
Google Hijack (IE)


  • This topic is locked
21 replies to this topic

#1 wiggy

  • Members
  • 21 posts

Posted 21 January 2009 - 07:52 PM

Apparently I was hosting a malware party yesterday! At any rate, I've run Malwarebytes 2x today, along with the MicroTrends office scan that my company provides. I seem to be clear of almost all of the problems, but I still have the Google hijack giving me nightmares.

I'm attaching the log below and any help is greatly appreciated. Thanks in advance.


DDS (Ver_09-01-18.01) - NTFSx86
Run by sniehoff at 17:26:21.01 on Wed 01/21/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2015.1281 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\System32\svchost.exe -k Cognizance
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SafeBoot\SbClientManager.exe
C:\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\WINDOWS\system32\ifxspmgt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
c:\WINDOWS\system32\IfxPsdSv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\FALCON\Svc\SvcFALCON.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
C:\WINDOWS\TEMP\RU31AC.EXE
c:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Altiris\AClient\AClntUsr.EXE
C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\WINDOWS\system32\ctfmon.exe
c:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\sniehoff\Local Settings\Temporary Internet Files\Content.IE5\RJXFXAIM\HiJackThis[1].exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\mobsync.exe
C:\Documents and Settings\sniehoff\Local Settings\Temporary Internet Files\Content.IE5\RFFUNQJ4\dds[1].scr

============== Pseudo HJT Report ===============

uWindow Title = Microsoft Internet Explorer provided by Comcast
uStart Page = hxxp://www.fareis.net/
mDefault_Page_URL = hxxp://www.fareis.net
mDefault_Search_URL = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=%s
uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\program files\asksearch\bin\DefaultSearch.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {CB7945C8-557D-42AF-81A3-E71C9DBF0999} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_9
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [COMMUNICATOR] "c:\program files\microsoft office communicator\Communicator.exe"
uRun: [cogad] "c:\documents and settings\sniehoff\application data\cogad\cogad.exe" 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
uRun: [AROReminder] c:\program files\advanced registry optimizer\aro.exe -rem
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AeXAgentLogon] c:\program files\altiris\altiris agent\AeXAgentActivate.exe /logon
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [AClntUsr] c:\altiris\aclient\AClntUsr.EXE
mRun: [SafeBootTrayManager] "c:\program files\safeboot tray manager\SbTrayManager.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_09\bin\jusched.exe"
mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start
mRun: [CognizanceTS] rundll32.exe c:\progra~1\hewlet~1\iam\bin\ASTSVCC.dll,RegisterModule
mRun: [IFXSPMGT] c:\windows\system32\ifxspmgt.exe /NotifyLogon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [SetDefPrt] c:\program files\brother\brmfl04g\BrStDvPt.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\falcon~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
uPolicies-explorer: GreyMSIAds = 1 (0x1)
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
uPolicies-system: Wallpaper = c:\windows\EglGold1.bmp
uPolicies-system: WallpaperStyle = 0
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - c:\program files\ultimatebet\UltimateBet.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: elementk.com
Trusted Zone: famisg.net\*.fareis
Trusted Zone: fareis.com
Trusted Zone: fareis.net
Trusted Zone: fareis.net\www
Trusted Zone: firstam-reis.com
Trusted Zone: firstam-reis.net
Trusted Zone: firstam.com
Trusted Zone: firstam.net
Trusted Zone: elementk.com
Trusted Zone: famisg.net\*.fareis
Trusted Zone: fareis.com
Trusted Zone: fareis.net
Trusted Zone: fareis.net\www
Trusted Zone: firstam-reis.com
Trusted Zone: firstam-reis.net
Trusted Zone: firstam.com
Trusted Zone: firstam.net
Notify: AtiExtEvent - Ati2evxx.dll
Notify: DeviceNP - DeviceNP.dll
Notify: OneCard - c:\program files\hewlett-packard\iam\bin\ASWLNPkg.dll
AppInit_DLLs: AMINIT.dll APSHook.dll
LSA: Notification Packages = SbNp scecli ASWLNPkg

============= SERVICES / DRIVERS ===============

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2007-10-1 101615]
R0 SBAlg;SBAlg;c:\windows\system32\drivers\SbAlg.sys [2007-10-15 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2007-10-1 11640]
R1 AlKBNT;Altiris Keyboard Filter Driver;c:\windows\system32\drivers\AlKbNT.sys [2002-7-15 5630]
R1 AlMNT;Altiris Mouse Filter Driver;c:\windows\system32\drivers\AlMNT.sys [2002-7-15 5485]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2007-7-24 38816]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\RsvLock.sys [2007-10-1 5840]
R1 SbFlop;SbFlop;c:\windows\system32\drivers\SbFlop.sys [2007-10-1 34000]
R1 SbPrcCtl;SbPrcCtl;c:\windows\system32\drivers\SbPrcCtl.sys [2007-10-1 14960]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-1-23 41216]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2007-10-1 47616]
R4 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2006-2-27 14336]
R4 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2006-2-27 14336]
R4 OfcPfwSvc;OfficeScanNT Personal Firewall;c:\program files\trend micro\officescan client\OfcPfwSvc.exe [2005-8-31 229456]
R4 SafeBootClientManager;SafeBoot Client Manager;c:\program files\safeboot\SbClientManager.exe [2007-10-1 356352]
R4 SvcFALCON;FALCON System Configuration Monitor;c:\program files\falcon\svc\SvcFALCON.exe [2003-3-29 118784]
R4 SWIHPWMI;SWIHPWMI;c:\program files\hpq\shared\sierra wireless\win32\unicode\SWIHPWMI.exe [2006-12-4 292384]
R4 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2005-11-9 205328]
R4 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2005-11-9 36368]
S1 psdlcc;psdlcc;c:\windows\system32\drivers\psdlcc.sys --> c:\windows\system32\drivers\psdlcc.sys [?]
S3 COAX;COAX;c:\windows\system32\drivers\coax.sys [2004-2-16 18424]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [2008-10-14 30008]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [2007-6-8 172131]
S3 RMBS;RMBS;c:\windows\system32\drivers\rmbs.sys [2004-2-16 17828]
S3 TWXWD;TWXWD;c:\windows\system32\drivers\TwxWD.sys [2004-2-16 26964]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2003-3-3 176896]

=============== Created Last 30 ================

2009-01-21 14:36 <DIR> --d----- c:\docume~1\sniehoff\applic~1\Malwarebytes
2009-01-21 14:36 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-21 14:36 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-21 14:36 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-21 14:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-21 14:35 <DIR> --d----- c:\program files\XoftSpySE
2009-01-21 14:07 <DIR> --d----- c:\windows\system32\NtmsData
2009-01-21 12:56 <DIR> --d----- c:\docume~1\sniehoff\applic~1\Sammsoft
2009-01-21 12:55 <DIR> --d----- c:\program files\AskSearch
2009-01-21 12:55 <DIR> --d----- c:\program files\AskBarDis
2009-01-21 12:55 <DIR> --d----- c:\program files\Advanced Registry Optimizer
2009-01-21 10:10 41,984 a------- c:\windows\obecobix.dssll
2009-01-21 09:26 2,669 a------- c:\windows\system32\kfrpyfii.dll
2009-01-21 09:24 2,669 a------- c:\windows\system32\kcscftxt.dll
2009-01-20 22:02 <DIR> --d----- c:\temp\tmp90
2009-01-20 22:02 <DIR> --d----- c:\temp\1cb
2009-01-20 22:02 <DIR> --d----- c:\windows\system32\xp2
2009-01-20 22:02 <DIR> --d----- c:\windows\system32\UZ
2009-01-20 22:01 48,640 a------- c:\windows\system32\ddcYrOGx.dll
2009-01-20 22:00 48,640 a------- c:\windows\system32\wvUkIcCv.dll
2009-01-20 21:59 48,640 a------- c:\windows\system32\fccASjhi.dll
2009-01-20 21:59 48,640 a------- c:\windows\system32\qoMdBtqp.dll
2009-01-20 21:53 258,069 a------- c:\windows\system32\rn.tmp
2009-01-07 22:31 <DIR> --d----- c:\windows\system32\LogFiles
2008-12-24 12:29 <DIR> --d----- C:\finalburner
2008-12-24 12:29 <DIR> --d----- c:\docume~1\sniehoff\applic~1\FinalBurner Video DVD
2008-12-24 12:28 <DIR> --d----- c:\program files\FinalBurner

==================== Find3M ====================

2009-01-21 13:24 2,401 a------- c:\windows\system32\drivers\AlKernel.sys
2008-12-22 11:06 155,136 a------- c:\windows\system32\imapihp.exe
2007-07-18 12:35 28,672 a------- c:\documents and settings\sniehoff\atwbxdet.dll
2007-05-22 10:51 557,056 a------- c:\documents and settings\sniehoff\GoToAssist_phone__317_en.exe
2006-09-25 17:11 557,056 a------- c:\documents and settings\sniehoff\chatlnk.exe
2005-06-06 08:44 19,944 a------- c:\docume~1\sniehoff\applic~1\GDIPFONTCACHEV1.DAT
2003-09-19 13:36 636,416 a------- c:\program files\common files\FALCON.Instructions.doc
2003-09-03 10:32 847,941 a------- c:\program files\common files\FALCON.exe
2003-01-17 15:19 456,249 a----r-- c:\program files\common files\VPN Acknowledgement.rtf

============= FINISH: 17:26:30.43 ===============
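A triage script for the DDS log above, added here as an example; it is not part of the thread, of DDS, or of any BleepingComputer tooling. It automates the checks a malware-response helper makes by eye on the "Pseudo HJT Report" and "Created Last 30" sections: autoruns that launch from user-writable folders (the cogad entry under Application Data), toolbar/BHO CLSIDs whose DLL is gone, Vundo-style eight-letter random DLL names dropped into system32, and loose .tmp files sitting in system32. The rule names, the random-name heuristic and its thresholds are my own assumptions, and SAMPLE_DDS is a constructed excerpt of the posted log.

```python
"""Triage heuristics for a DDS log: the 'Pseudo HJT Report' autorun lines and
the 'Created Last 30' file list.  Added example for this thread; not part of
DDS, HijackThis or BleepingComputer's tooling.  Rule names and thresholds are
my own assumptions.  SAMPLE_DDS is a constructed excerpt of the posted log."""
import re
from dataclasses import dataclass

SAMPLE_DDS = r"""
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [cogad] "c:\documents and settings\sniehoff\application data\cogad\cogad.exe" 61A847B5BBF72813
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - No File
2009-01-21 14:36 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-21 14:36 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-21 09:24 2,669 a------- c:\windows\system32\kcscftxt.dll
2009-01-20 22:01 48,640 a------- c:\windows\system32\ddcYrOGx.dll
2009-01-20 22:00 48,640 a------- c:\windows\system32\wvUkIcCv.dll
2009-01-20 21:53 258,069 a------- c:\windows\system32\rn.tmp
"""

# uRun/mRun/dRun: [Name] "path" args   (the path may also be unquoted)
RUN_RE = re.compile(
    r'^(?P<hive>[umd]Run): \[(?P<name>[^\]]*)\]\s+"?(?P<path>[^"]+?\.(?:exe|dll|scr|com|bat|cmd))"?',
    re.I)
# Created-last-30 file entry: date time size attrs path   (<DIR> rows do not match)
CREATED_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?P<size>[\d,]+) (?P<attr>\S+) (?P<path>.+)$')
# Toolbar / BHO / explorer-bar CLSID whose DLL no longer exists
ORPHAN_RE = re.compile(r'^(?:TB|BHO|EB): .* - No File$')
# Folders a logon autorun should rarely live in on a managed XP build
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\windows\\temp\\", ":\\temp\\")


@dataclass
class Finding:
    rule: str
    evidence: str


def looks_random(stem: str) -> bool:
    """Vundo-style dropper names: eight letters with several inner capitals
    (ddcYrOGx) or no vowels at all (kcscftxt).  Heuristic, not a signature:
    it misses kfrpyfii.dll from the same log, so read hits together with the
    file's timestamp cluster and signer."""
    if len(stem) != 8 or not stem.isalpha():
        return False
    inner_upper = sum(1 for c in stem[1:] if c.isupper())
    vowels = sum(1 for c in stem.lower() if c in "aeiou")
    return inner_upper >= 2 or vowels == 0


def triage(log_text: str) -> list:
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            if any(marker in m["path"].lower() for marker in USER_WRITABLE):
                findings.append(Finding("autorun-from-user-writable-path", line))
            continue
        if ORPHAN_RE.match(line):
            findings.append(Finding("orphaned-browser-extension", line))
            continue
        m = CREATED_RE.match(line)
        if not m:
            continue
        path = m["path"]
        low = path.lower()
        stem, _, ext = path.rsplit("\\", 1)[-1].rpartition(".")
        if "\\windows\\" in low and ext.lower() in ("dll", "sys", "exe") and looks_random(stem):
            findings.append(Finding("random-named-binary-in-windows-dir", line))
        elif "\\windows\\system32\\" in low and ext.lower() == "tmp":
            findings.append(Finding("temp-file-dropped-in-system32", line))
    return findings


def by_rule(findings: list) -> dict:
    """Count findings per rule, for a quick summary of what the log shows."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.rule:40} {f.evidence}")
```

On the excerpt this flags the cogad autorun, the orphaned toolbar CLSID, the three random-named DLLs and rn.tmp, and stays quiet on msmsgs.exe, the Synaptics autorun and mbam.sys. The random-name rule is deliberately conservative; a hit is a reason to look at what else was created in the same minute and whether the file is signed, not a verdict.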


#2 wiggy

  • Topic Starter
  • Members
  • 21 posts

Posted 21 January 2009 - 09:16 PM

Thanks to everyone. I was able to use the SUPERAnti suggested in another post this evening to remove the offending malware.

This is a great forum and I hope to never have cause to use it again!! (not likely)

#3 KoanYorel

    Bleepin' Conundrum

  • Members
  • 19,461 posts
  • Gender: Male
  • Location: 65 miles due East of the "Logic Free Zone", in Md, USA

Posted 22 January 2009 - 09:34 AM

Thanks for informing us of what you have done.

This thread is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#4 wiggy

  • Topic Starter
  • Members
  • 21 posts

Posted 23 January 2009 - 12:01 PM

New logs attached, as requested. A question to add to this issue: would the rootkit virus potentially affect my system restore files? I have a separate issue open on the XP forum regarding my system restore, but those issues seem to coincide with my virus issues. Just throwing it out there to see what sticks!


DDS (Ver_09-01-07.01) - NTFSx86
Run by sniehoff at 9:56:16.17 on Fri 01/23/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2015.1355 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\System32\svchost.exe -k Cognizance
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SafeBoot\SbClientManager.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\WINDOWS\system32\ifxspmgt.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\WINDOWS\system32\IfxPsdSv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\FALCON\Svc\SvcFALCON.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
C:\WINDOWS\TEMP\ZF68FB.EXE
c:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Altiris\AClient\AClntUsr.EXE
C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
c:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\sniehoff\Desktop\dds.com

============== Pseudo HJT Report ===============

uWindow Title = Microsoft Internet Explorer provided by Comcast
uStart Page = hxxp://www.fareis.net/
mDefault_Page_URL = hxxp://www.fareis.net
mDefault_Search_URL = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=%s
uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\program files\asksearch\bin\DefaultSearch.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
TB: {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {CB7945C8-557D-42AF-81A3-E71C9DBF0999} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_9
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [COMMUNICATOR] "c:\program files\microsoft office communicator\Communicator.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AeXAgentLogon] c:\program files\altiris\altiris agent\AeXAgentActivate.exe /logon
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [AClntUsr] c:\altiris\aclient\AClntUsr.EXE
mRun: [SafeBootTrayManager] "c:\program files\safeboot tray manager\SbTrayManager.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_09\bin\jusched.exe"
mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start
mRun: [CognizanceTS] rundll32.exe c:\progra~1\hewlet~1\iam\bin\ASTSVCC.dll,RegisterModule
mRun: [IFXSPMGT] c:\windows\system32\ifxspmgt.exe /NotifyLogon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [SetDefPrt] c:\program files\brother\brmfl04g\BrStDvPt.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\falcon~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
uPolicies-explorer: GreyMSIAds = 1 (0x1)
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
uPolicies-system: Wallpaper = c:\windows\EglGold1.bmp
uPolicies-system: WallpaperStyle = 0
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - c:\program files\ultimatebet\UltimateBet.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: elementk.com
Trusted Zone: famisg.net\*.fareis
Trusted Zone: fareis.com
Trusted Zone: fareis.net
Trusted Zone: fareis.net\www
Trusted Zone: firstam-reis.com
Trusted Zone: firstam-reis.net
Trusted Zone: firstam.com
Trusted Zone: firstam.net
Trusted Zone: elementk.com
Trusted Zone: famisg.net\*.fareis
Trusted Zone: fareis.com
Trusted Zone: fareis.net
Trusted Zone: fareis.net\www
Trusted Zone: firstam-reis.com
Trusted Zone: firstam-reis.net
Trusted Zone: firstam.com
Trusted Zone: firstam.net
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: DeviceNP - DeviceNP.dll
Notify: OneCard - c:\program files\hewlett-packard\iam\bin\ASWLNPkg.dll
AppInit_DLLs: AMINIT.dll APSHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = SbNp scecli ASWLNPkg

============= SERVICES / DRIVERS ===============

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2007-10-1 101615]
R0 SBAlg;SBAlg;c:\windows\system32\drivers\SbAlg.sys [2007-10-15 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2007-10-1 11640]
R1 AlKBNT;Altiris Keyboard Filter Driver;c:\windows\system32\drivers\AlKbNT.sys [2002-7-15 5630]
R1 AlMNT;Altiris Mouse Filter Driver;c:\windows\system32\drivers\AlMNT.sys [2002-7-15 5485]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2007-7-24 38816]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\RsvLock.sys [2007-10-1 5840]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R1 SbFlop;SbFlop;c:\windows\system32\drivers\SbFlop.sys [2007-10-1 34000]
R1 SbPrcCtl;SbPrcCtl;c:\windows\system32\drivers\SbPrcCtl.sys [2007-10-1 14960]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-1-23 41216]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2007-10-1 47616]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
R3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2003-3-3 176896]
R4 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-1-22 419448]
R4 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2006-2-27 14336]
R4 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2006-2-27 14336]
R4 OfcPfwSvc;OfficeScanNT Personal Firewall;c:\program files\trend micro\officescan client\OfcPfwSvc.exe [2005-8-31 229456]
R4 SafeBootClientManager;SafeBoot Client Manager;c:\program files\safeboot\SbClientManager.exe [2007-10-1 356352]
R4 SvcFALCON;FALCON System Configuration Monitor;c:\program files\falcon\svc\SvcFALCON.exe [2003-3-29 118784]
R4 SWIHPWMI;SWIHPWMI;c:\program files\hpq\shared\sierra wireless\win32\unicode\SWIHPWMI.exe [2006-12-4 292384]
R4 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2005-11-9 205328]
R4 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2005-11-9 36368]
S1 psdlcc;psdlcc;c:\windows\system32\drivers\psdlcc.sys --> c:\windows\system32\drivers\psdlcc.sys [?]
S3 COAX;COAX;c:\windows\system32\drivers\coax.sys [2004-2-16 18424]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [2008-10-14 30008]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [2007-6-8 172131]
S3 RMBS;RMBS;c:\windows\system32\drivers\rmbs.sys [2004-2-16 17828]
S3 TWXWD;TWXWD;c:\windows\system32\drivers\TwxWD.sys [2004-2-16 26964]

=============== Created Last 30 ================

2009-01-22 22:43 552 a------- c:\windows\system32\d3d8caps.dat
2009-01-22 16:31 <DIR> --d----- c:\program files\a-squared Free
2009-01-21 17:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-21 17:59 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-21 17:59 <DIR> --d----- c:\docume~1\sniehoff\applic~1\SUPERAntiSpyware.com
2009-01-21 17:59 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-21 14:36 <DIR> --d----- c:\docume~1\sniehoff\applic~1\Malwarebytes
2009-01-21 14:36 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-21 14:36 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-21 14:36 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-21 14:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-21 14:07 <DIR> --d----- c:\windows\system32\NtmsData
2009-01-21 12:55 <DIR> --d----- c:\program files\AskSearch
2009-01-21 09:26 2,669 a------- c:\windows\system32\kfrpyfii.dll
2009-01-21 09:24 2,669 a------- c:\windows\system32\kcscftxt.dll
2009-01-20 22:02 <DIR> --d----- c:\temp\tmp90
2009-01-20 22:02 <DIR> --d----- c:\temp\1cb
2009-01-20 22:02 <DIR> --d----- c:\windows\system32\xp2
2009-01-20 22:02 <DIR> --d----- c:\windows\system32\UZ
2009-01-20 21:53 258,069 a------- c:\windows\system32\rn.tmp
2009-01-07 22:31 <DIR> --d----- c:\windows\system32\LogFiles
2008-12-24 12:29 <DIR> --d----- C:\finalburner
2008-12-24 12:29 <DIR> --d----- c:\docume~1\sniehoff\applic~1\FinalBurner Video DVD
2008-12-24 12:28 <DIR> --d----- c:\program files\FinalBurner

==================== Find3M ====================

2009-01-23 08:46 2,401 a------- c:\windows\system32\drivers\AlKernel.sys
2008-12-22 11:06 155,136 a------- c:\windows\system32\imapihp.exe
2007-07-18 12:35 28,672 a------- c:\documents and settings\sniehoff\atwbxdet.dll
2007-05-22 10:51 557,056 a------- c:\documents and settings\sniehoff\GoToAssist_phone__317_en.exe
2006-09-25 17:11 557,056 a------- c:\documents and settings\sniehoff\chatlnk.exe
2005-06-06 08:44 19,944 a------- c:\docume~1\sniehoff\applic~1\GDIPFONTCACHEV1.DAT
2003-09-19 13:36 636,416 a------- c:\program files\common files\FALCON.Instructions.doc
2003-09-03 10:32 847,941 a------- c:\program files\common files\FALCON.exe
2003-01-17 15:19 456,249 a----r-- c:\program files\common files\VPN Acknowledgement.rtf

============= FINISH: 9:56:33.13 ===============


#5 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender: Male
  • Location: Redmond, Washington

Posted 24 January 2009 - 09:33 PM

Hello, wiggy
If you are being worked on here, you should suspend actions going on over in the XP thread. Rootkits can mess up System Restore quite a bit, yes.

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following mirrors:
  • Close any and all open programs, as this process may crash your computer.
  • Unzip the downloaded file to your desktop.
  • Double click the GMER icon on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see a pop-up window at this point. If you do, click No.
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.
In your next reply, please include the following:
  • GMER's Log

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#6 wiggy

  • Topic Starter
  • Members
  • 21 posts

Posted 24 January 2009 - 10:49 PM

Thanks for looking into this Billy. Here's the GMER log:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-24 20:46:47
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

Code 8A5C18B8 ZwEnumerateKey
Code 8A5BEC08 ZwFlushInstructionCache
Code F249E323 pIofCallDriver

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B5642 3 Bytes JMP 8A5BEC0C
PAGE ntkrnlpa.exe!ZwFlushInstructionCache + 4 805B5646 1 Byte [ 0A ]
PAGE ntkrnlpa.exe!ZwEnumerateKey 80622DBE 5 Bytes JMP 8A5C18BC
? C:\WINDOWS\system32\drivers\SafeBoot.sys The process cannot access the file because it is being used by another process.

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)

---- Modules - GMER 1.0.14 ----

Module \systemroot\system32\drivers\senekaefeaoplr.sys (*** hidden *** ) F249C000-F24BB000 (126976 bytes)

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\drivers\senekaefeaoplr.sys (*** hidden *** ) [SYSTEM] seneka <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet001\Services\seneka
Reg HKLM\SYSTEM\ControlSet001\Services\seneka@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\seneka@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\seneka@imagepath \systemroot\system32\drivers\senekaefeaoplr.sys
Reg HKLM\SYSTEM\ControlSet001\Services\seneka@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\seneka\modules
Reg HKLM\SYSTEM\ControlSet001\Services\seneka\modules@seneka.dll \systemroot\system32\senekauksuinxx.dll
Reg HKLM\SYSTEM\ControlSet001\Services\seneka\modules@seneka.sys \systemroot\system32\drivers\senekaefeaoplr.sys
Reg HKLM\SYSTEM\ControlSet001\Services\seneka\modules@senekalog.dat \systemroot\system32\senekaqqrhnnrd.dat
Reg HKLM\SYSTEM\ControlSet001\Services\seneka\modules@senekawi.dll \systemroot\system32\senekamfcbufds.dll
Reg HKLM\SYSTEM\ControlSet001\Services\seneka\modules@seneka.dat \systemroot\system32\senekagixfaivt.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@imagepath \systemroot\system32\drivers\senekaefeaoplr.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@seneka.dll \systemroot\system32\senekauksuinxx.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@seneka.sys \systemroot\system32\drivers\senekaefeaoplr.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@senekalog.dat \systemroot\system32\senekaqqrhnnrd.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@senekawi.dll \systemroot\system32\senekamfcbufds.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@seneka.dat \systemroot\system32\senekagixfaivt.dat
Reg HKLM\SYSTEM\ControlSet003\Services\seneka
Reg HKLM\SYSTEM\ControlSet003\Services\seneka@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\seneka@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\seneka@imagepath \systemroot\system32\drivers\senekaefeaoplr.sys
Reg HKLM\SYSTEM\ControlSet003\Services\seneka@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\seneka\modules
Reg HKLM\SYSTEM\ControlSet003\Services\seneka\modules@seneka.dll \systemroot\system32\senekauksuinxx.dll
Reg HKLM\SYSTEM\ControlSet003\Services\seneka\modules@seneka.sys \systemroot\system32\drivers\senekaefeaoplr.sys
Reg HKLM\SYSTEM\ControlSet003\Services\seneka\modules@senekalog.dat \systemroot\system32\senekaqqrhnnrd.dat
Reg HKLM\SYSTEM\ControlSet003\Services\seneka\modules@senekawi.dll \systemroot\system32\senekamfcbufds.dll
Reg HKLM\SYSTEM\ControlSet003\Services\seneka\modules@seneka.dat \systemroot\system32\senekagixfaivt.dat
Reg HKLM\SYSTEM\ControlSet004\Services\seneka
Reg HKLM\SYSTEM\ControlSet004\Services\seneka@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\seneka@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\seneka@imagepath \systemroot\system32\drivers\senekaefeaoplr.sys
Reg HKLM\SYSTEM\ControlSet004\Services\seneka@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules
Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules@seneka.dll \systemroot\system32\senekauksuinxx.dll
Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules@seneka.sys \systemroot\system32\drivers\senekaefeaoplr.sys
Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules@senekalog.dat \systemroot\system32\senekaqqrhnnrd.dat
Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules@senekawi.dll \systemroot\system32\senekamfcbufds.dll
Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules@seneka.dat \systemroot\system32\senekagixfaivt.dat

---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- EOF - GMER 1.0.14 ----
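What the log above is saying, worked through in code. The following Python script is an added example written for this page; it is not part of the thread and not a GMER or BleepingComputer tool. It parses the GMER 1.0.14 text format exactly as quoted (the embedded sample is an excerpt of the log above, reproduced rather than re-scanned) and pulls out the three things a responder triages first: kernel exports patched with a JMP, modules and services flagged hidden, and where the hook targets land. The correlation step is the useful part: the `pIofCallDriver` pointer at `F249E323` sits inside the hidden driver's range `F249C000-F24BB000`, which is what ties the hook to `senekaefeaoplr.sys`. The range-ownership join and the `verdict` thresholds are this example's assumptions, not anything GMER itself reports.

```python
"""Triage a GMER 1.0.14 rootkit-scan log.

Added example for this page; not part of GMER or of the thread. The sample
is an excerpt of the log quoted above, reproduced rather than re-scanned.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-24 20:46:47
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----

Code 8A5C18B8 ZwEnumerateKey
Code 8A5BEC08 ZwFlushInstructionCache
Code F249E323 pIofCallDriver

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B5642 3 Bytes JMP 8A5BEC0C
PAGE ntkrnlpa.exe!ZwFlushInstructionCache + 4 805B5646 1 Byte [ 0A ]
PAGE ntkrnlpa.exe!ZwEnumerateKey 80622DBE 5 Bytes JMP 8A5C18BC

---- Modules - GMER 1.0.14 ----

Module \systemroot\system32\drivers\senekaefeaoplr.sys (*** hidden *** ) F249C000-F24BB000 (126976 bytes)

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\drivers\senekaefeaoplr.sys (*** hidden *** ) [SYSTEM] seneka <-- ROOTKIT !!!

---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- EOF - GMER 1.0.14 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
CODE_RE = re.compile(r"^Code\s+([0-9A-F]{8})\s+(\S+)$")
HOOK_RE = re.compile(
    r"^(?:PAGE|\.text|INIT)\s+(\S+!\S+)(?:\s\+\s\d+)?\s+[0-9A-F]{8}\s+\d+\s+Bytes?\s+"
    r"(JMP\s+([0-9A-F]{8})|\[.*\])$"
)
HIDDEN_RE = re.compile(r"^(Module|Service)\s+(\S+)\s+\(\*\*\* hidden \*\*\* \)\s*(.*)$")
RANGE_RE = re.compile(r"([0-9A-F]{8})-([0-9A-F]{8})")
DISK_RE = re.compile(r"^Disk\s+(\S+)\s+sector\s+(\d+):\s*(.*?);?$")


@dataclass(frozen=True)
class HiddenModule:
    path: str
    start: int   # load address range exactly as GMER prints it
    end: int

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end


def parse_gmer_log(text: str) -> dict:
    """Pull the findings a responder triages first out of a GMER text log."""
    result = {
        "hooked_pointers": {},   # System section: kernel pointer name -> address it now holds
        "inline_hooks": {},      # patched kernel export -> JMP target (None for a byte patch)
        "hidden_modules": [],    # HiddenModule entries flagged "*** hidden ***"
        "hidden_services": [],   # (image path, remainder of the line)
        "disk_warnings": [],     # (device, sector, message)
    }
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SECTION_RE.match(line):
            continue
        if m := CODE_RE.match(line):
            result["hooked_pointers"][m.group(2)] = int(m.group(1), 16)
        elif m := HOOK_RE.match(line):
            export, target = m.group(1), m.group(3)
            # The "+ 4" byte-patch line belongs to the same export; keep the JMP target.
            if export not in result["inline_hooks"] or target is not None:
                result["inline_hooks"][export] = int(target, 16) if target else None
        elif m := HIDDEN_RE.match(line):
            kind, path, rest = m.groups()
            if kind == "Module":
                r = RANGE_RE.search(rest)
                result["hidden_modules"].append(
                    HiddenModule(path, int(r.group(1), 16), int(r.group(2), 16)))
            else:
                result["hidden_services"].append((path, rest))
        elif m := DISK_RE.match(line):
            result["disk_warnings"].append((m.group(1), int(m.group(2)), m.group(3)))
    return result


def attribute_hooks(result: dict) -> dict:
    """Map each hook address to the hidden module whose range contains it.

    Assumption of this example: a hook landing inside a hidden image is
    owned by that image. GMER prints the addresses but not this join.
    """
    addrs = dict(result["hooked_pointers"])
    addrs.update({k: v for k, v in result["inline_hooks"].items() if v is not None})
    return {
        name: next((mod.path for mod in result["hidden_modules"] if mod.contains(addr)), None)
        for name, addr in addrs.items()
    }


def verdict(result: dict) -> str:
    """Hidden driver or service -> rootkit; hooks or sector warnings alone are
    only suspicious, because AV, disk-encryption and input drivers hook too."""
    if result["hidden_modules"] or result["hidden_services"]:
        return "rootkit"
    if result["inline_hooks"] or result["hooked_pointers"] or result["disk_warnings"]:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    found = parse_gmer_log(SAMPLE_LOG)
    for name, owner in attribute_hooks(found).items():
        print(f"{name:45} -> {owner or 'address outside any hidden module'}")
    print("verdict:", verdict(found))
```

Two caveats when reading the output against this log. Legitimate products hook and filter too: the AttachedDevice lines for TmPreFlt.sys and SynTP.sys are Trend Micro and Synaptics, so a hook by itself is only "suspicious", and it is the hidden flag plus a hook target inside the hidden image that justifies the rootkit verdict. The sector 63 warning is the first partition's boot sector on an XP-era MBR layout; this machine also runs SafeBoot disk encryption (SafeBoot.sys appears in the same log), which legitimately rewrites the boot sector, so that line deserves a separate look before it is counted against the machine.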

#7 Billy O'Neal, Visual C++ STL Maintainer (Malware Response Team, 12,304 posts, Redmond, Washington)

Posted 24 January 2009 - 10:53 PM

Hello, wiggy
No problem :thumbup2:

Your System is Infected with a Backdoor!!
Backdoors cause severe damage to windows' internals, and allow an attacker complete control over the infected system. Because this state allows the attacker to download new malware on demand, log keystrokes, execute programs, and/or view the system's screen, it is recommended to reformat and reinstall the operating system on this machine. Several experts in the security community believe that once a system is infected with one of these types of backdoors, the system itself can never be trusted again.

I ask that you disconnect this system from the internet NOW! While it is attached to the internet, the attacker can modify the system, and prevent fixes from working as intended.

Another danger of this type of infection is that of Identity Theft. Because such malware can read all of your passwords, bank account numbers, etc. from your keystrokes, I would recommend contacting banking institutions accessed from this machine to ensure your accounts are secure. Most banks will not charge to send you new credit/debit cards, and getting these numbers replaced would be a good idea. It would also be a good idea to change passwords for anything you commonly use online. Online stores, Facebook/Myspace, Email, etc. If it has been on that machine it may have been read by someone else. Don't do it from this machine, as it is now compromised. Do it from another known clean machine. A good place to do this is at your local public library.

I would strongly recommend format and reinstallation of this machine. For more information, you may wish to read one of these excellent articles:

Please let me know if you wish to continue to clean this machine or if you wish to format.

BillyIII

#8 wiggy (Topic Starter, Members, 21 posts)

Posted 24 January 2009 - 11:10 PM

Well isn't that pleasant news!

Okay. I'm currently disconnected from the internet on my other computer.

I would like to proceed with the attempted clean because A) I'm extremely curious now and want to take this as far as I can....and B) If I can buy a week or two with some relative sense of security that would be a bonus, since I'll have to ship my laptop to Dallas to have it reimaged. That's at least 4 days offline and I've too much in the hopper right now, so to speak.

If you're willing, I'm game. Worst that happens is I ship the entire thing down if we fail!

#9 Billy O'Neal (Malware Response Team, 12,304 posts, Redmond, Washington)

Posted 24 January 2009 - 11:15 PM

Hello, wiggy
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

In your next reply, please include the following:
  • ComboFix.txt

BillyIII

#10 wiggy (Topic Starter, Members, 21 posts)

Posted 24 January 2009 - 11:49 PM

Combo fix log:

ComboFix 09-01-21.04 - sniehoff 2009-01-24 21:38:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2015.1560 [GMT -7:00]
Running from: c:\documents and settings\sniehoff\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\temp\1cb
c:\windows\IE4 Error Log.txt
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekaefeaoplr.sys
c:\windows\system32\senekagixfaivt.dat
c:\windows\system32\senekamfcbufds.dll
c:\windows\system32\senekaqqrhnnrd.dat
c:\windows\system32\senekauksuinxx.dll
c:\windows\Tasks\qtnaqprb.job
c:\windows\wiaservv.log

----- BITS: Possible infected sites -----

hxxp://childhe.com
hxxp://reisdfw01vopm10
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA


((((((((((((((((((((((((( Files Created from 2008-12-25 to 2009-01-25 )))))))))))))))))))))))))))))))
.

2009-01-24 20:44 . 2009-01-24 20:44 250 --a------ c:\windows\gmer.ini
2009-01-22 22:43 . 2009-01-22 22:43 552 --a------ c:\windows\system32\d3d8caps.dat
2009-01-22 22:31 . 2009-01-22 22:31 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-01-22 17:14 . 2009-01-22 18:33 <DIR> d-------- c:\windows\BDOSCAN8
2009-01-22 16:31 . 2009-01-24 12:21 <DIR> d-------- c:\program files\a-squared Free
2009-01-21 17:59 . 2009-01-21 17:59 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-21 17:59 . 2009-01-21 17:59 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-21 17:59 . 2009-01-21 17:59 <DIR> d-------- c:\documents and settings\sniehoff\Application Data\SUPERAntiSpyware.com
2009-01-21 17:59 . 2009-01-21 17:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-21 14:36 . 2009-01-21 14:36 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-21 14:36 . 2009-01-21 14:36 <DIR> d-------- c:\documents and settings\sniehoff\Application Data\Malwarebytes
2009-01-21 14:36 . 2009-01-21 14:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-21 14:36 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-21 14:36 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-21 14:07 . 2009-01-22 09:22 <DIR> d-------- c:\windows\system32\NtmsData
2009-01-21 12:55 . 2009-01-21 12:55 <DIR> d-------- c:\program files\AskSearch
2009-01-21 09:26 . 2009-01-21 09:26 2,669 --a------ c:\windows\system32\kfrpyfii.dll
2009-01-21 09:24 . 2009-01-21 09:24 2,669 --a------ c:\windows\system32\kcscftxt.dll
2009-01-20 22:02 . 2009-01-21 16:25 <DIR> d-------- c:\windows\system32\xp2
2009-01-20 22:02 . 2009-01-20 22:03 <DIR> d-------- c:\windows\system32\UZ
2009-01-20 22:02 . 2009-01-20 22:02 <DIR> d-------- c:\temp\tmp90
2009-01-20 21:53 . 2009-01-20 21:54 258,069 --a------ c:\windows\system32\rn.tmp
2009-01-07 22:31 . 2009-01-07 22:31 <DIR> d-------- c:\windows\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-23 19:23 2,401 ----a-w c:\windows\system32\drivers\AlKernel.sys
2009-01-21 04:41 --------- d-----w c:\documents and settings\sniehoff\Application Data\Move Networks
2008-12-24 19:29 --------- d-----w c:\documents and settings\sniehoff\Application Data\FinalBurner Video DVD
2008-12-24 19:28 --------- d-----w c:\program files\FinalBurner
2008-12-12 17:44 --------- d-----w c:\program files\PokerStars
2008-12-10 15:27 --------- d-----w c:\program files\iTunes
2008-12-10 15:27 --------- d-----w c:\documents and settings\sniehoff\Application Data\Apple Computer
2008-12-10 15:27 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-10 15:26 --------- d-----w c:\program files\QuickTime
2008-12-10 15:26 --------- d-----w c:\program files\iPod
2008-12-10 15:26 --------- d-----w c:\program files\Common Files\Apple
2008-12-10 15:26 --------- d-----w c:\program files\Bonjour
2008-12-10 15:26 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-10 15:25 --------- d-----w c:\program files\Apple Software Update
2008-12-10 15:25 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-11-25 14:26 --------- d-----w c:\documents and settings\sniehoff\Application Data\webex
2007-07-18 19:35 28,672 ----a-w c:\documents and settings\sniehoff\atwbxdet.dll
2007-05-22 17:51 557,056 ----a-w c:\documents and settings\sniehoff\GoToAssist_phone__317_en.exe
2006-09-26 00:11 557,056 ----a-w c:\documents and settings\sniehoff\chatlnk.exe
2005-06-06 15:44 19,944 ----a-w c:\documents and settings\sniehoff\Application Data\GDIPFONTCACHEV1.DAT
2003-09-19 20:36 636,416 ----a-w c:\program files\Common Files\FALCON.Instructions.doc
2003-09-03 17:32 847,941 ----a-w c:\program files\Common Files\FALCON.exe
2003-01-17 22:19 456,249 ----a-r c:\program files\Common Files\VPN Acknowledgement.rtf
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{C94E154B-1459-4A47-966B-4B843BEFC7DB}"= "c:\program files\AskSearch\bin\DefaultSearch.dll" [2008-08-06 45056]

[HKEY_CLASSES_ROOT\clsid\{c94e154b-1459-4a47-966b-4b843befc7db}]
[HKEY_CLASSES_ROOT\DefaultSearch.DefaultSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{EC73A159-0736-4EF3-972D-6EA9B2278495}]
[HKEY_CLASSES_ROOT\DefaultSearch.DefaultSearchHook]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMMUNICATOR"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-07 827392]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AeXAgentLogon"="c:\program files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2006-07-25 139264]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2005-08-31 335872]
"AClntUsr"="c:\altiris\AClient\AClntUsr.EXE" [2009-01-24 184320]
"SafeBootTrayManager"="c:\program files\SafeBoot Tray Manager\SbTrayManager.exe" [2007-06-12 69632]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 49263]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-07-24 677144]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
FALCON Secure Connect - on Startup.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2003-07-18 1459392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)
"GreyMSIAds"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2007-03-14 05:03 74752 c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-06-08 08:04 49152 c:\windows\system32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbNp scecli ASWLNPkg

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=RumbaFix.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=SetAdmPW.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=RASPhone.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1844237615-73586283-682003330-4033\Scripts\Logon\0\0]
"Script"=check_admin.vbs

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^sniehoff^Start Menu^Programs^Startup^Calendar Creator Scheduler.lnk]
path=c:\documents and settings\sniehoff\Start Menu\Programs\Startup\Calendar Creator Scheduler.lnk
backup=c:\windows\pss\Calendar Creator Scheduler.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 05:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
--a------ 2007-05-23 09:00 192512 c:\program files\InterVideo\DVD Check\DVDCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Altiris\\AClient\\AClntUsr.EXE"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2007-10-01 101615]
R0 SBAlg;SBAlg;c:\windows\system32\drivers\SbAlg.sys [2007-10-15 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2007-10-01 11640]
R1 AlKBNT;Altiris Keyboard Filter Driver;c:\windows\system32\drivers\AlKbNT.sys [2002-07-15 5630]
R1 AlMNT;Altiris Mouse Filter Driver;c:\windows\system32\drivers\AlMNT.sys [2002-07-15 5485]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2007-07-24 38816]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\RsvLock.sys [2007-10-01 5840]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R1 SbFlop;SbFlop;c:\windows\system32\drivers\SbFlop.sys [2007-10-01 34000]
R1 SbPrcCtl;SbPrcCtl;c:\windows\system32\drivers\SbPrcCtl.sys [2007-10-01 14960]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-01-23 41216]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2007-10-01 47616]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
R4 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [2006-02-27 14336]
R4 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2006-02-27 14336]
R4 SafeBootClientManager;SafeBoot Client Manager;c:\program files\SafeBoot\SbClientManager.exe [2007-10-01 356352]
R4 SvcFALCON;FALCON System Configuration Monitor;c:\program files\FALCON\Svc\SvcFALCON.exe [2003-03-29 118784]
R4 SWIHPWMI;SWIHPWMI;c:\program files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [2006-12-04 292384]
R4 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [2005-11-09 205328]
R4 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [2005-11-09 36368]
S1 psdlcc;psdlcc;c:\windows\system32\drivers\psdlcc.sys --> c:\windows\system32\drivers\psdlcc.sys [?]
S3 COAX;COAX;c:\windows\system32\drivers\coax.sys [2004-02-16 18424]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [2008-10-14 30008]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [2007-06-08 172131]
S3 RMBS;RMBS;c:\windows\system32\drivers\rmbs.sys [2004-02-16 17828]
S3 TWXWD;TWXWD;c:\windows\system32\drivers\TwxWD.sys [2004-02-16 26964]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel
.
Contents of the 'Scheduled Tasks' folder

2009-01-22 c:\windows\Tasks\At1.job
- c:\windows\system32\2ICfFGA6.exe []

2009-01-23 c:\windows\Tasks\At10.job
- c:\windows\system32\2ICfFGA6.exe []

2009-01-24 c:\windows\Tasks\At11.job
- c:\windows\system32\2ICfFGA6.exe []

2009-01-24 c:\windows\Tasks\At12.job
- c:\windows\system32\2ICfFGA6.exe []

2009-01-24 c:\windows\Tasks\At13.job
- c:\windows\system32\2ICfFGA6.exe []

2009-01-24 c:\windows\Tasks\At14.job
- c:\windows\system32\2ICfFGA6.exe []

2009-01-24 c:\windows\Tasks\At15.job
- c:\windows\system32\2ICfFGA6.exe []

2009-01-24 c:\windows\Tasks\At16.job
- c:\windows\system32\2ICfFGA6.exe []

2009-01-24 c:\windows\Tasks\At17.job
- c:\windows\system32\2ICfFGA6.exe []

2009-01-24 c:\windows\Tasks\At18.job
- c:\windows\system32\2ICfFGA6.exe []

2009-01-24 c:\windows\Tasks\At19.job
- c:\windows\system32\2ICfFGA6.exe []

2009-01-22 c:\windows\Tasks\At2.job
- c:\windows\system32\2ICfFGA6.exe []

2009-01-23 c:\windows\Tasks\At20.job
- c:\windows\system32\2ICfFGA6.exe []

2009-01-23 c:\windows\Tasks\At21.job
- c:\windows\system32\2ICfFGA6.exe []

2009-01-25 c:\windows\Tasks\At22.job
- c:\windows\system32\2ICfFGA6.exe []

2009-01-23 c:\windows\Tasks\At23.job
- c:\windows\system32\2ICfFGA6.exe []

2009-01-22 c:\windows\Tasks\At24.job
- c:\windows\system32\2ICfFGA6.exe []

2009-01-22 c:\windows\Tasks\At25.job
- c:\windows\system32\IRrGMwP2.exe []

2009-01-22 c:\windows\Tasks\At26.job
- c:\windows\system32\IRrGMwP2.exe []

2008-12-23 c:\windows\Tasks\At27.job
- c:\windows\system32\IRrGMwP2.exe []

2008-12-23 c:\windows\Tasks\At28.job
- c:\windows\system32\IRrGMwP2.exe []

2008-12-23 c:\windows\Tasks\At29.job
- c:\windows\system32\IRrGMwP2.exe []

2008-12-23 c:\windows\Tasks\At3.job
- c:\windows\system32\2ICfFGA6.exe []

2008-11-27 c:\windows\Tasks\At30.job
- c:\windows\system32\IRrGMwP2.exe []

2008-12-23 c:\windows\Tasks\At31.job
- c:\windows\system32\IRrGMwP2.exe []

2009-01-08 c:\windows\Tasks\At32.job
- c:\windows\system32\IRrGMwP2.exe []

2009-01-14 c:\windows\Tasks\At33.job
- c:\windows\system32\IRrGMwP2.exe []

2009-01-23 c:\windows\Tasks\At34.job
- c:\windows\system32\IRrGMwP2.exe []

2009-01-24 c:\windows\Tasks\At35.job
- c:\windows\system32\IRrGMwP2.exe []

2009-01-24 c:\windows\Tasks\At36.job
- c:\windows\system32\IRrGMwP2.exe []

2009-01-24 c:\windows\Tasks\At37.job
- c:\windows\system32\IRrGMwP2.exe []

2009-01-24 c:\windows\Tasks\At38.job
- c:\windows\system32\IRrGMwP2.exe []

2009-01-24 c:\windows\Tasks\At39.job
- c:\windows\system32\IRrGMwP2.exe []

2008-12-23 c:\windows\Tasks\At4.job
- c:\windows\system32\2ICfFGA6.exe []

2009-01-24 c:\windows\Tasks\At40.job
- c:\windows\system32\IRrGMwP2.exe []

2009-01-24 c:\windows\Tasks\At41.job
- c:\windows\system32\IRrGMwP2.exe []

2009-01-24 c:\windows\Tasks\At42.job
- c:\windows\system32\IRrGMwP2.exe []

2009-01-24 c:\windows\Tasks\At43.job
- c:\windows\system32\IRrGMwP2.exe []

2009-01-23 c:\windows\Tasks\At44.job
- c:\windows\system32\IRrGMwP2.exe []

2009-01-23 c:\windows\Tasks\At45.job
- c:\windows\system32\IRrGMwP2.exe []

2009-01-25 c:\windows\Tasks\At46.job
- c:\windows\system32\IRrGMwP2.exe []

2009-01-23 c:\windows\Tasks\At47.job
- c:\windows\system32\IRrGMwP2.exe []

2009-01-22 c:\windows\Tasks\At48.job
- c:\windows\system32\IRrGMwP2.exe []

2008-12-23 c:\windows\Tasks\At5.job
- c:\windows\system32\2ICfFGA6.exe []

2008-11-27 c:\windows\Tasks\At6.job
- c:\windows\system32\2ICfFGA6.exe []

2008-12-23 c:\windows\Tasks\At7.job
- c:\windows\system32\2ICfFGA6.exe []

2009-01-08 c:\windows\Tasks\At8.job
- c:\windows\system32\2ICfFGA6.exe []

2009-01-14 c:\windows\Tasks\At9.job
- c:\windows\system32\2ICfFGA6.exe []

2009-01-25 c:\windows\Tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_FAREIS_sniehoff.job
- c:\windows\system32\mobsync.exe [2004-08-04 05:00]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{CB7945C8-557D-42AF-81A3-E71C9DBF0999} - (no file)
HKCU-Run-MSMSGS - c:\program files\Messenger\msmsgs.exe
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-H/PC Connection Agent - c:\program files\Microsoft ActiveSync\Wcescomm.exe
MSConfigStartUp-Desktop Weather 3 - c:\progra~1\The Weather Channel\The Weather Channel.exe
MSConfigStartUp-Hgugeboqut - c:\windows\Obecobi.dll
MSConfigStartUp-Rfijarik - c:\windows\umobakamo.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.fareis.net/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: elementk.com
Trusted Zone: famisg.net\*.fareis
Trusted Zone: fareis.com
Trusted Zone: fareis.net
Trusted Zone: fareis.net\www
Trusted Zone: firstam-reis.com
Trusted Zone: firstam-reis.net
Trusted Zone: firstam.com
Trusted Zone: firstam.net
Trusted Zone: elementk.com
Trusted Zone: famisg.net\*.fareis
Trusted Zone: fareis.com
Trusted Zone: fareis.net
Trusted Zone: fareis.net\www
Trusted Zone: firstam-reis.com
Trusted Zone: firstam-reis.net
Trusted Zone: firstam.com
Trusted Zone: firstam.net
DPF: {00028C20-0000-0000-0000-000000000046} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\TDBG32.cab
DPF: {08288600-E9D9-11D1-9C84-006008319186} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\vantfind.cab
DPF: {0CBD083F-B6B3-11D0-AD20-0060976EA210} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\vandropbox.cab
DPF: {6313ACD5-705C-11D3-8ACA-004F4E002623} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\EuroSup.cab
DPF: {6D852581-7F1A-11D2-9CAB-006008319186} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\VanColorPick.CAB
DPF: {99AC51A7-BEFF-11D1-B5B1-00A024CD30C6} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\vanfind.cab
DPF: {A6928F2E-DDEF-11D1-804D-006097F95635} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\vanStageTask.CAB
DPF: {ADCBFFBC-DB3F-11D2-AADF-006008936C61} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\vangrid.cab
DPF: {B2E0C2EA-A543-11CF-BC8C-207402C10627} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\AGaugeM.cab
DPF: {B8958DE0-BAC9-101C-933E-0000C005958C} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\edt32x20.cab
DPF: {B9FDDE3F-28E2-11D2-B461-006008936ABD} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\vanChevron.CAB
DPF: {C6CCA9AF-2B4E-11D1-9B21-0080C79EFE90} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\VanPallet.CAB
DPF: {E0DB982A-E986-11D0-B2F8-00A0247B9D10} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\VanViewer.CAB
DPF: {EB52CF7B-3917-11CE-80FB-0000C0C14E92} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\SSCALA32.cab
DPF: {EC9B6CDE-C5BF-11D2-820B-00A024CD30C6} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\VanLiteralDLL.CAB
DPF: {F39FD815-E9C3-11D1-9C83-006008319186} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\VanTree.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-24 21:44:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1844237615-73586283-682003330-4033\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\program files\SafeBoot\SBGINA.DLL
c:\program files\SafeBoot\SbGinaLib.dll
c:\program files\SafeBoot\SbUserObj.dll
c:\program files\SafeBoot\sbdbmgr.dll
c:\program files\SafeBoot\SbComms.dll
c:\program files\SafeBoot\SBUILIB.DLL
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
c:\program files\SafeBoot\SbAlgs\SBALG.DLL
c:\windows\system32\DeviceNP.dll

- - - - - - - > 'lsass.exe'(924)
c:\windows\system32\SbNp.dll
c:\program files\Hewlett-Packard\IAM\bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\scardsvr.exe
c:\program files\a-squared Free\a2service.exe
c:\altiris\AClient\AClient.exe
c:\program files\Altiris\Altiris Agent\AeXNSAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\IFXTCS.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Trend Micro\OfficeScan Client\NTRtScan.exe
c:\windows\system32\IfxPsdSv.exe
c:\program files\Trend Micro\OfficeScan Client\TmListen.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\program files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
c:\windows\Temp\PCD148.EXE
c:\program files\Hewlett-Packard\IAM\Bin\asghost.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
.
**************************************************************************
.
Completion time: 2009-01-24 21:47:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-25 04:47:42

Pre-Run: 143,521,632,256 bytes free
Post-Run: 143,583,137,792 bytes free

405 --- E O F --- 2009-01-10 16:23:06
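The "Scheduled Tasks" section of the ComboFix log above is the second persistence mechanism worth pulling out: forty-eight `At*.job` entries, all pointing at two executables in system32 with random-looking names and no file attributes. The following Python script is an added example for this page, not ComboFix's own logic and not from the thread. It parses that section, groups jobs by target and applies two heuristics: jobs named `AtN.job` were created with `at.exe` and run as LocalSystem, and a name such as `2ICfFGA6.exe` that mixes cases and digits is unlikely to be a product binary. The embedded sample is a constructed excerpt of the log above (five of its forty-nine entries), and reading an empty `[]` as "ComboFix found no such file on disk" is this example's assumption.

```python
"""Triage the 'Scheduled Tasks' section of a ComboFix log.

Added example for this page; not part of ComboFix or of the thread. The
sample is a constructed excerpt of the log quoted above.
"""
import ntpath
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
Contents of the 'Scheduled Tasks' folder

2009-01-22 c:\windows\Tasks\At1.job
- c:\windows\system32\2ICfFGA6.exe []

2009-01-23 c:\windows\Tasks\At10.job
- c:\windows\system32\2ICfFGA6.exe []

2009-01-22 c:\windows\Tasks\At25.job
- c:\windows\system32\IRrGMwP2.exe []

2009-01-25 c:\windows\Tasks\At46.job
- c:\windows\system32\IRrGMwP2.exe []

2009-01-25 c:\windows\Tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_FAREIS_sniehoff.job
- c:\windows\system32\mobsync.exe [2004-08-04 05:00]
.
- - - - ORPHANS REMOVED - - - -
"""

SECTION_HEADER = "Contents of the 'Scheduled Tasks' folder"
JOB_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\S.*?\.job)\s*$", re.IGNORECASE)
TARGET_RE = re.compile(r"^-\s+(.*?)\s+\[(.*?)\]\s*$")
AT_JOB_RE = re.compile(r"^At\d+\.job$", re.IGNORECASE)   # jobs created by at.exe


@dataclass(frozen=True)
class Task:
    job: str      # path of the .job file
    target: str   # executable the job runs
    attrs: str    # ComboFix's "[date size]" for the target, "" when the brackets are empty


def parse_scheduled_tasks(text: str) -> list[Task]:
    """Extract (job, target, attrs) triples from the Scheduled Tasks section."""
    tasks, pending, in_section = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(SECTION_HEADER):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("- - - -"):      # the next ComboFix section begins here
            break
        if m := JOB_RE.match(line):
            pending = m.group(2)
        elif pending and (m := TARGET_RE.match(line)):
            tasks.append(Task(pending, m.group(1), m.group(2).strip()))
            pending = None
    return tasks


def looks_random(filename: str) -> bool:
    """Heuristic: a stem mixing upper, lower and digits with several case
    flips (2ICfFGA6, IRrGMwP2) is far more likely generated than chosen."""
    stem = filename.rsplit(".", 1)[0]
    letters = [c for c in stem if c.isalpha()]
    classes = sum((any(c.islower() for c in stem),
                   any(c.isupper() for c in stem),
                   any(c.isdigit() for c in stem)))
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return len(stem) >= 6 and classes == 3 and flips >= 2


def triage_tasks(text: str) -> dict:
    """Group jobs by target and flag the pattern seen in the log: at.exe jobs
    (which run as LocalSystem) launching a randomly named or missing file."""
    report = {}
    for t in parse_scheduled_tasks(text):
        entry = report.setdefault(t.target, {
            "jobs": [], "at_jobs": 0, "file_missing": False, "random_name": False})
        entry["jobs"].append(t.job)
        if AT_JOB_RE.match(ntpath.basename(t.job)):
            entry["at_jobs"] += 1
        # Assumption of this example: an empty "[]" means ComboFix found no such file.
        entry["file_missing"] = t.attrs == ""
        entry["random_name"] = looks_random(ntpath.basename(t.target))
    for entry in report.values():
        entry["suspicious"] = entry["at_jobs"] > 0 and (
            entry["random_name"] or entry["file_missing"])
    return report


if __name__ == "__main__":
    for target, entry in triage_tasks(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if entry["suspicious"] else "ok"
        print(f"{flag:10} {target}  jobs={len(entry['jobs'])} at_jobs={entry['at_jobs']} "
              f"missing={entry['file_missing']} random={entry['random_name']}")
```

The grouping is what makes the pattern obvious at a glance: two targets, every job an `At` job, neither file present at scan time. The one legitimate entry (the `mobsync.exe` job, which matches the Synchronization Manager autorun in the same log) falls through all three checks, which is the minimum a triage rule has to get right before it is worth running over a full log.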

#11 Billy O'Neal (Malware Response Team, 12,304 posts, Redmond, Washington)

Posted 25 January 2009 - 12:06 AM

Hello, wiggy
Backdoor components:

c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekaefeaoplr.sys
c:\windows\system32\senekagixfaivt.dat
c:\windows\system32\senekamfcbufds.dll
c:\windows\system32\senekaqqrhnnrd.dat
c:\windows\system32\senekauksuinxx.dll


:thumbup2:

We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    http://www.bleepingcomputer.com/forums/t/197109/google-hijack-ie/
    folder::
    c:\windows\system32\xp2
    c:\windows\system32\UZ
    c:\temp
    c:\docume~1\sniehoff\LOCALS~1\Temp
    file::
    c:\windows\system32\kfrpyfii.dll
    c:\windows\system32\kcscftxt.dll
    c:\windows\system32\rn.tmp
    c:\program files\Common Files\FALCON.exe
    c:\program files\Common Files\FALCON.Instructions.doc
    suspect::[54]
    c:\program files\SafeBoot Tray Manager\SbTrayManager.exe
    c:\windows\system32\drivers\SafeBoot.sys
    registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"=-
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "DisablePersonalDirChange"=-
    "GreyMSIAds"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1844237615-73586283-682003330-4033\Scripts\Logon\0]
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    "Cognizance"=-
    DDS::
    Trusted Zone: elementk.com
    Trusted Zone: famisg.net\*.fareis
    Trusted Zone: fareis.com
    Trusted Zone: fareis.net
    Trusted Zone: fareis.net\www
    Trusted Zone: firstam-reis.com
    Trusted Zone: firstam-reis.net
    Trusted Zone: firstam.com
    Trusted Zone: firstam.net
    Trusted Zone: elementk.com
    Trusted Zone: famisg.net\*.fareis
    Trusted Zone: fareis.com
    Trusted Zone: fareis.net
    Trusted Zone: fareis.net\www
    Trusted Zone: firstam-reis.com
    Trusted Zone: firstam-reis.net
    Trusted Zone: firstam.com
    Trusted Zone: firstam.net
    DPF: {00028C20-0000-0000-0000-000000000046} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\TDBG32.cab
    DPF: {08288600-E9D9-11D1-9C84-006008319186} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\vantfind.cab
    DPF: {0CBD083F-B6B3-11D0-AD20-0060976EA210} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\vandropbox.cab
    DPF: {6313ACD5-705C-11D3-8ACA-004F4E002623} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\EuroSup.cab
    DPF: {6D852581-7F1A-11D2-9CAB-006008319186} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\VanColorPick.CAB
    DPF: {99AC51A7-BEFF-11D1-B5B1-00A024CD30C6} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\vanfind.cab
    DPF: {A6928F2E-DDEF-11D1-804D-006097F95635} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\vanStageTask.CAB
    DPF: {ADCBFFBC-DB3F-11D2-AADF-006008936C61} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\vangrid.cab
    DPF: {B2E0C2EA-A543-11CF-BC8C-207402C10627} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\AGaugeM.cab
    DPF: {B8958DE0-BAC9-101C-933E-0000C005958C} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\edt32x20.cab
    DPF: {B9FDDE3F-28E2-11D2-B461-006008936ABD} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\vanChevron.CAB
    DPF: {C6CCA9AF-2B4E-11D1-9B21-0080C79EFE90} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\VanPallet.CAB
    DPF: {E0DB982A-E986-11D0-B2F8-00A0247B9D10} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\VanViewer.CAB
    DPF: {EB52CF7B-3917-11CE-80FB-0000C0C14E92} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\SSCALA32.cab
    DPF: {EC9B6CDE-C5BF-11D2-820B-00A024CD30C6} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\VanLiteralDLL.CAB
    DPF: {F39FD815-E9C3-11D1-9C83-006008319186} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\VanTree.cab
    regnull::
    [HKEY_USERS\S-1-5-21-1844237615-73586283-682003330-4033\Software\Microsoft\SystemCertificates\AddressBook*]
    atjob::
    driver::
    psdlcc
    ASBroker
    ASChannel
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#12 wiggy

wiggy
  • Topic Starter

  • Members
  • 21 posts

Posted 25 January 2009 - 12:15 AM

Should have asked this before proceeding, but did you just have me remove FALCON and SafeBoot?

#13 wiggy

wiggy
  • Topic Starter

  • Members
  • 21 posts

Posted 25 January 2009 - 12:24 AM

New ComboFix log:

ComboFix 09-01-21.04 - sniehoff 2009-01-24 22:13:21.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2015.1474 [GMT -7:00]
Running from: c:\documents and settings\sniehoff\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\sniehoff\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\program files\Common Files\FALCON.exe
c:\program files\Common Files\FALCON.Instructions.doc
c:\windows\system32\kcscftxt.dll
c:\windows\system32\kfrpyfii.dll
c:\windows\system32\rn.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\sniehoff\LOCALS~1\Temp
c:\docume~1\sniehoff\LOCALS~1\Temp\Av-test.txt
c:\docume~1\sniehoff\LOCALS~1\Temp\jusched.log
c:\program files\Common Files\FALCON.exe
c:\program files\Common Files\FALCON.Instructions.doc
c:\temp
c:\temp\game1.log
c:\temp\tmp90\v2RI.log
c:\windows\system32\kcscftxt.dll
c:\windows\system32\kfrpyfii.dll
c:\windows\system32\rn.tmp
c:\windows\system32\UZ
c:\windows\system32\xp2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASBROKER
-------\Legacy_ASCHANNEL
-------\Legacy_PSDLCC
-------\Service_ASBroker
-------\Service_ASChannel
-------\Service_psdlcc


((((((((((((((((((((((((( Files Created from 2008-12-25 to 2009-01-25 )))))))))))))))))))))))))))))))
.

2009-01-24 20:44 . 2009-01-24 20:44 250 --a------ c:\windows\gmer.ini
2009-01-22 22:43 . 2009-01-22 22:43 552 --a------ c:\windows\system32\d3d8caps.dat
2009-01-22 22:31 . 2009-01-22 22:31 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-01-22 17:14 . 2009-01-22 18:33 <DIR> d-------- c:\windows\BDOSCAN8
2009-01-22 16:31 . 2009-01-24 12:21 <DIR> d-------- c:\program files\a-squared Free
2009-01-21 17:59 . 2009-01-21 17:59 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-21 17:59 . 2009-01-21 17:59 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-21 17:59 . 2009-01-21 17:59 <DIR> d-------- c:\documents and settings\sniehoff\Application Data\SUPERAntiSpyware.com
2009-01-21 17:59 . 2009-01-21 17:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-21 14:36 . 2009-01-21 14:36 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-21 14:36 . 2009-01-21 14:36 <DIR> d-------- c:\documents and settings\sniehoff\Application Data\Malwarebytes
2009-01-21 14:36 . 2009-01-21 14:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-21 14:36 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-21 14:36 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-21 14:07 . 2009-01-22 09:22 <DIR> d-------- c:\windows\system32\NtmsData
2009-01-21 12:55 . 2009-01-21 12:55 <DIR> d-------- c:\program files\AskSearch
2009-01-07 22:31 . 2009-01-07 22:31 <DIR> d-------- c:\windows\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-25 05:13 --------- d-----w c:\program files\SafeBoot Tray Manager
2009-01-23 19:23 2,401 ----a-w c:\windows\system32\drivers\AlKernel.sys
2009-01-21 04:41 --------- d-----w c:\documents and settings\sniehoff\Application Data\Move Networks
2008-12-24 19:29 --------- d-----w c:\documents and settings\sniehoff\Application Data\FinalBurner Video DVD
2008-12-24 19:28 --------- d-----w c:\program files\FinalBurner
2008-12-12 17:44 --------- d-----w c:\program files\PokerStars
2008-12-10 15:27 --------- d-----w c:\program files\iTunes
2008-12-10 15:27 --------- d-----w c:\documents and settings\sniehoff\Application Data\Apple Computer
2008-12-10 15:27 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-10 15:26 --------- d-----w c:\program files\QuickTime
2008-12-10 15:26 --------- d-----w c:\program files\iPod
2008-12-10 15:26 --------- d-----w c:\program files\Common Files\Apple
2008-12-10 15:26 --------- d-----w c:\program files\Bonjour
2008-12-10 15:26 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-10 15:25 --------- d-----w c:\program files\Apple Software Update
2008-12-10 15:25 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-11-25 14:26 --------- d-----w c:\documents and settings\sniehoff\Application Data\webex
2007-07-18 19:35 28,672 ----a-w c:\documents and settings\sniehoff\atwbxdet.dll
2007-05-22 17:51 557,056 ----a-w c:\documents and settings\sniehoff\GoToAssist_phone__317_en.exe
2006-09-26 00:11 557,056 ----a-w c:\documents and settings\sniehoff\chatlnk.exe
2005-06-06 15:44 19,944 ----a-w c:\documents and settings\sniehoff\Application Data\GDIPFONTCACHEV1.DAT
2003-01-17 22:19 456,249 ----a-r c:\program files\Common Files\VPN Acknowledgement.rtf
.

((((((((((((((((((((((((((((( snapshot@2009-01-24_21.47.04.06 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-07 18:06:33 38,400 ----a-r c:\windows\Installer\{261D5098-173E-4B0C-9D65-E49EF778DEA8}\Icon261D50982.exe
+ 2009-01-25 05:15:20 38,400 ----a-r c:\windows\Installer\{261D5098-173E-4B0C-9D65-E49EF778DEA8}\Icon261D50982.exe
- 2009-01-23 05:59:11 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-25 05:17:31 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-23 05:59:11 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-25 05:17:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-23 05:59:11 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-25 05:17:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-01-25 04:41:48 87,098 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-25 05:15:25 87,616 ----a-w c:\windows\system32\perfc009.dat
- 2009-01-25 04:41:48 464,254 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-25 05:15:25 465,130 ----a-w c:\windows\system32\perfh009.dat
+ 2005-08-31 20:18:42 172,099 ----a-w c:\windows\Temp\DB48BB.EXE
+ 2009-01-25 05:17:40 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_160.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMMUNICATOR"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-07 827392]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AeXAgentLogon"="c:\program files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2006-07-25 139264]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2005-08-31 335872]
"AClntUsr"="c:\altiris\AClient\AClntUsr.EXE" [2009-01-24 184320]
"SafeBootTrayManager"="c:\program files\SafeBoot Tray Manager\SbTrayManager.exe" [2007-06-12 69632]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 49263]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-07-24 677144]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
FALCON Secure Connect - on Startup.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2003-07-18 1459392]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2007-03-14 05:03 74752 c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-06-08 08:04 49152 c:\windows\system32\DeviceNP.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^sniehoff^Start Menu^Programs^Startup^Calendar Creator Scheduler.lnk]
path=c:\documents and settings\sniehoff\Start Menu\Programs\Startup\Calendar Creator Scheduler.lnk
backup=c:\windows\pss\Calendar Creator Scheduler.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 05:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
--a------ 2007-05-23 09:00 192512 c:\program files\InterVideo\DVD Check\DVDCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Altiris\\AClient\\AClntUsr.EXE"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2007-10-01 101615]
R0 SBAlg;SBAlg;c:\windows\system32\drivers\SbAlg.sys [2007-10-15 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2007-10-01 11640]
R1 AlKBNT;Altiris Keyboard Filter Driver;c:\windows\system32\drivers\AlKbNT.sys [2002-07-15 5630]
R1 AlMNT;Altiris Mouse Filter Driver;c:\windows\system32\drivers\AlMNT.sys [2002-07-15 5485]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2007-07-24 38816]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\RsvLock.sys [2007-10-01 5840]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R1 SbFlop;SbFlop;c:\windows\system32\drivers\SbFlop.sys [2007-10-01 34000]
R1 SbPrcCtl;SbPrcCtl;c:\windows\system32\drivers\SbPrcCtl.sys [2007-10-01 14960]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-01-23 41216]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2007-10-01 47616]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
R4 SafeBootClientManager;SafeBoot Client Manager;c:\program files\SafeBoot\SbClientManager.exe [2007-10-01 356352]
R4 SvcFALCON;FALCON System Configuration Monitor;c:\program files\FALCON\Svc\SvcFALCON.exe [2003-03-29 118784]
R4 SWIHPWMI;SWIHPWMI;c:\program files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [2006-12-04 292384]
R4 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [2005-11-09 205328]
R4 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [2005-11-09 36368]
S3 COAX;COAX;c:\windows\system32\drivers\coax.sys [2004-02-16 18424]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [2008-10-14 30008]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [2007-06-08 172131]
S3 RMBS;RMBS;c:\windows\system32\drivers\rmbs.sys [2004-02-16 17828]
S3 TWXWD;TWXWD;c:\windows\system32\drivers\TwxWD.sys [2004-02-16 26964]
.
Contents of the 'Scheduled Tasks' folder

2009-01-25 c:\windows\Tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_FAREIS_sniehoff.job
- c:\windows\system32\mobsync.exe [2004-08-04 05:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.fareis.net/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: {00028C20-0000-0000-0000-000000000046} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\TDBG32.cab
DPF: {08288600-E9D9-11D1-9C84-006008319186} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\vantfind.cab
DPF: {0CBD083F-B6B3-11D0-AD20-0060976EA210} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\vandropbox.cab
DPF: {6313ACD5-705C-11D3-8ACA-004F4E002623} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\EuroSup.cab
DPF: {6D852581-7F1A-11D2-9CAB-006008319186} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\VanColorPick.CAB
DPF: {99AC51A7-BEFF-11D1-B5B1-00A024CD30C6} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\vanfind.cab
DPF: {A6928F2E-DDEF-11D1-804D-006097F95635} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\vanStageTask.CAB
DPF: {ADCBFFBC-DB3F-11D2-AADF-006008936C61} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\vangrid.cab
DPF: {B2E0C2EA-A543-11CF-BC8C-207402C10627} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\AGaugeM.cab
DPF: {B8958DE0-BAC9-101C-933E-0000C005958C} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\edt32x20.cab
DPF: {B9FDDE3F-28E2-11D2-B461-006008936ABD} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\vanChevron.CAB
DPF: {C6CCA9AF-2B4E-11D1-9B21-0080C79EFE90} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\VanPallet.CAB
DPF: {E0DB982A-E986-11D0-B2F8-00A0247B9D10} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\VanViewer.CAB
DPF: {EB52CF7B-3917-11CE-80FB-0000C0C14E92} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\SSCALA32.cab
DPF: {EC9B6CDE-C5BF-11D2-820B-00A024CD30C6} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\VanLiteralDLL.CAB
DPF: {F39FD815-E9C3-11D1-9C83-006008319186} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\VanTree.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-24 22:18:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1844237615-73586283-682003330-4033\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\program files\SafeBoot\SBGINA.DLL
c:\program files\SafeBoot\SbGinaLib.dll
c:\program files\SafeBoot\SbUserObj.dll
c:\program files\SafeBoot\sbdbmgr.dll
c:\program files\SafeBoot\SbComms.dll
c:\program files\SafeBoot\SBUILIB.DLL
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
c:\program files\SafeBoot\SbAlgs\SBALG.DLL
c:\windows\system32\DeviceNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\scardsvr.exe
c:\windows\system32\ati2evxx.exe
c:\program files\a-squared Free\a2service.exe
c:\altiris\AClient\AClient.exe
c:\program files\Altiris\Altiris Agent\AeXNSAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\IFXTCS.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Trend Micro\OfficeScan Client\NTRtScan.exe
c:\windows\system32\IfxPsdSv.exe
c:\program files\Trend Micro\OfficeScan Client\TmListen.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\program files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
c:\windows\Temp\DB48BB.EXE
c:\program files\Hewlett-Packard\IAM\Bin\asghost.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
.
**************************************************************************
.
Completion time: 2009-01-24 22:21:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-25 05:21:22
ComboFix2.txt 2009-01-25 04:47:47

Pre-Run: 143,554,813,952 bytes free
Post-Run: 143,547,953,152 bytes free

275 --- E O F --- 2009-01-10 16:23:06

#14 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 25 January 2009 - 09:29 AM

Hello, wiggy
I only asked for a sample of some of SafeBoot's files because I couldn't find anything on whether it was bad or not.

These should not be in the "Common files" directory:
c:\program files\Common Files\FALCON.exe
c:\program files\Common Files\FALCON.Instructions.doc
If you need them restored I can do that, but the reason I had these removed is that that's not the correct place for those files.

"SafeBoot" bothers me because of:

- - - - - - - > 'winlogon.exe'(868)
c:\program files\SafeBoot\SBGINA.DLL
c:\program files\SafeBoot\SbGinaLib.dll
c:\program files\SafeBoot\SbUserObj.dll
c:\program files\SafeBoot\sbdbmgr.dll
c:\program files\SafeBoot\SbComms.dll
c:\program files\SafeBoot\SBUILIB.DLL

Most legitimate programs have no reason to be hooking winlogon.

Unfortunately the upload didn't work. Please do these instructions manually:

We need to upload a file for further inspection
  • Please go to this page.
  • Where it asks for the "Link to where the file was requested" copy and paste in
    http://www.bleepingcomputer.com/forums/t/197109/google-hijack-ie/
  • Where it says "Browse to the file you want to submit", browse to
    c:\program files\SafeBoot Tray Manager\SbTrayManager.exe
  • Press the Posted Image button.
We need to upload a file for further inspection
  • Please go to this page.
  • Where it asks for the "Link to where the file was requested" copy and paste in
    http://www.bleepingcomputer.com/forums/t/197109/google-hijack-ie/
  • Where it says "Browse to the file you want to submit", browse to
    c:\windows\system32\drivers\SafeBoot.sys
  • Press the Posted Image button.
I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use Ctrl+A)
  • Right-click again and choose "Copy" (or Ctrl+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • ESET OnlineScan's Log

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
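As an added example (not ComboFix's code and not from anyone in this thread), here is a small Python triage script that applies the checks the reasoning in posts #11 and #14 implies to ComboFix-format log fragments: winlogon\notify DLLs not on an allowlist, processes running from a Temp directory (such as c:\windows\Temp\DB48BB.EXE in the log above), and DPF (ActiveX) entries loaded via file:// from a user's Temp folder. The sample log, the allowlist and the EXAMPLEnotify entry are constructed for the example.

```python
"""Triage helper for ComboFix-style log fragments (added example, not a
ComboFix or BleepingComputer tool). Surfaces entries a responder would look
at first; it reports for review, it does not declare anything malicious."""
import re

# Constructed sample in the same layout as the ComboFix output in the thread.
# "EXAMPLEnotify" is a placeholder added only to exercise the allowlist.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-06-08 08:04 49152 c:\windows\system32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\EXAMPLEnotify]
2009-01-20 03:11 12288 c:\windows\system32\EXAMPLEnotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\scardsvr.exe
c:\windows\Temp\DB48BB.EXE
c:\program files\Trend Micro\OfficeScan Client\NTRtScan.exe
.
------- Supplementary Scan -------
.
DPF: {B8958DE0-BAC9-101C-933E-0000C005958C} - file://c:\docume~1\sniehoff\LOCALS~1\Temp\edt32x20.cab
"""

NOTIFY_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
    r"\\winlogon\\notify\\([^\]]+)\]$", re.IGNORECASE)
# The line after a notify key: "<date> <time> <size> <dll path>"
NOTIFY_DLL = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ (.+)$")
DPF_LINE = re.compile(r"^DPF: (\{[0-9A-F-]+\}) - (.+)$", re.IGNORECASE)
# "\Temp\" anywhere in a path covers c:\windows\Temp and the 8.3 form
# c:\docume~1\<user>\LOCALS~1\Temp seen in the thread.
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)

# Assumption: allowlist of notify packages left unflagged in the thread
# (SUPERAntiSpyware, HP ProtectTools OneCard, DeviceNP).
KNOWN_NOTIFY = {"!saswinlogon", "onecard", "devicenp"}


def parse_log(text):
    """Return (notify_entries, running_processes, dpf_entries) from log text."""
    notify, procs, dpf = [], [], []
    in_procs = False
    pending_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        key = NOTIFY_KEY.match(line)
        if key:
            pending_key = key.group(1)   # next line carries the DLL path
            continue
        if pending_key is not None:
            dll = NOTIFY_DLL.match(line)
            if dll:
                notify.append((pending_key, dll.group(1)))
            pending_key = None
            continue
        if "Other Running Processes" in line:
            in_procs = True
            continue
        if line.startswith(("---", "***")):   # any other banner ends the list
            in_procs = False
            continue
        m = DPF_LINE.match(line)
        if m:
            dpf.append((m.group(1), m.group(2)))
            continue
        if in_procs:
            procs.append(line)
    return notify, procs, dpf


def triage(text):
    """Return a list of (check, detail) findings for review."""
    notify, procs, dpf = parse_log(text)
    findings = []
    for name, path in notify:
        if name.lower() not in KNOWN_NOTIFY:
            findings.append(("winlogon-notify-unknown", f"{name}: {path}"))
    for path in procs:
        if TEMP_DIR.search(path):
            findings.append(("process-in-temp", path))
    for clsid, source in dpf:
        if source.lower().startswith("file://") and TEMP_DIR.search(source):
            findings.append(("dpf-from-temp", f"{clsid} {source}"))
    return findings


if __name__ == "__main__":
    for check, detail in triage(SAMPLE_LOG):
        print(f"[{check}] {detail}")
```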

#15 wiggy

wiggy
  • Topic Starter

  • Members
  • 21 posts

Posted 25 January 2009 - 01:31 PM

Hey, Billy. Safeboot is the encryption software running on my laptop...company standard for their infosec program. FALCON is my VPN client to connect to the company network. I'm not sure if the files belong in the common files directory or not.

Both of those programs are currently operational, so if any part of the "clean" worked on these files they are still operating appropriately.

Based on this info, do you want me to proceed with the upload of the safeboot information or just move on to the ESET scanner?

EDIT** I'm going to go ahead and post all as requested. Just wanted to let you know what I know about these two "questionable" programs....

Edited by wiggy, 25 January 2009 - 04:07 PM.
