After quite awhile, my dad ended up catching some malware again. It was a fake antivirus, I believe it was called "System Care Antivirus" It wouldn't allow him to open anything and it repeatedly told him that Symantec was infected. It didn't run in safe mode, so I was able to run Malwarebytes there. It removed (most of) the associated files, but it left the folder behind, so I erased that. However, it wasn't over. In task manager, I noticed several iexplore.exe processes in Task Manager.
Upon closer inspection, it appeared that there were two hidden Internet Explorer windows visiting random sites (along with calling to certain IP addresses). So, I ran Combofix (I know we shouldn't do that, but I didn't have it fix anything major). It found two DLL files, which I the deleted. Afterward, the suspicious IE windows stopped opening and all seemed to be well. All that was left were two DLL errors that ran at login, referring to the missing DLL files. Though, there were just two registry entries leftover that told rundll32.exe to run those DLLs at startup. It was a simple fix in the Registry Editor.
Still, this suspicious activity has me worried. I remember seeing these symptoms as signs of a possible rootkit infection. So, I scanned with TDSSkiller, but it came up clean. So, I just wanted to see if there is anything left over, or if there is a possible rootkit infection that brought in the malware.
Here's the DDS Log:
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.17.2
Run by wamcd at 14:27:58 on 2013-04-15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.282 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ================
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://education.dellnet.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
mRun: [DellTouch] c:\windows\MMKeybd.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [StatusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [QuickFinder Scheduler] "c:\program files\corel\wordperfect office 2002\programs\QFSCHD100.EXE"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [HPUsageTrackingLEDM] "c:\program files\hp\hp ut ledm\bin\hppusg.exe" "c:\program files\hp\hp ut ledm\"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: d:\docume~1\wamcd~1.wam\startm~1\programs\startup\jacqui~1.lnk - c:\program files\jacquie lawson london advent calendar\Jacquie Lawson London Advent Calendar.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\corelc~1.lnk - c:\windows\installer\{f73e7b59-f951-11d4-884d-00902761a46d}\I_26dadCC.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoWelcomeScreen = dword:1
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: dontdisplaylastusername = dword:1
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0014-0002-0002-ABCDEFFEDCBC} - <orphaned>
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1115408060564
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130441725093
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_02-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.3092708333
DPF: {CAFEEFAC-0014-0002-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{4D71D46A-A34A-4F59-8B92-CC51FF0FB026} : DHCPNameServer = 75.75.75.75 75.75.76.76
Notify: igfxcui - igfxdev.dll
SEH: Quick View Plus - ShellExecute Hook - {0cab0400-7395-11d0-a5e5-0020afe2fdd9} -
.
================= FIREFOX ===================
.
FF - ProfilePath - d:\documents and settings\wamcd.wamcd01\application data\mozilla\firefox\profiles\o40f8ch2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=302398&p=
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_6_602_180.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - plugin: c:\windows\system32\npwmsdrm.dll
FF - ExtSQL: 2013-04-13 20:54; {9857e72b-a491-11e2-8274-b8ac6f996f26}; d:\documents and settings\wamcd.wamcd01\application data\mozilla\firefox\profiles\o40f8ch2.default\extensions\{9857e72b-a491-11e2-8274-b8ac6f996f26}.xpi
FF - ExtSQL: !HIDDEN! 2010-12-20 03:12; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
============= SERVICES / DRIVERS ===============
.
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2002-5-8 212992]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-8-10 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-8-10 108392]
R2 HP LaserJet Service;HP LaserJet Service;c:\program files\hp\hplaserjetservice\HPLaserJetService.exe [2009-6-24 136704]
R2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [2010-12-17 99896]
R2 IDFEndpointService;Identity Finder Endpoint Service;c:\program files\identity finder 4\idfEndpoint.exe [2010-10-13 6181376]
R2 NetAlrt;NetAlrt;c:\windows\system32\drivers\Netalrt.sys [2002-5-7 39680]
R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [1980-1-1 28672]
R2 PlatAlrt;PlatAlrt;c:\windows\system32\drivers\platalrt.sys [2002-5-7 23744]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2010-11-8 1839776]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-9-3 106656]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [2002-10-7 6942]
R3 mvusbews;USB EWS Device;c:\windows\system32\drivers\mvusbews.sys [2010-12-17 17408]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20130412.016\NAVENG.SYS [2013-4-12 93296]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20130412.016\NAVEX15.SYS [2013-4-12 1603824]
S3 {E6759E0C-470B-44DC-A4A1-627E68BB3A85};AIM 3.0 SI164;c:\windows\system32\drivers\a302.sys [2003-8-29 11319]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-3-30 23888]
S3 Intel Remote Control Helper;Intel Remote Control Helper;c:\windows\system32\drivers\rch.sys --> c:\windows\system32\drivers\rch.sys [?]
.
=============== File Associations ===============
.
ShellExec: FRONTPG.EXE: edit=c:\progra~1\micros~2\office10\FRONTPG.EXE
.
=============== Created Last 30 ================
.
2013-04-14 01:50:41 -------- d-----w- c:\windows\pss
2013-04-14 01:02:27 -------- d-----w- C:\ComboFix
2013-04-10 22:32:33 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-03-28 03:31:54 98816 ----a-w- c:\windows\sed.exe
2013-03-28 03:31:54 256000 ----a-w- c:\windows\PEV.exe
2013-03-28 03:31:54 208896 ----a-w- c:\windows\MBR.exe
2013-03-21 18:46:17 12928 -c----w- c:\windows\system32\dllcache\usb8023x.sys
2013-03-21 18:46:17 12928 -c----w- c:\windows\system32\dllcache\usb8023.sys
.
==================== Find3M ====================
.
2013-04-10 22:32:14 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-04-10 22:32:13 861088 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-04-10 22:32:13 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-04-04 18:50:32 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-13 02:02:15 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-13 02:02:15 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-08 08:36:22 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 01:32:25 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50:30 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-02 02:06:31 916480 ----a-w- c:\windows\system32\wininet.dll
2013-03-02 02:06:30 43520 ------w- c:\windows\system32\licmgr10.dll
2013-03-02 02:06:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-03-02 01:25:02 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-03-02 01:08:47 385024 ----a-w- c:\windows\system32\html.iec
2013-02-27 07:56:51 2067456 ----a-w- c:\windows\system32\mstscax.dll
2013-02-12 00:32:23 12928 ----a-w- c:\windows\system32\drivers\usb8023x.sys
2013-02-12 00:32:23 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-01-26 03:55:44 552448 ----a-w- c:\windows\system32\oleaut32.dll
.
============= FINISH: 14:28:58.14 ===============
Here's the Malwarebytes log from when System Care Antivirus was removed:
Malwarebytes Anti-Malware 1.75.0.1300
Malwarebytes : Free anti-malware download
Database version: v2013.04.13.08
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
wamcd :: WAMCD01 [administrator]
4/13/2013 8:39:00 PM
mbam-log-2013-04-13 (20-39-00).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 36463
Time elapsed: 10 minute(s), 18 second(s) [aborted]
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|rvoelsow (Trojan.Agent.TSV) -> Data: "D:\Documents and Settings\wamcd.WAMCD01\Local Settings\Application Data\qfppiwim.exe" -> Quarantined and deleted successfully.
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 3
D:\Documents and Settings\wamcd.WAMCD01\Local Settings\Application Data\qfppiwim.exe (Trojan.Agent.TSV) -> Quarantined and deleted successfully.
D:\Documents and Settings\wamcd.WAMCD01\Local Settings\Temp\AA_E-Ticket.zip (Trojan.Agent.TSV) -> Quarantined and deleted successfully.
D:\Documents and Settings\wamcd.WAMCD01\Local Settings\Application Data\wjavxrwq.exe (Malware.Packer.EGX7) -> Quarantined and deleted successfully.
(end)
Upon closer inspection, it appeared that there were two hidden Internet Explorer windows visiting random sites (along with calling to certain IP addresses). So, I ran Combofix (I know we shouldn't do that, but I didn't have it fix anything major). It found two DLL files, which I the deleted. Afterward, the suspicious IE windows stopped opening and all seemed to be well. All that was left were two DLL errors that ran at login, referring to the missing DLL files. Though, there were just two registry entries leftover that told rundll32.exe to run those DLLs at startup. It was a simple fix in the Registry Editor.
Still, this suspicious activity has me worried. I remember seeing these symptoms as signs of a possible rootkit infection. So, I scanned with TDSSkiller, but it came up clean. So, I just wanted to see if there is anything left over, or if there is a possible rootkit infection that brought in the malware.
Here's the DDS Log:
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.17.2
Run by wamcd at 14:27:58 on 2013-04-15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.282 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ================
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://education.dellnet.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
mRun: [DellTouch] c:\windows\MMKeybd.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [StatusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [QuickFinder Scheduler] "c:\program files\corel\wordperfect office 2002\programs\QFSCHD100.EXE"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [HPUsageTrackingLEDM] "c:\program files\hp\hp ut ledm\bin\hppusg.exe" "c:\program files\hp\hp ut ledm\"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: d:\docume~1\wamcd~1.wam\startm~1\programs\startup\jacqui~1.lnk - c:\program files\jacquie lawson london advent calendar\Jacquie Lawson London Advent Calendar.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\corelc~1.lnk - c:\windows\installer\{f73e7b59-f951-11d4-884d-00902761a46d}\I_26dadCC.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoWelcomeScreen = dword:1
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: dontdisplaylastusername = dword:1
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0014-0002-0002-ABCDEFFEDCBC} - <orphaned>
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1115408060564
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130441725093
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_02-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.3092708333
DPF: {CAFEEFAC-0014-0002-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{4D71D46A-A34A-4F59-8B92-CC51FF0FB026} : DHCPNameServer = 75.75.75.75 75.75.76.76
Notify: igfxcui - igfxdev.dll
SEH: Quick View Plus - ShellExecute Hook - {0cab0400-7395-11d0-a5e5-0020afe2fdd9} -
.
================= FIREFOX ===================
.
FF - ProfilePath - d:\documents and settings\wamcd.wamcd01\application data\mozilla\firefox\profiles\o40f8ch2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=302398&p=
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_6_602_180.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - plugin: c:\windows\system32\npwmsdrm.dll
FF - ExtSQL: 2013-04-13 20:54; {9857e72b-a491-11e2-8274-b8ac6f996f26}; d:\documents and settings\wamcd.wamcd01\application data\mozilla\firefox\profiles\o40f8ch2.default\extensions\{9857e72b-a491-11e2-8274-b8ac6f996f26}.xpi
FF - ExtSQL: !HIDDEN! 2010-12-20 03:12; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
============= SERVICES / DRIVERS ===============
.
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2002-5-8 212992]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-8-10 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-8-10 108392]
R2 HP LaserJet Service;HP LaserJet Service;c:\program files\hp\hplaserjetservice\HPLaserJetService.exe [2009-6-24 136704]
R2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [2010-12-17 99896]
R2 IDFEndpointService;Identity Finder Endpoint Service;c:\program files\identity finder 4\idfEndpoint.exe [2010-10-13 6181376]
R2 NetAlrt;NetAlrt;c:\windows\system32\drivers\Netalrt.sys [2002-5-7 39680]
R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [1980-1-1 28672]
R2 PlatAlrt;PlatAlrt;c:\windows\system32\drivers\platalrt.sys [2002-5-7 23744]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2010-11-8 1839776]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-9-3 106656]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [2002-10-7 6942]
R3 mvusbews;USB EWS Device;c:\windows\system32\drivers\mvusbews.sys [2010-12-17 17408]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20130412.016\NAVENG.SYS [2013-4-12 93296]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20130412.016\NAVEX15.SYS [2013-4-12 1603824]
S3 {E6759E0C-470B-44DC-A4A1-627E68BB3A85};AIM 3.0 SI164;c:\windows\system32\drivers\a302.sys [2003-8-29 11319]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-3-30 23888]
S3 Intel Remote Control Helper;Intel Remote Control Helper;c:\windows\system32\drivers\rch.sys --> c:\windows\system32\drivers\rch.sys [?]
.
=============== File Associations ===============
.
ShellExec: FRONTPG.EXE: edit=c:\progra~1\micros~2\office10\FRONTPG.EXE
.
=============== Created Last 30 ================
.
2013-04-14 01:50:41 -------- d-----w- c:\windows\pss
2013-04-14 01:02:27 -------- d-----w- C:\ComboFix
2013-04-10 22:32:33 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-03-28 03:31:54 98816 ----a-w- c:\windows\sed.exe
2013-03-28 03:31:54 256000 ----a-w- c:\windows\PEV.exe
2013-03-28 03:31:54 208896 ----a-w- c:\windows\MBR.exe
2013-03-21 18:46:17 12928 -c----w- c:\windows\system32\dllcache\usb8023x.sys
2013-03-21 18:46:17 12928 -c----w- c:\windows\system32\dllcache\usb8023.sys
.
==================== Find3M ====================
.
2013-04-10 22:32:14 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-04-10 22:32:13 861088 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-04-10 22:32:13 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-04-04 18:50:32 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-13 02:02:15 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-13 02:02:15 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-08 08:36:22 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 01:32:25 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50:30 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-02 02:06:31 916480 ----a-w- c:\windows\system32\wininet.dll
2013-03-02 02:06:30 43520 ------w- c:\windows\system32\licmgr10.dll
2013-03-02 02:06:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-03-02 01:25:02 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-03-02 01:08:47 385024 ----a-w- c:\windows\system32\html.iec
2013-02-27 07:56:51 2067456 ----a-w- c:\windows\system32\mstscax.dll
2013-02-12 00:32:23 12928 ----a-w- c:\windows\system32\drivers\usb8023x.sys
2013-02-12 00:32:23 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-01-26 03:55:44 552448 ----a-w- c:\windows\system32\oleaut32.dll
.
============= FINISH: 14:28:58.14 ===============
Here's the Malwarebytes log from when System Care Antivirus was removed:
Malwarebytes Anti-Malware 1.75.0.1300
Malwarebytes : Free anti-malware download
Database version: v2013.04.13.08
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
wamcd :: WAMCD01 [administrator]
4/13/2013 8:39:00 PM
mbam-log-2013-04-13 (20-39-00).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 36463
Time elapsed: 10 minute(s), 18 second(s) [aborted]
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|rvoelsow (Trojan.Agent.TSV) -> Data: "D:\Documents and Settings\wamcd.WAMCD01\Local Settings\Application Data\qfppiwim.exe" -> Quarantined and deleted successfully.
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 3
D:\Documents and Settings\wamcd.WAMCD01\Local Settings\Application Data\qfppiwim.exe (Trojan.Agent.TSV) -> Quarantined and deleted successfully.
D:\Documents and Settings\wamcd.WAMCD01\Local Settings\Temp\AA_E-Ticket.zip (Trojan.Agent.TSV) -> Quarantined and deleted successfully.
D:\Documents and Settings\wamcd.WAMCD01\Local Settings\Application Data\wjavxrwq.exe (Malware.Packer.EGX7) -> Quarantined and deleted successfully.
(end)