Trojan.BHO, Trojan.Vundo, Trojan.FakeAlert, ...


This topic is locked. 8 replies to this topic.

#1 vitagum (Members, 5 posts)

Posted 02 January 2009 - 12:36 AM

I am trying to clean up a neighbor's computer and have had no luck. I'm going to provide as much information as I can remember on what I've done (even if it's too much info).

When I first loaded Windows in normal mode, the desktop had no icons, no taskbar; just the background. The only thing I could bring up was the task manager. I booted into safe mode and started loading programs to try and get rid of the malware. I tried:
AVG 8.0, Malwarebytes' Anti-Malware, SuperAntiSpyware, SDFix. All of these seemed to get rid of some of the trojans, but the computer was never clean.

I was eventually able to load Windows in normal mode and get the taskbar. In this state, the computer was very slow to respond. I was able to run MBAM in normal mode and it detected new threats, but when I tried to remove them, the computer sat idle (the status bar in MBAM to quarantine the threats never moved). Also, when in normal mode, when I clicked on 'My Computer' from the start menu, I would get the "windows cannot find '(null)'" error message. I tried to update the Java Runtime Environment. I was able to delete the old JRE, but I was never able to reload the update (the name of the exe is: jre-6u11-windows-i586-p.exe). I was given an error saying the admin had set policies to prevent the installation.

After looking through the BleepingComputer forums, I saw that trojans can be in the system restore, so I flushed system restore. I downloaded ComboFix and started to run it, but I saw a warning message about AVG still running and I killed the run. That's when I decided that I cannot do this on my own and need some help.

Following logs: DDS, HJT, latest MBAM


***************************************************
***************************************************

DDS (Version 1.1.0) - NTFSx86 NETWORK
Run by Administrator at 21:36:30.14 on Thu 01/01/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.335 [GMT -6:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://www1.ap.dell.com/content/default.aspx?c=my&l=en&s=gen
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: {a057a204-bacc-4d26-9990-79a187e2698e} - AVG Security Toolbar
{c81c2a1d-be26-4372-8f01-691ca552e92e}
TB: ECO Bar: {10000000-1000-1000-1000-100000000000} -
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} -
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9f.exe
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: musicmatch.com\online
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - c:\program files\common files\g7ps\shared files\g7psdll\G7PS.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: hgGaxUOf - hgGaxUOf.dll
Notify: igfxcui - igfxdev.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-12-29 12552]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-29 107272]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2008-12-11 202160]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-29 324872]
S1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-29 27656]
S1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-3-31 207656]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2008-12-22 8944]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2008-12-22 55024]
S1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2008-12-27 13360]
S2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2008-12-27 69168]
S3 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-29 298264]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-3-31 35240]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-4-1 34152]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-3-31 40488]
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys [2008-10-23 92464]
S4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-3-31 358736]
S4 McShield;McAfee Real-time Scanner; []
S4 McSysmon;McAfee SystemGuards; []
S4 SBAMSvc;AntiMalware;"c:\program files\sunbelt software\vipre\SBAMSvc.exe" [2008-10-28 886056]

=============== Created Last 30 ================

2009-01-01 21:33 1,092 a------- c:\windows\system32\tmp.reg
2009-01-01 00:04 <DIR> --d----- c:\program files\Trend Micro
2008-12-31 22:38 345 a------- c:\windows\gmer.ini
2008-12-31 15:08 <DIR> --d----- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2008-12-31 14:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-31 14:52 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-31 01:34 <DIR> --d----- c:\windows\ERUNT
2008-12-31 01:32 <DIR> --d----- C:\SDFix
2008-12-31 01:13 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-31 00:16 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2008-12-31 00:16 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-31 00:16 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-31 00:16 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-31 00:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-30 22:24 <DIR> --d----- C:\ComboFix
2008-12-30 22:24 388,608 a------- c:\windows\system32\CF10430.exe
2008-12-30 22:10 388,608 a------- c:\windows\system32\CF7615.exe
2008-12-30 21:42 161,792 a------- c:\windows\SWREG.exe
2008-12-30 21:42 98,816 a------- c:\windows\sed.exe
2008-12-30 21:42 388,608 a------- c:\windows\system32\CF2237.exe
2008-12-29 23:01 <DIR> --d----- c:\windows\pss
2008-12-29 22:52 <DIR> --d----- c:\program files\Eusing Free Registry Cleaner
2008-12-29 22:20 <DIR> --d-h--- C:\$AVG8.VAULT$
2008-12-29 22:18 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-12-29 22:18 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2008-12-29 22:18 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2008-12-29 22:18 324,872 a------- c:\windows\system32\drivers\avgldx86.sys
2008-12-29 22:17 <DIR> --d----- c:\windows\system32\drivers\Avg
2008-12-29 22:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-12-29 21:35 <DIR> --d----- c:\program files\AVG
2008-12-27 17:47 69,168 a------- c:\windows\system32\drivers\sbapifs.sys
2008-12-27 17:35 664 a------- c:\windows\system32\d3d9caps.dat
2008-12-27 17:31 <DIR> --d----- c:\docume~1\admini~1\applic~1\Sunbelt Software
2008-12-27 17:27 13,360 a------- c:\windows\system32\drivers\sbaphd.sys
2008-12-27 09:55 <DIR> --d----- c:\docume~1\admini~1\applic~1\Sunbelt
2008-12-11 22:22 130,560 a------- c:\windows\uponedevac.dll
2008-12-11 22:09 9,728 ----h--- c:\windows\20081203051514-downloader_silent.exe
2008-12-11 21:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sunbelt
2008-12-11 21:12 202,160 a------- c:\windows\system32\drivers\sbtis.sys
2008-12-11 21:12 <DIR> --d----- c:\program files\Sunbelt Software
2008-12-11 20:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sunbelt Software

==================== Find3M ====================

2008-12-29 22:30 664,296 a--sh--- c:\windows\system32\BegiQqss.ini2
2008-12-12 11:27 3,067,392 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-01 19:42 1,342,980 a--sh--- c:\windows\system32\gvfwoxxc.tmp
2008-11-30 18:57 1,342,980 a--sh--- c:\windows\system32\faeeomss.tmp
2008-10-28 16:28 65,320 a------- c:\windows\system32\sbbd.exe
2008-10-24 05:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:01 283,648 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-15 10:57 332,800 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 08:18 18,432 a------- c:\windows\system32\dllcache\iedw.exe
2006-03-23 22:21 3,553,500 a------- c:\program files\ftphome.zip
2007-12-18 20:35 56 ---shr-- c:\windows\system32\5DF705EAAD.sys
2007-12-18 20:35 3,766 a--sh--- c:\windows\system32\KGyGaAvL.sys
2007-08-20 20:42 1,590,283 a--sh--- c:\windows\system32\srutv.bak1
2007-09-05 17:42 1,987,595 a--sh--- c:\windows\system32\srutv.bak2
2007-09-06 11:44 1,738,904 a--sh--- c:\windows\system32\srutv.ini2

============= FINISH: 21:36:38.56 ===============





*************************************************
*************************************************


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:47:51 PM, on 1/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: (no name) - {C81C2A1D-BE26-4372-8F01-691CA552E92E} - (no file)
O3 - Toolbar: ECO Bar - {10000000-1000-1000-1000-100000000000} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite...vex-2.0.4.4.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139113616906
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.winkflash.com/photo/loaders/ImageUploader4.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: hgGaxUOf - hgGaxUOf.dll (file missing)
O20 - Winlogon Notify: iifcATjk - C:\WINDOWS\
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Movie Maker\profsyrtyrtypr.html

--
End of file - 5426 bytes


***********************************************
***********************************************

Malwarebytes' Anti-Malware 1.31
Database version: 1580
Windows 5.1.2600 Service Pack 2

1/1/2009 10:37:04 PM
mbam-log-2009-01-01 (22-36-43).txt

Scan type: Full Scan (C:\|)
Objects scanned: 106017
Time elapsed: 46 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{dcd53738-c4f9-414a-a03c-c7405a4ac844} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{cf46bfb3-2acc-441b-b82b-36b9562c7ff1} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c6039e6c-bde9-4de5-bb40-768caa584fdc} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{09f1adac-76d8-4d0f-99a5-5c907dadb988} (Rogue.Multiple) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\CAC (Malware.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
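As an added example (not code from this thread or from HijackThis, DDS, MBAM or any other tool named in it), here is a small Python triage script for HijackThis logs like the one posted above. It parses the O-section lines, flags entries whose file is absent ("(no file)" / "(file missing)"), and, for O20 Winlogon Notify entries, flags random-looking eight-letter names and values that point at a directory rather than a DLL; the sample lines are copied from the HJT log in this post. The random-name check is a heuristic of mine, not a rule from HijackThis, and legitimate names can match it, so its output is a review list, not a verdict.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: ECO Bar - {10000000-1000-1000-1000-100000000000} - (no file)
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: hgGaxUOf - hgGaxUOf.dll (file missing)
O20 - Winlogon Notify: iifcATjk - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O20"
    name: str      # display name of the entry
    reason: str    # why it was flagged


LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
MISSING_RE = re.compile(r"\((?:no file|file missing)\)$", re.IGNORECASE)
EIGHT_LETTERS_RE = re.compile(r"^[A-Za-z]{8}$")


def parse_line(line: str) -> tuple[str, str, str, str] | None:
    """Split one O-section line into (section, kind, name, remainder).

    HijackThis writes "Oxx - Kind: Name - <clsid and/or path>". Only the
    first " - " after the kind separates the name; the remainder may
    contain further " - " separators (vendor, CLSID, path).
    """
    m = LINE_RE.match(line.strip())
    if m is None:
        return None  # R0/R1 lines, headers, blanks: not handled here
    section, kind, body = m.groups()
    name, sep, remainder = body.partition(" - ")
    return section, kind, name, (remainder if sep else "")


def looks_random(name: str) -> bool:
    """Heuristic (mine, not HijackThis's): eight letters in mixed case, the
    shape of the Vundo-style Notify names in the log above. Legitimate names
    can match, so treat a hit as something to review, not as a verdict."""
    return bool(EIGHT_LETTERS_RE.match(name)) and not (name.islower() or name.isupper())


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious property of each O-section entry."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        section, _kind, name, remainder = parsed
        if MISSING_RE.search(remainder):
            findings.append(Finding(section, name,
                                    "registered component whose file is absent (orphan entry)"))
        if section == "O20":
            if looks_random(name):
                findings.append(Finding(section, name, "random-looking Winlogon Notify name"))
            if remainder.endswith("\\"):
                findings.append(Finding(section, name,
                                        "Notify value points at a directory, not a DLL"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.section:<4} {f.name:<22} {f.reason}")
```

Run against the sample it reports the three "(no file)" BHO/toolbar entries, the missing hgGaxUOf.dll Notify DLL, and the iifcATjk Notify value that resolves to C:\WINDOWS\ rather than a file; the legitimate SUPERAntiSpyware, AVG and Bonjour entries produce no findings. The orphan check is the safe one to act on (a registered component with no file behind it does nothing but should be cleaned up); the name heuristic only orders what to look at first.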


#2 Thunder (Members, 3,294 posts, Belgium)

Posted 03 January 2009 - 05:06 PM

Hello Vitagum and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (in case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download ComboFix from one of the locations below, and save it to your Desktop.

Link
Link
Link

Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.

#3 vitagum (Topic Starter; Members, 5 posts)

Posted 03 January 2009 - 09:49 PM

Hello Thunder, and thank you for your help.

I cleaned up the computer as instructed in step 1.
After downloading combofix and running it, I get the following message:

ComboFix has detected the following real time scanner(s) to be active:
*AVG Anti-Virus
...

How do I disable the real time scanner for AVG 8.0?

Note that I am running in safe mode. Normal mode is not working very well at the moment. In normal mode, there are no icons on the desktop and programs have a tendency to stall while running.

Thanks,
vitagum

#4 vitagum (Topic Starter; Members, 5 posts)

Posted 03 January 2009 - 10:46 PM

I deleted AVG and was able to run ComboFix without the warning message.
Here is the ComboFix log:

***************************************************
***************************************************


ComboFix 09-01-02.01 - Administrator 2009-01-03 21:32:36.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.360 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mom\err.log
c:\documents and settings\Mom\Local Settings\Temporary Internet Files\fbk.sts
c:\temp\0c2
c:\temp\0c2\tmpFF.log
c:\temp\DIV55
c:\temp\DIV55\xDb.log
C:\test.txt
c:\windows\IE4 Error Log.txt
c:\windows\system32\ajmnegiy.ini
c:\windows\system32\amohtfyu.ini
c:\windows\system32\BegiQqss.ini
c:\windows\system32\BegiQqss.ini2
c:\windows\system32\cjyguamr.ini
c:\windows\system32\cpnhceoe.ini
c:\windows\system32\dqeavibi.ini
c:\windows\system32\efrcksbp.ini
c:\windows\system32\evjbbmuv.ini
c:\windows\system32\fkmdseli.ini
c:\windows\system32\fucooltn.ini
c:\windows\system32\gggrguof.ini
c:\windows\system32\ggnkyoyu.ini
c:\windows\system32\gi3
c:\windows\system32\giv
c:\windows\system32\hcpuceuf.ini
c:\windows\system32\iciuallw.ini
c:\windows\system32\iembaoat.ini
c:\windows\system32\IN
c:\windows\system32\iryttyjy.ini
c:\windows\system32\litnvmcb.ini
c:\windows\system32\ltsiwcfk.ini
c:\windows\system32\mhgciige.ini
c:\windows\system32\nbwilvfv.ini
c:\windows\system32\nefiwtwf.ini
c:\windows\system32\onkhiusl.ini
c:\windows\system32\op8
c:\windows\system32\pgiobmhw.ini
c:\windows\system32\pjftmkwd.ini
c:\windows\system32\pmstcdut.ini
c:\windows\system32\rhbpqnhe.ini
c:\windows\system32\sljthkae.ini
c:\windows\system32\srutv.bak1
c:\windows\system32\srutv.bak2
c:\windows\system32\srutv.ini
c:\windows\system32\srutv.ini2
c:\windows\system32\srutv.tmp
c:\windows\system32\T1
c:\windows\system32\T11
c:\windows\system32\T3
c:\windows\system32\T5
c:\windows\system32\T7
c:\windows\system32\TEC
c:\windows\system32\tmp.reg
c:\windows\system32\undguyyc.ini
c:\windows\system32\vi
c:\windows\system32\wdaphtff.ini
c:\windows\system32\win
c:\windows\system32\wkuamwos.ini
c:\windows\system32\wwmwppwn.ini
c:\windows\system32\wwurmiru.ini
c:\windows\system32\ymjyhufb.ini
c:\windows\system32\yraitpjw.ini
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-12-04 to 2009-01-04 )))))))))))))))))))))))))))))))
.

2100-04-01 17:22 . 2008-10-22 15:41 194 --a------ c:\windows\X83_DS.ini
2100-02-24 14:15 . 2001-04-02 16:30 821 --a------ c:\windows\Lexmark_ICM.ini
2100-02-16 16:09 . 2001-02-16 15:37 62 --a------ c:\windows\system32\LEXUSBCI.INI
2009-01-01 00:04 . 2009-01-01 00:04 <DIR> d-------- c:\program files\Trend Micro
2008-12-31 22:38 . 2008-12-31 22:43 345 --a------ c:\windows\gmer.ini
2008-12-31 15:08 . 2008-12-31 15:08 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-12-31 14:52 . 2009-01-01 21:11 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-31 14:52 . 2008-12-31 14:52 <DIR> d-------- c:\documents and settings\Mom\Application Data\SUPERAntiSpyware.com
2008-12-31 14:52 . 2008-12-31 14:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-31 01:34 . 2008-12-31 01:34 <DIR> d-------- c:\windows\ERUNT
2008-12-31 01:15 . 2008-12-31 01:15 <DIR> d-------- c:\documents and settings\Mom\Application Data\Malwarebytes
2008-12-31 01:13 . 2008-12-31 01:13 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-31 00:16 . 2008-12-31 00:16 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-31 00:16 . 2008-12-31 00:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-31 00:16 . 2008-12-31 00:16 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-31 00:16 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-31 00:16 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-29 22:52 . 2008-12-29 22:52 <DIR> d-------- c:\program files\Eusing Free Registry Cleaner
2008-12-29 22:20 . 2009-01-01 02:12 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-29 22:17 . 2009-01-03 21:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-27 17:47 . 2008-09-12 11:12 69,168 --a------ c:\windows\system32\drivers\sbapifs.sys
2008-12-27 17:35 . 2008-12-29 23:37 664 --a------ c:\windows\system32\d3d9caps.dat
2008-12-27 17:31 . 2008-12-27 17:31 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sunbelt Software
2008-12-27 17:27 . 2008-09-12 11:12 13,360 --a------ c:\windows\system32\drivers\sbaphd.sys
2008-12-27 09:55 . 2008-12-27 09:55 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sunbelt
2008-12-11 22:22 . 2008-12-11 22:22 130,560 --a------ c:\windows\uponedevac.dll
2008-12-11 22:09 . 2008-12-11 22:09 9,728 ---h----- c:\windows\20081203051514-downloader_silent.exe
2008-12-11 21:13 . 2008-12-11 21:13 <DIR> d-------- c:\documents and settings\Mom\Application Data\Sunbelt
2008-12-11 21:13 . 2008-12-11 21:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sunbelt
2008-12-11 21:12 . 2008-12-11 21:12 <DIR> d-------- c:\program files\Sunbelt Software
2008-12-11 21:12 . 2008-04-28 14:48 202,160 --a------ c:\windows\system32\drivers\sbtis.sys
2008-12-11 20:26 . 2008-12-11 20:26 <DIR> d-------- c:\documents and settings\Mom\Application Data\Sunbelt Software
2008-12-11 20:26 . 2008-12-11 20:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sunbelt Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-01 08:12 --------- d-----w c:\program files\DIGStream
2008-12-12 02:56 --------- d-----w c:\program files\NetZero
2008-12-12 02:40 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-12 02:40 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-02 06:28 --------- d-----w c:\program files\Kaspersky Lab
2008-12-02 06:04 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-02 06:01 --------- d-----w c:\program files\McAfee
2008-12-02 06:01 --------- d-----w c:\program files\Common Files\McAfee
2008-12-01 02:13 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-11-30 05:07 5,032 ----a-w c:\documents and settings\Mom\Application Data\wklnhst.dat
2008-11-05 16:25 --------- d--h--w c:\program files\Zero G Registry
2008-04-08 00:08 62,232 ----a-w c:\documents and settings\Mom\Application Data\GDIPFONTCACHEV1.DAT
2006-08-20 21:14 80 ----a-w c:\documents and settings\Mom\Application Data\ftpfile.dat
2006-03-24 04:21 3,553,500 ----a-w c:\program files\ftphome.zip
2007-12-19 02:35 56 --sh--r c:\windows\system32\5DF705EAAD.sys
2007-12-19 02:35 3,766 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\program files\Movie Maker\profsyrtyrtypr.html
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 16:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mom^Start Menu^Programs^Startup^p2pmax.lnk]
path=c:\documents and settings\Mom\Start Menu\Programs\Startup\p2pmax.lnk
backup=c:\windows\pss\p2pmax.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2004-09-13 16:33 155648 c:\program files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--a------ 2005-08-31 11:06 106496 c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2005-09-01 17:24 684032 c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2005-05-15 02:04 332800 c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-12-06 01:05 127035 c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 16:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2004-08-10 04:04 59392 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-07-19 23:06 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-07-19 23:10 114688 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-07-19 23:09 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a------ 2004-10-30 14:59 385024 c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 10:44 249856 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 10:44 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X83 Button Manager]
--a------ 2001-05-11 11:40 53248 c:\progra~1\LEXMAR~1\AcBtnMgr_X83.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X83 Button Monitor]
--a------ 2001-03-16 16:28 40960 c:\progra~1\LEXMAR~1\ACMonitor_X83.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2004-04-11 20:15 290816 c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
--a------ 2001-05-25 12:36 36864 c:\windows\system32\spool\drivers\w32x86\2\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-12-08 13:06 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-12-08 13:05 26112 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBAMTray]
--a------ 2008-10-28 16:53 955688 c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2006-03-30 15:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wkoyovanil]
--a------ 2008-12-11 22:22 130560 c:\windows\uponedevac.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Internet\\ICC\\icc2000.exe"=
"c:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2008-12-27 13360]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2008-12-11 202160]
R4 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2008-12-27 69168]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-31 38496]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-23 92464]
S4 SBAMSvc;AntiMalware;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [2008-10-28 886056]
.
Contents of the 'Scheduled Tasks' folder

2008-11-22 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (CHARMAINE-Mom).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{C81C2A1D-BE26-4372-8F01-691CA552E92E} - (no file)
Toolbar-{10000000-1000-1000-1000-100000000000} - (no file)
Notify-hgGaxUOf - hgGaxUOf.dll
Notify-iifcATjk - (no file)
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-b8bfb27c - c:\windows\system32\vkxrnqwb.dll
MSConfigStartUp-GetModule30 - c:\program files\GetModule\GetModule30.exe
MSConfigStartUp-Jnskdfmf9eldfd - c:\docume~1\Mom\LOCALS~1\Temp\csrssc.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\j2re1.4.2_03\bin\jusched.exe
MSConfigStartUp-Tsirazovecebezud - c:\windows\Kjugujaho.dll


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = localhost;*.local
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: {{d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
Trusted Zone: online.musicmatch.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-03 21:38:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID]
@DACL=(02 0000)
@="URLSearchHook.ToolbarURLSearchHook.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib]
@DACL=(02 0000)
@="{4509D3CC-B642-4745-B030-645B79522C6D}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID]
@DACL=(02 0000)
@="URLSearchHook.ToolbarURLSearchHook"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1068)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\dwwin.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-03 21:41:34 - machine was rebooted [Mom]
ComboFix-quarantined-files.txt 2009-01-04 03:41:29

Pre-Run: 13,237,350,400 bytes free
Post-Run: 12,587,679,744 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

309 --- E O F --- 2009-01-01 05:16:27

#5 Thunder (Members, 3,294 posts, Belgium)

Posted 04 January 2009 - 03:41 PM

Hello Vitagum,

Let's clean up some more:

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:

Collect::[9]
c:\windows\uponedevac.dll
c:\windows\20081203051514-downloader_silent.exe
Registry::
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= -
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wkoyovanil]

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh HijackThis log.

When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open.
Simply follow the instructions to copy/paste/send the requested file C:\QooBox\Quarantine\[9]-Submit_Date_Time.zip.

Right click on Desktop, Properties, Desktop page, click Customize and on the Web page make sure 'Lock Desktop' is not checked.
Right click again, Arrange Icons, make sure 'Show Desktop Icons' is checked.

Are you still having problems?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#6 vitagum (Topic Starter, Members, 5 posts)

Posted 04 January 2009 - 10:16 PM

Thunder,

I ran ComboFix again with the given script and produced another HijackThis log.

I am able to boot into normal mode Windows again!!! The icons are back and even though Windows loads slowly, things appear to be getting better. I'll run another scan using MBAM and SUPERAntiSpyware to see what they find.


********************************************************
********************************************************

ComboFix 09-01-02.01 - Administrator 2009-01-04 19:30:58.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.362 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\20081203051514-downloader_silent.exe
c:\windows\uponedevac.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))
.

2100-04-01 17:22 . 2008-10-22 15:41 194 --a------ c:\windows\X83_DS.ini
2100-02-24 14:15 . 2001-04-02 16:30 821 --a------ c:\windows\Lexmark_ICM.ini
2100-02-16 16:09 . 2001-02-16 15:37 62 --a------ c:\windows\system32\LEXUSBCI.INI
2009-01-01 00:04 . 2009-01-01 00:04 <DIR> d-------- c:\program files\Trend Micro
2008-12-31 22:38 . 2008-12-31 22:43 345 --a------ c:\windows\gmer.ini
2008-12-31 15:08 . 2008-12-31 15:08 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-12-31 14:52 . 2009-01-01 21:11 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-31 14:52 . 2008-12-31 14:52 <DIR> d-------- c:\documents and settings\Mom\Application Data\SUPERAntiSpyware.com
2008-12-31 14:52 . 2008-12-31 14:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-31 01:34 . 2008-12-31 01:34 <DIR> d-------- c:\windows\ERUNT
2008-12-31 01:15 . 2008-12-31 01:15 <DIR> d-------- c:\documents and settings\Mom\Application Data\Malwarebytes
2008-12-31 01:13 . 2008-12-31 01:13 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-31 00:16 . 2008-12-31 00:16 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-31 00:16 . 2008-12-31 00:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-31 00:16 . 2008-12-31 00:16 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-31 00:16 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-31 00:16 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-29 22:52 . 2008-12-29 22:52 <DIR> d-------- c:\program files\Eusing Free Registry Cleaner
2008-12-29 22:20 . 2009-01-01 02:12 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-29 22:17 . 2009-01-03 21:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-27 17:47 . 2008-09-12 11:12 69,168 --a------ c:\windows\system32\drivers\sbapifs.sys
2008-12-27 17:35 . 2008-12-29 23:37 664 --a------ c:\windows\system32\d3d9caps.dat
2008-12-27 17:31 . 2008-12-27 17:31 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sunbelt Software
2008-12-27 17:27 . 2008-09-12 11:12 13,360 --a------ c:\windows\system32\drivers\sbaphd.sys
2008-12-27 09:55 . 2008-12-27 09:55 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sunbelt
2008-12-11 21:13 . 2008-12-11 21:13 <DIR> d-------- c:\documents and settings\Mom\Application Data\Sunbelt
2008-12-11 21:13 . 2008-12-11 21:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sunbelt
2008-12-11 21:12 . 2008-12-11 21:12 <DIR> d-------- c:\program files\Sunbelt Software
2008-12-11 21:12 . 2008-04-28 14:48 202,160 --a------ c:\windows\system32\drivers\sbtis.sys
2008-12-11 20:26 . 2008-12-11 20:26 <DIR> d-------- c:\documents and settings\Mom\Application Data\Sunbelt Software
2008-12-11 20:26 . 2008-12-11 20:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sunbelt Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2100-04-08 17:45 69,632 ----a-w c:\windows\system32\Lxasmdm.dll
2009-01-01 08:12 --------- d-----w c:\program files\DIGStream
2008-12-12 17:27 3,067,392 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-12 02:56 --------- d-----w c:\program files\NetZero
2008-12-12 02:40 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-12 02:40 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-02 06:28 --------- d-----w c:\program files\Kaspersky Lab
2008-12-02 06:04 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-02 06:01 --------- d-----w c:\program files\McAfee
2008-12-02 06:01 --------- d-----w c:\program files\Common Files\McAfee
2008-12-02 01:42 1,342,980 --sha-w c:\windows\system32\gvfwoxxc.tmp
2008-12-01 02:13 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-12-01 00:57 1,342,980 --sha-w c:\windows\system32\faeeomss.tmp
2008-11-30 05:07 5,032 ----a-w c:\documents and settings\Mom\Application Data\wklnhst.dat
2008-11-05 16:25 --------- d--h--w c:\program files\Zero G Registry
2008-10-28 22:28 65,320 ----a-w c:\windows\system32\sbbd.exe
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 13:01 283,648 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-15 16:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 14:18 18,432 ----a-w c:\windows\system32\dllcache\iedw.exe
2008-04-08 00:08 62,232 ----a-w c:\documents and settings\Mom\Application Data\GDIPFONTCACHEV1.DAT
2006-10-03 08:43 2,402,550 ----a-w c:\windows\inf\SET162.tmp
2006-08-20 21:14 80 ----a-w c:\documents and settings\Mom\Application Data\ftpfile.dat
2006-03-24 04:21 3,553,500 ----a-w c:\program files\ftphome.zip
2007-12-19 02:35 56 --sh--r c:\windows\system32\5DF705EAAD.sys
2007-12-19 02:35 3,766 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1830128]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9f.exe" [2008-03-24 218496]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 16:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mom^Start Menu^Programs^Startup^p2pmax.lnk]
path=c:\documents and settings\Mom\Start Menu\Programs\Startup\p2pmax.lnk
backup=c:\windows\pss\p2pmax.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2004-09-13 16:33 155648 c:\program files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--a------ 2005-08-31 11:06 106496 c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2005-09-01 17:24 684032 c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2005-05-15 02:04 332800 c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-12-06 01:05 127035 c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 16:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2004-08-10 04:04 59392 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-07-19 23:06 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-07-19 23:10 114688 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-07-19 23:09 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a------ 2004-10-30 14:59 385024 c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 10:44 249856 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 10:44 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X83 Button Manager]
--a------ 2001-05-11 11:40 53248 c:\progra~1\LEXMAR~1\AcBtnMgr_X83.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X83 Button Monitor]
--a------ 2001-03-16 16:28 40960 c:\progra~1\LEXMAR~1\ACMonitor_X83.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2004-04-11 20:15 290816 c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
--a------ 2001-05-25 12:36 36864 c:\windows\system32\spool\drivers\w32x86\2\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-12-08 13:06 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-12-08 13:05 26112 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBAMTray]
--a------ 2008-10-28 16:53 955688 c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2006-03-30 15:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Internet\\ICC\\icc2000.exe"=
"c:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=

R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2008-12-11 202160]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
S1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2008-12-27 13360]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-31 38496]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-23 92464]
S4 SBAMSvc;AntiMalware;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [2008-10-28 886056]
S4 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2008-12-27 69168]
.
Contents of the 'Scheduled Tasks' folder

2008-11-22 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (CHARMAINE-Mom).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www1.ap.dell.com/content/default.aspx?c=my&l=en&s=gen
IE: {{d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
Trusted Zone: online.musicmatch.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-04 19:33:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(948)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2009-01-04 19:35:00
ComboFix-quarantined-files.txt 2009-01-05 01:34:37
ComboFix2.txt 2009-01-04 03:41:36

Pre-Run: 13,137,821,696 bytes free
Post-Run: 13,118,914,560 bytes free

228 --- E O F --- 2009-01-01 05:16:27




*************************************************
*************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:43, on 2009-01-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite...vex-2.0.4.4.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139113616906
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.winkflash.com/photo/loaders/ImageUploader4.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Movie Maker\profsyrtyrtypr.html

--
End of file - 5131 bytes

#7 Thunder

Thunder
  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:07:49 AM

Posted 05 January 2009 - 04:56 AM

Hello Vitagum,

Looking better now. :thumbsup:

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following, if still present:
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O24 - Desktop Component 0: (no name) - C:\Program Files\Movie Maker\profsyrtyrtypr.html

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Navigate, using Windows Explorer, to and delete the following folders and files if still present:
C:\windows\system32\gvfwoxxc.tmp <== file
C:\windows\system32\faeeomss.tmp <== file
If you're having problems removing a file/folder, reboot your Computer once again and try to remove it after reboot.

Then, you can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste the following command into the field:
ComboFix /u
Make sure there's a space between ComboFix and /u.
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Still having problems ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference
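The fix list above is built by eye from the HijackThis log: registrations whose target reads "(no file)" or "(file missing)" are orphaned and safe to fix, a Winlogon Notify DLL always deserves a vendor check because it loads in winlogon's context at every logon, and an O24 Active Desktop component pointing at an HTML file with a random-looking name is the sort of entry that draws fake alerts as the wallpaper. The script below is an added example (it is not part of this thread and not HijackThis code) that applies those same checks to HJT-format lines automatically. The sample log is constructed from the kinds of entries seen in the thread, the `looks_random` vowel-ratio heuristic and the reason strings are this example's own assumptions, and nothing here touches the registry or disk: it only tells you which lines to look at in HijackThis.

```python
"""Triage HijackThis (HJT) log lines: flag entries worth fixing or reviewing.

Added example; not from the BleepingComputer thread or from HijackThis.
SAMPLE_LOG is constructed for this example and is not a real, complete log.
"""
import re
from dataclasses import dataclass

# Targets HJT prints when the registered file no longer exists on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")
VOWELS = set("aeiou")

# Constructed sample in HJT's "Onn - kind: name - id - target" format.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Movie Maker\profsyrtyrtypr.html
"""


@dataclass
class Finding:
    section: str   # HJT section, e.g. "O2"
    entry: str     # the full log line
    reason: str    # why it was flagged
    action: str    # "fix" (check it in HJT) or "review" (verify vendor first)


def looks_random(filename: str) -> bool:
    """Heuristic (an assumption of this example): a long, letters-only stem with
    almost no vowels, such as profsyrtyrtypr, is probably machine-generated."""
    stem = filename.rsplit(".", 1)[0].lower()
    if len(stem) < 8 or not stem.isalpha():
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.2


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that matches a triage rule, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^(O\d+) - (.+)$", line)
        if not m:
            continue  # not an HJT entry line (header, blank, 'End of file', ...)
        section, body = m.groups()

        # Rule 1: registration whose file is gone -> orphan, safe to fix.
        if body.endswith(ORPHAN_MARKERS):
            findings.append(Finding(section, line, "orphaned registration, file missing on disk", "fix"))
            continue

        target = body.rsplit(" - ", 1)[-1]          # last field is the path/URL
        fname = target.replace("\\", "/").rsplit("/", 1)[-1]

        # Rule 2: Active Desktop component drawing an HTML file, random-named or not.
        if section == "O24" and (fname.lower().endswith((".htm", ".html")) or looks_random(fname)):
            findings.append(Finding(section, line, "Active Desktop HTML component with random-looking name", "fix"))

        # Rule 3: Winlogon Notify DLLs load at every logon; confirm the vendor.
        elif section == "O20":
            findings.append(Finding(section, line, "Winlogon Notify DLL, verify it belongs to a known product", "review"))
    return findings


def fix_list(findings: list[Finding]) -> list[str]:
    """Lines to place a check against in HijackThis before clicking Fix Checked."""
    return [f.entry for f in findings if f.action == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.action:6}] {f.section:4} {f.reason}\n         {f.entry}")
```

Run it against a saved HJT log by reading the file into `triage()`; the "fix" entries are the ones to check in HijackThis, while "review" entries (here the SUPERAntiSpyware Winlogon hook, a legitimate product) need a vendor check before anything is removed.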

#8 vitagum

vitagum
  • Topic Starter
  • Members
  • 5 posts
  • Local time:11:49 PM

Posted 06 January 2009 - 10:38 PM

Thank you Thunder,

I used HijackThis to remove the specified files.
When I looked for the 2 tmp files, they were not there.
I uninstalled combofix, and everything was put back to normal except the clock. It still displays the 24-hour format. I changed it back to 12-hr format manually.

I wanted to use the computer for a while to make sure everything was back to normal .... and it is!!!
Thank you for your help.

vitagum

#9 Thunder

Thunder
  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:07:49 AM

Posted 07 January 2009 - 04:03 AM

Glad we could help, Vitagum :thumbsup:

Please read this Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed.

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
