Post #1, Jun 16 2008, 03:58 AM
Member, Group: Members, Posts: 36, Joined: 24-May 07, Member No.: 132,636
I ran hijackthis and found this.

O23 - Service: UBEGT - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\UBEGT.exe (file missing)

I posted a log at Castlecops, but when I went to check back the next day I could not access their site at all. Any other web site was fine, just not Castlecops. I guess that their site might be temporarily down but I am worried that I am being blocked by malware. I will post the log here to see if someone can help.

In an attempt to rid myself of the malware, I checked it (to remove) on hijackthis, then I restored to a previous restore point. I will post both logs here, the first one is when I found the entry, before I had done anything, and the second is my current status. I am currently running AVG 7.5 and AVG antispyware, superantispyware, spybot 1.5. AVG anti rootkit and rootkit revealer all find nothing. If I don't check back tomorrow then I have been blocked here too.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:17:00 PM, on 6/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\dlbtcoms.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1210917758994
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: UBEGT - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\UBEGT.exe (file missing)

--
End of file - 5383 bytes

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:26:27 PM, on 6/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1210917758994
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1693CC5-A61B-4DA5-966C-0A7CD92CA83E}: NameServer = 203.8.183.1 192.189.54.33
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

--
End of file - 5538 bytes
Post #2, Jun 18 2008, 03:42 PM
Forum Addict, Group: HJT Team, Posts: 1,029, Joined: 14-February 08, Member No.: 190,186
Hi

Both logs are clean. Yes, that was most likely a malware entry, but there is no way of knowing what it was, as the file was gone and nothing was being run ...

You can run the following scans & see if they find anything, but I doubt it.

I've locked your thread at Castlecops, thanks for telling us about it. Many of us post on several forums & it wastes time if your problem is being looked at on more than one forum. At any given time over 400 posters are waiting for their first reply to a question in THIS forum alone; it is similar on other forums, there are just not enough helpers to go around.
http://www.castlecops.com/p1098929-Mystery...this_enrty.html

Please run a Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner
Click on Kaspersky Online Scanner
Click Accept
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

THEN ...

Please Download Malwarebytes' Anti-Malware from Here :- http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
or here :- http://www.besttechie.net/tools/mbam-setup.exe
Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please follow these directions to run Combofix & post a log.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
--------------------
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E
If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
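The reasoning in the reply above (an O23 service with no recorded owner, a binary under a user's Temp directory, and "(file missing)", so nothing is actually running) can be applied mechanically to HijackThis v2 logs. The script below is an added example, not code from the thread or from HijackThis; it parses entry lines, flags O23 services on those three criteria, and diffs two scans of the same machine to show what changed between them. The embedded log excerpts are constructed from a few of the entries in post #1, not the full logs.

```python
"""Triage HijackThis v2 log lines: flag risky O23 services and diff two scans."""
import re
from dataclasses import dataclass

# Constructed excerpts modelled on the two logs in post #1 (not the full logs).
LOG_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: UBEGT - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\UBEGT.exe (file missing)
"""
LOG_AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1693CC5-A61B-4DA5-966C-0A7CD92CA83E}: NameServer = 203.8.183.1 192.189.54.33
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
"""

# HJT entry lines start with a section code (R0-R3, F0-F3, N1-N4, O1-O24) and " - ".
ENTRY_RE = re.compile(r"^(?P<type>[RFNO]\d{1,2}) - (?P<body>.*)$")
# O23 body: "Service: <name> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# Any path component named "Temp" (covers the 8.3 form ...\LOCALS~1\Temp\... as well).
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: str
    reasons: tuple


def parse_entries(log_text):
    """Return (type, body) tuples for every entry line; headers and process list are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("type"), m.group("body")))
    return entries


def assess_service(body):
    """Reasons an O23 service entry deserves a second look (empty list = nothing odd)."""
    m = O23_RE.match(body)
    if not m:
        return ["unparsed O23 entry"]
    reasons = []
    if m.group("owner").strip().lower() == "unknown owner":
        reasons.append("no publisher recorded for the service binary")
    if TEMP_DIR_RE.search(m.group("path")):
        reasons.append("service binary lives in a Temp directory")
    if m.group("missing"):
        reasons.append("binary is gone: the service is registered but cannot run")
    return reasons


def triage(log_text):
    """Findings for every O23 entry with at least one reason."""
    findings = []
    for kind, body in parse_entries(log_text):
        if kind == "O23":
            reasons = assess_service(body)
            if reasons:
                findings.append(Finding(f"O23 - {body}", tuple(reasons)))
    return findings


def diff_logs(before, after):
    """(added, removed): entries present in only one of two scans of the same machine."""
    a, b = set(parse_entries(before)), set(parse_entries(after))
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for f in triage(LOG_BEFORE):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
    added, removed = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("added since first scan:", *(f"{k} - {b}" for k, b in added), sep="\n  ")
    print("gone since first scan:", *(f"{k} - {b}" for k, b in removed), sep="\n  ")
```

The diff is the useful part when a poster supplies two logs: here it isolates the new O17 NameServer line and the new firewall service for review, and confirms the UBEGT service disappeared after the restore.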
Post #3, Jun 19 2008, 03:09 AM
Member, Group: Members, Posts: 36, Joined: 24-May 07, Member No.: 132,636
Hi,

Thanks for the reply. I downloaded malwarebytes from both the links you left and in both cases it would not run. When I clicked on mbam-setup.exe a window would pop up with "run". I clicked on run and nothing happened.

I have been chasing my tail with this thing for a while now - http://www.bleepingcomputer.com/forums/topic148460.html. My firewall detected something trying to connect out using File and Printer Sharing. This continued even after I uninstalled File and Printer Sharing. I thought it might just be the firewall playing up so I reverted to the Windows firewall. But I think that is how the entry that I have posted here arrived, "O23 - Service: UBEGT - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\UBEGT.exe (file missing)", as it appeared soon after I changed firewalls.

So I think I will reinstall as this is all getting out of my league. I will return in a couple of days, after I reinstall, and see if I can run the scans then. I am not certain even a reinstall will get rid of this.
Post #4, Jun 19 2008, 04:11 AM
Member, Group: Members, Posts: 36, Joined: 24-May 07, Member No.: 132,636
Sorry, my mistake.

Being logged on to two user accounts seemed to be the problem with Malwarebytes not running. Here is the log. It was clear.

Malwarebytes' Anti-Malware 1.17
Database version: 869

7:03:13 PM 6/19/2008
mbam-log-6-19-2008 (19-03-13).txt

Scan type: Quick Scan
Objects scanned: 41742
Time elapsed: 4 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I will try the other scans as well before I reinstall.
Post #5, Jun 19 2008, 02:11 PM
Forum Addict, Group: HJT Team, Posts: 1,029, Joined: 14-February 08, Member No.: 190,186
Hi

QUOTE
Being logged on to two user accounts seemed to be the problem with Malwarebytes not running.

Thanks for that ... I would never have picked up on that as causing a problem... I shall get in touch with the author of the program & see what they think.

QUOTE
after I reinstall and see if I can run the scans then. I am not certain even a reinstall will get rid of this.

A format & reinstall will give you a clean start ... However, reinstalling windows over the top (dirty reinstall) will not remove any malware, just as it will not remove any of your personal files. It will repair/replace any corrupt operating system files.

Please DO run the other scans & post the logs, there may be no need to reinstall...

steam
--------------------
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E
If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
Post #6, Jun 20 2008, 12:35 AM
Member, Group: Members, Posts: 36, Joined: 24-May 07, Member No.: 132,636
Hi,

I think the reason Malwarebytes did not run initially was that the pop-up window from my firewall, asking to allow the program to run, came up in the account I was not currently using. When I went back into that account, the pop-up was still there, so I allowed it, then everything ran fine. Don't know why it did this, it has not happened before.

I will try those other scans, may take a day or two. I have done a clean install before without too many problems but I have heard that this does not always remove all malware. If it does, then the most likely method of this infection was the disk that I backed up my security and utilities software on (I had autoplay disabled when I made and installed the disk). Is there a program that you could recommend for scanning a CD Rom for malware? AVG and Superantispyware found nothing.

Thanks.
Post #7, Jun 20 2008, 03:30 AM
Forum Addict, Group: HJT Team, Posts: 1,029, Joined: 14-February 08, Member No.: 190,186
Hi

Once again, thanks for the extra info about malwarebytes.

The Kaspersky Online Scan will scan any disc in the CD drive, as long as it is selected under "select a target to scan": choose "my computer" & it will scan all drives ...

steam
--------------------
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E
If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
Post #8, Jun 21 2008, 06:15 AM
Member, Group: Members, Posts: 36, Joined: 24-May 07, Member No.: 132,636
Hi,
I installed Java 6.3 so that I could use the Kaspersky scan but the scan didn't start. So I updated Java, the download went fine until it started to install. While the Java update was installing someting was downloading to my computer 6 to 8 times faster than I have ever seen anything download to my computer before. I have a slow dialup connection. It was very weird so I disconnected from the net and did a system restore back to before the Java installation. Then I ran Combofix, here is the log. ComboFix 08-06-16.5 - Simon 2008-06-21 19:22:29.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.105 [GMT 10:00] Running from: C:\Documents and Settings\Simon\Desktop\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((( Files Created from 2008-05-21 to 2008-06-21 ))))))))))))))))))))))))))))))) . 2008-06-21 18:10 . 2008-06-21 18:11 <DIR> d-------- C:\Program Files\Java 2008-06-21 18:10 . 2008-06-21 18:10 <DIR> d-------- C:\Program Files\Common Files\Java 2008-06-20 19:46 . 1998-01-09 00:00 1,048,576 --------- C:\WINDOWS\system32\SFMAN.DAT 2008-06-20 19:45 . 2000-12-06 00:11 4,174,814 --a------ C:\WINDOWS\system32\CT4MGM.SF2 2008-06-20 19:45 . 1999-09-23 06:18 2,167,684 -ra------ C:\WINDOWS\system32\ct2mgm.sf2 2008-06-20 19:45 . 2000-02-25 11:49 1,048,576 --a------ C:\WINDOWS\system32\CT1MGM.ROM 2008-06-20 19:45 . 2002-01-03 14:44 59 --a------ C:\WINDOWS\system32\DEFAULT8.SFM 2008-06-20 19:45 . 2002-01-03 14:44 59 --a------ C:\WINDOWS\system32\DEFAULT4.SFM 2008-06-20 19:45 . 2002-01-03 14:44 59 --a------ C:\WINDOWS\system32\DEFAULT.SFM 2008-06-20 19:43 . 2008-06-21 16:50 <DIR> d-------- C:\Program Files\Creative 2008-06-20 19:29 . 2008-06-20 19:29 <DIR> d-------- C:\Documents and Settings\Guest.BART-67DO4UECYT\Application Data\Media Player Classic 2008-06-19 18:45 . 2008-06-19 18:45 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-06-19 18:45 . 
2008-06-19 18:45 <DIR> d-------- C:\Documents and Settings\Simon\Application Data\Malwarebytes 2008-06-19 18:45 . 2008-06-19 18:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-06-19 18:45 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys 2008-06-19 18:45 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-06-19 16:44 . 2008-06-19 16:44 <DIR> d-------- C:\Documents and Settings\Guest.BART-67DO4UECYT\Application Data\SiteAdvisor 2008-06-19 16:44 . 2008-06-21 16:50 <DIR> d-------- C:\Documents and Settings\Guest.BART-67DO4UECYT\Application Data\AVG7 2008-06-19 16:43 . 2008-06-21 18:59 <DIR> d-------- C:\Documents and Settings\Guest.BART-67DO4UECYT 2008-06-18 18:31 . 2008-06-18 18:31 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\SiteAdvisor 2008-06-18 18:31 . 2008-06-19 16:21 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\AVG7 2008-06-18 18:25 . 2008-06-19 16:21 <DIR> d---s---- C:\Documents and Settings\Guest 2008-06-18 16:20 . 2008-06-18 16:20 <DIR> d-------- C:\Documents and Settings\Simon\Application Data\Media Player Classic 2008-06-18 16:18 . 2008-06-18 16:18 <DIR> d-------- C:\Program Files\K-Lite Codec Pack 2008-06-18 16:09 . 2008-04-14 04:45 26,368 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys 2008-06-11 16:21 . 2008-06-13 21:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys 2008-06-11 16:18 . 2008-05-09 00:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys 2008-06-05 10:20 . 2008-06-16 16:55 <DIR> d-------- C:\Program Files\Common Files\Adobe 2008-05-28 16:57 . 2008-06-16 16:55 <DIR> d-------- C:\Program Files\a-squared Anti-Malware 2008-05-28 14:33 . 2008-06-21 18:59 <DIR> d-------- C:\Documents and Settings\Administrator 2008-05-26 16:28 . 2008-05-26 16:28 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com 2008-05-26 15:38 . 
2008-06-21 16:58 <DIR> d-------- C:\hjt 2008-05-25 18:15 . 2008-05-25 18:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2008-05-25 18:14 . 2008-05-25 18:14 <DIR> d-------- C:\Program Files\SUPERAntiSpyware 2008-05-25 18:14 . 2008-05-25 18:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2008-05-25 18:14 . 2008-05-25 18:14 <DIR> d-------- C:\Documents and Settings\Simon\Application Data\SUPERAntiSpyware.com 2008-05-23 16:25 . 2008-06-14 18:09 <DIR> d-------- C:\aaa 2008-05-22 18:21 . 2008-05-27 20:19 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor 2008-05-22 12:05 . 2008-05-22 18:31 445 --a------ C:\WINDOWS\dellstat.ini 2008-05-22 12:03 . 2008-05-22 12:04 <DIR> d-------- C:\Program Files\Dell Photo AIO Printer 922 2008-05-22 12:03 . 2003-10-08 01:56 983,101 --a------ C:\WINDOWS\system32\dlbtgf.dll 2008-05-22 12:03 . 2004-06-15 01:09 401,408 --a------ C:\WINDOWS\system32\dlbtutil.dll 2008-05-22 11:58 . 2008-04-14 04:45 59,520 --a------ C:\WINDOWS\system32\drivers\usbhub.sys 2008-05-22 11:58 . 2008-04-14 04:45 59,520 --a--c--- C:\WINDOWS\system32\dllcache\usbhub.sys 2008-05-22 11:21 . 2008-06-16 19:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2008-05-22 10:09 . 2008-05-22 10:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SiteAdvisor 2008-05-21 15:40 . 2008-05-22 18:21 <DIR> d-------- C:\Program Files\SiteAdvisor . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2008-06-20 09:48 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-06-19 08:38 2,240 ----a-w C:\WINDOWS\system32\drivers\fwdrv.err 2008-06-18 05:51 --------- d-----w C:\Documents and Settings\Simon\Application Data\AVG7 2008-06-16 09:15 --------- d-----w C:\Program Files\SpywareBlaster 2008-06-16 06:55 --------- d-----w C:\Program Files\Spybot - Search & Destroy 2008-06-16 06:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys 2008-05-30 05:33 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7 2008-05-22 01:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7 2008-05-21 05:40 --------- d-----w C:\Documents and Settings\Simon\Application Data\SiteAdvisor 2008-05-21 05:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee 2008-05-18 08:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft 2008-05-18 03:17 --------- d-----w C:\Program Files\Sunbelt Software 2008-05-18 03:15 --------- d-----w C:\Program Files\PhotoFiltre 2008-05-18 03:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor 2008-05-18 03:14 --------- d-----w C:\Program Files\Trend Micro 2008-05-18 03:14 --------- d-----w C:\Program Files\CleanUp! 
2008-05-18 03:10 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll 2008-05-18 03:10 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll 2008-05-18 03:10 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7 2008-05-16 05:44 --------- d-----w C:\Program Files\CONEXANT 2008-05-16 05:42 --------- d-----w C:\Program Files\Intel 2008-05-16 05:40 --------- d-----w C:\Program Files\Common Files\InstallShield 2008-05-15 09:24 --------- d-----w C:\Program Files\microsoft frontpage 2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys 2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll 2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll 2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin 2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe 2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll 2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll 2008-04-14 00:13 299,520 ----a-w C:\WINDOWS\system32\drmclien.dll 2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll 2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll 2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll 2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll 2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll 2008-04-13 21:00 103,424 ----a-w C:\WINDOWS\system32\dpcdll.dll 2008-04-13 19:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll 2008-04-13 19:42 11,264 ------w C:\WINDOWS\system32\spnpinst.exe 2008-04-13 19:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll 2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys 2008-04-13 19:27 2,188,928 ----a-w C:\WINDOWS\system32\ntoskrnl.exe 2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys 2008-04-13 18:35 24,064 ----a-w C:\WINDOWS\system32\pidgen.dll 2008-04-13 18:31 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll 2008-04-13 18:31 2,065,792 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe 2008-04-13 
18:30 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll 2008-04-13 18:14 76,800 ------w C:\WINDOWS\system32\msshavmsg.dll 2008-04-13 17:39 438,784 ------w C:\WINDOWS\system32\xpob2res.dll 2008-04-13 17:39 2,897,920 ------w C:\WINDOWS\system32\xpsp2res.dll 2008-04-13 17:39 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll 2008-04-13 17:37 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll 2008-04-13 17:37 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll 2008-04-13 17:28 2,940,928 ----a-w C:\WINDOWS\system32\wmploc.dll 2008-04-13 17:27 79,872 ------w C:\WINDOWS\system32\msxml6r.dll 2008-04-13 17:26 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll 2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll 2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll 2008-04-13 17:24 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll 2008-04-13 17:23 8,192 ----a-w C:\WINDOWS\system32\asferror.dll 2008-04-13 17:23 168,448 ------w C:\WINDOWS\system32\wmerror.dll 2008-04-13 17:21 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll 2008-04-13 17:09 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll 2008-04-13 17:03 63,488 ----a-w C:\WINDOWS\system32\browselc.dll 2008-04-13 17:03 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll 2008-04-13 16:48 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll 2008-04-13 16:45 216,064 ----a-w C:\WINDOWS\system32\moricons.dll 2008-04-13 16:23 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll 2008-04-13 16:22 48,128 ----a-w C:\WINDOWS\system32\inetres.dll 2008-04-13 15:39 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 10:12 15360] "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-05-18 16:03 579584] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2008-05-18 16:27 6731312] "Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-06-19 01:30 290816] "SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [2007-03-31 01:42 36904] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-05-18 13:55 219136] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.YV12"= yv12vfw.dll [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"= "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"= "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"= "C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"= "C:\\Program Files\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe"= 
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 10:21]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-04-26 10:21]
S2 SPF4;Sunbelt Personal Firewall 4;"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe" [2007-04-26 10:21]
*Newly Created Service* - CATCHME
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-21 19:27:18
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-06-21 19:29:11
ComboFix-quarantined-files.txt 2008-06-21 09:29:03
Pre-Run: 35,059,032,064 bytes free
Post-Run: 35,109,244,928 bytes free
182

After Combofix I ran Rootkit Revealer and the log came back like this.

HKU\.DEFAULT\Control Panel\International 6/21/2008 7:29 PM 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 6/21/2008 7:29 PM 0 bytes Security mismatch.
HKU\S-1-5-21-1417001333-789336058-839522115-1004\Control Panel\International 6/21/2008 7:29 PM 0 bytes Security mismatch.
HKU\S-1-5-21-1417001333-789336058-839522115-1004\Control Panel\International\Geo 6/21/2008 7:29 PM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International 6/21/2008 7:29 PM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 6/21/2008 7:29 PM 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 5/15/2008 7:37 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 5/15/2008 7:37 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed 6/21/2008 7:33 PM 4 bytes Data mismatch between Windows API and raw hive data.

I don't really know, but it didn't look good. Also, somewhere during all this an extra Internet Explorer icon has appeared on my desktop.
Post #9, Jun 21 2008, 02:33 PM
Forum Addict, Group: HJT Team, Posts: 1,029, Joined: 14-February 08, Member No.: 190,186
Hi
QUOTE: Also somewhere during all this an extra Internet Explorer icon has appeared on my desktop.

That will be Combofix restoring defaults; it may also have made IE the default browser (if it wasn't already).

QUOTE: While the Java update was installing something was downloading to my computer 6 to 8 times faster than I have ever seen anything download to my computer before. I have a slow dialup connection. It was very weird so I disconnected from the net and did a system restore back to before the Java installation.

So you panicked. As all you were doing was installing Java at the time, like you I've no idea what was actually happening there ... but I doubt it was malware ... a similar thing happened to me several years ago when I was on dial-up. I was using proxy servers at the time, and because they are not reliable enough to stay online, I was using a program which would automatically use the fastest proxy. I had a 56k modem which would normally download at well under 56k, when one day suddenly one of the servers started downloading at several hundred... I never found any malware, never had any problems, & it never happened again. It's always been a puzzle.

The Rootkit Revealer log is clean ... they are all "false positives"! Take a look here: http://forum.sysinternals.com/forum_posts.asp?TID=8882

The same goes for all the entries in the Rootkit Revealer log. You won't be able to see the HKLM\SECURITY\Policy keys in Regedit; this is by design, for your safety. I could give you a way to see them, but it wouldn't achieve anything, & if you made any changes, you may not be able to boot into Windows again. By the way, it's only the latest version of Rootkit Revealer which shows those keys; they were always there, but earlier versions didn't scan that section of the registry.

The Combofix log is clean as well.

It's a pity about KASPERSKY; it does a good deep scan & may have shown something, but somehow I doubt it ...
steam
--------------------
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E
If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
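A small triage script, added here as an example (it is not from the thread, from BleepingComputer or from Sysinternals), that parses RootkitRevealer lines in the format quoted above and marks the three discrepancy types steam calls false positives as expected, leaving anything else for a human to look at. The sample lines are constructed; the driver entry with "Hidden from Windows API." is invented to show a record that must not be waved through.

```python
import re

# Constructed RootkitRevealer-style output in the format quoted in this thread;
# the last line is invented to show a discrepancy that must not be waved through.
SAMPLE_LOG = r"""
HKU\.DEFAULT\Control Panel\International 6/21/2008 7:29 PM 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 5/15/2008 7:37 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed 6/21/2008 7:33 PM 4 bytes Data mismatch between Windows API and raw hive data.
C:\WINDOWS\system32\drivers\example.sys 6/21/2008 7:30 PM 12,288 bytes Hidden from Windows API.
"""

# One record per line: <path> <m/d/yyyy> <h:mm AM|PM> <size> bytes <description>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+\d{1,2}/\d{1,2}/\d{4}\s+\d{1,2}:\d{2} [AP]M"
    r"\s+(?P<size>[\d,]+) bytes\s+(?P<desc>.+)$"
)

# (path fragment, description prefix, reason) for the discrepancy types the helper
# in this thread calls false positives on a clean XP box. Anything else goes to a human.
KNOWN_BENIGN = [
    (r"\Control Panel\International", "Security mismatch", "locale keys; see sysinternals forum thread TID=8882"),
    (r"HKLM\SECURITY\Policy\Secrets", "Key name contains embedded nulls", "LSA secrets; hidden from Regedit by design"),
    (r"\Prefetcher\TracesProcessed", "Data mismatch between Windows API and raw hive data",
     "prefetcher counter that changes during the scan (assumed explanation)"),
]

def parse_line(line):
    """Return (path, size_in_bytes, description) or None for non-record lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("path"), int(m.group("size").replace(",", "")), m.group("desc")

def triage(log_text):
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue          # headers, blank lines, anything not in record format
        path, size, desc = parsed
        verdict, reason = "review", "discrepancy type not on the known-benign list for this path"
        for fragment, desc_prefix, why in KNOWN_BENIGN:
            if fragment.lower() in path.lower() and desc.startswith(desc_prefix):
                verdict, reason = "expected", why
                break
        findings.append({"path": path, "size": size, "desc": desc,
                         "verdict": verdict, "reason": reason})
    return findings

def needs_review(log_text):
    return [f for f in triage(log_text) if f["verdict"] == "review"]
```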
Post #10, Jun 22 2008, 12:33 AM
Member, Group: Members, Posts: 36, Joined: 24-May 07, Member No.: 132,636
Hi,
Thanks for the help, and yes, I did panic. It's just that there seemed to be so many funny little things going on. At some point I will download the latest Java and install it offline and then try the Kaspersky scan one more time. Thanks again for the help.
Post #11, Jun 22 2008, 04:07 PM
Forum Addict, Group: HJT Team, Posts: 1,029, Joined: 14-February 08, Member No.: 190,186
You're very welcome
steam
Post #12, Jul 24 2008, 04:33 PM
Forum Addict, Group: HJT Team, Posts: 1,029, Joined: 14-February 08, Member No.: 190,186
Due to lack of feedback, this thread is now treated as resolved and duly closed.
If the original poster would like it re-opened, please send me a PM with a link to this thread.
cheers
steam