HiJackthis and other programs disabled on one user


19 replies to this topic

#1 caminante11

Posted 25 October 2008 - 10:23 PM

Hi

For one user on Windows XP, autorun, hijackthis etc. are completely disabled. Searching for any spyware related term causes any web browser to suddenly close.

I tried to download Hijackthis from the other user and that worked.

I have a number of different scans but they have not found anything.

I believe the offending files are noted below in bold. I can't seem to get rid of them or delete them.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:45:46 PM, on 10/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Nike+ Utility\Nike+ Utility.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070525
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070525
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1870597549-3120526083-1352118541-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Ale')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Nike+ Utility.lnk = C:\Program Files\Nike+ Utility\Nike+ Utility.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/dsl_settings/...vzTCPConfig.CAB
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4EC99A0B-E57C-4FBE-B9C4-8428424FBF88} (McciUtilsSpecialFolder Class) - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {B1647320-9EC8-4B0F-BF53-93D4A43FA614} (TerminalSvcsTCSX Control) - https://mydesk-pi02.morganstanley.com/prx/0...inalSvcsTCS.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O20 - Winlogon Notify: dbabececbeaca - C:\WINDOWS\system32\dbabececbeaca.dll
O20 - Winlogon Notify: ebdddeedbecdbd - C:\WINDOWS\system32\ebdddeedbecdbd.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

Any help would be appreciated.

#2 Billy O'Neal
Malware Response Team

Posted 25 October 2008 - 10:32 PM

Hello, caminante11.
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the Posted Image button in the lower left hand corner of your screen.
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 caminante11

Posted 25 October 2008 - 11:22 PM

Billy, I would like to try to clean the PC.

#4 Billy O'Neal

Posted 25 October 2008 - 11:36 PM

Hello, caminante11.
Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.
Alrighty.. but you asked for it :thumbsup:

Please download SDFix by AndyManchesta and save it to your desktop.
Note: When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Double click SDFix.exe and it will extract the files to %systemdrive%
    • (this is the drive that contains the Windows Directory, typically C:\SDFix).
    • DO NOT use it just yet.
  • Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
  • Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt in your next reply, along with a new HijackThis log.
Note: If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

Note: If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

Note: If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe

We need to create an OTViewIt Report
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
  • OTViewIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
In your next reply, please include the following:
  • SDFix's Report
  • OTViewIt.txt
  • Extra.txt


#5 caminante11

Posted 26 October 2008 - 07:24 AM

Billy,
Thank you so much for your help.

Now both users have the issue where hijackthis and other programs are not available. Also the browsers close when trying to access this page. I had to create a new user in order to post this.

I have done as instructed.

Could I send you the reports rather than post them here?

Thanks!

Edited by caminante11, 26 October 2008 - 07:25 AM.


#6 caminante11

Posted 26 October 2008 - 11:52 AM

Billy,

Thanks for your help.

The 3 reports are attached.

Removed attachments - will repost later if needed.

Edited by caminante11, 26 October 2008 - 10:19 PM.


#7 Billy O'Neal

Posted 26 October 2008 - 09:11 PM

Hello, caminante11.
We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.
  • About 1 in 100 times the computer will no longer be able to boot after running Combofix. This requires experienced hands to restore the system to bootability.
  • There are several malware infections that "target" Combofix. Experienced Helpers are aware of these infections, and take steps to remove them prior to the use of Combofix. If you do not, various things can happen depending on the infection -- from Combofix being unable to run, to the deletion of the folder C:\Windows\System32, requiring a clean install to repair.
  • Combofix makes some rather significant changes to the internals of XP and Vista in order to work. It can therefore be very dangerous!!
  • The real power of Combofix comes not as a general purpose malware remover. It is rather modest in that capacity. Combofix is powerful because it provides to the experienced Helper a convenient and powerful front-end to Scripts. It is because of its scripting strengths, and its unique reporting capabilities, that you see Combofix often recommended. But not because of its abilities as a general malware scanner.
  • Many malware removal experts will not respond to a request for help if they see that Combofix was run by the end-user without supervision. You might find after running Combofix that your system problems are worse, and nobody is willing to help you.
  • There are several general purpose anti-malware utilities where the Author(s) intended the application for general use by end-users without Supervision. Combofix is not one of them, and you would be advised to honor that position taken by its Author.
How to run ComboFix:
  • Please download ComboFix from one of the following mirrors, and save it to your desktop.
  • Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  • Double click Posted Image on your desktop.
  • Read and accept (Press Yes) to the disclaimer.
  • For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  • ComboFix will run. Simply wait for it to finish.
  • When it finishes, ComboFix will produce a log. Please post that log in your next reply here :thumbsup:
In your next reply, please include the following:
  • ComboFix.txt


#8 caminante11

Posted 26 October 2008 - 10:20 PM

Billy,

Thank you again. I will back everything up before running ComboFix.

Will post the log when I have it. It may be a few days.

#9 caminante11

Posted 28 October 2008 - 04:40 AM

ComboFix ran successfully. Here is the log:

Thanks again for your help

ComboFix 08-10-27.03 - Ed 2008-10-28 4:58:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.575 [GMT -4:00]
Running from: C:\Documents and Settings\Ed\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Ana Rocio\Application Data\temp.dll
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\IE4 Error Log.txt
C:\WINDOWS\mscon.sio
C:\WINDOWS\system32\asembl~1
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\w21Pu2cJ.exe.a_a
C:\WINDOWS\system32\x64
C:\WINDOWS\wintst32.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSYSINTERV1
-------\Legacy_PLUGPLAYRPC
-------\Service_MSSysInterv1
-------\Service_PlugPlayRPC


((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-28 )))))))))))))))))))))))))))))))
.

2008-10-26 09:26 . 2008-10-26 09:26 313,871 --------- C:\WINDOWS\system32\b635e5926503dadcdb6ecd0e3bdc41d1.TMP
2008-10-26 09:26 . 2008-10-26 09:26 313,871 --------- C:\WINDOWS\system32\1dfb7b499712226d7125ea98765e1662.TMP
2008-10-26 09:23 . 2008-10-26 09:23 302,096 --------- C:\WINDOWS\system32\f6b9d094f644d9302da42b6fe1b9e17f.TMP
2008-10-26 09:23 . 2008-10-26 09:23 302,096 --------- C:\WINDOWS\system32\03bdae59b75dc535dad1a6a42453f01a.TMP
2008-10-26 09:22 . 2007-05-25 08:14 <DIR> d-------- C:\Documents and Settings\Ed 3\Application Data\Symantec
2008-10-26 09:22 . 2007-05-25 08:10 <DIR> d--h----- C:\Documents and Settings\Ed 3\Application Data\Gtek
2008-10-26 09:22 . 2007-11-20 20:30 <DIR> d-------- C:\Documents and Settings\Ed 3\Application Data\Apple Computer
2008-10-26 09:22 . 2008-10-26 09:22 <DIR> d-------- C:\Documents and Settings\Ed 3
2008-10-26 09:21 . 2008-10-26 09:21 302,096 --------- C:\WINDOWS\system32\e7dcfe450450b287e67511dbff35ab1d.TMP
2008-10-26 08:11 . 2007-05-25 08:14 <DIR> d-------- C:\Documents and Settings\Ed 2\Application Data\Symantec
2008-10-26 08:11 . 2007-05-25 08:10 <DIR> d--h----- C:\Documents and Settings\Ed 2\Application Data\Gtek
2008-10-26 08:11 . 2007-11-20 20:30 <DIR> d-------- C:\Documents and Settings\Ed 2\Application Data\Apple Computer
2008-10-26 08:11 . 2008-10-26 09:21 <DIR> d-------- C:\Documents and Settings\Ed 2
2008-10-26 08:09 . 2008-10-26 08:09 302,096 --------- C:\WINDOWS\system32\7dc962d6f82f05e086c5d56ca6d73997.TMP
2008-10-26 07:53 . 2008-10-26 07:53 302,096 --------- C:\WINDOWS\system32\823b7c13b851a154ee2748450499f0d3.TMP
2008-10-26 07:53 . 2008-10-26 07:53 302,096 --------- C:\WINDOWS\system32\3c557e036e33f7bf4ff82491681cf936.TMP
2008-10-26 05:13 . 2008-10-26 05:13 578,560 --a------ C:\WINDOWS\system32\dllcache\user32.dll
2008-10-26 05:11 . 2008-10-26 05:11 <DIR> d-------- C:\WINDOWS\ERUNT
2008-10-26 05:10 . 2008-10-26 06:31 <DIR> d-------- C:\SDFix
2008-10-26 00:27 . 2008-10-26 00:27 <DIR> d-------- C:\Program Files\Sygate
2008-10-26 00:27 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-10-26 00:27 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-10-26 00:27 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-10-26 00:27 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-10-26 00:27 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-10-26 00:27 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-10-26 00:27 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-10-25 23:00 . 2008-10-25 23:00 <DIR> d-------- C:\!KillBox
2008-10-23 18:57 . 2008-10-15 12:34 337,408 --------- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-21 19:16 . 2008-10-21 19:16 82,448 --a------ C:\WINDOWS\6C63801E4633A39BEC46289E81FDEDD9.exe
2008-10-16 19:11 . 2008-10-16 19:11 185,360 --a------ C:\WINDOWS\36717ED69B809824CA278DACC48B9D7F.exe
2008-10-15 06:01 . 2008-09-08 06:41 333,824 --------- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-15 06:00 . 2008-08-14 06:11 2,189,184 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 06:00 . 2008-08-14 06:09 2,145,280 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 06:00 . 2008-08-14 05:33 2,066,048 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 06:00 . 2008-08-14 05:33 2,023,936 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 06:00 . 2008-09-15 08:12 1,846,400 --------- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-11 19:06 . 2008-10-11 19:06 177,680 --a------ C:\WINDOWS\97B8837D4FBD42F92937E4238F5D6C1.exe
2008-10-09 07:40 . 2008-10-09 07:40 302,096 --------- C:\WINDOWS\system32\5434fa0282663509b7fb2100be841db8.TMP
2008-10-07 19:08 . 2008-10-07 19:08 <DIR> d-------- C:\Program Files\iTunes
2008-10-07 19:08 . 2008-10-07 19:08 <DIR> d-------- C:\Program Files\iPod
2008-10-07 19:08 . 2008-10-07 19:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-03 07:51 . 2008-10-03 07:51 <DIR> d-------- C:\Documents and Settings\Ed\DoctorWeb
2008-10-02 22:59 . 2008-10-02 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-02 22:58 . 2008-10-02 22:59 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-10-02 22:58 . 2008-10-02 22:58 <DIR> d-------- C:\Documents and Settings\Ed\Application Data\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-27 01:43 --------- d-----w C:\Documents and Settings\Ed\Application Data\U3
2008-10-26 01:28 --------- d-----w C:\Program Files\Trend Micro
2008-10-10 00:46 --------- d-----w C:\Program Files\Free Music Zilla
2008-10-03 02:57 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-28 08:28 16,384 ----a-w C:\WINDOWS\DCEBoot.exe
2008-09-27 00:04 --------- d-----w C:\Documents and Settings\Ed\Application Data\FMZilla
2008-09-23 10:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-23 07:36 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-21 22:42 177,680 ----a-w C:\WINDOWS\C8505DF2B936B7348575C1F0CDC8CC6C.exe
2008-09-16 22:37 177,680 ----a-w C:\WINDOWS\C5C3292C64DCC749AAA8102DE15958.exe
2008-09-13 20:30 --------- d-----w C:\Program Files\Kivela
2008-09-13 16:19 --------- d-----w C:\Program Files\QuickTime
2008-09-13 16:19 --------- d-----w C:\Program Files\Bonjour
2008-09-13 16:18 --------- d-----w C:\Program Files\Common Files\Apple
2008-09-11 22:32 177,680 ----a-w C:\WINDOWS\2123B48C97139115C2F0F3A427165B8A.exe
2008-09-08 10:41 333,824 ------w C:\WINDOWS\system32\drivers\srv.sys
2008-09-06 10:13 177,680 ----a-w C:\WINDOWS\E237CF560F87189E45C661FDE641E3.exe
2007-06-07 23:28 439,296 ------w C:\Documents and Settings\Ed\GoToAssist_phone__317_en.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-06-20 171448]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Nike+ Utility.lnk - C:\Program Files\Nike+ Utility\Nike+ Utility.exe [2008-04-30 1228800]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\dmb9\\baseball.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINDOWS\system32\drivers\hphius09.sys [2006-01-13 18864]
S3 EraserUtilDrvI2;EraserUtilDrvI2;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI2.sys [ ]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 24064]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{33dfa828-4ee9-11dd-984b-00038a000015}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\m.exe /s

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5bc22d21-1699-11dc-9578-00038a000015}]
\Shell\AutoRun\command - H:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5bc22d22-1699-11dc-9578-00038a000015}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL I:\m.exe /s

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc84911a-0e90-11dc-9560-00038a000015}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\m.exe /s

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fbb457c0-178d-11dc-9579-00038a000015}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\m.exe /s
.
Contents of the 'Scheduled Tasks' folder

2008-10-25 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-10-28 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

Notify-!SASWinLogon - (no file)
Notify-AutorunsDisabled - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\hy2zsx13.default\
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-28 05:22:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\55c3be99545a54d6c9f147bd997b101b.sys 36864 bytes
C:\WINDOWS\system32\_55c3be99545a54d6c9f147bd997b101b.sys_.vir 36864 bytes

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\55c3be99545a54d6c9f147bd997b101b]
"ImagePath"="system32\55c3be99545a54d6c9f147bd997b101b.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-10-28 5:28:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-28 09:28:20

Pre-Run: 19,481,112,576 bytes free
Post-Run: 19,681,251,328 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

215 --- E O F --- 2008-10-25 10:13:36

#10 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:42 PM

Posted 28 October 2008 - 03:15 PM

Hello, caminante11.
Your system is infected with a Flash Drive infector
Warning: Any flash / jump drives you have connected to this system since your infection have been compromised by a flash drive infector. We are going to run a tool as part of the following fix which will disinfect your machine, as well as clean any flash drives connected to the system. It is advised you connect any flash drives that have been connected to this machine during this time frame to this system for the following fix, in order to disinfect them.

Please let owners of other machines to which you have connected any flash media or drives know that their machines may now be infected.

We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    http://www.bleepingcomputer.com/forums/t/176403/hijackthis-and-other-programs-disabled-on-one-user/
    file::
    C:\WINDOWS\system32\dllcache\netapi32.dll
    C:\WINDOWS\6C63801E4633A39BEC46289E81FDEDD9.exe
    C:\WINDOWS\36717ED69B809824CA278DACC48B9D7F.exe
    C:\WINDOWS\97B8837D4FBD42F92937E4238F5D6C1.exe
    C:\WINDOWS\system32\5434fa0282663509b7fb2100be841db8.TMP
    C:\WINDOWS\system32\b635e5926503dadcdb6ecd0e3bdc41d1.TMP
    C:\WINDOWS\system32\1dfb7b499712226d7125ea98765e1662.TMP
    C:\WINDOWS\system32\f6b9d094f644d9302da42b6fe1b9e17f.TMP
    C:\WINDOWS\system32\03bdae59b75dc535dad1a6a42453f01a.TMP
    C:\WINDOWS\system32\e7dcfe450450b287e67511dbff35ab1d.TMP
    C:\WINDOWS\system32\7dc962d6f82f05e086c5d56ca6d73997.TMP
    C:\WINDOWS\system32\823b7c13b851a154ee2748450499f0d3.TMP
    C:\WINDOWS\system32\3c557e036e33f7bf4ff82491681cf936.TMP
    C:\WINDOWS\C8505DF2B936B7348575C1F0CDC8CC6C.exe
    C:\WINDOWS\C5C3292C64DCC749AAA8102DE15958.exe
    C:\WINDOWS\2123B48C97139115C2F0F3A427165B8A.exe
    C:\WINDOWS\E237CF560F87189E45C661FDE641E3.exe
    E:\m.exe
    I:\m.exe
    folder::
    C:\!KillBox
    suspect::[54]
    C:\WINDOWS\system32\dllcache\user32.dll
    rootkit::
    C:\WINDOWS\system32\55c3be99545a54d6c9f147bd997b101b.sys
    C:\WINDOWS\system32\_55c3be99545a54d6c9f147bd997b101b.sys_.vir
    registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{33dfa828-4ee9-11dd-984b-00038a000015}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5bc22d22-1699-11dc-9578-00038a000015}]
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

We need to remove the Flash Drive infector
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

In your next reply, please include the following:
  • ComboFix.txt

Billy3

Edited by Billy O'Neal, 28 October 2008 - 03:16 PM.

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
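As an added example (not code from this thread, from ComboFix or from BleepingComputer), the Python script below triages a pasted ComboFix-style log for the three indicator classes the fix above targets: a MountPoints2 AutoRun command that launches an executable from a drive other than the system drive, a driver or service carrying a 32-hex-digit random name, and files that catchme reported as hidden. It assumes C: is the system drive and relies on the line formats visible in the logs above; the second MountPoints2 entry with the all-zero GUID and its setup.exe path are constructed.

```python
"""
Triage of ComboFix-style log text for the indicator classes seen in this thread.
Constructed example, not ComboFix's own code. Assumptions: the system drive is C:,
and the log uses the line formats ComboFix and catchme print in the logs above.
"""
import re
from dataclasses import dataclass
from typing import List

SYSTEM_DRIVE = "C"  # assumption: Windows lives on C:, so AutoRun targets elsewhere are suspect


@dataclass(frozen=True)
class Finding:
    kind: str    # "autorun", "random-name-service" or "hidden-file"
    detail: str  # the command, service name or path that triggered the finding


# Explorer's MountPoints2 key records, per volume GUID, the AutoRun command the shell
# last saw on that volume; a command launching an .exe from a removable drive is the
# classic flash-drive infector footprint.
MOUNTPOINT_KEY = re.compile(
    r"^\[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer"
    r"\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
AUTORUN_COMMAND = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$", re.I)
# Each "X:\...\name.ext" executable reference in a command, capturing its drive letter.
# Paths may contain spaces; the lookahead stops one path from swallowing the next one.
EXE_REFERENCE = re.compile(
    r"\b([A-Z]):\\(?:(?![A-Z]:\\)[^,])*?\.(?:exe|com|bat|cmd|scr|pif)\b", re.I)
# ComboFix driver/service lines look like:  R0 name;display name;C:\path\file.sys [date size]
SERVICE_LINE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+?)\s+\[.*\]$")
# The rootkit driver and the dropped .exe files in this thread all carry 32-hex-digit names.
HEX32_NAME = re.compile(r"^[0-9a-f]{32}$", re.I)
# catchme's hidden-file report lines look like:  C:\path\file.sys 36864 bytes
HIDDEN_FILE = re.compile(r"^([A-Z]:\\.+?)\s+\d+ bytes$", re.I)


def _stem(path: str) -> str:
    """File name without directory or extension, e.g. C:\\x\\abc.sys -> abc."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0] if "." in name else name


def triage(log_text: str) -> List[Finding]:
    """Return findings in log order; each is a lead for review, not a verdict
    (a CD-ROM autorun on D: would be flagged too and must be checked by hand)."""
    findings: List[Finding] = []
    in_mountpoint = False      # the last registry key header was a MountPoints2 volume
    in_hidden_section = False  # inside catchme's "scanning hidden files ..." block
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_mountpoint = bool(MOUNTPOINT_KEY.match(line))
        m = AUTORUN_COMMAND.match(line)
        if m and in_mountpoint:
            command = m.group(1)
            drives = {d.upper() for d in EXE_REFERENCE.findall(command)}
            if drives - {SYSTEM_DRIVE}:
                findings.append(Finding("autorun", command))
            continue
        m = SERVICE_LINE.match(line)
        if m:
            name, path = m.group(1), m.group(2)
            if HEX32_NAME.match(name) or HEX32_NAME.match(_stem(path)):
                findings.append(Finding("random-name-service", name))
            continue
        if line.startswith("scanning hidden files"):
            in_hidden_section = True
            continue
        if line.startswith("scan completed"):
            in_hidden_section = False
            continue
        m = HIDDEN_FILE.match(line)
        if m and in_hidden_section:
            findings.append(Finding("hidden-file", m.group(1)))
    return findings


# Constructed sample: the relevant lines from the ComboFix log above, plus one benign
# driver line and one constructed benign AutoRun entry to show what is not flagged.
SAMPLE_LOG = r"""
R0 55c3be99545a54d6c9f147bd997b101b;55c3be99545a54d6c9f147bd997b101b;C:\WINDOWS\system32\55c3be99545a54d6c9f147bd997b101b.sys [ ]
S3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINDOWS\system32\drivers\hphius09.sys [2006-01-13 18864]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fbb457c0-178d-11dc-9579-00038a000015}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\m.exe /s
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-0000-0000-0000-000000000000}]
\Shell\AutoRun\command - C:\Program Files\Example\setup.exe /autorun
.
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
scanning hidden files ...

C:\WINDOWS\system32\55c3be99545a54d6c9f147bd997b101b.sys 36864 bytes
C:\WINDOWS\system32\_55c3be99545a54d6c9f147bd997b101b.sys_.vir 36864 bytes

scan completed successfully
hidden files: 2
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:22} {f.detail}")
```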

#11 caminante11

caminante11
  • Topic Starter

  • Members
  • 25 posts
  • Local time:03:42 PM

Posted 28 October 2008 - 04:01 PM

Billy,

Thank you. Does this infect ipods I have attached to the computer?

Thanks!

#12 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:42 PM

Posted 28 October 2008 - 04:34 PM

Billy,

Thank you. Does this infect ipods I have attached to the computer?

Thanks!

That is possible yes :thumbsup:

So long as the device is connected when you run Flash_Disinfector you should be fine :)

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#13 caminante11

caminante11
  • Topic Starter

  • Members
  • 25 posts
  • Local time:03:42 PM

Posted 28 October 2008 - 08:55 PM

Billy,

Thanks again for your help!!

I did the two actions. Here is the ComboFix log:

ComboFix 08-10-27.03 - Ed 2008-10-28 20:48:17.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.620 [GMT -4:00]
Running from: C:\Documents and Settings\Ed\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ed\Desktop\CFscript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\2123B48C97139115C2F0F3A427165B8A.exe
C:\WINDOWS\36717ED69B809824CA278DACC48B9D7F.exe
C:\WINDOWS\6C63801E4633A39BEC46289E81FDEDD9.exe
C:\WINDOWS\97B8837D4FBD42F92937E4238F5D6C1.exe
C:\WINDOWS\C5C3292C64DCC749AAA8102DE15958.exe
C:\WINDOWS\C8505DF2B936B7348575C1F0CDC8CC6C.exe
C:\WINDOWS\E237CF560F87189E45C661FDE641E3.exe
C:\WINDOWS\system32\03bdae59b75dc535dad1a6a42453f01a.TMP
C:\WINDOWS\system32\1dfb7b499712226d7125ea98765e1662.TMP
C:\WINDOWS\system32\3c557e036e33f7bf4ff82491681cf936.TMP
C:\WINDOWS\system32\5434fa0282663509b7fb2100be841db8.TMP
C:\WINDOWS\system32\7dc962d6f82f05e086c5d56ca6d73997.TMP
C:\WINDOWS\system32\823b7c13b851a154ee2748450499f0d3.TMP
C:\WINDOWS\system32\b635e5926503dadcdb6ecd0e3bdc41d1.TMP
C:\WINDOWS\system32\dllcache\netapi32.dll
C:\WINDOWS\system32\e7dcfe450450b287e67511dbff35ab1d.TMP
C:\WINDOWS\system32\f6b9d094f644d9302da42b6fe1b9e17f.TMP
E:\m.exe
I:\m.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\!KillBox
C:\!KillBox\Logs\kb.log
C:\WINDOWS\2123B48C97139115C2F0F3A427165B8A.exe
C:\WINDOWS\36717ED69B809824CA278DACC48B9D7F.exe
C:\WINDOWS\6C63801E4633A39BEC46289E81FDEDD9.exe
C:\WINDOWS\97B8837D4FBD42F92937E4238F5D6C1.exe
C:\WINDOWS\C5C3292C64DCC749AAA8102DE15958.exe
C:\WINDOWS\C8505DF2B936B7348575C1F0CDC8CC6C.exe
C:\WINDOWS\E237CF560F87189E45C661FDE641E3.exe
C:\WINDOWS\system32\_55c3be99545a54d6c9f147bd997b101b.sys_.vir
C:\WINDOWS\system32\03bdae59b75dc535dad1a6a42453f01a.TMP
C:\WINDOWS\system32\1dfb7b499712226d7125ea98765e1662.TMP
C:\WINDOWS\system32\3c557e036e33f7bf4ff82491681cf936.TMP
C:\WINDOWS\system32\5434fa0282663509b7fb2100be841db8.TMP
C:\WINDOWS\system32\55c3be99545a54d6c9f147bd997b101b.sys
C:\WINDOWS\system32\7dc962d6f82f05e086c5d56ca6d73997.TMP
C:\WINDOWS\system32\823b7c13b851a154ee2748450499f0d3.TMP
C:\WINDOWS\system32\b635e5926503dadcdb6ecd0e3bdc41d1.TMP
C:\WINDOWS\system32\dllcache\netapi32.dll
C:\WINDOWS\system32\e7dcfe450450b287e67511dbff35ab1d.TMP
C:\WINDOWS\system32\f6b9d094f644d9302da42b6fe1b9e17f.TMP
I:\m.exe

.
((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-29 )))))))))))))))))))))))))))))))
.

2008-10-26 09:22 . 2007-05-25 08:14 <DIR> d-------- C:\Documents and Settings\Ed 3\Application Data\Symantec
2008-10-26 09:22 . 2007-05-25 08:10 <DIR> d--h----- C:\Documents and Settings\Ed 3\Application Data\Gtek
2008-10-26 09:22 . 2007-11-20 20:30 <DIR> d-------- C:\Documents and Settings\Ed 3\Application Data\Apple Computer
2008-10-26 09:22 . 2008-10-26 09:22 <DIR> d-------- C:\Documents and Settings\Ed 3
2008-10-26 08:11 . 2007-05-25 08:14 <DIR> d-------- C:\Documents and Settings\Ed 2\Application Data\Symantec
2008-10-26 08:11 . 2007-05-25 08:10 <DIR> d--h----- C:\Documents and Settings\Ed 2\Application Data\Gtek
2008-10-26 08:11 . 2007-11-20 20:30 <DIR> d-------- C:\Documents and Settings\Ed 2\Application Data\Apple Computer
2008-10-26 08:11 . 2008-10-26 09:21 <DIR> d-------- C:\Documents and Settings\Ed 2
2008-10-26 05:13 . 2008-10-26 05:13 578,560 --a------ C:\WINDOWS\system32\dllcache\user32.dll
2008-10-26 05:11 . 2008-10-26 05:11 <DIR> d-------- C:\WINDOWS\ERUNT
2008-10-26 05:10 . 2008-10-26 06:31 <DIR> d-------- C:\SDFix
2008-10-26 00:27 . 2008-10-26 00:27 <DIR> d-------- C:\Program Files\Sygate
2008-10-26 00:27 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-10-26 00:27 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-10-26 00:27 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-10-26 00:27 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-10-26 00:27 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-10-26 00:27 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-10-26 00:27 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-10-15 06:01 . 2008-09-08 06:41 333,824 --------- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-15 06:00 . 2008-08-14 06:11 2,189,184 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 06:00 . 2008-08-14 06:09 2,145,280 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 06:00 . 2008-08-14 05:33 2,066,048 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 06:00 . 2008-08-14 05:33 2,023,936 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 06:00 . 2008-09-15 08:12 1,846,400 --------- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-07 19:08 . 2008-10-07 19:08 <DIR> d-------- C:\Program Files\iTunes
2008-10-07 19:08 . 2008-10-07 19:08 <DIR> d-------- C:\Program Files\iPod
2008-10-07 19:08 . 2008-10-07 19:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-03 07:51 . 2008-10-03 07:51 <DIR> d-------- C:\Documents and Settings\Ed\DoctorWeb
2008-10-02 22:59 . 2008-10-02 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-02 22:58 . 2008-10-02 22:59 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-10-02 22:58 . 2008-10-02 22:58 <DIR> d-------- C:\Documents and Settings\Ed\Application Data\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-27 01:43 --------- d-----w C:\Documents and Settings\Ed\Application Data\U3
2008-10-26 01:28 --------- d-----w C:\Program Files\Trend Micro
2008-10-10 00:46 --------- d-----w C:\Program Files\Free Music Zilla
2008-10-03 02:57 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-28 08:28 16,384 ----a-w C:\WINDOWS\DCEBoot.exe
2008-09-27 00:04 --------- d-----w C:\Documents and Settings\Ed\Application Data\FMZilla
2008-09-23 10:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-23 07:36 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-13 20:30 --------- d-----w C:\Program Files\Kivela
2008-09-13 16:19 --------- d-----w C:\Program Files\QuickTime
2008-09-13 16:19 --------- d-----w C:\Program Files\Bonjour
2008-09-13 16:18 --------- d-----w C:\Program Files\Common Files\Apple
2008-09-08 10:41 333,824 ------w C:\WINDOWS\system32\drivers\srv.sys
2007-06-07 23:28 439,296 ------w C:\Documents and Settings\Ed\GoToAssist_phone__317_en.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-06-20 171448]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Nike+ Utility.lnk - C:\Program Files\Nike+ Utility\Nike+ Utility.exe [2008-04-30 1228800]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\dmb9\\baseball.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 55c3be99545a54d6c9f147bd997b101b;55c3be99545a54d6c9f147bd997b101b;C:\WINDOWS\system32\55c3be99545a54d6c9f147bd997b101b.sys [ ]
S3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINDOWS\system32\drivers\hphius09.sys [2006-01-13 18864]
S3 EraserUtilDrvI2;EraserUtilDrvI2;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI2.sys [ ]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 24064]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fbb457c0-178d-11dc-9579-00038a000015}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\m.exe /s
.
Contents of the 'Scheduled Tasks' folder

2008-10-25 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-10-29 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-28 21:14:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
.
**************************************************************************
.
Completion time: 2008-10-28 21:21:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-29 01:21:19
ComboFix2.txt 2008-10-28 09:29:18

Pre-Run: 19,341,107,200 bytes free
Post-Run: 18,908,569,600 bytes free

191 --- E O F --- 2008-10-25 10:13:36

#14 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:42 PM

Posted 28 October 2008 - 09:44 PM

Hello, caminante11.
Your log indicates that user32.dll may be patched with an incorrect version.

Please download a replacement user32.dll from here:
http://billy-oneal.com/BleepingComputer/wi...ries/user32.dll

Save this file to the root of your C drive.

The file MUST be placed at C:\user32.dll or the following fix will FAIL!

We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    driver::
    55c3be99545a54d6c9f147bd997b101b
    EraserUtilDrvI2
    rootkit::
    C:\WINDOWS\system32\55c3be99545a54d6c9f147bd997b101b.sys
    FCopy::
    C:\user32.dll | C:\Windows\System32\user32.dll
    FCopy::
    C:\user32.dll | C:\Windows\System32\dllcache\user32.dll
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use Ctrl+A)
  • Right-click again and choose "Copy" (or Ctrl+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • ComboFix.txt
  • ESET OnlineScan's Log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#15 caminante11

caminante11
  • Topic Starter

  • Members
  • 25 posts
  • Local time:03:42 PM

Posted 29 October 2008 - 06:33 PM

Hi,

Thank you again for your help Billy!! You are the man!!

First, one note:

I closed all virus protection etc. ComboFix ran and then restarted the PC. After I logged back in, ComboFix picked up. But Trend Micro Antivirus also started. It looked like it blocked something ComboFix was trying to do under "unauthorized change prevention".

ComboFix log:

ComboFix 08-10-27.03 - Ed 2008-10-29 4:40:17.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.643 [GMT -4:00]
Running from: C:\Documents and Settings\Ed\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ed\Desktop\CFscript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\55c3be99545a54d6c9f147bd997b101b.sys

.
--------------- FCopy ---------------

C:\user32.dll --> C:\Windows\System32\user32.dll
C:\user32.dll --> C:\Windows\System32\dllcache\user32.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_55C3BE99545A54D6C9F147BD997B101B
-------\Legacy_ERASERUTILDRVI2
-------\Service_55c3be99545a54d6c9f147bd997b101b
-------\Service_EraserUtilDrvI2


((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-29 )))))))))))))))))))))))))))))))
.

2008-10-29 04:35 . 2008-10-29 04:35 578,560 --------- C:\user32.dll
2008-10-26 09:22 . 2007-05-25 08:14 <DIR> d-------- C:\Documents and Settings\Ed 3\Application Data\Symantec
2008-10-26 09:22 . 2007-05-25 08:10 <DIR> d--h----- C:\Documents and Settings\Ed 3\Application Data\Gtek
2008-10-26 09:22 . 2007-11-20 20:30 <DIR> d-------- C:\Documents and Settings\Ed 3\Application Data\Apple Computer
2008-10-26 09:22 . 2008-10-26 09:22 <DIR> d-------- C:\Documents and Settings\Ed 3
2008-10-26 08:11 . 2007-05-25 08:14 <DIR> d-------- C:\Documents and Settings\Ed 2\Application Data\Symantec
2008-10-26 08:11 . 2007-05-25 08:10 <DIR> d--h----- C:\Documents and Settings\Ed 2\Application Data\Gtek
2008-10-26 08:11 . 2007-11-20 20:30 <DIR> d-------- C:\Documents and Settings\Ed 2\Application Data\Apple Computer
2008-10-26 08:11 . 2008-10-26 09:21 <DIR> d-------- C:\Documents and Settings\Ed 2
2008-10-26 05:13 . 2008-10-29 04:35 578,560 --a------ C:\WINDOWS\system32\dllcache\user32.dll
2008-10-26 05:11 . 2008-10-26 05:11 <DIR> d-------- C:\WINDOWS\ERUNT
2008-10-26 05:10 . 2008-10-26 06:31 <DIR> d-------- C:\SDFix
2008-10-26 00:27 . 2008-10-26 00:27 <DIR> d-------- C:\Program Files\Sygate
2008-10-26 00:27 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-10-26 00:27 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-10-26 00:27 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-10-26 00:27 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-10-26 00:27 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-10-26 00:27 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-10-26 00:27 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-10-15 06:01 . 2008-09-08 06:41 333,824 --------- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-15 06:00 . 2008-08-14 06:11 2,189,184 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 06:00 . 2008-08-14 06:09 2,145,280 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 06:00 . 2008-08-14 05:33 2,066,048 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 06:00 . 2008-08-14 05:33 2,023,936 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 06:00 . 2008-09-15 08:12 1,846,400 --------- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-07 19:08 . 2008-10-07 19:08 <DIR> d-------- C:\Program Files\iTunes
2008-10-07 19:08 . 2008-10-07 19:08 <DIR> d-------- C:\Program Files\iPod
2008-10-07 19:08 . 2008-10-07 19:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-03 07:51 . 2008-10-03 07:51 <DIR> d-------- C:\Documents and Settings\Ed\DoctorWeb
2008-10-02 22:59 . 2008-10-02 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-02 22:58 . 2008-10-02 22:59 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-10-02 22:58 . 2008-10-02 22:58 <DIR> d-------- C:\Documents and Settings\Ed\Application Data\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-27 01:43 --------- d-----w C:\Documents and Settings\Ed\Application Data\U3
2008-10-26 01:28 --------- d-----w C:\Program Files\Trend Micro
2008-10-10 00:46 --------- d-----w C:\Program Files\Free Music Zilla
2008-10-03 02:57 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-28 08:28 16,384 ----a-w C:\WINDOWS\DCEBoot.exe
2008-09-27 00:04 --------- d-----w C:\Documents and Settings\Ed\Application Data\FMZilla
2008-09-23 10:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-23 07:36 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-13 20:30 --------- d-----w C:\Program Files\Kivela
2008-09-13 16:19 --------- d-----w C:\Program Files\QuickTime
2008-09-13 16:19 --------- d-----w C:\Program Files\Bonjour
2008-09-13 16:18 --------- d-----w C:\Program Files\Common Files\Apple
2008-09-08 10:41 333,824 ------w C:\WINDOWS\system32\drivers\srv.sys
2007-06-07 23:28 439,296 ------w C:\Documents and Settings\Ed\GoToAssist_phone__317_en.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-06-20 171448]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Nike+ Utility.lnk - C:\Program Files\Nike+ Utility\Nike+ Utility.exe [2008-04-30 1228800]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\dmb9\\baseball.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=

S3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINDOWS\system32\drivers\hphius09.sys [2006-01-13 18864]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 24064]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fbb457c0-178d-11dc-9579-00038a000015}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\m.exe /s
.
Contents of the 'Scheduled Tasks' folder

2008-10-25 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-10-29 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-29 04:45:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-10-29 4:51:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-29 08:51:08
ComboFix2.txt 2008-10-29 01:23:09
ComboFix3.txt 2008-10-28 09:29:18

Pre-Run: 18,187,284,480 bytes free
Post-Run: 18,224,259,072 bytes free

158 --- E O F --- 2008-10-29 08:33:40

ESET log:
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3565 (20081029)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=c087dba47036154fa4d750a18a6740cb
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-10-29 11:39:09
# local_time=2008-10-29 07:39:09 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=493526
# found=17
# scan_time=8430
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SecondThoughtSTCLoader.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp1.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\Documents and Settings\Ana Rocio\Application Data\temp.dll.vir Win32/Dialer.CBS trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\2123B48C97139115C2F0F3A427165B8A.exe.vir probably a variant of Win32/Qhost trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\97B8837D4FBD42F92937E4238F5D6C1.exe.vir probably a variant of Win32/Qhost trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\C5C3292C64DCC749AAA8102DE15958.exe.vir probably a variant of Win32/Qhost trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\C8505DF2B936B7348575C1F0CDC8CC6C.exe.vir probably a variant of Win32/Qhost trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\E237CF560F87189E45C661FDE641E3.exe.vir probably a variant of Win32/Qhost trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\03bdae59b75dc535dad1a6a42453f01a.TMP.vir Win32/Agent.BXE trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\3c557e036e33f7bf4ff82491681cf936.TMP.vir Win32/Agent.BXE trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\5434fa0282663509b7fb2100be841db8.TMP.vir Win32/Agent.BXE trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\7dc962d6f82f05e086c5d56ca6d73997.TMP.vir Win32/Agent.BXE trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\823b7c13b851a154ee2748450499f0d3.TMP.vir Win32/Agent.BXE trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\e7dcfe450450b287e67511dbff35ab1d.TMP.vir Win32/Agent.BXE trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\f6b9d094f644d9302da42b6fe1b9e17f.TMP.vir Win32/Agent.BXE trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\a5237c51b2ae1b37b69a3afb3e3383b0.TMP Win32/Agent.BXE trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\w21Pu2cJ.exe a variant of Win32/TrojanDownloader.Firu trojan (unable to clean - deleted) 00000000000000000000000000000000
