I have been fighting a nasty bug on my home network - all Win XP Pro SP3 systems seem to be infected with something which redirects all installed browsers randomly. Google Analytics seems to be indicated as part of or related to the problem - it may be that the systems were affected by a Java exploit planted by a PDF-embedded exe or dll. I suspect it is a Java virtual machine spawning malicious processes. Here is the bottom line - all systems were initially protected by ESET NOD32 4 - useless! Since uninstalled. I have run Microsoft Security Essentials, Anti-Malware Bytes, AVG, Avira, and Stinger. All have found nothing but tracking cookies, if that.
If I run Microsoft Update, I see multiple copies of iexplorer.exe running - and it takes 5 or so minutes for it to report that there are no updates. I have noticed other apps running with duplicates at times - notably the Fix-It Utilities process MXTask2.exe - at times runs with duplicates - right down to twin tray icons... I suspect that whatever bug I have is spoofing other valid applications' credentials to run undetected.
This is the hardest bug I have come across!
Trouble started about the time Firefox 3.6.7 and 3.6.8 (mid July) were released. I have uninstalled and reinstalled all Java and Sun Microsystems components (or tried to). Also removed all .jvs files dated July 2010. Reinstalled Firefox and other related applications. Fix-It was added after the fact, as it notifies me of any setup.exe launches, and was not part of the problem. I read the Microsoft security bulletin posted on 8/2/2010 at the McAfee Threat Center and downloaded the updates from MS, but no effect. If the exploit got in that way - then the damage is already done and I am unable to detect it.
Any help would be appreciated - otherwise I will have to wipe all my systems and reinstall.
I currently have Avira running. AntiMalware was reinstalled - running database version 4052 but cannot update: MBAM_ERROR_UPDATING (12007,0, WinHttoSendRequest) is reported, and shutting off Avira and the firewall has no effect.
Any HELP would be most appreciated!
I ran ComboFix - here is the log:
ComboFix 10-08-05.07 - K E V i N 08/06/2010 8:35.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.219 [GMT -7:00]
Running from: c:\documents and settings\K E V i N\desktop\commy.exe
Command switches used :: /stepdel
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: Avira FireWall *enabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
.
((((((((((((((((((((((((( Files Created from 2010-07-06 to 2010-08-06 )))))))))))))))))))))))))))))))
.
2010-08-06 13:10 . 2010-08-06 13:10 -------- d-----w- c:\documents and settings\LocalService\Application Data\Avanquest
2010-08-06 04:38 . 2010-08-06 04:38 -------- d-----w- c:\documents and settings\K E V i N\Application Data\Avanquest
2010-08-05 17:52 . 2010-08-06 14:36 -------- d-----w- c:\windows\system32\NtmsData
2010-08-05 16:11 . 2010-08-05 16:11 -------- d-----w- c:\documents and settings\Z O E\Application Data\Avira
2010-08-05 14:25 . 2010-08-05 14:25 -------- d-----w- c:\documents and settings\K E V i N\Application Data\Avira
2010-08-05 13:37 . 2010-08-05 13:33 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-08-05 13:37 . 2010-08-05 13:33 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-08-05 13:37 . 2010-08-05 13:33 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-08-05 13:37 . 2010-08-05 13:33 79432 ----a-w- c:\windows\system32\drivers\avfwim.sys
2010-08-05 13:37 . 2010-08-05 13:33 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-08-05 13:37 . 2010-08-05 13:33 102856 ----a-w- c:\windows\system32\drivers\avfwot.sys
2010-08-05 13:37 . 2010-08-05 13:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-08-05 13:37 . 2010-08-05 13:37 -------- d-----w- c:\program files\Avira
2010-08-04 16:24 . 2010-08-04 16:26 -------- d-----w- c:\program files\Windows Live Safety Center
2010-08-03 16:52 . 2010-01-28 22:12 35000 ----a-w- c:\windows\system32\mxntdfg.exe
2010-08-03 16:52 . 2010-08-03 16:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Avanquest
2010-08-03 16:51 . 2010-08-03 16:51 -------- d-----r- C:\_Backup.RC
2010-08-03 16:51 . 2010-08-06 14:41 -------- d-----w- C:\_Backup
2010-08-03 16:49 . 2010-08-03 16:49 -------- d-----w- c:\documents and settings\Z O E\Application Data\Avanquest
2010-08-03 16:49 . 2010-08-03 16:49 -------- d-----w- c:\program files\Avanquest
2010-08-03 15:24 . 2010-08-03 15:24 -------- d-----w- c:\program files\AVG
2010-08-03 15:23 . 2010-08-05 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-08-03 02:13 . 2010-08-03 02:13 -------- d-----w- c:\program files\Common Files\Java
2010-08-03 02:12 . 2010-08-03 02:12 503808 ----a-w- c:\documents and settings\K E V i N\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6849cf42-n\msvcp71.dll
2010-08-03 02:12 . 2010-08-03 02:12 499712 ----a-w- c:\documents and settings\K E V i N\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6849cf42-n\jmc.dll
2010-08-03 02:12 . 2010-08-03 02:12 348160 ----a-w- c:\documents and settings\K E V i N\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6849cf42-n\msvcr71.dll
2010-08-03 02:12 . 2010-08-03 02:12 12800 ----a-w- c:\documents and settings\K E V i N\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4328d9c9-n\decora-d3d.dll
2010-08-03 02:12 . 2010-08-03 02:12 61440 ----a-w- c:\documents and settings\K E V i N\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4328d9c9-n\decora-sse.dll
2010-08-03 02:12 . 2010-08-03 02:12 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-03 02:12 . 2010-08-03 02:12 -------- d-----w- c:\program files\Java
2010-07-31 23:43 . 2010-06-01 17:37 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-07-31 15:50 . 2010-07-31 15:50 -------- d-sh--w- c:\documents and settings\Z O E\IECompatCache
2010-07-31 15:49 . 2010-07-31 15:49 -------- d-sh--w- c:\documents and settings\Z O E\PrivacIE
2010-07-31 15:35 . 2010-07-31 15:36 -------- d-----w- c:\program files\QuickTime
2010-07-31 15:35 . 2010-07-31 15:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-07-26 13:33 . 2010-07-26 13:33 -------- d-----w- c:\documents and settings\Z O E\Application Data\Malwarebytes
2010-07-21 19:58 . 2010-07-21 20:05 -------- d-----w- c:\documents and settings\S A r A\Application Data\U3
2010-07-16 14:36 . 2010-07-16 14:36 2568656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-07-16 14:36 . 2010-07-16 16:19 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-14 13:47 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-11 21:30 . 2010-07-11 21:30 -------- d-----w- c:\documents and settings\Z O E\Local Settings\Application Data\Identities
2010-07-09 15:03 . 2010-07-09 15:03 -------- d-----w- c:\program files\Harmonic Vision
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-06 13:31 . 2009-09-25 21:53 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-08-03 16:47 . 2009-09-25 20:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-31 15:44 . 2009-09-26 19:01 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-09 15:03 . 2009-08-25 23:19 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-07 04:01 . 2009-11-23 04:46 -------- d-----w- c:\documents and settings\L I Z Z O\Application Data\U3
2010-06-24 23:57 . 2010-06-24 23:57 -------- d-----w- c:\documents and settings\L I Z Z O\Application Data\Apple Computer
2010-06-24 23:57 . 2009-09-25 23:17 29576 ----a-w- c:\documents and settings\L I Z Z O\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-14 14:31 . 2009-08-25 23:07 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-05 282792]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Dialog Helper.lnk - c:\program files\VCOM\PowerDesk\pddlghlp.exe [2005-9-8 40960]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Z O E^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\Z O E\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CoolSwitch]
2001-10-08 19:59 45632 ----a-w- c:\windows\system32\TaskSwitch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2006-05-25 15:43 126976 ----a-w- c:\windows\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2004-05-12 22:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2004-02-12 20:38 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 18:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Adobe LM Service"=3 (0x3)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [8/5/2010 6:37 AM 102856]
R2 AntiVirFirewallService;Avira FireWall;c:\program files\Avira\AntiVir Desktop\avfwsvc.exe [8/5/2010 6:37 AM 536232]
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [8/5/2010 6:37 AM 337064]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/5/2010 6:37 AM 135336]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [8/5/2010 6:37 AM 405672]
R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [8/5/2010 6:37 AM 79432]
S2 Fix-It Utilities 10 Essentials Task Manager;Fix-It Utilities 10 Essentials Task Manager;c:\progra~1\AVANQU~1\Fix-It\mxtask.exe -Service --> c:\progra~1\AVANQU~1\Fix-It\mxtask.exe -Service [?]
.
Contents of the 'Scheduled Tasks' folder
2010-07-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
FF - ProfilePath - c:\documents and settings\K E V i N\Application Data\Mozilla\Firefox\Profiles\v1i0k5ta.default\
FF - prefs.js: browser.startup.homepage - hxxp://odb.org/
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-06 08:40
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(1336)
c:\program files\Avira\AntiVir Desktop\avsda.dll
- - - - - - - > 'explorer.exe'(3652)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-08-06 08:43:31
ComboFix-quarantined-files.txt 2010-08-06 15:43
Pre-Run: 20,064,157,696 bytes free
Post-Run: 20,029,243,392 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 81C251BA3362E3DEFFB09A3675ACB685
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-06 08:40
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(1336)
c:\program files\Avira\AntiVir Desktop\avsda.dll
- - - - - - - > 'explorer.exe'(3652)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-08-06 08:43:31
ComboFix-quarantined-files.txt 2010-08-06 15:43
Pre-Run: 20,064,157,696 bytes free
Post-Run: 20,029,243,392 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 81C251BA3362E3DEFFB09A3675ACB685