Is it a virus?


21 replies to this topic

#1 ezooone


Posted 20 May 2010 - 01:20 AM

Hello..

I'm here to help with my friend's laptop..

I'm not sure whether her laptop is infected with a virus or not, but my feeling tells me it is virus-related..

Whenever I start the laptop, these 2 small windows appear..

" WinFlip
Sorry! Direct 3D failed to initialize
For help, go to winFlip.stylekings.de/board

WinFlip
Sorry! WinFlip failed to start, and will now close. "

Then I just clicked OK

After that, a Notepad window shows me a message that I'm unable to read..The Notepad's name is "ashDisp"

I ran Malwarebytes..It detected 10 malicious items but only one could be removed..

1 more thing: the laptop cannot have any shortcuts on the desktop, not even "My Computer"..

What should I do to help my friend? Thanks

Edited by ezooone, 20 May 2010 - 01:22 AM.



#2 ezooone


Posted 20 May 2010 - 07:07 AM

I'm sorry..

I forgot to tell you about Malwarebytes..

When Malwarebytes tried to remove the selected items..
It told me this..

"Regedit has been disabled and will affect the quarrantinning process. Malwarebytes Anti-Malware will now able Regedit."

This is the report from Malwarebytes..

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 3

5/20/2010 4:44:10 PM
mbam-log-2010-05-20 (16-44-10).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 86149
Time elapsed: 17 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTray.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Then..when I tried to scan again..the 9 infected items are still there..
I hope someone can help my friend.. Thanks..

Edited by ezooone, 20 May 2010 - 07:08 AM.


#3 Blade


Posted 21 May 2010 - 10:33 PM

Hello ezooone

Let's take a look at what's going on here.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If it gives you a warning about rootkit activity and asks if you want to run a scan...click on NO, then use the following settings for a more complete scan.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than SystemDrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.log" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and copy/paste its contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


~Blade


In your next reply, please include the following:
GMER log

Edited by Blade Zephon, 21 May 2010 - 10:33 PM.


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#4 ezooone


Posted 24 May 2010 - 02:46 AM

Ok..This is the result from GMER..

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-24 15:18:49
Windows 5.1.2600 Service Pack 3
Running: dq6i0nuj.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\fwdyqpog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA79196B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA7919574]
SSDT \??\C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes' Anti-Malware/Malwarebytes Corporation) ZwCreateSection [0xA71CDFE0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xA7919A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA791914C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA791964E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA791908C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA79190F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA791976E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA791972E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xA79198AE]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \Driver\BTHUSB \Device\0000008f bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\BTHUSB \Device\0000008d bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002269cc3b87
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\002269cc3b87 (not active ControlSet)

---- EOF - GMER 1.0.15 ----


I'm sorry Blade..I can't find the attach file button..usually it's located at the bottom..so I posted the log to you..

1 more thing Blade..the laptop usually types by itself..for example if we open Microsoft Word.. the letter F comes out automatically even though I didn't type it.. Is it because of the virus?


#5 Blade


Posted 25 May 2010 - 05:16 PM

Hello ezooone

QUOTE
I'm sorry Blade..I can't find the attach file button..usually it's located at the bottom..so I posted the log to you..

I actually prefer that you do it the way you did, so thanks!

QUOTE
1 more thing Blade..the laptop usually types by itself..for example if we open Microsoft Word.. the letter F comes out automatically even though I didn't type it.. Is it because of the virus?

This sounds like a malfunctioning keyboard. Try using another keyboard and see if the situation improves.

***************************************************

Please be aware that the following scans may take some time to run.

Download TFC by OldTimer to your desktop.
(TFC only cleans temp folders. It will not clean URL history, prefetch, or cookies).
Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.

NOTE:
It's normal after running TFC that the PC will be slower to boot the first time.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.


***************************************************

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (uncheck all others):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". When logging in, log in under the account that you normally use; do NOT log in under the account titled "Admin" or "Administrator" unless this account is the one used normally.

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

~Blade


In your next reply, please include the following:
SUPERAntiSpyware log



#6 ezooone


Posted 26 May 2010 - 01:43 AM

Here it is Blade, the SUPERAntiSpyware log..

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/26/2010 at 02:02 PM

Application Version : 4.38.1004

Core Rules Database Version : 4989
Trace Rules Database Version: 2801

Scan type : Complete Scan
Total Scan Time : 00:50:58

Memory items scanned : 239
Memory threats detected : 1
Registry items scanned : 4549
Registry threats detected : 8
File items scanned : 25517
File threats detected : 21

System.RegistryEditorDisabled
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System#DisableRegistryTools

System.TaskManagerDisabled
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System#DisableTaskMgr

Trojan.Agent/Gen
C:\DOCUME~1\USER\LOCALS~1\TEMP\SVCHOST.COM
C:\DOCUME~1\USER\LOCALS~1\TEMP\SVCHOST.COM
[HotKey] C:\DOCUMENTS AND SETTINGS\USER\TEMPLATES\CACHE\SFCSRVC.PIF
C:\DOCUMENTS AND SETTINGS\USER\TEMPLATES\CACHE\SFCSRVC.PIF
[User Agent] C:\WINDOWS\SYSTEM32\FDISK.COM
C:\WINDOWS\SYSTEM32\FDISK.COM
[HotKey] C:\DOCUMENTS AND SETTINGS\USER\TEMPLATES\CACHE\SFCSRVC.PIF
[User Agent] C:\DOCUME~1\USER\LOCALS~1\TEMP\SVCHOST.COM
[run] C:\DOCUME~1\USER\LOCALS~1\TEMP\SVCHOST.COM
[load] C:\DOCUME~1\USER\LOCALS~1\TEMP\SVCHOST.COM
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\STARTUP\SNDVOL32.EXE
C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\SVCHOST.COM
C:\DOCUMENTS AND SETTINGS\USER\START MENU\PROGRAMS\STARTUP\SNDVOL32.EXE
C:\THUMBS.DB
D:\THUMBS.DB
C:\WINDOWS\Prefetch\FDISK.COM-35868186.pf
C:\WINDOWS\Prefetch\SVCHOST.COM-1FD73DCC.pf
C:\WINDOWS\Prefetch\THUMBS.DB-03D889EC.pf
C:\WINDOWS\Prefetch\THUMBS.DB-090C050F.pf

Adware.Tracking Cookie
C:\Documents and Settings\user\Cookies\user@serving-sys[1].txt
C:\Documents and Settings\user\Cookies\user@yieldmanager[1].txt
C:\Documents and Settings\user\Cookies\user@ak[1].txt
C:\Documents and Settings\user\Cookies\user@adinterax[1].txt
C:\Documents and Settings\user\Cookies\[email protected][2].txt
C:\Documents and Settings\user\Cookies\[email protected][1].txt
C:\Documents and Settings\user\Cookies\user@atdmt[1].txt
C:\Documents and Settings\user\Cookies\[email protected][1].txt
C:\Documents and Settings\user\Cookies\user@doubleclick[1].txt


#7 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,475 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:06:58 PM

Posted 26 May 2010 - 10:58 PM

How's the computer running now?



#8 ezooone

ezooone
  • Topic Starter

  • Members
  • 253 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Penang, Malaysia
  • Local time:07:58 AM

Posted 27 May 2010 - 12:45 PM

Remains the same..

#9 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,475 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:06:58 PM

Posted 29 May 2010 - 11:59 PM

Hello ezooone.

Sorry for the delay.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Note for Vista Users: ESET is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
~Blade

In your next reply, please include the following:
ESET Online Scan log

Edited by Blade Zephon, 30 May 2010 - 12:00 AM.



#10 ezooone

ezooone
  • Topic Starter

  • Members
  • 253 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Penang, Malaysia
  • Local time:07:58 AM

Posted 08 June 2010 - 11:25 AM

Blade..there was no virus when I scanned with the ESET online scan..what should I do next?

Edited by Orange Blossom, 08 June 2010 - 06:00 PM.
Moving to log forum. ~ OB


#11 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,475 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:06:58 PM

Posted 08 June 2010 - 06:03 PM

Hello.

I'm having this topic shifted to the specialized Malware Removal Logs forum so we can take a better look at what's going on here.

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

~Blade


In your next reply, please include the following:
DDS.txt
Attach.txt

Edited by Blade Zephon, 08 June 2010 - 06:24 PM.



#12 ezooone

ezooone
  • Topic Starter

  • Members
  • 253 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Penang, Malaysia
  • Local time:07:58 AM

Posted 09 June 2010 - 04:00 AM

Here is the report from DDS..

DDS (Ver_10-03-17.01) - NTFSx86
Run by user at 12:39:24.53 on Wed 06/09/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1980.1378 [GMT 8:00]

AV: avast! antivirus 4.8.1335 [VPS 100608-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Utilities\VisualTooltip\VisualToolTip.exe
C:\Program Files\Drive Space Indicator\DrvSpace.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\PLFSetI.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\UberIcon\UberIcon Manager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\DOCUME~1\user\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
mWinlogon: Shell=explorer.exe
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\fdisk.com
mWinlogon: Taskman=c:\documents and settings\user\ctfmon.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~1\office12\GRA8E1~1.DLL
TB: QT Breadcrumbs Address Bar: {af83e43c-dd2b-4787-826b-31b17dee52ed} - mscoree.dll
TB: QT TabBar: {d2bf470e-ed1c-487f-a333-2bd8835eb6ce} - mscoree.dll
TB: QT Tab Standard Buttons: {d2bf470e-ed1c-487f-a666-2bd8835eb6ce} - mscoree.dll
uRun: [UberIcon] "c:\program files\ubericon\UberIcon Manager.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [WINFLIP] c:\program files\winflip\WinFlip.exe
mRun: [VisualTooltip] c:\program files\utilities\visualtooltip\VisualToolTip.exe
mRun: [DriveSpace] "c:\program files\drive space indicator\DrvSpace.exe" /STARTUP
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [PLFSetI] c:\windows\PLFSetI.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [UberIcon] c:\program files\ubericon\UberIcon Manager.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
uPolicies-explorer: NoShellSearchButto = 0 (0x0)
uPolicies-explorer: NoFolderOptions = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~1\office12\GR99D3~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~1\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
IFEO: ashdisp.exe - notepad
IFEO: AVGNT.EXE - notepad
IFEO: AVP.EXE - notepad
IFEO: mmc.exe - notepad
IFEO: msconfig.exe - notepad

Note: multiple IFEO entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\bdlsfim7.default\
FF - prefs.js: browser.startup.homepage - hxxp://start.bramjnet.com/vb/
FF - prefs.js: network.proxy.ftp - :8181
FF - prefs.js: network.proxy.gopher - :8181
FF - prefs.js: network.proxy.http - :8181
FF - prefs.js: network.proxy.socks - :8181
FF - prefs.js: network.proxy.ssl - :8181
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-5-20 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-18 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-11 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-5-20 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2010-5-20 138680]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-5-20 170640]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2010-5-20 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2010-5-20 352920]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-5-20 15504]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2010-5-11 114432]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-6-2 100736]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

=============== Created Last 30 ================

2010-06-02 04:12:07 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2010-06-02 03:45:12 270336 -c----w- c:\windows\system32\dllcache\oakley.dll
2010-06-02 03:45:05 8704 -c----w- c:\windows\system32\dllcache\tsbyuv.dll
2010-06-02 03:45:04 84992 -c----w- c:\windows\system32\dllcache\avifil32.dll
2010-06-02 03:45:04 48128 -c----w- c:\windows\system32\dllcache\iyuv_32.dll
2010-06-02 03:45:04 28672 -c----w- c:\windows\system32\dllcache\msvidc32.dll
2010-06-02 03:45:04 11264 -c----w- c:\windows\system32\dllcache\msrle32.dll
2010-06-02 03:44:59 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2010-06-02 03:44:38 343040 -c----w- c:\windows\system32\dllcache\mspaint.exe
2010-06-02 03:44:31 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2010-06-02 03:44:16 92928 -c----w- c:\windows\system32\dllcache\ksecdd.sys
2010-06-02 03:44:16 56832 -c----w- c:\windows\system32\dllcache\secur32.dll
2010-06-02 03:44:16 54272 -c----w- c:\windows\system32\dllcache\wdigest.dll
2010-06-02 03:44:16 301568 -c----w- c:\windows\system32\dllcache\kerberos.dll
2010-06-02 03:44:16 147456 -c----w- c:\windows\system32\dllcache\schannel.dll
2010-06-02 03:44:16 136704 -c----w- c:\windows\system32\dllcache\msv1_0.dll
2010-06-02 03:43:26 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2010-06-02 03:43:20 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-06-02 03:43:19 2066816 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-06-02 03:43:19 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-06-02 03:42:08 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-06-02 03:41:40 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-06-02 03:41:40 1206508 -c----w- c:\windows\system32\dllcache\sysmain.sdb
2010-06-02 03:38:57 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-06-02 03:38:57 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-06-02 03:38:52 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-06-02 03:33:45 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-06-02 03:33:30 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx
2010-06-02 03:32:57 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2010-06-02 03:29:47 512000 -c----w- c:\windows\system32\dllcache\jscript.dll
2010-06-02 03:25:25 177664 -c----w- c:\windows\system32\dllcache\wintrust.dll
2010-06-02 03:25:01 86016 -c----w- c:\windows\system32\dllcache\cabview.dll
2010-06-02 03:23:12 0 d-----w- c:\program files\ESET
2010-06-02 03:09:34 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-06-02 03:09:33 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-06-02 03:09:19 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-06-02 03:03:26 100736 ----a-w- c:\windows\system32\drivers\ewusbdev.sys
2010-06-02 03:03:12 0 d-----w- c:\program files\Celcom Broadband Manager
2010-05-26 05:03:14 0 d-----w- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2010-05-26 05:03:14 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-26 05:03:07 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-20 04:33:42 5632 --sha-w- c:\documents and settings\user\Thumbs.db
2010-05-20 03:55:11 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes
2010-05-20 03:55:09 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-20 03:55:07 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-20 03:55:06 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-20 03:55:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-15 14:15:10 0 ----a-w- c:\documents and settings\user\Desktop.ini
2010-05-11 13:41:28 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2010-05-11 13:41:28 114432 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2010-05-11 13:41:28 102912 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys

==================== Find3M ====================

2010-03-23 14:05:03 21640 ----a-w- c:\windows\system32\emptyregdb.dat

============= FINISH: 12:39:34.17 ===============




#13 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,475 posts
  • Gender:Male
  • Location:US
  • Local time:06:58 PM

Posted 10 June 2010 - 12:03 AM

Hello.

Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.


Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double click on renamed.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade


In your next reply, please include the following:
ComboFix log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#14 ezooone

ezooone
  • Topic Starter

  • Members
  • 253 posts
  • Gender:Male
  • Location:Penang, Malaysia
  • Local time:07:58 AM

Posted 10 June 2010 - 10:14 PM

Hi Blade..this is the log..

ComboFix 10-06-10.03 - user 06/11/2010 10:50:06.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1980.1395 [GMT 8:00]
Running from: c:\documents and settings\user\Desktop\renamed.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\{5F229C11-5039-40E4-8537-6950BB1C9ECC}
C:\autorun.inf
c:\documents and settings\user\Templates\cache
c:\documents and settings\user\Templates\cache\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\desktop.ini
c:\documents and settings\user\Templates\cache\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\NF2.exe
c:\documents and settings\user\Templates\cache\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\rcmd.ini
c:\documents and settings\user\Templates\cache\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\RemoteINF.exe
c:\documents and settings\user\Templates\cache\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\temp.db
c:\documents and settings\user\Templates\cache\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\tmp.db
c:\documents and settings\user\Templates\cache\desktop.ini
d:\$recycle.bin\{5F229C11-5039-40E4-8537-6950BB1C9ECC}
D:\autorun.inf

c:\windows\system32\midimap.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-05-11 to 2010-06-11 )))))))))))))))))))))))))))))))
.

2010-06-02 04:12 . 2007-07-27 15:11 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2010-06-02 03:45 . 2009-10-13 10:30 270336 -c----w- c:\windows\system32\dllcache\oakley.dll
2010-06-02 03:45 . 2009-11-27 16:07 8704 -c----w- c:\windows\system32\dllcache\tsbyuv.dll
2010-06-02 03:45 . 2009-11-27 16:07 28672 -c----w- c:\windows\system32\dllcache\msvidc32.dll
2010-06-02 03:45 . 2009-11-27 16:07 84992 -c----w- c:\windows\system32\dllcache\avifil32.dll
2010-06-02 03:45 . 2009-11-27 16:07 48128 -c----w- c:\windows\system32\dllcache\iyuv_32.dll
2010-06-02 03:45 . 2009-11-27 16:07 11264 -c----w- c:\windows\system32\dllcache\msrle32.dll
2010-06-02 03:44 . 2010-01-29 15:01 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2010-06-02 03:44 . 2009-12-16 18:43 343040 -c----w- c:\windows\system32\dllcache\mspaint.exe
2010-06-02 03:44 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2010-06-02 03:44 . 2009-09-11 14:13 136704 -c----w- c:\windows\system32\dllcache\msv1_0.dll
2010-06-02 03:44 . 2009-06-25 08:41 56832 -c----w- c:\windows\system32\dllcache\secur32.dll
2010-06-02 03:44 . 2009-06-25 08:41 54272 -c----w- c:\windows\system32\dllcache\wdigest.dll
2010-06-02 03:44 . 2009-06-25 08:41 147456 -c----w- c:\windows\system32\dllcache\schannel.dll
2010-06-02 03:44 . 2009-06-25 08:41 301568 -c----w- c:\windows\system32\dllcache\kerberos.dll
2010-06-02 03:44 . 2009-06-24 10:28 92928 -c----w- c:\windows\system32\dllcache\ksecdd.sys
2010-06-02 03:43 . 2009-12-31 16:50 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2010-06-02 03:43 . 2010-02-16 14:08 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-06-02 03:43 . 2010-02-16 13:25 2066816 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-06-02 03:43 . 2010-02-16 13:25 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-06-02 03:42 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-06-02 03:41 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-06-02 03:38 . 2009-10-15 16:39 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-06-02 03:38 . 2009-10-15 16:39 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-06-02 03:38 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-06-02 03:33 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-06-02 03:32 . 2009-07-31 04:35 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2010-06-02 03:29 . 2009-08-13 15:16 512000 -c----w- c:\windows\system32\dllcache\jscript.dll
2010-06-02 03:25 . 2009-12-24 06:59 177664 -c----w- c:\windows\system32\dllcache\wintrust.dll
2010-06-02 03:25 . 2010-01-13 14:01 86016 -c----w- c:\windows\system32\dllcache\cabview.dll
2010-06-02 03:23 . 2010-06-02 03:23 -------- d-----w- c:\program files\ESET
2010-06-02 03:09 . 2009-08-06 11:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-06-02 03:03 . 2009-10-12 07:21 100736 ----a-w- c:\windows\system32\drivers\ewusbdev.sys
2010-06-02 03:03 . 2010-06-02 03:08 -------- d-----w- c:\program files\Celcom Broadband Manager
2010-05-26 05:03 . 2010-05-26 05:04 63488 ----a-w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-26 05:03 . 2010-05-26 05:03 52224 ----a-w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-26 05:03 . 2010-05-26 05:04 117760 ----a-w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-26 05:03 . 2010-05-26 05:03 -------- d-----w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2010-05-26 05:03 . 2010-05-26 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-26 05:03 . 2010-05-26 05:03 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-20 04:24 . 2010-05-20 04:24 -------- d-----w- c:\program files\Alwil Software
2010-05-20 03:55 . 2010-05-20 03:55 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2010-05-20 03:55 . 2009-01-14 08:11 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-20 03:55 . 2009-01-14 08:11 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-20 03:55 . 2010-05-20 03:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-20 03:55 . 2010-05-20 03:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-11 02:43 . 2010-03-23 14:04 -------- d-----w- c:\program files\WinFlip
2010-06-08 10:02 . 2010-05-02 12:49 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-02 04:15 . 2010-03-23 14:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-11 13:41 . 2010-03-22 20:18 -------- d-----w- c:\program files\Mobile Partner
2010-04-22 04:42 . 2010-03-25 11:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-22 04:38 . 2010-04-22 04:38 1924976 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-04-22 04:21 . 2010-04-22 04:21 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-22 04:16 . 2010-03-27 17:14 -------- d-----w- c:\documents and settings\user\Application Data\CBS Interactive
2010-03-27 06:51 . 2010-03-23 14:07 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-03-23 14:35 . 2010-03-23 14:21 68848 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-23 14:19 . 2010-03-23 14:19 0 ----a-w- c:\windows\nsreg.dat
2010-03-23 14:05 . 2010-03-23 14:05 21640 ----a-w- c:\windows\system32\emptyregdb.dat
.

------- Sigcheck -------

[-] 2009-07-16 . 3D1ABDC3009D6B7CA7F9E66769C126CA . 568832 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2009-07-16 . EA032FC150B9C6276C98EB3DED3B75C6 . 652800 . . [5.82] . . c:\windows\system32\comctl32.dll

[-] 2009-07-16 . 8C578971B2F1A27B961A99CE5D2EFD7D . 3378176 . . [6.00.2900.5803] . . c:\windows\system32\mshtml.dll

[-] 2009-07-16 . 99C1ACB1B8F0F2CECC56515E502B5120 . 575488 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll

[-] 2009-07-16 . CC2883E0A1EBBBAAE185D811720C66B3 . 757248 . . [6.00.2900.5803] . . c:\windows\system32\wininet.dll

[-] 2009-07-16 . E382F43EEAB770932F2727B65BD888B4 . 1723904 . . [6.00.2900.5512] . . c:\windows\explorer.exe

[-] 2009-07-16 . CBF5945651C96E471B3A004BBDC36864 . 37376 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UberIcon"="c:\program files\UberIcon\UberIcon Manager.exe" [2007-08-17 159744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-25 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-25 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-25 136192]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"WINFLIP"="c:\program files\WinFlip\WinFlip.exe" [2008-05-21 483328]
"VisualTooltip"="c:\program files\Utilities\VisualTooltip\VisualToolTip.exe" [2007-04-25 956928]
"DriveSpace"="c:\program files\Drive Space Indicator\DrvSpace.exe" [2009-04-18 417761]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 110592]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-01-14 399504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"UberIcon"="c:\program files\UberIcon\UberIcon Manager.exe" [2007-08-17 159744]

c:\documents and settings\user\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-27 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoShellSearchButto"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/18/2010 2:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/11/2010 2:41 AM 67656]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/20/2010 11:55 AM 170640]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [5/11/2010 9:41 PM 114432]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [6/2/2010 11:03 AM 100736]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/20/2010 11:55 AM 15504]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 PM 227232]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: {3FD77C3D-775C-45ED-8DB2-44DB52584C55} = 203.82.64.145 203.82.64.129
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\bdlsfim7.default\
FF - prefs.js: browser.startup.homepage - hxxp://start.bramjnet.com/vb/
FF - prefs.js: network.proxy.ftp - :8181
FF - prefs.js: network.proxy.gopher - :8181
FF - prefs.js: network.proxy.http - :8181
FF - prefs.js: network.proxy.socks - :8181
FF - prefs.js: network.proxy.ssl - :8181
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-11 10:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
@=""
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
@=""
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
@=""
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\SETUPAPI.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\COMRes.dll
c:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(940)
c:\windows\system32\wdigest.dll
c:\windows\system32\setupapi.dll
.
Completion time: 2010-06-11 10:53:16
ComboFix-quarantined-files.txt 2010-06-11 02:53

Pre-Run: 94,428,663,808 bytes free
Post-Run: 94,485,004,288 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /NOEXECUTE=OPTIN /FASTDETECT

- - End Of File - - 81808DF858D022E56D3567D35EC50156


#15 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,475 posts
  • Gender:Male
  • Location:US
  • Local time:06:58 PM

Posted 12 June 2010 - 10:39 AM

Hello

We need to check some system files.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link--> Virustotal

When the VirusTotal page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

c:\windows\system32\winlogon.exe
c:\windows\system32\ctfmon.exe
c:\windows\system32\comctl32.dll

Please post back the URL of the results page for each file in your next post.

If VirusTotal is busy, try the same at Jotti

***************************************************

1. Open notepad and copy/paste the text in the codebox below into it:

CODE
RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]


Save this as CFScript.txt, in the same location as ComboFix.exe

2. Close any open browsers.

3. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

~Blade


In your next reply, please include the following:
VirusTotal results (3)
ComboFix log
How is the computer running now?

Edited by Blade Zephon, 12 June 2010 - 10:40 AM.


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
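As an added example (not part of this thread, and not code from ComboFix or BleepingComputer), a small Python triage script that parses the two ComboFix log sections Blade acts on in #15: the Sigcheck entries marked [-] that he asks to have scanned at VirusTotal, and the locked registry keys that his RegLock:: CFScript targets. The log excerpt is constructed from the lines of the log posted in #14, and the section layout (decorated headers such as "------- Sigcheck -------") is assumed to be what ComboFix writes, as seen in that log.

```python
import re
from typing import Dict, List, Tuple

# Constructed, shortened excerpt of the ComboFix log posted in #14.
SAMPLE_LOG = r"""
------- Sigcheck -------

[-] 2009-07-16 . 3D1ABDC3009D6B7CA7F9E66769C126CA . 568832 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2009-07-16 . EA032FC150B9C6276C98EB3DED3B75C6 . 652800 . . [5.82] . . c:\windows\system32\comctl32.dll
[-] 2009-07-16 . CBF5945651C96E471B3A004BBDC36864 . 37376 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
.
((((((((((((((((( Reg Loading Points )))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINFLIP"="c:\program files\WinFlip\WinFlip.exe" [2008-05-21 483328]
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
"""

# Assumed layout: a section header is a name framed by 3+ dashes or parentheses.
SECTION_RE = re.compile(r"^[-(]{3,}\s*(?P<name>.+?)\s*[-)]{3,}$")
# Sigcheck line: [flag] date . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>.)\] \S+ \. (?P<md5>[0-9A-Fa-f]{32}) \. \d+ \. \. "
    r"\[(?P<version>[^\]]*)\] \. \. (?P<path>.+)$")
REGKEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")


def split_sections(log: str) -> Dict[str, List[str]]:
    """Group each line under the decorated section header that precedes it."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for line in log.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group("name")
        sections.setdefault(current, []).append(line.strip())
    return sections


def failed_sigchecks(log: str) -> List[Tuple[str, str, str]]:
    """(path, md5, version) for entries ComboFix marked [-] (signature check
    failed): the system files a helper asks to have checked at VirusTotal."""
    found = []
    for line in split_sections(log).get("Sigcheck", []):
        m = SIGCHECK_RE.match(line)
        if m and m.group("flag") == "-":
            found.append((m.group("path"), m.group("md5").upper(), m.group("version")))
    return found


def locked_keys(log: str) -> List[str]:
    """Keys listed under LOCKED REGISTRY KEYS only; keys in other sections are ignored."""
    lines = split_sections(log).get("LOCKED REGISTRY KEYS", [])
    return [m.group("key") for m in map(REGKEY_RE.match, lines) if m]


def build_reglock_script(log: str) -> str:
    """Emit a RegLock:: block in the CFScript form used in #15 (empty if no keys)."""
    keys = locked_keys(log)
    if not keys:
        return ""
    return "RegLock::\n" + "\n".join(f"[{k}]" for k in keys) + "\n"
```

Running build_reglock_script(SAMPLE_LOG) reproduces the three-key RegLock:: block Blade posted, and failed_sigchecks(SAMPLE_LOG) lists the three files he asked to have scanned together with the MD5s ComboFix recorded for them.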




