

Cannot remove bk, bf, iu, mu according to mbam


  • This topic is locked
16 replies to this topic

#1 Penncrow19
  • Members
  • 12 posts

Posted 31 January 2009 - 12:46 AM

I have already posted this in another forum, but was directed here after unsuccessful attempts made to resolve this issue.

The main issue I have is my google search results keep redirecting me when I click on the links. I used various malware scanners and picked up nothing except for mbam scan, when it turned up 4 trojans bk, bf, iu, mu.


The following is my DDS and attach.txt:


DDS (Ver_09-01-19.01) - NTFSx86
Run by Penncrow19 at 0:35:21.64 on Sat 01/31/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2579 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\System Control Manager\MGSysCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\System Control Manager\edd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Penncrow19\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - e:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - e:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {9afe7c99-2be3-4c76-860e-e435f190a5a9} - c:\windows\system32\lsjek.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
mRun: [MGSysCtrl] c:\program files\system control manager\MGSysCtrl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [QuickTime Task] "c:\windows\system32\qttask.exe" -atboottime
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "e:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-system: NoHotStart = 1 (0x1)
mPolicies-system: NoHotStart = 1 (0x1)
IE: &D&ownload &with BitComet - e:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - e:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - e:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://e:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dll/206
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - e:\progra~1\spybot~1\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1221549720046
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 nwprovau

============= SERVICES / DRIVERS ===============

R0 ngsrsddb;ngsrsddb;c:\windows\system32\drivers\ngsrsddb.sys [2001-8-23 23424]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-9-3 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2008-9-15 54784]
R3 enecirhid;ENE CIR HID Receiver;c:\windows\system32\drivers\enecirhid.sys [2008-9-15 11264]
R3 enecirhidma;ENE CIR HIDmini Filter;c:\windows\system32\drivers\enecirhidma.sys [2008-9-15 5632]
R3 MGHwCtrl;MGHwCtrl;c:\windows\system32\drivers\MGHwCtrl.sys [2008-9-15 9088]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2008-8-22 41376]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
R4 NishService;SCM Driver Daemon;c:\program files\system control manager\edd.exe [2008-9-15 40960]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-10-14 24652]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-9-18 33752]

=============== Created Last 30 ================

2009-01-27 17:37 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-01-27 17:35 <DIR> --d----- c:\windows\ERUNT
2009-01-27 17:32 <DIR> --d----- C:\SDFix
2009-01-27 17:24 3,426 a------- c:\windows\system32\tmp.reg
2009-01-24 13:46 <DIR> a-dshr-- C:\cmdcons
2009-01-15 12:15 <DIR> --d----- c:\docume~1\penncr~1\applic~1\Malwarebytes
2009-01-15 12:15 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-15 12:15 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-15 12:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-14 10:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-12 15:35 <DIR> --d----- c:\docume~1\penncr~1\applic~1\Macrovision
2009-01-12 15:32 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-01-12 15:32 <DIR> --d----- c:\program files\common files\Data Dynamics
2009-01-12 15:32 401 a------- c:\windows\system32\Graph.lic
2009-01-12 15:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\LocalCache
2009-01-12 15:29 <DIR> --d----- c:\windows\system32\URTTEMP
2009-01-12 12:11 <DIR> --d----- c:\documents and settings\penncrow19\DecisionLens
2009-01-12 10:33 95,744 a------- c:\windows\system32\lsjek.dll

==================== Find3M ====================

2009-01-28 23:15 78,426 a------- c:\windows\system32\nvModes.dat
2008-12-18 23:56 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-16 22:07 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-28 11:10 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-10-22 19:35 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102220081023\index.dat

============= FINISH: 0:35:37.67 ===============

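The helper's later replies single out c:\windows\system32\lsjek.dll from this log: it is the only BHO with no friendly name, it sits directly in system32 rather than in a vendor folder, and it also appears under "Created Last 30" dated 2009-01-12. As an added example, not part of the original thread and not code from DDS or BleepingComputer, here is a small Python triage script that applies those same three checks to the BHO and "Created Last 30" lines of a DDS log. The sample text is a constructed excerpt of the log above; the severity labels and the "two indicators for high" threshold are my own choices, not anything the thread prescribes.

```python
import re
from datetime import date

# Constructed excerpt of the DDS log posted above: two named BHOs, one orphaned
# BHO entry, the unnamed lsjek.dll BHO, and two lines from "Created Last 30".
# A real run would read the whole dds.txt.
DDS_SAMPLE = r"""
============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {9afe7c99-2be3-4c76-860e-e435f190a5a9} - c:\windows\system32\lsjek.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll

=============== Created Last 30 ================

2009-01-15 12:15 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-12 10:33 95,744 a------- c:\windows\system32\lsjek.dll
"""

# "BHO: <optional friendly name>: {CLSID} - <path or 'No File'>"
BHO_RE = re.compile(
    r"^BHO: (?:(?P<name>.+?): )?\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
# "<date> <time> <size or <DIR>> <attributes> <path>"
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} (?:[\d,]+|<DIR>) \S+ (?P<path>.+)$")
# A DLL dropped straight into system32 rather than into a vendor sub-folder.
BARE_SYSTEM32_RE = re.compile(r"c:\\windows\\system32\\[^\\]+")


def parse_dds(text):
    """Return (bhos, created): bhos is a list of dicts with name/clsid/path,
    created maps a lower-cased path to its creation date."""
    bhos, created = [], {}
    for line in text.splitlines():
        m = BHO_RE.match(line)
        if m:
            bhos.append({"name": m.group("name"),
                         "clsid": m.group("clsid").lower(),
                         "path": m.group("path").lower()})
            continue
        m = CREATED_RE.match(line)
        if m:
            created[m.group("path").lower()] = date.fromisoformat(m.group("date"))
    return bhos, created


def triage_bhos(text):
    """Flag BHO entries the way a responder reads them by hand.

    Returns a list of (identifier, severity, reason) tuples in log order.
    "high" needs at least two independent indicators, so a legitimate but
    unnamed BHO living in a vendor folder only scores "low".
    """
    bhos, created = parse_dds(text)
    findings = []
    for b in bhos:
        if b["path"] == "no file":
            findings.append((b["clsid"], "info", "orphaned BHO entry, no file on disk"))
            continue
        reasons = []
        if b["name"] is None:
            reasons.append("no friendly name")
        if BARE_SYSTEM32_RE.fullmatch(b["path"]):
            reasons.append("bare DLL in system32")
        if b["path"] in created:
            reasons.append("created %s (within last 30 days)" % created[b["path"]].isoformat())
        if len(reasons) >= 2:
            findings.append((b["path"], "high", "; ".join(reasons)))
        elif reasons:
            findings.append((b["path"], "low", reasons[0]))
    return findings


if __name__ == "__main__":
    for ident, severity, reason in triage_bhos(DDS_SAMPLE):
        print("%-5s %s: %s" % (severity, ident, reason))
```

Run against the excerpt, the orphaned CLSID comes out as "info" and lsjek.dll as "high" with all three reasons; the Adobe and Google entries produce nothing, which is the same conclusion the helper reached by eye.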

#2 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,219 posts
  • Location:Puerto Rico

Posted 31 January 2009 - 12:03 PM

Hi, Penncrow19 :thumbup2:

Welcome.

Download the enclosed folder. Save and extract its contents to the desktop. It is a folder containing a batch file, Seek.bat. Once extracted, open the folder, double-click on the Seek.bat file and post the resulting report.

Edited by JSntgRvr, 31 January 2009 - 12:03 PM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Penncrow19
  • Topic Starter
  • Members
  • 12 posts

Posted 01 February 2009 - 03:06 AM

-c----w 577,024 2004-08-04 04:56:48 C:\Windows\$NtServicePackUninstall$\user32.dll
------w 578,560 2008-04-14 00:12:08 C:\Windows\ServicePackFiles\i386\user32.dll
----a-w 578,560 2008-04-14 00:12:08 C:\Windows\system32\user32.dll
-c--a-w 578,560 2009-01-27 22:37:06 C:\Windows\system32\dllcache\user32.dll

Entries: 4 (4)
Directories: 0 Files: 4
Bytes: 2,312,704 Blocks: 4,517
__________________________________

Thanks for staying patient with me, for I am currently very busy and hardly have time to fix this problem. So if I don't respond for days at a time, don't be alarmed. This is a lingering problem and it is very annoying, so I do appreciate your help.

#4 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,219 posts
  • Location:Puerto Rico

Posted 01 February 2009 - 07:51 AM

Hi, Penncrow19 :thumbup2:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

    • Copy the entire contents of the Quote Box below to Notepad.
    • Name the file as CFScript.txt
    • Change the Save as Type to All Files
    • and Save it on the desktop
    Collect::
    c:\windows\system32\lsjek.dll
    FCopy::
    C:\Windows\ServicePackFiles\i386\user32.dll | C:\Windows\system32\dllcache\user32.dll
    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu]

    [Image: CFScript.txt being dragged onto ComboFix.exe]

    Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.
  • If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.
  • Install the Recovery Console upon request.
  • When finished, it will produce a report for you.
  • Please post the "ComboFix" report saved in the C:\ folder, along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Additionally, ComboFix will generate a zipped file in the C:\Qoobox\Quarantine\ folder called Submit [Date Time].zip

Please submit this file to:

http://www.bleepingcomputer.com/submit-malware.php?channel=4

Please include a link to this topic in the message.

Run Malwarebytes once again to confirm the entries have been removed and post its report.

Edited by JSntgRvr, 01 February 2009 - 07:56 AM.



#5 Penncrow19
  • Topic Starter
  • Members
  • 12 posts

Posted 02 February 2009 - 03:07 AM

I downloaded Combofix that you have put up. I copy&pasted the CFScript.txt from your quote box. When I dragged the file into combofix, it asked me to update my combofix, I chose no, it then proceeded to scan. It backed up my registry and then it says it will take about 10 minutes to complete. After 10 secs or so, the blue screen disappears and nothing happens. I waited 5 minutes and nothing, even internet is cut off. I repeated this process 3 times to the same result.

I have used combofix before and it did not run like this.

What should I do?

#6 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,219 posts
  • Location:Puerto Rico

Posted 02 February 2009 - 04:13 PM

I downloaded Combofix that you have put up. I copy&pasted the CFScript.txt from your quote box. When I dragged the file into combofix, it asked me to update my combofix, I chose no, it then proceeded to scan. It backed up my registry and then it says it will take about 10 minutes to complete. After 10 secs or so, the blue screen disappears and nothing happens. I waited 5 minutes and nothing, even internet is cut off. I repeated this process 3 times to the same result.

I have used combofix before and it did not run like this.

What should I do?

The developer was away. Download the latest copy of Combofix and make sure your antivirus and real-time protection are disabled, as they may interfere. Proceed as instructed.



#7 Penncrow19
  • Topic Starter
  • Members
  • 12 posts

Posted 02 February 2009 - 10:12 PM

I downloaded the Combofix per the link the admin has given me again. I have also copy and pasted the script into txt and dragged into combofix. However same thing is happening. It tells me it is backing up registry, then it says it will scan for roughly 10 minutes, however after 10 secs, the blue window disappears and nothing happens with the exception of discontinued internet. I waited for roughly 2-3 minutes and decided to restart my computer to get internet back.

What should I do now???

#8 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,219 posts
  • Location:Puerto Rico

Posted 03 February 2009 - 11:48 AM

Hi, Penncrow19 :thumbup2:

It must most definitely be due to your security protection. Let's try an alternate way.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please navigate to these folders and copy:

C:\Windows\ServicePackFiles\i386\user32.dll

into the

C:\Windows\system32\dllcache folder, overwriting the existing one.


1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
Files to delete:
c:\windows\system32\lsjek.dll
Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh Hijackthis log .

Run Malwarebytes once again and the Seek.bat file to confirm the entries have been removed and post their reports.

Edited by JSntgRvr, 03 February 2009 - 11:49 AM.



#9 Penncrow19
  • Topic Starter
  • Members
  • 12 posts

Posted 04 February 2009 - 02:47 AM

I ran avenger. I copy and pasted

Begin copying here:
Files to delete:
c:\windows\system32\lsjek.dll
Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu


into the script box. When I clicked execute, it asked me yes/no. After I click yes, it says "error: invalid script. a valid script must begin with a command directive. aborting execution".

Any ideas?

#10 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,219 posts
  • Location:Puerto Rico

Posted 04 February 2009 - 01:26 PM

Open Notepad. Select Format from the menu. Make sure Wordwrap is not checked. Also, make sure the fix goes in as:

Begin copying here:
Files to delete:
c:\windows\system32\lsjek.dll
Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu

And not as a single line such as,

Begin copying here:Files to delete:c:\windows\system32\lsjek.dllRegistry keys to delete:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bfHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bkHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iuHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu


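The pre-processor error reported in post #9 ("A valid script must begin with a command directive") is exactly what happens when the line breaks are lost and the whole script reaches The Avenger as one line, which is the point the reply above makes. As an added example, not part of the thread and not code from The Avenger itself, the Python below models the two directives used in this thread ("Files to delete:" and "Registry keys to delete:"), treats the "Begin copying here:" marker as an ignorable preamble (an assumption; the real Avenger grammar is not shown on this page), rejects the single-line form with the same complaint, and re-inserts the missing line breaks before each directive, drive-letter path and HKEY_ key so the flattened paste can be checked before it is executed. The sample script is the one from post #8, with two of the four keys.

```python
import re

# Directives that appear in the Avenger script posted in this thread.
# Assumption: the real Avenger grammar has more directives; these two are the
# ones the thread uses.
DIRECTIVES = ("Files to delete:", "Registry keys to delete:")
# Marker the helper puts at the top of the code box; assumed to be ignorable.
PREAMBLE = "Begin copying here:"

# Constructed: the script as it should be pasted, one item per line ...
GOOD_SCRIPT = r"""Begin copying here:
Files to delete:
c:\windows\system32\lsjek.dll
Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk
"""
# ... and the same text with every line break lost, as happened in post #9.
FLAT_SCRIPT = GOOD_SCRIPT.replace("\n", "")

# Zero-width positions where a new line must start: a directive, a
# drive-letter path, or a registry hive prefix.
ITEM_START_RE = re.compile(
    r"(?=(?:[A-Za-z]:\\|HKEY_[A-Z_]+\\|"
    + "|".join(re.escape(d) for d in DIRECTIVES) + "))")


def parse_avenger_script(text):
    """Split a script into {directive: [items]}.

    Raises ValueError with the same complaint the Avenger pre-processor logs
    when the first non-blank line (after the optional preamble) is not a
    directive.
    """
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if lines and lines[0] == PREAMBLE:
        lines = lines[1:]
    if not lines or lines[0] not in DIRECTIVES:
        raise ValueError(
            "Invalid script. A valid script must begin with a command directive.")
    sections, current = {}, None
    for line in lines:
        if line in DIRECTIVES:
            current = line
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def script_is_valid(text):
    """True if the script would get past the pre-processor check."""
    try:
        parse_avenger_script(text)
        return True
    except ValueError:
        return False


def repair_flattened(text):
    """Re-insert the line breaks that word-wrap or a clipboard round trip
    removed, by breaking before each directive and each path/key item."""
    return ITEM_START_RE.sub("\n", text)


if __name__ == "__main__":
    print("multi-line script valid:", script_is_valid(GOOD_SCRIPT))
    print("single-line script valid:", script_is_valid(FLAT_SCRIPT))
    for directive, items in parse_avenger_script(repair_flattened(FLAT_SCRIPT)).items():
        print(directive)
        for item in items:
            print("   ", item)
```

The repair relies on every item in this kind of script starting with a recognisable prefix (a drive letter or an HKEY_ hive), which holds for the scripts in this thread; a path without a drive letter would need an extra pattern.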


#11 Penncrow19
  • Topic Starter
  • Members
  • 12 posts

Posted 05 February 2009 - 01:36 AM

Ok, I fixed the word wrap in notepad, however it did not fix the spacing problem in Avenger, it was still pasting as a line of text. I decided to copy and paste one line at a time, that seemed to work.
But it doesn't look like Avenger was able to get rid of these 4 items. Please see the following: avenger.txt, dds.txt, mbamlog



//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Wed Feb 04 02:44:10 2009

02:44:10: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Wed Feb 04 02:44:22 2009

02:44:22: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Wed Feb 04 02:44:57 2009

02:44:57: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Wed Feb 04 02:47:06 2009

02:47:06: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Wed Feb 04 02:47:50 2009

02:47:50: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Wed Feb 04 02:50:06 2009

02:50:06: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Thu Feb 05 01:11:57 2009

01:11:57: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Thu Feb 05 01:12:38 2009

01:12:38: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not open file "c:\windows\system32\lsjek.dll"
Deletion of file "c:\windows\system32\lsjek.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Error: could not open registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf" for deletion
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Error: could not open registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk" for deletion
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Error: could not open registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu" for deletion
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Error: could not open registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu" for deletion
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished! Terminate.





==========================================================================


DDS (Ver_09-01-19.01) - NTFSx86
Run by Penncrow19 at 1:33:02.40 on 2009-02-05
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2513 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\System Control Manager\MGSysCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\System Control Manager\edd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
E:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Penncrow19\Desktop\Virus Scanners\Fix\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - e:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - e:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {9afe7c99-2be3-4c76-860e-e435f190a5a9} - c:\windows\system32\lsjek.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
mRun: [MGSysCtrl] c:\program files\system control manager\MGSysCtrl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [QuickTime Task] "c:\windows\system32\qttask.exe" -atboottime
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "e:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-system: NoHotStart = 1 (0x1)
mPolicies-system: NoHotStart = 1 (0x1)
IE: &D&ownload &with BitComet - e:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - e:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - e:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://e:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dll/206
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - e:\progra~1\spybot~1\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1221549720046
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 nwprovau

============= SERVICES / DRIVERS ===============

R0 ngsrsddb;ngsrsddb;c:\windows\system32\drivers\ngsrsddb.sys [2001-8-23 23424]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-9-3 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2008-9-15 54784]
R3 enecirhid;ENE CIR HID Receiver;c:\windows\system32\drivers\enecirhid.sys [2008-9-15 11264]
R3 enecirhidma;ENE CIR HIDmini Filter;c:\windows\system32\drivers\enecirhidma.sys [2008-9-15 5632]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-1-15 38496]
R3 MGHwCtrl;MGHwCtrl;c:\windows\system32\drivers\MGHwCtrl.sys [2008-9-15 9088]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2008-8-22 41376]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
R4 NishService;SCM Driver Daemon;c:\program files\system control manager\edd.exe [2008-9-15 40960]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-10-14 24652]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-9-18 33752]

=============== Created Last 30 ================

2009-02-05 01:15 389,120 a------- c:\windows\system32\CF31474.exe
2009-02-05 01:15 <DIR> --d----- C:\ComboFix
2009-02-05 01:15 389,120 a------- c:\windows\system32\CF31386.exe
2009-02-02 22:05 389,120 a------- c:\windows\system32\CF19622.exe
2009-02-02 03:00 389,120 a------- c:\windows\system32\CF24770.exe
2009-02-02 02:47 389,120 a------- c:\windows\system32\CF22157.exe
2009-02-01 13:36 389,120 a------- c:\windows\system32\CF31121.exe
2009-01-27 17:37 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-01-27 17:35 <DIR> --d----- c:\windows\ERUNT
2009-01-27 17:32 <DIR> --d----- C:\SDFix
2009-01-27 17:24 3,426 a------- c:\windows\system32\tmp.reg
2009-01-24 13:46 <DIR> a-dshr-- C:\cmdcons
2009-01-15 12:15 <DIR> --d----- c:\docume~1\penncr~1\applic~1\Malwarebytes
2009-01-15 12:15 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-15 12:15 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-15 12:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-14 10:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-12 15:35 <DIR> --d----- c:\docume~1\penncr~1\applic~1\Macrovision
2009-01-12 15:32 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-01-12 15:32 <DIR> --d----- c:\program files\common files\Data Dynamics
2009-01-12 15:32 401 a------- c:\windows\system32\Graph.lic
2009-01-12 15:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\LocalCache
2009-01-12 15:29 <DIR> --d----- c:\windows\system32\URTTEMP
2009-01-12 12:11 <DIR> --d----- c:\documents and settings\penncrow19\DecisionLens
2009-01-12 10:33 95,744 a------- c:\windows\system32\lsjek.dll

==================== Find3M ====================

2009-02-04 15:15 78,426 a------- c:\windows\system32\nvModes.dat
2008-12-18 23:56 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-16 22:07 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-28 11:10 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-10-22 19:35 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102220081023\index.dat

============= FINISH: 1:33:17.81 ===============



====================================================

Malwarebytes' Anti-Malware 1.33
Database version: 1714
Windows 5.1.2600 Service Pack 3

2009-02-05 01:32:47
mbam-log-2009-02-05 (01-32-47).txt

Scan type: Quick Scan
Objects scanned: 59027
Time elapsed: 6 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 JSntgRvr

    Master Surgeon General
  • Malware Response Team

Posted 05 February 2009 - 11:36 AM

Download the enclosed folder. Save and extract its contents to the desktop. Once extracted, open the folder and click on the RunMe.bat. The computer will restart.

Run Malwarebytes to confirm and post a fresh HijackThis log.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#13 Penncrow19
  • Topic Starter

Posted 06 February 2009 - 09:30 PM

I ran the program as directed. It ran and restarted my cpu in a matter of seconds. It left a log on my desktop:

file zipped: c:\windows\system32\lsjek.dll -> catchme.zip -> lsjek.dll ( 95744 bytes )
PE file "c:\windows\system32\lsjek.dll" killed successfully
file zipped: c:\windows\system32\lsjek.dll -> catchme.zip -> lsjek.dll.1 ( 95744 bytes )
file "c:\windows\system32\lsjek.dll" deleted successfully


I ran MBAM again and HijackThis; it seems like the items are still there.

Malwarebytes' Anti-Malware 1.33
Database version: 1736
Windows 5.1.2600 Service Pack 3

2009-02-06 21:25:27
mbam-log-2009-02-06 (21-25-27).txt

Scan type: Quick Scan
Objects scanned: 60114
Time elapsed: 5 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




DDS (Ver_09-01-19.01) - NTFSx86
Run by Penncrow19 at 21:29:08.96 on 2009-02-06
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2534 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\System Control Manager\MGSysCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\System Control Manager\edd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Penncrow19\Desktop\Virus Scanners\Fix\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - e:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - e:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {9afe7c99-2be3-4c76-860e-e435f190a5a9} - c:\windows\system32\lsjek.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
mRun: [MGSysCtrl] c:\program files\system control manager\MGSysCtrl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [QuickTime Task] "c:\windows\system32\qttask.exe" -atboottime
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "e:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "e:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-system: NoHotStart = 1 (0x1)
mPolicies-system: NoHotStart = 1 (0x1)
IE: &D&ownload &with BitComet - e:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - e:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - e:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://e:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dll/206
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - e:\progra~1\spybot~1\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1221549720046
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 nwprovau

============= SERVICES / DRIVERS ===============

R0 ngsrsddb;ngsrsddb;c:\windows\system32\drivers\ngsrsddb.sys [2001-8-23 23424]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-9-3 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2008-9-15 54784]
R3 enecirhid;ENE CIR HID Receiver;c:\windows\system32\drivers\enecirhid.sys [2008-9-15 11264]
R3 enecirhidma;ENE CIR HIDmini Filter;c:\windows\system32\drivers\enecirhidma.sys [2008-9-15 5632]
R3 MGHwCtrl;MGHwCtrl;c:\windows\system32\drivers\MGHwCtrl.sys [2008-9-15 9088]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2008-8-22 41376]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
R4 NishService;SCM Driver Daemon;c:\program files\system control manager\edd.exe [2008-9-15 40960]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-10-14 24652]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-9-18 33752]

=============== Created Last 30 ================

2009-02-05 01:15 389,120 a------- c:\windows\system32\CF31474.exe
2009-02-05 01:15 <DIR> --d----- C:\ComboFix
2009-02-05 01:15 389,120 a------- c:\windows\system32\CF31386.exe
2009-02-02 22:05 389,120 a------- c:\windows\system32\CF19622.exe
2009-02-02 03:00 389,120 a------- c:\windows\system32\CF24770.exe
2009-02-02 02:47 389,120 a------- c:\windows\system32\CF22157.exe
2009-02-01 13:36 389,120 a------- c:\windows\system32\CF31121.exe
2009-01-27 17:37 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-01-27 17:35 <DIR> --d----- c:\windows\ERUNT
2009-01-27 17:32 <DIR> --d----- C:\SDFix
2009-01-27 17:24 3,426 a------- c:\windows\system32\tmp.reg
2009-01-24 13:46 <DIR> a-dshr-- C:\cmdcons
2009-01-15 12:15 <DIR> --d----- c:\docume~1\penncr~1\applic~1\Malwarebytes
2009-01-15 12:15 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-15 12:15 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-15 12:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-14 10:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-12 15:35 <DIR> --d----- c:\docume~1\penncr~1\applic~1\Macrovision
2009-01-12 15:32 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-01-12 15:32 <DIR> --d----- c:\program files\common files\Data Dynamics
2009-01-12 15:32 401 a------- c:\windows\system32\Graph.lic
2009-01-12 15:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\LocalCache
2009-01-12 15:29 <DIR> --d----- c:\windows\system32\URTTEMP
2009-01-12 12:11 <DIR> --d----- c:\documents and settings\penncrow19\DecisionLens

==================== Find3M ====================

2009-02-06 16:09 78,426 a------- c:\windows\system32\nvModes.dat
2008-12-18 23:56 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-16 22:07 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-28 11:10 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-10-22 19:35 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102220081023\index.dat

============= FINISH: 21:29:24.76 ===============
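The two posts above show a pattern a helper normally checks by hand: an unnamed BHO pointing at a DLL that also appears under "Created Last 30", and four "Delete on reboot" registry values that are still listed in the next MBAM scan. The following Python script is an added example (mine, not the poster's and not part of DDS or MBAM) that parses those log formats and does the cross-check; the sample lines are copied from this thread, and the flagging rules are my own heuristics.

```python
# Added triage helpers for the DDS and MBAM log formats in this thread (my own heuristics).
import re

# Constructed sample: lines copied from the DDS log above (most BHOs trimmed).
DDS_SAMPLE = r"""
============== Pseudo HJT Report ===============
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {9afe7c99-2be3-4c76-860e-e435f190a5a9} - c:\windows\system32\lsjek.dll
=============== Created Last 30 ================
2009-01-15 12:15 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-12 10:33 95,744 a------- c:\windows\system32\lsjek.dll
"""

# Constructed sample: two MBAM registry values from the scan above, plus the 'N' summary line.
MBAM_SAMPLE = r"""
Registry Values Infected: 2
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
"""

SECTION_RE = re.compile(r"^=+ (.+?) =+$")
BHO_RE = re.compile(r"^BHO: (?:(?P<name>.*?): )?\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} (?:<DIR>|[\d,]+) \S+ (.+)$")
MBAM_RE = re.compile(r"^(?P<key>.+?) \((?P<threat>[^)]+)\) -> (?P<action>.+?)\.?$")

def parse_dds(text):
    """Return (bhos, created): BHO records and a {path: date} map of new files."""
    bhos, created, section = [], {}, None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif section == "Pseudo HJT Report" and (m := BHO_RE.match(line)):
            bhos.append({"name": m.group("name"), "clsid": m.group("clsid").lower(),
                         "path": m.group("path").lower()})
        elif section == "Created Last 30" and (m := CREATED_RE.match(line)):
            created[m.group(2).lower()] = m.group(1)  # path -> creation date
    return bhos, created

def parse_mbam_registry_values(text):
    """Entries under the 'Registry Values Infected:' heading (not the 'N' summary line)."""
    items, inside = [], False
    for line in text.splitlines():
        if line.strip() == "Registry Values Infected:":
            inside = True
        elif inside and not line.strip():
            break  # a blank line ends the block
        elif inside and (m := MBAM_RE.match(line)):
            items.append(m.groupdict())
    return items

def triage_bhos(bhos, created):
    """Flag BHOs that are orphaned, registered without a name, or backed by a new file."""
    findings = []
    for b in bhos:
        reasons = []
        if b["path"] == "no file":
            reasons.append("orphaned registration (No File)")
        else:
            if not b["name"]:
                reasons.append("no friendly name")
            if b["path"] in created:
                reasons.append("file created " + created[b["path"]])
        if reasons:
            findings.append({"clsid": b["clsid"], "path": b["path"], "reasons": reasons})
    return findings

def persistent(first, second):
    """Registry values reported by both scans, i.e. removals that did not stick."""
    later = {i["key"] for i in second}
    return sorted(i["key"] for i in first if i["key"] in later)

if __name__ == "__main__":  # demo on the constructed samples
    print(triage_bhos(*parse_dds(DDS_SAMPLE)))
    items = parse_mbam_registry_values(MBAM_SAMPLE)
    print(persistent(items, items))  # the same log twice stands in for two scans
```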

#14 JSntgRvr

    Master Surgeon General
  • Malware Response Team

Posted 06 February 2009 - 11:29 PM

Hi, Penncrow19 :thumbup2:

Let's take a deeper look:

Download OTScanit2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanit2 on your desktop. OTScanit2 can be detected as malware by your firewall and Antivirus. Choose Ignore on any warning alert.
  • Close any open browsers.
  • Open the OTScanit2 folder and double-click on OTScanit2.exe to start the program.
  • Leave all settings as they appear as default, except for the following:
  • Under Drivers, select "All".
  • Under Rootkit Search, select Yes
  • Under additional Scan select the following:
    • Reg - ControlSets
    • Reg - Disabled MS Config Items
    • Reg - File Associations
    • Reg - Security Center Settings
    • Reg - Tcpip Persistent Routes
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file.
Use the Reply button and attach the notepad file here (Do not copy and paste in a reply, rather attach it to it).



#15 Penncrow19
  • Topic Starter

Posted 10 February 2009 - 11:54 PM

OK, the scan log is attached.
