Unable to boot Windows XP



#31 vahi (Member, Topic Starter, 41 posts)
ComboFix 11-02-17.01 - Administrator 02/18/2011 2:35.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.211 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\ConduitEngine
c:\program files\ConduitEngine\appContextMenu.xml
c:\program files\ConduitEngine\ConduitEngine.dll
c:\program files\ConduitEngine\ConduitEngineHelper.exe
c:\program files\ConduitEngine\engineContextMenu.xml
c:\program files\ConduitEngine\EngineSettings.json
c:\program files\ConduitEngine\toolbar.cfg
c:\program files\Software_Master
c:\program files\Software_Master\GottenAppsContextMenu.xml
c:\program files\Software_Master\OtherAppsContextMenu.xml
c:\program files\Software_Master\prxtbSoft.dll
c:\program files\Software_Master\SharedAppsContextMenu.xml
c:\program files\Software_Master\Software_MasterToolbarHelper.exe
c:\program files\Software_Master\tbSoft.dll
c:\program files\Software_Master\toolbar.cfg
c:\program files\Software_Master\ToolbarContextMenu.xml
c:\program files\Software_Master\uninstall.exe

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys
c:\windows\system32\dllcache\sfcfiles.dll --> c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((( Files Created from 2011-01-18 to 2011-02-18 )))))))))))))))))))))))))))))))
.

2011-02-18 04:18 . 2008-04-14 10:42 1614848 -c----w- c:\windows\system32\dllcache\sfcfiles.dll
2011-02-18 04:18 . 2008-04-14 05:50 361344 -c----w- c:\windows\system32\dllcache\tcpip.sys
2011-02-18 04:14 . 2011-02-18 04:14 -------- d-----w- C:\SP3
2011-02-17 23:32 . 2011-02-17 23:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2011-02-17 23:31 . 2001-08-17 18:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2011-02-17 23:31 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2011-01-25 01:47 . 2011-01-25 01:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\simppulltoolbar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-14 14:35 . 2010-12-14 14:35 564632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\tmpidcrl.dll
2010-12-14 14:35 . 2009-08-18 15:30 564632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\wlidui.dll
2010-12-14 14:35 . 2009-08-18 15:24 17816 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2010-11-23 22:55 . 2010-11-23 22:55 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2010-04-29 1652736]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2010-04-16 818288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"nwiz"="nwiz.exe" [2006-05-09 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-05-09 86016]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16261632]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\wowd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"9701:TCP"= 9701:TCP:Services
"9702:TCP"= 9702:TCP:Services
"7489:TCP"= 7489:TCP:Services

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/2/2010 4:55 PM 304464]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/2/2010 4:55 PM 20952]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/29/2010 7:29 PM 136176]
.
Contents of the 'Scheduled Tasks' folder

2011-02-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-30 00:29]

2011-02-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-30 00:29]

2011-02-18 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 20:50]

2011-02-17 c:\windows\Tasks\User_Feed_Synchronization-{D92E767C-5AAF-4F8D-995A-EAB1906AA541}.job
- c:\windows\system32\msfeedssync.exe [2008-04-14 06:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?ilc=1
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Software_Master Toolbar - c:\progra~1\SOFTWA~1\UNINST~1.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-18 02:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\Ireland: The Emerald Isle.scr 960031 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2011-02-18 02:43:56
ComboFix-quarantined-files.txt 2011-02-18 07:43
ComboFix2.txt 2011-02-18 04:30
ComboFix3.txt 2011-02-18 00:30

Pre-Run: 149,494,165,504 bytes free
Post-Run: 149,471,805,440 bytes free

- - End Of File - - E6A8F763F77B3F474BC40A35873C8272
#32 JSntgRvr (Global Moderator, 11,018 posts)
Much better. All that is left is to remove Ask.com and check for remnants.

After removing Ask.com, make sure the following files and folders are removed:

c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
c:\program files\Ask.com


Launch, update and perform a scan with Malwarebytes antimalware. Post the resulting report.

Install AVAST and perform a full scan. Let me know the outcome.

I also would like to check for another infection due to the globally opened ports.

Download and run HAMeb_check.exe
Post the contents of the resulting log.
#33 vahi (Member, Topic Starter, 41 posts)
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5797

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/18/2011 1:05:41 PM
mbam-log-2011-02-18 (13-05-41).txt

Scan type: Full scan (C:\|)
Objects scanned: 163539
Time elapsed: 24 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Got the Avast scan running now, and will run the HAMeb_check.exe when it finishes.

Edited by vahi, 18 February 2011 - 12:15 PM.

#34 vahi (Member, Topic Starter, 41 posts)
C:\Documents and Settings\Administrator\Desktop\HAMeb_check.exe
Fri 02/18/2011 at 15:50:47.03

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x83733AED]<<
kernel: MBR read successfully
copy of MBR has been found in sector 0x012A14C00
malicious code @ sector 0x012A14C03 !
PE file found in sector at 0x012A14C19 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"9701:TCP"=9701:TCP:*:Enabled:Services
"9702:TCP"=9702:TCP:*:Enabled:Services
"7489:TCP"=7489:TCP:*:Enabled:Services
"2118:TCP"=2118:TCP:*:Enabled:Services
"2736:TCP"=2736:TCP:*:Enabled:Services
"7473:TCP"=7473:TCP:*:Enabled:Services
"4822:TCP"=4822:TCP:*:Enabled:Services
"2423:TCP"=2423:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"9701:TCP"=9701:TCP:*:Enabled:Services
"9702:TCP"=9702:TCP:*:Enabled:Services
"7489:TCP"=7489:TCP:*:Enabled:Services
"2118:TCP"=2118:TCP:*:Enabled:Services
"2736:TCP"=2736:TCP:*:Enabled:Services
"7473:TCP"=7473:TCP:*:Enabled:Services
"4822:TCP"=4822:TCP:*:Enabled:Services
"2423:TCP"=2423:TCP:*:Enabled:Services


~~ EOF ~~
#35 JSntgRvr (Global Moderator, 11,018 posts)
Note! To use this tool read the following instructions thoroughly first. Dell users pay attention to the last note.

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
  • Close out all other open programs and windows.
  • Double click the file to run it and follow any prompts.
    From here there are two different routes

  • If the tool detects an mbr infection
    • Please allow it to run mbr -f and shutdown your computer.
    • Upon restarting, please wait about 5 minutes
    • Click Start>Run and type the following bolded command, then hit Enter.
      Note! Make sure you leave a space between helpasst and -mbrt

      helpasst -mbrt

    • When it completes, a log will open.
    • Please post the contents of that log.

  • In the event the tool does not detect an mbr infection and completes
    • click Start>Run and type the following bolded command, then hit Enter.
      Note! Make sure you leave a space between mbr and -f

      mbr -f

    • Now, please do the Start>Run>mbr -f command a second time.
    • Now shut down the computer (do not restart, but shut it down),
    • Wait a few minutes then start it back up.
    • Wait about 5 minutes
    • Click Start>Run and type the following bolded command, then hit Enter.
      Note! Make sure you leave a space between helpasst and -mbrt

      helpasst -mbrt

    • When it completes, a log will open.
    • Please post the contents of that log.


Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).
#36 vahi (Member, Topic Starter, 41 posts)
C:\Documents and Settings\Administrator\Desktop\HelpAsst_mebroot_fix.exe
Fri 02/18/2011 at 18:57:17.98

HelpAssistant account Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"3389:TCP"=-
"65533:TCP"=-
"52344:TCP"=-
"9701:TCP"=-
"9702:TCP"=-
"7489:TCP"=-
"2118:TCP"=-
"2736:TCP"=-
"7473:TCP"=-
"4822:TCP"=-
"2423:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"3389:TCP"=-
"65533:TCP"=-
"52344:TCP"=-
"9701:TCP"=-
"9702:TCP"=-
"7489:TCP"=-
"2118:TCP"=-
"2736:TCP"=-
"7473:TCP"=-
"4822:TCP"=-
"2423:TCP"=-

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking mbr ~~

mbr infection detected! ~ running mbr -f

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
copy of MBR has been found in sector 0x012A14C00
malicious code @ sector 0x012A14C03 !
PE file found in sector at 0x012A14C19 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
original MBR restored successfully !

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x012A14C00
malicious code @ sector 0x012A14C03 !
PE file found in sector at 0x012A14C19 !

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Fri 02/18/2011 at 20:23:59.06

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x012A14C00
malicious code @ sector 0x012A14C03 !
PE file found in sector at 0x012A14C19 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~
#37 JSntgRvr (Global Moderator, 11,018 posts)
Let's run HAMeb_check.exe once again to confirm and post the contents of the resulting log.
#38 vahi (Member, Topic Starter, 41 posts)
C:\Documents and Settings\Administrator\Desktop\HAMeb_check.exe
Fri 02/18/2011 at 21:56:49.96

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x012A14C00
malicious code @ sector 0x012A14C03 !
PE file found in sector at 0x012A14C19 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~
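The two indicators the moderator relied on in posts #32, #34 and #38 (globally open firewall ports with the generic name "Services" on random high ports, and the verdict of the embedded Gmer mbr.exe run) can be pulled out of the HAMeb_check / HelpAsst_mebroot_fix log format mechanically. The following parser is an added example for this thread; it is not code from the thread, from Geeks to Go, or from the authors of HAMeb_check, HelpAsst_mebroot_fix or mbr.exe. The sample log is constructed to mirror the lines in post #34 (sector offsets copied from the thread), and the allowlist `EXPECTED_PORT_NAMES`, the function names and the status labels are assumptions of the example.

```python
import re

# Firewall entries Windows XP registers itself, keyed by display name -> expected port.
# Assumption for this example: an enabled entry outside this allowlist is treated as rogue,
# which matches what the thread's logs show (random high ports all labelled "Services").
EXPECTED_PORT_NAMES = {
    "Remote Desktop": 3389,
}

# Matches: [HKLM\~\services\sharedaccess\parameters\firewallpolicy\<Profile>\GloballyOpenPorts\List]
PROFILE_RE = re.compile(
    r'^\[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\'
    r'([A-Za-z]+)\\GloballyOpenPorts\\List\]$',
    re.IGNORECASE,
)
# Matches: "65533:TCP"=65533:TCP:*:Enabled:Services
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\d+:(?:TCP|UDP):\*:(Enabled|Disabled):(.+)$')


def rogue_ports(text):
    """Return (profile, port, proto, name) for each enabled GloballyOpenPorts entry
    that is not an allowlisted Windows entry sitting on its expected port."""
    profile = None
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PROFILE_RE.match(line)
        if m:
            profile = m.group(1)          # remember which firewall profile we are in
            continue
        m = PORT_RE.match(line)
        if m and profile:
            port, proto, state, name = m.groups()
            port = int(port)
            if state == "Enabled" and EXPECTED_PORT_NAMES.get(name) != port:
                found.append((profile, port, proto, name))
    return found


def mbr_status(text):
    """Summarise the Gmer mbr.exe section of a log into one label (labels are this
    example's own): "infected", "restored", "clean_with_leftover_copy", "clean", "unknown"."""
    infected = "MBR rootkit infection detected" in text
    restored = "original MBR restored successfully" in text
    agree = "user & kernel MBR OK" in text
    leftover = ("copy of MBR has been found in sector" in text
                or "PE file found in sector" in text)
    if infected and restored:
        return "restored"
    if infected:
        return "infected"
    if agree and leftover:
        # Live MBR is fine, but the detector still sees the stashed MBR copy / PE on disk.
        return "clean_with_leftover_copy"
    if agree:
        return "clean"
    return "unknown"


def analyze_log(text):
    """Combine both checks into one report dict."""
    return {
        "rogue_ports": rogue_ports(text),
        "mbr": mbr_status(text),
        # mbr.exe printing an >>UNKNOWN<< module in the disk I/O call chain is a further
        # sign that something has hooked the storage stack.
        "unknown_hook": ">>UNKNOWN" in text,
    }


# Constructed sample, modelled on the HAMeb_check output quoted in post #34.
SAMPLE_LOG = r"""
Account active No
~~ Checking mbr ~~
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x83733AED]<<
kernel: MBR read successfully
copy of MBR has been found in sector 0x012A14C00
malicious code @ sector 0x012A14C03 !
PE file found in sector at 0x012A14C19 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
~~ Checking firewall ports ~~
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"65533:TCP"=65533:TCP:*:Enabled:Services
"9701:TCP"=9701:TCP:*:Enabled:Services
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"65533:TCP"=65533:TCP:*:Enabled:Services
"2423:TCP"=2423:TCP:*:Enabled:Services
"""

if __name__ == "__main__":
    report = analyze_log(SAMPLE_LOG)
    print("MBR status:", report["mbr"], "| unknown hook:", report["unknown_hook"])
    for profile, port, proto, name in report["rogue_ports"]:
        print(f"rogue open port: {profile} {port}/{proto} ({name})")
```

Run against the post #34 lines the parser reports "infected" with an unknown hooked module and ten "Services" ports per profile; against the post #38 lines it reports "clean_with_leftover_copy" with empty port lists, which is the state the moderator accepted as resolved. The fix tool in post #36 removed every entry, including 3389; the parser leaves Remote Desktop on 3389 out of the rogue list so that only the anomalies are surfaced, and keeps the leftover-copy status distinct from "clean" so an analyst can decide whether the stashed sectors need further attention.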

#39 JSntgRvr (Global Moderator, 11,018 posts)
I believe your computer is ready to go, congratulations.

Let's do some housekeeping.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix.
  • Rename Combofix to Uninstall and click on it. That should remove the application.

Please download OTC by OldTimer.
  • Save it to your desktop.
  • Please double-click OTC.exe to run it. (Vista users, please right click on OTC.exe and select "Run as an Administrator")
  • This will delete the tools we used in the removal of malware, including this program.
  • If you are asked to reboot to complete the removal process then please do so

Upon restart, manually remove any remaining tools.

Create a Restore point:
  • Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  • In the System Restore dialog box, click Create a restore point, and then click Next.
  • Type a description for your restore point, such as "After Cleanup", then click Create.

The following is a list of tools and utilities that I like to suggest to people.

  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

Best wishes!
#40 vahi (Member, Topic Starter, 41 posts)
Awesome! Thank you so much for all the help! Would have never got that sorted out myself.
#41 JSntgRvr (Global Moderator, 11,018 posts)
You are welcome. :D
#42 JSntgRvr (Global Moderator, 11,018 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.