After clearing malware, AVG found Win32/Rustock.G


  • This topic is locked
7 replies to this topic

#1 herbaklez

  • Members
  • 76 posts
  • Gender:Male
  • Local time:03:25 AM

Posted 06 February 2009 - 08:05 PM

Following multiple steps in this thread:

http://www.bleepingcomputer.com/forums/t/199461/multiple-trojan-infection;-help-needed/

AVG spontaneously informed me that the virus Win32/Rustock.G had infected my computer.

The computer appears to be functioning very normally, although we have been using the infected computer very little.

Here are the logs from HijackThis:

(HJT was launched in normal mode. There was no indication that it needed to be done in Safe Mode; however, there are clearly far more processes running than in the example shown in the guide.)


DDS (Ver_09-02-01.01) - NTFSx86
Run by lionel at 11:05:14.64 on Sat 07/02/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.581 [GMT 11:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Hotkey\Hotkey.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\EnhanceKeyboard\kb_2k.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office 97\Office\OSA.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Documents and Settings\lionel\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [Easy-PrintToolBox] c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE /logon
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Hotkey] c:\program files\hotkey\Hotkey.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [Nokia.PCSync] "c:\program files\nokia\nokia pc suite 6\PcSync2.exe" /NoDialog
StartupFolder: c:\docume~1\lionel\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office 97\office\FINDFAST.EXE
StartupFolder: c:\docume~1\lionel\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office 97\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\corelr~1.lnk - c:\program files\corel\wordperfect office 2000\register\Remind32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\enhanc~1.lnk - c:\program files\enhancekeyboard\kb_2k.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
Trusted Zone: aol.com\free
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1218107241868
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !saswinlogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Internet Shortcut: {fbf23b40-e3f0-101b-8488-00aa003e56f8} - shdocvw.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lionel\applic~1\mozilla\firefox\profiles\ojyikrxd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npbeatnk.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npdrmv2.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npdsplay.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npnul32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin2.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin3.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin4.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin5.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin6.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin7.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npswf32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npwmsdrm.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-31 325128]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-31 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-31 107272]
R1 sasdifsv;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 saskutil;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-2-2 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-2 298264]
R3 sasenum;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 BopItU2U;BopIt Serial port driver;c:\windows\system32\drivers\BopItU2U.sys [2008-12-25 26880]

=============== Created Last 30 ================

2009-02-06 06:26 --d----- c:\windows\pss
2009-02-04 01:48 --d----- c:\docume~1\lionel\applic~1\Skinux
2009-02-03 05:42 2,402 a------- c:\windows\system32\tmp.reg
2009-02-03 00:22 --d----- c:\program files\Avira GmbH
2009-02-03 00:10 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-02-03 00:08 --d----- c:\windows\ERUNT
2009-02-03 00:01 --d----- C:\SDFix
2009-02-01 23:52 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-01 23:52 --d----- c:\program files\SUPERAntiSpyware
2009-02-01 23:52 --d----- c:\docume~1\lionel\applic~1\SUPERAntiSpyware.com
2009-02-01 23:51 --d----- c:\program files\common files\Wise Installation Wizard
2009-02-01 09:19 --d----- c:\docume~1\lionel\applic~1\Malwarebytes
2009-02-01 09:19 --d-h--- c:\windows\PIF
2009-02-01 09:14 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-01 09:14 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-01 09:14 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-01 09:14 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-31 02:31 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-31 02:31 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-31 02:31 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-31 02:31 --d----- c:\windows\system32\drivers\Avg
2009-01-31 02:30 --d----- c:\program files\AVG
2009-01-30 21:32 --d----- c:\docume~1\alluse~1\applic~1\Avg8
2009-01-11 10:15 --d----- c:\program files\RIP 3 The Last Hero
2009-01-11 10:15 --d----- c:\program files\ReflexiveArcade
2009-01-11 08:27 --d----- c:\program files\common files\PCSuite
2009-01-11 08:27 --d----- c:\program files\common files\Nokia
2009-01-11 08:26 --d----- c:\program files\PC Connectivity Solution

==================== Find3M ====================

2009-01-04 08:45 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-31 20:53 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2008-12-12 00:57 78,336 a------- c:\windows\system32\Agent.OMZ.Fix.exe
2008-12-11 21:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-29 17:58 82,944 a------- c:\windows\system32\IEDFix.C.exe
2004-10-11 19:46 205,312 a------- c:\program files\ltefx13n.dll
2004-01-19 14:31 153,600 a------- c:\program files\ltfil13n.DLL
2004-01-19 13:31 27,648 a------- c:\program files\lfiff13n.dll
2004-01-19 13:31 20,480 a------- c:\program files\lfCUT13n.dll
2004-01-19 12:31 453,120 a------- c:\program files\ltkrn13n.dll
2004-01-19 12:12 89,600 a------- c:\program files\Lfcgm13n.dll
2004-01-19 11:49 278,016 a------- c:\program files\LFJ2K13n.dll
2004-01-19 11:49 180,736 a------- c:\program files\Lfpng13n.dll
2004-01-19 11:47 76,800 a------- c:\program files\Lfwmf13n.dll
2004-01-19 11:47 509,440 a------- c:\program files\LFCMW13n.dll
2004-01-19 11:45 420,352 a------- c:\program files\LFCMP13n.DLL
2004-01-19 11:44 143,872 a------- c:\program files\lftif13n.dll
2004-01-19 11:36 56,832 a------- c:\program files\lfpsd13n.dll
2004-01-19 11:36 19,968 a------- c:\program files\lfpcd13n.dll
2004-01-19 11:36 26,624 a------- c:\program files\lfpcx13n.dll
2004-01-19 11:36 65,536 a------- c:\program files\Lfpct13n.dll
2004-01-19 11:36 18,944 a------- c:\program files\lfmsp13n.dll
2004-01-19 11:35 18,944 a------- c:\program files\lfmac13n.dll
2004-01-19 11:35 20,992 a------- c:\program files\lfimg13n.dll
2004-01-19 11:34 31,744 a------- c:\program files\lfclp13n.dll
2004-01-19 11:34 30,208 a------- c:\program files\lfbmp13n.dll
2004-01-19 11:33 444,928 a------- c:\program files\ltimg13n.dll
2004-01-19 11:32 265,216 a------- c:\program files\LTDIS13n.dll
2000-05-02 04:17 212,480 a------- c:\program files\PCDLIB32.DLL
1999-11-18 23:00 284,032 a------- c:\program files\XceedZip.dll

============= FINISH: 11:05:32.85 ===============



#2 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:01:25 PM

Posted 13 February 2009 - 05:00 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Download and Run DDS
If you already have a copy of DDS, there is no need to download a new one.

DDS is a tool that gives us a general overview of the condition of your machine.

Download DDS by sUBs from any of the links below:
DDS.com, DDS.scr, DDS.pif

Double click its icon to run it. If you are using Windows Vista, right click it and select "Run as Administrator".
When the scan is finished, two logs will open.
Post DDS.txt directly into your reply. Attach Attach.txt.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Please post back with:
-the DDS logs
-the F-Secure scan log

Please give me an update on the symptoms. Also tell me of any changes you have made to this computer.

With Regards,
The Panda

#3 herbaklez

  • Topic Starter
  • Members
  • 76 posts
  • Gender:Male
  • Local time:03:25 AM

Posted 14 February 2009 - 07:17 AM

Thanks Panda,

You really are an endangered species!! (much like our ring-tailed possum since the bushfires have ravaged the nearby countryside)

Firstly, despite instructing my son clearly not to install any software, he forgot, and did so the very next day. He's very downcast and I haven't permitted him to use the computer since. Tough love, I think they call it.

It was a local Australian educational game called Kids Maths Quest (Eureka multimedia).

As for the reports:

DDS:



DDS (Ver_09-02-01.01) - NTFSx86
Run by lionel at 21:42:04.28 on Sat 14/02/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.615 [GMT 11:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Hotkey\Hotkey.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\EnhanceKeyboard\kb_2k.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office 97\Office\OSA.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\lionel\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [Easy-PrintToolBox] c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE /logon
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Hotkey] c:\program files\hotkey\Hotkey.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [Nokia.PCSync] "c:\program files\nokia\nokia pc suite 6\PcSync2.exe" /NoDialog
StartupFolder: c:\docume~1\lionel\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office 97\office\FINDFAST.EXE
StartupFolder: c:\docume~1\lionel\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office 97\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\corelr~1.lnk - c:\program files\corel\wordperfect office 2000\register\Remind32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\enhanc~1.lnk - c:\program files\enhancekeyboard\kb_2k.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
Trusted Zone: aol.com\free
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1218107241868
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !saswinlogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Internet Shortcut: {fbf23b40-e3f0-101b-8488-00aa003e56f8} - shdocvw.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lionel\applic~1\mozilla\firefox\profiles\ojyikrxd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npbeatnk.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPDocBox.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npdrmv2.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npdsplay.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\Npindeo.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npnul32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\nppdf32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin2.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin3.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin4.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin5.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin6.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin7.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npswf32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npwmsdrm.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-31 325128]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-31 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-31 107272]
R1 sasdifsv;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 saskutil;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-2-2 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-2 298264]
R3 sasenum;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 BopItU2U;BopIt Serial port driver;c:\windows\system32\drivers\BopItU2U.sys [2008-12-25 26880]

=============== Created Last 30 ================

2009-02-09 17:05 <DIR> --d----- c:\windows\Profiles
2009-02-09 17:04 <DIR> --d----- c:\windows\system32\Adobe
2009-02-09 17:03 136,704 a------- c:\windows\system32\iacenc.dll
2009-02-09 17:03 56,320 -------- c:\windows\system32\iyvu9_32.dll
2009-02-09 17:03 <DIR> --d----- c:\program files\Ligos
2009-02-09 16:54 <DIR> --d----- c:\program files\directx
2009-02-09 16:53 90 a------- c:\windows\EKMQUEST.INI
2009-02-09 16:52 <DIR> --d----- c:\program files\EurekaMultimedia
2009-02-06 06:26 <DIR> --d----- c:\windows\pss
2009-02-04 01:48 <DIR> --d----- c:\docume~1\lionel\applic~1\Skinux
2009-02-03 05:42 2,402 a------- c:\windows\system32\tmp.reg
2009-02-03 00:22 <DIR> --d----- c:\program files\Avira GmbH
2009-02-03 00:10 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-02-03 00:08 <DIR> --d----- c:\windows\ERUNT
2009-02-03 00:01 <DIR> --d----- C:\SDFix
2009-02-01 23:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-01 23:52 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-01 23:52 <DIR> --d----- c:\docume~1\lionel\applic~1\SUPERAntiSpyware.com
2009-02-01 23:51 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-02-01 09:19 <DIR> --d----- c:\docume~1\lionel\applic~1\Malwarebytes
2009-02-01 09:19 <DIR> --d-h--- c:\windows\PIF
2009-02-01 09:14 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-01 09:14 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-01 09:14 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-01 09:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-31 02:31 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-31 02:31 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-31 02:31 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-31 02:31 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-01-31 02:30 <DIR> --d----- c:\program files\AVG
2009-01-30 21:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avg8

==================== Find3M ====================

2009-01-04 08:45 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-31 20:53 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2008-12-12 00:57 78,336 a------- c:\windows\system32\Agent.OMZ.Fix.exe
2008-11-29 17:58 82,944 a------- c:\windows\system32\IEDFix.C.exe
2004-10-11 19:46 205,312 a------- c:\program files\ltefx13n.dll
2004-01-19 14:31 153,600 a------- c:\program files\ltfil13n.DLL
2004-01-19 13:31 27,648 a------- c:\program files\lfiff13n.dll
2004-01-19 13:31 20,480 a------- c:\program files\lfCUT13n.dll
2004-01-19 12:31 453,120 a------- c:\program files\ltkrn13n.dll
2004-01-19 12:12 89,600 a------- c:\program files\Lfcgm13n.dll
2004-01-19 11:49 278,016 a------- c:\program files\LFJ2K13n.dll
2004-01-19 11:49 180,736 a------- c:\program files\Lfpng13n.dll
2004-01-19 11:47 76,800 a------- c:\program files\Lfwmf13n.dll
2004-01-19 11:47 509,440 a------- c:\program files\LFCMW13n.dll
2004-01-19 11:45 420,352 a------- c:\program files\LFCMP13n.DLL
2004-01-19 11:44 143,872 a------- c:\program files\lftif13n.dll
2004-01-19 11:36 56,832 a------- c:\program files\lfpsd13n.dll
2004-01-19 11:36 19,968 a------- c:\program files\lfpcd13n.dll
2004-01-19 11:36 26,624 a------- c:\program files\lfpcx13n.dll
2004-01-19 11:36 65,536 a------- c:\program files\Lfpct13n.dll
2004-01-19 11:36 18,944 a------- c:\program files\lfmsp13n.dll
2004-01-19 11:35 18,944 a------- c:\program files\lfmac13n.dll
2004-01-19 11:35 20,992 a------- c:\program files\lfimg13n.dll
2004-01-19 11:34 31,744 a------- c:\program files\lfclp13n.dll
2004-01-19 11:34 30,208 a------- c:\program files\lfbmp13n.dll
2004-01-19 11:33 444,928 a------- c:\program files\ltimg13n.dll
2004-01-19 11:32 265,216 a------- c:\program files\LTDIS13n.dll
2000-05-02 04:17 212,480 a------- c:\program files\PCDLIB32.DLL
1999-11-18 23:00 284,032 a------- c:\program files\XceedZip.dll

============= FINISH: 21:42:28.34 ===============

The DDS Attach file is zipped and attached

The F-Secure report follows.

Please note, I did not disinfect the Aureate Adware. As far as I know, it only causes banner ads on CUTE FTP to operate, and without it, Cute FTP is disabled.

If you have any concerns about using Cute FTP, I'll have to find an alternate app. I only use it occasionally, but I'm getting old and changing apps always presents me with the odd challenge.




Scanning Report
Saturday, February 14, 2009 21:57:18 - 22:46:32
Computer name: LIONEL-BB6A8B59
Scanning type: Scan system for malware, rootkits
Target: C:\


--------------------------------------------------------------------------------

Result: 6 malware found
AdWare.Win32.Aureate (spyware)
System
TrackingCookie.Adbrite (spyware)
System
Trojan-Downloader.JS.Iframe.ado (virus)
C:\PROGRAM FILES\NETSCAPE\USERS\DAYNELE\CACHE\MUB9RR56.JS (Renamed & Submitted)
Vundo.DZC (virus)
C:\AVENGER\TDSSDXGP.DLL (Submitted)
W32/Zlob.gen123 (virus)
C:\WINDOWS\SYSTEM32\AGENT.OMZ.FIX.EXE (Submitted)
C:\DOCUMENTS AND SETTINGS\LIONEL\DESKTOP\SMITFRAUDFIX\AGENT.OMZ.FIX.EXE (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 28445
System: 4096
Not scanned: 6
Actions:
Disinfected: 0
Renamed: 1
Deleted: 0
None: 5
Submitted: 4
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 3.0.0
F-Secure Hydra: 3.6.8511, 2009-02-13
F-Secure AVP: 7.0.171, 2009-02-13
F-Secure Pegasus: 1.20.0, 1970-00-01
F-Secure Blacklight: 0.0.0
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics


#4 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:01:25 PM
Posted 14 February 2009 - 11:14 AM

Hello.

There is evidence of a rootkit infection.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

With Regards,
The Panda

#5 herbaklez

  • Topic Starter
  • Members
  • 76 posts
  • Gender:Male
  • Local time:03:25 AM
Posted 14 February 2009 - 03:15 PM

Hi Panda,

Here's the log:


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-15 07:13:21
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAD1CAF20]

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[228] kernel32.dll!WriteFile 7C810E17 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.14 ----
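Reading a GMER log comes down to one question per line: is the module that owns this hook or attached device accounted for by software known to be on the machine? The block below is an added example (not code from this thread, from GMER or from BleepingComputer) that parses the three line types visible in the log above (SSDT hooks, `.text` inline hooks and AttachedDevice entries) and flags every entry whose module has no vendor string, or a vendor outside a list the analyst supplies. The embedded log is a trimmed copy of the posted one plus one constructed line (`example.sys`) to show what an entry without version information looks like; `TRUSTED_VENDORS`, the function names and the dataclass layout are the example's own assumptions.

```python
"""Triage a GMER 1.0.14 text log by module vendor.

Added example, not part of the thread or of GMER. Assumes GMER's 1.0.14 log
layout; only SSDT, .text (JMP/CALL) and AttachedDevice lines are parsed, and
anything else is kept as 'unparsed' so it still surfaces in triage.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
DESC_RE = re.compile(r"\s*\((?P<desc>[^()]*)\)")          # "(file.sys/Vendor)"
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>.+?)\s+(?P<func>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$")
INLINE_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+(?P<export>\S+!\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+"
    r"(?P<patch>(?:JMP|CALL)\s+[0-9A-Fa-f]+)\s+(?P<target>.+)$"
)
DEVICE_RE = re.compile(r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<module>.+)$")

# Assumption: vendors the analyst recognises for THIS machine. The string is
# read from the file's version resource, which malware can forge, so a match
# means "consistent with installed software", not "verified".
TRUSTED_VENDORS = [
    "Microsoft Corporation",
    "AVG Technologies CZ, s.r.o.",
    "SUPERAdBlocker.com and SUPERAntiSpyware.com",
]

# Constructed sample: a trimmed copy of the posted log plus one made-up SSDT
# line (example.sys) that carries no version information.
SAMPLE_LOG = r"""GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-15 07:13:21
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.14 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAD1CAF20]
SSDT \SystemRoot\System32\drivers\example.sys ZwOpenProcess [0xF7A1B2C0]

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[228] kernel32.dll!WriteFile 7C810E17 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

---- EOF - GMER 1.0.14 ----
"""


@dataclass
class Entry:
    section: str
    kind: str                      # ssdt | inline | device | unparsed
    module: str
    vendor: Optional[str]
    detail: dict = field(default_factory=dict)
    raw: str = ""


def split_description(line: str):
    """Strip GMER's '(description/vendor)' annotation; return (body, vendor)."""
    m = DESC_RE.search(line)
    if not m:
        return line, None
    _name, _, vendor = m.group("desc").partition("/")
    return line[: m.start()] + line[m.end():], (vendor.strip() or None)


def parse_entry(section: str, line: str) -> Entry:
    body, vendor = split_description(line)
    m = SSDT_RE.match(body)
    if m:
        return Entry(section, "ssdt", m["module"], vendor,
                     {"function": m["func"], "handler": m["addr"]}, line)
    m = INLINE_RE.match(body)
    if m:
        return Entry(section, "inline", m["target"], vendor,
                     {"process": m["process"], "pid": int(m["pid"]),
                      "export": m["export"], "patch": m["patch"]}, line)
    m = DEVICE_RE.match(body)
    if m:
        return Entry(section, "device", m["module"], vendor,
                     {"driver": m["driver"], "device": m["device"]}, line)
    return Entry(section, "unparsed", "", vendor, {}, line)


def parse_gmer_log(text: str):
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["name"]
            continue
        if section is None or section == "EOF":
            continue               # banner before the first section, or after EOF
        entries.append(parse_entry(section, line))
    return entries


def triage(entries, trusted_vendors=TRUSTED_VENDORS):
    """Entries a human must look at: unknown/missing vendor or unparsed line."""
    trusted = {v.lower() for v in trusted_vendors}
    return [e for e in entries
            if e.kind == "unparsed" or e.vendor is None or e.vendor.lower() not in trusted]


if __name__ == "__main__":
    for e in triage(parse_gmer_log(SAMPLE_LOG)):
        print(f"[{e.section}] {e.kind}: {e.raw}")
```

Run against the real log, only the constructed `example.sys` hook is flagged: the SSDT hook belongs to SUPERAntiSpyware's own driver and the network-stack attachments belong to AVG and the kernel, which is the same conclusion the responder reached by eye. Treat this as a first pass only. The vendor string is whatever the file's version resource says, so the next step for anything you are unsure about is to check the file's digital signature (for example with Sysinternals sigcheck) rather than trust the name.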

#6 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:01:25 PM
Posted 14 February 2009 - 03:21 PM

Hello.

Looks like MalwareBytes had already removed that infection.

It would appear that the infections have been cleared out. Unless there are any issues at the moment, we can wrap up.

Download and Run OTCleanIt
This program will remove the tools we have used.
  • Download OTCleanIt by OldTimer to your desktop.
  • Double click OTCleanIt.exe to start the program.
  • Click the big CleanUp! button.
  • When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.
Delete the file after use, if it did not delete itself.

Set New System Restore Point
Now you should set a Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point after cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click System Restore.
  • Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name then click Create.
  • Then, click on Start > Run and type:
    cleanmgr
  • Click OK > More Options tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created one.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections. For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda
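The restore-point steps above, as an added PowerShell example rather than anything from this thread. The GUI steps are what applies on the Windows XP machine in the thread; this version assumes Windows Vista or later with PowerShell 2.0 or newer, run from an elevated prompt, and the `$description` text is an illustrative value.

```powershell
# Added example, not from the thread. Assumes Windows Vista+ with PowerShell 2.0+
# in an elevated session; on Windows XP follow the System Restore GUI steps above.
$description = "Clean baseline after malware removal"   # illustrative text

# 1. Create the new restore point (the GUI's "Create a Restore Point").
Checkpoint-Computer -Description $description -RestorePointType MODIFY_SETTINGS

# 2. Confirm it is there; the newest point has the highest SequenceNumber.
Get-ComputerRestorePoint |
    Sort-Object SequenceNumber |
    Format-Table SequenceNumber, Description,
        @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } }

# 3. Remove every older restore point, keeping only the newest one. On Vista+
#    restore points are VSS shadow copies, so deleting the oldest shadow copy
#    until one remains is the scripted equivalent of
#    cleanmgr > More Options > System Restore > Clean up.
$shadowCount = (vssadmin list shadows /for=C: | Select-String 'Shadow Copy ID').Count
while ($shadowCount -gt 1) {
    vssadmin delete shadows /for=C: /oldest /quiet | Out-Null
    $shadowCount--
}
```

Two caveats before running step 3: shadow copies also back the "Previous Versions" feature, so deleting them discards those file versions too; and on Windows 8 and later `Checkpoint-Computer` silently skips creating a point if one was made in the last 24 hours unless the `SystemRestorePointCreationFrequency` value under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore` is set to 0, so check the output of step 2 before deleting anything.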

#7 herbaklez

  • Topic Starter
  • Members
  • 76 posts
  • Gender:Male
  • Local time:03:25 AM
Posted 15 February 2009 - 12:30 AM

Thanks so much for all your help. :thumbup2:

Be well.

Regards,

Herbaklez

#8 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:01:25 PM
Posted 15 February 2009 - 10:01 AM

Welcome.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
