Possible Trojan

Post by carol_br » July 14th, 2008, 1:54 pm

Dear Helpers,

Norton Internet Security (v. 10.4.0.13) has been popping up on one of my household's computers, warning about what seems to be a trojan. It immediately claims to have fixed it, but then it pops up again with the same problem. This has been going on for a couple of days. Reading Norton's log, the bug seems to be a certain cerwxfst.sys, but there is almost no information about it on the web.

I've run Spybot S&D and every time I check for errors there are 2 error messages about the Includes files Trojans.sbi and TrojansC.sbi.

The machine has been playing strange sounds and music bits even when no browsers or media players are open. We've checked the other 2 computers in the network and they seem to be clean. We're always very careful and have no idea where this could have come from.

Here is the HijackThis log:

=================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:39:15 PM, on 7/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\afinding.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Nobicyt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\wserving.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Seagate\AutoBackup\MemeoBackup.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: AutoBackup Launcher.lnk = C:\Program Files\Seagate\AutoBackup\MemeoLauncher.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoBackup Launcher.lnk = C:\Program Files\Seagate\AutoBackup\MemeoLauncher.exe (User 'Default user')
O4 - Startup: AutoBackup Launcher.lnk = C:\Program Files\Seagate\AutoBackup\MemeoLauncher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NOBICYT - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe

--
End of file - 9012 bytes

=================================================

TIA for any help.

Regards,

Carol
(Toronto, Canada)
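The O23 lines in the log above are where a helper looks first: four services with "Unknown owner" whose binaries sit in system32 under generic names (afinding.exe, Nobicyt.exe, perfs.exe, routing.exe, wserving.exe). The following script is an added example, not part of the thread or of HijackThis: it parses the "Running processes" block and the O23 lines and ranks unknown-owner services by whether the binary lives in the Windows directory and is currently running. The sample log is constructed from a few lines quoted above, and the scoring rules are my own heuristics.

```python
"""Triage helper for HijackThis v2 logs (added example, not from the thread).

Reads the 'Running processes' block and the O23 service lines of an HJT log
and flags services that a forum helper would examine first: services with no
vendor string ('Unknown owner'), especially when the binary sits in the
Windows directory and is currently running. The heuristics are my own; they
produce leads for a human to check, not verdicts.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed log in the format posted in the thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:39:15 PM, on 7/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\afinding.exe
C:\WINDOWS\system32\Nobicyt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\perfs.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe
O23 - Service: NOBICYT - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""

WINDIR_RE = re.compile(r"^[a-z]:\\windows\\")  # matched against lower-cased paths


@dataclass
class Service:
    display_name: str
    short_name: str
    owner: str
    path: str


@dataclass
class Finding:
    service: Service
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def parse_o23(line: str):
    """Parse one 'O23 - Service:' line into a Service, or None for other lines."""
    prefix = "O23 - Service: "
    if not line.startswith(prefix):
        return None
    # HJT writes '<display name> - <owner> - <path>'. Split from the right so
    # a dash inside the display name does not break the fields.
    parts = line[len(prefix):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    display, owner, path = (p.strip() for p in parts)
    match = re.search(r"\(([^()]+)\)\s*$", display)   # '(short name)' suffix
    short = match.group(1) if match else display
    return Service(display, short, owner, path)


def running_processes(text: str) -> set:
    """Return the lower-cased paths listed under 'Running processes:'."""
    procs, in_block = set(), False
    for line in text.splitlines():
        if line.startswith("Running processes:"):
            in_block = True
            continue
        if in_block:
            if not line.strip():       # a blank line ends the block
                break
            procs.add(line.strip().lower())
    return procs


def triage_services(text: str) -> list:
    """Flag O23 services with an unknown owner, strongest leads first."""
    procs = running_processes(text)
    findings = []
    for line in text.splitlines():
        svc = parse_o23(line.strip())
        if svc is None or svc.owner.lower() != "unknown owner":
            continue
        reasons = ["no vendor string (Unknown owner)"]
        lower_path = svc.path.lower()
        if WINDIR_RE.match(lower_path):
            reasons.append("binary is inside the Windows directory")
        if lower_path in procs:
            reasons.append("binary is currently running")
        findings.append(Finding(svc, reasons))
    return sorted(findings, key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage_services(SAMPLE_LOG):
        print(f"[{f.score}] {f.service.short_name}: {f.service.path}")
        for r in f.reasons:
            print("      -", r)
```

On the sample, the three system32 services score 3 and Symantec Core LC scores 1, which matches what the later Malwarebytes log confirms: vendor-less services in system32 were the infection, while the vendor-less Symantec entry was benign.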

Re: Possible Trojan

Post by Katana » July 17th, 2008, 9:56 pm

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe.

----------------------------------------------------------------------------------------


Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.


Installed Programs

Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list of the programs installed on your computer.
Click on the Save List button and specify where you would like to save this file.
When you press the Save button, a Notepad window will open with the contents of that file.
Simply copy and paste the contents of that Notepad window into your next post.

Logs/Information to Post in Reply
Please post the following logs/information in your reply:
  • MalwareBytes Log
  • ComboFix Log
  • A Fresh HJT Log
  • Installed Programs List

Re: Possible Trojan

Post by carol_br » July 18th, 2008, 1:18 am

Katana,

Here you are:

1- MalwareBytes Log
2- ComboFix Log
3- A Fresh HJT Log
4- Installed Programs List

# START #1 ####################################

Malwarebytes' Anti-Malware 1.20
Database version: 963
Windows 5.1.2600 Service Pack 2

12:26:33 AM 7/18/2008
mbam-log-7-18-2008 (00-26-33).txt

Scan type: Quick Scan
Objects scanned: 46618
Time elapsed: 7 minute(s), 53 second(s)

Memory Processes Infected: 4
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
C:\WINDOWS\system32\afinding.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\wserving.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\routing.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\perfs.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFinding (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Routing (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WServing (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\afinding (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\afinding (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wserving (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wserving (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\routing (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\routing (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\perfmons (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\perfmons (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\perfmons (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\User\Local Settings\Temp\GLB1DE.tmp (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\GLB1E4.tmp (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\GLB23.tmp (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\GLB6B.tmp (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\GLB7.tmp (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\afinding.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wserving.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\routing.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\perfs.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

# END #1 ######################################

# START #2 ####################################

ComboFix 08-07-15.4 - User 2008-07-18 0:52:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503 [GMT -4:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\tmp0_171153195941.bk
C:\WINDOWS\system32\tmp0_20235484672.bk
C:\WINDOWS\system32\tmp0_538394558174.bk
C:\WINDOWS\system32\tmp0_71739016973.bk
C:\WINDOWS\system32\tmp0_744438387727.bk
C:\WINDOWS\system32\tmp0_894347844614.bk
C:\WINDOWS\system32\tmp0_95981361480.bk
C:\WINDOWS\system32\tmp1_148005590319.bk
C:\WINDOWS\system32\tmp1_164333767124.bk
C:\WINDOWS\system32\tmp1_489786795380.bk
C:\WINDOWS\system32\tmp1_618878133062.bk
C:\WINDOWS\system32\tmp1_6845155738.bk
C:\WINDOWS\system32\tmp2_449061217373.bk
C:\WINDOWS\system32\tmp2_529918107449.bk
C:\WINDOWS\system32\tmp2_589734748995.bk
C:\WINDOWS\system32\tmp2_808821867693.bk
C:\WINDOWS\system32\tmp3_196086809826.bk
C:\WINDOWS\system32\tmp3_397758602653.bk
C:\WINDOWS\system32\tmp3_734712703076.bk
C:\WINDOWS\system32\tmp3_897440338548.bk
C:\WINDOWS\system32\tmp4_133040501533.bk
C:\WINDOWS\system32\tmp4_500176162287.bk
C:\WINDOWS\system32\tmp4_51666124.bk
C:\WINDOWS\system32\tmp4_8236413756.bk

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFINDING
-------\Legacy_PERFMONS
-------\Legacy_ROUTING
-------\Legacy_WSERVING


((((((((((((((((((((((((( Files Created from 2008-06-18 to 2008-07-18 )))))))))))))))))))))))))))))))
.

2008-07-18 00:16 . 2008-07-18 00:16 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-18 00:16 . 2008-07-18 00:16 <DIR> d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-07-18 00:16 . 2008-07-18 00:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-18 00:16 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-18 00:16 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-15 09:40 . 2008-07-15 09:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-15 09:37 . 2008-07-15 09:40 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-15 09:37 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-07-14 11:27 . 2008-07-14 11:30 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-14 11:27 . 2008-07-18 00:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-10 17:11 . 2008-07-10 17:11 94,208 --a------ C:\WINDOWS\DIIUnin.exe
2008-07-10 17:11 . 2008-07-10 17:24 35,564 --a------ C:\WINDOWS\DIIUnin.dat
2008-07-10 17:11 . 2008-07-10 17:11 2,829 --a------ C:\WINDOWS\DIIUnin.pif
2008-07-10 17:02 . 2008-07-17 18:33 <DIR> d-------- C:\Program Files\Diablo II

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-18 04:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-18 04:51 --------- d-----w C:\Documents and Settings\User\Application Data\Skype
2008-07-17 14:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-17 14:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-07-09 02:40 --------- d-----w C:\Documents and Settings\User\Application Data\Bioshock
2008-06-28 19:19 --------- d-----w C:\Documents and Settings\User\Application Data\uTorrent
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-17 21:19 --------- d-----w C:\Program Files\QuickTime
2008-06-17 21:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-15 14:36 --------- d-----w C:\Program Files\Apple Software Update
2008-06-15 14:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-06 23:05 --------- d--h--r C:\Documents and Settings\User\Application Data\SecuROM
2008-06-06 22:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-06 22:53 --------- d-----w C:\Program Files\2K Games
2008-06-03 18:30 --------- d-----w C:\Program Files\Last.fm
2008-06-03 02:43 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-03 02:43 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-03 02:43 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-03 02:43 --------- d-----w C:\Program Files\Symantec
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-03-26 07:07 228088]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-06-04 22:05 116328]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-06-26 01:00 771440]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"StxTrayMenu"="C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 14:20 190008]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-01-08 18:20 451896]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2008-01-18 11:32 451896]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 02:49 16126464 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
AutoBackup Launcher.lnk - C:\Program Files\Seagate\AutoBackup\MemeoLauncher.exe [2008-01-14 11:48:32 95456]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R2 NOBICYT;NOBICYT;C:\WINDOWS\system32\Nobicyt.exe [2006-02-28 08:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{825e6d2c-b27c-11dc-be41-001bfc1ca6eb}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-07-08 19:49:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-15 00:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - User.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-18 00:57:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Seagate\AutoBackup\MemeoBackup.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-07-18 1:05:22 - machine was rebooted [User]
ComboFix-quarantined-files.txt 2008-07-18 05:05:17

Pre-Run: 211,223,625,728 bytes free
Post-Run: 213,083,881,472 bytes free

170 --- E O F --- 2008-07-09 15:27:34

# END #2 ######################################

# START #3 ####################################

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:08:23 AM, on 7/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Nobicyt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Seagate\AutoBackup\MemeoBackup.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: AutoBackup Launcher.lnk = C:\Program Files\Seagate\AutoBackup\MemeoLauncher.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoBackup Launcher.lnk = C:\Program Files\Seagate\AutoBackup\MemeoLauncher.exe (User 'Default user')
O4 - Startup: AutoBackup Launcher.lnk = C:\Program Files\Seagate\AutoBackup\MemeoLauncher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NOBICYT - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 8206 bytes

# END #3 ######################################

# START #4 ####################################

7-Zip 4.42
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
AppCore
Apple Software Update
ATI - Software Uninstall Utility
AV
BioShock
BlackBerry Desktop Software 4.2.2
BlackBerry Desktop Software 4.2.2
ccCommon
Diablo II
Europa Universalis III
FreeAgent Pro Tools
Haali Media Splitter
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
InterActual Player
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Last.fm 1.5.1.29527
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Malwarebytes' Anti-Malware
Matroska Pack
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.16)
MSRedist
MSXML 4.0 SP2 (KB936181)
Network Magic
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
NVIDIA Drivers
Pdf995
PdfEdit995
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Roxio Media Manager
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Sid Meier's Civilization 4
Sid Meier's Civilization 4 - Beyond the Sword
SimCity 4 Deluxe
Skype 3.0
Skype Plugin Manager
SPBBC 32bit
Spybot - Search & Destroy 1.4
SpywareBlaster 4.1
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
VideoLAN VLC media player 0.8.6c
WavePad Uninstall
Winamp
Winamp Remote
Winamp Toolbar for Firefox
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781

# END #4 ######################################

I was astonished to see that MalwareBytes found a gazillion trojans! (I was only expecting one...)

Thanks again!

Best regards,

Carol.
carol_br
Active Member
 
Posts: 6
Joined: July 14th, 2008, 1:10 pm

Re: Possible Trojan

Post by Katana » July 18th, 2008, 9:17 am

carol_br wrote:I was astonished to see that MalwareBytes found a gazillion trojans! (I was only expecting one...)

Hi Carol :)
The problem with Trojans is that they like company, as soon as they find somewhere to live (Your PC ! ) they ring all their friends up and invite them round for a party :lol:


IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

uTorrent

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
Please note: you must NOT use this whilst we are cleaning your machine.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u7
http://java.sun.com/javase/downloads/index.jsp
Scroll down to where it says "The Java Runtime Environment (JRE) 6 update 7 allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check for any item with Java Runtime Environment (JRE or J2SE) in the name.
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.

Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.


Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=32664&p=324884#p324884
    Comment:: Katana -- Trojan-Downloader.Win32.Delf.jxi
    Collect::[4]
    C:\WINDOWS\system32\Nobicyt.exe
    Driver::
    NOBICYT
    

  • Save this as CFScript.txt and place it on your desktop.


    Image


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
  • A window will open asking you to ensure you are connected to the internet, this is so a file can be submitted for analysis.
  • Click OK and follow the instructions to submit the file.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
NOTE:- This scan is best done from IE (Internet Explorer)

NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partne ... bscan.html

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary and let the database download.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.




Logs/Information to Post in Reply
Please post the following logs/Information in your reply
  • ComboFix Log
  • Kaspersky Log
  • How are things running now ?
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
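The triage behind the CFScript above, as an added Python example that is not code from the thread, from HijackThis or from ComboFix: it parses O23 lines, flags a service with no listed owner whose binary sits in a Windows system directory (what NOBICYT looked like in the log), and prints the flagged entries in the Collect::/Driver:: layout the script uses. The sample lines are constructed from the posted log and the topic URL is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample modelled on the O23 lines of the HijackThis log posted above
# (plus one O4 line to show that non-service entries are ignored).
SAMPLE_HJT = """\
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\\Program Files\\Common Files\\Symantec Shared\\ccSvcHst.exe
O23 - Service: NOBICYT - Unknown owner - C:\\WINDOWS\\system32\\Nobicyt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\\Program Files\\Common Files\\Symantec Shared\\CCPD-LC\\symlcsvc.exe
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

# Directories where an owner-less service binary is most suspicious: legitimate
# third-party services normally live under Program Files, not in system32.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")


@dataclass
class Service:
    display: str   # display name as HijackThis prints it
    key: str       # service key name: the "(NVSvc)" part, or the display name if absent
    owner: str     # company string, or "Unknown owner"
    path: str      # path of the service binary

    @property
    def unknown_owner(self) -> bool:
        return self.owner.strip().lower() == "unknown owner"

    @property
    def in_system_dir(self) -> bool:
        return self.path.lower().startswith(SYSTEM_DIRS)


def parse_o23(line: str) -> Optional[Service]:
    """Parse one 'O23 - Service: <name> - <owner> - <path>' line; None for other entries."""
    prefix = "O23 - Service: "
    if not line.startswith(prefix):
        return None
    # Split from the right: the path is last and the owner second last, so a
    # display name that itself contains ' - ' still parses correctly.
    parts = line[len(prefix):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, path = (p.strip() for p in parts)
    m = re.fullmatch(r"(.*?)(?: \(([^()]+)\))?", name)
    display, key = m.group(1), (m.group(2) or m.group(1))
    return Service(display, key, owner, path)


def triage(lines: Iterable[str]) -> List[Service]:
    """Return services with an unknown owner AND a binary in a Windows system
    directory. Unknown owner alone is not enough: the posted log also shows
    'Symantec Core LC - Unknown owner' under Program Files, which is benign."""
    flagged = []
    for line in lines:
        svc = parse_o23(line)
        if svc and svc.unknown_owner and svc.in_system_dir:
            flagged.append(svc)
    return flagged


def build_cfscript(flagged: List[Service], topic_url: str, comment: str) -> str:
    """Emit a CFScript fragment in the layout used in the thread: topic URL,
    Comment::, Collect::[4] with the file paths, Driver:: with the service keys."""
    lines = [topic_url, f"Comment:: {comment}", "Collect::[4]"]
    lines += [svc.path for svc in flagged]
    lines.append("Driver::")
    lines += [svc.key for svc in flagged]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_HJT.splitlines())
    for svc in hits:
        print(f"REVIEW: {svc.key} -> {svc.path} ({svc.owner})")
    # The topic URL below is a placeholder, not a real thread address.
    print(build_cfscript(hits, "<topic URL placeholder>", "example -- unknown-owner service"))
```

The output of the sample is a single flagged entry, NOBICYT with its system32 path, which matches the entry Katana collected in the script above.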

Re: Possible Trojan

Post by carol_br » July 18th, 2008, 12:45 pm

Hi.

Here are today's logs:

# BEGIN #1 COMBOFIX ##################################

ComboFix 08-07-15.4 - User 2008-07-18 10:32:54.2 - NTFSx86
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\comsa32.sys
C:\WINDOWS\system32\Nobicyt.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NOBICYT
-------\Service_NOBICYT


((((((((((((((((((((((((( Files Created from 2008-06-18 to 2008-07-18 )))))))))))))))))))))))))))))))
.

2008-07-18 00:16 . 2008-07-18 00:16 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-18 00:16 . 2008-07-18 00:16 <DIR> d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-07-18 00:16 . 2008-07-18 00:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-18 00:16 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-18 00:16 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-15 09:40 . 2008-07-15 09:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-15 09:37 . 2008-07-15 09:40 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-15 09:37 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-07-14 11:27 . 2008-07-14 11:30 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-14 11:27 . 2008-07-18 00:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-10 17:11 . 2008-07-10 17:11 94,208 --a------ C:\WINDOWS\DIIUnin.exe
2008-07-10 17:11 . 2008-07-10 17:24 35,564 --a------ C:\WINDOWS\DIIUnin.dat
2008-07-10 17:11 . 2008-07-10 17:11 2,829 --a------ C:\WINDOWS\DIIUnin.pif
2008-07-10 17:02 . 2008-07-17 18:33 <DIR> d-------- C:\Program Files\Diablo II

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-18 14:36 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-18 14:21 --------- d-----w C:\Program Files\Java
2008-07-18 14:15 --------- d-----w C:\Documents and Settings\User\Application Data\Skype
2008-07-18 13:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-17 14:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-06-28 19:19 --------- d-----w C:\Documents and Settings\User\Application Data\uTorrent
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-17 21:19 --------- d-----w C:\Program Files\QuickTime
2008-06-17 21:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-15 14:36 --------- d-----w C:\Program Files\Apple Software Update
2008-06-15 14:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-06 23:05 --------- d--h--r C:\Documents and Settings\User\Application Data\SecuROM
2008-06-06 22:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-03 18:30 --------- d-----w C:\Program Files\Last.fm
2008-06-03 02:43 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-03 02:43 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-03 02:43 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-03 02:43 --------- d-----w C:\Program Files\Symantec
.

((((((((((((((((((((((((((((( snapshot@2008-07-18_ 1.05.04.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-02-22 05:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 05:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2008-02-22 05:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 05:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2008-02-22 06:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 06:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-03-26 07:07 228088]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-06-04 22:05 116328]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-06-26 01:00 771440]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"StxTrayMenu"="C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 14:20 190008]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-01-08 18:20 451896]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2008-01-18 11:32 451896]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 02:49 16126464 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
AutoBackup Launcher.lnk - C:\Program Files\Seagate\AutoBackup\MemeoLauncher.exe [2008-01-14 11:48:32 95456]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{825e6d2c-b27c-11dc-be41-001bfc1ca6eb}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-07-08 19:49:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-15 00:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - User.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-18 10:38:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Seagate\AutoBackup\MemeoBackup.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-07-18 10:47:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-18 14:47:01
ComboFix2.txt 2008-07-18 05:05:23

Pre-Run: 219,165,626,368 bytes free
Post-Run: 219,155,804,160 bytes free

154 --- E O F --- 2008-07-09 15:27:34

# END #1 COMBOFIX ####################################

# BEGIN #2 KASPERSKY ##################################

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, July 18, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, July 18, 2008 13:42:05
Records in database: 968400
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 96189
Threat name: 4
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 01:07:05


File name / Threat name / Threats count
C:\Documents and Settings\User\Desktop\[4]-Submit_2008-07-18@10.32.zip Infected: Trojan-Downloader.Win32.Delf.jxi 1
C:\WINDOWS\system32\cexwxfst.sys Infected: Trojan-Clicker.Win32.VB.bgh 1
C:\WINDOWS\system32\mtsycod.sys Infected: Trojan.Win32.Delf.del 1
C:\WINDOWS\system32\sxwand.sys Infected: Trojan.Win32.DNSChanger.ffj 1
E:\Backup\Memeo\User's Backup\C_\Documents and Settings\User\Desktop\[4]-Submit_2008-07-18@10.32.zip Infected: Trojan-Downloader.Win32.Delf.jxi 1
E:\Backup\Memeo\User's Backup\C_\Documents and Settings\User\Desktop\[4]-Submit_2008-07-18@10.32@2008-07-18T14;32;52.zip Infected: Trojan-Downloader.Win32.Delf.jxi 1

The selected area was scanned.

# END #2 KASPERSKY ##################################

Something important:

After ComboFix's scan, an error message said it could not find C:\ComboFix\CF-Submit.htm, so it couldn't send the file through the internet (which was working properly). It seems this file (or one that looks like this) was saved in our computer. We can send it or copy it if you need it.

I have a couple of questions for you:

1- We're concerned with the fact that each time we scan the computer using a different program, it finds more trojans. After each scan the computer seems to be clean, but then we try another program and it looks like the bugs have returned. This is pretty scary. How can we be sure the computer is actually clean?

2- We have a network and use 3 computers. We've scanned the other ones with Norton, Spybot S&D, and Ad Aware. They seem to be clean (except for non-threatening cookies). Is it a good idea to scan the other computers with MalwareBytes and Kaspersky?

Thanks again for your help. We're ready to follow your next instructions.

(Oh, and we'll surely donate to this forum as this is an excellent service!)

Regards,

Carol.
carol_br
Active Member
 
Posts: 6
Joined: July 14th, 2008, 1:10 pm

Re: Possible Trojan

Post by Katana » July 18th, 2008, 2:24 pm

carol_br wrote:After ComboFix's scan, an error message said it could not find C:\ComboFix\CF-Submit.htm, so it couldn't send the file through the internet (which was working properly). It seems this file (or one that looks like this) was saved in our computer. We can send it or copy it if you need it.

Don't worry, the first set of instructions will show you how to submit this file :)

carol_br wrote:1- We're concerned with the fact that each time we scan the computer using a different program, it finds more trojans. After each scan the computer seems to be clean, but then we try another program and it looks like the bugs have returned.

There are a few reasons for this:
1) Each program has a different database of infections that it checks against.
2) These types of infections can reproduce quickly if they are not completely removed.
3) Infections can change on a day-to-day basis (if not faster), so if one file gets missed it can call in the latest variants.
All these reasons mean that some infections can be an absolute pain to get rid of.

carol_br wrote:How can we be sure the computer is actually clean?

Because I will not stop running scans until I am sure that you are.
If you stick with me, your machine will be clean.

carol_br wrote:2- We have a network and use 3 computers. We've scanned the other ones with Norton, Spybot S&D, and Ad Aware. They seem to be clean (except for non-threatening cookies). Is it a good idea to scan the other computers with MalwareBytes and Kaspersky?
Given the level of infection, and the fact that it looks like it has been there for a while, I recommend that you disconnect the network for the time being, or at the very least only have one machine switched on at any one time.
I would definitely use MalwareBytes on each of the computers, and then scan at Kaspersky and Panda Active Scan (see below).
If anything is found when scanning the other machines, then I recommend that you leave it switched off until this PC is clean and then start another thread for it.
If you post logs from different machines at the same time, it can get confusing and that is when mistakes are made.

FYI
Each of the files that I am submitting from your machine will find their way into the AntiVirus databases,
so you are helping to stop these infections in the future :)

For this machine, please do the following

Please open LINK >>> THIS PAGE <<<LINK in a new window.


In the box marked Link to topic where this file was requested: please put this text
Code:
http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=32664&p=325115#p325115
( highlight the contents of the code box then press CTRL+C, then go to the new page, click in the Topic box and press CTRL+V )

In the box marked Browse to the file you want to submit: please put this text
Code: Select all
C:\Documents and Settings\User\Desktop\[4]-Submit_2008-07-18@10.32.zip
( highlight the contents of the code box then press CTRL+C, then go to the new page, click in the File box and press CTRL+V )

In the Largest box please put
Code: Select all
File Requested By Katana
CF Failed Submit

Finally click SendFile


Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=32664&p=325115#p325115
    Comment:: Katana -- Delf files
    
    Collect::[4]
    C:\WINDOWS\system32\cexwxfst.sys
    C:\WINDOWS\system32\mtsycod.sys
    C:\WINDOWS\system32\sxwand.sys
    
    File::
    E:\Backup\Memeo\User's Backup\C_\Documents and Settings\User\Desktop\[4]-Submit_2008-07-18@10.32.zip
    E:\Backup\Memeo\User's Backup\C_\Documents and Settings\User\Desktop\[4]-Submit_2008-07-18@10.32@2008-07-18T14;32;52.zip
    
    

  • Save this as CFScript.txt and place it on your desktop.


    Image


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
  • A window will open asking you to ensure you are connected to the internet, this is so a file can be submitted for analysis.
  • Click OK and follow the instructions to submit the file.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Active Scan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
Please go to this site Link >> ActiveScan << LINK
  • Click the Scan Now button
  • Follow the prompts to install the Active X if necessary
  • Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
  • When the scan is finished, a report will be generated
  • Next to Scan Details click the small Save button and save the report to your desktop.
  • Please post the report in your reply.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Possible Trojan

Unread postby carol_br » July 18th, 2008, 4:09 pm

Hello again.

We uploaded that previous log from ComboFix and here are the next logs:

########## COMBOFIX LOG #4 ####################################################

ComboFix 08-07-15.4 - User 2008-07-18 15:07:50.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.576 [GMT -4:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt
* Created a new restore point

FILE ::
E:\Backup\Memeo\User's Backup\C_\Documents and Settings\User\Desktop\[4]-Submit_2008-07-18@10.32.zip
E:\Backup\Memeo\User's Backup\C_\Documents and Settings\User\Desktop\[4]-Submit_2008-07-18@10.32@2008-07-18T14;32;52.zip
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cexwxfst.sys
C:\WINDOWS\system32\mtsycod.sys
C:\WINDOWS\system32\sxwand.sys

.
((((((((((((((((((((((((( Files Created from 2008-06-18 to 2008-07-18 )))))))))))))))))))))))))))))))
.

2008-07-18 00:16 . 2008-07-18 00:16 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-18 00:16 . 2008-07-18 00:16 <DIR> d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-07-18 00:16 . 2008-07-18 00:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-18 00:16 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-18 00:16 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-15 09:40 . 2008-07-15 09:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-15 09:37 . 2008-07-15 09:40 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-15 09:37 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-07-14 11:27 . 2008-07-14 11:30 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-14 11:27 . 2008-07-18 00:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-10 17:11 . 2008-07-10 17:11 94,208 --a------ C:\WINDOWS\DIIUnin.exe
2008-07-10 17:11 . 2008-07-10 17:24 35,564 --a------ C:\WINDOWS\DIIUnin.dat
2008-07-10 17:11 . 2008-07-10 17:11 2,829 --a------ C:\WINDOWS\DIIUnin.pif
2008-07-10 17:02 . 2008-07-17 18:33 <DIR> d-------- C:\Program Files\Diablo II

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-18 19:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-18 19:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-07-18 18:36 --------- d-----w C:\Documents and Settings\User\Application Data\Skype
2008-07-18 14:36 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-18 14:21 --------- d-----w C:\Program Files\Java
2008-06-28 19:19 --------- d-----w C:\Documents and Settings\User\Application Data\uTorrent
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-17 21:19 --------- d-----w C:\Program Files\QuickTime
2008-06-17 21:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-15 14:36 --------- d-----w C:\Program Files\Apple Software Update
2008-06-15 14:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-06 23:05 --------- d--h--r C:\Documents and Settings\User\Application Data\SecuROM
2008-06-06 23:02 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-06-06 22:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-03 18:30 --------- d-----w C:\Program Files\Last.fm
2008-06-03 02:43 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-03 02:43 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-03 02:43 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-03 02:43 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-03 02:43 --------- d-----w C:\Program Files\Symantec
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-18_ 1.05.04.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-02-22 05:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 05:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2008-02-22 05:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 05:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2008-02-22 06:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 06:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-03-26 07:07 228088]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-06-04 22:05 116328]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-06-26 01:00 771440]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"StxTrayMenu"="C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 14:20 190008]
"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-01-08 18:20 451896]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2008-01-18 11:32 451896]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 02:49 16126464 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
AutoBackup Launcher.lnk - C:\Program Files\Seagate\AutoBackup\MemeoLauncher.exe [2008-01-14 11:48:32 95456]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{825e6d2c-b27c-11dc-be41-001bfc1ca6eb}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-07-08 19:49:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-15 00:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - User.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-18 15:10:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-07-18 15:12:09
ComboFix-quarantined-files.txt 2008-07-18 19:11:06
ComboFix2.txt 2008-07-18 14:47:08
ComboFix3.txt 2008-07-18 05:05:23

Pre-Run: 219,093,700,608 bytes free
Post-Run: 219,120,365,568 bytes free

138 --- E O F --- 2008-07-09 15:27:34

########## ACTIVESCAN LOG #1 ####################################################

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-07-18 15:55:57
PROTECTIONS: 1
MALWARE: 38
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Norton Antivirus Internet Security 2007 14.4.0.12 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.casalemedia.com/]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.doubleclick.net/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.atdmt.com/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@atdmt[2].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.247realmedia.com/]
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@247realmedia[1].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.247realmedia.com/]
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.247realmedia.com/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.fastclick.net/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@tribalfusion[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.tribalfusion.com/]
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.mediaplex.com/]
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.mediaplex.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.com.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.com.com/]
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.xiti.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.statcounter.com/]
00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@perf.overture[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[ad.yieldmanager.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.apmebf.com/]
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.burstnet.com/]
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.burstnet.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@serving-sys[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.bs.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@bs.serving-sys[1].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[www.burstbeacon.com/]
00168102 Cookie/Falkag TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@as1.falkag[1].txt
00168106 Cookie/Weborama TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.weborama.fr/]
00168106 Cookie/Weborama TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.weborama.fr/]
00168106 Cookie/Weborama TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.weborama.fr/]
00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@adtech[2].txt
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@stat.onestat[2].txt
00168116 Cookie/Comclick TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[fl01.ct2.comclick.com/]
00168116 Cookie/Comclick TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[fl01.ct2.comclick.com/]
00168116 Cookie/Comclick TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[fl01.ct2.comclick.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@advertising[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.advertising.com/]
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[statse.webtrendslive.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.ads.pointroll.com/]
00170540 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@de.uol.com[1].txt
00170553 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.ig.com.br/]
00170553 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.ig.com.br/]
00170553 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.ig.com.br/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@overture[1].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.overture.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.overture.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.overture.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.overture.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.realmedia.com/]
00170557 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.terra.com.br/]
00170559 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@uol.com[2].txt
00170559 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.uol.com.br/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.questionmarket.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.zedo.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.adultfriendfinder.com/]
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.did-it.com/]
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.did-it.com/]
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.did-it.com/]
00273339 Cookie/Smartadserver TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.smartadserver.com/]
00273339 Cookie/Smartadserver TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.smartadserver.com/]
00273339 Cookie/Smartadserver TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.smartadserver.com/]
00273339 Cookie/Smartadserver TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.smartadserver.com/]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{5CFA9E4A-4907-444B-8449-8A29BA31CC45}\RP320\A0025848.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{5CFA9E4A-4907-444B-8449-8A29BA31CC45}\RP325\A0026204.EXE
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{5CFA9E4A-4907-444B-8449-8A29BA31CC45}\RP325\A0026187.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{5CFA9E4A-4907-444B-8449-8A29BA31CC45}\RP320\A0025833.sys
;===================================================================================================================================================================================
SUSPECTS
Sent Location 0
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description 0
;===================================================================================================================================================================================
;===================================================================================================================================================================================

########## END OF LOGS ####################################################

It seems they're finding less ugly bugs now (to our untrained eyes, at least).

And I'm really glad to inform that the other computers in the network are totally free of bad bugs according to MalwareBytes.

Best regards,

Carol.
carol_br
Active Member
 
Posts: 6
Joined: July 14th, 2008, 1:10 pm
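As an added example, not part of this thread, the Python below triages a Panda ActiveScan report in the format posted above: it separates tracking cookies and hits sitting inside System Restore points (copies that disappear once System Restore is cleared) from live files that would still need action. The sample rows are copied from the report above; the one "live" row, its detection name and its driver path are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Column layout of the Panda ActiveScan report quoted in the thread:
#   Id Description Type Active Severity Disinfectable Disinfected Location
# Description and Location may contain spaces, so the fixed-vocabulary middle
# columns (Yes/No flags, numeric severity) anchor the match.
ROW_RE = re.compile(
    r"^(?P<id>\d{8})\s+(?P<desc>.+?)\s+(?P<type>\S+)\s+(?P<active>Yes|No)\s+"
    r"(?P<severity>\d+)\s+(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+"
    r"(?P<location>.+)$"
)

# Files under a restore point are copies kept by System Restore, not running
# code; they go away when System Restore is cleared.
RESTORE_MARKER = r"\system volume information\_restore{"


@dataclass
class Finding:
    id: str
    desc: str
    type: str
    active: bool
    severity: int
    location: str

    @property
    def bucket(self) -> str:
        """Classify a row as a tracking cookie, a restore-point copy, or a live file."""
        if self.type == "TrackingCookie":
            return "cookie"
        if RESTORE_MARKER in self.location.lower():
            return "restore_point"
        return "live"


def parse_report(text: str) -> list:
    """Return the Finding rows from the MALWARE section of an ActiveScan report."""
    findings = []
    in_malware = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "MALWARE":
            in_malware = True
            continue
        if line in ("SUSPECTS", "VULNERABILITIES"):
            in_malware = False
        if not in_malware or line.startswith(";") or line.startswith("Id "):
            continue
        m = ROW_RE.match(line)
        if m:
            findings.append(Finding(m["id"], m["desc"], m["type"],
                                    m["active"] == "Yes", int(m["severity"]),
                                    m["location"]))
    return findings


def triage(text: str) -> dict:
    """Count rows per bucket and list the live hits that still need attention."""
    summary = {"cookie": 0, "restore_point": 0, "live": 0, "active": 0, "live_hits": []}
    for f in parse_report(text):
        summary[f.bucket] += 1
        if f.active:
            summary["active"] += 1
        if f.bucket == "live":
            summary["live_hits"].append((f.desc, f.location))
    summary["verdict"] = ("clean apart from cookies and restore points"
                          if not summary["live_hits"] and summary["active"] == 0
                          else "needs attention")
    return summary


# Rows copied from the report posted in the thread (cookies and restore-point copies).
SAMPLE_ROWS = [
    r"00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f152lkb0.default\cookies.txt[.casalemedia.com/]",
    r"00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@atdmt[2].txt",
    r"00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@serving-sys[2].txt",
    r"01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{5CFA9E4A-4907-444B-8449-8A29BA31CC45}\RP320\A0025848.EXE",
    r"02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{5CFA9E4A-4907-444B-8449-8A29BA31CC45}\RP325\A0026187.sys",
]

# Constructed row (placeholder detection name and path, not from the thread): an
# active hit outside any restore point, which is what should change the verdict.
CONSTRUCTED_LIVE_HIT = r"09999999 Trj/Placeholder.A Virus/Trojan Yes 2 Yes No C:\WINDOWS\system32\placeholder_driver.sys"


def make_report(rows) -> str:
    """Wrap rows in the section headers ActiveScan puts around them."""
    return "\n".join(["PROTECTIONS", ";====", "MALWARE",
                      "Id Description Type Active Severity Disinfectable Disinfected Location",
                      ";===="] + list(rows) + [";====", "SUSPECTS"])


if __name__ == "__main__":
    for rows in (SAMPLE_ROWS, SAMPLE_ROWS + [CONSTRUCTED_LIVE_HIT]):
        print(triage(make_report(rows)))
```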

Re: Possible Trojan

Unread postby Katana » July 18th, 2008, 5:23 pm

carol_br wrote:It seems they're finding less ugly bugs now (to our untrained eyes, at least).

And I'm really glad to inform that the other computers in the network are totally free of bad bugs according to MalwareBytes.

Correct, the worst is behind you now :)
That is very good news about the other machines :thumbup:


Congratulations your logs look clean :D

Let's see if I can help you keep it that way

First let's tidy up :D

You can delete any [4]-Submit_2008-07-18@xx.xx.zip files that are on your desktop

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
This will clear your system restore and remove all the files that we have deleted
You can also delete any logs we have produced, and empty your Recycle bin.




The following is some info to help you stay safe and clean.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partne ... bscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware
    AntiSpyware is not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
    Most of the programs in this list have a free (for Home Users ) and paid versions,
    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
  • Spybot - Search & Destroy <<< A must have program
    • It includes host protection and registry protection
    • A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
  • MalwareBytes Anti-malware <<< A New and effective program
  • a-squared Free <<< A good "realtime" or "on demand" scanner
  • superantispyware <<< A good "realtime" or "on demand" scanner

Prevention
    These programs don't detect malware, they help stop it getting on your machine in the first place.
    Each does a different job, so you can have more than one
  • Winpatrol
    • An excellent startup manager and then some !!
    • Notifies you if programs are added to startup
    • Allows delayed startup
    • A must have addition
  • SpywareBlaster 4.0
    • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
  • SpywareGuard 2.2
    • SpywareGuard provides real-time protection against spyware.
    • Not required if you have other "realtime" antispyware or Winpatrol
  • ZonedOut
    • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
  • MVPS HOSTS
    • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
    • For information on how to download and install, please read this tutorial by WinHelp2002.
    • Not required if you are using other host file protections

Internet Browsers
    Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
    Using a different web browser can help stop malware getting on your machine.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    If you are still using IE6 then either update, or get one of the following.
    • FireFox
      • With many addons available that make customization easy this is a very popular choice
      • NoScript and AdBlockPlus addons are essential
    • Opera
      • Another popular alternative
    • Netscape
      • Another popular alternative
      • Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies
    Temporary Internet Files are mainly the files that are downloaded when you open a web page.
    Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
    It is a good idea to empty the Temporary Internet Files folder on a regular basis.

    Tracking Cookies are files that websites use to monitor which sites you visit and how often.
    A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
    CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

    Both of these can be cleaned manually, but a quicker option is to use a program
  • ATF Cleaner
    • Free and very simple to use
  • CCleaner
    • Free and very flexible, you can choose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
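The Internet Explorer "Custom Level" steps in the post above map to DWORD values under the current user's Internet zone (zone 3) in the registry. The following PowerShell script is an added example, not part of the thread: it audits those values against the settings the post recommends and reports drift; the -Apply switch is this script's own convention, and the numeric action IDs and the 0/1/3 codes are the standard IE zone values.

```powershell
# Added example (not from the thread): audit the IE Internet zone (zone 3) for the
# current user against the settings recommended in the post, optionally fix them.
param([switch]$Apply)

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Standard IE zone value codes: 0 = Enable, 1 = Prompt, 3 = Disable
$Prompt = 1; $Disable = 3
$codeName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Recommended values, matching the post; Id is the documented IE URL-action value name
$policy = @(
    @{ Name = 'Download signed ActiveX controls';                       Id = '1001'; Want = $Prompt  }
    @{ Name = 'Download unsigned ActiveX controls';                     Id = '1004'; Want = $Disable }
    @{ Name = 'Initialise and script ActiveX controls not marked safe'; Id = '1201'; Want = $Disable }
    @{ Name = 'Installation of desktop items';                          Id = '1800'; Want = $Prompt  }
    @{ Name = 'Launching programs and files in an IFRAME';              Id = '1804'; Want = $Prompt  }
    @{ Name = 'Navigate sub-frames across different domains';           Id = '1607'; Want = $Prompt  }
)

function Get-ZoneSetting([string]$Id) {
    # $null when the value is absent; IE then falls back to the zone's built-in default
    $item = Get-ItemProperty -Path $zonePath -Name $Id -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Id
}

function Describe-Code($Code) {
    if ($null -eq $Code) { return 'not set (zone default)' }
    if ($codeName.ContainsKey($Code)) { return $codeName[$Code] }
    return "code $Code"   # e.g. 0x10000 "high safety" values used by some actions
}

$drift = 0
foreach ($p in $policy) {
    $have = Get-ZoneSetting $p.Id
    if ($have -eq $p.Want) {
        Write-Output ("OK     {0,-55} = {1}" -f $p.Name, (Describe-Code $have))
        continue
    }
    $drift++
    Write-Output ("DRIFT  {0,-55} = {1}; want {2}" -f $p.Name, (Describe-Code $have), $codeName[$p.Want])
    if ($Apply) {
        # Writes only the recommended value for this action; nothing else in the zone is touched
        Set-ItemProperty -Path $zonePath -Name $p.Id -Value $p.Want -Type DWord
        Write-Output ("       -> set {0} = {1}" -f $p.Id, $p.Want)
    }
}
Write-Output ("{0} of {1} settings differ from the recommended values." -f $drift, $policy.Count)
```

Run it without -Apply first to see what would change; the Internet Options dialog shows the same six settings after a change, so the two views can be cross-checked.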

Re: Possible Trojan

Unread postby carol_br » July 18th, 2008, 5:35 pm

Dear Katana,

You will live forever in our hearts (my husband's and mine)! :D

Thanks for all the help and advice.

We already knew some of these programs and we're careful web users, so all of this was a good lesson to make us smarter and to always keep everything updated.

If you may, we would like to use our computers normally for a couple of days before we post our final message here, just in case something weird still happens.

Have a wonderful weekend.

Regards,

Carol.
carol_br
Active Member
 
Posts: 6
Joined: July 14th, 2008, 1:10 pm

Re: Possible Trojan

Unread postby Katana » July 19th, 2008, 1:27 am

carol_br wrote:Dear Katana,

You will live forever in our hearts (my husband's and mine)! :D

Thanks for all the help and advice.

We already knew some of these programs and we're careful web users, so all of this was a good lesson to make us smarter and to always keep everything updated.

If you may, we would like to use our computers normally for a couple of days before we post our final message here, just in case something weird still happens.

Have a wonderful weekend.

Regards,

Carol.


Thank you for your kind words, and you are more than welcome to wait a few days to make sure.
This topic will not be archived for at least a few days.
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Possible Trojan

Unread postby Elrond » July 22nd, 2008, 6:54 am

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem