hijacked


  • This topic is locked
15 replies to this topic

#1 noobalicious

noobalicious

  • Members
  • 69 posts

Posted 03 December 2008 - 02:58 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:23 PM, on 12/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\DOCUME~1\Alan\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis.zip\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [d06b5f33] rundll32.exe "C:\WINDOWS\system32\ujgtdxuy.dll",b
O4 - HKLM\..\Run: [guolchcixomt] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\fiqgwxaien.dll"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {48DF87EE-F2DE-11D8-BE7F-302050C10801} (FlyLoader Class) - http://www.flysuite.com/flyword/loaderword_win.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189756675406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189756632625
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O20 - AppInit_DLLs: bqmqdy.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1\RpcSandraSrv.exe

--
End of file - 7494 bytes
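The entries in this log that the helper later acts on share a few structural shapes: an O4 Run value launched through rundll32 with a one-letter export (`ujgtdxuy.dll,b`), an O4 value that runs `regsvr32 /s` on a system32 DLL at every logon, a Run value named with a hex string (`d06b5f33`), a dozen O15 Trusted Zone domains, and a non-empty O20 AppInit_DLLs. The Python below is an added example, not part of the original post and not HijackThis code: it encodes those shapes as triage rules and runs them over a constructed excerpt of the log above. The thresholds (an export name shorter than three characters, a hex value name of six or more digits) are the example's own heuristics, not HijackThis conventions, and a hit means "look closer", not "malicious".

```python
"""Rule-based triage of HijackThis O4/O15/O20 entries.

Added example for this thread, not part of the original post or of
HijackThis. SAMPLE_LOG is a constructed excerpt of the log above.
"""
import re

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [d06b5f33] rundll32.exe "C:\WINDOWS\system32\ujgtdxuy.dll",b
O4 - HKLM\..\Run: [guolchcixomt] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\fiqgwxaien.dll"
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O20 - AppInit_DLLs: bqmqdy.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Line shapes HijackThis uses for the three sections this example covers.
O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<domain>\S+)(?: \((?P<hive>HKLM)\))?$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>\S.*)$")

# Heuristics: this example's own thresholds, not HijackThis rules.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,}$", re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\S+)', re.I)
REGSVR_RE = re.compile(r'regsvr32(?:\.exe)?\s+/s\s+"?(?P<dll>[^"]+\.dll)', re.I)
MIN_EXPORT_LEN = 3


def triage(log_text):
    """Return [{'line': ..., 'reasons': [...]}] for every line that trips a rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        if (m := O4_RE.match(line)):
            name, cmd = m["name"], m["cmd"]
            if HEX_NAME_RE.match(name):
                reasons.append("Run value is named with a hex string rather than a product name")
            if (r := RUNDLL_RE.search(cmd)) and len(r["export"]) < MIN_EXPORT_LEN:
                reasons.append(f"rundll32 loads {r['dll']} through the terse export '{r['export']}'")
            if (s := REGSVR_RE.search(cmd)):
                reasons.append(f"regsvr32 /s silently re-registers {s['dll']} at every logon")
        elif (m := O15_RE.match(line)):
            scope = "machine-wide" if m["hive"] else "current user"
            reasons.append(f"{m['domain']} is in IE's Trusted sites zone ({scope}); "
                           "sites there run with relaxed security settings")
        elif (m := O20_RE.match(line)):
            reasons.append(f"AppInit_DLLs={m['dlls']}: loaded into every process that links user32.dll")
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"])
        for reason in f["reasons"]:
            print("   ->", reason)
```

Run against the excerpt, the NvCplDaemon and NVSvc lines pass and the other five are reported; the `d06b5f33` line trips two rules at once (hex name plus one-letter export), which is the combination worth escalating first.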


#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 10 December 2008 - 10:20 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and choose Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Finally, please reply using the Add Reply button in the lower right-hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files before we run OTScanIt. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
  • If you use any other browsers, select them appropriately from the top and empty all items.
Download and Run OTScanIt
Download OTScanIt by OldTimer to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Check the Scan all users box at the top left.
  • Change the Rootkit Scan setting from "No" to Yes.
  • Click the Extras button under "Additional Scans".
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt folder and named OTScanIt.txt.

Please also tell me of any changes you have made to your computer since your topic was started.

If you do not make a reply in 5 days, we will need to close your topic.

With Regards,
The Panda

Important Note to Other Users Reading this Topic: The instructions provided in this topic below this point are for the original topic starter only. Even if you have similar problems or log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic. Feel free to link to any relevant topics as needed.

#3 noobalicious

noobalicious
  • Topic Starter

  • Members
  • 69 posts

Posted 11 December 2008 - 01:19 AM

I think it's here....

thanks so much man.

Attached Files



#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 11 December 2008 - 04:46 AM

Hello.

That looks nasty.

AVG7 is outdated. Please uninstall it. We will install a new antivirus after.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. ComboFix will check to see if you have the Windows Recovery Console installed. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose NO.

  • Click on your Start Menu, then Run... . In the box that appears enter the following and click OK.
    "%USERPROFILE%\Desktop\ComboFix.exe" /killall
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close all other running programs. There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>.
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • Click OK.
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information into your next reply.
  • Note: If you have any problems, try running GMER in Safe Mode. However, do not use the MsConfig method to edit the Boot.ini.
Important! Please do not select the Show all checkbox during the scan.

Please post back with:
-the ComboFix log
-the GMER log

With Regards,
The Panda

#5 noobalicious

noobalicious
  • Topic Starter

  • Members
  • 69 posts

Posted 15 December 2008 - 05:45 PM

Here's the combofix:

ComboFix 08-12-15.01 - Alan 2008-12-15 14:12:46.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.614 [GMT -8:00]
Running from: c:\documents and settings\Alan\Desktop\Combofix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Alan\LOCALS~1\Temp\tmp1.tmp
c:\documents and settings\Alan\Application Data\.rdr.ini
c:\documents and settings\Alan\Application Data\IUpd721
c:\documents and settings\Alan\Application Data\IUpd721\Logs\scns.log
c:\documents and settings\Alan\Application Data\NI.GSCNS
c:\documents and settings\Alan\Application Data\NI.GSCNS\dl.ini
c:\documents and settings\Alan\Application Data\NI.GSCNS\settings.ini
c:\documents and settings\Alan\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Judy\Application Data\.rdr.ini
c:\temp\DIV55
c:\temp\DIV55\xDb.log
c:\temp\tn3
c:\windows\system32\_fiqgwxaien.dll
c:\windows\system32\bcbkoonf.dll
c:\windows\system32\bgaiboca.dll
c:\windows\system32\bin
c:\windows\system32\bqmqdy.dll
c:\windows\system32\dumphive.exe
c:\windows\system32\eLlRCJlm.ini
c:\windows\system32\fiqgwxaien.dll
c:\windows\system32\fPYbefii.ini
c:\windows\system32\fPYbefii.ini2
c:\windows\system32\fsyhau.dll
c:\windows\system32\gavuzeyi.dll
c:\windows\system32\gdxvlkmv.ini
c:\windows\system32\gside.exe
c:\windows\system32\ihhkj.ini
c:\windows\system32\iifebYPf.dll
c:\windows\system32\ilvilopu.dll
c:\windows\system32\invwgigp.dll
c:\windows\system32\iuodaytc.dll
c:\windows\system32\ivaaxn.dll
c:\windows\system32\jdbduxbl.dll
c:\windows\system32\jdblmlps.dll
c:\windows\system32\jrnhkpme.dll
c:\windows\system32\ki3
c:\windows\system32\kifutsva.dll
c:\windows\system32\laraguji.dll
c:\windows\system32\ldclaacy.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\mnzmwp.dll
c:\windows\system32\mohafilu.dll
c:\windows\system32\nnnnmlMd.dll
c:\windows\system32\pmnMdbAS.dll
c:\windows\system32\qfdekyui.ini
c:\windows\system32\sedgvjss.dll
c:\windows\system32\sexbvhcn.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\suteniro.dll
c:\windows\system32\tmp.reg
c:\windows\system32\twain_32
c:\windows\system32\ufvfwo.dll
c:\windows\system32\uv9
c:\windows\system32\VC
c:\windows\system32\vmklvxdg.dll
c:\windows\system32\winpfz33.sys
c:\windows\system32\wisepale.dll
c:\windows\system32\wvUlmNdC.dll
c:\windows\system32\xtlhvz.dll
c:\windows\system32\xvsvty.dll
c:\windows\system32\yhjetv.dll
c:\windows\system32\yltmjgqv.ini
c:\windows\system32\zumunope.dll
c:\windows\system32\zxdnt3d.cfg
c:\windows\Tasks\msivuebw.job
c:\windows\system32\drivers\core.cache.dsk . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINDBG48


((((((((((((((((((((((((( Files Created from 2008-11-15 to 2008-12-15 )))))))))))))))))))))))))))))))
.

2008-12-15 14:16 . 2008-12-15 14:16 <DIR> d-------- c:\temp\tn3
2008-12-02 20:35 . 2008-12-02 20:35 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-02 18:00 . 2008-12-02 18:00 153,475 --a------ c:\windows\system32\g18.exe
2008-12-02 18:00 . 2008-12-09 16:51 47,586 --a------ c:\windows\system32\zrlzsxycgao.exe
2008-12-02 16:57 . 2008-12-02 16:57 86,272 --a------ c:\windows\system32\drivers\bthusbb.sys
2008-12-02 16:57 . 2008-12-15 14:15 932 --------- c:\windows\system32\drivers\core.cache.dsk
2008-11-28 17:14 . 2008-11-28 17:14 244 --ah----- C:\sqmnoopt19.sqm
2008-11-28 17:14 . 2008-11-28 17:14 232 --ah----- C:\sqmdata19.sqm
2008-11-28 11:29 . 2008-11-28 11:29 <DIR> d-------- c:\documents and settings\Alan\Application Data\Apple Computer
2008-11-28 11:28 . 2008-11-28 11:28 <DIR> d-------- c:\program files\iTunes
2008-11-28 11:28 . 2008-11-28 11:28 <DIR> d-------- c:\program files\iPod
2008-11-28 11:28 . 2008-11-28 11:28 <DIR> d-------- c:\program files\Bonjour
2008-11-28 11:28 . 2008-11-28 11:28 <DIR> d-------- c:\program files\Apple Software Update
2008-11-28 11:28 . 2008-11-28 11:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-28 11:27 . 2008-11-28 11:27 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-28 11:27 . 2008-11-28 11:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-11-27 23:39 . 2008-11-27 23:39 268 --ah----- C:\sqmdata18.sqm
2008-11-27 23:39 . 2008-11-27 23:39 244 --ah----- C:\sqmnoopt18.sqm
2008-11-26 19:29 . 2008-11-26 19:29 268 --ah----- C:\sqmdata17.sqm
2008-11-26 19:29 . 2008-11-26 19:29 244 --ah----- C:\sqmnoopt17.sqm
2008-11-26 18:42 . 2008-11-26 18:42 268 --ah----- C:\sqmdata16.sqm
2008-11-26 18:42 . 2008-11-26 18:42 244 --ah----- C:\sqmnoopt16.sqm
2008-11-26 01:49 . 2008-11-26 01:49 268 --ah----- C:\sqmdata15.sqm
2008-11-26 01:49 . 2008-11-26 01:49 244 --ah----- C:\sqmnoopt15.sqm
2008-11-26 00:46 . 2008-11-26 00:46 268 --ah----- C:\sqmdata14.sqm
2008-11-26 00:46 . 2008-11-26 00:46 244 --ah----- C:\sqmnoopt14.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-15 22:04 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2008-12-15 22:04 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2008-12-03 07:33 --------- d-----w c:\program files\a-squared Free
2008-12-03 04:35 --------- d-----w c:\program files\Lavasoft
2008-12-03 04:19 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-28 19:28 --------- d-----w c:\program files\QuickTime
2008-11-16 01:40 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-06 05:28 --------- d-----w c:\documents and settings\Alan\Application Data\U3
2008-10-28 21:13 --------- d-----w c:\program files\MSN Messenger
2008-10-11 00:19 22,200 ----a-w c:\documents and settings\Alan\Application Data\GDIPFONTCACHEV1.DAT
2008-11-16 20:55 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-11-16 20:55 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-16 20:55 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-11-16 20:55 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-11-16 20:55 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-09-07 00:02 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090620080907\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\bin\\nSvcAppFlt.exe"=
"c:\\WINDOWS\\system32\\services.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\bin\\nSvcIp.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\ComboFix\\fdsv.cfexe"=
"c:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\guard.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19184:TCP"= 19184:TCP:@xpsp2res.dll,-22005
"10519:TCP"= 10519:TCP:@xpsp2res.dll,-22005
"33082:TCP"= 33082:TCP:@xpsp2res.dll,-22005
"34289:TCP"= 34289:TCP:@xpsp2res.dll,-22005

R1 bthusbb;bthusbb;c:\windows\system32\drivers\bthusbb.sys [2008-12-02 86272]
S0 NVStrap;NVStrap;c:\windows\system32\drivers\NVStrap.sys [2007-03-02 4096]
S3 AntiAries;Anti Aries Helper Driver;\??\c:\windows\System32\drivers\RKL66.tmp.sys [2007-05-27 7680]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\65.tmp []
.
Contents of the 'Scheduled Tasks' folder

2008-12-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{02A9C0DC-F1C2-4FD7-964D-A55FBB642D7E} - c:\windows\system32\nnnKdCts.dll
BHO-{079388fa-0753-4e69-96d8-38835c754872} - c:\windows\system32\fsyhau.dll
BHO-{2324b494-629a-64dd-7cb5-472e1262c2fe} - c:\windows\system32\ibpwlrfljxmp.dll
BHO-{70A7B42F-A9EB-22A3-59D7-96EB5688DEEB} - c:\windows\system32\fiqgwxaien.dll
BHO-{776a6de3-cf08-4b82-b1e9-9f7c92269165} - c:\windows\system32\suteniro.dll
BHO-{87A25AF4-B4B1-4F2A-BEA3-4DCAD0FA3468} - c:\windows\system32\iifebYPf.dll
BHO-{A6EE0C37-6152-4435-B986-D96E370B6919} - c:\windows\system32\mlJCRlLe.dll
BHO-{F6CEA2A1-F203-4DD3-B4EE-B85A4A3F4175} - c:\windows\system32\iifcBuUm.dll
ShellIconOverlayIdentifiers-{2D7E38A6-A604-45AE-9A87-4F5F25760650} - (no file)
HKCU-Run-msiexec.exe - ~.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
Trusted Zone: *.amaena.com
Trusted Zone: *.avsystemcare.com
Trusted Zone: *.onerateld.com
Trusted Zone: *.safetydownload.com
Trusted Zone: *.trustedantivirus.com
Trusted Zone: *.virusschlacht.com
Trusted Zone: *.amaena.com
Trusted Zone: *.avsystemcare.com
Trusted Zone: *.onerateld.com
Trusted Zone: *.safetydownload.com
Trusted Zone: *.trustedantivirus.com
Trusted Zone: *.virusschlacht.com

c:\windows\Downloaded Program Files\ewidoOnlineScan.dll - O16 -: {193C772A-87BE-4B19-A7BB-445B226FE9A1}
hxxp://downloads.ewido.net/ewidoOnlineScan.cab

c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
c:\windows\Downloaded Program Files\SysReqLab3.osd

c:\windows\Downloaded Program Files\FlyLoader.dll - O16 -: {48DF87EE-F2DE-11D8-BE7F-302050C10801}
hxxp://www.flysuite.com/flyword/loaderword_win.cab
FF - ProfilePath - c:\documents and settings\Alan\Application Data\Mozilla\Firefox\Profiles\pfiugin7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-15 14:16:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\65.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(488)
c:\windows\system32\nvappfilter.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\windows\system32\nvsvc32.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-15 14:17:49 - machine was rebooted [Alan]
ComboFix-quarantined-files.txt 2008-12-15 22:17:46
ComboFix2.txt 2007-05-31 01:08:11

Pre-Run: 9,051,840,512 bytes free
Post-Run: 9,465,987,072 bytes free

256
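The Reg Loading Points section of this ComboFix log records the Windows Firewall policy for the standard profile: EnableFirewall is 0, the AuthorizedApplications list includes c:\WINDOWS\system32\services.exe, and four TCP ports (19184, 10519, 33082, 34289) are opened to all networks under the generic "@xpsp2res.dll,-22005" description. The Python below is an added example, not ComboFix's code and not part of the original post: it parses that REGEDIT4-style dump and reports those three conditions. The sample block is a constructed excerpt of the log above; the list of core OS processes that never need an inbound exception and the ">1024" port threshold are the example's own assumptions.

```python
"""Triage the firewall-policy keys in a ComboFix 'Reg Loading Points' dump.

Added example for this thread, not part of the original post or of
ComboFix. SAMPLE is a constructed excerpt of the log above.
"""
import re
from collections import defaultdict

SAMPLE = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\services.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19184:TCP"= 19184:TCP:@xpsp2res.dll,-22005
"10519:TCP"= 10519:TCP:@xpsp2res.dll,-22005
"33082:TCP"= 33082:TCP:@xpsp2res.dll,-22005
"34289:TCP"= 34289:TCP:@xpsp2res.dll,-22005
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Value names are .reg-escaped (backslashes doubled); data is whatever follows '='.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"\s*=\s*(?P<data>.*)$')

# Assumption of this example: these OS processes never need their own
# inbound exception, so an entry for one is worth explaining.
CORE_PROCESSES = {"services.exe", "lsass.exe", "winlogon.exe", "csrss.exe", "smss.exe", "svchost.exe"}
EPHEMERAL_PORT_FLOOR = 1024


def parse_reg_dump(text):
    """Return {key: [(name, data), ...]} from a REGEDIT4-style dump."""
    blocks = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (k := KEY_RE.match(line)):
            current = k["key"]
            continue
        if current is not None and (v := VALUE_RE.match(line)):
            name = v["name"].replace("\\\\", "\\")  # undo .reg escaping
            blocks[current].append((name, v["data"].strip()))
    return blocks


def firewall_findings(text):
    """Return [(kind, message)] for the conditions seen in the thread's log."""
    findings = []
    for key, values in parse_reg_dump(text).items():
        k = key.lower()
        if k.endswith("firewallpolicy\\standardprofile"):
            for name, data in values:
                if name == "EnableFirewall" and data.split()[0] == "0":
                    findings.append(("firewall", "Windows Firewall is disabled for the standard profile"))
        elif k.endswith("authorizedapplications\\list"):
            for name, _ in values:
                exe = name.rsplit("\\", 1)[-1].lower()
                if exe in CORE_PROCESSES:
                    findings.append(("exception", f"core OS process {name} has an inbound firewall exception"))
        elif k.endswith("globallyopenports\\list"):
            for name, _ in values:
                port, proto = name.split(":")
                if int(port) > EPHEMERAL_PORT_FLOOR:
                    findings.append(("port", f"{proto} port {port} is opened to every network"))
    return findings


if __name__ == "__main__":
    for kind, msg in firewall_findings(SAMPLE):
        print(f"[{kind}] {msg}")
```

On the excerpt this yields one firewall finding, one exception finding (services.exe; sessmgr.exe is a stock Remote Assistance entry and is not in the core list) and four port findings. Whether the ports belong to something the owner installed is a question for the owner; the point of the parser is to surface them next to the disabled-firewall flag rather than leave them buried in the dump.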

#6 noobalicious

noobalicious
  • Topic Starter

  • Members
  • 69 posts

Posted 15 December 2008 - 09:07 PM

And here's the GMER.

I'm flying out to a funeral tomorrow, so I'll be out for another few days. I apologize for the delays.




GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-15 15:04:03
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT F38EF9A8 ZwClose
SSDT F38EF7E4 ZwCreateKey
SSDT F38EF900 ZwDeleteKey
SSDT F38EF928 ZwDeleteValueKey
SSDT F38EF9A2 ZwLoadKey
SSDT F38EF687 ZwOpenKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess [0xF7B988AC]
SSDT F38EF886 ZwQueryValueKey
SSDT F38EF952 ZwReplaceKey
SSDT F38EF97A ZwRestoreKey
SSDT F38EF834 ZwSetValueKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess [0xF7B98812]

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\System32\drivers\bthusbb.sys The process cannot access the file because it is being used by another process.

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip NVTcp.sys (NVIDIA Networking Protocol Driver./NVIDIA Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp NVTcp.sys (NVIDIA Networking Protocol Driver./NVIDIA Corporation)

Device \Driver\bthusbb \Device\bthusbb F38ED58A

---- EOF - GMER 1.0.14 ----
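This GMER output lists two kinds of SSDT hooks: two that GMER attributes to a module (guard.sys from AVG Anti-Spyware, with the hook address in brackets) and ten that it can only print as bare addresses, all in the F38Exxxx range, covering the registry syscalls (ZwCreateKey, ZwDeleteKey, ZwSetValueKey, ZwQueryValueKey and so on). The same log shows a Device entry for \Driver\bthusbb at F38ED58A, and bthusbb.sys is the driver GMER could not read and that ComboFix listed as created on 2008-12-02. The Python below is an added example, not GMER's code and not part of the original post: it separates attributed from unattributed hooks and, as a heuristic of the example's own, reports which Device entries lie within 64 KiB of each unattributed hook address. It assumes the trailing address on a GMER Device line points into the driver that handles that device; the sample is a constructed excerpt of the log above.

```python
"""Separate attributed from unattributed SSDT hooks in a GMER log and
relate the unattributed ones to nearby Device entries.

Added example for this thread, not part of the original post or of
GMER. SAMPLE_GMER is a constructed excerpt of the log above.
"""
import re

SAMPLE_GMER = r"""
SSDT F38EF9A8 ZwClose
SSDT F38EF7E4 ZwCreateKey
SSDT F38EF900 ZwDeleteKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess [0xF7B988AC]
SSDT F38EF834 ZwSetValueKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess [0xF7B98812]
AttachedDevice \Driver\Tcpip \Device\Tcp NVTcp.sys (NVIDIA Networking Protocol Driver./NVIDIA Corporation)
Device \Driver\bthusbb \Device\bthusbb F38ED58A
"""

# Hook with no module GMER could name: "SSDT <addr> <syscall>".
SSDT_BARE_RE = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>Zw\w+)$")
# Hook GMER attributed to a driver: "SSDT <module path> <syscall> [0x<addr>]".
SSDT_MOD_RE = re.compile(r"^SSDT\s+(?P<module>\S.*?\.sys)\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]$")
# Device object with the address of its handler: "Device \Driver\X \Device\Y <addr>".
DEVICE_RE = re.compile(r"^Device\s+(?P<driver>\\Driver\\\S+)\s+\\Device\\\S+\s+(?P<addr>[0-9A-Fa-f]{8})$")


def parse_gmer(text):
    """Return (hooks, devices); a hook's 'module' is None when GMER printed only an address."""
    hooks, devices = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SSDT_MOD_RE.match(line)):
            hooks.append({"func": m["func"], "addr": int(m["addr"], 16), "module": m["module"]})
        elif (m := SSDT_BARE_RE.match(line)):
            hooks.append({"func": m["func"], "addr": int(m["addr"], 16), "module": None})
        elif (m := DEVICE_RE.match(line)):
            devices.append({"driver": m["driver"], "addr": int(m["addr"], 16)})
    return hooks, devices


def unattributed_hooks(text, window=0x10000):
    """[(syscall, hook address, [drivers whose Device address is within `window` bytes])].

    The proximity test is this example's heuristic: a Device address and a
    hook address a few KiB apart are most likely inside the same driver image.
    """
    hooks, devices = parse_gmer(text)
    report = []
    for h in hooks:
        if h["module"]:
            continue
        near = sorted(d["driver"] for d in devices if abs(d["addr"] - h["addr"]) < window)
        report.append((h["func"], f"{h['addr']:08X}", near))
    return report


def hooks_by_module(text):
    """Group hooked syscalls by the module GMER named, or '(unattributed)'."""
    hooks, _ = parse_gmer(text)
    grouped = {}
    for h in hooks:
        grouped.setdefault(h["module"] or "(unattributed)", []).append(h["func"])
    return grouped


if __name__ == "__main__":
    for module, funcs in hooks_by_module(SAMPLE_GMER).items():
        print(f"{module}: {', '.join(funcs)}")
    for func, addr, near in unattributed_hooks(SAMPLE_GMER):
        print(f"{func} hooked at {addr}; nearby device drivers: {near or 'none'}")
```

On the excerpt every unattributed hook sits within 0x2500 bytes of the \Driver\bthusbb handler address, and all of them are registry syscalls, while the guard.sys hooks (process open and terminate) are what a self-protecting security product installs. That split is what makes the bare-address set, not the AVG set, the one to pursue.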

#7 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 15 December 2008 - 10:10 PM

Hello.

Run ComboFix with CFScript
We will run ComboFix again. The instructions are slightly different from the initial run.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    http://www.bleepingcomputer.com/forums/t/183694/hijacked/
    
    EXTRA::
    
    Suspect::[59]
    c:\windows\System32\drivers\RKL66.tmp.sys
    
    Registry::
    Trusted Zone: *.amaena.com
    Trusted Zone: *.avsystemcare.com
    Trusted Zone: *.onerateld.com
    Trusted Zone: *.safetydownload.com
    Trusted Zone: *.trustedantivirus.com
    Trusted Zone: *.virusschlacht.com
    Trusted Zone: *.amaena.com
    Trusted Zone: *.avsystemcare.com
    Trusted Zone: *.onerateld.com
    Trusted Zone: *.safetydownload.com
    Trusted Zone: *.trustedantivirus.com
    Trusted Zone: *.virusschlacht.com
    
    File::
    c:\windows\system32\g18.exe
    c:\windows\system32\zrlzsxycgao.exe
    
    Rootkit::
    c:\windows\system32\drivers\core.cache.dsk
    
    Driver::
    MEMSWEEP2
    core
    core.sys
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
  • Close all windows at this point.
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Include it in your next reply.
Upload Samples Collected by ComboFix
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.
With Regards,
The Panda

#8 noobalicious

  • Topic Starter
  • Members
  • 69 posts

Posted 16 December 2008 - 10:18 AM

Here's what it spit out. Thanks again, and I'll be gone for a few days.


ComboFix 08-12-15.01 - Alan 2008-12-16 7:07:37.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.674 [GMT -8:00]
Running from: c:\documents and settings\Alan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Alan\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\g18.exe
c:\windows\system32\zrlzsxycgao.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\tn3
c:\windows\system32\drivers\core.cache.dsk
c:\windows\system32\g18.exe
c:\windows\system32\zrlzsxycgao.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MEMSWEEP2
-------\Service_MEMSWEEP2


((((((((((((((((((((((((( Files Created from 2008-11-16 to 2008-12-16 )))))))))))))))))))))))))))))))
.

2008-12-16 07:14 . 2008-12-16 07:14 <DIR> d-------- c:\temp\tn3
2008-12-02 20:35 . 2008-12-02 20:35 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-02 16:57 . 2008-12-16 07:09 111,716 --------- c:\windows\system32\drivers\core.cache.dsk
2008-12-02 16:57 . 2008-12-02 16:57 86,272 --a------ c:\windows\system32\drivers\bthusbb.sys
2008-11-28 17:14 . 2008-11-28 17:14 244 --ah----- C:\sqmnoopt19.sqm
2008-11-28 17:14 . 2008-11-28 17:14 232 --ah----- C:\sqmdata19.sqm
2008-11-28 11:29 . 2008-11-28 11:29 <DIR> d-------- c:\documents and settings\Alan\Application Data\Apple Computer
2008-11-28 11:28 . 2008-11-28 11:28 <DIR> d-------- c:\program files\iTunes
2008-11-28 11:28 . 2008-11-28 11:28 <DIR> d-------- c:\program files\iPod
2008-11-28 11:28 . 2008-11-28 11:28 <DIR> d-------- c:\program files\Bonjour
2008-11-28 11:28 . 2008-11-28 11:28 <DIR> d-------- c:\program files\Apple Software Update
2008-11-28 11:28 . 2008-11-28 11:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-28 11:27 . 2008-11-28 11:27 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-28 11:27 . 2008-11-28 11:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-11-27 23:39 . 2008-11-27 23:39 268 --ah----- C:\sqmdata18.sqm
2008-11-27 23:39 . 2008-11-27 23:39 244 --ah----- C:\sqmnoopt18.sqm
2008-11-26 19:29 . 2008-11-26 19:29 268 --ah----- C:\sqmdata17.sqm
2008-11-26 19:29 . 2008-11-26 19:29 244 --ah----- C:\sqmnoopt17.sqm
2008-11-26 18:42 . 2008-11-26 18:42 268 --ah----- C:\sqmdata16.sqm
2008-11-26 18:42 . 2008-11-26 18:42 244 --ah----- C:\sqmnoopt16.sqm
2008-11-26 01:49 . 2008-11-26 01:49 268 --ah----- C:\sqmdata15.sqm
2008-11-26 01:49 . 2008-11-26 01:49 244 --ah----- C:\sqmnoopt15.sqm
2008-11-26 00:46 . 2008-11-26 00:46 268 --ah----- C:\sqmdata14.sqm
2008-11-26 00:46 . 2008-11-26 00:46 244 --ah----- C:\sqmnoopt14.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-15 22:04 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2008-12-15 22:04 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2008-12-03 07:33 --------- d-----w c:\program files\a-squared Free
2008-12-03 04:35 --------- d-----w c:\program files\Lavasoft
2008-12-03 04:19 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-28 19:28 --------- d-----w c:\program files\QuickTime
2008-11-16 01:40 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-06 05:28 --------- d-----w c:\documents and settings\Alan\Application Data\U3
2008-10-28 21:13 --------- d-----w c:\program files\MSN Messenger
2008-10-11 00:19 22,200 ----a-w c:\documents and settings\Alan\Application Data\GDIPFONTCACHEV1.DAT
2008-11-16 20:55 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-11-16 20:55 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-16 20:55 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-11-16 20:55 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-11-16 20:55 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-09-07 00:02 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090620080907\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-15_14.17.23.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-05-23 14:49:47 573,503 ----a-w c:\windows\gmer.dll
+ 2008-12-15 22:30:45 884,736 ----a-w c:\windows\gmer.dll
- 2007-05-23 14:49:47 69,905 ----a-w c:\windows\system32\drivers\gmer.sys
+ 2008-12-15 22:30:45 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\bin\\nSvcAppFlt.exe"=
"c:\\WINDOWS\\system32\\services.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\bin\\nSvcIp.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\ComboFix\\fdsv.cfexe"=
"c:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\guard.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19184:TCP"= 19184:TCP:@xpsp2res.dll,-22005
"10519:TCP"= 10519:TCP:@xpsp2res.dll,-22005
"33082:TCP"= 33082:TCP:@xpsp2res.dll,-22005
"34289:TCP"= 34289:TCP:@xpsp2res.dll,-22005

R1 bthusbb;bthusbb;c:\windows\system32\drivers\bthusbb.sys [2008-12-02 86272]
S0 NVStrap;NVStrap;c:\windows\system32\drivers\NVStrap.sys [2007-03-02 4096]
S3 AntiAries;Anti Aries Helper Driver;\??\c:\windows\System32\drivers\RKL66.tmp.sys [2007-05-27 7680]
.
Contents of the 'Scheduled Tasks' folder

2008-12-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
Trusted Zone: *.amaena.com
Trusted Zone: *.avsystemcare.com
Trusted Zone: *.onerateld.com
Trusted Zone: *.safetydownload.com
Trusted Zone: *.trustedantivirus.com
Trusted Zone: *.virusschlacht.com
Trusted Zone: *.amaena.com
Trusted Zone: *.avsystemcare.com
Trusted Zone: *.onerateld.com
Trusted Zone: *.safetydownload.com
Trusted Zone: *.trustedantivirus.com
Trusted Zone: *.virusschlacht.com

c:\windows\Downloaded Program Files\ewidoOnlineScan.dll - O16 -: {193C772A-87BE-4B19-A7BB-445B226FE9A1}
hxxp://downloads.ewido.net/ewidoOnlineScan.cab

c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
c:\windows\Downloaded Program Files\SysReqLab3.osd

c:\windows\Downloaded Program Files\FlyLoader.dll - O16 -: {48DF87EE-F2DE-11D8-BE7F-302050C10801}
hxxp://www.flysuite.com/flyword/loaderword_win.cab
FF - ProfilePath - c:\documents and settings\Alan\Application Data\Mozilla\Firefox\Profiles\pfiugin7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-16 07:15:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(488)
c:\windows\system32\nvappfilter.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\windows\system32\nvsvc32.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-16 7:16:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-16 15:16:07
ComboFix2.txt 2008-12-15 22:17:49
ComboFix3.txt 2007-05-31 01:08:11

Pre-Run: 9,461,788,672 bytes free
Post-Run: 9,441,968,128 bytes free

188

#9 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 17 December 2008 - 02:41 AM

Hello.

Please disable your protection and run this CFScript:
Rootkit::
C:\WINDOWS\system32\drivers\bthusbb.sys
c:\windows\system32\drivers\core.cache.dsk

Driver::
bthusbb
Also include a new HijackThis log.

With Regards,
The Panda

#10 noobalicious

  • Topic Starter
  • Members
  • 69 posts

Posted 20 December 2008 - 03:04 PM

Combofix log


ComboFix 08-12-15.01 - Alan 2008-12-20 12:08:49.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.640 [GMT -8:00]
Running from: c:\documents and settings\Alan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Alan\Desktop\CFScript2.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\tn3
c:\windows\system32\drivers\bthusbb.sys
c:\windows\system32\drivers\core.cache.dsk

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BTHUSBB
-------\Service_bthusbb


((((((((((((((((((((((((( Files Created from 2008-11-20 to 2008-12-20 )))))))))))))))))))))))))))))))
.

2008-12-02 20:35 . 2008-12-02 20:35 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-28 17:14 . 2008-11-28 17:14 244 --ah----- C:\sqmnoopt19.sqm
2008-11-28 17:14 . 2008-11-28 17:14 232 --ah----- C:\sqmdata19.sqm
2008-11-28 11:29 . 2008-11-28 11:29 <DIR> d-------- c:\documents and settings\Alan\Application Data\Apple Computer
2008-11-28 11:28 . 2008-11-28 11:28 <DIR> d-------- c:\program files\iTunes
2008-11-28 11:28 . 2008-11-28 11:28 <DIR> d-------- c:\program files\iPod
2008-11-28 11:28 . 2008-11-28 11:28 <DIR> d-------- c:\program files\Bonjour
2008-11-28 11:28 . 2008-11-28 11:28 <DIR> d-------- c:\program files\Apple Software Update
2008-11-28 11:28 . 2008-11-28 11:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-28 11:27 . 2008-11-28 11:27 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-28 11:27 . 2008-11-28 11:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-11-27 23:39 . 2008-11-27 23:39 268 --ah----- C:\sqmdata18.sqm
2008-11-27 23:39 . 2008-11-27 23:39 244 --ah----- C:\sqmnoopt18.sqm
2008-11-26 19:29 . 2008-11-26 19:29 268 --ah----- C:\sqmdata17.sqm
2008-11-26 19:29 . 2008-11-26 19:29 244 --ah----- C:\sqmnoopt17.sqm
2008-11-26 18:42 . 2008-11-26 18:42 268 --ah----- C:\sqmdata16.sqm
2008-11-26 18:42 . 2008-11-26 18:42 244 --ah----- C:\sqmnoopt16.sqm
2008-11-26 01:49 . 2008-11-26 01:49 268 --ah----- C:\sqmdata15.sqm
2008-11-26 01:49 . 2008-11-26 01:49 244 --ah----- C:\sqmnoopt15.sqm
2008-11-26 00:46 . 2008-11-26 00:46 268 --ah----- C:\sqmdata14.sqm
2008-11-26 00:46 . 2008-11-26 00:46 244 --ah----- C:\sqmnoopt14.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-15 22:04 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2008-12-15 22:04 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2008-12-03 07:33 --------- d-----w c:\program files\a-squared Free
2008-12-03 04:35 --------- d-----w c:\program files\Lavasoft
2008-12-03 04:19 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-28 19:28 --------- d-----w c:\program files\QuickTime
2008-11-16 01:40 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-06 05:28 --------- d-----w c:\documents and settings\Alan\Application Data\U3
2008-10-28 21:13 --------- d-----w c:\program files\MSN Messenger
2008-10-11 00:19 22,200 ----a-w c:\documents and settings\Alan\Application Data\GDIPFONTCACHEV1.DAT
2008-11-16 20:55 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-11-16 20:55 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-16 20:55 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-11-16 20:55 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-11-16 20:55 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-09-07 00:02 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090620080907\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-15_14.17.23.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-05-23 14:49:47 573,503 ----a-w c:\windows\gmer.dll
+ 2008-12-15 22:30:45 884,736 ----a-w c:\windows\gmer.dll
- 2007-05-23 14:49:47 69,905 ----a-w c:\windows\system32\drivers\gmer.sys
+ 2008-12-15 22:30:45 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\bin\\nSvcAppFlt.exe"=
"c:\\WINDOWS\\system32\\services.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\bin\\nSvcIp.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\ComboFix\\fdsv.cfexe"=
"c:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\guard.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19184:TCP"= 19184:TCP:@xpsp2res.dll,-22005
"10519:TCP"= 10519:TCP:@xpsp2res.dll,-22005
"33082:TCP"= 33082:TCP:@xpsp2res.dll,-22005
"34289:TCP"= 34289:TCP:@xpsp2res.dll,-22005

S0 NVStrap;NVStrap;c:\windows\system32\drivers\NVStrap.sys [2007-03-02 4096]
S3 AntiAries;Anti Aries Helper Driver;\??\c:\windows\System32\drivers\RKL66.tmp.sys [2007-05-27 7680]
.
Contents of the 'Scheduled Tasks' folder

2008-12-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
Trusted Zone: *.amaena.com
Trusted Zone: *.avsystemcare.com
Trusted Zone: *.onerateld.com
Trusted Zone: *.safetydownload.com
Trusted Zone: *.trustedantivirus.com
Trusted Zone: *.virusschlacht.com
Trusted Zone: *.amaena.com
Trusted Zone: *.avsystemcare.com
Trusted Zone: *.onerateld.com
Trusted Zone: *.safetydownload.com
Trusted Zone: *.trustedantivirus.com
Trusted Zone: *.virusschlacht.com

c:\windows\Downloaded Program Files\ewidoOnlineScan.dll - O16 -: {193C772A-87BE-4B19-A7BB-445B226FE9A1}
hxxp://downloads.ewido.net/ewidoOnlineScan.cab

c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
c:\windows\Downloaded Program Files\SysReqLab3.osd

c:\windows\Downloaded Program Files\FlyLoader.dll - O16 -: {48DF87EE-F2DE-11D8-BE7F-302050C10801}
hxxp://www.flysuite.com/flyword/loaderword_win.cab
FF - ProfilePath - c:\documents and settings\Alan\Application Data\Mozilla\Firefox\Profiles\pfiugin7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-20 12:11:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(488)
c:\windows\system32\nvappfilter.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\windows\system32\nvsvc32.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-20 12:12:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-20 20:12:30
ComboFix2.txt 2008-12-16 15:16:10
ComboFix3.txt 2008-12-15 22:17:49
ComboFix4.txt 2007-05-31 01:08:11

Pre-Run: 9,233,551,360 bytes free
Post-Run: 9,333,374,976 bytes free

181

#11 noobalicious

  • Topic Starter
  • Members
  • 69 posts

Posted 20 December 2008 - 03:09 PM

And the HJT.

Thanks again.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:19:06 PM, on 12/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {48DF87EE-F2DE-11D8-BE7F-302050C10801} (FlyLoader Class) - http://www.flysuite.com/flyword/loaderword_win.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189756675406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189756632625
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1\RpcSandraSrv.exe

--
End of file - 7160 bytes

#12 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 21 December 2008 - 04:20 AM

Hello.

Looks like we took care of that infection :thumbsup:.

Download and run MalwareBytes Anti-Malware
Let's run MalwareBytes to cleanup anything we missed.

Please download Malwarebytes Anti-Malware setup and save it to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing MalwareBytes, running the scan, and saving the log file (not on using FileAssassin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able to update using the normal method, download the update file from here, using another machine if needed. Simply double-click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.

Fix HijackThis Entries
  • Double click the HijackThis icon on your desktop.
  • Close all other open windows.
  • Select Do a System Scan Only.
  • Wait a few moments for the list to be compiled.
  • To the left of each entry you will see a check box. Check the box next to the following entries:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O15 - Trusted Zone: *.amaena.com
    O15 - Trusted Zone: *.avsystemcare.com
    O15 - Trusted Zone: *.onerateld.com
    O15 - Trusted Zone: *.safetydownload.com
    O15 - Trusted Zone: *.trustedantivirus.com
    O15 - Trusted Zone: *.virusschlacht.com
    O15 - Trusted Zone: *.amaena.com (HKLM)
    O15 - Trusted Zone: *.avsystemcare.com (HKLM)
    O15 - Trusted Zone: *.onerateld.com (HKLM)
    O15 - Trusted Zone: *.safetydownload.com (HKLM)
    O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
    O15 - Trusted Zone: *.virusschlacht.com (HKLM)

    If you no longer see some of the entries, skip them.
  • Close all open windows except HijackThis.
  • Click Posted Image and OK at the prompt.
  • The screen will clear itself.
  • Close out of HijackThis.
AVG Antispyware is outdated, and has been incorporated into AVG8. Please uninstall the program.

Install Antivirus
An anti-virus is essential in keeping your computer safe while surfing the Internet. Please install a free anti-virus program from one of the trusted vendors below:
After installing, update the database, run a full system scan and remove any items found.

Please post back with:
-the MalwareBytes log
-a new HijackThis log from after installing an antivirus

With Regards,
The Panda
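
An added example, not part of the post above: a small Python triage script that parses HijackThis v2 entry lines and flags the two classes of entries being fixed here, IE Trusted Zone additions (O15) and a URLSearchHook whose DLL no longer exists (R3 with "(no file)"). The sample log is constructed from the entries quoted in the post, and the allowlist is a hypothetical one.

```python
import re

# Constructed sample: HijackThis v2.0.2 lines modelled on the entries the helper
# told the poster to fix, plus two benign lines (O2, O23) for contrast.
SAMPLE_LOG = """\
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\avguard.exe
"""

# Every HijackThis entry line starts with a section code (R0-R3, F0-F3, O1-O24).
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# O15 body: "Trusted Zone: <pattern>" with an optional " (HKLM)" suffix for the
# machine-wide hive; entries without the suffix live under HKCU.
TRUSTED_ZONE_RE = re.compile(r"^Trusted Zone: (\S+)(?: \((HKLM)\))?$")

# Hypothetical allowlist: sites an admin has deliberately placed in the
# Trusted sites zone. Anything else is suspect, because that zone relaxes IE
# security settings for the listed hosts.
ALLOWED_TRUSTED_ZONES = {"*.corp.example"}


def parse_entries(log_text):
    """Yield (section, body) for each entry line; headers and process lists are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text, allowed=ALLOWED_TRUSTED_ZONES):
    """Return a list of (section, body, reason) for entries worth removing."""
    findings = []
    for section, body in parse_entries(log_text):
        if section == "O15":
            m = TRUSTED_ZONE_RE.match(body)
            pattern = m.group(1) if m else body
            if pattern not in allowed:
                hive = "HKLM" if (m and m.group(2)) else "HKCU"
                findings.append((section, body,
                                 f"unexpected IE Trusted Zone entry ({hive}) for {pattern}"))
        elif section == "R3" and body.endswith("(no file)"):
            # A search hook registered for a DLL that is gone: leftover from
            # removed software or malware, and safe to fix.
            findings.append((section, body, "URLSearchHook points at a missing file"))
    return findings


if __name__ == "__main__":
    for section, body, reason in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```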

#13 noobalicious

noobalicious
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Local time:05:44 AM

Posted 22 December 2008 - 03:13 PM

Malwarebytes' Anti-Malware 1.31
Database version: 1528
Windows 5.1.2600 Service Pack 3

12/21/2008 4:38:46 PM
mbam-log-2008-12-21 (16-38-46).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 110846
Time elapsed: 16 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 44

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000005-0000-0000-0000-100009000004} (Heuristics.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\extra antivir (Rogue.Extraantivir) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\agadoo (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\legacy_windev-abf-33d0 (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\bcbkoonf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\bgaiboca.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\bqmqdy.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\fsyhau.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\iifebYPf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ilvilopu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\invwgigp.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\iuodaytc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ivaaxn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\jdbduxbl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\jdblmlps.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\kifutsva.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\mnzmwp.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\nnnnmlMd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\pmnMdbAS.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\sedgvjss.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\sexbvhcn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ufvfwo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\vmklvxdg.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wvUlmNdC.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\xtlhvz.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\xvsvty.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\yhjetv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\jrnhkpme.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rehotiza.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\virinida.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rihuhavu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\31.tmp (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Cookies\MM2048.DAT (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\LocalService\Cookies\MM2048.DAT (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\MM256.DAT (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\LocalService\Cookies\MM256.DAT (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\bumo.reg (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\LocalService\Cookies\bumo.reg (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\jababug.inf (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\LocalService\Cookies\jababug.inf (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\uwux.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\LocalService\Cookies\uwux.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\jiceji._sy (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\LocalService\Cookies\jiceji._sy (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\esycire._dl (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\LocalService\Cookies\esycire._dl (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\syssp.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\LocalService\Cookies\syssp.exe (Fake.Dropped.Malware) -> Delete on reboot.

and HJT after AntiVir scan. I normally use AVG, but it wouldn't download right:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:26 PM, on 12/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {48DF87EE-F2DE-11D8-BE7F-302050C10801} (FlyLoader Class) - http://www.flysuite.com/flyword/loaderword_win.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189756675406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189756632625
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1\RpcSandraSrv.exe

--
End of file - 7193 bytes

Quick question. Should I be quarantining malware, or deleting it? What exactly happens when you quarantine?

#14 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:44 AM

Posted 22 December 2008 - 08:12 PM

Hello.

Should I be quarantining malware, or deleting it? What exactly happens when you quarantine?

You will notice that MalwareBytes says: "Quarantined and deleted successfully". Quarantine is essentially a backup of what is deleted. While the malware items are in the quarantine, they cannot harm your computer.

Your log looks good. If it's the same on your side, then we can update your Java and wrap up.

Update Java to Version 6 Update 10
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please then install the latest Java, Java SE Runtime Environment (JRE) 6 Update 10 from this page. Follow the prompts and select the appropriate settings for your machine (most likely "Windows"). Click on the "Required File" jre-6u10-windows-i586-p.exe to download the installer. Double click the installer to run. Delete the installer after use.

Uninstall ComboFix
Remove Combofix now that we're done with it.

If this tool has helped you, please consider making a donation to its author.
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Reset clock settings to standard format.
  • Hide file extensions and hidden/system files.
  • Clear System Restore cache and create a new restore point.
Run Cleanup with OTScanIt
This will remove all the tools we used.
  • Double click the OTScanIt.exe icon in the OTScanIt folder on your desktop. If you are using Windows Vista, right click OTScanIt.exe and select Run as Administrator.
  • Click the CleanUp button.
  • Restart if prompted.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections. For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda

#15 noobalicious

noobalicious
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Local time:05:44 AM

Posted 23 December 2008 - 12:25 PM

I think it looks OK. Thanks so much.
