XP SP3 Virus/Malware - Fake Windows Update claiming Service Pack 2010

Posted on 2010-09-02
Last Modified: 2013-11-22
I'm not even sure where to start explaining. At this point it's got me pretty well locked down in standard (as opposed to safe mode). I can't open task manager, do installations or open a browser. I'm doing a scan as we speak with hitman pro. Please help. I'm not sure what else to say... just ask.

Optoma... come save me again.

Thanks in advance.
Question by:jpfulton
 
Expert Comment

by:optoma
ID: 33590647
Hi!
What name is the fake malware going by?
Hitmanpro scanning in safe mode w networking?

After it scans reboot normally and see if you can access task manager.
If you can't, run ExeHelper for starters :)
http://raktor.net/exeHelper/exeHelper.com
 

Author Comment

by:jpfulton
ID: 33590738
Yes, Hitman ran in safe mode with networking... found a ton of stuff. It said that it thinks it's TDL3 (Alureon) Rootkit, you probably know this but according to google that's TDSS. So I restarted and went back into safe mode w networking. Now no internet so no rescan with Hitman possible. I ran TDSSKiller (Kaspersky) in safe mode which found nothing. Accidentally rebooted into regular mode... it's a sh*tstorm in there (stuff popping up left and right trying to get me to buy fake antivirus). Back into safe mode w networking. Still no internet. Ran winsockfix trying to get internet back so I could get back to Hitman. Restarted back into safe mode w networking... still no internet. Check with ipconfig showing 0.0.0.0 for IP... /release /renew says "The RPC server is unavailable". What now?
 
Expert Comment

by:optoma
ID: 33590824
Try this and see if you get an IP address back.
If you do, let me know before running anything else.
http://www.randomfix.com/2006/11/03/unable-to-renew-ip-address-rpc-service-is-unavailable/
 

Author Comment

by:jpfulton
ID: 33590862
Those directions don't really seem to apple. DHCP is already running in services.msc. I'm going into regular mode to see if I can get the connection going. Let me know if I shouldn't.
 

Author Comment

by:jpfulton
ID: 33590864
apple=apply
 

Author Comment

by:jpfulton
ID: 33590973
Not sure what to do. I'm trying to get the internet connection going. The program that pops up calls itself Malware Doctor and in task manager the executable is called mediafix*.exe (taskmgr working again).
 

Author Comment

by:jpfulton
ID: 33591025
BOOM. Got it. DHCP Client service refuses to run so I manually assigned IP :)
 
Expert Comment

by:optoma
ID: 33591058
Ok, run Combofix this time. Follow its instructions and post the log.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Rename combofix to cf.exe before saving it to desktop
 

Author Comment

by:jpfulton
ID: 33591085
In safe mode, right?
 
Expert Comment

by:optoma
ID: 33591221
If there are too many popups in normal mode, download it in safe mode w net to the desktop.
Reboot into normal mode and run it.
 

Author Comment

by:jpfulton
ID: 33591458
ComboFix 10-09-01.04 - jpfulton 09/02/2010  16:44:14.1.4 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3326.2743 [GMT -4:00]
Running from: c:\documents and settings\jpfulton\Desktop\cf.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\jpfulton\Application Data\A739AE0EC6F9389A6D091D4EF6D66A37
c:\documents and settings\jpfulton\Application Data\A739AE0EC6F9389A6D091D4EF6D66A37\enemies-names.txt
c:\documents and settings\jpfulton\Application Data\A739AE0EC6F9389A6D091D4EF6D66A37\local.ini
c:\documents and settings\jpfulton\Application Data\A739AE0EC6F9389A6D091D4EF6D66A37\lsrslt.ini
c:\documents and settings\jpfulton\Application Data\A739AE0EC6F9389A6D091D4EF6D66A37\mediafix70700en02.exe
c:\windows\$NtUninstallMTF1011$

.
(((((((((((((((((((((((((   Files Created from 2010-08-02 to 2010-09-02  )))))))))))))))))))))))))))))))
.

2010-09-02 18:49 . 2010-09-02 18:49      --------      d-----w-      C:\xp
2010-09-02 18:33 . 2010-09-02 18:49      --------      d-----w-      c:\program files\nLite
2010-09-01 17:51 . 2010-09-01 18:29      --------      d-----w-      C:\pv
2010-08-26 19:19 . 2010-08-26 19:19      --------      d-----w-      c:\documents and settings\jpfulton\Local Settings\Application Data\Move Networks
2010-08-26 19:19 . 2010-08-26 19:19      --------      d-----w-      c:\documents and settings\jpfulton\Application Data\Move Networks
2010-08-10 20:38 . 2010-09-02 19:13      16968      ----a-w-      c:\windows\system32\drivers\hitmanpro35.sys
2010-08-10 20:37 . 2010-08-10 20:49      --------      d-----w-      c:\documents and settings\All Users\Application Data\Hitman Pro
2010-08-10 20:37 . 2010-09-02 19:08      --------      d-----w-      c:\program files\Hitman Pro 3.5

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-02 20:53 . 2009-04-04 02:53      128020512      --sha-w-      c:\windows\system32\drivers\fidbox.dat
2010-09-02 20:51 . 2009-04-04 02:52      5658144      --sha-w-      c:\windows\system32\drivers\fidbox2.dat
2010-09-02 20:49 . 2009-04-04 02:53      1738508      --sha-w-      c:\windows\system32\drivers\fidbox.idx
2010-09-02 20:49 . 2009-04-04 02:52      551336      --sha-w-      c:\windows\system32\drivers\fidbox2.idx
2010-09-02 20:38 . 2009-04-04 02:52      --------      d-----w-      c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-09-02 18:56 . 2009-05-08 13:46      --------      d-----w-      c:\documents and settings\jpfulton\Application Data\BitTorrent
2010-09-02 15:43 . 2009-04-03 20:38      131568      ----a-w-      c:\documents and settings\jpfulton\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-02 12:11 . 2009-04-03 20:54      1682      --sha-w-      c:\windows\system32\KGyGaAvL.sys
2010-09-02 04:55 . 2010-05-14 21:22      24328      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\Interop.QBInstanceFinder.dll
2010-09-02 04:55 . 2010-05-14 21:22      211720      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2010-09-02 04:55 . 2010-05-14 21:22      1394440      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\IntuitSyncManager.exe
2010-09-02 04:55 . 2010-05-14 21:21      975648      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\DownloadQB20\EPatch\qbpatch2.exe
2010-09-02 04:55 . 2010-05-14 21:21      44832      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\DownloadQB20\EPatch\qbpatch.exe
2010-08-31 15:38 . 2010-05-16 12:32      50304      ----a-w-      c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-08-26 19:19 . 2010-08-26 19:19      144162      ----a-w-      c:\documents and settings\jpfulton\Application Data\Move Networks\uninstall.exe
2010-08-26 19:19 . 2009-12-18 03:27      5603776      ----a-w-      c:\documents and settings\jpfulton\Application Data\Move Networks\plugins\npqmp071706000001.dll
2010-08-24 21:00 . 2010-05-14 21:22      4470      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\qbbackup.sys
2010-08-10 17:39 . 2009-04-03 21:02      --------      d-----w-      c:\documents and settings\jpfulton\Application Data\TeraCopy
2010-07-29 15:25 . 2009-04-04 02:53      97549      ----a-w-      c:\windows\system32\drivers\klick.dat
2010-07-29 15:25 . 2009-04-04 02:53      113933      ----a-w-      c:\windows\system32\drivers\klin.dat
2010-07-27 14:48 . 2002-08-29 01:27      23040      ----a-w-      c:\windows\system32\drivers\mouclass.sys
2010-07-26 14:29 . 2010-07-26 14:29      --------      d-----w-      c:\program files\ESET
2010-07-26 13:20 . 2009-08-19 15:55      --------      d-----w-      c:\program files\Malwarebytes' Anti-Malware
2010-07-26 12:58 . 2009-04-06 12:56      --------      d-----w-      c:\documents and settings\All Users\Application Data\Soulseek
2010-07-02 06:26 . 2010-05-14 21:22      791856      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\Sybase10\dblgen10.dll
2010-07-02 06:26 . 2010-05-14 21:22      763184      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\Sybase10\dblib10.dll
2010-07-02 06:26 . 2010-05-14 21:22      570672      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\Sybase10\mlhttps10.dll
2010-07-02 06:26 . 2010-05-14 21:22      496944      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\Sybase10\mlrsa10.dll
2010-07-02 06:26 . 2010-05-14 21:22      423216      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\Sybase10\dbmlsync.exe
2010-07-02 06:26 . 2010-05-14 21:22      398640      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\Sybase10\dbcon10.dll
2010-07-02 06:26 . 2010-05-14 21:22      296240      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\Sybase10\mlsock10.dll
2010-07-02 06:26 . 2010-05-14 21:22      267568      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\Sybase10\mlcrsa10.dll
2010-07-02 06:26 . 2010-05-14 21:22      2184496      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\iAnywhere.Data.SQLAnywhere.dll
2010-07-02 06:26 . 2010-05-14 21:22      1152304      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\Sybase10\dbtool10.dll
2010-07-02 06:26 . 2010-05-14 21:22      856880      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\dblgen11.dll
2010-06-30 12:31 . 2003-03-31 12:00      149504      ----a-w-      c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2003-03-31 12:00      916480      ----a-w-      c:\windows\system32\wininet.dll
2010-06-23 20:36 . 2009-04-26 12:20      1324      ----a-w-      c:\windows\system32\d3d9caps.dat
2010-06-23 13:44 . 2003-03-31 12:00      1851904      ----a-w-      c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2003-03-31 12:00      354304      ----a-w-      c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2003-03-31 12:00      80384      ----a-w-      c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2009-04-03 20:09      744448      ----a-w-      c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-14 07:41 . 2003-03-31 12:00      1172480      ----a-w-      c:\windows\system32\msxml3.dll
2010-06-22 00:08 . 2009-04-03 20:21      119808      ----a-w-      c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-04-03 21:57 . 2009-04-03 20:54      56      --sh--r-      c:\windows\system32\57DE56C7FE.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
"SoundMan"="SOUNDMAN.EXE" [2008-06-18 77824]
"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 2808832]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-22 30192]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-26 13570048]
"nwiz"="nwiz.exe" [2008-07-26 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-26 86016]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-01-27 1337608]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-09-02 6300480]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2009-4-3 221251]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-3-24 1154848]
Suitcase 11.0.lnk - c:\windows\Installer\{7451C9B5-3E10-4E59-AD37-AB7438D84288}\_01D57C9244869186542E24.exe [2009-4-3 9062]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute      REG_MULTI_SZ         autocheck autochk *\0bootdelete

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Web Connector.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Web Connector.lnk
backup=c:\windows\pss\QuickBooks Web Connector.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2004-12-14 07:12      483328      ----a-w-      c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2007-04-20 22:51      140832      ----a-w-      c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2007-04-20 22:57      1866368      ----a-w-      c:\program files\Acronis\TrueImageServer\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act! Preloader]
2006-04-05 21:53      1015808      ----a-w-      c:\program files\ACT\ACT for Windows\Act8.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTSchedulerUI]
2009-04-16 19:52      638976      ------w-      c:\program files\ACT\ACT for Windows\Act.Scheduler.UI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 11:58      611712      ----a-w-      c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
2007-03-22 23:29      39264      ----a-w-      c:\progra~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
2010-01-27 05:04      1337608      ----a-w-      c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 05:10      142120      ----a-w-      c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 10:42      1695232      ------w-      c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50      155648      ----a-w-      c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53      421888      ----a-w-      c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2007-04-20 22:49      1129400      ----a-w-      c:\program files\Acronis\TrueImageServer\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
2006-06-18 19:56      712704      ----a-w-      c:\program files\UltraVNC\winvnc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15000:UDP"= 15000:UDP:Kaspersky Administration Kit
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/4/2009 11:34 AM 28552]
R2 klnagent;Kaspersky Network Agent;c:\program files\Kaspersky Lab\NetworkAgent\klnagent.exe [3/17/2008 6:19 PM 94608]
R2 MSSQL$ACT7;MSSQL$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 --> c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 [?]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [4/3/2009 5:03 PM 6016]
R3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [8/10/2010 4:38 PM 16968]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/30/2007 6:49 PM 24344]
S0 ydyzdn;ydyzdn; [x]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [4/3/2009 4:21 PM 30192]
S3 SQLAgent$ACT7;SQLAgent$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7 --> c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7 [?]
S4 QuickBooksDB19;QuickBooksDB19;c:\progra~1\Intuit\QUICKB~1.0\QBDBMgrN.exe -hvQuickBooksDB19 --> c:\progra~1\Intuit\QUICKB~1.0\QBDBMgrN.exe -hvQuickBooksDB19 [?]
.
Contents of the 'Scheduled Tasks' folder

2010-08-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {2A228AB5-BA96-4D74-A365-DA99D18446BA} = 10.0.0.2
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks Enterprise Solutions 9.0\HelpAsyncPluggableProtocol.dll
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks Enterprise Solutions 9.0\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\documents and settings\jpfulton\Application Data\Mozilla\Firefox\Profiles\ouk0f0vq.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\jpfulton\Application Data\Mozilla\Firefox\Profiles\ouk0f0vq.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\documents and settings\jpfulton\Application Data\Move Networks\plugins\npqmp071706000001.dll
FF - plugin: c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\browser\nppdf32.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-mediafix70700en02.exe - c:\documents and settings\jpfulton\Application Data\A739AE0EC6F9389A6D091D4EF6D66A37\mediafix70700en02.exe
HKLM-Run-GEST - (no file)
Notify-AtiExtEvent - (no file)
SafeBoot-klmdb.sys
AddRemove-HijackThis - c:\docume~1\jpfulton\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis.zip\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-02 16:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1208)
c:\windows\system32\klogon.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(1264)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(3676)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\RTHDCPL.EXE
c:\windows\SOUNDMAN.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
.
**************************************************************************
.
Completion time: 2010-09-02  16:59:23 - machine was rebooted
ComboFix-quarantined-files.txt  2010-09-02 20:59

Pre-Run: 77,733,531,648 bytes free
Post-Run: 77,678,698,496 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - CFB6E06B2726FD63A5023DE234DBA726
 
Expert Comment

by:optoma
ID: 33591615
1. Open Notepad
2. Copy + paste all bolded text only between lines below into Notepad window
==================================================
Driver::ydyzdn

==================================================
3. Now Save as CFScript.txt on your desktop/same location as Combofix.exe
4. Then drag the CFScript.txt into ComboFix.exe
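The ComboFix log a few posts up and the CFScript fix for it above both turn on the same thing: spotting the handful of entries in a long log that matter (the boot-start service `ydyzdn` with no file on disk, the HKCU Run value pointing into a hex-named Application Data folder, security-center monitoring switched off, the firewall disabled). The Python below is an added example, not ComboFix's own code and not something posted in this thread: it runs a few triage heuristics over log lines constructed in the shape ComboFix prints. The sample lines are constructed (the HKCU Run line is built from the orphan entry ComboFix removed and carries a made-up size), and the flagging rules are my assumptions about what a responder would review first, not ComboFix's rules.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix code).

Flags four kinds of entries a responder would want to look at first:
  * a service whose image file is missing ("[x]"), boot-start ones as high
  * a Run value launched from a 32-hex-character folder under Application Data
  * a Security Center "DisableMonitoring" override
  * the standard-profile firewall switched off
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of a ComboFix log. The HKCU Run line mirrors
# the orphan entry ComboFix removed in the thread; its size field is made up.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-09-02 6300480]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mediafix70700en02.exe"="c:\documents and settings\jpfulton\Application Data\A739AE0EC6F9389A6D091D4EF6D66A37\mediafix70700en02.exe" [2010-09-02 100000]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/4/2009 11:34 AM 28552]
S0 ydyzdn;ydyzdn; [x]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/30/2007 6:49 PM 24344]
"""

# "R0 name;display;image [timestamp size]" or "S0 name;display; [x]"
SERVICE_RE = re.compile(
    r'^(?P<start>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*?)\s*\[(?P<tail>[^\]]*)\]$'
)
# "ValueName"="command line" ...
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"')
# A path component that is exactly 32 hex characters (the random folder name style)
HEX_DIR_RE = re.compile(r'\\[0-9A-Fa-f]{32}\\')
APPDATA_RE = re.compile(r'\\application data\\', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    line: str      # the log line that triggered the finding
    reason: str


def triage(log_text):
    """Return the suspicious entries found in a ComboFix-style log."""
    findings = []
    current_key = ""  # most recent "[registry key]" header seen
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue

        m = SERVICE_RE.match(line)
        if m:
            # No image path, or ComboFix's "[x]" marker: service points at nothing on disk
            if m.group("tail") == "x" or not m.group("image"):
                sev = "high" if m.group("start") in ("R0", "S0") else "medium"
                findings.append(Finding(sev, line, f"service {m.group('name')} has no image file on disk"))
            continue

        m = RUN_VALUE_RE.match(line)
        if m and "currentversion\\run" in current_key.lower():
            cmd = m.group("cmd")
            if APPDATA_RE.search(cmd) and HEX_DIR_RE.search(cmd):
                findings.append(Finding("high", line, "autorun launched from a hex-named Application Data folder"))
            continue

        if line.startswith('"DisableMonitoring"=dword:00000001'):
            product = current_key.split("\\")[-1]
            findings.append(Finding("medium", line, f"Security Center monitoring disabled under {product}"))
            continue
        if line.startswith('"EnableFirewall"= 0'):
            findings.append(Finding("medium", line, "Windows Firewall standard profile disabled"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Running it prints four findings; the `S0 ydyzdn` one is the entry optoma's `Driver::ydyzdn` script removes. The heuristics are deliberately narrow (an empty image path, a 32-hex-character folder, two well-known registry overrides) so they stay cheap to read and easy to extend with the other patterns in a log.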
 

Author Comment

by:jpfulton
ID: 33591651
Okay. I'm at the office and leaving for the day. I've dragged CFScript.txt onto the cf.exe icon. I am going to let it run. I will be back in tomorrow morning at 8 EST to resume. Should I leave the computer alone until I hear from you again?
 
Accepted Solution

by:optoma
ID: 33591708
Combofix's log looks ok apart from that one entry.
When it's finished, post the new log.

Then run Atf cleaner to clear temp files http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25

Update Flash and java
http://get.adobe.com/flashplayer/
http://www.java.com/en/

>It should be fine to use :)
 

Author Comment

by:jpfulton
ID: 33591718
Ugh, combofix is hanging now. It's been probably 10 minutes and it's stuck at:

======================================================
Scanning for infected files . . .
This typically doesn't take more than 10 minutes
However, scan times for badly infected machines may easily double"
======================================================

That's it. It appears the actual scanning has not started like it did last time. I don't know what to do so I guess I'm just going to leave it as is. Please let me know what the next step is from here... whether I should close the window or be patient.
 

Author Comment

by:jpfulton
ID: 33591826
Okay. I'm impatient and determined. Have not yet left the office and I chose to do a manual restart of the computer (via button on the case). Now I've once again dragged cfscript.txt onto cf.exe. It has already progressed past the point it did on the previous run. It is hanging a little on stage 3 but I'm guessing it will be fine. Thanks for all of your help. I'll follow the rest of your suggestions and assuming all is well a few hours into the day tomorrow I'll close the thread.

Thank you!
 

Author Comment

by:jpfulton
ID: 33595675
I've run the second round of combofix (cf.exe) with cfscript.exe as instructed. The only thing I will note (and this happened the first time too) is that when combofix automatically restarts the pc and then takes over again, it says something like "Don't run any programs until combofix is done"... meanwhile the pc is still in its startup sequence and therefore loading all of the initial programs that run at startup (APC Battery Monitor, Font manager, etc). I am now going to run Atf Cleaner and update flash and java. Here's the ComboFix log:


ComboFix 10-09-01.04 - jpfulton 09/02/2010  17:49:03.2.4 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3326.2859 [GMT -4:00]
Running from: c:\documents and settings\jpfulton\Desktop\cf.exe
Command switches used :: c:\documents and settings\jpfulton\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\userinit.exe

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_YDYZDN
-------\Service_ydyzdn


(((((((((((((((((((((((((   Files Created from 2010-08-03 to 2010-09-03  )))))))))))))))))))))))))))))))
.

2010-09-02 18:49 . 2010-09-02 18:49      --------      d-----w-      C:\xp
2010-09-02 18:33 . 2010-09-02 18:49      --------      d-----w-      c:\program files\nLite
2010-09-01 17:51 . 2010-09-01 18:29      --------      d-----w-      C:\pv
2010-08-26 19:19 . 2010-08-26 19:19      --------      d-----w-      c:\documents and settings\jpfulton\Local Settings\Application Data\Move Networks
2010-08-26 19:19 . 2010-08-26 19:19      144162      ----a-w-      c:\documents and settings\jpfulton\Application Data\Move Networks\uninstall.exe
2010-08-26 19:19 . 2010-08-26 19:19      --------      d-----w-      c:\documents and settings\jpfulton\Application Data\Move Networks
2010-08-10 20:38 . 2010-09-02 20:58      16968      ----a-w-      c:\windows\system32\drivers\hitmanpro35.sys
2010-08-10 20:37 . 2010-08-10 20:49      --------      d-----w-      c:\documents and settings\All Users\Application Data\Hitman Pro
2010-08-10 20:37 . 2010-09-02 19:08      --------      d-----w-      c:\program files\Hitman Pro 3.5

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-03 12:02 . 2009-04-04 02:53      128199712      --sha-w-      c:\windows\system32\drivers\fidbox.dat
2010-09-03 12:01 . 2009-04-04 02:52      5664288      --sha-w-      c:\windows\system32\drivers\fidbox2.dat
2010-09-02 21:56 . 2009-04-04 02:52      551696      --sha-w-      c:\windows\system32\drivers\fidbox2.idx
2010-09-02 21:56 . 2009-04-04 02:53      1739900      --sha-w-      c:\windows\system32\drivers\fidbox.idx
2010-09-02 21:47 . 2009-04-04 02:52      --------      d-----w-      c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-09-02 18:56 . 2009-05-08 13:46      --------      d-----w-      c:\documents and settings\jpfulton\Application Data\BitTorrent
2010-09-02 15:43 . 2009-04-03 20:38      131568      ----a-w-      c:\documents and settings\jpfulton\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-02 12:11 . 2009-04-03 20:54      1682      --sha-w-      c:\windows\system32\KGyGaAvL.sys
2010-09-02 04:55 . 2010-05-14 21:22      24328      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\Interop.QBInstanceFinder.dll
2010-09-02 04:55 . 2010-05-14 21:22      211720      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2010-09-02 04:55 . 2010-05-14 21:22      1394440      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\IntuitSyncManager.exe
2010-09-02 04:55 . 2010-05-14 21:21      975648      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\DownloadQB20\EPatch\qbpatch2.exe
2010-09-02 04:55 . 2010-05-14 21:21      44832      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\DownloadQB20\EPatch\qbpatch.exe
2010-08-31 15:38 . 2010-05-16 12:32      50304      ----a-w-      c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-08-26 19:19 . 2009-12-18 03:27      5603776      ----a-w-      c:\documents and settings\jpfulton\Application Data\Move Networks\plugins\npqmp071706000001.dll
2010-08-24 21:00 . 2010-05-14 21:22      4470      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\qbbackup.sys
2010-08-10 17:39 . 2009-04-03 21:02      --------      d-----w-      c:\documents and settings\jpfulton\Application Data\TeraCopy
2010-07-29 15:25 . 2009-04-04 02:53      97549      ----a-w-      c:\windows\system32\drivers\klick.dat
2010-07-29 15:25 . 2009-04-04 02:53      113933      ----a-w-      c:\windows\system32\drivers\klin.dat
2010-07-27 14:48 . 2002-08-29 01:27      23040      ----a-w-      c:\windows\system32\drivers\mouclass.sys
2010-07-26 14:29 . 2010-07-26 14:29      --------      d-----w-      c:\program files\ESET
2010-07-26 13:20 . 2009-08-19 15:55      --------      d-----w-      c:\program files\Malwarebytes' Anti-Malware
2010-07-26 12:58 . 2009-04-06 12:56      --------      d-----w-      c:\documents and settings\All Users\Application Data\Soulseek
2010-07-02 06:26 . 2010-05-14 21:22      791856      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\Sybase10\dblgen10.dll
2010-07-02 06:26 . 2010-05-14 21:22      763184      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\Sybase10\dblib10.dll
2010-07-02 06:26 . 2010-05-14 21:22      570672      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\Sybase10\mlhttps10.dll
2010-07-02 06:26 . 2010-05-14 21:22      496944      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\Sybase10\mlrsa10.dll
2010-07-02 06:26 . 2010-05-14 21:22      423216      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\Sybase10\dbmlsync.exe
2010-07-02 06:26 . 2010-05-14 21:22      398640      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\Sybase10\dbcon10.dll
2010-07-02 06:26 . 2010-05-14 21:22      296240      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\Sybase10\mlsock10.dll
2010-07-02 06:26 . 2010-05-14 21:22      267568      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\Sybase10\mlcrsa10.dll
2010-07-02 06:26 . 2010-05-14 21:22      2184496      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\iAnywhere.Data.SQLAnywhere.dll
2010-07-02 06:26 . 2010-05-14 21:22      1152304      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\Sybase10\dbtool10.dll
2010-07-02 06:26 . 2010-05-14 21:22      856880      ----a-w-      c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 10.0\Components\SyncMgr\OCD\dblgen11.dll
2010-06-30 12:31 . 2003-03-31 12:00      149504      ----a-w-      c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2003-03-31 12:00      916480      ----a-w-      c:\windows\system32\wininet.dll
2010-06-23 20:36 . 2009-04-26 12:20      1324      ----a-w-      c:\windows\system32\d3d9caps.dat
2010-06-23 13:44 . 2003-03-31 12:00      1851904      ----a-w-      c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2003-03-31 12:00      354304      ----a-w-      c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2003-03-31 12:00      80384      ----a-w-      c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2009-04-03 20:09      744448      ----a-w-      c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-14 07:41 . 2003-03-31 12:00      1172480      ----a-w-      c:\windows\system32\msxml3.dll
2010-06-22 00:08 . 2009-04-03 20:21      119808      ----a-w-      c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-04-03 21:57 . 2009-04-03 20:54      56      --sh--r-      c:\windows\system32\57DE56C7FE.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
"SoundMan"="SOUNDMAN.EXE" [2008-06-18 77824]
"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 2808832]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-22 30192]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-26 13570048]
"nwiz"="nwiz.exe" [2008-07-26 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-26 86016]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-01-27 1337608]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-09-02 6300480]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2009-4-3 221251]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-3-24 1154848]
Suitcase 11.0.lnk - c:\windows\Installer\{7451C9B5-3E10-4E59-AD37-AB7438D84288}\_01D57C9244869186542E24.exe [2009-4-3 9062]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute      REG_MULTI_SZ         autocheck autochk *\0bootdelete

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Web Connector.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Web Connector.lnk
backup=c:\windows\pss\QuickBooks Web Connector.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2004-12-14 07:12      483328      ----a-w-      c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2007-04-20 22:51      140832      ----a-w-      c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2007-04-20 22:57      1866368      ----a-w-      c:\program files\Acronis\TrueImageServer\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act! Preloader]
2006-04-05 21:53      1015808      ----a-w-      c:\program files\ACT\ACT for Windows\Act8.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTSchedulerUI]
2009-04-16 19:52      638976      ------w-      c:\program files\ACT\ACT for Windows\Act.Scheduler.UI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 11:58      611712      ----a-w-      c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
2007-03-22 23:29      39264      ----a-w-      c:\progra~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
2010-01-27 05:04      1337608      ----a-w-      c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 05:10      142120      ----a-w-      c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 10:42      1695232      ------w-      c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50      155648      ----a-w-      c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53      421888      ----a-w-      c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2007-04-20 22:49      1129400      ----a-w-      c:\program files\Acronis\TrueImageServer\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
2006-06-18 19:56      712704      ----a-w-      c:\program files\UltraVNC\winvnc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15000:UDP"= 15000:UDP:Kaspersky Administration Kit
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/4/2009 11:34 AM 28552]
R2 klnagent;Kaspersky Network Agent;c:\program files\Kaspersky Lab\NetworkAgent\klnagent.exe [3/17/2008 6:19 PM 94608]
R2 MSSQL$ACT7;MSSQL$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 --> c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 [?]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [4/3/2009 5:03 PM 6016]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/30/2007 6:49 PM 24344]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [4/3/2009 4:21 PM 30192]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [8/10/2010 4:38 PM 16968]
S3 SQLAgent$ACT7;SQLAgent$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7 --> c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7 [?]
S4 QuickBooksDB19;QuickBooksDB19;c:\progra~1\Intuit\QUICKB~1.0\QBDBMgrN.exe -hvQuickBooksDB19 --> c:\progra~1\Intuit\QUICKB~1.0\QBDBMgrN.exe -hvQuickBooksDB19 [?]
.
Contents of the 'Scheduled Tasks' folder

2010-08-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {2A228AB5-BA96-4D74-A365-DA99D18446BA} = 10.0.0.2
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks Enterprise Solutions 9.0\HelpAsyncPluggableProtocol.dll
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks Enterprise Solutions 9.0\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\documents and settings\jpfulton\Application Data\Mozilla\Firefox\Profiles\ouk0f0vq.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\jpfulton\Application Data\Mozilla\Firefox\Profiles\ouk0f0vq.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\documents and settings\jpfulton\Application Data\Move Networks\plugins\npqmp071706000001.dll
FF - plugin: c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\browser\nppdf32.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-03 08:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1184)
c:\windows\system32\klogon.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(1240)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(2900)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\RTHDCPL.EXE
c:\windows\SOUNDMAN.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
.
**************************************************************************
.
Completion time: 2010-09-03  08:04:45 - machine was rebooted
ComboFix-quarantined-files.txt  2010-09-03 12:04
ComboFix2.txt  2010-09-02 20:59

Pre-Run: 77,647,863,808 bytes free
Post-Run: 77,572,694,016 bytes free

- - End Of File - - D68F2D573C7BDAB16BAB4207E9A6F1A7
0
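A first triage pass over a ComboFix log like the one above, added here as an example and not a tool from the thread or from ComboFix itself: it pulls system+hidden files under system32 out of the Find3M section, a disabled Windows Firewall and globally open remote-admin ports out of the firewall policy keys, and catchme's hidden-file count, so a defender knows what to review first. The excerpt is copied from the posted log; the remote-admin port list and the "system+hidden under system32" heuristic are assumptions of this example, and a hit means "look at it", not "malicious".

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    kind: str    # triage category
    detail: str  # the path, value or port that triggered it

# Find3M line: "<modified> . <created>  <size>  <attrs>  <path>"; the attrs
# column reads like "--sha-w-" ('d' dir, 's' system, 'h' hidden, 'a' archive).
FIND3M_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+(\S+)\s+([-\w]{8})\s+(.+)$")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')
CATCHME_RE = re.compile(r"^hidden files:\s*(\d+)$")

# Ports whose global firewall exception allows remote control (assumed list).
REMOTE_ADMIN_PORTS = {23: "Telnet", 3389: "RDP", 5900: "VNC"}

# Excerpt copied from the ComboFix log posted above (Find3M, firewall keys, catchme).
CF_EXCERPT = r"""
2010-09-03 12:02 . 2009-04-04 02:53      128199712      --sha-w-      c:\windows\system32\drivers\fidbox.dat
2010-09-02 12:11 . 2009-04-03 20:54      1682      --sha-w-      c:\windows\system32\KGyGaAvL.sys
2010-06-30 12:31 . 2003-03-31 12:00      149504      ----a-w-      c:\windows\system32\schannel.dll
2009-04-03 21:57 . 2009-04-03 20:54      56      --sh--r-      c:\windows\system32\57DE56C7FE.sys
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15000:UDP"= 15000:UDP:Kaspersky Administration Kit
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4
hidden files: 0
"""


def triage(log_text: str) -> List[Finding]:
    """Return the review items found in a ComboFix-style log, in log order."""
    findings: List[Finding] = []
    current_key = ""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FIND3M_RE.match(line)
        if m:
            size, attrs, path = m.groups()
            # system+hidden is unusual for a file in system32: review it first
            if ("s" in attrs and "h" in attrs and not attrs.startswith("d")
                    and path.lower().startswith(r"c:\windows\system32")):
                findings.append(Finding("hidden-system-file", f"{path} ({size} bytes, {attrs})"))
            continue
        m = REG_KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()  # values below belong to this key
            continue
        m = REG_VALUE_RE.match(line)
        if m:
            name, value = m.groups()
            if (name == "EnableFirewall" and value.startswith("0")
                    and current_key.endswith("firewallpolicy\\standardprofile")):
                findings.append(Finding("firewall-disabled", f"{current_key}: EnableFirewall={value}"))
            elif "globallyopenports" in current_key:
                port, _, proto = name.partition(":")
                if port.isdigit() and int(port) in REMOTE_ADMIN_PORTS:
                    findings.append(Finding("open-port", f"{port}/{proto} ({REMOTE_ADMIN_PORTS[int(port)]})"))
            continue
        m = CATCHME_RE.match(line)
        if m and int(m.group(1)) > 0:
            findings.append(Finding("rootkit-hidden-files", f"catchme reported {m.group(1)} hidden files"))
    return findings
```

Running `triage(CF_EXCERPT)` on the excerpt yields three hidden-system-file items, the disabled firewall and the open 3389/TCP exception; catchme's "hidden files: 0" produces nothing.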
 

Author Comment

by:jpfulton
ID: 33599396
It looks like combofix did its job. I was then left with DHCP still not starting. Turns out I had to expand netbt.sys off of an XP install disc and copy it to system32\drivers. Next I checked on the reg entry for netbt and it was totally borked, so I exported the entry off of a working XP system and imported it onto mine. That did it. Next I tried to do some .NET updates on my computer. All updates were failing. I had to use some .NET Framework cleanup utility to remove all versions of .NET, then one at a time reinstall them starting with 1.1 and up to 4.0. Kind of a scary prospect considering the fact that a number of installed programs that I use rely on .NET 2.0. Finally I had to re-edit my hosts file and re-activate a program I have that relies on hosts for "special activation".

That's it. Thanks for your help. I'm giving you 350 b/c this was a tough one (at least in my opinion). Hopefully I'll be gone for a while. I think the problem may have been outdated flash and java versions resulting in drive by downloads.
0
 

Author Comment

by:jpfulton
ID: 33599404
Thanks!
0
 
LVL 22

Expert Comment

by:optoma
ID: 33600371
No prob and well done getting DHCP resolved!
What's strange is that CF restored an infected userinit.exe on that second run??


First log showed no sign of infection.
When you get a chance run Malwarebytes and full scan with your AV and let us know if anything detected.

BTW, Bittorrent is installed. Is it being used?
0
 

Author Comment

by:jpfulton
ID: 33600710
Will do. BitTorrent is indeed used. Is it an unsafe program? Do you suggest a different BT client or avoiding BT altogether?
0
 
LVL 22

Expert Comment

by:optoma
ID: 33600927
All torrents can potentially have an unsavory side effect, depending on their usage/what's downloaded.
For example, an mp3 downloaded may have a virus attached to it.
Not always the case, but the chances are higher with torrent applications like BitTorrent.
Using a multi-vendor online scanner like VirusTotal to scan any downloads is helpful, or install its Uploader (quite handy):
http://www.virustotal.com/
http://www.virustotal.com/advanced.html

If that machine is a business machine or used for business-type applications, it's recommended to keep it separate from other usage such as the above :)
0
 

Author Comment

by:jpfulton
ID: 33600944
Ha, yeah, separate usage. Novel concept. Thanks for the tip!
0
 
LVL 22

Expert Comment

by:optoma
ID: 33600963
NP.
Check out VT Uploader!
0
