Attack From Several Sources

Here's the combofix log (I still see the file on my desktop, so I don't know if it took; my virus scanner just notified me of another threat! :eek: )

ComboFix 11-10-17.02 - Owner 10/17/2011 20:14:52.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.144 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
/wow section - STAGE 48
.
/wow section - STAGE 50
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\documents and settings\Owner\Desktop\netbt.sys --> c:\windows\system32\drivers\netbt.sys
.
((((((((((((((((((((((((( Files Created from 2011-09-18 to 2011-10-18 )))))))))))))))))))))))))))))))
.
.
2011-10-18 00:26 . 2011-10-18 00:26 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B2B5A32C-03C5-460B-828B-2E19380AB04E}\MpKsle4abfb6b.sys
2011-10-18 00:12 . 2011-10-18 00:12 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B2B5A32C-03C5-460B-828B-2E19380AB04E}\MpKsl2d34d2b9.sys
2011-10-17 20:52 . 2011-10-17 20:52 -------- d-----w- c:\program files\CCleaner
2011-10-17 20:35 . 2011-10-17 20:35 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B2B5A32C-03C5-460B-828B-2E19380AB04E}\MpKslb05f64b9.sys
2011-10-17 20:25 . 2011-10-17 20:25 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B2B5A32C-03C5-460B-828B-2E19380AB04E}\MpKslb6701298.sys
2011-10-17 12:03 . 2011-10-17 12:03 -------- d-----w- c:\program files\Common Files\Java
2011-10-17 12:03 . 2011-10-17 12:02 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-10-17 12:03 . 2011-10-17 12:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-10-17 12:03 . 2011-10-17 12:02 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-17 12:02 . 2011-10-17 12:02 -------- d-----w- c:\program files\Java
2011-10-17 11:45 . 2011-10-18 00:25 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B2B5A32C-03C5-460B-828B-2E19380AB04E}\offreg.dll
2011-10-17 11:15 . 2011-09-12 20:14 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B2B5A32C-03C5-460B-828B-2E19380AB04E}\mpengine.dll
2011-10-16 18:47 . 2011-10-16 18:47 -------- d-----w- c:\program files\ESET
2011-10-16 17:48 . 2011-10-16 17:48 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-10-16 17:48 . 2011-10-16 17:48 -------- d-----w- c:\program files\Trend Micro
2011-10-16 07:57 . 2011-10-16 07:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2011-10-16 07:56 . 2011-10-16 07:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-10-16 07:56 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-16 07:56 . 2011-10-16 07:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-16 07:26 . 2011-09-12 20:14 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-10-16 07:14 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-10-16 07:11 . 2011-10-16 07:11 -------- d-----w- c:\program files\Microsoft Security Client
2011-10-15 21:23 . 2011-10-15 21:23 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-10-15 21:22 . 2011-10-15 21:22 -------- d-----w- c:\program files\Coupons
2011-09-26 15:41 . 2011-09-26 15:41 611328 ------w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2011-09-26 15:41 220160 -c----w- c:\windows\system32\dllcache\oleacc.dll
2011-09-26 15:41 . 2011-09-26 15:41 20480 -c----w- c:\windows\system32\dllcache\oleaccrc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-17 23:58 . 2005-03-02 23:44 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-09-26 15:41 . 2005-03-02 23:44 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2005-03-02 23:44 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2005-03-02 23:44 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-07 13:26 . 2011-06-16 13:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-06 13:20 . 2005-03-02 23:44 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48 . 2005-03-02 23:44 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2005-03-02 23:44 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2005-03-02 23:44 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2005-03-02 23:44 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2005-03-02 23:44 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2004-08-04 12:00 94784 -csh--w- c:\windows\twain.dll
2008-04-14 00:12 50688 --sh--w- c:\windows\twain_32.dll
2011-02-08 13:33 978944 --sha-w- c:\windows\system32\mfc42.dll
2008-04-14 00:12 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12 413696 --sha-w- c:\windows\system32\msvcp60.dll
2010-12-20 17:32 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 11776 --sh--w- c:\windows\system32\regsvr32.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2011-03-09 247728]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-04-06 26102056]
"Logitech Vid"="c:\program files\Logitech\Logitech Vid\vid.exe" [2009-07-16 5458704]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-10 344064]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-13 61952]
"CreateCD_Reminder"="c:\windows\Sonysys\VAIO Recovery\reminder.exe" [2004-07-16 53248]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-01-14 151552]
"SoundMan"="SOUNDMAN.EXE" [2004-11-02 77824]
"AlcWzrd"="ALCWZRD.EXE" [2004-11-29 2748928]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-08 155648]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 19968]
"HostManager"="c:\program files\Common Files\AOL\1145242537\ee\AOLSoftware.exe" [2006-05-10 50760]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2009-07-08 472112]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1145242537\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1145242537\\ee\\aim6.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\TomTom HOME 2\\xulrunner\\TomTomHOMERuntime.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Common Files\\ArcSoft\\Connection Service\\Bin\\ACDaemon.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\tdsskiller.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 MpKsl2d34d2b9;MpKsl2d34d2b9;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B2B5A32C-03C5-460B-828B-2E19380AB04E}\MpKsl2d34d2b9.sys [10/17/2011 8:12 PM 28752]
R1 MpKsl81ebdd91;MpKsl81ebdd91;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B2B5A32C-03C5-460B-828B-2E19380AB04E}\MpKsl81ebdd91.sys [10/17/2011 8:31 PM 28752]
R1 MpKslb05f64b9;MpKslb05f64b9;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B2B5A32C-03C5-460B-828B-2E19380AB04E}\MpKslb05f64b9.sys [10/17/2011 4:35 PM 28752]
R1 MpKslb6701298;MpKslb6701298;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B2B5A32C-03C5-460B-828B-2E19380AB04E}\MpKslb6701298.sys [10/17/2011 4:25 PM 28752]
R1 MpKsle4abfb6b;MpKsle4abfb6b;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B2B5A32C-03C5-460B-828B-2E19380AB04E}\MpKsle4abfb6b.sys [10/17/2011 8:26 PM 28752]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe --> c:\program files\TomTom HOME 2\TomTomHOMEService.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S4 Rsdpfslrsi;Rsdpfslrsi;c:\windows\system32\drivers\ipsec.sys [3/2/2005 7:44 PM 75264]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL81EBDD91
*NewlyCreated* - MPKSLE4ABFB6B
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]
.
2011-10-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 - c:\program files\Sony\Image Converter 2\menu.htm
TCP: DhcpNameServer = 24.178.162.3 97.81.22.195 24.159.64.23
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\bfuf2t6g.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4b1192d1&v=7.008.031.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - Ext: Full Flat: {6E1A2A2E-AE2A-4A26-A812-46F54288379E} - %profile%\extensions\{6E1A2A2E-AE2A-4A26-A812-46F54288379E}
FF - Ext: AddThis: {3e0e7d2a-070f-4a47-b019-91fe5385ba79} - %profile%\extensions\{3e0e7d2a-070f-4a47-b019-91fe5385ba79}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-17 20:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2480)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\Logi_MwX.Exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\windows\system32\taskmgr.exe
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
.
**************************************************************************
.
Completion time: 2011-10-17 20:35:59 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-18 00:35
ComboFix2.txt 2011-10-17 20:38
ComboFix3.txt 2011-10-16 17:33
ComboFix4.txt 2011-10-16 06:29
.
Pre-Run: 102,866,731,008 bytes free
Post-Run: 102,856,998,912 bytes free
.
- - End Of File - - E9966ED522F44972474F4FC6644998E9
 
I'm having site loading problems online. I've tried to go redownload ESET since it won't connect when I try to run it from my desktop. I tried to go back to the page and it won't work; the virustotal.com website won't load now either.

This is the only page that will load for me at all.

I already had to take today off since I couldn't login to work. :( I don't know if I can make it into work tomorrow now. I haven't even tried to load my email to send my manager a note about what's going on.

Going to try MBAM now though.
 
MBAM log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7956

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/17/2011 8:59:24 PM
mbam-log-2011-10-17 (20-59-24).txt

Scan type: Quick scan
Objects scanned: 177421
Time elapsed: 12 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
You still haven't picked the virus program you want to keep, you still have avg and microsoft security essentials installed at the same time. I suggest uninstalling AVG.
 
Hi John, thanks so much for dealing with me!

I have in fact uninstalled AVG, I did it when I deleted all your suggestions. I went ahead and uninstalled AVG. I don't understand why it's still showing up. I deleted it and ALL files associated with it through my control panel>add/remove programs.

Do I need to go in and remove a missed component?
 
Thank you John, I got ESET to run... so I'm getting that report for you now.

Downloading the avg removal tool.

Then should I go to My Computer, right click, properties, uncheck system restore, apply... then open and recheck, apply?
 
Yeah, but that should have been done earlier. By the way, the malwarebytes definitions you are using are a few days outdated. Need you to open malwarebytes, click on the update tab, click on check for updates, then rerun a quick scan.
 
I did that earlier, but looked like I need to do it again because ESET found 2 more copies of that rootkit Trojan file since the last cleaning.

ESET log:

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\netbt.sys.vir Win32/Rootkit.Agent.NUT trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{400587B0-8271-42FB-9D8B-7E2D9247E9C7}\RP2133\A0185820.sys Win32/Rootkit.Agent.NUT trojan cleaned by deleting - quarantined
 
We would have cleaned up the last remnants there when I would have you uninstall combofix.

How's the system running now? Can you do everything that you need to do for work?
 
Thank you John, it seems like all is running well enough that work should be great. I think I may hang around the community and try to be of some help. I'm pretty good at other computer related issues... but viruses and evil things... not so much!

I used the AVG uninstall and it cleaned up all the files missed with the first uninstall and things have sped up more. Must have been clashing with Micro Essent. So I think we're good.

Updated MBAM here's the log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7970

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/17/2011 11:55:40 PM
mbam-log-2011-10-17 (23-55-39).txt

Scan type: Quick scan
Objects scanned: 176772
Time elapsed: 5 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
That's good. Yes, I highly recommend you stay and help out. This is a great community with good members. You may even learn a few things. I'm sure you will enjoy your stay here at CF.

You may now uninstall combofix by clicking on start, run, type combofix /uninstall and click on ok. This will delete combofix and all of its logs and reset system restore and set a new restore point. If you have any more issues just let me know.
 