BleepingComputer.com: i think i have a hacker or virus!! please help

Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 6 Pages +
  • 1
  • 2
  • 3
  • Last »
  • You cannot start a new topic
  • This topic is locked

i think i have a hacker or virus!! please help

#1 User is offline   kshoney44 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 43
  • Joined: 28-December 09

Posted 01 January 2010 - 04:54 AM

first time here..... i've been having a ton of problems and i think maybe someone is accessing my computer.here is a few of MANY problems....slow, crashing, freezing, visual c++ errors, many different antivirus progams not updating or starting or they close mid scan. someone recommended doing a hijack this scan so here it is!! any help you can offer would be greatly appreciated!! i'm ripping my hair out and about to throw my computer out the window!! Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:24:53 AM, on 1/1/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
c:Program FilesMicrosoft Security EssentialsMsMpEng.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSExplorer.EXE
C:WINDOWSSystem32hkcmd.exe
C:PROGRA~1SBCSEL~1SMARTB~1MotiveSB.exe
C:Program FilesJavajre1.6.0_06binjusched.exe
C:WINDOWSsystem32ctfmon.exe
C:WINDOWSsystem32rundll32.exe
C:Program FilesMicrosoft Security Essentialsmsseces.exe
c:PROGRA~1COMMON~1MICROS~1DWDW20.EXE
C:WINDOWSsystem32rundll32.exe
C:Program FilesInternet ExplorerIEXPLORE.EXE
C:WINDOWSsystem32rundll32.exe
C:Program FilesInternet ExplorerIEXPLORE.EXE
C:WINDOWSpchealthhelpctrbinarieshelpctr.exe
C:WINDOWSPCHealthHelpCtrBinariesHelpSvc.exe
C:Documents and SettingsOwnerDesktopHiJackThis2HijackThis.exe
C:WINDOWSsystem32spider.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = about:blank
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:Program FilesYahoo!CompanionInstallscpnyt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:Program FilesYahoo!CompanionInstallscpnyt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:Program FilesJavajre1.6.0_06binssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:Program FilesYahoo!CompanionInstallscpnYTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:Program FilesYahoo!CompanionInstallscpnyt.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM..Run: [IgfxTray] C:WINDOWSSystem32igfxtray.exe
O4 - HKLM..Run: [HotKeysCmds] C:WINDOWSSystem32hkcmd.exe
O4 - HKLM..Run: [Motive SmartBridge] C:PROGRA~1SBCSEL~1SMARTB~1MotiveSB.exe
O4 - HKLM..Run: [SunJavaUpdateSched] "C:Program FilesJavajre1.6.0_06binjusched.exe"
O4 - HKLM..Run: [MSSE] "c:Program FilesMicrosoft Security Essentialsmsseces.exe" -hide
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_06binssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_06binssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe (file missing)
O15 - Trusted Zone: *.att.net
O15 - Trusted Zone: http://*.att.net
O15 - Trusted Zone: www.ebay.com
O15 - Trusted Zone: http://*.mcafee.com
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} -
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1211409827093
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:Program FilesCommon FilesInstallShieldDriver1150Intel 32IDriverT.exe
O23 - Service: Windows Live OneCare (winss) - Unknown owner - C:Program FilesMicrosoft Windows OneCare Livewinss.exe (file missing)

--
End of file - 4756 bytes


DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 23:54:39.78 on Fri 01/01/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.126.21 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:WINDOWSsystem32svchost -k DcomLaunch
svchost.exe
c:Program FilesMicrosoft Security EssentialsMsMpEng.exe
C:WINDOWSSystem32svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:WINDOWSsystem32spoolsv.exe
svchost.exe
C:WINDOWSExplorer.EXE
C:PROGRA~1SBCSEL~1SMARTB~1MotiveSB.exe
C:Program FilesJavajre1.6.0_06binjusched.exe
C:Program FilesMicrosoft Security Essentialsmsseces.exe
C:WINDOWSsystem32ctfmon.exe
C:WINDOWSsystem32taskmgr.exe
C:Program FilesInternet Exploreriexplore.exe
C:Program FilesInternet Exploreriexplore.exe
C:Documents and SettingsOwnerDesktopdds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:program filesyahoo!companioninstallscpnyt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:program filesyahoo!companioninstallscpnyt.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:program filesjavajre1.6.0_06binssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:program filesyahoo!companioninstallscpnYTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:program filesyahoo!companioninstallscpnyt.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:windowssystem32ctfmon.exe
uRun: [SUPERAntiSpyware] c:program filessuperantispywareSUPERAntiSpyware.exe
mRun: [IgfxTray] c:windowssystem32igfxtray.exe
mRun: [HotKeysCmds] c:windowssystem32hkcmd.exe
mRun: [Motive SmartBridge] c:progra~1sbcsel~1smartb~1MotiveSB.exe
mRun: [SunJavaUpdateSched] "c:program filesjavajre1.6.0_06binjusched.exe"
mRun: [MSSE] "c:program filesmicrosoft security essentialsmsseces.exe" -hide
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%Network Diagnosticxpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:program filesmessengermsmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:program filesjavajre1.6.0_06binssv.dll
Trusted Zone: att.net
Trusted Zone: ebay.comwww
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: sbcglobal.net
Trusted Zone: yahoo.com
Trusted Zone: yahoo.compn1.adserver
DPF: DirectAnimation Java Classes - file://c:windowsjavaclassesdajava.cab
DPF: Microsoft XML Parser for Java - file://c:windowsjavaclassesxmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83}
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/swdir8d196a.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1211409827093
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:program filessuperantispywareSASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:program filessuperantispywareSASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:windowssystem32driversMpFilter.sys [2009-6-18 142832]
R1 SASKUTIL;SASKUTIL;c:program filessuperantispywareSASKUTIL.SYS [2009-11-23 74480]
R3 SASENUM;SASENUM;c:program filessuperantispywareSASENUM.SYS [2009-11-23 7408]

=============== Created Last 30 ================

2010-01-01 22:21:19 0 d-----w- c:program filescommon filesWise Installation Wizard
2010-01-01 22:10:40 0 d-----w- c:program filesMalwarebytes' Anti-Malware
2010-01-01 06:53:06 0 d-s---w- c:documents and settingsowner%USERPROFILE%
2009-12-29 13:20:24 274288 ----a-w- c:windowssystem32mucltui.dll
2009-12-29 13:20:24 215920 ----a-w- c:windowssystem32muweb.dll
2009-12-29 13:20:24 16736 ----a-w- c:windowssystem32mucltui.dll.mui
2009-12-29 09:43:37 0 d-----w- C:8d1f879bc5941325460c55907fa7
2009-12-29 09:34:09 195456 ------w- c:windowssystem32MpSigStub.exe
2009-12-29 09:28:25 0 d-----w- c:program filesMicrosoft Security Essentials
2009-12-29 05:06:31 25992 ----a-w- c:windowssystem32pgdfgsvc.exe
2009-12-29 04:55:52 8832 -c--a-w- c:windowssystem32dllcachewmiacpi.sys
2009-12-29 04:54:55 98304 -c--a-w- c:windowssystem32dllcacheverifier.exe
2009-12-29 04:53:57 149376 -c--a-w- c:windowssystem32dllcachetffsport.sys
2009-12-29 04:52:29 58368 -c--a-w- c:windowssystem32dllcachesmiminib.sys
2009-12-29 04:51:51 18400 -c--a-w- c:windowssystem32dllcachesgsmld.sys
2009-12-29 04:50:57 20992 -c--a-w- c:windowssystem32dllcachertl8139.sys
2009-12-29 04:50:57 19017 -c--a-w- c:windowssystem32dllcachertl8029.sys
2009-12-29 04:50:56 30720 -c--a-w- c:windowssystem32dllcacherthwcls.sys
2009-12-29 04:50:54 132608 -c--a-w- c:windowssystem32dllcachersvp.exe
2009-12-29 04:50:53 9216 -c--a-w- c:windowssystem32dllcachersmgrstr.dll
2009-12-29 04:50:52 3840 -c--a-w- c:windowssystem32dllcacherpfun.sys
2009-12-29 04:50:48 79104 -c--a-w- c:windowssystem32dllcacherocket.sys
2009-12-29 04:50:47 37563 -c--a-w- c:windowssystem32dllcacherlnet5.sys
2009-12-29 04:50:46 9728 -c--a-w- c:windowssystem32dllcachereset.exe
2009-12-29 04:50:46 86097 -c--a-w- c:windowssystem32dllcachereslog32.dll
2009-12-29 04:50:02 19584 -c--a-w- c:windowssystem32dllcacherasirda.sys
2009-12-29 04:50:00 899146 -c--a-w- c:windowssystem32dllcacher2mdkxga.sys
2009-12-29 04:50:00 714762 -c--a-w- c:windowssystem32dllcacher2mdmkxx.sys
2009-12-29 04:48:59 39424 -c--a-w- c:windowssystem32dllcacheovcoms.exe
2009-12-29 04:47:59 91488 -c--a-w- c:windowssystem32dllcachen9i3disp.dll
2009-12-29 04:46:56 6528 -c--a-w- c:windowssystem32dllcacheminiqic.sys
2009-12-29 04:45:55 37376 -c--a-w- c:windowssystem32dllcachekousd.dll
2009-12-29 04:45:52 253952 -c--a-w- c:windowssystem32dllcachekdsusd.dll
2009-12-29 04:45:51 48640 -c--a-w- c:windowssystem32dllcachekdsui.dll
2009-12-29 04:44:50 8192 -c--a-w- c:windowssystem32dllcachekbdkor.dll
2009-12-29 04:44:49 8704 -c--a-w- c:windowssystem32dllcachekbdjpn.dll
2009-12-29 04:44:10 14592 -c--a-w- c:windowssystem32dllcachekbdhid.sys
2009-12-29 04:44:00 6144 -c--a-w- c:windowssystem32dllcachekbd106.dll
2009-12-29 04:44:00 5632 -c--a-w- c:windowssystem32dllcachekbd103.dll
2009-12-29 04:42:52 102463 -c--a-w- c:windowssystem32dllcacheimepadsm.dll
2009-12-29 04:41:55 10129408 -c--a-w- c:windowssystem32dllcachehwxkor.dll
2009-12-29 04:40:59 322432 -c--a-w- c:windowssystem32dllcacheg400m.sys
2009-12-29 04:39:11 24618 -c--a-w- c:windowssystem32dllcachefa410nd5.sys
2009-12-29 04:39:10 16074 -c--a-w- c:windowssystem32dllcachefa312nd5.sys
2009-12-29 04:39:08 12362 -c--a-w- c:windowssystem32dllcachef3ab18xi.sys
2009-12-29 04:39:08 11850 -c--a-w- c:windowssystem32dllcachef3ab18xj.sys
2009-12-29 04:39:01 7040 -c--a-w- c:windowssystem32dllcacheexabyte2.sys
2009-12-29 04:39:01 16998 -c--a-w- c:windowssystem32dllcacheex10.sys
2009-12-29 04:37:59 334208 -c--a-w- c:windowssystem32dllcacheds1wdm.sys
2009-12-29 04:36:55 91305 -c--a-w- c:windowssystem32dllcachedimaint.sys
2009-12-29 04:35:55 49792 -c--a-w- c:windowssystem32dllcachecyzport.sys
2009-12-29 04:34:59 49182 -c--a-w- c:windowssystem32dllcachecem56n5.sys
2009-12-29 04:33:57 54271 -c--a-w- c:windowssystem32dllcachebcm42xx5.sys
2009-12-29 04:29:55 101888 -c--a-w- c:windowssystem32dllcacheadpu160m.sys
2009-12-29 04:28:59 66048 -c--a-w- c:windowssystem32dllcaches3legacy.dll
2009-12-24 19:52:13 0 d-sh--w- c:documents and settingsownerIECompatCache
2009-12-24 18:39:53 0 d-sh--w- c:documents and settingsownerPrivacIE
2009-12-24 18:26:31 0 d-sh--w- c:documents and settingsownerIETldCache
2009-12-24 17:54:52 12800 -c----w- c:windowssystem32dllcachexpshims.dll
2009-12-24 17:54:49 55296 -c----w- c:windowssystem32dllcachemsfeedsbs.dll
2009-12-24 17:54:48 594432 -c----w- c:windowssystem32dllcachemsfeeds.dll
2009-12-24 17:54:48 246272 -c----w- c:windowssystem32dllcacheieproxy.dll
2009-12-24 17:54:48 1985536 -c----w- c:windowssystem32dllcacheiertutil.dll
2009-12-24 17:54:45 11069952 -c----w- c:windowssystem32dllcacheieframe.dll
2009-12-24 17:54:14 0 d-----w- c:windowsie8updates
2009-12-24 17:53:24 92160 -c----w- c:windowssystem32dllcacheiecompat.dll
2009-12-24 17:49:59 0 dc-h--w- c:windowsie8
2009-12-24 09:39:55 1089593 -c----w- c:windowssystem32dllcachentprint.cat
2009-12-14 14:34:39 0 ----a-w- c:windowsCyoyoxo.bin
2009-12-14 14:34:36 120 ----a-w- c:windowsLyeseburi.dat
2009-12-14 14:27:23 0 ----a-w- c:windowssystem32driversbvszpf.sys
2009-12-13 22:50:36 0 d-----w- c:docume~1alluse~1applic~1McAfee Security Scan
2009-12-10 00:44:41 0 d-----w- c:docume~1alluse~1applic~1SUPERAntiSpyware.com
2009-12-10 00:43:29 0 d-----w- c:program filesSUPERAntiSpyware
2009-12-10 00:43:28 0 d-----w- c:docume~1ownerapplic~1SUPERAntiSpyware.com
2009-12-10 00:29:13 0 d-----w- c:docume~1ownerapplic~1Malwarebytes
2009-12-10 00:28:54 0 d-----w- c:docume~1alluse~1applic~1Malwarebytes
2009-12-06 07:21:37 235520 ----a-w- c:documents and settingsownersysdump.tar

==================== Find3M ====================

2009-11-30 05:45:03 61224 ----a-w- c:documents and settingsownerGoToAssistDownloadHelper.exe
2009-10-29 07:45:38 916480 ----a-w- c:windowssystem32wininet.dll
2009-10-29 04:48:52 499712 ----a-w- c:windowssystem32msvcp71.dll
2009-10-29 04:48:52 348160 ----a-w- c:windowssystem32msvcr71.dll
2009-10-21 05:38:36 75776 ----a-w- c:windowssystem32strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:windowssystem32httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:windowssystem32oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:windowssystem32rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:windowssystem32raschap.dll

============= FINISH: 23:55:51.98 ===============
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/01 23:44
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:WINDOWSSystem32Driversdump_atapi.sys
Address: 0xF3A2A000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:WINDOWSSystem32Driversdump_WMILIB.SYS
Address: 0xFCA6B000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:WINDOWSsystem32driversrootrepeal.sys
Address: 0xF3378000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:documents and settingsall usersapplication datamicrosoftmicrosoft antimalwaresupportmpwpptracing.bin
Status: Allocation size mismatch (API: 1048576, Raw: 65536)

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:Program FilesSUPERAntiSpywareSASKUTIL.sys" at address 0xf30510b0

==EOF==

here is the other scan!

also, just so you know i came across a file citrix online go to assist. i'm not sure if thats a windows thing or what?? but i don't have a wireless router and i never added that. i was debating deleting it but i'll wait til i hear back from you!

Attached File(s)


This post has been edited by garmanma: 06 January 2010 - 11:50 AM

#2 User is offline   elise025 

  • Bleepin' Blonde
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Study Hall Admin
  • Posts: 36,056
  • Joined: 05-October 07
  • Gender:Female
  • Location:Romania

Posted 10 January 2010 - 10:18 AM

Hello ,
And :( to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results. Post both logs (no need to zip attach.txt).
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)
  • GMER log

Please do NOT post logs as attachments, unless you are unable to copy/paste a log directly in the reply box.

Thanks and again sorry for the delay.
regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton
Posted Image Follow BleepingComputer on: Facebook | Twitter | Google+

#3 User is offline   kshoney44 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 43
  • Joined: 28-December 09

Posted 10 January 2010 - 03:11 PM

DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 15:01:41.54 on Sun 01/10/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.126.19 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Outdated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_06\bin\jusched.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
Trusted Zone: att.net
Trusted Zone: ebay.com\www
Trusted Zone: facebook.com\apps
Trusted Zone: facebook.com\www
Trusted Zone: popcap.com\www
Trusted Zone: sbcglobal.net
Trusted Zone: yahoo.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83}
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/swdir8d196a.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1211409827093
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-01-05 02:10:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-05 02:09:22 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 02:09:20 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-01 22:21:19 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-01 06:53:06 0 d-s---w- c:\documents and settings\owner\%USERPROFILE%
2009-12-29 13:20:24 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-12-29 13:20:24 215920 ----a-w- c:\windows\system32\muweb.dll
2009-12-29 13:20:24 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2009-12-29 09:43:37 0 d-----w- C:\8d1f879bc5941325460c55907fa7
2009-12-29 09:34:09 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-29 09:28:25 0 d-----w- c:\program files\Microsoft Security Essentials
2009-12-29 05:06:31 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2009-12-29 04:55:52 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2009-12-29 04:54:55 98304 -c--a-w- c:\windows\system32\dllcache\verifier.exe
2009-12-29 04:53:57 149376 -c--a-w- c:\windows\system32\dllcache\tffsport.sys
2009-12-29 04:52:29 58368 -c--a-w- c:\windows\system32\dllcache\smiminib.sys
2009-12-29 04:51:51 18400 -c--a-w- c:\windows\system32\dllcache\sgsmld.sys
2009-12-29 04:50:57 20992 -c--a-w- c:\windows\system32\dllcache\rtl8139.sys
2009-12-29 04:50:57 19017 -c--a-w- c:\windows\system32\dllcache\rtl8029.sys
2009-12-29 04:50:56 30720 -c--a-w- c:\windows\system32\dllcache\rthwcls.sys
2009-12-29 04:50:54 132608 -c--a-w- c:\windows\system32\dllcache\rsvp.exe
2009-12-29 04:50:53 9216 -c--a-w- c:\windows\system32\dllcache\rsmgrstr.dll
2009-12-29 04:50:52 3840 -c--a-w- c:\windows\system32\dllcache\rpfun.sys
2009-12-29 04:50:48 79104 -c--a-w- c:\windows\system32\dllcache\rocket.sys
2009-12-29 04:50:47 37563 -c--a-w- c:\windows\system32\dllcache\rlnet5.sys
2009-12-29 04:50:46 9728 -c--a-w- c:\windows\system32\dllcache\reset.exe
2009-12-29 04:50:46 86097 -c--a-w- c:\windows\system32\dllcache\reslog32.dll
2009-12-29 04:50:02 19584 -c--a-w- c:\windows\system32\dllcache\rasirda.sys
2009-12-29 04:50:00 899146 -c--a-w- c:\windows\system32\dllcache\r2mdkxga.sys
2009-12-29 04:50:00 714762 -c--a-w- c:\windows\system32\dllcache\r2mdmkxx.sys
2009-12-29 04:48:59 39424 -c--a-w- c:\windows\system32\dllcache\ovcoms.exe
2009-12-29 04:47:59 91488 -c--a-w- c:\windows\system32\dllcache\n9i3disp.dll
2009-12-29 04:46:56 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2009-12-29 04:45:55 37376 -c--a-w- c:\windows\system32\dllcache\kousd.dll
2009-12-29 04:45:52 253952 -c--a-w- c:\windows\system32\dllcache\kdsusd.dll
2009-12-29 04:45:51 48640 -c--a-w- c:\windows\system32\dllcache\kdsui.dll
2009-12-29 04:44:50 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2009-12-29 04:44:49 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2009-12-29 04:44:10 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-12-29 04:44:00 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2009-12-29 04:44:00 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2009-12-29 04:42:52 102463 -c--a-w- c:\windows\system32\dllcache\imepadsm.dll
2009-12-29 04:41:55 10129408 -c--a-w- c:\windows\system32\dllcache\hwxkor.dll
2009-12-29 04:40:59 322432 -c--a-w- c:\windows\system32\dllcache\g400m.sys
2009-12-29 04:39:11 24618 -c--a-w- c:\windows\system32\dllcache\fa410nd5.sys
2009-12-29 04:39:10 16074 -c--a-w- c:\windows\system32\dllcache\fa312nd5.sys
2009-12-29 04:39:08 12362 -c--a-w- c:\windows\system32\dllcache\f3ab18xi.sys
2009-12-29 04:39:08 11850 -c--a-w- c:\windows\system32\dllcache\f3ab18xj.sys
2009-12-29 04:39:01 7040 -c--a-w- c:\windows\system32\dllcache\exabyte2.sys
2009-12-29 04:39:01 16998 -c--a-w- c:\windows\system32\dllcache\ex10.sys
2009-12-29 04:37:59 334208 -c--a-w- c:\windows\system32\dllcache\ds1wdm.sys
2009-12-29 04:36:55 91305 -c--a-w- c:\windows\system32\dllcache\dimaint.sys
2009-12-29 04:35:55 49792 -c--a-w- c:\windows\system32\dllcache\cyzport.sys
2009-12-29 04:34:59 49182 -c--a-w- c:\windows\system32\dllcache\cem56n5.sys
2009-12-29 04:33:57 54271 -c--a-w- c:\windows\system32\dllcache\bcm42xx5.sys
2009-12-29 04:29:55 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2009-12-29 04:28:59 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-12-24 19:52:13 0 d-sh--w- c:\documents and settings\owner\IECompatCache
2009-12-24 18:39:53 0 d-sh--w- c:\documents and settings\owner\PrivacIE
2009-12-24 18:26:31 0 d-sh--w- c:\documents and settings\owner\IETldCache
2009-12-24 17:54:52 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-12-24 17:54:49 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-12-24 17:54:48 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-12-24 17:54:48 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-24 17:54:48 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-12-24 17:54:45 11069952 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-12-24 17:54:14 0 d-----w- c:\windows\ie8updates
2009-12-24 17:53:24 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-12-24 17:49:59 0 dc----w- c:\windows\ie8
2009-12-24 09:39:55 1089593 -c----w- c:\windows\system32\dllcache\ntprint.cat
2009-12-14 14:34:39 0 ----a-w- c:\windows\Cyoyoxo.bin
2009-12-14 14:34:36 120 ----a-w- c:\windows\Lyeseburi.dat
2009-12-14 14:27:23 0 ----a-w- c:\windows\system32\drivers\bvszpf.sys

==================== Find3M ====================

2009-11-30 05:45:03 61224 ----a-w- c:\documents and settings\owner\GoToAssistDownloadHelper.exe
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 04:48:52 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-10-29 04:48:52 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll

============= FINISH: 15:03:48.03 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 3/8/2008 07:37:35 PM
System Uptime: 1/7/2010 09:59:32 PM (66 hours ago)

Motherboard: Dell Computer Corporation | |
Processor: Intel® Pentium® 4 CPU 1.80GHz | Socket 478 | 1794/400mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 27.997 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

==== Installed Programs ======================

Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Shockwave Player 11.5
AusLogics Disk Defrag
AusLogics Registry Defrag
Auto Care
B44Inst
BCM V.92 56K Modem
Broadcom 440x Driver Installer
BroadJump Client Foundation
CCleaner (remove only)
CheckIt Diagnostics
Dell ResourceCD
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
Intel® Extreme Graphics Driver Software
Java™ 6 Update 6
LimeWire 4.16.7
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Easy Assist
Microsoft Security Essentials
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Windows Live OneCare Resources v2.0.2500.32
Microsoft Windows OneCare Live v2.0.2500.32
PerformanceTest
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
SoundMAX
SUPERAntiSpyware Free Edition
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB975364)
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows XP Service Pack 3
Yahoo! Toolbar

==== End Of File ===========================
thank you elise so much for taking the time to help me. i hope that i did the log thing right!! i will follow your instuctions but the may be in seperate posts. my computer stops responding constantly so while i have it working i'm just going to send itquickly before it crashes again!!

#4 User is offline   elise025 

  • Bleepin' Blonde
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Study Hall Admin
  • Posts: 36,056
  • Joined: 05-October 07
  • Gender:Female
  • Location:Romania

Posted 10 January 2010 - 03:33 PM

Okay, see if you can post the GMER log. Try to run GMER with Devices unchecked if it is giving you troubles.

If you are not able to complete it, just let me know.
regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton
Posted Image Follow BleepingComputer on: Facebook | Twitter | Google+

#5 User is offline   kshoney44 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 43
  • Joined: 28-December 09

Posted 10 January 2010 - 03:57 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-10 15:31:09
Windows 5.1.2600 Service Pack 3
Running: yhn41ggb.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kfqcqaog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF39460B0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 451 804E2AAD 3 Bytes [60, 94, F3]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
here is the gmer log. i'm not sure if this one is right. i did not see a prompt saying automatic quick scan....just scan!let me know if i did something wrong and if you need me to redo it!! THANKS AGAIN!!!

#6 User is offline   elise025 

  • Bleepin' Blonde
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Study Hall Admin
  • Posts: 36,056
  • Joined: 05-October 07
  • Gender:Female
  • Location:Romania

Posted 10 January 2010 - 04:10 PM

Hello kshoney44,

P2P WARNING
-------------------
Going over your logs I noticed that you have LimeWire installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall LimeWire, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt
regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton
Posted Image Follow BleepingComputer on: Facebook | Twitter | Google+

#7 User is offline   kshoney44 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 43
  • Joined: 28-December 09

Posted 10 January 2010 - 06:13 PM

ComboFix 10-01-04.01 - Owner 01/10/2010 17:16:24.1.1 - x86
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe

.
((((((((((((((((((((((((( Files Created from 2009-12-10 to 2010-01-10 )))))))))))))))))))))))))))))))
.

2010-01-08 15:13 . 2010-01-08 15:13 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-03 03:33 . 2010-01-03 03:33 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-03 03:33 . 2010-01-03 03:33 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-03 03:33 . 2010-01-03 03:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-12-21 21:14 . 2010-01-10 19:02 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-16 18:55 . 2009-12-16 18:55 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-16 18:54 . 2009-12-16 18:54 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-13 22:49 . 2009-12-13 22:54 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-10 18:53 . 2009-12-10 00:46 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-08 15:18 . 2010-01-05 02:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-07 21:07 . 2010-01-05 02:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2010-01-05 02:09 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 02:18 . 2008-05-22 06:09 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire
2010-01-03 06:07 . 2009-12-10 00:43 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-01 22:21 . 2010-01-01 22:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-29 23:19 . 2009-12-29 23:19 13104 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-29 09:29 . 2009-12-29 09:28 -------- d-----w- c:\program files\Microsoft Security Essentials
2009-12-29 05:06 . 2009-12-29 05:06 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2009-12-16 19:00 . 2008-05-22 03:39 -------- d-----w- c:\program files\Java
2009-12-16 18:51 . 2008-05-22 03:29 -------- d-----w- c:\program files\LimeWire
2009-12-14 15:32 . 2009-12-14 14:27 0 ----a-w- c:\windows\system32\drivers\bvszpf.sys
2009-12-14 14:34 . 2009-12-14 14:34 0 ----a-w- c:\windows\Cyoyoxo.bin
2009-12-14 14:34 . 2009-12-14 14:34 120 ----a-w- c:\windows\Lyeseburi.dat
2009-12-13 22:49 . 2009-12-13 22:49 -------- d-----w- c:\program files\NOS
2009-12-10 00:44 . 2009-12-10 00:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-10 00:43 . 2009-12-10 00:43 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-12-10 00:29 . 2009-12-10 00:29 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-12-10 00:28 . 2009-12-10 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-07 05:10 . 2008-06-05 20:55 -------- d-----w- c:\program files\Windows Live Safety Center
2009-12-01 17:46 . 2008-05-22 03:09 13104 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-01 16:25 . 2009-12-01 16:25 -------- dc----w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-12-01 15:42 . 2009-12-01 15:42 -------- d-----w- c:\program files\MSBuild
2009-12-01 15:42 . 2009-12-01 15:42 -------- d-----w- c:\program files\Reference Assemblies
2009-11-30 05:45 . 2009-11-30 05:45 61224 ----a-w- c:\documents and settings\Owner\GoToAssistDownloadHelper.exe
2009-11-30 05:30 . 2009-11-30 05:30 -------- d-----w- c:\documents and settings\Owner\Application Data\McAfee
2009-11-30 01:31 . 2009-11-30 01:31 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG8
2009-11-03 01:42 . 2009-12-29 09:34 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 07:45 . 2002-09-03 17:12 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 04:48 . 2009-10-29 04:48 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-10-29 04:48 . 2009-10-29 04:48 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2002-09-03 16:50 270336 ----a-w- c:\windows\system32\oakley.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-23 2001648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2002-06-20 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-06-20 114688]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0pgdfgsvc C 1

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk
backup=c:\windows\pss\AT&T Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
2003-08-29 11:59 122880 ----a-w- c:\windows\BCMSMMSG.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-11-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-11-23 74480]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-11-23 7408]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - KFQCQAOG
*Deregistered* - kfqcqaog

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-01-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 22:36]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: att.net
Trusted Zone: ebay.com\www
Trusted Zone: facebook.com\apps
Trusted Zone: facebook.com\www
Trusted Zone: popcap.com\www
Trusted Zone: sbcglobal.net
Trusted Zone: yahoo.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-10 17:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(624)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-01-10 18:07:11
ComboFix-quarantined-files.txt 2010-01-10 23:06

Pre-Run: 29,973,143,552 bytes free
Post-Run: 30,075,691,008 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 3EAA32719776B61936061E9919EF27B1

#8 User is offline   elise025 

  • Bleepin' Blonde
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Study Hall Admin
  • Posts: 36,056
  • Joined: 05-October 07
  • Gender:Female
  • Location:Romania

Posted 11 January 2010 - 03:21 AM

Hello again, we need to export a service key in order to see if it is bad or not.

Click start > run, type notepad in the runbox and press enter.
Copy/paste the text in the codebox below in Notepad and save it as export.bat to your desktop.
@echo off
regedit /e "export.txt" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kfqcqaog"
start export.txt
del %0
Exit Notepad and doubleclick on export.bat to run it. A text file (export.txt) will open. Please post its contents in your next reply.
regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton
Posted Image Follow BleepingComputer on: Facebook | Twitter | Google+

#9 User is offline   kshoney44 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 43
  • Joined: 28-December 09

  Posted 11 January 2010 - 10:53 AM

export.txt will not run. i recieved the following error message. windows cannot find 'export.txt'. make sure you typed the name correctly, and then try again. to search a file, click the start button, and then click search. i tried it three times????

#10 User is offline   elise025 

  • Bleepin' Blonde
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Study Hall Admin
  • Posts: 36,056
  • Joined: 05-October 07
  • Gender:Female
  • Location:Romania

Posted 11 January 2010 - 01:24 PM

Hello kshoney44,

UPDATE JAVA
------------------
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
File::
c:\windows\Cyoyoxo.bin
c:\windows\Lyeseburi.dat
c:\windows\system32\drivers\bvszpf.sys

DDS::
Trusted Zone: att.net
Trusted Zone: ebay.com\www
Trusted Zone: facebook.com\apps
Trusted Zone: facebook.com\www
Trusted Zone: popcap.com\www
Trusted Zone: sbcglobal.net
Trusted Zone: yahoo.com

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


In your next reply, please include the following:
  • Combofix.txt
  • A description of the remaining problems.
regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton
Posted Image Follow BleepingComputer on: Facebook | Twitter | Google+

#11 User is offline   kshoney44 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 43
  • Joined: 28-December 09

Posted 11 January 2010 - 02:15 PM

i was able to download JRE 6 update 17 but not java runtime. i think i have 6. in my add/remove programs, mine says java 6?? what to do???

#12 User is offline   elise025 

  • Bleepin' Blonde
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Study Hall Admin
  • Posts: 36,056
  • Joined: 05-October 07
  • Gender:Female
  • Location:Romania

Posted 11 January 2010 - 02:26 PM

JRE stands for Jave Runtime Environment :(

Install JRE 6 update 17 as instructed and remove all earlier updates afterwards as instructed.
regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton
Posted Image Follow BleepingComputer on: Facebook | Twitter | Google+

#13 User is offline   kshoney44 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 43
  • Joined: 28-December 09

Posted 11 January 2010 - 04:39 PM

sorry...i am a total computer idiot!!! :( here is the combo fix log
ComboFix 10-01-04.01 - Owner 01/11/2010 15:21:38.2.1 - x86
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FILE ::
"c:\windows\Cyoyoxo.bin"
"c:\windows\Lyeseburi.dat"
"c:\windows\system32\drivers\bvszpf.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Cyoyoxo.bin
c:\windows\Lyeseburi.dat
c:\windows\system32\drivers\bvszpf.sys

.
((((((((((((((((((((((((( Files Created from 2009-12-11 to 2010-01-11 )))))))))))))))))))))))))))))))
.

2010-01-11 19:22 . 2010-01-11 19:21 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-08 15:13 . 2010-01-08 15:13 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-05 02:10 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-05 02:09 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 02:09 . 2010-01-08 15:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-04 15:40 . 2010-01-04 15:40 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PCHealth
2010-01-04 09:01 . 2010-01-04 09:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-01-03 04:18 . 2010-01-03 04:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2010-01-03 03:33 . 2010-01-03 03:33 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-03 03:33 . 2010-01-03 03:33 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-03 03:33 . 2010-01-03 03:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-01-01 22:21 . 2010-01-01 22:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-01 06:53 . 2010-01-01 06:53 -------- d-s---w- c:\documents and settings\Owner\%USERPROFILE%
2009-12-29 23:31 . 2009-12-29 23:31 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-12-29 23:19 . 2009-12-29 23:19 13104 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-29 23:18 . 2009-12-29 23:18 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-12-29 13:20 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-12-29 13:20 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll
2009-12-29 09:43 . 2009-12-29 09:44 -------- d-----w- C:\8d1f879bc5941325460c55907fa7
2009-12-29 09:34 . 2009-11-03 01:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-29 09:28 . 2009-12-29 09:29 -------- d-----w- c:\program files\Microsoft Security Essentials
2009-12-29 05:31 . 2009-12-29 05:31 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-12-29 05:06 . 2009-12-29 05:06 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2009-12-29 04:55 . 2008-04-13 19:36 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2009-12-29 04:54 . 2008-04-14 01:12 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2009-12-29 04:53 . 2008-04-13 19:40 149376 -c--a-w- c:\windows\system32\dllcache\tffsport.sys
2009-12-29 04:52 . 2001-08-17 17:51 58368 -c--a-w- c:\windows\system32\dllcache\smiminib.sys
2009-12-29 04:51 . 2001-07-21 19:29 18400 -c--a-w- c:\windows\system32\dllcache\sgsmld.sys
2009-12-29 04:50 . 2004-08-04 06:31 20992 -c--a-w- c:\windows\system32\dllcache\rtl8139.sys
2009-12-29 04:50 . 2001-08-17 17:12 19017 -c--a-w- c:\windows\system32\dllcache\rtl8029.sys
2009-12-29 04:50 . 2001-08-17 17:19 30720 -c--a-w- c:\windows\system32\dllcache\rthwcls.sys
2009-12-29 04:50 . 2002-09-03 16:56 132608 -c--a-w- c:\windows\system32\dllcache\rsvp.exe
2009-12-29 04:50 . 2001-08-18 03:36 9216 -c--a-w- c:\windows\system32\dllcache\rsmgrstr.dll
2009-12-29 04:50 . 2001-08-17 17:19 3840 -c--a-w- c:\windows\system32\dllcache\rpfun.sys
2009-12-29 04:50 . 2008-04-13 19:40 79104 -c--a-w- c:\windows\system32\dllcache\rocket.sys
2009-12-29 04:50 . 2001-08-17 17:12 37563 -c--a-w- c:\windows\system32\dllcache\rlnet5.sys
2009-12-29 04:50 . 2002-09-03 16:56 9728 -c--a-w- c:\windows\system32\dllcache\reset.exe
2009-12-29 04:50 . 2001-08-18 03:36 86097 -c--a-w- c:\windows\system32\dllcache\reslog32.dll
2009-12-29 04:50 . 2001-08-17 18:51 19584 -c--a-w- c:\windows\system32\dllcache\rasirda.sys
2009-12-29 04:50 . 2001-08-17 18:28 714762 -c--a-w- c:\windows\system32\dllcache\r2mdmkxx.sys
2009-12-29 04:50 . 2001-08-17 18:28 899146 -c--a-w- c:\windows\system32\dllcache\r2mdkxga.sys
2009-12-29 04:48 . 2001-08-18 03:36 39424 -c--a-w- c:\windows\system32\dllcache\ovcoms.exe
2009-12-29 04:47 . 2008-04-13 19:46 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
2009-12-29 04:46 . 2001-08-17 18:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2009-12-29 04:45 . 2001-08-18 03:36 37376 -c--a-w- c:\windows\system32\dllcache\kousd.dll
2009-12-29 04:45 . 2008-04-14 01:11 253952 -c--a-w- c:\windows\system32\dllcache\kdsusd.dll
2009-12-29 04:45 . 2008-04-14 01:11 48640 -c--a-w- c:\windows\system32\dllcache\kdsui.dll
2009-12-29 04:44 . 2001-08-18 03:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2009-12-29 04:44 . 2001-08-18 03:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2009-12-29 04:44 . 2008-04-13 19:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-12-29 04:44 . 2008-04-14 01:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2009-12-29 04:44 . 2001-08-17 19:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2009-12-29 04:42 . 2002-09-03 16:24 102463 -c--a-w- c:\windows\system32\dllcache\imepadsm.dll
2009-12-29 04:41 . 2002-09-03 16:24 10129408 -c--a-w- c:\windows\system32\dllcache\hwxkor.dll
2009-12-29 04:40 . 2001-08-17 19:56 1733120 -c--a-w- c:\windows\system32\dllcache\g400d.dll
2009-12-29 04:39 . 2001-08-17 17:12 24618 -c--a-w- c:\windows\system32\dllcache\fa410nd5.sys
2009-12-29 04:39 . 2001-08-17 17:12 16074 -c--a-w- c:\windows\system32\dllcache\fa312nd5.sys
2009-12-29 04:39 . 2001-08-17 17:11 11850 -c--a-w- c:\windows\system32\dllcache\f3ab18xj.sys
2009-12-29 04:39 . 2001-08-17 17:11 12362 -c--a-w- c:\windows\system32\dllcache\f3ab18xi.sys
2009-12-29 04:39 . 2001-08-17 18:52 7040 -c--a-w- c:\windows\system32\dllcache\exabyte2.sys
2009-12-29 04:39 . 2001-08-17 17:12 16998 -c--a-w- c:\windows\system32\dllcache\ex10.sys
2009-12-29 04:37 . 2001-08-17 17:20 334208 -c--a-w- c:\windows\system32\dllcache\ds1wdm.sys
2009-12-29 04:36 . 2001-08-17 17:13 91305 -c--a-w- c:\windows\system32\dllcache\dimaint.sys
2009-12-29 04:35 . 2001-08-18 03:36 27648 -c--a-w- c:\windows\system32\dllcache\cyzports.dll
2009-12-29 04:34 . 2001-08-17 17:13 49182 -c--a-w- c:\windows\system32\dllcache\cem56n5.sys
2009-12-29 04:33 . 2001-08-17 17:11 26568 -c--a-w- c:\windows\system32\dllcache\bcm4e5.sys
2009-12-29 04:29 . 2001-08-17 19:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2009-12-29 04:28 . 2001-08-17 19:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-12-24 19:52 . 2009-12-24 19:52 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2009-12-24 18:39 . 2009-12-24 18:39 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2009-12-24 18:26 . 2009-12-24 18:26 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2009-12-24 17:54 . 2009-10-29 07:45 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-12-24 17:54 . 2009-10-29 07:45 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-12-24 17:54 . 2009-10-29 07:45 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-12-24 17:54 . 2009-10-29 07:45 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-24 17:54 . 2009-10-29 07:45 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-12-24 17:54 . 2009-10-29 07:45 11069952 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-12-24 17:54 . 2009-12-29 06:32 -------- d-----w- c:\windows\ie8updates
2009-12-24 17:53 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-12-24 17:49 . 2009-12-24 17:52 -------- dc----w- c:\windows\ie8
2009-12-21 21:14 . 2010-01-11 15:12 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-16 18:55 . 2009-12-16 18:55 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-16 18:54 . 2009-12-16 18:54 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-13 22:49 . 2009-12-13 22:54 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-13 22:49 . 2009-12-13 22:49 -------- d-----w- c:\program files\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-11 19:26 . 2008-05-22 03:39 -------- d-----w- c:\program files\Java
2010-01-11 15:10 . 2009-12-10 00:46 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-06 02:18 . 2008-05-22 06:09 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire
2010-01-03 06:07 . 2009-12-10 00:43 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-16 18:51 . 2008-05-22 03:29 -------- d-----w- c:\program files\LimeWire
2009-12-10 00:44 . 2009-12-10 00:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-10 00:43 . 2009-12-10 00:43 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-12-10 00:29 . 2009-12-10 00:29 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-12-10 00:28 . 2009-12-10 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-07 05:10 . 2008-06-05 20:55 -------- d-----w- c:\program files\Windows Live Safety Center
2009-12-01 17:46 . 2008-05-22 03:09 13104 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-01 16:25 . 2009-12-01 16:25 -------- dc----w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-12-01 15:42 . 2009-12-01 15:42 -------- d-----w- c:\program files\MSBuild
2009-12-01 15:42 . 2009-12-01 15:42 -------- d-----w- c:\program files\Reference Assemblies
2009-11-30 05:45 . 2009-11-30 05:45 61224 ----a-w- c:\documents and settings\Owner\GoToAssistDownloadHelper.exe
2009-11-30 05:30 . 2009-11-30 05:30 -------- d-----w- c:\documents and settings\Owner\Application Data\McAfee
2009-11-30 01:31 . 2009-11-30 01:31 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG8
2009-10-29 07:45 . 2002-09-03 17:12 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 04:48 . 2009-10-29 04:48 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-10-29 04:48 . 2009-10-29 04:48 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-23 2001648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2002-06-20 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-06-20 114688]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-11 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0pgdfgsvc C 1

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk
backup=c:\windows\pss\AT&T Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
2003-08-29 11:59 122880 ----a-w- c:\windows\BCMSMMSG.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-11-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-11-23 74480]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-11-23 7408]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-01-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 22:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/search?q=internet+explorer&rls=com.microsoft:en-us:IE-Address&ie=UTF-8&oe=UTF-8&sourceid=ie7&rlz=1I7ADBF_en
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-11 15:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(636)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-01-11 16:05:33
ComboFix-quarantined-files.txt 2010-01-11 21:05
ComboFix2.txt 2010-01-10 23:07

Pre-Run: 29,880,143,872 bytes free
Post-Run: 29,904,666,624 bytes free

- - End Of File - - FD18480C89FB4EC6901EB3ADDE5B5023

#14 User is offline   elise025 

  • Bleepin' Blonde
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Study Hall Admin
  • Posts: 36,056
  • Joined: 05-October 07
  • Gender:Female
  • Location:Romania

Posted 12 January 2010 - 06:09 AM

Hello kshoney44,

No problem, just ask if you are not sure, better safe than sorry :(

MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please launch MBAM and update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


In your next reply, please include the following:
  • MBAM log
regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton
Posted Image Follow BleepingComputer on: Facebook | Twitter | Google+

#15 User is offline   kshoney44 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 43
  • Joined: 28-December 09

Posted 12 January 2010 - 10:45 AM

ok well i tried to update the mbam definitions from the link that you provided me and recieved the following message.... the setup files are corrupted. please obtain a new copy of the program.
while i able to connect to the internet let me tell you whats been going on with this crappy computer since yeasterday. i haven't been able to get online it just says connecting for hours.or when i do get on it says errors on page. windows application errors...1 said failed to initialize properly, next one said insufficient system resources ( and nothing was running), and one said the link no longer existed. i couldn't open task manager, programs wouldn't close.my pages didn't look right -there were little squares in place of some letters.still "not responding" and very slow! sorry to overload you with questions just trying to put them down in writing before i forget!! i have windows NT in my program files but my computer has XP? also, microsoft NET framework, i have 3 versions in my add/ remove programs as well as 2 versions of visual c++ , should i only have 1 of each?? lastly (for now :( ) what is a smart card and why is my access denied?? well thanks again !! and sorry in advance!!( i know you are kicking yourself for taking on my problem LOL!!!)

Share this topic:


  • 6 Pages +
  • 1
  • 2
  • 3
  • Last »
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users