
"newgenerationp.com/x" and "oldschoolzzz.com.x"


This topic is locked
40 replies to this topic

#1 CaseyJ000 (New Member)

  • Members
  • 48 posts

Posted 19 June 2012 - 11:31 PM

I'm getting ESET alerts on my wife's computer running Windows XP

blocking "newgenerationp.com/x" and "oldschoolzzz.com.x"

ESET keeps giving alerts that the computer needs to be updated, but I see the updates have been failing for several days. And they failed when I tried.

Malwarebytes is showing nothing now. I deleted a trojan earlier today.

I know I should post some logs first, but if anyone has any suggestions of what to start with let me know.

#2 Maniac (Forum Deity)

  • Experts
  • 21,392 posts
  • Gender: Male
  • Location: Bulgaria, EU

Posted 20 June 2012 - 06:02 AM

Hello CaseyJ000! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:
  • If you are a paying customer, you have the privilege to contact the help desk at support@malwarebytes.org or here (http://helpdesk.malwarebytes.org/home). If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

Please follow the instructions here:
http://forums.malwar...?showtopic=9573

Post the log files when you are ready.
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

#3 CaseyJ000 (New Member)

  • Members
  • 48 posts

Posted 20 June 2012 - 08:27 AM

Hi Maniac,
I saw your posts on Techmonkey.com related to this trojan. I've already run TDSSKiller because I saw the info about blue screens probably coming soon, and hadn't heard back from anyone. My apologies. So I have those logs too.

MBAM
Malwarebytes Anti-Malware (PRO) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.19.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Frances :: JIM2-88XVZV9YF [administrator]

Protection: Disabled

6/19/2012 10:26:25 PM
mbam-log-2012-06-19 (22-26-25).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 417013
Time elapsed: 2 hour(s), 28 minute(s), 16 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

dds.txt

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_33
Run by Frances at 6:00:33 on 2012-06-20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.278 [GMT -7:00]
.
AV: ESET Smart Security 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
svchost.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\frxhser.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\frxhapp.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\Office\Winword.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [frxmxins] frxmxins
mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [FGLRXDetectPnPMonitor] rundll32 fglrxmon.dll,MonitorDetect
StartupFolder: c:\docume~1\frances\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.clarkcolor.com/ClarkActivia.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://aon.webex.com/client/T25L10NSP41EP7/webex/ieatgpc.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{7A7E11BE-51A3-42F3-8CDD-67FC3AD14385} : DhcpNameServer = 192.168.1.254
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\frances\application data\mozilla\firefox\profiles\pi4kvmcf.default\
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-7-29 115008]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2010-8-12 810144]
R2 FGLRXUtil;FGLRXUTIL;c:\windows\system32\frxhser.exe [2005-1-16 53248]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-5-14 654408]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-5-14 22344]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-6-19 40776]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\frances\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\frances\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\frances\locals~1\temp\sas_selfextract\saskutil.sys --> c:\docume~1\frances\locals~1\temp\sas_selfextract\SASKUTIL.SYS [?]
S2 PPPoEService;PPPoE Service;c:\progra~1\nts\entern~1\app\pppoeservice.exe --> c:\progra~1\nts\entern~1\app\pppoeservice.exe [?]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-2-29 158856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-29 257696]
S3 atifglrx;atifglrx;c:\windows\system32\drivers\fglrxm.sys [2005-1-16 417061]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-29 129976]
.
=============== Created Last 30 ================
.
2012-06-20 05:26:06 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-06-20 05:15:19 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-20 04:52:34 -------- d-----w- C:\TDSSKiller_Quarantine
2012-06-16 14:32:56 -------- d-----w- c:\documents and settings\frances\application data\AdobeAUM
2012-06-16 14:29:31 5632 ----a-w- c:\windows\system32\ptpusb.dll
2012-06-16 14:29:30 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2012-06-16 14:29:30 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2012-06-16 14:29:29 159232 ----a-w- c:\windows\system32\ptpusd.dll
2012-06-13 02:25:34 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-06-13 02:25:34 476936 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-05-30 01:58:31 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-29 14:49:32 -------- d-----w- c:\program files\Mozilla Maintenance Service
.
==================== Find3M ====================
.
2012-06-13 02:25:02 472840 ----a-w- c:\windows\system32\deployJava1.dll
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-30 02:01:24 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20:33 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42:33 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ------w- c:\windows\system32\html.iec
2012-05-04 13:12:30 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-04 22:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 6:01:40.56 ===============


.Extras.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 1/16/2005 12:43:54 PM
System Uptime: 6/19/2012 10:20:10 PM (8 hours ago)
.
Motherboard: Dell Computer Corp. | |
Processor: Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2784/533mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 74 GiB total, 31.087 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 699 GiB total, 637.908 GiB free.
G: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP287: 3/23/2012 3:25:35 AM - System Checkpoint
RP288: 3/24/2012 4:25:35 AM - System Checkpoint
RP289: 3/25/2012 5:25:38 AM - System Checkpoint
RP290: 3/26/2012 8:12:52 AM - System Checkpoint
RP291: 3/27/2012 1:22:24 PM - System Checkpoint
RP292: 3/28/2012 1:50:02 PM - System Checkpoint
RP293: 3/29/2012 2:26:38 PM - System Checkpoint
RP294: 3/30/2012 2:42:12 PM - System Checkpoint
RP295: 3/31/2012 3:26:35 PM - System Checkpoint
RP296: 4/1/2012 3:27:39 PM - System Checkpoint
RP297: 4/2/2012 3:53:59 PM - System Checkpoint
RP298: 4/3/2012 3:56:22 PM - System Checkpoint
RP299: 4/4/2012 4:16:52 PM - System Checkpoint
RP300: 4/5/2012 4:22:39 PM - System Checkpoint
RP301: 4/6/2012 5:20:29 PM - System Checkpoint
RP302: 4/7/2012 5:41:34 PM - System Checkpoint
RP303: 4/8/2012 5:56:07 PM - System Checkpoint
RP304: 4/9/2012 6:08:07 PM - System Checkpoint
RP305: 4/10/2012 6:42:55 PM - System Checkpoint
RP306: 4/11/2012 8:50:12 AM - Software Distribution Service 3.0
RP307: 4/12/2012 10:01:33 AM - System Checkpoint
RP308: 4/13/2012 10:48:15 AM - System Checkpoint
RP309: 4/14/2012 8:25:44 PM - System Checkpoint
RP310: 4/15/2012 9:42:50 PM - System Checkpoint
RP311: 4/16/2012 9:47:08 PM - System Checkpoint
RP312: 4/17/2012 10:47:09 PM - System Checkpoint
RP313: 4/18/2012 11:11:20 PM - System Checkpoint
RP314: 4/19/2012 1:15:01 PM - Installed QuickTime
RP315: 4/20/2012 1:24:07 PM - System Checkpoint
RP316: 4/21/2012 2:23:56 PM - System Checkpoint
RP317: 4/22/2012 3:25:00 PM - System Checkpoint
RP318: 4/23/2012 4:23:55 PM - System Checkpoint
RP319: 4/24/2012 5:20:14 PM - System Checkpoint
RP320: 4/25/2012 6:30:50 PM - System Checkpoint
RP321: 4/26/2012 7:21:19 PM - System Checkpoint
RP322: 4/27/2012 7:43:38 PM - System Checkpoint
RP323: 4/28/2012 8:37:59 PM - System Checkpoint
RP324: 4/29/2012 9:37:58 PM - System Checkpoint
RP325: 4/30/2012 10:07:20 PM - System Checkpoint
RP326: 5/1/2012 10:36:38 PM - System Checkpoint
RP327: 5/2/2012 10:59:15 PM - System Checkpoint
RP328: 5/3/2012 11:59:14 PM - System Checkpoint
RP329: 5/5/2012 12:59:19 AM - System Checkpoint
RP330: 5/6/2012 1:59:15 AM - System Checkpoint
RP331: 5/7/2012 2:50:19 AM - System Checkpoint
RP332: 5/8/2012 3:50:18 AM - System Checkpoint
RP333: 5/9/2012 4:50:20 AM - System Checkpoint
RP334: 5/10/2012 8:57:12 AM - System Checkpoint
RP335: 5/10/2012 1:13:35 PM - Software Distribution Service 3.0
RP336: 5/11/2012 1:30:29 PM - System Checkpoint
RP337: 5/12/2012 1:52:39 PM - System Checkpoint
RP338: 5/13/2012 2:40:36 PM - System Checkpoint
RP339: 5/14/2012 3:15:29 PM - System Checkpoint
RP340: 5/15/2012 3:43:46 PM - System Checkpoint
RP341: 5/16/2012 4:42:09 PM - System Checkpoint
RP342: 5/17/2012 5:30:11 PM - System Checkpoint
RP343: 5/18/2012 5:43:41 PM - System Checkpoint
RP344: 5/19/2012 6:30:10 PM - System Checkpoint
RP345: 5/20/2012 7:30:08 PM - System Checkpoint
RP346: 5/21/2012 8:07:08 PM - System Checkpoint
RP347: 5/22/2012 8:42:21 PM - System Checkpoint
RP348: 5/23/2012 8:42:41 PM - System Checkpoint
RP349: 5/24/2012 8:43:48 PM - System Checkpoint
RP350: 5/25/2012 9:20:43 PM - System Checkpoint
RP351: 5/26/2012 10:20:45 PM - System Checkpoint
RP352: 5/27/2012 11:20:44 PM - System Checkpoint
RP353: 5/28/2012 11:27:32 PM - System Checkpoint
RP354: 5/29/2012 11:40:20 PM - System Checkpoint
RP355: 5/30/2012 11:58:35 PM - System Checkpoint
RP356: 6/1/2012 12:58:36 AM - System Checkpoint
RP357: 6/2/2012 6:56:36 AM - System Checkpoint
RP358: 6/3/2012 7:54:39 AM - System Checkpoint
RP359: 6/4/2012 7:50:42 PM - System Checkpoint
RP360: 6/5/2012 8:50:30 PM - System Checkpoint
RP361: 6/6/2012 9:38:21 PM - System Checkpoint
RP362: 6/7/2012 10:38:20 PM - System Checkpoint
RP363: 6/8/2012 10:59:34 PM - System Checkpoint
RP364: 6/9/2012 11:57:51 PM - System Checkpoint
RP365: 6/11/2012 12:05:40 AM - System Checkpoint
RP366: 6/12/2012 12:12:42 AM - System Checkpoint
RP367: 6/12/2012 7:24:08 PM - Removed Java™ 6 Update 26
RP368: 6/12/2012 7:24:49 PM - Installed Java™ 6 Update 33
RP369: 6/13/2012 8:11:58 PM - Software Distribution Service 3.0
RP370: 6/14/2012 8:23:23 PM - System Checkpoint
RP371: 6/15/2012 9:07:50 PM - System Checkpoint
RP372: 6/16/2012 9:37:07 PM - System Checkpoint
RP373: 6/17/2012 10:21:14 PM - System Checkpoint
RP374: 6/18/2012 10:35:53 PM - System Checkpoint
RP375: 6/19/2012 10:15:38 PM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
2Wire Wireless Client
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader X (10.1.3)
Apple Application Support
Apple Software Update
AT&T Yahoo! High Speed Internet Home Networking Installer
ATI - Software Uninstall Utility
ATI Display Driver
Canon iP2600 series
Canon iP2600 series User Registration
Canon My Printer
Canon Utilities Easy-PhotoPrint EX
Canon Utilities Solution Menu
Critical Update for Windows Media Player 11 (KB959772)
Dell Driver Download Manager
Dell ResourceCD
Drive Manager
ESET Online Scanner v3
ESET Smart Security
GoToAssist Corporate
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel® PRO Ethernet Adapter and Software
iTunes
Java Auto Updater
Java™ 6 Update 33
Junk Mail filter update
Malwarebytes Anti-Malware version 1.61.0.1400
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Excel 97
Microsoft IntelliPoint 7.1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Word 97
Mozilla Firefox 12.0 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSXML 6 Service Pack 2 (KB954459)
Norton SystemWorks
Picture Package Music Transfer
QuickTime
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
Skype™ 5.8
Sony Picture Utility
SpywareBlaster 4.6
Symantec Technical Support Web Controls
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2718704)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebEx
WebFldrs XP
Windows 7 Upgrade Advisor
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
6/19/2012 9:46:16 AM, error: Print [6161] - The document http://msn.careerbui...terviewing-The- owned by Frances failed to print on printer Canon iP2600 series. Data type: NT EMF 1.008. Size of the spool file in bytes: 115608. Number of bytes printed: 115440. Total number of pages in the document: 1. Number of pages printed: 0. Client machine: \\JIM2-88XVZV9YF. Win32 error code returned by the print processor: 0 (0x0).
6/19/2012 9:44:44 AM, error: Print [6161] - The document http://msn.careerbui...terviewing-The- owned by Frances failed to print on printer Canon iP2600 series. Data type: NT EMF 1.008. Size of the spool file in bytes: 196608. Number of bytes printed: 115440. Total number of pages in the document: 1. Number of pages printed: 0. Client machine: \\JIM2-88XVZV9YF. Win32 error code returned by the print processor: 0 (0x0).
6/19/2012 9:00:46 PM, error: Print [6161] - The document https://hrjobs.trave...E/HRMS/c/HRS_HR owned by Frances failed to print on printer Canon iP2600 series. Data type: NT EMF 1.008. Size of the spool file in bytes: 196608. Number of bytes printed: 39100. Total number of pages in the document: 2. Number of pages printed: 0. Client machine: \\JIM2-88XVZV9YF. Win32 error code returned by the print processor: 0 (0x0).
6/15/2012 10:33:32 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Lbd SASDIFSV SASKUTIL
6/15/2012 10:33:32 PM, error: Service Control Manager [7000] - The iPodService service failed to start due to the following error: %1 is not a valid Win32 application.
6/15/2012 10:33:32 PM, error: DCOM [10005] - DCOM got error "%193" attempting to start the service iPodService with arguments "-Service" in order to run the server: {7A7FB085-6068-4898-8CCA-480A9187277C}
6/15/2012 10:33:31 PM, error: Service Control Manager [7000] - The Upload Manager service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
6/15/2012 10:33:31 PM, error: Service Control Manager [7000] - The PPPoE Service service failed to start due to the following error: The system cannot find the file specified.
.
==== End Of File ===========================




#4 Maniac (Forum Deity, Experts, 21,392 posts, Bulgaria, EU)

Posted 20 June 2012 - 08:31 AM

BACKDOOR WARNING


One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Help: I Got Hacked. Now What Do I Do?
Help: I Got Hacked. Now What Do I Do? Part II
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here paypal.gif

#5 CaseyJ000 (New Member, Members, 48 posts)

Posted 20 June 2012 - 09:20 AM

Here's the Combofix log.
I guess we will install Windows 7. (Temporarily, can I use something like Sandboxie until we get the OS? I'll probably have my wife on Sandboxie after we install the OS. If it's the dumbest thing you've ever heard let me know.) We won't do any banking or credit card use on this computer until this is changed.

Is there a possibility the Backdoor Trojan can get into other computers on a hardwire router? If so I can't have her change passwords on my computer.

Is her iPhone somewhat safe because it is a Mac?
Thanks!

ESET first detected bad websites on 5/8/12. I imagine System Restore is fully infected.




ComboFix 12-06-20.01 - Frances 06/20/2012 6:53.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.534 [GMT -7:00]
Running from: c:\documents and settings\Frances\Desktop\ComboFix.exe
AV: ESET Smart Security 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\DFC5A2B2.TMP
c:\windows\_detmp.2
.
.
((((((((((((((((((((((((( Files Created from 2012-05-20 to 2012-06-20 )))))))))))))))))))))))))))))))
.
.
2012-06-20 05:15 . 2012-05-11 14:42 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-20 04:52 . 2012-06-20 05:11 -------- d-----w- C:\TDSSKiller_Quarantine
2012-06-16 14:32 . 2012-06-16 14:32 -------- d-----w- c:\documents and settings\Frances\Application Data\AdobeAUM
2012-06-16 14:29 . 2001-08-18 05:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2012-06-16 14:29 . 2008-04-13 18:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2012-06-16 14:29 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2012-06-16 14:29 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2012-06-13 02:25 . 2012-06-13 02:25 -------- d-----w- c:\program files\Common Files\Java
2012-06-13 02:25 . 2012-06-13 02:25 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-06-13 02:25 . 2012-06-13 02:25 476936 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-05-30 01:58 . 2012-05-30 02:01 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-29 14:49 . 2012-05-29 14:49 -------- d-----w- c:\program files\Mozilla Maintenance Service
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-13 02:25 . 2011-01-16 17:12 472840 ----a-w- c:\windows\system32\deployJava1.dll
2012-05-31 13:22 . 2008-09-13 14:58 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-30 02:01 . 2011-07-16 17:21 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-16 15:08 . 2004-08-24 03:32 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2008-09-13 14:57 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42 . 2002-09-03 19:42 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2002-09-03 19:40 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2008-09-13 15:00 385024 ------w- c:\windows\system32\html.iec
2012-05-04 13:12 . 2008-09-13 14:57 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2008-09-13 14:57 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2008-09-13 14:57 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-04 22:56 . 2011-05-15 00:50 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-21 01:19 . 2012-05-29 14:48 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"frxmxins"="frxmxins" [X]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-10 169328]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-11-12 1468256]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2010-08-12 2215064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-10-18 278528]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FGLRXDetectPnPMonitor"="fglrxmon.dll" [2003-09-17 307200]
.
c:\documents and settings\Frances\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2008-9-26 385024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-05-17 02:24 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [7/29/2010 1:31 PM 115008]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [8/12/2010 2:16 PM 810144]
R2 FGLRXUtil;FGLRXUTIL;c:\windows\system32\frxhser.exe [1/16/2005 1:59 PM 53248]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/14/2011 5:50 PM 654408]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/14/2011 5:50 PM 22344]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Frances\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Frances\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Frances\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\Frances\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S2 PPPoEService;PPPoE Service;c:\progra~1\NTS\ENTERN~1\app\pppoeservice.exe --> c:\progra~1\NTS\ENTERN~1\app\pppoeservice.exe [?]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2/29/2012 8:50 AM 158856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [5/29/2012 6:58 PM 257696]
S3 atifglrx;atifglrx;c:\windows\system32\drivers\fglrxm.sys [1/16/2005 1:59 PM 417061]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/29/2012 7:49 AM 129976]
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-30 02:01]
.
2012-06-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
TCP: DhcpNameServer = 192.168.1.254
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Frances\Application Data\Mozilla\Firefox\Profiles\pi4kvmcf.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-20 07:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(940)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\615\G2AWinLogon.dll
c:\windows\system32\FRXHDLL.DLL
.
Completion time: 2012-06-20 07:07:10
ComboFix-quarantined-files.txt 2012-06-20 14:07
.
Pre-Run: 33,240,498,176 bytes free
Post-Run: 34,392,760,320 bytes free
.
- - End Of File - - 0879C58C21D3CA7FB475844B8DF69923
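As an added example (not code from ComboFix or from anyone in this thread), a small Python audit over the "Reg Loading Points" section of a ComboFix log like the one above, flagging what a responder would check first: Security Center monitoring switched off, the Windows Firewall disabled for a profile, firewall exceptions, and autorun entries marked [X]. The sample log text is constructed from the lines posted above, and the reading of [X] as "file not found" is an assumption about ComboFix's log convention.

```python
"""Flag risky settings in the 'Reg Loading Points' section of a ComboFix log.

Added example, not code from ComboFix or from anyone in this thread.
The [X] reading (file not found) is an assumption about ComboFix's convention.
"""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the registry lines of the log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"frxmxins"="frxmxins" [X]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2010-08-12 2215064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iTunes\\iTunes.exe"=
"""

ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')


@dataclass
class Finding:
    key: str
    name: str
    reason: str


def parse_reg_lines(text):
    """Yield (key, name, value) for every '"name"=value' line under a [key] header."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = ENTRY_RE.match(line)
        if m and key is not None:
            yield key, m.group("name"), m.group("value").strip()


def dword_is_set(value):
    """True when a ComboFix value such as 'dword:00000001' or '1 (0x1)' is non-zero."""
    v = value.strip().lower()
    if v.startswith("dword:"):
        return int(v[len("dword:"):], 16) != 0
    m = re.match(r"(\d+)", v)
    return m is not None and int(m.group(1)) != 0


def audit(text):
    """Return the findings a responder would check first in this section."""
    findings = []
    for key, name, value in parse_reg_lines(text):
        k, n = key.lower(), name.lower()
        if "security center\\monitoring" in k and n == "disablemonitoring" and dword_is_set(value):
            # Security Center will no longer warn when AV or firewall status changes.
            findings.append(Finding(key, name, "Security Center monitoring disabled"))
        elif "firewallpolicy" in k and n == "enablefirewall" and not dword_is_set(value):
            # Expected when a third-party firewall (here ESET's) replaces the Windows one;
            # otherwise the host has no firewall at all. Confirm, do not assume.
            profile = key.rsplit("\\", 1)[-1]
            findings.append(Finding(key, name, f"Windows Firewall disabled for {profile}"))
        elif "authorizedapplications" in k:
            # Every listed program may accept inbound connections through the firewall.
            findings.append(Finding(key, name, "firewall exception for this program"))
        elif (k.endswith("\\run") or k.endswith("\\runonce")) and value.endswith("[X]"):
            # [X] taken to mean ComboFix could not find the file (assumption): an orphaned
            # loader, or a removed malware component still referenced at logon.
            findings.append(Finding(key, name, "autorun entry whose file is missing ([X])"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.reason}: {f.name}  [{f.key}]")
```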

#6 Maniac (Forum Deity, Experts, 21,392 posts, Bulgaria, EU)

Posted 20 June 2012 - 05:08 PM

Temporarily, can I use something like Sandboxie until we get the OS?


Makes no sense unless you clean the system, i.e. you have nothing to keep; you have a compromised system.

Is there a possibility the Backdoor Trojan can get into other computers on a hardwire router?


No, there isn't.

Is her iPhone somewhat safe because it is a Mac?


First, your home network is not infected. Second, her iPhone has another mobile operating system - iOS. There are things in times other than Windows OS, so there is absolutely no chance of being infected, even if your network was damaged.


Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

Click the cog in the upper right

Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan

Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press Save button
Save it to your desktop and post it in your next reply.

#7 CaseyJ000 (New Member, Members, 48 posts)

Posted 21 June 2012 - 09:19 PM

Hi Maniac,

I did this scan with the internet connected. I don't know if that was okay. Let me know if you need me to do it again. I was wondering how to ensure the data was clean when we put the new operating system in. At some point the other day we got some sort of Java update box and I guess it was probably fake based on this report. I'd been doing a lot of Java updates since I was advised to do it in another thread here. I didn't realize the trojan was active.

Status: Deleted (events: 6)
6/21/2012 7:30:17 AM Deleted Trojan program Rootkit.Boot.Pihar.b C:\TDSSKiller_Quarantine\19.06.2012_21.49.43\mbr0000\mbr0000\tsk0000.dta High
6/21/2012 7:30:17 AM Deleted Trojan program Rootkit.Boot.Pihar.b C:\TDSSKiller_Quarantine\19.06.2012_21.49.43\mbr0000\mbr0000\tsk0000.dta//HDDImage High
6/21/2012 7:32:46 AM Deleted Trojan program Rootkit.Boot.Pihar.b C:\TDSSKiller_Quarantine\19.06.2012_21.49.43\mbr0000\mbr0000\tsk0001.dta//mbr//HDDImage High
6/21/2012 7:32:46 AM Deleted Trojan program Rootkit.Boot.Pihar.b C:\TDSSKiller_Quarantine\19.06.2012_21.49.43\mbr0000\mbr0000\tsk0001.dta//vbr0 High
6/21/2012 7:32:46 AM Deleted Trojan program Rootkit.Boot.Pihar.b C:\TDSSKiller_Quarantine\19.06.2012_21.49.43\mbr0000\mbr0000\tsk0001.dta//mbr High
6/21/2012 7:32:46 AM Deleted Trojan program Rootkit.Boot.Pihar.b C:\TDSSKiller_Quarantine\19.06.2012_21.49.43\mbr0000\mbr0000\tsk0001.dta High
Status: Disinfected (events: 10)
6/21/2012 8:53:38 AM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.eh E:\Backup\backup5_15_11\Local Disk (C)\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\32\5b0c2160-2e1bee54/durdom/huiak.class High
6/21/2012 8:53:38 AM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.eh E:\Backup\backup5_15_11\Local Disk (C)\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\36\205b5264-63832b5f/durdom/huiak.class High
6/21/2012 8:53:39 AM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.eh E:\Backup\backup5_15_11\Local Disk (C)\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\38\1d3809e6-5c7776ca/durdom/huiak.class High
6/21/2012 8:53:38 AM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.eh E:\Backup\backup5_15_11\Local Disk (C)\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\32\5b0c2160-2e1bee54 High
6/21/2012 8:53:39 AM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.eh E:\Backup\backup5_15_11\Local Disk (C)\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\36\205b5264-63832b5f High
6/21/2012 8:53:39 AM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.eh E:\Backup\backup5_15_11\Local Disk (C)\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\38\1d3809e6-5c7776ca High
6/21/2012 8:53:43 AM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.eh E:\Backup\backup5_15_11\Local Disk (C)\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\39\45ba72e7-1e7fb920/durdom/huiak.class High
6/21/2012 8:53:43 AM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.eh E:\Backup\backup5_15_11\Local Disk (C)\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\50\4e6a9e72-3047fa74/durdom/huiak.class High
6/21/2012 8:53:43 AM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.eh E:\Backup\backup5_15_11\Local Disk (C)\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\39\45ba72e7-1e7fb920 High
6/21/2012 8:53:43 AM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.eh E:\Backup\backup5_15_11\Local Disk (C)\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\50\4e6a9e72-3047fa74 High

#8 Maniac (Forum Deity, Experts, 21,392 posts, Bulgaria, EU)

Posted 22 June 2012 - 05:56 AM

To ensure that everything is okay, it is important to do a full format of the hard drive and install everything again.

How are things now?

#9 CaseyJ000 (New Member, Members, 48 posts)

Posted 22 June 2012 - 08:57 AM

I'm going to have to assemble the passwords and things for the software and buy the OS. It may take me a while to get everything together.
One of the articles you recommended says these Rootkit Backdoor Trojans could be hidden in stored emails and pictures. I guess anything is possible at this point. I'm a bit worried about that. What do you think?

#10 Maniac (Forum Deity, Experts, 21,392 posts, Bulgaria, EU)

Posted 22 June 2012 - 09:28 AM

If you have any doubts about any file you can upload it to www.virustotal.com and it will be scanned by more than 40 antivirus programs.

#11 CaseyJ000 (New Member, Members, 48 posts)

Posted 22 June 2012 - 10:22 AM

Giant problems now. Computer is not allowing AVG scan to be downloaded but I'm going to try to put it on from a USB. It keeps changing all the folders, even desktop, to read only.

#12 Maniac (Forum Deity, Experts, 21,392 posts, Bulgaria, EU)

Posted 22 June 2012 - 10:25 AM

Why do you need AVG? You should not use a USB flash drive without it being secured! What are you doing now?

#13 CaseyJ000 (New Member, Members, 48 posts)

Posted 22 June 2012 - 10:31 AM

Installing AVG in safe mode. Wife opened email. Computer went crazy. Have to leave for work. Running Kaspersky in Safe Mode now.

#14 Maniac (Forum Deity, Experts, 21,392 posts, Bulgaria, EU)

Posted 22 June 2012 - 10:33 AM

Did you uninstall ESET Smart Security before installing AVG? Why did you do that without my instructions? I suggest you re-install your system, because I don't know what you are doing there and why. The whole procedure is passing without my participation.

#15 CaseyJ000 (New Member, Members, 48 posts)

Posted 22 June 2012 - 10:35 AM

I just wanted to stabilize it because it changed everything to "read only." It'll take 3 hours to rescan, but I assume Trojan will still be in email. Computer is unplugged from internet.
I guess I'll have to start reformatting when I get home. Some passwords may be in emails; probably not, probably on my machine.

#16 Maniac (Forum Deity, Experts, 21,392 posts, Bulgaria, EU)

Posted 22 June 2012 - 10:38 AM

Before re-installing, make sure your data is not infected. As I suggested, if you think that any file is infected, upload it to www.virustotal.com and you will see.
http://forums.malwar...ndpost&p=563260

#17 CaseyJ000 (New Member, Members, 48 posts)

Posted 22 June 2012 - 10:38 AM

I didn't uninstall ESET by the way, and I looked at it right before my wife opened the email and it said everything was fine.
The AVG scan notes a lot of files as password protected now, and when I did it before. I don't know where that log is but I imagine the trojan is in those too.

#18 Maniac (Forum Deity, Experts, 21,392 posts, Bulgaria, EU)

Posted 22 June 2012 - 10:49 AM

Anti-Virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash. If you choose to install more than one Anti-Virus program on your computer, then only one of them should be active in memory at a time. Your system currently has a mess, a very serious mess, so you should immediately re-install it.

#19 CaseyJ000 (New Member, Members, 48 posts)

Posted 22 June 2012 - 11:01 AM

Immediately reinstall what? The OS? I think we might be having a bit of trouble understanding each other. We've been running ESET and Malwarebytes for a long time. As I said, ESET and Malwarebytes were active just a few seconds ago when the trojan took control of the computer.
I'll be in touch, I have to go and I'll have to work on this when I get home. I'll check into the forum to see what you say.
Sorry, I was afraid all the data would be lost if I didn't run AVG again. ESET and Malwarebytes are getting tricked by this. We had the 2011 AntiVirus malware on this computer last year and it was a major problem to save my wife's emails because the virus changed almost everything to "read only".
Thanks for the help, I'll take care of you.
Best Wishes.

#20 Maniac (Forum Deity, Experts, 21,392 posts, Bulgaria, EU)

Posted 22 June 2012 - 12:04 PM

If you want to proceed with our work here, post a new fresh DDS log file and describe what your problems are now. Don't do anything else.



