Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hjt Log - Virtumonde


  • Please log in to reply
46 replies to this topic

#1 harlequeen

harlequeen

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:01:32 AM

Posted 30 August 2008 - 07:12 AM

My computer has had it's wallpaper changed, I can't access update sites for anti-viruses and google searches get diverted to other search pages.

I have run spybot search and destroy, superantispyware, and have avast anti-virus running all the time. As soon as I reboot the wallpaper reverts to show "Warning! Spyware detected on your computer" I know this is bogus so haven't tried to activate it but I can't get rid of it. Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:32:29, on 28/08/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\lphce8bj0er8p.exe
C:\Program Files\Spamihilator\spamihilator.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0 ME\Distillr\acrotray.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
D:\HJT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.ntlworld.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 ME\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0 ME\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0 ME\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lphce8bj0er8p] C:\WINDOWS\System32\lphce8bj0er8p.exe
O4 - HKCU\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0 ME\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.bigfishgames.com/online/chainz2/mjolauncher.cab
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.bigfishgames.com/online/tumblebugs/axhost.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 6675 bytes


Please help

BC AdBot (Login to Remove)

 


#2 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:32 AM

Posted 30 August 2008 - 11:57 AM

Please don't post logs in quote or code boxes, it makes them harder to read.

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post back with the Malwarebytes' Anti-Malware log and a new HijackThis log.

#3 harlequeen

harlequeen
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:01:32 AM

Posted 31 August 2008 - 12:51 AM

I did as instructed, rebooted the machine as the software said and now I cannot get anything other than a blue screen. I get my log on, but nothing after that.

I rebooted again, pressed F8 whilst doing so and have got my windows desktop now.
Here is the log file:


Malwarebytes' Anti-Malware 1.25
Database version: 1098
Windows 5.1.2600 Service Pack 1

01:56:56 31/08/2008
mbam-log-08-31-2008 (01-56-56).txt

Scan type: Full Scan (C:\|D:\|G:\|H:\|)
Objects scanned: 214283
Time elapsed: 43 minute(s), 22 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 6
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 30

Memory Processes Infected:
C:\WINDOWS\system32\lphce8bj0er8p.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\blphce8bj0er8p.scr (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphce8bj0er8p (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.starsdoor.com (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\blphce8bj0er8p.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Harlequeen\Local Settings\Temp\rsyncini.exe (Trojan.Shutdowner) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\lphce8bj0er8p.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phce8bj0er8p.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysrest32.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Harlequeen\Local Settings\Temp\.tt15.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Harlequeen\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Harlequeen\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Harlequeen\Local Settings\Temp\.tt3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Harlequeen\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Harlequeen\Local Settings\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Harlequeen\Local Settings\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Harlequeen\Local Settings\Temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Harlequeen\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Harlequeen\Local Settings\Temp\.tt9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Harlequeen\Local Settings\Temp\.ttA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Harlequeen\Local Settings\Temp\.ttB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Harlequeen\Local Settings\Temp\.ttC.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Harlequeen\Local Settings\Temp\.ttD.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Harlequeen\Local Settings\Temp\.ttE.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Harlequeen\Local Settings\Temp\.ttF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.



One thing I notice, for some reason I can't open outlook express!

Thanks

Harlequeen

Edited by harlequeen, 31 August 2008 - 01:22 AM.


#4 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:32 AM

Posted 31 August 2008 - 07:00 AM

One thing I notice, for some reason I can't open outlook express!


When did this start? Do you get any error messages?

Also, please post a new HijackThis log.

#5 harlequeen

harlequeen
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:01:32 AM

Posted 31 August 2008 - 07:27 AM

I can only get into my computer if i hit F8 when it's booting so that it asks me which OS to start. (I only have one). I can't access outlook express, no error messages, it just doesn't run at all. I tried redoing hijackthis log but it appears to hang. I am unable to run a full malwarebytes scan as that hangs too. I did run a quick scan and it flagged up 2 rootkits. I can access the internet but it is extremely slow to run my home page. I can boot into safe mode and I did have superantispyware set to run on boot but that appears not to be running now. Once I get a browser open I can access pages quite quickly. If I try and run word the program takes ages to load the complete page. All this has only been happening since running the malwarebyte scan.

Hope you can help

#6 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:32 AM

Posted 31 August 2008 - 08:45 AM

I don't see anything in the log which indicates that malwarebytes has caused this. However, I think that some of what is left of the infections might be getting in the way.
  • Download GMER by GMER from here
  • Unzip it to a folder on your desktop
  • Double click on gmer.exe to launch GMER
  • If asked, allow the gmer.sys driver load
  • If it warns you about rootkit activity and asks if you want to run scan, click OK
  • If you don't get a warning then
    • Click the rootkit tab
    • Click Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerrk.txt
  • Click on the >>> tab
  • This will open up the rest of the tabs for you
  • Click on the Autostart tab
  • Click on Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerautos.txt
  • Copy and paste the contents of gmerautos.txt and gmerrk.txt as a reply to this topic


#7 harlequeen

harlequeen
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:01:32 AM

Posted 31 August 2008 - 03:23 PM

Here are the logs

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-31 21:18:27
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF14E0618]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF14E04D4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF14E09B2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF14E00AC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF14E05AE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF14DFFEC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF14E0050]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF14E06CE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF14E068E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF14E080E]

---- User code sections - GMER 1.0.14 ----

.rsrc C:\WINDOWS\system32\winlogon.exe[428] C:\WINDOWS\system32\winlogon.exe section is executable [0x01071000, 0xB000, 0x60000060]
.rsrc C:\WINDOWS\system32\winlogon.exe[428] C:\WINDOWS\system32\winlogon.exe entry point in ".rsrc" section [0x0107B000]
.rsrc C:\WINDOWS\system32\services.exe[476] C:\WINDOWS\system32\services.exe section is executable [0x0101A000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\system32\services.exe[476] C:\WINDOWS\system32\services.exe entry point in ".rsrc" section [0x0101B000]
.rsrc C:\WINDOWS\system32\svchost.exe[664] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\system32\svchost.exe[664] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x01006000]
.rsrc C:\WINDOWS\System32\svchost.exe[692] C:\WINDOWS\System32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\System32\svchost.exe[692] C:\WINDOWS\System32\svchost.exe entry point in ".rsrc" section [0x01006000]
.rsrc C:\WINDOWS\System32\svchost.exe[828] C:\WINDOWS\System32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\System32\svchost.exe[828] C:\WINDOWS\System32\svchost.exe entry point in ".rsrc" section [0x01006000]
.rsrc C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\System32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\System32\svchost.exe entry point in ".rsrc" section [0x01006000]
.reloc C:\WINDOWS\Explorer.EXE[1188] C:\WINDOWS\Explorer.EXE section is executable [0x010F4000, 0x5000, 0x62000060]
.reloc C:\WINDOWS\Explorer.EXE[1188] C:\WINDOWS\Explorer.EXE entry point in ".reloc" section [0x010F8000]

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS\system32\services.exe[476] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00530002
IAT C:\WINDOWS\system32\services.exe[476] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00530000

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Services - GMER 1.0.14 ----

Service system32\drivers\TDSSserv.sys (*** hidden *** ) [SYSTEM] tdssserv <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\tdssserv@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\tdssserv@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\tdssserv@imagepath \systemroot\system32\drivers\TDSSserv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\tdssserv@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\tdssserv@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\tdssserv@imagepath \systemroot\system32\drivers\TDSSserv.sys

---- EOF - GMER 1.0.14 ----





GMERAUTOS

GMER 1.0.14.14536 - http://www.gmer.net
Autostart scan 2008-08-31 21:19:51
Windows 5.1.2600 Service Pack 1


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@DLLName = C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
aawservice@ = "C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"
aswUpdSv@ = "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
avast! Antivirus@ = "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
Fax@ = %systemroot%\system32\fxssvc.exe
IISADMIN@ = C:\WINDOWS\System32\inetsrv\inetinfo.exe
MDM@ = "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"
MySql@ = C:/mysql/bin/mysqld-nt.exe /*file not found*/
NVSvc@ = %SystemRoot%\System32\nvsvc32.exe
SMTPSVC@ = C:\WINDOWS\System32\inetsrv\inetinfo.exe
W3SVC@ = %SystemRoot%\System32\inetsrv\inetinfo.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@NvCplDaemonRUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
@EPSON Stylus Photo R300 SeriesC:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300" = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
@TkBellExe"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
@AdaptecDirectCD"C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
@avast!C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
@QuickTime Task"C:\Program Files\QuickTime\qttask.exe" -atboottime = "C:\Program Files\QuickTime\qttask.exe" -atboottime

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@Spamihilator"C:\Program Files\Spamihilator\spamihilator.exe" = "C:\Program Files\Spamihilator\spamihilator.exe"
@swgC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe = C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
@SUPERAntiSpywareC:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@erQeWRQY = C:\WINDOWS\system32\xlf.dll

HKLM\Software\Classes\.scr@ = "%1" %*

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} = C:\Program Files\SUPERAntiSpyware\SASSEH.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/(null) =
@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINDOWS\System32\nvshell.dll = C:\WINDOWS\System32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINDOWS\System32\nvshell.dll = C:\WINDOWS\System32\nvshell.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL = C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\Office10\msohev.dll = C:\Program Files\Microsoft Office\Office10\msohev.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Program Files\Real\RealOne Player\rpshell.dll = C:\Program Files\Real\RealOne Player\rpshell.dll
@{5a61f7a0-cde1-11cf-9113-00aa00425c62} /*IIS Shell Extension*/C:\WINDOWS\System32\inetsrv\w3ext.dll = C:\WINDOWS\System32\inetsrv\w3ext.dll
@{5E44E225-A408-11CF-B581-008029601108} /*Adaptec DirectCD Shell Extension*/C:\PROGRA~1\Adaptec\EASYCD~1\DirectCD\Shellex.dll = C:\PROGRA~1\Adaptec\EASYCD~1\DirectCD\Shellex.dll
@{D0FAC080-AE1A-11ce-8016-CE90976DC901} /*Picture Publisher File Viewer*/ppiv20.dll = ppiv20.dll
@{472083B0-C522-11CF-8763-00608CC02F24} /*avast*/C:\Program Files\Alwil Software\Avast4\ashShell.dll = C:\Program Files\Alwil Software\Avast4\ashShell.dll
@{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} /*Adobe.Acrobat.ContextMenu*/C:\Program Files\Adobe\Acrobat 6.0 ME\Acrobat Elements\ContextMenu.dll = C:\Program Files\Adobe\Acrobat 6.0 ME\Acrobat Elements\ContextMenu.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{A426B331-7F6F-4937-9B08-676A10A62F95} /*Record Image to CD*/C:\Program Files\Alex Feinman\ISO Recorder\ISORecorder.dll = C:\Program Files\Alex Feinman\ISO Recorder\ISORecorder.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
Adobe.Acrobat.ContextMenu@{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Acrobat 6.0 ME\Acrobat Elements\ContextMenu.dll
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
MagicISO@{DB85C504-C730-49DD-BEC1-7B39C6103B7A} = C:\Program Files\MagicISO\misosh.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
WS_FTP@{797F3885-5429-11D4-8823-0050DA59922B} = C:\Program Files\WS_FTP Pro\wsftpsi.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers@{CA8ACAFA-5FBB-467B-B348-90DD488DE003} = C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
MagicISO@{DB85C504-C730-49DD-BEC1-7B39C6103B7A} = C:\Program Files\MagicISO\misosh.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers@{CA8ACAFA-5FBB-467B-B348-90DD488DE003} = C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
MagicISO@{DB85C504-C730-49DD-BEC1-7B39C6103B7A} = C:\Program Files\MagicISO\misosh.dll
mbamshlext@{57CE581A-0CB6-4266-9CA0-19364C90A0B3} = C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
WS_FTP@{797F3885-5429-11D4-8823-0050DA59922B} = C:\Program Files\WS_FTP Pro\wsftpsi.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 6.0 ME\Acrobat\ActiveX\AcroIEHelper.dll = C:\Program Files\Adobe\Acrobat 6.0 ME\Acrobat\ActiveX\AcroIEHelper.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\SPYBOT~1\SDHelper.dll = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
@{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\program files\google\googletoolbar3.dll = c:\program files\google\googletoolbar3.dll
@{AE7CD045-E861-484f-8273-0445EE161910}C:\Program Files\Adobe\Acrobat 6.0 ME\Acrobat\AcroIEFavClient.dll = C:\Program Files\Adobe\Acrobat 6.0 ME\Acrobat\AcroIEFavClient.dll
@{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll = C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\.spop@Location = C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.wanadoo.co.uk = http://www.wanadoo.co.uk
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.bbc.co.uk/ = http://www.bbc.co.uk/
@Local PageC:\WINDOWS\System32\blank.htm = C:\WINDOWS\System32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
dvd@CLSID = C:\WINDOWS\System32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-help@CLSID = C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
ms-itss@CLSID = C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
mso-offdap@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
tv@CLSID = C:\WINDOWS\System32\msvidctl.dll
vnd.ms.radio@CLSID = C:\WINDOWS\System32\msdxm.ocx

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\System32\wiascr.dll

C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>
Acrobat Assistant.lnk = Acrobat Assistant.lnk
Adobe Gamma Loader.lnk = Adobe Gamma Loader.lnk

---- EOF - GMER 1.0.14 ----


Thanks in advance for your help................

#8 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:32 AM

Posted 31 August 2008 - 04:45 PM

We'll begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the combofix log and a new HijackThis log as a reply to this topic.

#9 harlequeen

harlequeen
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:01:32 AM

Posted 02 September 2008 - 12:49 PM

The Preparing Log Report has been up on my screen for over an hour now, and doesn't appear to be doing anything. What should I do. I don't mind leaving it longer, as I am going out shortly, but don't know what to expect.

Cheers

Harlequeen

#10 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:32 AM

Posted 03 September 2008 - 12:02 PM

Delete your current copy of combofix, then download a new copy and try again. if it freezes, open task manager (ctrl+alt+del) and kill any instances of the processes sed.cfexe, find.cfexe, swreg.cfexe or grep.cfexe.

#11 harlequeen

harlequeen
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:01:32 AM

Posted 03 September 2008 - 12:40 PM

Hi

Here is the combofix log:

ComboFix 08-08-31.01 - Harlequeen 2008-09-03 17:53:05.4 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.809 [GMT 1:00]
Running from: C:\Documents and Settings\Harlequeen\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\system32\a.exe
C:\WINDOWS\system32\arrnnjut.ini
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\esguwmij.ini
C:\WINDOWS\system32\gvtjgfyo.ini
C:\WINDOWS\system32\ilnmp.bak1
C:\WINDOWS\system32\ilnmp.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\ojvudyoq.ini
C:\WINDOWS\system32\pqstv.bak1
C:\WINDOWS\system32\pqstv.ini
C:\WINDOWS\system32\rstwa.bak2
C:\WINDOWS\system32\rstwa.ini2
C:\WINDOWS\system32\rstwa.tmp
C:\WINDOWS\system32\ututv.bak1
C:\WINDOWS\system32\ututv.bak2
C:\WINDOWS\system32\ututv.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Service_tdssserv


((((((((((((((((((((((((( Files Created from 2008-08-03 to 2008-09-03 )))))))))))))))))))))))))))))))
.

2008-08-31 21:02 . 2008-08-31 21:02 250 --a------ C:\WINDOWS\gmer.ini
2008-08-30 18:30 . 2008-08-30 18:30 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-30 18:30 . 2008-08-30 18:30 <DIR> d-------- C:\Documents and Settings\Harlequeen\Application Data\Malwarebytes
2008-08-30 18:30 . 2008-08-30 18:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-30 18:30 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-30 18:30 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-28 18:06 . 2008-08-28 18:06 <DIR> d-------- C:\VundoFix Backups
2008-08-28 07:13 . 2008-08-31 12:45 0 --a------ C:\WINDOWS\system32\drivers\4dab105.sys
2008-08-22 16:55 . 2001-08-17 14:03 24,192 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2008-08-22 16:55 . 2001-08-17 14:03 24,192 --a--c--- C:\WINDOWS\system32\dllcache\usbser.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-31 19:59 --------- d-----w C:\Program Files\Spamihilator
2008-08-27 17:38 --------- d-----w C:\Documents and Settings\Harlequeen\Application Data\Lavasoft
2008-08-26 13:44 --------- d-----w C:\Documents and Settings\Harlequeen\Application Data\Azureus
2008-08-26 08:19 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-07-28 20:36 --------- d-----w C:\Program Files\Azureus
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-17 17:06 72,744 ----a-w C:\Documents and Settings\Harlequeen\Application Data\GDIPFONTCACHEV1.DAT
2007-12-13 18:52 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

------- Sigcheck -------

2004-08-04 08:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\svchost.exe
2004-08-04 08:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\svchost.exe
md5deep: C:\WINDOWS\system32\svchost.exe: error at offset 0: Permission denied

2003-03-31 13:00 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtUninstallKB841533$\winlogon.exe
2004-08-04 08:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\winlogon.exe
2004-08-04 08:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\winlogon.exe
md5deep: C:\WINDOWS\system32\winlogon.exe: error at offset 0: Permission denied

md5deep: C:\WINDOWS\explorer.exe: error at offset 0: Permission denied
2004-08-04 08:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\explorer.exe
2004-08-04 08:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\explorer.exe

2004-08-04 08:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\services.exe
2004-08-04 08:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\services.exe
md5deep: C:\WINDOWS\system32\services.exe: error at offset 0: Permission denied

2004-08-04 08:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\lsass.exe
2004-08-04 08:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\lsass.exe
md5deep: C:\WINDOWS\system32\lsass.exe: error at offset 0: Permission denied

2005-06-11 00:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS\$hf_mig$\KB896423\SP2GDR\spoolsv.exe
2005-06-11 01:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2003-03-31 13:00 51200 9b4155ba58192d4073082b8fc5d42612 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2004-08-04 08:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\spoolsv.exe
2004-08-04 08:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\spoolsv.exe
2005-06-11 00:55 54272 c8fb48b83faf1f5d9b218d04941e2d22 C:\WINDOWS\system32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spamihilator"="C:\Program Files\Spamihilator\spamihilator.exe" [2007-01-24 14:49 619008]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 08:39 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-26 09:19 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-08-29 20:44 4841472]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE" [2003-09-11 04:00 99840]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-04-26 17:57 180269]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-01-23 10:20 675840]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 15:38 78008]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-14 12:31 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2003-03-31 13:00 13312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0 ME\Distillr\acrotray.exe [2003-09-16 23:32:58 217183]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-03-29 19:13:32 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-21 17:30 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"erQeWRQY"= {307DD677-9AD7-7CDD-5BA0-DB9E61D4EE0D} - C:\WINDOWS\system32\xlf.dll [2006-07-05 11:46 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-08-26 09:19 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

S1 4dab105;4dab105;C:\WINDOWS\System32\drivers\4dab105.sys [2008-08-31 12:45]
S1 aswSP;avast! Self Protection;C:\WINDOWS\System32\drivers\aswSP.sys [2008-07-19 15:35]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Harlequeen\Application Data\Mozilla\Firefox\Profiles\default.7j8\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.bbc.co.uk/
FF -: plugin - C:\Program Files\Adobe\Acrobat 5.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_06\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_06\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_06\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_06\bin\NPJava14.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_06\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_06\bin\NPJPI142_06.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_06\bin\NPOJI610.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\nppopcaploader.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npracplug.dll
FF -: plugin - C:\Program Files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF -: plugin - C:\Program Files\Real\RealOne Player\Netscape6\nppl3260.dll
FF -: plugin - C:\Program Files\Real\RealOne Player\Netscape6\nprjplug.dll
FF -: plugin - C:\Program Files\Real\RealOne Player\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-03 17:57:47
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MySql]
"ImagePath"="C:/mysql/bin/mysqld-nt.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MySql]
"ImagePath"="C:/mysql/bin/mysqld-nt.exe"
.
Completion time: 2008-09-03 18:01:10
ComboFix-quarantined-files.txt 2008-09-03 17:00:07

Pre-Run: 11,205,443,584 bytes free
Post-Run: 11,192,033,280 bytes free

157 --- E O F --- 2007-09-17 16:45:51



& HJT file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:37:00, on 03/09/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
D:\HJT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.ntlworld.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 ME\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0 ME\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0 ME\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0 ME\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.bigfishgames.com/online/chainz2/mjolauncher.cab
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.bigfishgames.com/online/tumblebugs/axhost.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O21 - SSODL: erQeWRQY - {307DD677-9AD7-7CDD-5BA0-DB9E61D4EE0D} - C:\WINDOWS\system32\xlf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 6032 bytes

#12 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:32 AM

Posted 05 September 2008 - 11:33 AM

You are running a P2P filesharing programme.
  • Many of these programmes come with unwanted components bundled with them.
  • If you wish to find out whether the one you're using does click here.
Please note: Even if you are using a "safe" P2P programme, it is only the programme that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.


Remember that no matter how clean the program you're using for Peer-to-Peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via Peer-to-Peer filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Any program or file that offers you the ability to access non-freeware programs at no cost, e.g., pirated software and/or cracks/key generators for gaining access to legitimate software, is 100% guaranteed to contain malware.

Here is some information that looks at the rates of infection:

http://www.benedelman.org/spyware/p2p/

My recommendation is you uninstall all P2P programs
  • Open a new notepad window (Start>All programs>accessories>notepad)
  • Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "erQeWRQY"=-
    [-HKEY_CLASSES_ROOT\CLSID\{307DD677-9AD7-7CDD-5BA0-DB9E61D4EE0D}]
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
    Driver::
    4dab105
    File::
    C:\WINDOWS\System32\drivers\4dab105.sys
    C:\WINDOWS\system32\xlf.dll
    FCOPY::
    C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\svchost.exe|C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\winlogon.exe|C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\explorer.exe|C:\WINDOWS\explorer.exe
    C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\services.exe|C:\WINDOWS\system32\services.exe
    C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\lsass.exe|C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe|C:\WINDOWS\system32\spoolsv.exe
  • Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
  • Save it to the desktop as CFscript.txt
  • Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
    Posted Image
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply
    Note: Do not mouseclick combofix's window while its running. That may cause it to stall


#13 harlequeen

harlequeen
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:01:32 AM

Posted 07 September 2008 - 01:13 PM

I've done what you say, but combofix only opens a blue (dos) window and doesn't d o anything else. I left it for hours just in case it would run but was slow. No log file. And as I have been unable to shut down the computer correctly, I only am able to shut it by holding the power button down, so have trouble starting it up.

I appreciate what you say about P2P networks, I have used them very occasionally, but have been stung this time downloading something perfectly legitimate.

Anyway, thanks for your help, I hope you can help further.

Harlequeen

#14 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:32 AM

Posted 08 September 2008 - 06:36 AM

Delete your current copy of combofix, then download a new copy from here, and follow the instructions again.

#15 harlequeen

harlequeen
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:01:32 AM

Posted 08 September 2008 - 11:33 AM

Hi

I've downloaded it again, dragged and dropped the text file over it but it still only brings up a blue dos window. It has a flashing cursor, but does nothing else, apparently.

Regards

Harlequeen




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users