Another VirTool:Win32/Ursnif.A problem

Hi, I found this site from my google queries about the problem. I think I got this from carelessly running an .exe file which I don't normally do - but anyway, at first it was causing resources to be eaten and I had another user account called "HelpAssistant"

After running the program at safety.live.com and Spybot a few times, it looks like the only file left with a problem is winlogon.exe but my computer appears to be running perfectly fine - still, I would like to fix the problem. Any help is appreciated!

My HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01:06, on 11/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Josh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Josh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Josh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Josh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EF2C01A-083A-4F40-B303-2315326F9862}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4640A79-837D-460B-A27F-06B500673D14}: NameServer = 68.87.74.166,68.87.68.166
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 3343 bytes

Comments

  • edited December 2009
    Hey there. :)

    A few things before we start....
    1. Please Read All Instructions Carefully.
    2. If you don't understand something, stop and ask! Don't keep going on.
    3. Please do not run any other tools or scans whilst I am helping you.
    4. If you have to go away for an extended period of time, let me know.
    5. Please continue to respond until I give you the "All Clear".
    (Just because you can't see a problem doesn't mean it isn't there)



    Please download Malwarebytes' Anti-Malware by clicking the link below:
    http://www.besttechie.net/tools/mbam-setup.exe

    Double Click mbam-setup.exe to install the application.

    * Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select "Perform Quick Scan", then click Scan.
    * The scan may take some time to finish, so please be patient.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    * You'll be required to post the contents of this log later.

    Please Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



    Next let's have you download ComboFix.exe. Please visit this webpage for downloading and instructions for running the tool:

    Go here ======> A guide and tutorial on using ComboFix <====== Go here

    Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use the download meant for SP2.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should get a prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:

    (1) Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    (2) Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.


    Please include the MBAM log, C:\ComboFix.txt as well as a new HijackThis log for further review, so that we may continue cleansing the system.


    Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.
  • edited December 2009
    Hey, thanks for the response - I noticed Limewire and some other stuff that I have uninstalled already showing up in here (haven't done a format in a while), but I have no p2p file-sharing programs on here anymore that I know of - and before you get any ideas, gspot is for detecting which codecs are in use :) here are the logs:

    Malwarebytes' Anti-Malware 1.41
    Database version: 3225
    Windows 5.1.2600 Service Pack 3

    12/6/2009 12:50:22 AM
    mbam-log-2009-12-06 (00-50-22).txt

    Scan type: Quick Scan
    Objects scanned: 106660
    Time elapsed: 4 minute(s), 14 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    ComboFix 09-12-05.03 - Josh 12/06/2009 1:02.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.780 [GMT -5:00]
    Running from: c:\documents and settings\Josh\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\Josh\My Documents\Downloads\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    .
    ADS - WINDOWS: deleted 24 bytes in 1 streams.

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    \Legacy_TDSSSERV.SYS


    ((((((((((((((((((((((((( Files Created from 2009-11-06 to 2009-12-06 )))))))))))))))))))))))))))))))
    .

    2009-12-04 19:18 . 2009-12-06 04:01 d-----w- c:\documents and settings\Josh\Application Data\EVEMon
    2009-12-04 19:18 . 2009-12-04 19:18 d-----w- c:\program files\EVEMon
    2009-12-02 16:55 . 2009-12-04 19:17 d-----w- c:\documents and settings\Josh\Application Data\GetRight
    2009-12-02 16:55 . 2009-12-02 16:55 d-----w- c:\program files\GetRight
    2009-12-02 02:34 . 2009-03-09 20:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
    2009-11-30 19:35 . 2009-11-30 19:35 d-----w- c:\documents and settings\Josh\Local Settings\Application Data\Opera
    2009-11-28 16:34 . 2009-11-28 16:34 d-----w- c:\program files\CCP
    2009-11-23 15:00 . 2009-11-25 01:17 d-----w- c:\program files\Windows Live Safety Center
    2009-11-23 13:27 . 2009-10-27 15:33 87408 -c--a-w- c:\documents and settings\All Users\Application Data\{CCF7B54F-09A1-41ED-BA1B-471D81BFFC09}\OFFLINE\86D01CB6\597810BF\Sd.InstallManager.XmlSerializers.dll
    2009-11-23 11:41 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll
    2009-11-22 00:42 . 2009-11-22 00:42 d-----w- c:\documents and settings\Josh\Local Settings\Application Data\Temp
    2009-11-22 00:42 . 2009-11-22 00:42 d-----w- c:\documents and settings\Josh\Local Settings\Application Data\Google
    2009-11-21 18:55 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
    2009-11-16 20:20 . 2009-11-16 20:20 d-----w- c:\program files\Combined Community Codec Pack
    2009-11-16 18:04 . 2009-12-02 18:42 d-----w- c:\documents and settings\Josh\Application Data\vlc
    2009-11-16 17:59 . 2009-11-16 17:59 d-----w- c:\program files\gspot
    2009-11-16 14:47 . 2009-11-22 16:49 d-----w- c:\program files\PeerGuardian2
    2009-11-12 18:13 . 2009-11-12 18:15 d-----w- C:\r4crypt
    2009-11-12 18:08 . 2009-10-27 08:39 5809908 ----a-w- c:\temp\USRCHEAT.DAT
    2009-11-12 17:57 . 2009-11-12 17:57 760 ----a-w- c:\temp\gui.bat
    2009-11-12 17:53 . 2009-11-12 18:08 d-----w- C:\temp
    2009-11-12 17:27 . 2009-11-12 17:52 d-----w- C:\temp2
    2009-11-12 17:22 . 2009-11-12 18:14 d-----w- C:\YSMenu-DSTT

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-12-03 20:05 . 2009-07-26 14:44 d-----w- c:\documents and settings\Josh\Application Data\Vidalia
    2009-12-03 20:05 . 2009-07-26 14:44 d-----w- c:\documents and settings\Josh\Application Data\Tor
    2009-12-01 21:41 . 2008-03-07 00:33 d-----w- c:\program files\Steam
    2009-11-30 19:35 . 2008-03-03 15:06 d-----w- c:\program files\Opera
    2009-11-25 16:00 . 2009-04-27 09:37 d-----w- c:\program files\3GP Player
    2009-11-25 15:59 . 2009-09-08 23:20 d-----w- c:\program files\LimeWire
    2009-11-23 13:28 . 2009-11-23 13:28 dc-h--w- c:\documents and settings\All Users\Application Data\{CCF7B54F-09A1-41ED-BA1B-471D81BFFC09}
    2009-11-23 13:28 . 2008-06-07 04:49 d-----w- c:\program files\Stardock
    2009-11-22 16:51 . 2008-11-27 11:39 d-----w- c:\program files\Spybot - Search & Destroy
    2009-11-20 15:00 . 2009-09-08 23:20 d-----w- c:\documents and settings\Josh\Application Data\LimeWire
    2009-11-16 18:03 . 2009-01-20 19:41 d-----w- c:\program files\VLC
    2009-11-15 16:05 . 2008-03-18 04:20 d-----w- c:\program files\MySpace
    2009-11-15 16:04 . 2009-10-22 17:05 d-----w- c:\program files\Common Files\SupportSoft
    2009-11-14 22:21 . 2009-06-24 05:07 d-----w- c:\program files\EphPod
    2009-11-14 22:08 . 2009-08-14 21:09 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-11-10 20:42 . 2009-11-23 13:28 3143528 -c--a-w- c:\documents and settings\All Users\Application Data\{CCF7B54F-09A1-41ED-BA1B-471D81BFFC09}\Impulse_setup.exe
    2009-11-10 20:40 . 2009-11-23 13:28 30000 -c--a-w- c:\documents and settings\All Users\Application Data\{CCF7B54F-09A1-41ED-BA1B-471D81BFFC09}\OFFLINE\86D01CB6\757C30BC\SDSecurity.dll
    2009-11-10 19:12 . 2009-11-23 13:27 464176 -c--a-w- c:\documents and settings\All Users\Application Data\{CCF7B54F-09A1-41ED-BA1B-471D81BFFC09}\OFFLINE\86D01CB6\757C30BC\ImpulseNow.exe
    2009-10-29 16:55 . 2008-03-09 01:29 d-----w- c:\program files\Common Files\Adobe
    2009-10-27 22:41 . 2009-10-17 10:49 d-----w- c:\documents and settings\Josh\Application Data\DNA
    2009-10-27 17:52 . 2009-11-23 13:27 1119536 -c--a-w- c:\documents and settings\All Users\Application Data\{CCF7B54F-09A1-41ED-BA1B-471D81BFFC09}\OFFLINE\86D01CB6\12FD35EB\impulse.dll
    2009-10-24 04:13 . 2009-10-24 04:13 534 ----a-w- c:\windows\eReg.dat
    2009-10-24 04:13 . 2009-10-24 04:13 d-----w- c:\program files\Maxis
    2009-10-23 06:39 . 2008-07-11 21:59 d-----w- c:\program files\IrfanView
    2009-10-23 06:26 . 2009-10-23 06:26 d-----w- c:\documents and settings\Josh\Application Data\Viewpoint
    2009-10-22 17:11 . 2009-10-22 17:11 d-----w- c:\documents and settings\All Users\Application Data\SupportSoft
    2009-10-22 17:06 . 2009-10-22 17:06 d-----w- c:\program files\support.com
    2009-09-12 08:19 . 2009-05-28 20:59 4045528 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2009-09-11 14:18 . 2002-09-03 16:46 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-10 18:54 . 2008-11-27 11:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-09-10 18:53 . 2008-11-27 11:46 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-09-08 16:28 . 2009-11-23 13:27 1433856 -c--a-w- c:\documents and settings\All Users\Application Data\{CCF7B54F-09A1-41ED-BA1B-471D81BFFC09}\OFFLINE\86D01CB6\757C30BC\ImpulseReactor.dll
    2009-09-08 04:26 . 2009-09-08 04:26 298 ----a-w- c:\windows\EReg072.dat
    2006-05-03 09:06 . 2009-07-28 05:14 163328 --sh--r- c:\windows\system32\flvDX.dll
    2007-02-21 10:47 . 2009-07-28 05:14 31232 --sh--r- c:\windows\system32\msfDX.dll
    2008-03-16 12:30 . 2009-07-28 05:14 216064 --sh--r- c:\windows\system32\nbDX.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-10-10 69632]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    2008-11-07 21:41 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @=&quot;"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=&quot;"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless USB Utility.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Belkin Wireless USB Utility.lnk
    backup=c:\windows\pss\Belkin Wireless USB Utility.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
    backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk
    backup=c:\windows\pss\Privoxy.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Josh^Start Menu^Programs^Startup^ImpulseNow.lnk]
    path=c:\documents and settings\Josh\Start Menu\Programs\Startup\ImpulseNow.lnk
    backup=c:\windows\pss\ImpulseNow.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^Josh^Start Menu^Programs^Startup^Product Registration.lnk]
    path=c:\documents and settings\Josh\Start Menu\Programs\Startup\Product Registration.lnk
    backup=c:\windows\pss\Product Registration.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^Josh^Start Menu^Programs^Startup^Shortcut to iTunes.exe.lnk]
    path=c:\documents and settings\Josh\Start Menu\Programs\Startup\Shortcut to iTunes.exe.lnk
    backup=c:\windows\pss\Shortcut to iTunes.exe.lnkStartup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nah_Shell
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RivaTunerStartupDaemon
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "aawservice"=3 (0x3)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
    "c:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Opera\\opera.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:Remote Desktop

    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/9/2008 3:15 PM 716272]
    R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [12/28/2008 1:21 PM 10384]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
    S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/13/2009 8:40 AM 24652]
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.comcast.net/
    mStart Page = hxxp://www.comcast.net/
    mWindow Title = Windows Internet Explorer provided by Comcast
    TCP: {0EF2C01A-083A-4F40-B303-2315326F9862} = 192.168.0.1
    TCP: {E4640A79-837D-460B-A27F-06B500673D14} = 68.87.74.166,68.87.68.166
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7}
    FF - ProfilePath - c:\documents and settings\Josh\Application Data\Mozilla\Firefox\Profiles\egnebz4v.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
    FF - plugin: c:\documents and settings\Josh\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\GameTap\bin\Release\npgametaptool.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-SVCHOST - (no file)
    AddRemove-Impulse - c:\documents and settings\All Users\Application Data\{CCF7B54F-09A1-41ED-BA1B-471D81BFFC09}\Impulse_setup.exe REMOVE=TRUE MODIFY=FALSE
    AddRemove-mIRC - c:\program files\mIRC\uninstall.exe _?=c:\program files\mIRC
    AddRemove-NVIDIA Drivers - c:\windows\system32\nvuninst.exe UninstallGUI
    AddRemove-Steam App 12910 - c:\program files\Steam\steam.exe steam://uninstall/12910
    AddRemove-Steam App 215 - c:\program files\Steam\steam.exe steam://uninstall/215
    AddRemove-Steam App 400 - c:\program files\Steam\steam.exe steam://uninstall/400
    AddRemove-Steam App 440 - c:\program files\Steam\steam.exe steam://uninstall/440



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-12-06 01:08
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys sphn.sys hal.dll >>UNKNOWN [0x86F8B938]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf764af28
    \Driver\ACPI -> ACPI.sys @ 0xf74a8cb8
    \Driver\atapi -> atapi.sys @ 0xf7463b40
    IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
    ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
    ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
    NDIS: Intel(R) PRO/100 M Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf736cbb0
    PacketIndicateHandler -> NDIS.sys @ 0xf7379a21
    SendHandler -> NDIS.sys @ 0xf735787b
    user & kernel MBR OK
    copy of MBR has been found in sector 0x0DF7FDFC
    malicious code @ sector 0x0DF7FDFF !
    PE file found in sector at 0x0DF7FE15 !

    **************************************************************************
    .
    DLLs Loaded Under Running Processes

    - - - - - - - > 'winlogon.exe'(668)
    c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    c:\program files\common files\logishrd\bluetooth\LBTServ.dll

    - - - - - - - > 'explorer.exe'(472)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    .
    Other Running Processes
    .
    c:\windows\system32\nvsvc32.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-12-06 01:12 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-12-06 06:12

    Pre-Run: 19,929,436,160 bytes free
    Post-Run: 19,835,105,280 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    - - End Of File - - CFCAD71F6B252E90A4694B45F8911FAB


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:14:26, on 12/6/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16915)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
    O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0EF2C01A-083A-4F40-B303-2315326F9862}: NameServer = 192.168.0.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E4640A79-837D-460B-A27F-06B500673D14}: NameServer = 68.87.74.166,68.87.68.166
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

    --
    End of file - 3274 bytes
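A helper reviewing a thread like this compares the HijackThis log from before the cleanup with the one posted afterwards and looks for entries worth a second glance. The script below is an added example, not part of this thread and not HijackThis's own code: it parses the `Xn - ...` entry lines, reports what appeared or disappeared between two runs, and applies three triage heuristics that are my own assumptions (an O2 BHO whose file is missing, an O23 service with "Unknown owner", and an O4 autorun that names a bare executable with no path). The two sample logs are constructed excerpts in the format of the logs posted above.

```python
import re
from collections import defaultdict

# Constructed samples: short excerpts in the format of the two HijackThis
# logs posted in this thread (first run, and the run after ComboFix).
HJT_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
"""

HJT_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
"""

# HijackThis entry lines look like "O4 - <body>"; R/F/N/O are the section letters.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


def parse_hjt(text):
    """Return {section: [entry body, ...]}; header and process-list lines are ignored."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group(1)].append(m.group(2))
    return dict(entries)


def diff_logs(before_text, after_text):
    """Entries that appeared or disappeared between two runs, as sorted 'Xn - body' strings."""
    before = {f"{s} - {e}" for s, es in parse_hjt(before_text).items() for e in es}
    after = {f"{s} - {e}" for s, es in parse_hjt(after_text).items() for e in es}
    return sorted(after - before), sorted(before - after)


def flag_entries(text):
    """Triage heuristics (assumed here; these are not HijackThis's own rules)."""
    flags = []
    for section, bodies in parse_hjt(text).items():
        for body in bodies:
            line = f"{section} - {body}"
            if section == "O2" and body.endswith("(no file)"):
                flags.append(("orphaned BHO, file missing", line))
            elif section == "O23" and "Unknown owner" in body:
                flags.append(("service with no publisher info", line))
            elif section == "O4":
                # Everything after the "[name] " tag is the command line.
                cmd = body.split("] ", 1)[-1]
                if "\\" not in cmd:
                    flags.append(("autorun with bare executable name, no path", line))
    return flags


if __name__ == "__main__":
    added, removed = diff_logs(HJT_BEFORE, HJT_AFTER)
    for entry in added:
        print("NEW: ", entry)
    for entry in removed:
        print("GONE:", entry)
    for reason, entry in flag_entries(HJT_AFTER):
        print(f"CHECK ({reason}): {entry}")
```

On the samples above the diff reports the two new entries (the GetRight BHO and the KHALMNPR.EXE autorun), and the flags point at the same things a helper would verify by hand: the `(no file)` BHO is harmless clutter that can be fixed, and a bare executable name in a Run key is worth locating on disk before deciding it is legitimate.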
  • edited December 2009
    I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.
    To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.
    Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This may change; read Viewpoint to Plunge Into Adware.

    I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):
    • Click Start, point to Settings, and then click Control Panel.
    • In Control Panel, double-click Add or Remove Programs.
    • In Add or Remove Programs, highlight >>Viewpoint component<<, click Remove.
    • Do the same for each Viewpoint component.
    • Restart your PC when you're done.

    ============================================

    Now let's have you go HERE to run Panda ActiveScan 2.0
    • Click the big green Scan now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • Once the scan is completed, please hit the notepad icon next to the text Export to:
    • Save it to a convenient location such as your Desktop
    • Post the contents of the ActiveScan.txt in your next reply.
  • edited December 2009
    Thanks again for the help! Here is ActiveScan.txt:

    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2009-12-06 16:34:07
    PROTECTIONS: 0
    MALWARE: 7
    SUSPECTS: 0
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\documents and settings\josh\cookies\josh@doubleclick[2].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\documents and settings\josh\cookies\josh@atdmt[1].txt
    00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No c:\documents and settings\josh\cookies\josh@mediaplex[1].txt
    00168061 Cookie/Apmebf TrackingCookie No 0 Yes No c:\documents and settings\josh\cookies\josh@apmebf[1].txt
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\documents and settings\josh\cookies\josh@advertising[2].txt
    00194327 Cookie/Go TrackingCookie No 0 Yes No c:\documents and settings\josh\cookies\josh@go[1].txt
    00262020 Cookie/Atwola TrackingCookie No 0 Yes No c:\documents and settings\josh\cookies\josh@atwola[1].txt
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
  • edited December 2009
    I think our work is done here - your PC should be clean now.

    It's time to remove ComboFix.

    Go to Start > Run
    Type in box

    combofix /uninstall

    Note: the space between the X and the /uninstall

    Press Enter.

    This command will:

    Delete the following:
    ComboFix and its associated files and folders.
    VundoFix backups, if present
    The C:\Deckard folder, if present
    The C:\_OtMoveIt folder, if present

    Reset the clock settings.
    Hide file extensions, if required.
    Hide System/Hidden files, if required.
    Reset System Restore.


    Even if you have no more queries, I would appreciate it if you could reply once more to this thread so that I will be able to have this archived. Thanks. :)
  • edited December 2009
    Very nice, I ran the scan that reported the problem in the first place and it looks like everything is fine - I also removed Viewpoint Media Player as per your advice. Thank you for the help, I really appreciate it!
  • edited December 2009
    You're welcome. Moving this to the Fixed section now.