255: 10/8/2009 8:34:22 AM - System Checkpoint
RP256: 10/9/2009 9:57:20 AM - System Checkpoint
RP257: 10/10/2009 11:55:42 AM - System Checkpoint
RP258: 10/11/2009 12:58:03 PM - System Checkpoint
RP259: 10/12/2009 2:05:55 PM - System Checkpoint
RP260: 10/13/2009 2:10:12 PM - System Checkpoint
RP261: 10/14/2009 2:38:40 PM - System Checkpoint
RP262: 10/15/2009 3:08:23 PM - System Checkpoint
RP263: 10/16/2009 4:04:45 PM - System Checkpoint
RP264: 10/17/2009 9:12:15 AM - Avg8 Update
RP265: 10/18/2009 10:02:22 AM - System Checkpoint
RP266: 10/19/2009 10:15:44 AM - System Checkpoint
RP267: 10/20/2009 7:21:57 AM - Software Distribution Service 3.0
RP268: 10/29/2009 12:18:43 AM - Removed AVG Free 8.5
RP269: 10/29/2009 12:19:44 AM - Installed AVG Free 8.5
==== Installed Programs ======================
Adobe Acrobat 6.0 Professional
Adobe Flash Player 10 ActiveX
BufferChm
Camera Support Core Library
Camera Window
CameraDrivers
Canon Camera Support Core Library
Canon Camera Window for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
CCleaner
CP_AtenaShokunin1Config
CP_CalendarTemplates1
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
Critical Update for Windows Media Player 11 (KB959772)
CueTour
CustomerResearchQFolder
Destinations
DeviceFunctionQFolder
DeviceManagementQFolder
eSupportQFolder
FullDPAppQFolder
Google Earth
Google Update Helper
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
HP Extended Capabilities 5.3
HP Image Zone 5.3
HP Imaging Device Functions 5.3
HP Photosmart 330,380,420,470,7800,8000,8200 Series
HP Product Assistant
HP Solution Center & Imaging Support Tools 5.3
HP Update
HPProductAssistant
InstantShareDevices
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Connections Drivers
LiveUpdate 2.0 (Symantec Corporation)
Malwarebytes' Anti-Malware
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MovieEdit Task
MSXML 4.0 SP2 (KB954430)
PanoStandAlone
PhotoGallery
PhotoStitch
PS8200
PSPrinters08
PSTAPlugin
RandMap
Rapport
RAW Image Task 1.1
RemoteCapture Task 1.0.3
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SkinsHP1
SolutionCenter
Sonic_PrimoSDK
Status
Symantec AntiVirus
TrayApp
Unload
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
WeatherEye
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
==== Event Viewer Messages From Past Week ========
10/28/2009 11:15:27 PM, error: System Error [1003]  - Error code 000000f4, parameter1 00000003, parameter2 86eae9f8, parameter3 86eaeb6c, parameter4 805fb046.
==== End Of File ===========================
 

Post Edited (Touch) : 02-11-2009 03:56:23 GMT


Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 925
Posted 10-30-2009 4:18 (GMT +1)
Hello elsmootho,


Looks like the repairs you did addressed the active malware there, though your Hosts file is oddly enough altered as an HTML web page. Not sure what caused that, but we can surely correct it now.


Download System Repair Engineer. Use the Local Download button to download sreng2.zip.

Extract (unzip) it to its own folder on your Desktop, then double click SREngLdr.exe to run it.

When the display opens, click the System Repair - HOSTS File tab. Instead of us going back-and-forth and delaying checks of the Hosts file, just click the red "Reset" option in the lower left corner, and click "Yes" for SREng to create a default Hosts file. Then just click the X upper right to close the display. I strongly recommend you not be tempted to run any other scans/make any other changes using SREng unless we discuss them here.


Then let's check for anything that might remain. And before I forget, that System32 file is an important and legit file, so you don't want to be trying to delete it (if Windows would even allow that).

Disable your antivirus program and go here and run an online scan using ESET Online Scanner (you will need to use Internet Explorer for this scan, or download the installer to run it in a different browser). If you accept the Terms of Use, check the box and click Start. After the ActiveX Control has loaded, it will take a couple minutes for the scanner to get ready. Next, check the following boxes:

Remove found threats
Scan unwanted applications


Next to "Current scan targets: Operating memory, Local drives", click the "Change" word. Make sure you place a check next to all disk drives, including any external drives that are attached (no need to check off the floppy or DVD/CD-Rom drives).

Click Start. This scan may take a while, so please be patient. A log may open when the scan is complete (if not, go to C:\Program Files\EsetOnlineScanner\ and open the file log.txt). Click Edit - Select All then copy/paste that log back here please.


If you have any problems getting Eset started, one work-around is to have an open Internet connection, and then click here and download the esetsmartinstaller_enu.exe Eset installer. Then click that file, and follow the same previous steps to run the scan.


Click here and help my friend help stop leukemia, lymphoma, Hodgkin lymphoma and myeloma from taking more lives.
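The point made above about the Hosts file having been rewritten as an HTML page is one worth checking mechanically rather than by eye. What follows is an added example, not code from this thread or from HijackThis, SREng or ESET: a short Python script that pulls the "O1 - Hosts:" lines out of a HijackThis log (or reads a hosts file directly when given a path) and classifies each line as a comment, a normal loopback/blocking entry, a redirect of a hostname to some other address, or text that is not hosts syntax at all. The log excerpt and the default-style hosts file embedded in it are constructed samples, and all function names are this example's own.

```python
"""Audit a Windows hosts file for content that is not hosts syntax.

Added example, not code from the forum thread or from any tool named in it.
The HijackThis "O1 - Hosts:" lines in the first post show a hosts file whose
body is an HTML page instead of "IP hostname" entries. This script extracts
the reported hosts lines from a HijackThis log (or reads the raw file) and
classifies every line, so a default hosts file can be told from a tampered
one at a glance. All sample inputs below are constructed for this example.
"""
import ipaddress
import re
import sys

O1_PREFIX = "O1 - Hosts: "  # HijackThis prefix on each hosts-file line it reports

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")


def hosts_lines_from_hjt(log_text):
    """Return the hosts-file lines that HijackThis listed under O1, in order."""
    return [line[len(O1_PREFIX):]
            for line in log_text.splitlines()
            if line.startswith(O1_PREFIX)]


def classify_line(line):
    """Classify one hosts-file line.

    blank    - empty or whitespace only
    comment  - starts with '#'
    entry    - loopback/unspecified address (127.0.0.1, ::1, 0.0.0.0) plus hostnames
    redirect - well-formed entry pinning a hostname to some other address; review it
    invalid  - anything else (HTML, stray text, bad address, bad hostname)
    """
    stripped = line.strip()
    if not stripped:
        return "blank"
    if stripped.startswith("#"):
        return "comment"
    fields = stripped.split("#", 1)[0].split()  # drop a trailing comment
    if len(fields) < 2:
        return "invalid"
    try:
        addr = ipaddress.ip_address(fields[0])
    except ValueError:
        return "invalid"
    if not all(HOSTNAME_RE.match(name) for name in fields[1:]):
        return "invalid"
    if addr.is_loopback or addr.is_unspecified:
        return "entry"
    return "redirect"


def audit_hosts(lines):
    """Count line classes and return them with a verdict: ok, review or tampered."""
    counts = {"blank": 0, "comment": 0, "entry": 0, "redirect": 0, "invalid": 0}
    for line in lines:
        counts[classify_line(line)] += 1
    if counts["invalid"]:
        verdict = "tampered"   # the file is no longer a hosts file at all
    elif counts["redirect"]:
        verdict = "review"     # legitimate on some LANs, a classic hijack elsewhere
    else:
        verdict = "ok"
    return {**counts, "verdict": verdict}


# Constructed sample: a HijackThis excerpt with O1 lines shaped like those in the thread.
SAMPLE_HJT_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.example.test/
O1 - Hosts: <html>
O1 - Hosts: <head>
O1 - Hosts: <title>cominstall-adobe-flash.com</title>
O1 - Hosts: <script type="text/javascript">
O1 - Hosts: ChkRequestEnc();
O1 - Hosts: </script>
O1 - Hosts: </head>
O1 - Hosts: </html>
"""

# Constructed sample shaped like the default Windows XP hosts file.
SAMPLE_DEFAULT_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#      102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
"""

if __name__ == "__main__":
    # With a path argument, audit that hosts file; otherwise run both samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(audit_hosts(fh.read().splitlines()))
    else:
        print("HJT sample:    ", audit_hosts(hosts_lines_from_hjt(SAMPLE_HJT_LOG)))
        print("default sample:", audit_hosts(SAMPLE_DEFAULT_HOSTS.splitlines()))
```

Run without arguments it reports the constructed HijackThis excerpt as "tampered" (every O1 line is invalid hosts syntax) and the default-style file as "ok"; pointing it at a real hosts file (`python audit_hosts.py C:\WINDOWS\system32\drivers\etc\hosts`) gives the same summary for that file. A "review" verdict only means a hostname is pinned to a non-local address, which is normal on some networks and is why it is reported separately rather than called tampering.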


elsmootho
New Member
Date Joined Jan 2007
Total Posts : 30
Posted 10-31-2009 7:11 (GMT +1)
Hello Jintan,
I ran System Repair Engineer and hit the red "Reset" and "Yes", but I also had
to hit "Save" before terminating the application. I also ran the ESET scanner;
it looks good. Here is the logfile. Thank you in advance for your support.
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16876 (vista_gdr.090625-2339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=07c058b17f92f14094c760e0a35a1eb3
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# utc_time=2009-10-31 05:34:08
# local_time=2009-10-31 01:34:08 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=39614
# found=0
# cleaned=0
# scan_time=1359
..s



Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 925
Posted 10-31-2009 9:50 (GMT +1)
Looks like the system was clean. Any problems we need to address there?


Click here and help my friend help stop leukemia, lymphoma, Hodgkin lymphoma and myeloma from taking more lives.


elsmootho
New Member
Date Joined Jan 2007
Total Posts : 30
Posted 11-1-2009 12:25 (GMT +1)
Dear Jintan et al., BullGuard Moderators,
Thank you so much for your help. I don't know where I would be without you guys.
All the best! ...s

Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 925
Posted 11-1-2009 1:44 (GMT +1)
Glad to provide you with some tips here. To remove what our bit of work added there, you can just delete all the files/folders from the tools we ran, and then just uninstall Eset through Add/Remove Programs.

In addition, I like to recommend reviewing the information Here to make sure you stay malware free.


Click here and help my friend help stop leukemia, lymphoma, Hodgkin lymphoma and myeloma from taking more lives.

elsmootho
New Member
Date Joined Jan 2007
Total Posts : 30
Posted 11-1-2009 7:42 (GMT +1)
Hello Jintan,
I spoke too soon, was browsing the net with the same machine today and
Antivirus System Pro got onto it, looks like a virus. I just ran Malwarebytes again, it found
5 infections so far, I'll let you know more. Anything else you recommend? Should I install ZoneAlarm?

I read your recommendations link. I'm using Symantec Antivirus full version 9.00.338 2004,
should I be moving on to Avast?
Thanks again, Best Regards...
..s

elsmootho
New Member
Date Joined Jan 2007
Total Posts : 30
Posted 11-1-2009 10:50 (GMT +1)
re: from previous post
-->
Hello Jintan,
I spoke too soon, was browsing the net with the same machine today and
Antivirus System Pro got onto it, looks like a virus. I just ran Malwarebytes again, it found
5 infections so far, I'll let you know more. Anything else you recommend? Should I install ZoneAlarm?
I read your recommendations link. I'm using Symantec Antivirus full version 9.00.338 2004,
should I be moving on to Avast?
Thanks again, Best Regards...
<---
Well, I found 9 infections total: Trojan.Vundo.H, Rogue.SysGuard, & Backdoor.Bot.
Can't understand why the system got re-infected so soon, but the user did warn me about
this rogue Antivirus System Pro getting on there; it just never showed up when I was cleaning the computer.
Only the csrss Trojan was detectable. I went through the gauntlet again, here are the log files;
HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:55:06 PM, on 11/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.montrealgazette.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.226 winguard2009.microsoft.com
O1 - Hosts: 91.212.127.226 winguard-2009.com
O1 - Hosts: 91.212.127.226 www.winguard-2009.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherEye] C:\Documents and Settings\owner\My Documents\Sergio_Docs\Raw\WeatherEye.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos-beta/OnlineScanner.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Update Service (gupdate1c9cc0782757846) (gupdate1c9cc0782757846) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 6529 bytes
Malwarebytes log (ran it a second time afterwards with no issues reported)
Malwarebytes' Anti-Malware 1.41
Database version: 3052
Windows 5.1.2600 Service Pack 3
11/1/2009 2:18:21 PM
mbam-log-2009-11-01 (14-18-21).txt
Scan type: Full Scan (C:\|E:\|)
Objects scanned: 144731
Time elapsed: 33 minute(s), 6 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c277b942-1f68-486b-8f95-6e486a13f148} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c277b942-1f68-486b-8f95-6e486a13f148} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c277b942-1f68-486b-8f95-6e486a13f148} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System tool (Rogue.SysGuard) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System tool (Rogue.SysGuard) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Program Files\uvhchc\jfoxsysguard.exe (Rogue.SysGuard) -> Delete on reboot.
C:\WINDOWS\system32\~.exe (Backdoor.Bot) -> Quarantined and deleted successfully.


DDS Logs
DDS (Ver_09-10-26.01) - NTFSx86 
Run by owner at 15:47:04.23 on Sun 11/01/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1015.492 [GMT -5:00]
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)   {FB06448E-52B8-493A-90F3-E43226D3305C}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\owner\My Documents\Docs_Sergio\antivirus_stuff\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.montrealgazette.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WeatherEye] c:\documents and settings\owner\my documents\sergio_docs\raw\WeatherEye.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
============= SERVICES / DRIVERS ===============
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2009-7-26 58728]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2009-7-26 301928]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2009-7-26 918760]
S2 gupdate1c9cc0782757846;Google Update Service (gupdate1c9cc0782757846);c:\program files\google\update\GoogleUpdate.exe [2009-5-3 133104]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-8-2 173392]
=============== Created Last 30 ================
2009-11-01 18:00:14 0 d-----w- c:\program files\uvhchc
2009-10-31 05:07:02 0 d-----w- c:\program files\ESET
2009-10-30 02:09:19 0 d-----w- c:\program files\Trend Micro
2009-10-29 06:18:30 0 d-----w- C:\del
2009-10-29 04:55:13 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2009-10-29 04:55:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-29 04:55:06 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-29 04:55:06 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-29 04:55:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-29 04:32:52 0 d-----w- c:\program files\CCleaner
==================== Find3M  ====================
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36:27 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:44:46 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20:08 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-03-22 01:51:20 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009032120090322\index.dat
============= FINISH: 15:47:21.25 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-10-26.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2/17/2009 6:01:02 AM
System Uptime: 11/1/2009 3:19:34 PM (0 hours ago)
Motherboard: ASUSTeK Computer INC. |  | P4P800-VM
Processor:                 Intel(R) Celeron(R) CPU 2.66GHz | CPU 1 | 2660/133mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 21.338 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 29 GiB total, 28.325 GiB free.
==== Disabled Device Manager Items =============
==== System Restore Points ===================
==== Installed Programs ======================
Adobe Acrobat 6.0 Professional
Adobe Flash Player 10 ActiveX
BufferChm
Camera Support Core Library
Camera Window
CameraDrivers
Canon Camera Support Core Library
Canon Camera Window for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
CCleaner
CP_AtenaShokunin1Config
CP_CalendarTemplates1
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
Critical Update for Windows Media Player 11 (KB959772)
CueTour
CustomerResearchQFolder
Destinations
DeviceFunctionQFolder
DeviceManagementQFolder
ESET Online Scanner v3
eSupportQFolder
FullDPAppQFolder
Google Earth
Google Update Helper
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
HP Extended Capabilities 5.3
HP Image Zone 5.3
HP Imaging Device Functions 5.3
HP Photosmart 330,380,420,470,7800,8000,8200 Series
HP Product Assistant
HP Solution Center & Imaging Support Tools 5.3
HP Update
HPProductAssistant
InstantShareDevices
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Connections Drivers
LiveUpdate 2.0 (Symantec Corporation)
Malwarebytes' Anti-Malware
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MovieEdit Task
MSXML 4.0 SP2 (KB954430)
PanoStandAlone
PhotoGallery
PhotoStitch
PS8200
PSPrinters08
PSTAPlugin
RandMap
Rapport
RAW Image Task 1.1
RemoteCapture Task 1.0.3
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
SkinsHP1
SolutionCenter
Sonic_PrimoSDK
Status
Symantec AntiVirus
TrayApp
Unload
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
WeatherEye
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
==== Event Viewer Messages From Past Week ========
10/28/2009 11:15:27 PM, error: System Error [1003]  - Error code 000000f4, parameter1 00000003, parameter2 86eae9f8, parameter3 86eaeb6c, parameter4 805fb046.
==== End Of File ===========================
ESET Log
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16876 (vista_gdr.090625-2339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=07c058b17f92f14094c760e0a35a1eb3
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# utc_time=2009-10-31 05:34:08
# local_time=2009-10-31 01:34:08 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=39614
# found=0
# cleaned=0
# scan_time=1359
ESETSmartInstaller@High as downloader log:
all ok
# version=6
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=07c058b17f92f14094c760e0a35a1eb3
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# utc_time=2009-11-01 09:19:58
# local_time=2009-11-01 04:19:58 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3585 63 50 0 0
# scanned=38788
# found=0
# cleaned=0
# scan_time=1008
..s

Jintan
Senior Member
Date Joined Dec 2006
Total Posts : 925
Posted 11-2-2009 12:39 (GMT +1)
Hosts file altered again, but not seeing the active malware here. Use the same SREng2 steps you did earlier to repair the Hosts file.


Then click here and download the installer for Gmer to your desktop, then click that file to run Gmer.

If on its opening scan Gmer locates items shown in red or indicates "hidden" or "rootkit", stop there, and click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please. We don't want any crashes just from taking an initial look at things.

If not, then click on Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.


Click here and help my friend help stop leukemia, lymphoma, Hodgkin lymphoma and myeloma from taking more lives.
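Jintan's diagnosis above rests on the O1 lines of the posted HijackThis log: several hostnames, including one under microsoft.com, pinned to one routable address. The script below is an added example (not from the thread or from HijackThis) that audits a hosts file or pasted O1 lines for exactly that pattern; the sample input is constructed from the log posted above, and the well-known-domain list is an assumption a defender would tune for their environment.

```python
"""Audit Windows hosts-file entries (or HijackThis 'O1 - Hosts:' lines) for hijacks.

Added example; the sample below is constructed from the O1 lines posted in the
thread, and WELL_KNOWN_DOMAINS is an illustrative assumption, not a vendor list.
"""
import ipaddress
import re
from collections import defaultdict

# Domains whose subdomains should never be pinned to an arbitrary address in hosts.
# Assumption for this example: a defender tunes this to the domains they rely on.
WELL_KNOWN_DOMAINS = ("microsoft.com", "windowsupdate.com", "symantec.com")

# Constructed sample: the four O1 entries from the HijackThis log in this thread.
SAMPLE_HJT_O1 = """\
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.226 winguard2009.microsoft.com
O1 - Hosts: 91.212.127.226 winguard-2009.com
O1 - Hosts: 91.212.127.226 www.winguard-2009.com
"""

_O1_PREFIX = re.compile(r"^\s*O1 - Hosts:\s*")


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text or HijackThis O1 lines.

    Comments (# ...) and blank lines are skipped; one line may name several hosts.
    """
    entries = []
    for raw in text.splitlines():
        line = _O1_PREFIX.sub("", raw).split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address; ignore the malformed line
        for name in parts[1:]:
            entries.append((ip, name.lower().rstrip(".")))
    return entries


def _is_local(ip):
    """127/8, ::1 and 0.0.0.0 are the normal benign (ad-block / sinkhole) targets."""
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text):
    """Return sorted (hostname, ip, reason) findings.

    Reasons:
      external_redirect       name is pinned to a routable, non-loopback address
      trusted_domain_hijack   the pinned name belongs to a well-known domain
      shared_external_target  the same routable address is reused for several names
    """
    findings = []
    names_per_ip = defaultdict(set)
    for ip, name in parse_hosts(text):
        if _is_local(ip):
            continue  # loopback / unspecified targets are the expected case
        findings.append((name, str(ip), "external_redirect"))
        if any(name == d or name.endswith("." + d) for d in WELL_KNOWN_DOMAINS):
            findings.append((name, str(ip), "trusted_domain_hijack"))
        names_per_ip[ip].add(name)
    # Rogue AV families typically fan several lure hostnames into one server.
    for ip, names in names_per_ip.items():
        if len(names) >= 2:
            findings.extend((n, str(ip), "shared_external_target") for n in names)
    return sorted(findings)


def print_report(text):
    for name, ip, reason in audit_hosts(text):
        print(f"{reason:24s} {ip:16s} {name}")


if __name__ == "__main__":
    print_report(SAMPLE_HJT_O1)
```

Run against the posted entries it flags all three winguard names as external redirects sharing one target and the microsoft.com subdomain as a trusted-domain hijack, while a stock hosts file with only loopback entries produces no findings.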

elsmootho
New Member
Date Joined Jan 2007
Total Posts : 30
Posted 11-8-2009 3:38 (GMT +1)
Hello Jintan,
Sorry for the late reply, I fixed the HOSTS file again, here is the GMER log per your request. Thanks again for your help.
GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-07 21:32:36
Windows 5.1.2600 Service Pack 3
Running: ww3utpeb.exe; Driver: C:\DOCUME~1\owner\LOCALS~1\Temp\uwndqpow.sys

---- System - GMER 1.0.15 ----
SSDT            \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.)                                                 ZwAssignProcessToJobObject [0xEEE36D10]
SSDT            E19608F8                                                                                                                          ZwConnectPort
SSDT            \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.)                                                 ZwCreateFile [0xEEE3743A]
SSDT            \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.)                                                 ZwDeleteFile [0xEEE37586]
SSDT            \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.)                                                 ZwDeleteKey [0xEEE3AA36]
SSDT            \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.)                                                 ZwDeleteValueKey [0xEEE3AA68]
SSDT            \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.)                                                 ZwOpenFile [0xEEE374EA]
SSDT            \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.)                                                 ZwOpenProcess [0xEEE36E54]
SSDT            \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.)                                                 ZwOpenThread [0xEEE37044]
SSDT            \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.)                                                 ZwProtectVirtualMemory [0xEEE37188]
SSDT            \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.)                                                 ZwQueryValueKey [0xEEE3AB3C]
SSDT            \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.)                                                 ZwRenameKey [0xEEE3AAA6]
SSDT            \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.)                                                 ZwReplaceKey [0xEEE3AAD8]
SSDT            \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.)                                                 ZwRestoreKey [0xEEE3AB0A]
SSDT            \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.)                                                 ZwSetContextThread [0xEEE36CBE]
SSDT            \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.)                                                 ZwSetInformationFile [0xEEE375E6]
SSDT            \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.)                                                 ZwSetValueKey [0xEEE3A9D6]
SSDT            \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.)                                                 ZwSuspendThread [0xEEE36C54]
SSDT            \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com)                     ZwTerminateProcess [0xEEEB30B0]
SSDT            \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.)                                                 ZwTerminateThread [0xEEE36BEA]
INT 0x93        \??\C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys (RapportKE/Trusteer Ltd.)                                               EF200780
---- Kernel code sections - GMER 1.0.15 ----
.text           ntoskrnl.exe!_abnormal_termination + 21C                                                                                          804E2878 4 Bytes  JMP DBEEE374
.text           ntoskrnl.exe!_abnormal_termination + 451                                                                                          804E2AAD 7 Bytes  [30, EB, EE, EA, 6B, E3, EE]
---- User code sections - GMER 1.0.15 ----
.text           C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[268] ntdll.dll!KiUserApcDispatcher                                   7C90E450 5 Bytes  JMP 0040F290 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
.text           C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[268] kernel32.dll!LoadLibraryExW                                     7C801AF5 6 Bytes  JMP 716B001E
.text           C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[268] USER32.dll!GetGUIThreadInfo + FB                                7E428023 6 Bytes  JMP 716E001E
.text           C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[268] WS2_32.dll!getaddrinfo                                          71AB2A6F 5 Bytes  JMP 71650022
.text           C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[268] WS2_32.dll!gethostbyname                                        71AB5355 5 Bytes  JMP 71680022
.text           C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2204] ntdll.dll!KiUserApcDispatcher                                      7C90E450 5 Bytes  JMP 004337A0 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
.text           C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2204] kernel32.dll!LoadLibraryExW                                        7C801AF5 6 Bytes  JMP 716B001E
.text           C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2204] WS2_32.dll!getaddrinfo                                             71AB2A6F 5 Bytes  JMP 71680022
.text           C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2204] WS2_32.dll!gethostbyname                                           71AB5355 5 Bytes  JMP 716E0022
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] ntdll.dll!KiUserApcDispatcher                                               7C90E450 5 Bytes  JMP 10001580 C:\Program Files\Trusteer\Rapport\bin\rooksbas.dll (Rooks/Base/Trusteer Ltd.)
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] kernel32.dll!LoadLibraryExW                                                 7C801AF5 6 Bytes  JMP 716C000A
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] kernel32.dll!SetUnhandledExceptionFilter                                    7C84495D 6 Bytes  JMP 715D000A
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] GDI32.dll!BitBlt                                                            77F16F79 6 Bytes  JMP 7160000A
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] USER32.dll!TranslateMessage                                                 7E418BF6 6 Bytes  JMP 7151000A
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] USER32.dll!RegisterClassW                                                   7E41A39A 6 Bytes  JMP 7163000A
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] USER32.dll!RegisterClassExW                                                 7E41AF7F 6 Bytes  JMP 00D24640 c:\program files\trusteer\rapport\bin\rooksdol.dll (Rooks/Dolomite/Trusteer Ltd.)
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] USER32.dll!DdeInitializeW                                                   7E4206D7 6 Bytes  JMP 7157000A
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] USER32.dll!DialogBoxParamW                                                  7E4247AB 5 Bytes  JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] USER32.dll!RegisterClassA                                                   7E42EA5E 6 Bytes  JMP 7166000A
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] USER32.dll!GetClipboardData                                                 7E430DBA 6 Bytes  JMP 7154000A
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] USER32.dll!DialogBoxIndirectParamW                                          7E432072 5 Bytes  JMP 3E351FF7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] USER32.dll!MessageBoxIndirectA                                              7E43A082 5 Bytes  JMP 3E351F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] USER32.dll!DialogBoxParamA                                                  7E43B144 5 Bytes  JMP 3E351FBC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] USER32.dll!MessageBoxExW                                                    7E450838 5 Bytes  JMP 3E351F04 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] USER32.dll!MessageBoxExA                                                    7E45085C 5 Bytes  JMP 3E351F3E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] USER32.dll!DialogBoxIndirectParamA                                          7E456D7D 5 Bytes  JMP 3E352032 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] USER32.dll!MessageBoxIndirectW                                              7E4664D5 5 Bytes  JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] ole32.dll!CoCreateInstanceEx                                                77500526 6 Bytes  JMP 715A000A
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] ole32.dll!CoCreateInstance                                                  7750057E 6 Bytes  JMP 7169000A
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] ole32.dll!OleLoadFromStream                                                 77529C85 5 Bytes  JMP 3E3521F4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] WS2_32.dll!getaddrinfo                                                      71AB2A6F 5 Bytes  JMP 71170022
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] WS2_32.dll!connect                                                          71AB4A07 5 Bytes  JMP 711A0022
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] WININET.dll!InternetCloseHandle                                             3D944261 6 Bytes  JMP 713C000A
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] WININET.dll!HttpAddRequestHeadersA                                          3D94632F 6 Bytes  JMP 714E000A
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] WININET.dll!HttpOpenRequestA                                                3D94AA7B 6 Bytes  JMP 714B000A
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] WININET.dll!InternetConnectA                                                3D94B0D2 6 Bytes  JMP 7139000A
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] WININET.dll!InternetConnectW                                                3D94C2C0 6 Bytes  JMP 7136000A
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] WININET.dll!InternetQueryDataAvailable                                      3D951615 6 Bytes  JMP 712A000A
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] WININET.dll!InternetOpenA                                                   3D953081 6 Bytes  JMP 712D000A
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] WININET.dll!HttpSendRequestA                                                3D953558 6 Bytes  JMP 7148000A
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] WININET.dll!InternetSetStatusCallback                                       3D957D7B 6 Bytes  JMP 7124000A
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] WININET.dll!HttpSendRequestExW                                              3D958C49 6 Bytes  JMP 7142000A
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] WININET.dll!InternetWriteFile                                               3D958D5C 6 Bytes  JMP 7121000A
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] WININET.dll!HttpSendRequestW                                                3D95FDF9 6 Bytes  JMP 713F000A
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] WININET.dll!InternetReadFileExA                                             3D963384 6 Bytes  JMP 7127000A
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] WININET.dll!InternetGetCookieExA                                            3D963A49 6 Bytes  JMP 7130000A
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] WININET.dll!HttpSendRequestExA                                              3D9AA92E 6 Bytes  JMP 7145000A
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] WININET.dll!InternetGetCookieA                                              3D9AC120 6 Bytes  JMP 7133000A
---- Devices - GMER 1.0.15 ----
AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                                            SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                                          SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                         SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                                         SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                                       SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \FileSystem\Fastfat \Fat                                                                                                          SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
---- Files - GMER 1.0.15 ----
ADS             C:\Documents and Settings\owner\Favorites\Links\John B'mark\Flying\Section 1 Qs - Robyn's Improved PSTAR Study Guide.url:favicon  17344 bytes executable
---- EOF - GMER 1.0.15 ----


Back to Top
 

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 925
 
Posted 11-8-2009 4:15 (GMT +1)
Something is active within the Internet Explorer process, but I am not familiar with how that Rapport software you have functions, so not sure if these are from it. Better to run something else to check things for now.


To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done by right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.

Download ComboFix.exe from here to your desktop, but I would like you to rename the file as you download it (do not download it directly without renaming it - use right click "Save Target/Link As"). For this, rename the downloading file to 456out.com, then click the renamed 456out.com to run that scan.

Be sure to install the Recovery Console if you are asked to do so. When the scan completes, a text window with your log will open. Please copy and paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.



Back to Top
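One way to sort a GMER log like the one above, as an added example (my own script, not part of this thread and not a GMER feature): it separates the hooks GMER could map to a file on disk, grouped by that file, from the ones it reports only as a bare address, which are the entries to correlate with an installed product before dismissing them. The sample log is a constructed, abbreviated excerpt of the log posted above.

```python
"""Sort the hook lines of a GMER log into attributed and unattributed hooks.

Added example, not part of the thread and not GMER's own code. GMER names
the file a hook points into when it can map the target address to a loaded
image; when it cannot, only the address is printed. Those bare-address hooks
are the ones to correlate with an installed product before dismissing them.
"""
import re
from collections import defaultdict

# Constructed sample: an abbreviated excerpt of the GMER log posted above.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT            \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.)     ZwCreateFile [0xEEE3743A]
SSDT            E19608F8                                                                         ZwConnectPort
SSDT            \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com)     ZwTerminateProcess [0xEEEB30B0]
---- Kernel code sections - GMER 1.0.15 ----
.text           ntoskrnl.exe!_abnormal_termination + 21C     804E2878 4 Bytes  JMP DBEEE374
---- User code sections - GMER 1.0.15 ----
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] WS2_32.dll!connect     71AB4A07 5 Bytes  JMP 711A0022
.text           C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[268] USER32.dll!GetGUIThreadInfo + FB     7E428023 6 Bytes  JMP 716E001E
.text           C:\Program Files\Internet Explorer\iexplore.exe[2432] ntdll.dll!KiUserApcDispatcher     7C90E450 5 Bytes  JMP 10001580 C:\Program Files\Trusteer\Rapport\bin\rooksbas.dll (Rooks/Base/Trusteer Ltd.)
---- Devices - GMER 1.0.15 ----
"""

# "SSDT <owner> <ZwFunction> [0xADDR]"; owner is a file path or a bare address.
SSDT_RE = re.compile(r"^SSDT\s+(?P<owner>.+?)\s{2,}(?P<func>Zw\w+)(?:\s+\[0x[0-9A-Fa-f]+\])?\s*$")
# ".text <process>[pid] <dll!export>[ + off] <addr> <n> Bytes <patch ...>"
USER_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[\d+\])\s+(?P<target>\S+!\S+(?: \+ [0-9A-Fa-f]+)?)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+) Bytes\s+(?P<patch>.+?)\s*$"
)
# GMER's trailing "(description/vendor)" annotation on a resolved file.
VENDOR_RE = re.compile(r"\(([^()]+)/([^()/]+)\)\s*$")


def _owner_of(text):
    """Return (file basename, vendor) when GMER named a file, else (None, None)."""
    m = VENDOR_RE.search(text)
    if not m:
        return None, None
    path = text[: m.start()].strip()
    return path.rsplit("\\", 1)[-1], m.group(2).strip()


def parse_gmer_hooks(log_text):
    """Return one dict per SSDT hook and per user-mode inline hook in the log."""
    hooks, section = [], None
    for line in log_text.splitlines():
        hdr = re.match(r"^---- (.+?) - GMER", line)
        if hdr:
            section = hdr.group(1)
            continue
        if section == "System":
            m = SSDT_RE.match(line)
            if m:
                module, vendor = _owner_of(m.group("owner"))
                hooks.append({"kind": "SSDT", "where": "kernel", "target": m.group("func"),
                              "module": module, "vendor": vendor, "raw": m.group("owner").strip()})
        elif section == "User code sections":
            m = USER_RE.match(line)
            if m:
                proc = re.search(r"([^\\]+)\[(\d+)\]$", m.group("proc"))
                module, vendor = _owner_of(m.group("patch"))
                hooks.append({"kind": "inline", "where": f"{proc.group(1)}[{proc.group(2)}]",
                              "target": m.group("target"), "module": module, "vendor": vendor,
                              "raw": m.group("patch").strip()})
    return hooks


def triage(hooks):
    """Group hooks by the file GMER attributed them to; collect the bare-address ones."""
    by_module, unattributed = defaultdict(list), []
    for h in hooks:
        (unattributed if h["module"] is None else by_module[h["module"]]).append(h)
    return dict(by_module), unattributed


def report(log_text):
    """Summary lines: one per attributed file, then every unattributed hook."""
    by_module, unattributed = triage(parse_gmer_hooks(log_text))
    lines = [f"{mod} ({hooks[0]['vendor']}): {len(hooks)} hook(s)"
             for mod, hooks in sorted(by_module.items())]
    lines.append(f"{len(unattributed)} hook(s) with no file name, review these:")
    for h in unattributed:
        lines.append(f"  {h['where']:<30} {h['target']:<36} -> {h['raw']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against the full log above, the iexplore.exe hooks that jump to 71xx000A addresses with no file name land in the unattributed bucket, while those GMER tied to rooksbas.dll, rooksdol.dll or IEFRAME.dll do not.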
 

elsmootho
New Member




Date Joined Jan 2007
Total Posts : 30
 
Posted 11-13-2009 3:51 (GMT +1)
Hello Jintan,
Sorry for the late reply, here is the ComboFix log. During install he mentioned I'd have a black screen for 2 seconds on every bootup from now on (safe mode boot up option). Is there a way to undo or completely remove this? Also please note I DID disable my antivirus, but it seems the log shows it was still on? Not sure if that caused any problems, but my screen didn't freeze up during the scan.


ComboFix 09-11-13.04 - owner 11/12/2009 21:23.1.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1015.545 [GMT -5:00]
Running from: c:\documents and settings\owner\My Documents\Docs_Sergio\antivirus_stuff\456out.com
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
.
(((((((((((((((((((((((((   Files Created from 2009-10-13 to 2009-11-13  )))))))))))))))))))))))))))))))
.
2009-11-13 01:47 . 2009-11-13 01:47 -------- d-----w- c:\documents and settings\owner\Application Data\Registry Mechanic
2009-11-11 12:30 . 2009-11-13 01:51 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-02 03:52 . 2009-11-12 17:28 117760 ----a-w- c:\documents and settings\owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-02 03:52 . 2009-11-02 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-02 03:52 . 2009-11-12 12:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-02 03:52 . 2009-11-02 03:52 -------- d-----w- c:\documents and settings\owner\Application Data\SUPERAntiSpyware.com
2009-11-02 03:51 . 2009-11-02 03:51 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-01 18:00 . 2009-11-01 19:19 -------- d-----w- c:\program files\uvhchc
2009-11-01 06:28 . 2009-11-01 06:28 -------- d-----w- c:\documents and settings\owner\Local Settings\Application Data\Temp
2009-10-31 05:07 . 2009-10-31 05:07 -------- d-----w- c:\program files\ESET
2009-10-30 02:09 . 2009-10-30 02:09 -------- d-----w- c:\program files\Trend Micro
2009-10-29 06:18 . 2009-10-29 06:18 -------- d-----w- C:\del
2009-10-29 04:55 . 2009-10-29 04:55 -------- d-----w- c:\documents and settings\owner\Application Data\Malwarebytes
2009-10-29 04:55 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-29 04:55 . 2009-10-29 04:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-29 04:55 . 2009-10-29 04:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-29 04:55 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-29 04:32 . 2009-10-29 04:32 -------- d-----w- c:\program files\CCleaner
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-13 02:29 . 2009-02-22 02:28 -------- d-----w- c:\program files\Symantec AntiVirus
2009-11-12 22:06 . 2009-03-09 02:45 -------- d-----w- c:\documents and settings\owner\Application Data\AdobeUM
2009-11-12 10:10 . 2009-05-03 15:53 -------- d-----w- c:\program files\Google
2009-09-11 14:18 . 2004-08-04 00:56 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 00:56 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-08-04 00:56 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 00:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-04 00:56 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2004-08-04 00:56 247326 ----a-w- c:\windows\system32\strmdll.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-12 2001648]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2007-08-03 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2007-08-03 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2007-08-03 114688]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-10 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-08-03 124232]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"110:TCP"= 110:TCP:svchost
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [7/26/2009 10:03 AM 58728]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [7/26/2009 10:03 AM 301928]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 9:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 74480]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [7/26/2009 10:03 AM 918760]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 9:24 PM 7408]
S2 gupdate1c9cc0782757846;Google Update Service (gupdate1c9cc0782757846);c:\program files\Google\Update\GoogleUpdate.exe [5/3/2009 10:54 AM 133104]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [8/2/2004 7:36 PM 173392]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder
2009-11-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-03 15:54]
2009-11-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-03 15:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.montrealgazette.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-WeatherEye - c:\documents and settings\owner\My Documents\Sergio_Docs\Raw\WeatherEye.exe


**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-12 21:32
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ...
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(652)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2009-11-12 21:34
ComboFix-quarantined-files.txt  2009-11-13 02:34
Pre-Run: 22,880,665,600 bytes free
Post-Run: 23,145,738,240 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 2CB71A1B69D69E7AEBFD6689FA8DFA76


  
Back to Top
 

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 925
 
Posted 11-13-2009 5:37 (GMT +1)
I think you mean you are getting the start operating system choice option. Once ComboFix was allowed to install the Recovery Console access, then this was added as a bootup choice, along with your Windows there. The Recovery Console access built-in can be handy in the future, should there be an emergency need for that. But we can remove it if you would prefer that.

Nothing really being picked up right now, so I have to assume it is that Rapport software showing in the iexplore processes in Gmer (some do show among them). What problems are still occurring there now please?



Back to Top
 

elsmootho
New Member




Date Joined Jan 2007
Total Posts : 30
 
Posted 11-13-2009 7:24 (GMT +1)
Hello Jintan,
Everything seems normal right now, I was just running ComboFix per your last suggestion.
Thank you for your help, I will leave the bootup choice option. All the best... !
...s


Back to Top
 

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 925
 
Posted 11-14-2009 1:38 (GMT +1)
Glad to provide the help. Just one change and then you can remove what we added there to finish up here.


REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"110:TCP"=-

Open Notepad (Start - Run, type Notepad then press OK), and copy the text inside the box above and paste it into the open Notepad textbox.

Save this to your desktop as "fixer.reg"

Be sure to include the "" quotes in the name.

Then right click fixer.reg, select Merge, and allow it to merge the new information with the Registry. That is meant to remove a malware net access point.

----------------------

For what our work added there, Eset, if you don't plan to use it again, uninstalls through Add/Remove Programs.


You can also at this time delete the files/folders of the tools we used. To assist with some of that download OTM.exe by OldTimer to your desktop. This will help by automatically removing some of the tools we used.

Click OTM.exe to run it and click on Cleanup. You'll be asked if you want to begin the cleanup process. Select Yes.

OTM will search for and delete/uninstall many of the tools that we have used to fix your problems and all their backup folders and then delete itself when you next reboot. At the end of the run you will receive a prompt to reboot, but save that for the next step resetting Restore.

---------

Then reset the System Restore. To do this, right-click My Computer and select Properties. Click the System Restore tab in the window that appears, and check the box that says "Turn off System Restore on all drives" and click Apply.

You will be asked if you are sure, click Yes. This will delete the restore points. Then click OK in the Properties window and reboot your computer.

When your desktop appears, right-click My Computer and select Properties once more. Uncheck the "Turn off System Restore..." box and click Apply. OK.


In addition, I like to recommend reviewing the information Here to make sure you stay malware free.



Back to Top
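The ComboFix "Reg Loading Points" section earlier in the thread listed the firewall exception that this fix removes. As an added example (my own script, not ComboFix's code and not the fix as posted), this expands ComboFix's abbreviated HKLM\~\services key to the full path regedit needs, pulls every GloballyOpenPorts value out of such a log excerpt and writes the same REGEDIT4 deletion stanza, where "name"=- is the syntax that deletes a value. The sample is a constructed excerpt of the log above.

```python
r"""Turn ComboFix's firewall GloballyOpenPorts entries into a REGEDIT4 removal file.

Added example, not ComboFix's code and not the fix posted in the thread; it
rebuilds that fix from the log programmatically. In a .reg file the line
"name"=- deletes the value, and ComboFix writes HKLM\~\services as shorthand
for HKLM\SYSTEM\CurrentControlSet\Services.
"""
import re

# Constructed sample: the firewall-policy block from the ComboFix log above.
SAMPLE_COMBOFIX = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"110:TCP"= 110:TCP:svchost
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [7/26/2009 10:03 AM 58728]
"""

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
SERVICES_ABBREV = "\\~\\services"
SERVICES_FULL = "\\SYSTEM\\CurrentControlSet\\Services"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*?)\s*$')


def expand_combofix_key(key):
    """Expand ComboFix's abbreviated key into the form regedit expects."""
    hive, _, rest = key.partition("\\")
    rest = "\\" + rest
    if rest.lower().startswith(SERVICES_ABBREV):
        rest = SERVICES_FULL + rest[len(SERVICES_ABBREV):]
    return HIVES.get(hive.upper(), hive) + rest


def find_open_ports(log_text):
    """Return (full key, value name, value data) for every GloballyOpenPorts value."""
    found, current = [], None
    for line in log_text.splitlines():
        km = KEY_RE.match(line)
        if km:
            current = expand_combofix_key(km.group("key"))
            continue
        if not line.startswith('"'):
            if line.strip():
                current = None  # left the key's value list (e.g. service lines)
            continue
        if current and "globallyopenports" in current.lower():
            vm = VALUE_RE.match(line)
            if vm:
                found.append((current, vm.group("name"), vm.group("data")))
    return found


def describe(entry):
    """One-line summary of an open-port exception for the person reviewing the log."""
    _, name, data = entry
    port, _, proto = name.partition(":")
    return f"{proto} port {port} opened in the standard profile for '{data.rsplit(':', 1)[-1]}'"


def build_removal_reg(entries):
    """Emit a REGEDIT4 file that deletes each listed value ("name"=- is the delete syntax)."""
    lines = ["REGEDIT4", ""]
    for key in sorted({k for k, _, _ in entries}):
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for k, name, _ in entries if k == key)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    entries = find_open_ports(SAMPLE_COMBOFIX)
    for e in entries:
        print(describe(e))
    print(build_removal_reg(entries))
```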
 