Problem: Ursnif and MS RSA Parser - Poster: Levan
Hello and please help!
I had been browsing amazon and my local library with IE 6. I googled to see if a certain radio show was available as a torrent. While reading a resulting page, my computer went down and took a while to reboot (the PC is 10 years old, and I wasn't sure if it was going to reboot or just stay hung).
I hadn't clicked on any links on the torrent description page (got there directly from google), I've never had a torrent app on this PC, and I haven't had any issues in months until now. While I was waiting on my PC to reboot, I turned off my external hard drive.
After it rebooted, I got a message saying windows had recovered from a serious error. Zone Alarm popped up an alert asking if I wanted to grant internet access to "MS RSA Parser". I clicked no twice and my PC rebooted again. When it came back up, I told Zone Alarm no again, ran my Pest Patrol updater, then started a scan.
Pest Patrol immediately found "Ursnif" in two locations:
C:\Windows\9129837.exe
In Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ttool
More Pest Patrol Info:
category: password capture
release date: 7/25/2006
certainty: confirmed
risk: High! This file is now running!
PP recommended that I have it delete the file, so I stopped the scan and chose delete. I then ran a new scan of both my hard drives, and PP didn't find anything.
I haven't rebooted my computer or turned my external hard drive back on, and Zone Alarm hasn't given me any new alerts.
Thanks for reading and I hope to hear back soon.
My HijackThis log is below:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:56:09 AM, on 7/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\mgabg.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\SUPERFAX\PROGRAM\PICPMON.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
c:\Program Files\PestPatrol\ppmemcheck.exe
c:\Program Files\PestPatrol\ppcontrol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\PestPatrol\PestPatrol.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Documents and Settings\default\Desktop\PC Tools\HiJackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
N3 - Netscape 7: # Mozilla User Preferences
// This is a generated file!
user_pref("Dick Cox.aim.session.autologin", false);
user_pref("Dick Cox.aim.session.connectionname", "AIM");
user_pref("Dick Cox.aim.session.password", "0");
user_pref("Dick Cox.aim.session.storepassword", false);
user_pref("aim.away.disablesound", false);
user_pref("aim.internal.buddy.MaxBuddies", 220);
user_pref("aim.internal.intproxyprotocol", 1);
user_pref("aim.session.finishedwizard", true);
user_pref("aim.session.firsttime", false);
user_pref("aim.session.latestaimscreenname", "icehelmets");
user_pref("aim.session.migrateBuddyList", "Dick Cox");
user_pref("aim.session.screenname", "icehelmets");
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.download.dir", "C:\\WINDOWS\\Desktop");
user_pref("browser.history.last_page_visited", "http://boards.billmaher.com/logout.php?Cat=");
user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Matrox PowerDesk SE] "c:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe"
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [MpsOnn] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [default] C:\Documents and Settings\default\default.exe /i
O4 - Startup: rncsys32.exe
O4 - Global Startup: 2Wire Wireless Client.lnk = C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {1B2897F0-7F93-417D-B240-D720DA9B2339} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {291EA4D8-C8BC-4D70-82FB-15FE40113ACF} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {E941727A-3ABE-4332-93F2-D20FFF992FC2} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Win32 Classes -
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pacific Image Comm. Fax Server - Unknown owner - C:\SUPERFAX\PROGRAM\PICPMON.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
--
End of file - 9074 bytes
Comments
Please download Malwarebytes' Anti-Malware by clicking the link below:
http://www.besttechie.net/tools/mbam-setup.exe
Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* You'll be required to post the contents of this log later.
Please Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
===================================================
Next let's have you download ComboFix.exe. Please visit this webpage for downloading and instructions for running the tool:
Go here ======> A guide and tutorial on using ComboFix <====== Go here
Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use the download meant for SP2.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should get a prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
(1) Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the MBAM log and C:\ComboFix.txt for further review, so that we may continue cleansing the system.
Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.
Thanks for such a quick response!
After running MBAM, it asked to reboot the PC. Upon reboot, there was a windows error message saying "BN1.tmp has encountered a problem and needs to close".
I then went back online to start reading the Combofix page, and after a minute or two, my PC rebooted for no reason. It did an automatic disk error check upon reboot.
I then downloaded and ran Combofix.
When double clicking on IE to come back online after that, I got a prompt saying "Internet Explorer is not currently your default browser. Would you like to make it your default browser?". Ummm... yeah I guess so...
MBAM log posted first, then Combofix log.
___________________
Malwarebytes' Anti-Malware 1.38
Database version: 2362
Windows 5.1.2600 Service Pack 2
7/2/2009 4:23:20 AM
mbam-log-2009-07-02 (04-23-20).txt
Scan type: Quick Scan
Objects scanned: 92314
Time elapsed: 11 minute(s), 30 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 6
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ksi32sk (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ksi32sk (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ksi32sk (Rootkit.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\SYSTEM32\DRIVERS\ksi32sk.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\Recycled\NPROTECT\00142360.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\WINDOWS\hosts (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\default\Start Menu\Programs\Startup\rncsys32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\default\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\default\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.
____________________
ComboFix 09-07-01.01 - default 07/02/2009 5:05.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.267 [GMT -5:00]
Running from: c:\documents and settings\default\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {B5510F6F-87E1-47F7-A411-360BC453007C}
FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\default\default.exe
c:\program files\Internet Explorer\setup.exe
c:\windows\start.exe
c:\windows\system32\drivers\port135sik.sys
c:\windows\system32\mdm.exe
c:\windows\system32\setup.ini
c:\windows\system32\windows.scr
c:\windows\Web\default.htt
C:\ZZ.EXE
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Legacy_KSI32SK
\Legacy_PORT135SIK
\Service_port135sik
((((((((((((((((((((((((( Files Created from 2009-06-02 to 2009-07-02 )))))))))))))))))))))))))))))))
.
2009-07-02 08:58 . 2009-07-02 08:58 ------- d-----w- c:\documents and settings\default\Application Data\Malwarebytes
2009-07-02 08:58 . 2009-07-02 08:58 ------- d-----w- c:\documents and settings\default\Application Data\Malwarebytes
2009-07-02 08:58 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-02 08:58 . 2009-07-02 08:58 ------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-02 08:58 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-02 08:58 . 2009-07-02 08:58 ------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-02 09:32 . 2009-07-02 09:40 1540096 ------w- c:\windows\Internet Logs\xDB98.tmp
2009-07-02 09:32 . 2009-07-02 09:39 2333696 ------w- c:\windows\Internet Logs\xDB97.tmp
2009-07-02 07:42 . 2007-04-02 23:03 1316 ----a-w- c:\windows\system32\d3d8caps.dat
2009-07-02 03:52 . 2009-07-02 03:58 251392 ------w- c:\windows\Internet Logs\xDB96.tmp
2009-07-02 03:52 . 2009-07-02 03:58 2321408 ------w- c:\windows\Internet Logs\xDB95.tmp
2009-06-11 11:46 . 2009-06-11 20:33 1562624 ------w- c:\windows\Internet Logs\xDB94.tmp
2009-06-11 11:46 . 2009-06-11 20:33 2313216 ------w- c:\windows\Internet Logs\xDB93.tmp
2003-11-07 05:11 . 2001-01-30 16:20 1439 ----a-w- c:\program files\GUIDE PLUS+(TM) System (2).lnk
2003-11-07 05:11 . 2001-01-21 05:30 1439 ----a-w- c:\program files\GUIDE PLUS+(TM) System.lnk
2003-11-07 05:11 . 1980-01-01 05:00 820 ----a-w- c:\program files\Dell Accessories.lnk
2001-01-28 22:58 . 2001-01-28 22:58 516 ----a-w- c:\program files\Acrobat Reader 4.0.lnk
2001-01-21 05:14 . 1980-01-01 05:00 23357 ---h--w- c:\program files\FOLDER.HTT
2001-01-08 20:46 . 2001-01-08 20:46 594 ----a-w- c:\program files\Launch DellNet by MSN.lnk
2001-01-08 20:43 . 2001-01-08 20:43 444 ----a-w- c:\program files\Send and Receive a Fax.lnk
2001-01-08 20:43 . 2001-01-08 20:43 388 ----a-w- c:\program files\PhoneTools.lnk
1998-12-09 07:53 . 1998-12-09 07:53 99840 ------w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 07:53 . 1998-12-09 07:53 70144 ------w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 07:53 . 1998-12-09 07:53 48640 ------w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 07:53 . 1998-12-09 07:53 31744 ------w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 07:53 . 1998-12-09 07:53 186368 ------w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 07:53 . 1998-12-09 07:53 17920 ------w- c:\program files\Common Files\IRASRIAL.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Eraser"="c:\program files\Eraser\eraser.exe" [2003-07-25 536576]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
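As a worked triage of the three logs posted in this thread (an added example, not the poster's or helper's code and not part of HijackThis, MBAM or ComboFix): the script parses the HijackThis O4 autorun, O10 LSP and O23 service entries, flags the ones with weak provenance, and checks which flagged binaries the later MBAM and ComboFix output confirmed. The sample lines are constructed from the logs above; the flagging heuristics are this example's own assumptions, not any tool's logic.

```python
"""Correlate HijackThis persistence entries with later MBAM / ComboFix results.
Added example for this thread; not code from the thread or from any tool named in it."""
import re
from dataclasses import dataclass, field

# Sample lines constructed from the logs posted in this thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [default] C:\Documents and Settings\default\default.exe /i
O4 - Startup: rncsys32.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
"""
MBAM_SAMPLE = r"""
c:\WINDOWS\SYSTEM32\DRIVERS\ksi32sk.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\default\Start Menu\Programs\Startup\rncsys32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
"""
COMBOFIX_SAMPLE = r"""
(((((((((( Other Deletions ))))))))))
c:\documents and settings\default\default.exe
c:\windows\system32\drivers\port135sik.sys
(((((((((( Drivers/Services ))))))))))
"""

@dataclass
class Autorun:
    section: str                 # O4, O10 or O23
    label: str                   # Run value name, startup item or service name
    path: str                    # executable path exactly as logged
    owner: str = ""              # O23 owner column
    reasons: list = field(default_factory=list)

    @property
    def basename(self) -> str:
        return re.split(r"[\\/]", self.path.replace(" (file missing)", ""))[-1].lower()

def _exe_path(cmd: str) -> str:
    """Executable from a Run value: honour quotes, else cut after the first '.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r".+?\.exe", cmd, re.IGNORECASE)
    return m.group(0) if m else cmd.split()[0]

def parse_hjt(text: str) -> list:
    """Persistence-related HijackThis entries; other sections are ignored."""
    out = []
    for line in text.splitlines():
        if line.startswith("O4 - ") and "\\Run: [" in line:
            name = line[line.index("[") + 1:line.index("]")]
            out.append(Autorun("O4", name, _exe_path(line[line.index("]") + 1:])))
        elif line.startswith("O4 - ") and "Startup: " in line:
            label, _, path = line.split("Startup: ", 1)[1].partition(" = ")
            out.append(Autorun("O4", label, path or label))  # bare name when no '='
        elif line.startswith("O10 - "):
            out.append(Autorun("O10", "Winsock LSP", line.split(": ", 1)[1]))
        elif line.startswith("O23 - Service: "):
            name, owner, path = line[len("O23 - Service: "):].split(" - ", 2)
            out.append(Autorun("O23", name, path, owner))
    return out

def flag(entries: list) -> list:
    """Attach a reason to each entry with weak provenance (heuristics assumed here); return only those."""
    for e in entries:
        p = e.path.lower()
        if e.section == "O10":
            e.reasons.append("unknown Winsock LSP, loaded into every networked process")
        if "(file missing)" in p:
            e.reasons.append("registered but binary missing")
        if "\\" not in p:
            e.reasons.append("bare file name, resolved via the search path at logon")
        if "documents and settings" in p:
            e.reasons.append("runs from a user-writable profile directory")
        if e.owner.lower() == "unknown owner":
            e.reasons.append("service has no vendor")
    return [e for e in entries if e.reasons]

MBAM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[\w.]+)\) -> (?P<action>.+)$")

def parse_mbam(text: str) -> list:
    """(item, family, action) for each MBAM detection line."""
    return [m.groups() for m in map(MBAM_RE.match, text.splitlines()) if m]

def parse_combofix_deletions(text: str) -> list:
    """Paths listed under ComboFix's 'Other Deletions' banner."""
    paths, inside = [], False
    for line in text.splitlines():
        if line.startswith("(((("):
            inside = "Other Deletions" in line
        elif inside and re.match(r"[a-z]:\\", line, re.IGNORECASE):
            paths.append(line.strip())
    return paths

def triage(hjt: str, mbam: str, combofix: str) -> dict:
    """Flagged entries -> reasons, plus whether a later scan removed the same binary."""
    confirmed = {re.split(r"[\\/]", item)[-1].lower() for item, _, _ in parse_mbam(mbam)}
    confirmed |= {p.rsplit("\\", 1)[-1].lower() for p in parse_combofix_deletions(combofix)}
    return {f"{e.section}:{e.label}": {"reasons": e.reasons, "confirmed": e.basename in confirmed}
            for e in flag(parse_hjt(hjt))}
```

Calling `triage(HJT_SAMPLE, MBAM_SAMPLE, COMBOFIX_SAMPLE)` on the thread's lines marks rncsys32.exe (a bare Startup item) and default.exe (a Run value under the user profile) as confirmed by the later scans, while the unknown LSP and the missing-file ATI service stay at "review" with their reasons attached. A flag is a reason to look, not a verdict: SysTray.Exe from the log above would be flagged for the same bare-name reason, and the ccApp and vsmon entries with vendor-owned paths are not flagged at all.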
Your ComboFix log seems to be cut off. Can you post it again?
ComboFix 09-07-01.01 - default 07/02/2009 5:05.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.267 [GMT -5:00]
Running from: c:\documents and settings\default\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {B5510F6F-87E1-47F7-A411-360BC453007C}
FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\default\default.exe
c:\program files\Internet Explorer\setup.exe
c:\windows\start.exe
c:\windows\system32\drivers\port135sik.sys
c:\windows\system32\mdm.exe
c:\windows\system32\setup.ini
c:\windows\system32\windows.scr
c:\windows\Web\default.htt
C:\ZZ.EXE
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Legacy_KSI32SK
\Legacy_PORT135SIK
\Service_port135sik
((((((((((((((((((((((((( Files Created from 2009-06-02 to 2009-07-02 )))))))))))))))))))))))))))))))
.
2009-07-02 08:58 . 2009-07-02 08:58 d w- c:\documents and settings\default\Application Data\Malwarebytes
2009-07-02 08:58 . 2009-07-02 08:58 d w- c:\documents and settings\default\Application Data\Malwarebytes
2009-07-02 08:58 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-02 08:58 . 2009-07-02 08:58 d w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-02 08:58 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-02 08:58 . 2009-07-02 08:58 d w- c:\program files\Malwarebytes' Anti-Malware
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-02 09:32 . 2009-07-02 09:40 1540096 w- c:\windows\Internet Logs\xDB98.tmp
2009-07-02 09:32 . 2009-07-02 09:39 2333696 w- c:\windows\Internet Logs\xDB97.tmp
2009-07-02 07:42 . 2007-04-02 23:03 1316 ----a-w- c:\windows\system32\d3d8caps.dat
2009-07-02 03:52 . 2009-07-02 03:58 251392 w- c:\windows\Internet Logs\xDB96.tmp
2009-07-02 03:52 . 2009-07-02 03:58 2321408 w- c:\windows\Internet Logs\xDB95.tmp
2009-06-11 11:46 . 2009-06-11 20:33 1562624 w- c:\windows\Internet Logs\xDB94.tmp
2009-06-11 11:46 . 2009-06-11 20:33 2313216 w- c:\windows\Internet Logs\xDB93.tmp
2003-11-07 05:11 . 2001-01-30 16:20 1439 ----a-w- c:\program files\GUIDE PLUS+(TM) System (2).lnk
2003-11-07 05:11 . 2001-01-21 05:30 1439 ----a-w- c:\program files\GUIDE PLUS+(TM) System.lnk
2003-11-07 05:11 . 1980-01-01 05:00 820 ----a-w- c:\program files\Dell Accessories.lnk
2001-01-28 22:58 . 2001-01-28 22:58 516 ----a-w- c:\program files\Acrobat Reader 4.0.lnk
2001-01-21 05:14 . 1980-01-01 05:00 23357 ---h--w- c:\program files\FOLDER.HTT
2001-01-08 20:46 . 2001-01-08 20:46 594 ----a-w- c:\program files\Launch DellNet by MSN.lnk
2001-01-08 20:43 . 2001-01-08 20:43 444 ----a-w- c:\program files\Send and Receive a Fax.lnk
2001-01-08 20:43 . 2001-01-08 20:43 388 ----a-w- c:\program files\PhoneTools.lnk
1998-12-09 07:53 . 1998-12-09 07:53 99840 w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 07:53 . 1998-12-09 07:53 70144 w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 07:53 . 1998-12-09 07:53 48640 w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 07:53 . 1998-12-09 07:53 31744 w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 07:53 . 1998-12-09 07:53 186368 w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 07:53 . 1998-12-09 07:53 17920 w- c:\program files\Common Files\IRASRIAL.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Eraser"="c:\program files\Eraser\eraser.exe" [2003-07-25 536576]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Matrox Powerdesk"="c:\windows\System32\PDesk\PDesk.exe" [2001-09-21 622592]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-09-15 70776]
"Advanced Tools Check"="c:\progra~1\NORTON~1\AdvTools\ADVCHK.EXE" [2003-08-18 74920]
"PRISMSVR.EXE"="c:\windows\system32\PRISMSVR.EXE" [2004-04-14 290905]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-04-19 935688]
"Matrox PowerDesk SE"="c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe" [2006-01-31 180224]
"PPMemCheck"="c:\progra~1\PESTPA~1\PPMemCheck.exe" [2003-04-19 148480]
"PestPatrol Control Center"="c:\progra~1\PESTPA~1\PPControl.exe" [2004-11-15 98304]
"MpsOnn"="c:\windows\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe" [2003-06-09 22528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-07-10 98304]
"PCTVOICE"="pctspk.exe" - c:\windows\SYSTEM32\pctspk.exe [2002-08-15 167936]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
2Wire Wireless Client.lnk - c:\program files\2Wire 802.11g Wireless\PRISMCFG.exe [2005-5-30 335979]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eDualHead Toolbar.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eDualHead Toolbar.lnk
backup=c:\windows\pss\eDualHead Toolbar.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=c:\windows\pss\ymetray.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^default^Start Menu^Programs^Startup^IMsecure.lnk]
path=c:\documents and settings\default\Start Menu\Programs\Startup\IMsecure.lnk
backup=c:\windows\pss\IMsecure.lnkStartup
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AIM"=c:\program files\AIM95\aim.exe -cnetwait.odl
"ATI Scheduler"=c:\program files\ATI MULTIMEDIA\MAIN\ATISched.EXE
"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe"
"MSMSGS"="c:\program files\MESSENGER\MSMSGS.EXE" /background
"ATI Launchpad"="c:\program files\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE"
"Mozilla Quick Launch"="c:\program files\Netscape\Netscp.exe" -aim
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adaptec DirectCD"=c:\progra~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
"CreateCD"=c:\progra~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
"hpppta"=c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppta.exe /ICON
"RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"ATIPTA"=c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"HPID Scheduler"=c:\program files\Hewlett-Packard\HP Instant Delivery\hpidschd.exe
"LoadQM"=loadqm.exe
"LTWinModem1"=ltmsg.exe 9
"QuickTime Task"="c:\windows\SYSTEM32\qttask.exe" -atboottime
"PestPatrol Control Center"=c:\program files\PestPatrol\PPControl.exe
"WinampAgent"="c:\program files\WINAMP\WINAMPa.exe"
"PCHealth"=c:\windows\PCHealth\Support\PCHSchd.exe -s
"RxMon"=c:\program files\Dell\Resolution Assistant\Common\bin\RxMon9x.exe
"madexe"=c:\program files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
"Share-to-Web Namespace Daemon"=c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
"MMTray"=c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"MotiveMonitor"=c:\program files\Motive\motmon.exe
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"LoadQM"=loadqm.exe
"PPMemCheck"=c:\progra~1\PESTPA~1\PPMemCheck.exe
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" /r
"dla"=c:\windows\system\dla\tfswctrl.exe
"hpppta"=c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppta.exe /ICON
"Logitech Utility"=LOGI_MWX.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"ATIPOLAB"=
"StillImageMonitor"=c:\windows\SYSTEM32\STIMON.EXE
"LoadBlackD"=c:\program files\Network ICE\BlackICE\blackd.exe
"SchedulingAgent"=mstask.exe
"ATIPOLL"=ati2evxx.exe
"Machine Debug Manager"=c:\windows\SYSTEM32\MDM.EXE
"RNBOStart"=c:\windows\SYSTEM\RNBOSENT\SENTSTRT.EXE
"ATISmart"=c:\windows\SYSTEM\ati2s9ag.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\WINDOWS\\System32\\ZoneLabs\\VSMON.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
R0 pavboot;pavboot;c:\windows\SYSTEM32\DRIVERS\pavboot.sys [9/12/2008 9:18 PM 28544]
R2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;c:\windows\SYSTEM32\DRIVERS\AliEhci.sys [11/8/2003 8:41 PM 104088]
R2 NProtectService;Norton Unerase Protection;c:\program files\Norton AntiVirus\AdvTools\NPROTECT.EXE [11/17/2003 11:31 PM 135168]
R3 aliroothub;USB 2.0 Root Hub;c:\windows\SYSTEM32\DRIVERS\AliRtHub.sys [11/8/2003 8:41 PM 5337]
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\SYSTEM32\DRIVERS\lne100v5.sys [11/10/2003 2:17 PM 36224]
R3 WlanUIG;2Wire 802.11g USB Driver;c:\windows\SYSTEM32\DRIVERS\WlanUIG.sys [5/30/2005 10:21 PM 347648]
S3 G550DH;G550DH;c:\windows\SYSTEM32\DRIVERS\g550dhm.sys [9/28/2001 1:13 PM 324747]
S3 UtilNT;UtilNT;c:\windows\SYSTEM32\DRIVERS\UtilNt.sys [11/14/2003 10:43 PM 5533]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\^RNA]
rundll rnasetup.dll,installoptionalcomponent rna
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"c:\program files\Outlook Express\setup50.exe" /APP:OE /CALLER:IE50 /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"c:\program files\Outlook Express\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"c:\program files\Outlook Express\setup50.exe" /APP:OE /CALLER:IE50 /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"c:\program files\Outlook Express\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"c:\program files\Outlook Express\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
"c:\program files\Outlook Express\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
c:\windows\SYSTEM32\updcrl.exe -e -u c:\windows\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
2004-10-16 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-11-18 22:26]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SYSTEM\blank.htm
mStart Page = hxxp://www.rr.com
mWindow Title = Microsoft Internet Explorer provided by Comcast
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Win32 Classes
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-02 05:15
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\TP*]
"DisplayName"="?\13?\13"
"DeviceDesc"="?\13?\13"
"ProviderName"=""
"MFG"="???\\"
"ReinstallString"="c:\\WINDOWS\\System32\\ReinstallBackups\\?\13\\DriverFiles\\.INF"
"DeviceInstanceIds"=multi:"07243.inf\00"
.
DLLs Loaded Under Running Processes
- - - - - - - > 'explorer.exe'(1716)
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\System32\PDesk\PDKERNEL.DLL
c:\windows\system32\PDesk\PDTOOLS.DLL
c:\windows\system32\PDesk\PDRESENG.DLL
c:\windows\system32\browselc.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
c:\windows\system\dla\tfswshx.dll
c:\windows\system32\tfswapi.dll
c:\windows\system\dla\tfswcres.dll
c:\program files\Norton AntiVirus\NavShExt.dll
c:\program files\MICROSOFT OFFICE\OFFICE10\msohev.dll
.
Other Running Processes
.
c:\program files\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
c:\program files\COMMON FILES\EPSON\EBAPI\EEBSVC.EXE
c:\program files\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
c:\windows\SYSTEM32\MGABG.EXE
c:\program files\NORTON ANTIVIRUS\NAVAPSVC.EXE
c:\program files\PESTPATROL\PPMEMCHECK.EXE
c:\program files\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
c:\windows\SYSTEM32\WDFMGR.EXE
c:\windows\SYSTEM32\ZONELABS\VSMON.EXE
c:\windows\SYSTEM32\DEVLDR32.EXE
c:\program files\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
c:\program files\COMMON FILES\SYMANTEC SHARED\SECURITY CENTER\SYMWSC.EXE
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Symantec Shared\NMain.exe
.
**************************************************************************
.
Completion time: 2009-07-02 5:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-02 10:20
Pre-Run: 4,555,309,056 bytes free
Post-Run: 5,950,210,048 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout = 30
default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
250
Go on to run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
Wait for the scan to finish
I've been away from the PC since starting the scan, but it hasn't rebooted on its own, so that's good. ESET found and cleaned 8 infected files. It's now giving me the option to check " Uninstall application on close" and also "Delete quarantined files" before clicking on "Finish". I haven't done anything yet.
Here's the log:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=31c2d161685e104bae9cfd9b91e537d3
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-07-02 01:02:29
# local_time=2009-07-02 08:02:29 (-0600, Central Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=3586 25 100 100 1320540834380976
# scanned=135443
# found=8
# cleaned=8
# scan_time=3663
C:\Program Files\AIM95\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application (deleted - quarantined) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\Documents and Settings\default\default.exe.vir a variant of Win32/Wigon.KT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\port135sik.sys.vir a variant of Win32/TrojanDownloader.Wigon.BS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000
C:\Documents and Settings\default\My Documents\psfonts\psfonts2\SV Install\3DSexVillav31\SV31\3DSexVillaInstall.exe probably a variant of Win32/Agent trojan (deleted - quarantined) 00000000000000000000000000000000
C:\System Volume Information\_restore{9BCFB3C7-53A7-4233-A42A-CA6F19ACDCAC}\RP1308\A0248926.sys a variant of Win32/TrojanDownloader.Wigon.BS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000
C:\System Volume Information\_restore{9BCFB3C7-53A7-4233-A42A-CA6F19ACDCAC}\RP1308\A0249954.sys a variant of Win32/TrojanDownloader.Wigon.BS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000
C:\System Volume Information\_restore{9BCFB3C7-53A7-4233-A42A-CA6F19ACDCAC}\RP1308\A0249972.exe a variant of Win32/Wigon.KT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000
C:\System Volume Information\_restore{9BCFB3C7-53A7-4233-A42A-CA6F19ACDCAC}\RP1308\A0250005.sys a variant of Win32/TrojanDownloader.Wigon.BS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000
Go to Start > Run
Type in box
combofix /u
Note: the space between the X and the /u
Press Enter.
This command will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
Run your computer for a few days; if there are no more problems, can I get you to post back here once so that I will be able to have this thread archived? Thanks.
Also:
Ummm... what was all that stuff? Was it all related to Ursnif? Kinda weird how my PC rebooted on its own after visiting a web page and Pest Patrol said the file was created right around the time of the first reboot. Any guess as to what happened and how that might be related to Zone Alarm asking to grant permission to "MS RSA Parser" before rebooting again?
Anyway... yeah, I'll post back in a few days to let you know how everything's going, and I really, really appreciate your help!
Not knowing the specifics about this infection, I think what you suspected was right. Also, it was a good idea not to grant permission for an unknown program to gain server/internet access.
Everything seems to be fine now. No reboots, no weird things showing on zone alarm.
Thank you VERY MUCH for your help! I really appreciate it.
This topic is now closed. If you wish it reopened, please send a Private Message to Trogan with a link to your thread.
If you are not the user who started this thread, you must start your own Thread instead