Free Malware Removal Forum

[tgh0001]

You have peaked my curiosity .... what's up with this computer? I apologize for not seeing enough symptoms to report for you to use. I guess these infections can be quite sneaky and not announce their presence ... except for little out of the ordinary subtle clues that get dismissed as OS quirks. I'm glad I haven't started the "tidy up" phase.

Here's the 2nd ComboFix log:

ComboFix 10-03-06.01 - Owner 03/06/2010 14:40:32.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1628 [GMT -6:00]
Running from: f:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: f:\documents and settings\Owner\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"f:\windows\system32\drivers\ghjum.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

f:\documents and settings\Owner\Local Settings\Application Data\carewh

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gylxr


((((((((((((((((((((((((( Files Created from 2010-02-06 to 2010-03-06 )))))))))))))))))))))))))))))))
.

2010-03-06 13:49 . 2010-03-06 13:49 77312 ----a-w- F:\mbr.exe
2010-02-27 21:03 . 2010-02-27 21:03 -------- d-----w- F:\rsit
2010-02-27 19:39 . 2010-02-27 19:39 -------- d-----w- f:\documents and settings\Owner\Application Data\Malwarebytes
2010-02-27 19:39 . 2010-01-07 22:07 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys
2010-02-27 19:39 . 2010-02-27 19:39 -------- d-----w- f:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-27 19:39 . 2010-01-07 22:07 19160 ----a-w- f:\windows\system32\drivers\mbam.sys
2010-02-08 03:45 . 2006-11-29 19:06 3426072 ----a-w- f:\windows\system32\d3dx9_32.dll
2010-02-08 03:45 . 2010-02-08 03:45 -------- d-----w- f:\program files\Microsoft SQL Server Compact Edition

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-06 04:31 . 2008-05-16 01:56 -------- d---a-w- f:\documents and settings\All Users\Application Data\TEMP
2010-03-06 02:25 . 2008-10-10 15:49 1600687 ----a-w- f:\windows\Internet Logs\tvDebug.Zip
2010-03-04 00:16 . 2010-03-04 00:17 2320896 ----a-w- f:\windows\Internet Logs\xDB14.tmp
2010-03-02 16:43 . 2010-03-03 00:42 2318848 ----a-w- f:\windows\Internet Logs\xDB13.tmp
2010-03-02 00:17 . 2010-03-02 00:18 2317824 ----a-w- f:\windows\Internet Logs\xDB12.tmp
2010-03-01 14:45 . 2010-03-01 14:49 2316800 ----a-w- f:\windows\Internet Logs\xDB11.tmp
2010-02-27 18:56 . 2004-10-08 00:19 -------- d-----w- f:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-27 17:40 . 2010-02-27 17:40 36733 ----a-w- f:\windows\Internet Logs\vsmon_2nd_2010_02_27_09_04_39_small.dmp.zip
2010-02-24 15:16 . 2009-10-03 13:04 181632 ------w- f:\windows\system32\MpSigStub.exe
2010-02-21 17:55 . 2010-02-21 21:04 2283008 ----a-w- f:\windows\Internet Logs\xDB10.tmp
2010-02-18 16:02 . 2010-02-18 16:03 2275328 ----a-w- f:\windows\Internet Logs\xDBF.tmp
2010-02-08 03:46 . 2010-01-20 00:50 -------- d-----w- f:\program files\Windows Live
2010-01-31 16:53 . 2010-01-31 16:53 112736 ----a-w- f:\documents and settings\Owner\Application Data\Juniper Networks\Host Checker\AV\CrawlerAV.dll
2010-01-31 16:53 . 2010-01-31 16:53 108640 ----a-w- f:\documents and settings\Owner\Application Data\Juniper Networks\Host Checker\AV\AgnitumAV.dll
2010-01-31 16:53 . 2010-01-31 16:53 145504 ----a-w- f:\documents and settings\Owner\Application Data\Juniper Networks\Host Checker\AV\Lavasoft.dll
2010-01-31 16:53 . 2010-01-31 16:53 104544 ----a-w- f:\documents and settings\Owner\Application Data\Juniper Networks\Host Checker\AV\Zone_Labs.dll
2010-01-31 16:53 . 2010-01-31 16:53 125024 ----a-w- f:\documents and settings\Owner\Application Data\Juniper Networks\Host Checker\AV\Check_PointAV.dll
2010-01-31 16:51 . 2010-01-31 16:51 112736 ----a-w- f:\documents and settings\Owner\Application Data\Juniper Networks\Host Checker\AV\SalD.dll
2010-01-20 12:43 . 2010-01-20 15:34 2242560 ----a-w- f:\windows\Internet Logs\xDBE.tmp
2010-01-20 00:53 . 2004-10-05 01:16 60376 ----a-w- f:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-20 00:51 . 2010-01-20 00:51 -------- d-----w- f:\program files\Microsoft
2010-01-20 00:50 . 2010-01-20 00:50 -------- d-----w- f:\program files\Windows Live SkyDrive
2010-01-20 00:48 . 2010-01-20 00:48 -------- d-----w- f:\program files\Common Files\Windows Live
2009-12-31 16:50 . 2003-07-16 20:46 353792 ----a-w- f:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2003-07-16 20:51 916480 ------w- f:\windows\system32\wininet.dll
2009-12-16 18:43 . 2004-10-03 23:11 343040 ----a-w- f:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2003-07-16 20:26 33280 ----a-w- f:\windows\system32\csrsrv.dll
2009-12-12 14:59 . 2009-06-13 14:34 56816 ----a-w- f:\windows\system32\drivers\avgntflt.sys
2009-12-12 14:37 . 2009-12-12 14:37 4904 ----a-w- f:\windows\system32\PerfStringBackup.TMP
2009-12-08 19:27 . 2003-07-16 20:39 2189184 ------w- f:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2002-08-29 01:04 2066048 ------w- f:\windows\system32\ntkrnlpa.exe
2006-05-03 09:06 . 2009-08-21 03:40 163328 --sh--r- f:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-08-21 03:40 31232 --sh--r- f:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-08-21 03:40 216064 --sh--r- f:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="f:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"Windows Defender"="g:\spyware\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"CTCheck"="g:\musicxfr\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
"avgnt"="f:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"QuickTime Task"="f:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"f:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 hotcore3;Hotcore helper;f:\windows\system32\drivers\hotcore3.sys [7/4/2008 6:17 PM 40496]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;f:\program files\Avira\AntiVir Desktop\sched.exe [6/13/2009 8:34 AM 108289]
R2 WinDefend;Windows Defender;g:\spyware\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S4 a2free;a-squared Free Service;g:\spyware\a-squared Free\a2service.exe [6/10/2007 10:57 AM 1858144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 15:14 451872 ----a-w- f:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-03-06 f:\windows\Tasks\MP Scheduled Scan.job
- g:\spyware\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.southernstandard.com/
IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: adobe.com
Trusted Zone: aedcfcu.org
Trusted Zone: aesoponline.com\kelly
Trusted Zone: amiuptodate.com
Trusted Zone: arcot.com
Trusted Zone: ascendfcu.org
Trusted Zone: balfour.com
Trusted Zone: blomand.net
Trusted Zone: bncollege.com\secure
Trusted Zone: buydig.com
Trusted Zone: capitalone.com
Trusted Zone: careerbuilder.com
Trusted Zone: chase.com
Trusted Zone: checksinthemail.com\secure
Trusted Zone: chegg.com
Trusted Zone: chickasaw.com
Trusted Zone: cmt.com
Trusted Zone: creative.com
Trusted Zone: creative.com\us
Trusted Zone: creative.com\www
Trusted Zone: dell.com
Trusted Zone: diginsite.com\portal-2
Trusted Zone: discovercard.com
Trusted Zone: ebay.com\signin
Trusted Zone: ed.gov
Trusted Zone: ed.gov\*.fafsa
Trusted Zone: google.com
Trusted Zone: irs.gov
Trusted Zone: kellyeducationalstaffing.us
Trusted Zone: live.com
Trusted Zone: magic985.com
Trusted Zone: mcafee.com
Trusted Zone: mcafeehelp.com
Trusted Zone: mesa-robotics.com
Trusted Zone: mesainc.com
Trusted Zone: microsoft.com
Trusted Zone: mscc.edu
Trusted Zone: neonova.net
Trusted Zone: net10.com
Trusted Zone: newegg.com
Trusted Zone: paypal.com\www
Trusted Zone: pcpowercooling.com
Trusted Zone: postini.com
Trusted Zone: principal.com
Trusted Zone: proactiv.com\www
Trusted Zone: taxact.com
Trusted Zone: ticketmaster.com
Trusted Zone: tnlottery.com
Trusted Zone: tntech.edu
Trusted Zone: tracfone.com
Trusted Zone: verizonwireless.com
Trusted Zone: walmart.com
Trusted Zone: wellsfargo.com
Trusted Zone: windowsmedia.com
Trusted Zone: wwbw.com\www
TCP: {43BA827B-8B38-4A65-9169-7C821B43CB13} = 192.168.1.254
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-06 14:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
f:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4084)
f:\windows\system32\WININET.dll
f:\windows\system32\ieframe.dll
f:\windows\system32\webcheck.dll
f:\windows\system32\WPDShServiceObj.dll
f:\windows\system32\PortableDeviceTypes.dll
f:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
f:\windows\system32\LEXBCES.EXE
f:\windows\system32\LEXPPS.EXE
f:\program files\Avira\AntiVir Desktop\avguard.exe
f:\windows\System32\CTsvcCDA.exe
f:\program files\Common Files\LightScribe\LSSrvc.exe
f:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
f:\windows\System32\MsPMSPSv.exe
f:\windows\system32\wscntfy.exe
f:\windows\BCMSMMSG.exe
.
**************************************************************************
.
Completion time: 2010-03-06 14:53:08 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-06 20:53
ComboFix2.txt 2010-03-06 14:45

Pre-Run: 20,083,744,768 bytes free
Post-Run: 19,956,109,312 bytes free

- - End Of File - - BC03024E616949298E6E1ED893FB40D4

[Katana]

Now, your machine is clean

You have peaked my curiosity .... what's up with this computer? I apologize for not seeing enough symptoms to report for you to use.
I guess these infections can be quite sneaky and not announce their presence ... except for little out of the ordinary subtle clues that get dismissed as OS quirks.

Trojan.Mebroot, it infects the Master Boot Record of your machine.
http://www.symantec.com/security_respon ... 18-3448-99
It looks like it didn't get installed properly, that's why the usual signs didn't show up.
It was only when you mentioned the firewall prompts that I got suspiscious about it.

Uninstall Combofix

• This will clear your System Volume Information restore points and remove all the infected files that were quarantined
• Click START then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
  
  • 

You can also delete any logs we have produced and any other tools we have downloaded.

----------------------------------------------------------- -----------------------------------------------------------

The following is some info to help you stay safe and clean.


You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partne ... bscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware

AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have a free (for Home Users ) and paid versions,
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.

• Spybot - Search & Destroy <<< A must have program
  • It includes host protection and registry protection
  • A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
• MalwareBytes Anti-malware <<< A New and effective program
• a-squared Free <<< A good "realtime" or "on demand" scanner
• superantispyware <<< A good "realtime" or "on demand" scanner

Prevention

These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one

• Winpatrol
  • An excellent startup manager and then some !!
  • Notifies you if programs are added to startup
  • Allows delayed startup
  • A must have addition
• SpywareBlaster 4.0
  • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
• SpywareGuard 2.2
  • SpywareGuard provides real-time protection against spyware.
  • Not required if you have other "realtime" antispyware or Winpatrol
• ZonedOut
  • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
• MVPS HOSTS
  • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
  • For information on how to download and install, please read this tutorial by WinHelp2002.
  • Not required if you are using other host file protections

Internet Browsers

Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.

• Make your Internet Explorer more secure - This can be done by following these simple instructions:
  1. From within Internet Explorer click on the Tools menu and then click on Options.
     
  2. Click once on the Security tab
  3. Click once on the Internet icon so it becomes highlighted.
  4. Click once on the Custom Level button.
     
     • Change the Download signed ActiveX controls to Prompt
     • Change the Download unsigned ActiveX controls to Disable
     • Change the Initialise and script ActiveX controls not marked as safe to Disable
     • Change the Installation of desktop items to Prompt
     • Change the Launching programs and files in an IFRAME to Prompt
     • Change the Navigate sub-frames across different domains to Prompt
     • When all these settings have been made, click on the OK button.
     • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  5. Next press the Apply button and then the OK to exit the Internet Properties page.
If you are still using IE6 then either update, or get one of the following.
• FireFox
  • With many addons available that make customization easy this is a very popular choice
  • NoScript and AdBlockPlus addons are essential
• Opera
  • Another popular alternative
• Netscape
  • Another popular alternative
  • Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies

Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.

Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

Both of these can be cleaned manually, but a quicker option is to use a program

• ATF Cleaner
  • Free and very simple to use
• CCleaner
  • Free and very flexible, you can chose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'

[tgh0001]

Great deductive work! After reading the symantec article, it meakes sense about the services.exe adding port exceptions to WinXP firewall and then my current firewall blocking access to a few IPs.
In the past, I've noticed WINWORD.EXE being blocked for outbound access to odd IPs ... only because I set my firewall to block internet access for office apps. I figured it was our school-age children using office apps for school work ... but .... maybe by using the apps, that triggered a "need" to connect. ... just a minute ... by doing a cut-n-paste from malware.com into MSWord, my firewall blocked an outgoing (connect) access to malware.com ... and ... to a couple more! (example DNS: cdn.photobucket.com, www.countingcows.de). Is this normal? Could it be just a past access still in MSWord memory? Or IPs imbedded somewhere in the cut-n-paste? More-n-likely the last.
Well, I'm rambling again .... thank you for your expert deductive knowledge and currently I haven't noticed any "unprompted" unusual behavior by this computer. Since this is a family access computer. I'll know more by the end of this coming week.

Have a great week.

[Katana]

Could it be just a past access still in MSWord memory? Or IPs imbedded somewhere in the cut-n-paste? More-n-likely the last.

Any web address will prompt office programs to try and connect to the internet.
That is normal behaviour.

[NonSuch]

As this issue appears to be resolved, this topic is now closed.

You can help support this site from this link :
Donations For Malware Removal