MS JUAN, MS TRACKSYSTEM, VIRTUEMONDE


  • This topic is locked
15 replies to this topic

#1 tarablelawyer

tarablelawyer

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:34 AM

Posted 06 January 2009 - 05:17 PM

Hi all,
Last Friday, my computer started acting all sorts of weird. Specifically, my desktop background has changed to a blue screen, I get random popups, pornographic icons were installed on my desktop, and the computer often tells me that I don't have permission to press CTL+ALT+DELETE or disable certain applications. I've scanned my system with SuperAntiSpyware, and it identified the problem as MS JUAN and MS TRACKSYSTEM. However, after quarantining, removing, rebooting, and rescanning, these files still come up. I'm trying to follow the protocol listed on the "Preparation Guide for use before posting about your potential Malware problem," so bear with me. I would love any help that can be offered. This happened to my work computer, so productivity has been pretty low this week as I deal with this virus. Here are my logs:


DDS (Version 1.1.0) - NTFSx86
Run by Tara Cottrill at 17:02:18.89 on Tue 01/06/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1137 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: Total Protection Service *On-access scanning enabled* (Updated)
FW: Total Protection Service *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Tara Cottrill\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080723
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080723
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
mDefault_Page_URL = hxxp://www.dell.com
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: {c9bcf23e-b183-49bc-a57a-d7fb4bd55035} - c:\windows\system32\mlJYrPJB.dll
TB: BeInSync: {4f2530ba-8c1d-4a6a-8ba0-74e93adc9b12} - c:\progra~1\beinsync\BISShellEx.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [MVS Splash] "c:\program files\mcafee\managed virusscan\agent\Splash.exe"
mRun: [McAfee Managed Services Tray] c:\program files\mcafee\managed virusscan\agent\StartMyAgtTry.Exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
dRun: [msiexec.exe] msiconf.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {EE84A04D-8992-4b19-970F-6EA7A01F7331} - {4F2530BA-8C1D-4A6A-8BA0-74E93ADC9B12} - c:\progra~1\beinsync\BISShellEx.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} - c:\program files\mcafee\managed virusscan\agent\myRmProt4.7.0.566.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: pmnMEUMc - pmnMEUMc.dll
AppInit_DLLs: xycoah.dll,avgrsstx.dll
SEH: DPDblHook Class: {561f5138-43b1-45d9-aec9-478c51c1bd09} - c:\progra~1\beinsync\BISShellEx.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\mlJYrPJB

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\taraco~1\applic~1\mozilla\firefox\profiles\luiw1g7t.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-6 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-6 26824]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-7-22 201320]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R3 McShield;McShield;c:\program files\mcafee\managed virusscan\vscan\McShield.exe [2008-7-22 144704]
R3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\MfeAVFK.sys [2008-7-22 79304]
R3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\MfeBOPK.sys [2008-7-22 35240]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-2-26 29183504]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-6 231704]
R4 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
R4 EngineServer;EngineServer;c:\program files\mcafee\managed virusscan\vscan\EngineServer.exe [2008-7-22 14144]
R4 McAfee HackerWatch Service;McAfee HackerWatch Service;c:\program files\common files\mcafee\hackerwatch\HWAPI.exe [2008-7-22 540776]
R4 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [2008-7-22 169280]
S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\MfeRKDK.sys [2008-7-22 33832]

=============== Created Last 30 ================

2009-01-06 15:56 <DIR> --d----- C:\VundoFix Backups
2009-01-06 15:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-06 15:55 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-06 15:55 <DIR> --d----- c:\docume~1\taraco~1\applic~1\SUPERAntiSpyware.com
2009-01-06 15:54 5,824,544 a------- c:\program files\SUPERAntiSpyware.exe
2009-01-06 15:30 664 a------- c:\windows\system32\d3d9caps.dat
2009-01-06 10:16 4,140 a------- c:\windows\system32\Config.MPF
2009-01-06 10:16 2,126 a------- c:\windows\system32\wpa.dbl
2009-01-06 09:31 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-01-06 09:25 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-06 09:25 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-06 09:25 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-01-06 09:25 <DIR> --d----- c:\docume~1\taraco~1\applic~1\AVGTOOLBAR
2009-01-06 09:25 <DIR> --d----- c:\program files\AVG
2009-01-06 09:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-01-05 14:03 54,157,776 a------- c:\program files\avg_free_stf_en_8_176a1400.exe
2009-01-05 13:12 <DIR> --d----- c:\program files\Lavasoft
2009-01-05 13:11 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-05 08:56 <DIR> --d----- c:\windows\system32\appmgmt
2009-01-05 08:55 120 ---sh--- c:\windows\system32\pqxytcyx.ini
2009-01-05 08:51 133,632 a------- c:\windows\system32\xycoah.dll
2009-01-02 16:51 1,307,379 ---sh--- c:\windows\system32\kaiydnxd.ini
2009-01-02 16:40 4,429 a--sh--- c:\windows\system32\BJPrYJlm.ini2
2009-01-02 16:40 4,429 a--sh--- c:\windows\system32\BJPrYJlm.ini

==================== Find3M ====================

2008-12-12 12:01 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2008-11-07 16:45 2,174,976 -------- c:\windows\system32\dllcache\WMVCore.dll
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-15 20:00 666,112 a------- c:\windows\system32\wininet.dll
2008-10-15 20:00 666,112 -------- c:\windows\system32\dllcache\wininet.dll
2008-10-15 20:00 619,520 -------- c:\windows\system32\dllcache\urlmon.dll
2008-10-15 20:00 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2008-10-15 11:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll

============= FINISH: 17:02:57.70 ===============


Thanks, new internet friends. --- Tara
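The "Pseudo HJT Report" section of the DDS log above is what a helper reads by eye to spot autostart hooks: a BHO with no display name, a Winlogon Notify DLL given without a path, an extra LSA authentication package, AppInit_DLLs, and policies that disable Task Manager. As an added example that is not part of this thread (not the poster's, the helper's, or BleepingComputer's code), the following Python script applies those same checks to a handful of lines copied from the log and also reports any module that appears under more than one hook. The severities, the allowlists and the `triage`/`shared_components` function names are the example's own assumptions, not anything DDS produces.

```python
"""Triage of a DDS 'Pseudo HJT Report'.

Added example, not part of the thread. It encodes checks a helper applies
by eye: DLLs injected into every process (AppInit_DLLs), LSA authentication
packages beyond the Windows default, Winlogon Notify DLLs given without a
path, BHOs with no display name, policies that disable Task Manager, and
Run entries that name a bare file. Severities and allowlists below are the
example's own assumptions, not DDS output.
"""
import re
from collections import Counter

# Constructed sample: lines copied verbatim from the first DDS log in the thread.
SAMPLE_REPORT = r"""
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {c9bcf23e-b183-49bc-a57a-d7fb4bd55035} - c:\windows\system32\mlJYrPJB.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [msiexec.exe] msiconf.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: pmnMEUMc - pmnMEUMc.dll
AppInit_DLLs: xycoah.dll,avgrsstx.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\mlJYrPJB
"""

# Assumed allowlists for the example; real triage compares against a clean
# baseline of the same Windows build.
KNOWN_NOTIFY_DLLS = {"igfxdev.dll"}      # Intel graphics Winlogon notify DLL
DEFAULT_LSA_PACKAGES = {"msv1_0"}        # Windows XP default auth package
RUN_KEY = re.compile(r"[umd]Run(Once)?$")


def parse_report(text):
    """Yield (hook, value) pairs from 'hook: value' lines; skip the rest."""
    for line in text.splitlines():
        if ": " in line:
            hook, value = line.split(": ", 1)
            yield hook.strip(), value.strip()


def triage(text):
    """Return (severity, reason, line) findings in report order."""
    findings = []
    for hook, value in parse_report(text):
        line = f"{hook}: {value}"
        if hook == "AppInit_DLLs":
            for dll in value.split(","):
                findings.append(("medium", f"AppInit DLL loads into every user32 process: {dll.strip()}", line))
        elif hook == "LSA" and value.startswith("Authentication Packages"):
            for pkg in value.split("=", 1)[1].split():
                if pkg.lower() not in DEFAULT_LSA_PACKAGES:
                    findings.append(("high", f"non-default LSA authentication package: {pkg}", line))
        elif hook == "Notify":
            _, _, dll = value.partition(" - ")
            if "\\" not in dll and dll.lower() not in KNOWN_NOTIFY_DLLS:
                findings.append(("high", f"Winlogon Notify DLL without a full path: {dll}", line))
        elif hook == "BHO" and value.startswith("{"):
            findings.append(("medium", "BHO with no display name", line))
        elif hook.endswith("Policies-system") and "DisableTaskMgr = 1" in value:
            findings.append(("medium", f"Task Manager disabled via {hook}", line))
        elif RUN_KEY.match(hook) and "\\" not in value.split("] ", 1)[-1]:
            findings.append(("low", "Run entry names a bare file without a path", line))
    return findings


def module_names(hook, value):
    """Base names (no extension, lower-case) of modules referenced in one line."""
    if hook == "LSA":
        packages = value.split("=", 1)[-1].split()          # keep only the package list
        names = [p.rsplit("\\", 1)[-1] for p in packages]
    else:
        names = re.findall(r"([A-Za-z0-9_~!-]+)\.(?:dll|exe)", value, re.I)
    return {n.lower() for n in names}


def shared_components(text):
    """Module names referenced by two or more different hooks.

    One module registered under several hooks (here a BHO that is also an
    LSA package) is a stronger signal than any single entry on its own."""
    seen = {}
    for hook, value in parse_report(text):
        for name in module_names(hook, value):
            seen.setdefault(name, set()).add(hook)
    return {n: hooks for n, hooks in seen.items() if len(hooks) > 1}


def summarize(findings):
    """Count findings per severity."""
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_REPORT)
    for sev, reason, line in results:
        print(f"[{sev:6}] {reason}\n         {line}")
    print("shared across hooks:", shared_components(SAMPLE_REPORT))
    print("totals:", summarize(results))
```

Run it against a full "Pseudo HJT Report" by pasting the section into `SAMPLE_REPORT`; the low-severity Run check will also flag legitimate entries such as `RTHDCPL.EXE`, which is why it is only a prompt to look, not a verdict.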


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:34 PM

Posted 19 January 2009 - 01:57 PM

Hi tarablelawyer,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your malware issues.

Please give me a little time to go through your log. I will also let you know that I am a trainee, so each stage of the fix will need to be checked by an expert before I post, so there may be a slight delay. Don't worry, I won't abandon you :thumbsup:
  • Please subscribe to this topic, if you haven't already, and wait for me to get back to you.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes. This can make helping you impossible.
  • Please reply to this post so I know you are there.
Thanks
m0le is a proud member of UNITE

#3 tarablelawyer

tarablelawyer
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:34 AM

Posted 21 January 2009 - 08:59 AM

Hi there! I'm very excited that you're able to respond to my topic. My work computer is the one that's been sick, and I've been out of the office until today because of MLK day and the inauguration. But now I'm back and am ready to do whatever it takes to get rid of this MS JUAN guy. I appreciate your help!

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:34 PM

Posted 21 January 2009 - 01:07 PM

Hi tarablelawyer,

Welcome to Bleeping Computer.

There are some things that require attention and I will go over these step by step. If you are unsure of anything I am saying then don’t continue, just post a query and I will get you back on track.

Please avoid changing anything on your computer (ie, downloading software) or taking unsupervised steps to remove any malware as this can make helping you much more difficult.

:) I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either AVG or Ad-Aware.

You also have Superantispyware (SAS) along with Ad-Aware’s antispyware package. My recommendation would be to uninstall Ad-Aware and leave AVG and SAS but it’s your choice.


:) We have a file that I'm not sure of so we're going to send it off for an online analysis. Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\windows\system32\Config.MPF

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/


:) Finally, we need you to disable the antispyware if you decided to stick with Ad-Aware. SAS does not have realtime protection so you need not do anything if you chose to keep that one.

Please disable AdWatch, as it may hinder the removal of some entries.
  • Open AdAware SE.
  • Go to AdWatch User Interface.
  • Go to Tools and Preferences.
  • At the bottom of the screen you will see 2 options Active and Automatic.
  • Active: This will turn Ad-Watch On\Off without closing it.
  • Automatic: Suspicious activity will be blocked automatically.
  • Uncheck both options. You can enable these after resolving your problem.
Just to recap, I would like the Jotti/VirusTotal results and a fresh DDS log pasted into your next reply. Then we can start to fix your computer. Thanks :thumbsup:
m0le is a proud member of UNITE

#5 tarablelawyer

tarablelawyer
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:34 AM

Posted 21 January 2009 - 01:32 PM

Okay m0le, here are my logs!

Jotti malware scan:
Scan taken on 21 Jan 2009 18:28:21 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
G DATA
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

Last file scanned at least one scanner reported something about: icytower13.exe (MD5: 332309911799d88cd7aab138e363bb78, size: 321536 bytes), detected by:

Scanner Malware name
A-Squared Virus.Win32.Hidrag.A!IK
AntiVir W32/Hidrag.a
ArcaVir W32.Jeefo.35328
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
CPsecure X
Dr.Web X
F-Prot Antivirus X
F-Secure Anti-Virus X
G DATA X
Ikarus X
Kaspersky Anti-Virus X
NOD32 X
Norman Virus Control X
Panda Antivirus X
Sophos Antivirus X
VirusBuster X
VBA32 X




DDS scan:
DDS (Version 1.1.0) - NTFSx86
Run by Tara Cottrill at 13:19:53.39 on Wed 01/21/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1113 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: Total Protection Service *On-access scanning enabled* (Updated)
FW: Total Protection Service *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgttry.exe
C:\Documents and Settings\Tara Cottrill\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TB: BeInSync: {4f2530ba-8c1d-4a6a-8ba0-74e93adc9b12} - c:\progra~1\beinsync\BISShellEx.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [McAfee Managed Services Tray] c:\program files\mcafee\managed virusscan\agent\StartMyAgtTry.Exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: {EE84A04D-8992-4b19-970F-6EA7A01F7331} - {4F2530BA-8C1D-4A6A-8BA0-74E93ADC9B12} - c:\progra~1\beinsync\BISShellEx.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} - c:\program files\mcafee\managed virusscan\agent\myRmProt4.7.0.566.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: DPDblHook Class: {561f5138-43b1-45d9-aec9-478c51c1bd09} - c:\progra~1\beinsync\BISShellEx.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\taraco~1\applic~1\mozilla\firefox\profiles\luiw1g7t.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - HiddenExtension: XUL Cache: {089C0B1B-BA65-4414-BAB7-EDB86F35224A} - c:\windows\system32\config\systemprofile\local settings\application data\{089c0b1b-ba65-4414-bab7-edb86f35224a}\

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-6 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-6 26824]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-7-22 201320]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R3 McShield;McShield;c:\program files\mcafee\managed virusscan\vscan\McShield.exe [2008-7-22 144704]
R3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\MfeAVFK.sys [2008-7-22 79304]
R3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\MfeBOPK.sys [2008-7-22 35240]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-2-26 29183504]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-6 231704]
R4 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
R4 EngineServer;EngineServer;c:\program files\mcafee\managed virusscan\vscan\EngineServer.exe [2008-7-22 14144]
R4 McAfee HackerWatch Service;McAfee HackerWatch Service;c:\program files\common files\mcafee\hackerwatch\HWAPI.exe [2008-7-22 540776]
R4 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [2008-7-22 169280]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-1-9 38496]
S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\MfeRKDK.sys [2008-7-22 33832]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]

=============== Created Last 30 ================

2009-01-16 10:15 <DIR> --d----- C:\ComboFix
2009-01-13 08:53 0 a------- c:\windows\system32\null
2009-01-09 10:57 <DIR> --d----- c:\program files\Trend Micro
2009-01-09 10:34 161,792 a------- c:\windows\SWREG.exe
2009-01-09 10:34 98,816 a------- c:\windows\sed.exe
2009-01-09 10:12 <DIR> --d----- c:\docume~1\taraco~1\applic~1\Malwarebytes
2009-01-09 10:12 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-09 10:12 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-09 10:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-09 10:12 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-06 15:56 <DIR> --d----- C:\VundoFix Backups
2009-01-06 15:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-06 15:55 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-06 15:55 <DIR> --d----- c:\docume~1\taraco~1\applic~1\SUPERAntiSpyware.com
2009-01-06 15:54 5,824,544 a------- c:\program files\SUPERAntiSpyware.exe
2009-01-06 15:30 664 a------- c:\windows\system32\d3d9caps.dat
2009-01-06 10:16 5,092 a------- c:\windows\system32\Config.MPF
2009-01-06 10:16 2,126 a------- c:\windows\system32\wpa.dbl
2009-01-06 09:31 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-01-06 09:25 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-06 09:25 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-06 09:25 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-01-06 09:25 <DIR> --d----- c:\docume~1\taraco~1\applic~1\AVGTOOLBAR
2009-01-06 09:25 <DIR> --d----- c:\program files\AVG
2009-01-06 09:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-01-05 14:03 54,157,776 a------- c:\program files\avg_free_stf_en_8_176a1400.exe
2009-01-05 13:11 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-05 08:56 <DIR> --d----- c:\windows\system32\appmgmt

==================== Find3M ====================

2008-12-12 12:01 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-11-07 16:45 2,174,976 -------- c:\windows\system32\dllcache\WMVCore.dll
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys

============= FINISH: 13:20:07.89 ===============


Let me know if I completely did this wrong. I removed Ad-aware, so it's just SAS and AVG for now. Thanks for your help!


#6 tarablelawyer

tarablelawyer
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:34 AM

Posted 21 January 2009 - 01:37 PM

Here's a VirusTotal log, just for kicks and because work is slow right now:

File Config.MPF received on 01.21.2009 19:33:17 (CET)
Result: 0/39 (0%)

Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.21 -
AhnLab-V3 2009.1.21.2 2009.01.21 -
AntiVir 7.9.0.57 2009.01.21 -
Authentium 5.1.0.4 2009.01.21 -
Avast 4.8.1281.0 2009.01.21 -
AVG 8.0.0.229 2009.01.21 -
BitDefender 7.2 2009.01.21 -
CAT-QuickHeal 10.00 2009.01.21 -
ClamAV 0.94.1 2009.01.21 -
Comodo 940 2009.01.21 -
DrWeb 4.44.0.09170 2009.01.21 -
eSafe 7.0.17.0 2009.01.20 -
eTrust-Vet 31.6.6319 2009.01.21 -
F-Prot 4.4.4.56 2009.01.21 -
F-Secure 8.0.14470.0 2009.01.21 -
Fortinet 3.117.0.0 2009.01.15 -
GData 19 2009.01.21 -
Ikarus T3.1.1.45.0 2009.01.21 -
K7AntiVirus 7.10.598 2009.01.21 -
Kaspersky 7.0.0.125 2009.01.21 -
McAfee 5502 2009.01.21 -
McAfee+Artemis 5501 2009.01.20 -
Microsoft 1.4205 2009.01.21 -
NOD32 3786 2009.01.21 -
Norman 5.93.01 2009.01.21 -
nProtect 2009.1.8.0 2009.01.21 -
Panda 9.5.1.2 2009.01.21 -
PCTools 4.4.2.0 2009.01.21 -
Prevx1 V2 2009.01.21 -
Rising 21.13.22.00 2009.01.21 -
SecureWeb-Gateway 6.7.6 2009.01.21 -
Sophos 4.37.0 2009.01.21 -
Sunbelt 3.2.1835.2 2009.01.16 -
Symantec 10 2009.01.21 -
TheHacker 6.3.1.5.225 2009.01.21 -
TrendMicro 8.700.0.1004 2009.01.21 -
VBA32 3.12.8.10 2009.01.21 -
ViRobot 2009.1.21.1572 2009.01.21 -
VirusBuster 4.5.11.0 2009.01.21 -
Additional information
File size: 5092 bytes
MD5...: c4670a5405d1592cfca31c7c34301cd9
SHA1..: 3d0c827d4dc55e788004f23c5df741849f11d758
SHA256: 756b49bb6db7c4102cb28095edd77dd38d9a4a2911437ee4660c032322ee6381
SHA512: 29ff4747c128c5695e38fc5a5a6c16cb66c94e4b6d51456e4ca6867fb06480ba
8445a739727db7cc892f2c1dba293f9228a4b5ba12c2322ffc8880a888e1b2b4
ssdeep: 96:CfpFv23sa8AzDr1vHC/sM+bsa/X/D+H7ihIjay2K:ey2AzDrVHCFcXCH2em
PEiD..: -
TrID..: File type identification
MosASCII Project Workspace (100.0%)
PEInfo: -

#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:34 PM

Posted 22 January 2009 - 03:28 AM

Okay tarablelawyer, thanks for the logs. :thumbsup:

Please download ComboFix from one of these locations (if you already have ComboFix, then delete it and download again) :

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See this topic to find out how to disable your antivirus and firewall (post #1 and #2).
  • Double click on ComboFix.exe, and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

NOTE**ComboFix was intended to be used under the supervision of a helper, not for general use. This is a powerful tool which can permanently damage your computer.

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new DDS scan.

Thanks
m0le is a proud member of UNITE

#8 tarablelawyer

tarablelawyer
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:34 AM

Posted 22 January 2009 - 09:24 AM

Good morning and hello!
Here's my Combofix log; I wasn't sure if you wanted me to paste it or attach it to this post. I chose to paste it, because I am lazy. Anyhow, here it is:

ComboFix 09-01-21.02 - Tara Cottrill 2009-01-22 9:11:40.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1359 [GMT -5:00]
Running from: c:\documents and settings\Tara Cottrill\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: Total Protection Service *On-access scanning disabled* (Updated)
FW: Total Protection Service *enabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-12-22 to 2009-01-22 )))))))))))))))))))))))))))))))
.

2009-01-13 08:53 . 2009-01-20 08:53 0 --a------ c:\windows\system32\null
2009-01-09 10:57 . 2009-01-09 10:57 <DIR> d-------- c:\program files\Trend Micro
2009-01-09 10:12 . 2009-01-09 10:12 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-09 10:12 . 2009-01-09 10:12 <DIR> d-------- c:\documents and settings\Tara Cottrill\Application Data\Malwarebytes
2009-01-09 10:12 . 2009-01-09 10:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-09 10:12 . 2009-01-04 18:41 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-09 10:12 . 2009-01-04 18:41 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-06 15:56 . 2009-01-06 15:56 <DIR> d-------- C:\VundoFix Backups
2009-01-06 15:55 . 2009-01-06 15:55 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-06 15:55 . 2009-01-06 15:55 <DIR> d-------- c:\documents and settings\Tara Cottrill\Application Data\SUPERAntiSpyware.com
2009-01-06 15:55 . 2009-01-06 15:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-06 15:54 . 2009-01-06 15:54 5,824,544 --a------ c:\program files\SUPERAntiSpyware.exe
2009-01-06 15:30 . 2009-01-09 09:35 664 --a------ c:\windows\system32\d3d9caps.dat
2009-01-06 10:16 . 2009-01-06 10:16 <DIR> d-------- c:\documents and settings\Harry Tun\Application Data\AVGTOOLBAR
2009-01-06 10:16 . 2009-01-22 09:06 5,092 --a------ c:\windows\system32\Config.MPF
2009-01-06 10:16 . 2009-01-06 10:16 2,126 --a------ c:\windows\system32\wpa.dbl
2009-01-06 09:31 . 2009-01-20 12:27 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-06 09:25 . 2009-01-22 09:10 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-06 09:25 . 2009-01-06 09:25 <DIR> d-------- c:\program files\AVG
2009-01-06 09:25 . 2009-01-09 10:29 <DIR> d-------- c:\documents and settings\Tara Cottrill\Application Data\AVGTOOLBAR
2009-01-06 09:25 . 2009-01-06 09:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-06 09:25 . 2009-01-06 09:25 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-06 09:25 . 2009-01-06 09:25 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-05 14:03 . 2009-01-05 14:06 54,157,776 --a------ c:\program files\avg_free_stf_en_8_176a1400.exe
2009-01-05 13:12 . 2009-01-21 13:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-05 13:11 . 2009-01-21 13:08 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-15 08:00 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-09 15:02 --------- d-----r c:\documents and settings\Harry Tun\Application Data\BeInSync Settings
2009-01-05 14:00 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-02 17:17 --------- d-----w c:\documents and settings\Tara Cottrill\Application Data\Roxio
2008-11-07 21:45 2,174,976 ------w c:\windows\system32\dllcache\WMVCore.dll
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-09_10.40.22.75 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-12 08:03:26 20,240 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-01-15 08:00:36 20,240 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-12-12 08:03:26 217,864 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\misc.exe
+ 2009-01-15 08:00:36 217,864 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\misc.exe
- 2008-12-12 08:03:26 18,704 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-01-15 08:00:36 18,704 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-12-12 08:03:26 35,088 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-01-15 08:00:36 35,088 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-12-12 08:03:26 845,584 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-01-15 08:00:35 845,584 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\outicon.exe
- 2008-12-12 08:03:26 922,384 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-01-15 08:00:35 922,384 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\pptico.exe
- 2008-12-12 08:03:26 272,648 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-01-15 08:00:36 272,648 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\pubs.exe
- 2008-12-12 08:03:26 888,080 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-01-15 08:00:36 888,080 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-12-12 08:03:26 1,172,240 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-01-15 08:00:35 1,172,240 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\xlicons.exe
- 2000-08-31 13:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2008-12-09 23:24:37 17,593,280 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BeInSyncConflict]
@="{458829D6-C79F-4A99-897C-0DA32AB1A619}"
[HKEY_CLASSES_ROOT\CLSID\{458829D6-C79F-4A99-897C-0DA32AB1A619}]
2008-01-15 19:05 141312 --a------ c:\progra~1\BeInSync\BISShellEx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BeInSyncConflictUnsync]
@="{278A95EA-3EAE-4BCE-9986-0A86A98B1407}"
[HKEY_CLASSES_ROOT\CLSID\{278A95EA-3EAE-4BCE-9986-0A86A98B1407}]
2008-01-15 19:05 141312 --a------ c:\progra~1\BeInSync\BISShellEx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BeInSyncUnsync]
@="{6E80B8CC-6741-4362-A7E1-467763FC6297}"
[HKEY_CLASSES_ROOT\CLSID\{6E80B8CC-6741-4362-A7E1-467763FC6297}]
2008-01-15 19:05 141312 --a------ c:\progra~1\BeInSync\BISShellEx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-10 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-28 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"McAfee Managed Services Tray"="c:\program files\McAfee\Managed VirusScan\Agent\StartMyAgtTry.Exe" [2008-02-23 87360]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-11-11 995328]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{561F5138-43B1-45D9-AEC9-478C51C1BD09}"= "c:\progra~1\BeInSync\BISShellEx.dll" [2008-01-15 141312]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\BeInSync\\BeInSyncServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-06 97928]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-06 231704]
R4 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
R4 EngineServer;EngineServer;c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe [2008-07-22 14144]
R4 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [2008-07-22 169280]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-01-09 38496]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Tara Cottrill\Application Data\Mozilla\Firefox\Profiles\luiw1g7t.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-22 09:12:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\DJZERO]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\JKWL]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\metajuan]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000
"LBL"=hex:00,00,00,00,00,00,00,00
"MN"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\meta_mg]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\profiling4]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:e6,80,85,aa,67,72,c9,01
"CNT"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\superjuan]
@DACL=(02 0000)
"LTM"=hex:c0,15,5f,b4,6a,72,c9,01
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000003

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\TrackDJuan]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-01-22 9:13:24
ComboFix-quarantined-files.txt 2009-01-22 14:13:22
ComboFix2.txt 2009-01-16 15:20:57
ComboFix3.txt 2009-01-09 16:33:01
ComboFix4.txt 2009-01-09 16:25:49
ComboFix5.txt 2009-01-22 14:10:44

Pre-Run: 304,209,027,072 bytes free
Post-Run: 304,203,563,008 bytes free

208 --- E O F --- 2009-01-15 08:00:38




And here is a new DDS log:

DDS (Version 1.1.0) - NTFSx86
Run by Tara Cottrill at 9:17:51.95 on Thu 01/22/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1458 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: Total Protection Service *On-access scanning disabled* (Updated)
FW: Total Protection Service *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgttry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tara Cottrill\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TB: BeInSync: {4f2530ba-8c1d-4a6a-8ba0-74e93adc9b12} - c:\progra~1\beinsync\BISShellEx.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [McAfee Managed Services Tray] c:\program files\mcafee\managed virusscan\agent\StartMyAgtTry.Exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: {EE84A04D-8992-4b19-970F-6EA7A01F7331} - {4F2530BA-8C1D-4A6A-8BA0-74E93ADC9B12} - c:\progra~1\beinsync\BISShellEx.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} - c:\program files\mcafee\managed virusscan\agent\myRmProt4.7.0.566.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: DPDblHook Class: {561f5138-43b1-45d9-aec9-478c51c1bd09} - c:\progra~1\beinsync\BISShellEx.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\taraco~1\applic~1\mozilla\firefox\profiles\luiw1g7t.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - HiddenExtension: XUL Cache: {089C0B1B-BA65-4414-BAB7-EDB86F35224A} - c:\windows\system32\config\systemprofile\local settings\application data\{089c0b1b-ba65-4414-bab7-edb86f35224a}\

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-6 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-6 26824]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-7-22 201320]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-2-26 29183504]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-6 231704]
R4 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
R4 EngineServer;EngineServer;c:\program files\mcafee\managed virusscan\vscan\EngineServer.exe [2008-7-22 14144]
R4 McAfee HackerWatch Service;McAfee HackerWatch Service;c:\program files\common files\mcafee\hackerwatch\HWAPI.exe [2008-7-22 540776]
R4 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [2008-7-22 169280]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-1-9 38496]
S3 McShield;McShield;c:\program files\mcafee\managed virusscan\vscan\McShield.exe [2008-7-22 144704]
S3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\MfeAVFK.sys [2008-7-22 79304]
S3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\MfeBOPK.sys [2008-7-22 35240]
S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\MfeRKDK.sys [2008-7-22 33832]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]

=============== Created Last 30 ================

2009-01-22 09:10 <DIR> --d----- C:\ComboFix
2009-01-13 08:53 0 a------- c:\windows\system32\null
2009-01-09 10:57 <DIR> --d----- c:\program files\Trend Micro
2009-01-09 10:34 161,792 a------- c:\windows\SWREG.exe
2009-01-09 10:34 98,816 a------- c:\windows\sed.exe
2009-01-09 10:12 <DIR> --d----- c:\docume~1\taraco~1\applic~1\Malwarebytes
2009-01-09 10:12 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-09 10:12 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-09 10:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-09 10:12 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-06 15:56 <DIR> --d----- C:\VundoFix Backups
2009-01-06 15:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-06 15:55 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-06 15:55 <DIR> --d----- c:\docume~1\taraco~1\applic~1\SUPERAntiSpyware.com
2009-01-06 15:54 5,824,544 a------- c:\program files\SUPERAntiSpyware.exe
2009-01-06 15:30 664 a------- c:\windows\system32\d3d9caps.dat
2009-01-06 10:16 5,092 a------- c:\windows\system32\Config.MPF
2009-01-06 10:16 2,126 a------- c:\windows\system32\wpa.dbl
2009-01-06 09:31 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-01-06 09:25 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-06 09:25 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-06 09:25 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-01-06 09:25 <DIR> --d----- c:\docume~1\taraco~1\applic~1\AVGTOOLBAR
2009-01-06 09:25 <DIR> --d----- c:\program files\AVG
2009-01-06 09:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-01-05 14:03 54,157,776 a------- c:\program files\avg_free_stf_en_8_176a1400.exe
2009-01-05 13:11 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-05 08:56 <DIR> --d----- c:\windows\system32\appmgmt

==================== Find3M ====================

2008-12-12 12:01 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-11-07 16:45 2,174,976 -------- c:\windows\system32\dllcache\WMVCore.dll

============= FINISH: 9:17:57.34 ===============


Thanks for the help and have a good day!



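The ComboFix log above lists seven subkeys under HKLM\software\Microsoft\MS Juan as "LOCKED REGISTRY KEYS". Such keys are protected by a restrictive DACL so that scanners and the logged-on user cannot read or delete them, which is why they keep coming back after SUPERAntiSpyware quarantines the files. The following is an added check, not code from this thread or from ComboFix: it enumerates the subkeys of the parent key named in the log (enumeration happens on the parent, so a subkey shows up even when it cannot itself be opened), asks each for READ_CONTROL only, and reports its owner and ACEs, flagging any Deny entry or a DACL that grants neither Administrators nor SYSTEM access. It reads only and changes nothing. It assumes PowerShell 2.0 or later, an elevated prompt, and the parent path exactly as ComboFix printed it.

```powershell
# Added example: inspect the DACL of the registry keys ComboFix listed as locked.
# Parent path taken from the ComboFix log in this thread. Read-only.
$parentPath = 'SOFTWARE\Microsoft\MS Juan'

function Get-SubKeyAclReport {
    param([string]$ParentPath)

    $hklm   = [Microsoft.Win32.Registry]::LocalMachine
    $parent = $hklm.OpenSubKey($ParentPath)
    if ($null -eq $parent) { return @() }

    $reports = foreach ($name in $parent.GetSubKeyNames()) {
        $r = New-Object PSObject -Property @{
            Key = "HKLM\$ParentPath\$name"; Readable = $false; Owner = $null; Deny = @(); Allow = @()
        }
        try {
            # Request READ_CONTROL only. A DACL that withholds even that is what
            # makes the key "locked" for the user and for most removal tools.
            $k = $parent.OpenSubKey($name,
                [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree,
                [System.Security.AccessControl.RegistryRights]::ReadPermissions)
            $sec = $k.GetAccessControl()
            $r.Readable = $true
            try   { $r.Owner = $sec.GetOwner([System.Security.Principal.NTAccount]).Value }
            catch { $r.Owner = $sec.GetOwner([System.Security.Principal.SecurityIdentifier]).Value }
            foreach ($ace in $sec.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
                $entry = '{0} : {1}' -f $ace.IdentityReference.Value, $ace.RegistryRights
                if ($ace.AccessControlType -eq 'Deny') { $r.Deny += $entry } else { $r.Allow += $entry }
            }
            $k.Close()
        } catch {
            # Open or GetAccessControl refused: this token cannot read the DACL at all.
        }
        $r
    }
    $parent.Close()
    return $reports
}

$reports = @(Get-SubKeyAclReport -ParentPath $parentPath)
if ($reports.Count -eq 0) { "HKLM\$parentPath : not present or has no subkeys" }
foreach ($r in $reports) {
    if (-not $r.Readable) {
        "{0}`n  LOCKED: this token cannot read the key's DACL" -f $r.Key
        continue
    }
    "{0}`n  owner: {1}" -f $r.Key, $r.Owner
    $r.Deny  | ForEach-Object { "  DENY  $_" }
    $r.Allow | ForEach-Object { "  allow $_" }
    $adminAllow = @($r.Allow | Where-Object { $_ -match 'Administrators|SYSTEM' })
    if ($r.Deny.Count -gt 0 -or $adminAllow.Count -eq 0) {
        "  FLAGGED: Deny entry present, or neither Administrators nor SYSTEM is allowed"
    }
}
```

A key reported as LOCKED or FLAGGED is not beyond reach: a member of Administrators holds SeTakeOwnershipPrivilege, can open the key for WRITE_OWNER regardless of the DACL, take ownership and then rewrite the DACL. That is the reset that ComboFix and similar tools perform under a helper's direction; do it by hand only if asked to, since the same keys are the ones the helper will use to judge the removal.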

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:34 PM

Posted 22 January 2009 - 12:55 PM

Hi tarablelawyer and thanks for the log,

The log shows that the very important Recovery Console was not installed.

Do not run Combofix again until this problem is resolved.

The Recovery Console must be installed as Combofix is a powerful tool and if something were lost without backups it could damage your computer immensely. Can you try and install it again please.

Please follow the Recovery Console instructions here and let me know if that helps.


If you don't have the recovery disk then read on.

ComboFix includes a method of installing the Windows Recovery console by downloading a file from Microsoft. To install the Windows Recovery Console when you do not have the Windows XP CD, please follow these instructions:

1. Click on the following link to go to Microsoft's Web site:

http://support.microsoft.com/kb/310994

2. At that page, scroll down and click on the appropriate download for your version of Windows XP (Home or Professional) and the service pack level that you have installed. When you click on the link to download the file, make sure you save it directly to your desktop. If you are using Windows XP Service Pack 3 (SP3), then select the Service Pack 2 download. If you are using Windows XP Media Center, then you should select the Windows XP Pro Service Pack 2 download. If you are unsure what version of Windows you have and what Service Pack is installed, you can follow these instructions to gain that information.

1. Click on the Start button.
2. Click on the Run menu option.
3. In the Open: field type the following: sysdm.cpl and then click on the OK button.
4. A screen will appear showing information about your installation. Under the System: category you should see your Windows version and the installed Service Pack. When you are done determining this information continue with Step 2.

3. Once the Microsoft file has finished downloading, you should drag it on top of the ComboFix icon and let your mouse button go.

4. ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Windows Recovery Console has finished installing, ComboFix will open a prompt stating that it was installed and asking if you would like to proceed with scanning your computer. Press Yes and post the new log in your next reply. Then we should be clear to start fixing your computer. :thumbsup:
m0le is a proud member of UNITE
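The only evidence so far that the Recovery Console is missing is the "WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED" line in the ComboFix log. An installed console on Windows XP leaves two traces that can be checked directly: a C:\cmdcons folder containing BOOTSECT.DAT, and an entry in the [operating systems] section of boot.ini that carries the /cmdcons switch. The following is an added check, not code from this thread or from ComboFix. The function reads the live boot.ini by default, or parses lines handed to it, so the constructed sample at the end shows what a positive result looks like without touching the machine. It assumes PowerShell 2.0 or later and that the system drive is C:.

```powershell
# Added example: confirm Recovery Console installation independently of ComboFix.
function Test-RecoveryConsole {
    param(
        [string]$SystemDrive = 'C:',
        [string[]]$BootIniLines = $null   # lines to parse; $null means read the live file
    )
    if ($null -eq $BootIniLines) {
        $bootIni = Join-Path $SystemDrive 'boot.ini'
        $BootIniLines = Get-Content -LiteralPath $bootIni -ErrorAction SilentlyContinue
    }

    # Walk the INI sections; only entries under [operating systems] count.
    $inOsSection = $false
    $bootEntry   = $null
    foreach ($line in $BootIniLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inOsSection = ($matches[1] -ieq 'operating systems'); continue }
        if ($inOsSection -and $t -match '/cmdcons') { $bootEntry = $t; break }
    }

    $bootsect = Test-Path -LiteralPath (Join-Path $SystemDrive 'cmdcons\BOOTSECT.DAT')
    New-Object PSObject -Property @{
        BootIniEntry   = $bootEntry
        CmdconsPresent = $bootsect
        Installed      = (($null -ne $bootEntry) -and $bootsect)
    }
}

# Constructed sample (not from this machine) of a boot.ini after the console is installed.
$sample = @(
    '[boot loader]',
    'timeout=30',
    'default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS',
    '[operating systems]',
    'multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect',
    'C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons'
)
(Test-RecoveryConsole -BootIniLines $sample).BootIniEntry   # the /cmdcons entry from the sample

Test-RecoveryConsole | Format-List                           # live check on this machine
```

Installed is true only when both traces are present. A boot.ini entry without the folder means the loader would offer a console that cannot start; a folder without the entry means it will never be offered at boot. Either half-state should be reported to the helper before running ComboFix again.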

#10 tarablelawyer

tarablelawyer
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:34 AM

Posted 22 January 2009 - 01:30 PM

Hey there m0le,
I was a little confused, but I think I powered through this Recovery Console thing just fine. Here's my Combofix log:

ComboFix 09-01-21.04 - Tara Cottrill 2009-01-22 13:21:00.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1330 [GMT -5:00]
Running from: c:\documents and settings\Tara Cottrill\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: Total Protection Service *On-access scanning disabled* (Updated)
FW: Total Protection Service *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-22 to 2009-01-22 )))))))))))))))))))))))))))))))
.

2009-01-13 08:53 . 2009-01-20 08:53 0 --a------ c:\windows\system32\null
2009-01-09 10:57 . 2009-01-09 10:57 <DIR> d-------- c:\program files\Trend Micro
2009-01-09 10:12 . 2009-01-09 10:12 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-09 10:12 . 2009-01-09 10:12 <DIR> d-------- c:\documents and settings\Tara Cottrill\Application Data\Malwarebytes
2009-01-09 10:12 . 2009-01-09 10:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-09 10:12 . 2009-01-04 18:41 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-09 10:12 . 2009-01-04 18:41 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-06 15:56 . 2009-01-06 15:56 <DIR> d-------- C:\VundoFix Backups
2009-01-06 15:55 . 2009-01-06 15:55 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-06 15:55 . 2009-01-06 15:55 <DIR> d-------- c:\documents and settings\Tara Cottrill\Application Data\SUPERAntiSpyware.com
2009-01-06 15:55 . 2009-01-06 15:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-06 15:54 . 2009-01-06 15:54 5,824,544 --a------ c:\program files\SUPERAntiSpyware.exe
2009-01-06 15:30 . 2009-01-09 09:35 664 --a------ c:\windows\system32\d3d9caps.dat
2009-01-06 10:16 . 2009-01-06 10:16 <DIR> d-------- c:\documents and settings\Harry Tun\Application Data\AVGTOOLBAR
2009-01-06 10:16 . 2009-01-22 13:18 4,982 --a------ c:\windows\system32\Config.MPF
2009-01-06 10:16 . 2009-01-06 10:16 2,126 --a------ c:\windows\system32\wpa.dbl
2009-01-06 09:31 . 2009-01-20 12:27 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-06 09:25 . 2009-01-22 09:10 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-06 09:25 . 2009-01-06 09:25 <DIR> d-------- c:\program files\AVG
2009-01-06 09:25 . 2009-01-09 10:29 <DIR> d-------- c:\documents and settings\Tara Cottrill\Application Data\AVGTOOLBAR
2009-01-06 09:25 . 2009-01-06 09:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-06 09:25 . 2009-01-06 09:25 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-06 09:25 . 2009-01-06 09:25 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-05 14:03 . 2009-01-05 14:06 54,157,776 --a------ c:\program files\avg_free_stf_en_8_176a1400.exe
2009-01-05 13:12 . 2009-01-21 13:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-05 13:11 . 2009-01-21 13:08 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-15 08:00 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-09 15:02 --------- d-----r c:\documents and settings\Harry Tun\Application Data\BeInSync Settings
2009-01-05 14:00 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-02 17:17 --------- d-----w c:\documents and settings\Tara Cottrill\Application Data\Roxio
2008-11-07 21:45 2,174,976 ------w c:\windows\system32\dllcache\WMVCore.dll
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-09_10.40.22.75 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-12 08:03:26 20,240 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-01-15 08:00:36 20,240 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-12-12 08:03:26 217,864 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\misc.exe
+ 2009-01-15 08:00:36 217,864 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\misc.exe
- 2008-12-12 08:03:26 18,704 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-01-15 08:00:36 18,704 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-12-12 08:03:26 35,088 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-01-15 08:00:36 35,088 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-12-12 08:03:26 845,584 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-01-15 08:00:35 845,584 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\outicon.exe
- 2008-12-12 08:03:26 922,384 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-01-15 08:00:35 922,384 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\pptico.exe
- 2008-12-12 08:03:26 272,648 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-01-15 08:00:36 272,648 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\pubs.exe
- 2008-12-12 08:03:26 888,080 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-01-15 08:00:36 888,080 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-12-12 08:03:26 1,172,240 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-01-15 08:00:35 1,172,240 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\xlicons.exe
- 2000-08-31 13:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2008-12-09 23:24:37 17,593,280 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BeInSyncConflict]
@="{458829D6-C79F-4A99-897C-0DA32AB1A619}"
[HKEY_CLASSES_ROOT\CLSID\{458829D6-C79F-4A99-897C-0DA32AB1A619}]
2008-01-15 19:05 141312 --a------ c:\progra~1\BeInSync\BISShellEx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BeInSyncConflictUnsync]
@="{278A95EA-3EAE-4BCE-9986-0A86A98B1407}"
[HKEY_CLASSES_ROOT\CLSID\{278A95EA-3EAE-4BCE-9986-0A86A98B1407}]
2008-01-15 19:05 141312 --a------ c:\progra~1\BeInSync\BISShellEx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BeInSyncUnsync]
@="{6E80B8CC-6741-4362-A7E1-467763FC6297}"
[HKEY_CLASSES_ROOT\CLSID\{6E80B8CC-6741-4362-A7E1-467763FC6297}]
2008-01-15 19:05 141312 --a------ c:\progra~1\BeInSync\BISShellEx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-10 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-28 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"McAfee Managed Services Tray"="c:\program files\McAfee\Managed VirusScan\Agent\StartMyAgtTry.Exe" [2008-02-23 87360]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-11-11 995328]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{561F5138-43B1-45D9-AEC9-478C51C1BD09}"= "c:\progra~1\BeInSync\BISShellEx.dll" [2008-01-15 141312]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\BeInSync\\BeInSyncServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-06 97928]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-06 231704]
R4 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
R4 EngineServer;EngineServer;c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe [2008-07-22 14144]
R4 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [2008-07-22 169280]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-01-09 38496]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Tara Cottrill\Application Data\Mozilla\Firefox\Profiles\luiw1g7t.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-22 13:21:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\DJZERO]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\JKWL]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\metajuan]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000
"LBL"=hex:00,00,00,00,00,00,00,00
"MN"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\meta_mg]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\profiling4]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:e6,80,85,aa,67,72,c9,01
"CNT"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\superjuan]
@DACL=(02 0000)
"LTM"=hex:c0,15,5f,b4,6a,72,c9,01
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000003

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\TrackDJuan]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-01-22 13:22:37
ComboFix-quarantined-files.txt 2009-01-22 18:22:35
ComboFix2.txt 2009-01-22 14:13:25
ComboFix3.txt 2009-01-16 15:20:57
ComboFix4.txt 2009-01-09 16:33:01
ComboFix5.txt 2009-01-22 18:08:09

Pre-Run: 304,152,559,616 bytes free
Post-Run: 304,142,852,096 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

214 --- E O F --- 2009-01-15 08:00:38



Thanks!
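An added example, not from this thread or from ComboFix: a small Python parser for the "LOCKED REGISTRY KEYS" section of a ComboFix log like the one above. It decodes the 8-byte LTM/CDY values as Windows FILETIMEs and flags the keys under the "MS Juan" subtree that the thread identifies with the infection, so an analyst can see which components actually ran. The sample section is constructed (the two MS Juan keys are copied from the log above; the Example\Legit key is made up).

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of ComboFix's "LOCKED REGISTRY KEYS" section.
# The two "MS Juan" keys are copied from the log in this thread; the "Example\Legit"
# key is a made-up benign entry so the triage has something to leave alone.
SAMPLE_LOG = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\superjuan]
@DACL=(02 0000)
"LTM"=hex:c0,15,5f,b4,6a,72,c9,01
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000003

[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan\DJZERO]
@DACL=(02 0000)
"LTM"=hex:00,00,00,00,00,00,00,00
"CDY"=hex:00,00,00,00,00,00,00,00
"CNT"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Example\Legit]
@DACL=(02 0000)
"CNT"=dword:00000001
.
--------------------- DLLs Loaded Under Running Processes ---------------------
"""

# Markers this thread identifies with the infection (Vundo / Virtumonde keeps its
# bookkeeping under an innocent-looking "MS Juan" subtree).
SUSPECT_MARKERS = ("\\MS Juan\\",)

KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<kind>hex|dword):(?P<data>[0-9a-fA-F,]+)$')


def parse_locked_keys(text):
    """Return {key_path: {value_name: (kind, raw_data)}} for the locked-keys section."""
    keys, current, in_section = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("---------------------"):
            # Section banners look like "----- NAME -----"; only one of them is ours.
            in_section = "LOCKED REGISTRY KEYS" in line
            current = None
            continue
        if not in_section:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys[current] = {}
            continue
        if current is None:
            continue
        if line.startswith("@DACL="):
            keys[current]["@DACL"] = ("dacl", line[len("@DACL="):])
            continue
        m = VALUE_RE.match(line)
        if m:
            keys[current][m.group("name")] = (m.group("kind"), m.group("data"))
    return keys


def filetime_from_hex(data):
    """Decode a REG_BINARY 'hex:c0,15,...' value as a little-endian Windows FILETIME.

    FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC; an all-zero value
    means 'never written' and is returned as None.
    """
    raw = bytes(int(b, 16) for b in data.split(","))
    ticks = int.from_bytes(raw, "little")
    if ticks == 0:
        return None
    return datetime(1601, 1, 1) + timedelta(microseconds=ticks // 10)


def triage(keys, markers=SUSPECT_MARKERS):
    """Pick out locked keys under a suspect marker and decode their LTM/CDY/CNT values.

    A key is 'active' if its counter is non-zero or either timestamp was ever written,
    which tells the analyst which components of the infection actually ran.
    """
    findings = []
    for path, values in keys.items():
        if not any(m.lower() in path.lower() for m in markers):
            continue
        ltm = filetime_from_hex(values["LTM"][1]) if "LTM" in values else None
        cdy = filetime_from_hex(values["CDY"][1]) if "CDY" in values else None
        cnt = int(values["CNT"][1], 16) if "CNT" in values else 0
        findings.append({
            "key": path,
            "ltm": ltm,
            "cdy": cdy,
            "cnt": cnt,
            "active": cnt > 0 or ltm is not None or cdy is not None,
        })
    return findings


if __name__ == "__main__":
    for f in triage(parse_locked_keys(SAMPLE_LOG)):
        state = "ACTIVE" if f["active"] else "dormant"
        print(f"{state:8} cnt={f['cnt']} ltm={f['ltm']} cdy={f['cdy']}  {f['key']}")
```

On the sample, superjuan decodes to a last-touched time of 2009-01-09 14:58 UTC (09:58 local for this GMT-5 machine), the same morning the Jan 9 scans in this thread were run.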

#11 m0le
    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 23 January 2009 - 11:54 AM

Hi tarablelawyer,

Please make sure that you only run Combofix when asked to do so. The log shows that you have run it nine times.

Okay, we are going to run a script to delete items in your registry that have been added by the infection. Before that though we have to make sure the registry is backed up just in case.

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Now we are going to run the script.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

REGLOCK::
[HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan]

REGISTRY::
[-HKEY_LOCAL_MACHINE\software\Microsoft\MS Juan]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE

#12 tarablelawyer
  • Topic Starter

  • Members
  • 9 posts

Posted 23 January 2009 - 02:42 PM

Hey m0le, thanks for your help today. After completing all your steps, here's my log:

ComboFix 09-01-21.04 - Tara Cottrill 2009-01-23 14:33:14.10 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1457 [GMT -5:00]
Running from: c:\documents and settings\Tara Cottrill\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tara Cottrill\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: Total Protection Service *On-access scanning disabled* (Updated)
FW: Total Protection Service *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-23 to 2009-01-23 )))))))))))))))))))))))))))))))
.

2009-01-13 08:53 . 2009-01-20 08:53 0 --a------ c:\windows\system32\null
2009-01-09 10:57 . 2009-01-09 10:57 <DIR> d-------- c:\program files\Trend Micro
2009-01-09 10:12 . 2009-01-09 10:12 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-09 10:12 . 2009-01-09 10:12 <DIR> d-------- c:\documents and settings\Tara Cottrill\Application Data\Malwarebytes
2009-01-09 10:12 . 2009-01-09 10:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-09 10:12 . 2009-01-04 18:41 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-09 10:12 . 2009-01-04 18:41 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-06 15:56 . 2009-01-06 15:56 <DIR> d-------- C:\VundoFix Backups
2009-01-06 15:55 . 2009-01-06 15:55 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-06 15:55 . 2009-01-06 15:55 <DIR> d-------- c:\documents and settings\Tara Cottrill\Application Data\SUPERAntiSpyware.com
2009-01-06 15:55 . 2009-01-06 15:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-06 15:54 . 2009-01-06 15:54 5,824,544 --a------ c:\program files\SUPERAntiSpyware.exe
2009-01-06 15:30 . 2009-01-09 09:35 664 --a------ c:\windows\system32\d3d9caps.dat
2009-01-06 10:16 . 2009-01-06 10:16 <DIR> d-------- c:\documents and settings\Harry Tun\Application Data\AVGTOOLBAR
2009-01-06 10:16 . 2009-01-22 13:18 4,982 --a------ c:\windows\system32\Config.MPF
2009-01-06 10:16 . 2009-01-06 10:16 2,126 --a------ c:\windows\system32\wpa.dbl
2009-01-06 09:31 . 2009-01-20 12:27 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-06 09:25 . 2009-01-23 09:03 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-06 09:25 . 2009-01-06 09:25 <DIR> d-------- c:\program files\AVG
2009-01-06 09:25 . 2009-01-09 10:29 <DIR> d-------- c:\documents and settings\Tara Cottrill\Application Data\AVGTOOLBAR
2009-01-06 09:25 . 2009-01-06 09:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-06 09:25 . 2009-01-06 09:25 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-06 09:25 . 2009-01-06 09:25 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-05 14:03 . 2009-01-05 14:06 54,157,776 --a------ c:\program files\avg_free_stf_en_8_176a1400.exe
2009-01-05 13:12 . 2009-01-21 13:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-05 13:11 . 2009-01-21 13:08 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-15 08:00 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-09 15:02 --------- d-----r c:\documents and settings\Harry Tun\Application Data\BeInSync Settings
2009-01-05 14:00 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-02 17:17 --------- d-----w c:\documents and settings\Tara Cottrill\Application Data\Roxio
2008-11-07 21:45 2,174,976 ------w c:\windows\system32\dllcache\WMVCore.dll
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-09_10.40.22.75 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\1-23-2009\ERDNT.EXE
+ 2009-01-23 19:30:33 1,986,560 ----a-w c:\windows\ERDNT\1-23-2009\Users\00000001\NTUSER.DAT
+ 2009-01-23 19:30:33 159,744 ----a-w c:\windows\ERDNT\1-23-2009\Users\00000002\UsrClass.dat
- 2008-12-12 08:03:26 20,240 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-01-15 08:00:36 20,240 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-12-12 08:03:26 217,864 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\misc.exe
+ 2009-01-15 08:00:36 217,864 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\misc.exe
- 2008-12-12 08:03:26 18,704 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-01-15 08:00:36 18,704 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-12-12 08:03:26 35,088 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-01-15 08:00:36 35,088 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-12-12 08:03:26 845,584 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-01-15 08:00:35 845,584 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\outicon.exe
- 2008-12-12 08:03:26 922,384 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-01-15 08:00:35 922,384 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\pptico.exe
- 2008-12-12 08:03:26 272,648 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-01-15 08:00:36 272,648 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\pubs.exe
- 2008-12-12 08:03:26 888,080 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-01-15 08:00:36 888,080 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-12-12 08:03:26 1,172,240 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-01-15 08:00:35 1,172,240 ----a-r c:\windows\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\xlicons.exe
- 2000-08-31 13:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2008-12-09 23:24:37 17,593,280 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BeInSyncConflict]
@="{458829D6-C79F-4A99-897C-0DA32AB1A619}"
[HKEY_CLASSES_ROOT\CLSID\{458829D6-C79F-4A99-897C-0DA32AB1A619}]
2008-01-15 19:05 141312 --a------ c:\progra~1\BeInSync\BISShellEx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BeInSyncConflictUnsync]
@="{278A95EA-3EAE-4BCE-9986-0A86A98B1407}"
[HKEY_CLASSES_ROOT\CLSID\{278A95EA-3EAE-4BCE-9986-0A86A98B1407}]
2008-01-15 19:05 141312 --a------ c:\progra~1\BeInSync\BISShellEx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BeInSyncUnsync]
@="{6E80B8CC-6741-4362-A7E1-467763FC6297}"
[HKEY_CLASSES_ROOT\CLSID\{6E80B8CC-6741-4362-A7E1-467763FC6297}]
2008-01-15 19:05 141312 --a------ c:\progra~1\BeInSync\BISShellEx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-10 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-28 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"McAfee Managed Services Tray"="c:\program files\McAfee\Managed VirusScan\Agent\StartMyAgtTry.Exe" [2008-02-23 87360]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-11-11 995328]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{561F5138-43B1-45D9-AEC9-478C51C1BD09}"= "c:\progra~1\BeInSync\BISShellEx.dll" [2008-01-15 141312]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\BeInSync\\BeInSyncServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-06 97928]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-06 231704]
R4 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
R4 EngineServer;EngineServer;c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe [2008-07-22 14144]
R4 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [2008-07-22 169280]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-01-09 38496]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Tara Cottrill\Application Data\Mozilla\Firefox\Profiles\luiw1g7t.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-23 14:34:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-01-23 14:34:55
ComboFix-quarantined-files.txt 2009-01-23 19:34:53
ComboFix2.txt 2009-01-22 18:22:38
ComboFix3.txt 2009-01-22 14:13:25
ComboFix4.txt 2009-01-16 15:20:57
ComboFix5.txt 2009-01-23 19:32:52

Pre-Run: 304,111,390,720 bytes free
Post-Run: 304,100,483,072 bytes free

175 --- E O F --- 2009-01-15 08:00:38


Thanks again!

#13 m0le
    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 23 January 2009 - 04:03 PM

Hi tarablelawyer,

Thanks again!


You’re welcome. How’s the computer running? It should be freeing up nicely after the last post. :thumbsup:

Next we’ll do a quick scan to clear up any leftovers.

Please download Malwarebytes Anti-Malware (v1.32) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
m0le is a proud member of UNITE

#14 tarablelawyer
  • Topic Starter

  • Members
  • 9 posts

Posted 23 January 2009 - 04:15 PM

Hey m0le, you appear to be a genius/savior. Here's my log:

Malwarebytes' Anti-Malware 1.33
Database version: 1684
Windows 5.1.2600 Service Pack 3

1/23/2009 4:09:59 PM
mbam-log-2009-01-23 (16-09-59).txt

Scan type: Quick Scan
Objects scanned: 60581
Time elapsed: 1 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


My computer is behaving so much better! Do you think it will stop redirecting me to different html's now? And what antivirus program do you recommend?

Thanks for everything!

#15 m0le
    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 24 January 2009 - 05:27 AM

Great news, tarablelawyer. Your computer is clean. :)

You will find that without the Vundo infection you won't be getting redirected all over the place.

I'm neither a saviour nor a genius; this is a team effort at Bleeping Computer, but thanks anyway :thumbsup:

Just before you go we need to tidy up a bit.

Hiding Hidden Files
Please set your system to hide all hidden files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Purging System Restore Points
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Here's some useful advice, including Bleeping Computer's recommendations for antiviruses and antispyware. The ones you have are fine though.

One of the most common questions found when cleaning Spyware or other Malware is "how did my machine get infected?". There are a variety of reasons, but the most common ones are that you are visiting sites without practicing Safe Internet, you are not running the proper security software, and that your computer's security settings are set too low.

Below I have outlined a series of categories that outline how you can increase the security of your computer so that you will not be infected again in the future.


It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online and stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources


Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Use a Firewall

I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.

Tutorials on using these programs can be found below:

Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer


Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Thanks for your excellent co-operation, tarablelawyer.

Happy surfing!

m0le
m0le is a proud member of UNITE