
Win32.delf.uc won't go away, no matter what I try


  • This topic is locked
28 replies to this topic

#1 percypage

Posted 08 February 2009 - 07:04 PM

I want to first of all, thank all the moderators/malware experts for their continued advice and help on this site. Even if you feel that you've helped just one person, chances are that 100 times that amount were lurking and followed your advice. Having said that, I would like advice on the following .. but additionally, perhaps you could explain what is going on, as I help others too (even though I'm no malware expert). I'm a firm believer in "feed me a fish, fed for a day ... teach me how to fish and I'm fed for a lifetime", so please don't roll out the "don't attempt any of this if you are not a malware expert". I'm giving my own disclaimer that I'm aware that my pc is probably compromised, but since I just bought this new hard-drive and installed it one month ago, I really don't mind experimenting and if necessary, having to reformat. I'm a pc enthusiast ...

I run Windows XP Professional Corporate Edition, but I was lazy (couldn't find the stupid disk and no longer have the key) and did not install any of the Service Packs yet. Stupid me.

I've run SUPERAntiSpyware, Malwarebytes Anti-Malware, Spybot Search and Destroy - usually in Safe Mode (tried without too). I've run ComboFix, though it likes to hang on phase 50. SDFix will initially run (for about 5 seconds) and then all-of-a-sudden the computer shuts off and reboots. I've done most of this with System Restore shut off, as Spybot S&D still finds this stupid delf virus. I will post the last ComboFix log and HijackThis. Spybot S&D lists the following 2 entries (one is ControlSet001, the other ControlSet002):

Hkey_local_machine\system\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:Windows\System32\winlogon.exe


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:31, on 2009-02-07
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\bgsvcgen.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\windows\pp1.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7070
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [pp] C:\windows\pp1.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE44EDED-ED0E-44FF-B333-CA0966678C5C}: NameServer = 24.93.41.127,24.93.41.128
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\System32\bgsvcgen.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 2484 bytes


ComboFix 09-02-06.01 - Mikael 2009-02-06 23:44:57.6 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.1023.859 [GMT -6:00]
Running from: c:\documents and settings\Mikael\Desktop\ComboFix.exe
Command switches used :: /killall

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ntndis.sys

.
((((((((((((((((((((((((( Files Created from 2009-01-07 to 2009-02-07 )))))))))))))))))))))))))))))))
.

2009-02-04 03:39 . 2009-02-04 03:39 32,768 --a------ c:\windows\system32\drivers\ati1rwxx.sys
2009-02-04 03:04 . 2009-02-04 03:04 <DIR> d-------- C:\_OTMoveIt
2009-02-04 02:43 . 2009-02-04 02:43 32,768 --ah----- c:\documents and settings\Mikael\wwjnrkm.exe
2009-02-04 02:17 . 2009-02-04 02:17 32,768 --ah----- c:\documents and settings\Mikael\gbo.exe
2009-02-03 23:40 . 2009-02-04 02:39 <DIR> d-------- c:\program files\Autorun Eater
2009-02-03 22:45 . 2009-02-04 02:43 66,560 ---h----- c:\windows\system32\secupdat.dat
2009-02-03 22:45 . 2009-02-03 22:45 32,768 --ah----- c:\documents and settings\Mikael\oyobu.exe
2009-02-03 21:17 . 2001-08-17 13:48 1,869,824 --a--c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-03 21:16 . 2001-08-17 14:56 1,733,120 --a--c--- c:\windows\system32\dllcache\g400d.dll
2009-02-03 21:15 . 2001-08-17 22:24 1,897,984 --a--c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-02 21:28 . 2009-02-02 21:28 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-02-02 21:17 . 2009-02-02 21:17 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-02 21:17 . 2009-02-02 21:17 <DIR> d-------- c:\documents and settings\Mikael\Application Data\SUPERAntiSpyware.com
2009-02-02 21:17 . 2009-02-02 21:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-02 19:47 . 2009-02-02 19:47 <DIR> d-------- c:\program files\XoftSpySE
2009-02-02 19:26 . 2009-02-03 22:45 130 --a------ c:\windows\adobe.bat
2009-02-02 19:26 . 2009-02-02 19:26 5 --a------ c:\windows\_id.dat
2009-02-02 02:19 . 2009-02-06 23:44 <DIR> d-------- c:\windows\system32\CatRoot2
2009-02-02 01:36 . 2009-02-02 01:36 <DIR> d-------- c:\windows\ERUNT
2009-02-02 01:34 . 2009-02-06 22:29 <DIR> d-------- C:\SDFix
2009-02-01 14:14 . 2009-02-01 14:14 61,440 --a------ c:\windows\system32\chert13-303374.exe
2009-02-01 12:41 . 2009-02-01 12:41 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-01 12:40 . 2009-02-01 12:40 <DIR> d-------- c:\documents and settings\Administrator
2009-01-31 22:27 . 2009-01-31 22:27 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-31 22:27 . 2009-01-31 22:27 <DIR> d-------- c:\documents and settings\Mikael\Application Data\Malwarebytes
2009-01-31 22:27 . 2009-01-31 22:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-31 22:27 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-31 22:27 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-31 20:21 . 2009-02-06 21:32 <DIR> d-------- c:\program files\System
2009-01-31 20:06 . 2009-01-31 20:06 31,232 --ah----- c:\windows\pp1.exe
2009-01-31 18:46 . 2009-01-31 18:46 240 --a------ c:\windows\wininit.ini
2009-01-31 18:29 . 2009-01-31 18:29 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-31 18:29 . 2009-01-31 18:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-31 18:23 . 2009-01-31 18:23 <DIR> d-------- c:\program files\Trend Micro
2009-01-31 18:20 . 2009-01-31 18:20 16,409,960 --a------ c:\program files\spybotsd162.exe
2009-01-31 18:11 . 2001-08-23 07:00 38,912 --a------ c:\windows\system32\stu2.exe
2009-01-31 17:57 . 2009-01-31 17:57 <DIR> d--h----- c:\windows\PIF
2009-01-31 16:59 . 2009-01-31 16:59 <DIR> d-------- c:\documents and settings\Mikael\Application Data\Pegasys Inc
2009-01-31 15:44 . 2009-01-31 15:41 145,504 --a------ c:\windows\system32\bgsvcgen.exe
2009-01-31 15:44 . 2009-01-31 15:41 59,488 --a------ c:\windows\system32\GenSvcInst.exe
2009-01-31 15:44 . 2009-01-31 15:41 33,408 --a------ c:\windows\system32\drivers\CDRBSDRV.SYS
2009-01-31 15:43 . 2009-01-31 15:43 <DIR> d-------- c:\program files\Pegasys Inc
2009-01-31 13:45 . 2009-01-31 13:45 754 --a------ c:\windows\WORDPAD.INI
2009-01-28 00:48 . 2009-01-28 01:36 <DIR> d-------- c:\documents and settings\Mikael\Application Data\ImgBurn
2009-01-26 20:39 . 2009-01-26 20:39 <DIR> d-------- c:\program files\ImgBurn
2009-01-24 15:15 . 2009-01-25 14:48 <DIR> d-------- c:\documents and settings\Mikael\Application Data\mIRC
2009-01-20 21:40 . 2009-01-20 21:40 <DIR> d-------- c:\program files\uTorrent
2009-01-20 21:39 . 2009-02-04 16:29 <DIR> d-------- c:\documents and settings\Mikael\Application Data\uTorrent
2009-01-20 20:47 . 2009-01-20 20:47 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-20 20:47 . 2009-01-20 20:47 <DIR> d-------- c:\program files\Common Files\Adobe
2009-01-18 12:17 . 2009-01-18 12:17 316,640 --a------ c:\windows\WMSysPr9.prx
2009-01-13 00:26 . 2009-01-21 20:04 <DIR> d-------- c:\documents and settings\Mikael\Application Data\COWON
2009-01-13 00:22 . 2009-01-21 20:04 <DIR> d-------- c:\program files\JetAudio
2009-01-13 00:22 . 2009-01-13 00:22 <DIR> d-------- c:\program files\Common Files\COWON
2009-01-13 00:20 . 2009-01-13 00:20 <DIR> d-------- c:\documents and settings\Mikael\Application Data\InstallShield
2009-01-11 23:28 . 2009-01-11 23:28 <DIR> d-------- c:\program files\The Extractor
2009-01-11 23:28 . 2009-01-11 23:28 757,760 --a------ c:\windows\iun6002.exe
2009-01-11 22:59 . 2009-01-11 22:59 <DIR> d-------- c:\program files\Trader's Little Helper
2009-01-11 22:47 . 2009-01-11 22:47 0 --a------ c:\windows\nsreg.dat
2009-01-11 20:34 . 2009-01-12 02:55 334 --a------ c:\windows\setup.iss
2009-01-11 20:33 . 2001-08-17 13:52 37,504 --a------ c:\windows\system32\drivers\sbp2port.sys
2009-01-11 20:33 . 2001-08-17 13:52 37,504 --a--c--- c:\windows\system32\dllcache\sbp2port.sys
2009-01-10 22:20 . 2009-01-30 00:30 169 --a------ c:\windows\RtlRack.ini
2009-01-10 20:46 . 2009-01-10 20:46 <DIR> d---s---- c:\windows\system32\Microsoft
2009-01-10 20:46 . 2009-01-10 20:46 <DIR> d-------- c:\program files\Lavasoft
2009-01-10 20:46 . 2009-01-10 20:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-10 20:45 . 2009-02-02 21:17 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-10 20:44 . 2009-01-11 15:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\AVG7
2009-01-10 20:44 . 2009-01-10 20:44 499,712 --a------ c:\windows\system32\msvcp71.dll
2009-01-10 20:44 . 2009-01-10 20:44 348,160 --a------ c:\windows\system32\msvcr71.dll
2009-01-10 20:35 . 2009-01-10 20:35 <DIR> d---s---- c:\documents and settings\Mikael\UserData
2009-01-10 17:07 . 2009-01-10 17:07 <DIR> d-------- c:\windows\nview
2009-01-10 17:07 . 2009-02-06 20:34 <DIR> d-------- c:\windows\LastGood
2009-01-10 17:07 . 2009-01-10 17:07 <DIR> d-------- C:\NVIDIA
2009-01-10 17:07 . 2008-12-26 00:08 453,152 --a------ c:\windows\system32\nvudisp.exe
2009-01-10 17:07 . 2008-12-26 00:08 18,725 --a------ c:\windows\system32\nvdisp.nvu
2009-01-10 17:07 . 2009-02-06 23:51 104 --a------ c:\windows\system32\nvapps.xml
2009-01-10 17:03 . 2009-01-10 17:03 552 --a------ c:\windows\system32\d3d8caps.dat
2009-01-10 16:57 . 2009-01-10 16:57 <DIR> d-------- c:\program files\AMD
2009-01-10 16:57 . 2005-03-09 15:53 36,352 --a------ c:\windows\system32\drivers\AmdK8.sys
2009-01-10 16:55 . 2009-01-10 16:55 <DIR> d-------- c:\program files\Realtek Sound Manager
2009-01-10 16:55 . 2009-01-10 16:55 <DIR> d-------- c:\program files\Realtek AC97
2009-01-10 16:55 . 2009-01-13 00:22 <DIR> d--h----- c:\program files\InstallShield Installation Information
2009-01-10 16:55 . 2009-01-10 16:55 <DIR> d-------- c:\program files\AvRack
2009-01-10 16:54 . 2008-12-23 21:58 453,152 --a------ c:\windows\system32\NVUNINST.EXE
2009-01-10 16:54 . 2004-06-24 18:57 192,512 --a------ c:\windows\system32\nvusmb.exe
2009-01-10 16:54 . 2004-05-10 08:52 192,512 --a------ c:\windows\system32\nvunrm.exe
2009-01-10 16:54 . 2004-05-20 10:11 192,512 --a------ c:\windows\system32\nvuide.exe
2009-01-10 16:54 . 2004-03-21 02:30 2,509 --a------ c:\windows\system32\nvnrm.nvu
2009-01-10 16:54 . 2004-06-18 02:30 789 --a------ c:\windows\system32\nvsmb.nvu
2009-01-10 16:54 . 2004-03-21 02:30 464 --a------ c:\windows\system32\nvide.nvu
2009-01-10 16:53 . 2009-01-10 16:57 <DIR> d-------- c:\windows\LastGood.Tmp
2009-01-10 16:53 . 2009-01-31 15:41 <DIR> d-------- c:\program files\Common Files\InstallShield
2009-01-10 16:53 . 2004-04-27 15:22 192,512 --a------ c:\windows\system32\nvugart.exe
2009-01-10 16:53 . 2004-04-27 15:22 2,124 --a------ c:\windows\system32\nvgart.nvu
2009-01-10 16:51 . 2004-06-03 10:40 294,400 --a------ c:\windows\system32\idecoi.dll
2009-01-10 16:51 . 2004-06-03 10:40 79,360 --a------ c:\windows\system32\drivers\nvatabus.sys
2009-01-10 16:51 . 2004-03-25 15:29 32,256 --a------ c:\windows\system32\NVCOG.DLL
2009-01-10 16:51 . 2003-10-29 13:02 21,120 --a------ c:\windows\system32\drivers\nv_agp.SYS
2009-01-10 16:50 . 2004-05-17 13:49 198,656 --a------ c:\windows\system32\fdco1.dll
2009-01-10 16:50 . 2004-05-17 14:00 191,232 --a------ c:\windows\system32\drivers\nvsnpu.sys
2009-01-10 16:50 . 2004-05-17 14:00 56,960 --a------ c:\windows\system32\drivers\nvnrm.sys
2009-01-10 16:50 . 2004-05-17 14:00 33,280 --a------ c:\windows\system32\drivers\NVENETFD.sys
2009-01-10 16:50 . 2004-05-10 08:53 32,256 --a------ c:\windows\system32\nvconrm.dll
2009-01-10 16:50 . 2004-05-17 14:00 12,928 --a------ c:\windows\system32\drivers\nvnetbus.sys
2009-01-10 16:50 . 2004-05-17 13:48 8,192 --a------ c:\windows\system32\bdco1.dll
2009-01-10 16:48 . 2001-08-17 14:03 21,760 --a--c--- c:\windows\system32\dllcache\usbstor.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-04 09:12 161,536 ----a-w c:\windows\system32\drivers\ndis.sys
2009-01-10 19:41 --------- d-----w c:\program files\microsoft frontpage
.

------- Sigcheck -------

2001-08-23 07:00 30208 bf3f7fa12bd4caac1b1d82c1b85adf54 c:\windows\LastGood\System32\svchost.exe
2001-08-23 07:00 30208 9787f3105918e9727c58795178cfd76c c:\windows\system32\svchost.exe

2009-02-04 03:12 192512 3efd4f59ba0a340de0a3ab984001dbf7 c:\windows\system32\dllcache\ndis.sys
2009-02-04 03:12 192512 3efd4f59ba0a340de0a3ab984001dbf7 c:\windows\system32\drivers\ndis.sys

2001-08-23 07:00 1018368 c2b4b766ed8e8a9df379d41f468a4108 c:\windows\explorer.exe
2001-08-23 07:00 1018368 677301567c287635ade8849ca1d26664 c:\windows\LastGood\explorer.exe

2001-08-23 07:00 30720 454ad398604e9fa9ded021131ac05a97 c:\windows\LastGood\System32\ctfmon.exe
2001-08-23 07:00 30720 96ebc15d5bf9e74338ab8da65e0fd269 c:\windows\system32\ctfmon.exe

2001-08-23 07:00 68608 9468bd3bd9e633b39142aa38164ed375 c:\windows\LastGood\System32\spoolsv.exe
2001-08-23 07:00 68608 e876093514d0a8d64e1c8dfaef55cb81 c:\windows\system32\spoolsv.exe

2001-08-23 07:00 129536 e269627ae4eea5daba6fadf9118cf69e c:\windows\LastGood\System32\wuauclt.exe
2001-08-23 07:00 129536 ebcc0fd7fd5f55fa3ec547e134cb6391 c:\windows\system32\wuauclt.exe

2009-01-31 18:12 26112 14938cef80d9da27430ab26c0e5f0203 c:\windows\LastGood\System32\userinit.exe
2001-08-23 07:00 38912 a415acc8a06c1bad2d8a09f5f04bc939 c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot_2009-02-06_23.06.46.99 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-07 05:06:23 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-07 05:51:26 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-07 05:06:23 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-07 05:51:26 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-07 05:06:23 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-07 05:51:26 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2008-12-26 13680640]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2008-12-26 86016]
"pp"="c:\windows\pp1.exe" [2009-01-31 31232]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 c:\windows\soundman.exe]
"nwiz"="nwiz.exe" [2008-12-26 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
S0 rcxibbi;rcxibbi;c:\windows\System32\drivers\btbc.sys --> c:\windows\System32\drivers\btbc.sys [?]
S1 d1691e5f;d1691e5f;c:\windows\System32\drivers\d1691e5f.sys --> c:\windows\System32\drivers\d1691e5f.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-02-07 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-01-28 08:29]

2009-02-03 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-01-28 08:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=127.0.0.1:7070
uInternet Settings,ProxyOverride = *.local;<local>
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
TCP: {EE44EDED-ED0E-44FF-B333-CA0966678C5C} = 24.93.41.127,24.93.41.128
FF - ProfilePath - c:\documents and settings\Mikael\Application Data\Mozilla\Firefox\Profiles\7jywqnk0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 7070
FF - prefs.js: network.proxy.type - 4
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-06 23:51:37
Windows 5.1.2600 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\LEGACY_ZYZNJEXU\0000\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(500)
c:\windows\system32\ODBC32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(840)
c:\windows\system32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\savedump.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\bgsvcgen.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-02-06 23:52:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-07 05:52:21
ComboFix2.txt 2009-02-07 05:07:22
ComboFix3.txt 2009-02-04 08:29:47
ComboFix4.txt 2009-02-04 08:15:50

Pre-Run: 47,944,220,672 bytes free
Post-Run: 47,898,865,664 bytes free


#2 fenzodahl512

Posted 10 February 2009 - 06:22 AM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
rcxibbi
d1691e5f
ZYZNJEXU

File::
c:\windows\system32\drivers\ati1rwxx.sys
c:\documents and settings\Mikael\wwjnrkm.exe
c:\windows\system32\secupdat.dat
c:\documents and settings\Mikael\oyobu.exe
c:\documents and settings\Mikael\gbo.exe
c:\windows\adobe.bat
c:\windows\_id.dat
c:\windows\system32\chert13-303374.exe
c:\windows\pp1.exe
c:\windows\System32\drivers\btbc.sys
c:\windows\System32\drivers\d1691e5f.sys

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pp"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

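Added example, not part of the thread and not code from ComboFix, HijackThis or any of the tools named above: a small Python triage that reads lines in the formats posted in #1 (HijackThis R1/O4 lines, ComboFix "Files Created", service and Sigcheck lines) and drafts a CFScript in the Driver::/File::/Registry:: layout fenzodahl512 used in #2. The sample lines are a constructed subset copied from the logs above. The heuristics it applies (a hidden executable, a Run value that launches a hidden file, a driver service whose image file ComboFix could not find, Sigcheck copies of the same binary that disagree, a proxy on 127.0.0.1) are my assumptions about what those logs show, and the drafted script is something to review against the full log, not something to feed to ComboFix unread.

```python
"""Triage lines from the HijackThis / ComboFix logs above and draft a CFScript.

Added example for this thread; the heuristics are the author's assumptions
about what the posted logs show, not a vendor's detection logic.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of lines in the formats posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7070
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [pp] C:\windows\pp1.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
2009-02-04 02:43 . 2009-02-04 02:43 32,768 --ah----- c:\documents and settings\Mikael\wwjnrkm.exe
2009-01-31 20:06 . 2009-01-31 20:06 31,232 --ah----- c:\windows\pp1.exe
2009-01-31 22:27 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
S0 rcxibbi;rcxibbi;c:\windows\System32\drivers\btbc.sys --> c:\windows\System32\drivers\btbc.sys [?]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
2001-08-23 07:00 30208 bf3f7fa12bd4caac1b1d82c1b85adf54 c:\windows\LastGood\System32\svchost.exe
2001-08-23 07:00 30208 9787f3105918e9727c58795178cfd76c c:\windows\system32\svchost.exe
"""

PROXY_RE = re.compile(r"ProxyServer = http=127\.0\.0\.1:(\d+)")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
# ComboFix "Files Created" line: created . modified size attrs path
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d ([\d,]+) ([-a-z]{9}) (.+)$")
# Service line whose image file ComboFix could not find ("[?]")
MISSING_SVC_RE = re.compile(r"^[RS][0-3] (\w+);\w+;(.+?) --> .+ \[\?\]$")
# Sigcheck line: date time size md5 path
SIG_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \d+ ([0-9a-f]{32}) (.+)$")
EXEC_EXT = (".exe", ".dll", ".sys", ".bat", ".com", ".scr")
RUN_KEYS = {"HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}


def run_target(command):
    """First token of a Run value, honouring a quoted path that contains spaces."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def triage(log_text):
    """Return the indicators found in the log lines (every value is a list)."""
    hidden_exes, run_values, missing_drivers, proxies = [], [], [], []
    hashes = defaultdict(dict)  # basename -> {path: md5}
    for line in log_text.splitlines():
        line = line.strip()
        if m := PROXY_RE.search(line):
            proxies.append(int(m.group(1)))
        elif m := FILE_RE.match(line):
            attrs, path = m.group(2), m.group(3)
            # attribute column 3 is 'h' (hidden); a hidden executable is rare outside malware
            if attrs[3] == "h" and path.lower().endswith(EXEC_EXT):
                hidden_exes.append(path)
        elif m := RUN_RE.match(line):
            run_values.append((m.group(1), m.group(2), run_target(m.group(3))))
        elif m := MISSING_SVC_RE.match(line):
            missing_drivers.append((m.group(1), m.group(2)))
        elif m := SIG_RE.match(line):
            path = m.group(2)
            hashes[path.lower().rsplit("\\", 1)[-1]][path] = m.group(1)
    hidden_lower = {p.lower() for p in hidden_exes}
    # A Run value is only flagged when it launches a file already known to be hidden.
    bad_runs = [(hive, name) for hive, name, target in run_values
                if target.lower() in hidden_lower]
    # Two copies of one binary with different MD5s: one of them has been altered.
    mismatched = sorted(name for name, copies in hashes.items()
                        if len(set(copies.values())) > 1)
    return {"proxy_ports": proxies, "hidden_exes": hidden_exes,
            "bad_run_values": bad_runs, "missing_drivers": missing_drivers,
            "sigcheck_mismatch": mismatched}


def build_cfscript(findings):
    """Draft a CFScript in the KillAll::/Driver::/File::/Registry:: layout used in #2."""
    lines = ["KillAll::", ""]
    if findings["missing_drivers"]:
        lines += ["Driver::"] + [svc for svc, _ in findings["missing_drivers"]] + [""]
    files = dict.fromkeys(findings["hidden_exes"] + [p for _, p in findings["missing_drivers"]])
    if files:
        lines += ["File::"] + list(files) + [""]
    if findings["bad_run_values"]:
        lines.append("Registry::")
        for hive, name in findings["bad_run_values"]:
            lines += [f"[{RUN_KEYS[hive]}]", f'"{name}"=-']
    return "\n".join(lines).rstrip() + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for key, value in found.items():
        print(f"{key}: {value}")
    print("\n" + build_cfscript(found))
```

The Sigcheck disagreement (svchost.exe in system32 versus the LastGood copy) and the loopback proxy are reported but deliberately left out of the drafted script: the altered binary has to be replaced with a known-good copy rather than deleted, the log alone does not say which of the two copies is the original, and the proxy setting is a registry value to reset, not a file to remove.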


#3 percypage (Topic Starter)

Posted 11 February 2009 - 09:33 AM

Thank you, Fenzodahl!

For the last few days, I was able to use a laptop (from work) to get online, avoiding further infestation. However, I couldn't take it home last night ... I was forced to use my infected desktop to go online and get these instructions. Just wanted to mention that, if it affects anything.

My PC may be clean now, but after doing the ComboFix and having it reboot upon completion, I have not been able to go online at all. I checked ipconfig and everything - it does not list any address information, just a line saying "Windows IP Configuration". I tried several reboots, in combination with resetting my modem (I do not have a router hooked up to it yet) and I still get nothing. I'm guessing that something was deleted/corrupted on this last fix, as I was just online prior to that. Any help on this part would be great (I realize I may be screwed, as far as that goes)


ComboFix 09-02-06.01 - Mikael 2009-02-10 22:52:16.9 - NTFSx86 MINIMAL
Microsoft Windows XP Professional
Running from: c:\documents and settings\Mikael\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mikael\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\documents and settings\Mikael\gbo.exe
c:\documents and settings\Mikael\oyobu.exe
c:\documents and settings\Mikael\wwjnrkm.exe
c:\windows\_id.dat
c:\windows\adobe.bat
c:\windows\pp1.exe
c:\windows\system32\chert13-303374.exe
c:\windows\system32\drivers\ati1rwxx.sys
c:\windows\System32\drivers\btbc.sys
c:\windows\System32\drivers\d1691e5f.sys
c:\windows\system32\secupdat.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mikael\gbo.exe
c:\documents and settings\Mikael\oyobu.exe
c:\documents and settings\Mikael\wwjnrkm.exe
c:\windows\_id.dat
c:\windows\adobe.bat
c:\windows\pp1.exe
c:\windows\system32\chert13-303374.exe
c:\windows\system32\dagnqlq.dll
c:\windows\system32\drivers\ati1rwxx.sys
c:\windows\system32\drivers\ntndis.sys
c:\windows\system32\secupdat.dat
c:\windows\Tasks\At1.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RUPACJNA
-------\Legacy_ZYZNJEXU
-------\Service_d1691e5f
-------\Service_Passthru
-------\Service_rcxibbi
-------\Service_rupacjna


((((((((((((((((((((((((( Files Created from 2009-01-11 to 2009-02-11 )))))))))))))))))))))))))))))))
.

2009-02-10 22:39 . 2009-02-10 22:39 53,248 --a------ c:\windows\system32\drivers\ndisio.sys
2009-02-10 22:39 . 2009-02-10 22:39 32,768 --ah----- c:\documents and settings\Mikael\hdie.exe
2009-02-10 22:39 . 2009-02-10 22:40 616 --a------ c:\windows\system32\8.tmp
2009-02-10 22:37 . 2009-02-10 22:37 88 --a------ c:\windows\system32\4.tmp
2009-02-04 03:04 . 2009-02-04 03:04 <DIR> d-------- C:\_OTMoveIt
2009-02-03 23:40 . 2009-02-04 02:39 <DIR> d-------- c:\program files\Autorun Eater
2009-02-03 21:17 . 2001-08-17 13:48 1,869,824 --a--c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-03 21:16 . 2001-08-17 14:56 1,733,120 --a--c--- c:\windows\system32\dllcache\g400d.dll
2009-02-03 21:15 . 2001-08-17 22:24 1,897,984 --a--c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-02 21:28 . 2009-02-02 21:28 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-02-02 21:17 . 2009-02-02 21:17 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-02 21:17 . 2009-02-02 21:17 <DIR> d-------- c:\documents and settings\Mikael\Application Data\SUPERAntiSpyware.com
2009-02-02 21:17 . 2009-02-02 21:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-02 19:47 . 2009-02-02 19:47 <DIR> d-------- c:\program files\XoftSpySE
2009-02-02 02:19 . 2009-02-10 22:39 <DIR> d-------- c:\windows\system32\CatRoot2
2009-02-02 01:36 . 2009-02-02 01:36 <DIR> d-------- c:\windows\ERUNT
2009-02-02 01:34 . 2009-02-07 03:03 <DIR> d-------- C:\SDFix
2009-02-01 12:41 . 2009-02-01 12:41 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-01 12:40 . 2009-02-01 12:40 <DIR> d-------- c:\documents and settings\Administrator
2009-01-31 22:27 . 2009-01-31 22:27 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-31 22:27 . 2009-01-31 22:27 <DIR> d-------- c:\documents and settings\Mikael\Application Data\Malwarebytes
2009-01-31 22:27 . 2009-01-31 22:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-31 22:27 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-31 22:27 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-31 20:21 . 2009-02-06 21:32 <DIR> d-------- c:\program files\System
2009-01-31 18:46 . 2009-01-31 18:46 240 --a------ c:\windows\wininit.ini
2009-01-31 18:29 . 2009-01-31 18:29 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-31 18:29 . 2009-01-31 18:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-31 18:23 . 2009-01-31 18:23 <DIR> d-------- c:\program files\Trend Micro
2009-01-31 18:20 . 2009-01-31 18:20 16,409,960 --a------ c:\program files\spybotsd162.exe
2009-01-31 18:11 . 2001-08-23 07:00 38,912 --a------ c:\windows\system32\stu2.exe
2009-01-31 17:57 . 2009-01-31 17:57 <DIR> d--h----- c:\windows\PIF
2009-01-31 16:59 . 2009-01-31 16:59 <DIR> d-------- c:\documents and settings\Mikael\Application Data\Pegasys Inc
2009-01-31 15:44 . 2009-01-31 15:41 145,504 --a------ c:\windows\system32\bgsvcgen.exe
2009-01-31 15:44 . 2009-01-31 15:41 59,488 --a------ c:\windows\system32\GenSvcInst.exe
2009-01-31 15:44 . 2009-01-31 15:41 33,408 --a------ c:\windows\system32\drivers\CDRBSDRV.SYS
2009-01-31 15:43 . 2009-01-31 15:43 <DIR> d-------- c:\program files\Pegasys Inc
2009-01-31 13:45 . 2009-01-31 13:45 754 --a------ c:\windows\WORDPAD.INI
2009-01-28 00:48 . 2009-01-28 01:36 <DIR> d-------- c:\documents and settings\Mikael\Application Data\ImgBurn
2009-01-26 20:39 . 2009-01-26 20:39 <DIR> d-------- c:\program files\ImgBurn
2009-01-24 15:15 . 2009-01-25 14:48 <DIR> d-------- c:\documents and settings\Mikael\Application Data\mIRC
2009-01-20 21:40 . 2009-01-20 21:40 <DIR> d-------- c:\program files\uTorrent
2009-01-20 21:39 . 2009-02-04 16:29 <DIR> d-------- c:\documents and settings\Mikael\Application Data\uTorrent
2009-01-20 20:47 . 2009-01-20 20:47 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-20 20:47 . 2009-01-20 20:47 <DIR> d-------- c:\program files\Common Files\Adobe
2009-01-18 12:17 . 2009-01-18 12:17 316,640 --a------ c:\windows\WMSysPr9.prx
2009-01-13 00:26 . 2009-01-21 20:04 <DIR> d-------- c:\documents and settings\Mikael\Application Data\COWON
2009-01-13 00:22 . 2009-01-21 20:04 <DIR> d-------- c:\program files\JetAudio
2009-01-13 00:22 . 2009-01-13 00:22 <DIR> d-------- c:\program files\Common Files\COWON
2009-01-13 00:20 . 2009-01-13 00:20 <DIR> d-------- c:\documents and settings\Mikael\Application Data\InstallShield
2009-01-11 23:28 . 2009-01-11 23:28 <DIR> d-------- c:\program files\The Extractor
2009-01-11 23:28 . 2009-01-11 23:28 757,760 --a------ c:\windows\iun6002.exe
2009-01-11 22:59 . 2009-01-11 22:59 <DIR> d-------- c:\program files\Trader's Little Helper
2009-01-11 22:47 . 2009-01-11 22:47 0 --a------ c:\windows\nsreg.dat
2009-01-11 20:34 . 2009-01-12 02:55 334 --a------ c:\windows\setup.iss
2009-01-11 20:33 . 2001-08-17 13:52 37,504 --a------ c:\windows\system32\drivers\sbp2port.sys
2009-01-11 20:33 . 2001-08-17 13:52 37,504 --a--c--- c:\windows\system32\dllcache\sbp2port.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-04 09:12 161,536 ----a-w c:\windows\system32\drivers\ndis.sys
2009-02-03 03:17 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-31 21:41 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-13 06:22 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-11 21:44 --------- d-----w c:\documents and settings\All Users\Application Data\AVG7
2009-01-11 02:46 --------- d-----w c:\program files\Lavasoft
2009-01-11 02:46 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-11 02:44 499,712 ----a-w c:\windows\system32\msvcp71.dll
2009-01-11 02:44 348,160 ----a-w c:\windows\system32\msvcr71.dll
2009-01-10 22:57 --------- d-----w c:\program files\AMD
2009-01-10 22:55 --------- d-----w c:\program files\Realtek Sound Manager
2009-01-10 22:55 --------- d-----w c:\program files\Realtek AC97
2009-01-10 22:55 --------- d-----w c:\program files\AvRack
2009-01-10 19:41 --------- d-----w c:\program files\microsoft frontpage
2008-12-24 03:58 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
.

------- Sigcheck -------

2001-08-23 07:00 30208 bf3f7fa12bd4caac1b1d82c1b85adf54 c:\windows\LastGood\System32\svchost.exe
2001-08-23 07:00 30208 9787f3105918e9727c58795178cfd76c c:\windows\system32\svchost.exe

2009-02-04 03:12 192512 3efd4f59ba0a340de0a3ab984001dbf7 c:\windows\system32\dllcache\ndis.sys
2009-02-04 03:12 192512 3efd4f59ba0a340de0a3ab984001dbf7 c:\windows\system32\drivers\ndis.sys

2001-08-23 07:00 1018368 c2b4b766ed8e8a9df379d41f468a4108 c:\windows\explorer.exe
2001-08-23 07:00 1018368 677301567c287635ade8849ca1d26664 c:\windows\LastGood\explorer.exe

2001-08-23 07:00 30720 454ad398604e9fa9ded021131ac05a97 c:\windows\LastGood\System32\ctfmon.exe
2001-08-23 07:00 30720 96ebc15d5bf9e74338ab8da65e0fd269 c:\windows\system32\ctfmon.exe

2001-08-23 07:00 68608 9468bd3bd9e633b39142aa38164ed375 c:\windows\LastGood\System32\spoolsv.exe
2001-08-23 07:00 68608 e876093514d0a8d64e1c8dfaef55cb81 c:\windows\system32\spoolsv.exe

2001-08-23 07:00 129536 e269627ae4eea5daba6fadf9118cf69e c:\windows\LastGood\System32\wuauclt.exe
2001-08-23 07:00 129536 ebcc0fd7fd5f55fa3ec547e134cb6391 c:\windows\system32\wuauclt.exe

2009-01-31 18:12 26112 14938cef80d9da27430ab26c0e5f0203 c:\windows\LastGood\System32\userinit.exe
2001-08-23 07:00 38912 a415acc8a06c1bad2d8a09f5f04bc939 c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot_2009-02-06_23.06.46.99 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-07 04:29:18 495,616 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2009-02-07 09:03:11 4,952,064 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2009-02-07 04:29:18 8,192 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2009-02-07 09:03:11 24,576 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2009-02-07 05:06:23 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-11 04:58:58 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-07 05:06:23 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-11 04:58:58 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-07 05:06:23 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-11 04:58:58 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2001-08-23 13:00:00 105,472 ----a-w c:\windows\system32\vpsgine.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2008-12-26 13680640]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2008-12-26 86016]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 c:\windows\soundman.exe]
"nwiz"="nwiz.exe" [2008-12-26 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-02-11 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-01-28 08:29]

2009-02-03 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-01-28 08:29]
.
- - - - ORPHANS REMOVED - - - -

BHO-{DC11D4D6-E94E-45DB-9096-A52F425681E6} - c:\windows\system32\dagnqlq.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=127.0.0.1:7070
uInternet Settings,ProxyOverride = *.local;<local>
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
TCP: {EE44EDED-ED0E-44FF-B333-CA0966678C5C} = 24.93.41.127,24.93.41.128
FF - ProfilePath - c:\documents and settings\Mikael\Application Data\Mozilla\Firefox\Profiles\7jywqnk0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 7070
FF - prefs.js: network.proxy.type - 4
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-10 22:59:07
Windows 5.1.2600 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\LEGACY_ZYZNJEXU\0000\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(428)
c:\windows\system32\ODBC32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(496)
c:\windows\system32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\savedump.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\bgsvcgen.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-02-10 22:59:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-11 04:59:50
ComboFix2.txt 2009-02-07 10:33:36
ComboFix3.txt 2009-02-07 07:10:41
ComboFix4.txt 2009-02-07 05:52:23
ComboFix5.txt 2009-02-11 04:51:49

Pre-Run: 47,934,930,944 bytes free
Post-Run: 47,924,609,024 bytes free

239


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:08, on 2009-02-10
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\bgsvcgen.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7070
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE44EDED-ED0E-44FF-B333-CA0966678C5C}: NameServer = 24.93.41.127,24.93.41.128
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\System32\bgsvcgen.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 2454 bytes

#4 fenzodahl512

Posted 11 February 2009 - 10:31 AM

Please download WinsockXPFix from HERE.
  • Double-click on WinsockXPFix and click on Fix
It will ask you to restart your computer in an attempt to fix the internet connection. Please do so..


Now, do you get the internet connection?

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 percypage


Posted 11 February 2009 - 09:44 PM

Yes, thank you (it took a modem reset and another reboot). What would you like me to do next?

Also, is SP2 still the most stable update to get for Windows or should I get something more recent? If so, can I get it somewhere without my original key?

#6 fenzodahl512

Posted 11 February 2009 - 10:44 PM

Wait.. The computer is not fully clean yet.. Let's do this first...


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
ndisio

File::
c:\windows\system32\drivers\ndisio.sys
c:\documents and settings\Mikael\hdie.exe
c:\windows\system32\8.tmp
c:\windows\system32\4.tmp

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.



#7 percypage


Posted 12 February 2009 - 01:41 AM

I believe you are quite right (too soon to be online with it?). I think I may be catching on, to a very small extent, to what may constitute malware in the combo log. My guess is that the following lines are infections and still on my pc. You can let me know if I'm on the right track ...

c:\documents and settings\Mikael\nxcj.exe
c:\windows\zzftllhh.exe
c:\windows\system32\5.tmp
c:\windows\system32\drivers\hsgxknof.sys




ComboFix 09-02-06.01 - Mikael 2009-02-11 12:12:46.10 - NTFSx86 MINIMAL
Microsoft Windows XP Professional
Running from: c:\documents and settings\Mikael\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mikael\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\documents and settings\Mikael\hdie.exe
c:\windows\system32\4.tmp
c:\windows\system32\8.tmp
c:\windows\system32\drivers\ndisio.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mikael\hdie.exe
c:\windows\services.exe
c:\windows\system32\4.tmp
c:\windows\system32\6.tmp
c:\windows\system32\8.tmp
c:\windows\system32\drivers\ndisio.sys
c:\windows\system32\drivers\ntndis.sys

.
((((((((((((((((((((((((( Files Created from 2009-01-11 to 2009-02-11 )))))))))))))))))))))))))))))))
.

2009-02-11 20:22 . 2009-02-11 20:22 67,072 ---h----- c:\windows\system32\secupdat.dat
2009-02-11 20:22 . 2009-02-11 20:22 32,256 --ah----- c:\documents and settings\Mikael\nxcj.exe
2009-02-11 20:22 . 2009-02-11 20:22 3,584 --a------ c:\windows\zzftllhh.exe
2009-02-11 20:20 . 2009-02-11 20:20 128 --a------ c:\windows\system32\5.tmp
2009-02-11 08:33 . 2009-02-11 08:33 33,920 --a------ c:\windows\system32\drivers\hsgxknof.sys
2009-02-04 03:04 . 2009-02-04 03:04 <DIR> d-------- C:\_OTMoveIt
2009-02-03 23:40 . 2009-02-04 02:39 <DIR> d-------- c:\program files\Autorun Eater
2009-02-03 21:17 . 2001-08-17 13:48 1,869,824 --a--c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-03 21:16 . 2001-08-17 14:56 1,733,120 --a--c--- c:\windows\system32\dllcache\g400d.dll
2009-02-03 21:15 . 2001-08-17 22:24 1,897,984 --a--c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-02 21:28 . 2009-02-02 21:28 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-02-02 21:17 . 2009-02-11 20:23 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-02 21:17 . 2009-02-02 21:17 <DIR> d-------- c:\documents and settings\Mikael\Application Data\SUPERAntiSpyware.com
2009-02-02 21:17 . 2009-02-02 21:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-02 19:47 . 2009-02-02 19:47 <DIR> d-------- c:\program files\XoftSpySE
2009-02-02 02:19 . 2009-02-11 11:44 <DIR> d-------- c:\windows\system32\CatRoot2
2009-02-02 01:36 . 2009-02-02 01:36 <DIR> d-------- c:\windows\ERUNT
2009-02-02 01:34 . 2009-02-07 03:03 <DIR> d-------- C:\SDFix
2009-02-01 12:41 . 2009-02-01 12:41 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-01 12:40 . 2009-02-01 12:40 <DIR> d-------- c:\documents and settings\Administrator
2009-01-31 22:27 . 2009-01-31 22:27 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-31 22:27 . 2009-01-31 22:27 <DIR> d-------- c:\documents and settings\Mikael\Application Data\Malwarebytes
2009-01-31 22:27 . 2009-01-31 22:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-31 22:27 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-31 22:27 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-31 20:21 . 2009-02-06 21:32 <DIR> d-------- c:\program files\System
2009-01-31 18:46 . 2009-01-31 18:46 240 --a------ c:\windows\wininit.ini
2009-01-31 18:29 . 2009-01-31 18:29 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-31 18:29 . 2009-01-31 18:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-31 18:23 . 2009-01-31 18:23 <DIR> d-------- c:\program files\Trend Micro
2009-01-31 18:20 . 2009-01-31 18:20 16,409,960 --a------ c:\program files\spybotsd162.exe
2009-01-31 18:11 . 2001-08-23 07:00 38,912 --a------ c:\windows\system32\stu2.exe
2009-01-31 17:57 . 2009-01-31 17:57 <DIR> d--h----- c:\windows\PIF
2009-01-31 16:59 . 2009-01-31 16:59 <DIR> d-------- c:\documents and settings\Mikael\Application Data\Pegasys Inc
2009-01-31 15:44 . 2009-01-31 15:41 145,504 --a------ c:\windows\system32\bgsvcgen.exe
2009-01-31 15:44 . 2009-01-31 15:41 59,488 --a------ c:\windows\system32\GenSvcInst.exe
2009-01-31 15:44 . 2009-01-31 15:41 33,408 --a------ c:\windows\system32\drivers\CDRBSDRV.SYS
2009-01-31 15:43 . 2009-01-31 15:43 <DIR> d-------- c:\program files\Pegasys Inc
2009-01-31 13:45 . 2009-01-31 13:45 754 --a------ c:\windows\WORDPAD.INI
2009-01-28 00:48 . 2009-01-28 01:36 <DIR> d-------- c:\documents and settings\Mikael\Application Data\ImgBurn
2009-01-26 20:39 . 2009-01-26 20:39 <DIR> d-------- c:\program files\ImgBurn
2009-01-24 15:15 . 2009-01-25 14:48 <DIR> d-------- c:\documents and settings\Mikael\Application Data\mIRC
2009-01-20 21:40 . 2009-01-20 21:40 <DIR> d-------- c:\program files\uTorrent
2009-01-20 21:39 . 2009-02-04 16:29 <DIR> d-------- c:\documents and settings\Mikael\Application Data\uTorrent
2009-01-20 20:47 . 2009-01-20 20:47 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-20 20:47 . 2009-01-20 20:47 <DIR> d-------- c:\program files\Common Files\Adobe
2009-01-18 12:17 . 2009-01-18 12:17 316,640 --a------ c:\windows\WMSysPr9.prx
2009-01-13 00:26 . 2009-01-21 20:04 <DIR> d-------- c:\documents and settings\Mikael\Application Data\COWON
2009-01-13 00:22 . 2009-01-21 20:04 <DIR> d-------- c:\program files\JetAudio
2009-01-13 00:22 . 2009-01-13 00:22 <DIR> d-------- c:\program files\Common Files\COWON
2009-01-13 00:20 . 2009-01-13 00:20 <DIR> d-------- c:\documents and settings\Mikael\Application Data\InstallShield
2009-01-11 23:28 . 2009-01-11 23:28 <DIR> d-------- c:\program files\The Extractor
2009-01-11 23:28 . 2009-01-11 23:28 757,760 --a------ c:\windows\iun6002.exe
2009-01-11 22:59 . 2009-01-11 22:59 <DIR> d-------- c:\program files\Trader's Little Helper
2009-01-11 22:47 . 2009-01-11 22:47 0 --a------ c:\windows\nsreg.dat
2009-01-11 20:34 . 2009-01-12 02:55 334 --a------ c:\windows\setup.iss
2009-01-11 20:33 . 2001-08-17 13:52 37,504 --a------ c:\windows\system32\drivers\sbp2port.sys
2009-01-11 20:33 . 2001-08-17 13:52 37,504 --a--c--- c:\windows\system32\dllcache\sbp2port.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-04 09:12 161,536 ----a-w c:\windows\system32\drivers\ndis.sys
2009-02-03 03:17 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-31 21:41 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-13 06:22 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-11 21:44 --------- d-----w c:\documents and settings\All Users\Application Data\AVG7
2009-01-11 02:46 --------- d-----w c:\program files\Lavasoft
2009-01-11 02:46 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-11 02:44 499,712 ----a-w c:\windows\system32\msvcp71.dll
2009-01-11 02:44 348,160 ----a-w c:\windows\system32\msvcr71.dll
2009-01-10 22:57 --------- d-----w c:\program files\AMD
2009-01-10 22:55 --------- d-----w c:\program files\Realtek Sound Manager
2009-01-10 22:55 --------- d-----w c:\program files\Realtek AC97
2009-01-10 22:55 --------- d-----w c:\program files\AvRack
2009-01-10 19:41 --------- d-----w c:\program files\microsoft frontpage
2008-12-24 03:58 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
.

------- Sigcheck -------

2001-08-23 07:00 30208 bf3f7fa12bd4caac1b1d82c1b85adf54 c:\windows\LastGood\System32\svchost.exe
2001-08-23 07:00 30208 9787f3105918e9727c58795178cfd76c c:\windows\system32\svchost.exe

2009-02-04 03:12 192512 3efd4f59ba0a340de0a3ab984001dbf7 c:\windows\system32\dllcache\ndis.sys
2009-02-04 03:12 192512 3efd4f59ba0a340de0a3ab984001dbf7 c:\windows\system32\drivers\ndis.sys

2001-08-23 07:00 1018368 5e952500b5620157bf2ac7a53700fdd7 c:\windows\explorer.exe
2001-08-23 07:00 1018368 677301567c287635ade8849ca1d26664 c:\windows\LastGood\explorer.exe

2001-08-23 07:00 30720 454ad398604e9fa9ded021131ac05a97 c:\windows\LastGood\System32\ctfmon.exe
2001-08-23 07:00 30720 4dea2bb0abb645e572c468da98ad6ee8 c:\windows\system32\ctfmon.exe

2001-08-23 07:00 68608 9468bd3bd9e633b39142aa38164ed375 c:\windows\LastGood\System32\spoolsv.exe
2001-08-23 07:00 68608 e876093514d0a8d64e1c8dfaef55cb81 c:\windows\system32\spoolsv.exe

2001-08-23 07:00 129536 e269627ae4eea5daba6fadf9118cf69e c:\windows\LastGood\System32\wuauclt.exe
2001-08-23 07:00 129536 ebcc0fd7fd5f55fa3ec547e134cb6391 c:\windows\system32\wuauclt.exe

2009-01-31 18:12 26112 14938cef80d9da27430ab26c0e5f0203 c:\windows\LastGood\System32\userinit.exe
2001-08-23 07:00 38912 a415acc8a06c1bad2d8a09f5f04bc939 c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot_2009-02-06_23.06.46.99 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-07 04:29:18 495,616 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2009-02-07 09:03:11 4,952,064 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2009-02-07 04:29:18 8,192 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2009-02-07 09:03:11 24,576 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2009-02-07 05:06:23 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-11 18:19:34 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-07 05:06:23 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-11 18:19:34 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-07 05:06:23 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-11 18:19:34 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2001-08-23 13:00:00 29,184 -c--a-w c:\windows\system32\dllcache\lsass.exe
+ 2001-08-23 13:00:00 11,776 -c--a-w c:\windows\system32\dllcache\lsass.exe
- 2001-08-23 13:00:00 447,488 -c--a-w c:\windows\system32\dllcache\winlogon.exe
+ 2001-08-23 13:00:00 430,080 -c--a-w c:\windows\system32\dllcache\winlogon.exe
+ 2001-08-23 13:00:00 105,472 ----a-w c:\windows\system32\vpsgine.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2008-12-26 13680640]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2008-12-26 86016]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 c:\windows\soundman.exe]
"nwiz"="nwiz.exe" [2008-12-26 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"zzftllhh.exe"="c:\windows\zzftllhh.exe" [2009-02-11 3584]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hsgxknof.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

R0 hsgxknof;hsgxknof;c:\windows\system32\drivers\hsgxknof.sys [2009-02-11 33920]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-02-11 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-01-28 08:29]

2009-02-03 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-01-28 08:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=127.0.0.1:7070
uInternet Settings,ProxyOverride = *.local;<local>
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
FF - ProfilePath - c:\documents and settings\Mikael\Application Data\Mozilla\Firefox\Profiles\7jywqnk0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 7070
FF - prefs.js: network.proxy.type - 4
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-11 12:19:47
Windows 5.1.2600 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\LEGACY_ZYZNJEXU\0000\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(448)
c:\windows\system32\ODBC32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(516)
c:\windows\system32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\savedump.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\bgsvcgen.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-02-11 12:20:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-11 18:20:36
ComboFix2.txt 2009-02-11 04:59:54
ComboFix3.txt 2009-02-07 10:33:36
ComboFix4.txt 2009-02-07 07:10:41
ComboFix5.txt 2009-02-11 18:09:40

Pre-Run: 47,557,140,480 bytes free
Post-Run: 47,548,469,248 bytes free


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27, on 2009-02-11
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\bgsvcgen.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7070
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKUS\S-1-5-18\..\Run: [zzftllhh.exe] C:\WINDOWS\zzftllhh.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [zzftllhh.exe] C:\WINDOWS\zzftllhh.exe (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\System32\bgsvcgen.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 2542 bytes
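The helper reads these logs by eye; the same checks can be written down. What follows is an added example (not code from this thread, ComboFix or HijackThis) that runs a handful of triage rules over the autorun lines posted above: a browser proxy pointing at 127.0.0.1, a Run entry registered under the SYSTEM or Default User hive, an executable sitting directly in the Windows folder, an unknown Winsock LSP, and a boot-start (R0) driver created within a few days of the log. The line layouts, the 7-day driver threshold and the severity labels are assumptions of this example; the sample lines are copied from the logs in the post above.

```python
import re
from dataclasses import dataclass, field
from datetime import date

# Constructed sample: autorun and driver lines copied from the HijackThis and
# ComboFix logs posted above, with the date those logs were taken.
LOG_DATE = date(2009, 2, 11)
SAMPLE_LINES = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7070
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-18\..\Run: [zzftllhh.exe] C:\WINDOWS\zzftllhh.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [zzftllhh.exe] C:\WINDOWS\zzftllhh.exe (User 'Default user')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
R0 hsgxknof;hsgxknof;c:\windows\system32\drivers\hsgxknof.sys [2009-02-11 33920]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
""".strip().splitlines()

# Line layouts as they appear in the posted logs (assumed): HijackThis R1/O4/O10
# entries and ComboFix's "<start> <service>;<display>;<path> [<date> <size>]".
PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?:\w+=)?(?:127\.0\.0\.1|localhost):(?P<port>\d+)", re.I)
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
DRIVER_RE = re.compile(r"^(?P<start>[RS][0-4]) (?P<svc>[^;]+);(?P<disp>[^;]*);(?P<path>.+?) \[(?P<created>\d{4}-\d{2}-\d{2}) \d+\]$")
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\[^\s,]+")

SYSTEM_HIVES = ("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")  # SYSTEM and Default User profiles
FRESH_DRIVER_DAYS = 7  # assumed threshold: a boot-start driver this new gets a look


@dataclass
class Finding:
    severity: str          # "high" or "medium"
    line: str              # the log line that triggered the finding
    reasons: list = field(default_factory=list)


def lives_in_windir_root(cmd):
    """True when the command's first path is an .exe directly in <drive>:\\windows."""
    m = WIN_PATH_RE.search(cmd)
    if not m:
        return False
    parts = m.group(0).lower().split("\\")
    return len(parts) == 3 and parts[1] == "windows" and parts[2].endswith(".exe")


def triage(lines, log_date):
    """Return one Finding per log line that matches a suspicious pattern, in log order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        reasons, severity = [], "medium"

        m = PROXY_RE.match(line)
        if m:
            reasons.append(f"browser traffic is routed through a local proxy on port {m.group('port')}; "
                           "a process on this machine can read or rewrite every page fetched")
            severity = "high"

        m = RUN_RE.match(line)
        if m:
            if m.group("hive").upper() in SYSTEM_HIVES:
                reasons.append("autorun registered for the SYSTEM / Default User profile, "
                               "which ordinary applications do not use")
                severity = "high"
            if lives_in_windir_root(m.group("cmd")):
                reasons.append("executable sits directly in the Windows folder instead of an application folder")

        m = LSP_RE.match(line)
        if m:
            reasons.append(f"Winsock LSP {m.group('path')} is not in HijackThis's known list; verify its "
                           "publisher before removing it, since a broken LSP chain kills connectivity")

        m = DRIVER_RE.match(line)
        if m and m.group("start") == "R0":
            age = (log_date - date.fromisoformat(m.group("created"))).days
            if 0 <= age <= FRESH_DRIVER_DAYS:
                reasons.append(f"boot-start kernel driver {m.group('path')} was created {age} day(s) before the log")
                severity = "high"

        if reasons:
            findings.append(Finding(severity, line, reasons))
    return findings


def run_sample():
    """Run the triage over the constructed sample; returns the Finding list."""
    return triage(SAMPLE_LINES, LOG_DATE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity.upper()}] {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample it reports five lines: the 127.0.0.1:7070 proxy, both zzftllhh.exe Run entries (flagged twice over, for the hive and for the location), the unknown LSP, and hsgxknof.sys; the NVIDIA, SoundMan and SUPERAntiSpyware entries pass. That matches what percypage picked out by eye, but the output is a list of things to verify, not a verdict: the LSP entry in particular is a "check the publisher" item, which is why the note on it points back at the connectivity problem WinsockXPFix was used for earlier in the thread.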

#8 fenzodahl512

Posted 12 February 2009 - 02:01 AM

Hello.. I realize one thing about your computer... You have no service pack whatsoever inside the computer.. Firstly you have to patch Service Pack 1a to your computer. This patch contains critical security updates for your computer. Without it your computer is wide open to re-infection and any fix attempt is useless.
Please visit this webpage to update your Windows to Service Pack 1a. Apply the update. After that please reboot before proceeding to the next step.

Please DO NOT apply Service Pack 2 into your computer until we give it all clear.



Tell me after you successfully install Service Pack 1a



#9 percypage


Posted 12 February 2009 - 02:19 AM

I just installed it. Oh - and before the last Combofix actually started going through the stages, it had an error that said:

Windows cannot find 32788R22FWJFW\nircmd.com ...


EDIT : Looks like I spoke too soon. I have my laptop online and started the installation process, thinking it was sure to finish through. It did not. It gave me a:

Service Pack 1 Setup Error ... connection with the server cannot be established. (even though I checked and I'm able to surf online??)


It tells me that I should go to the Windows XP Services Web site and select "Problems downloading the Service Pack". (this does not work either)

What do I do?

Edited by percypage, 12 February 2009 - 02:49 AM.


#10 fenzodahl512

Posted 12 February 2009 - 03:09 AM

Sorry, but we really need you to patch your Windows to at least Service Pack 1a.. Yours is unpatched, so it is useless for us to get it clean because it will get reinfected as soon as you connect to the internet..

Here are another two links for you to try..

http://www.microsoft.com/downloads/info.as...isplayLang%3den

http://www.microsoft.com/downloads/info.as...isplayLang%3den



#11 percypage

percypage
  • Topic Starter

  • Members
  • 16 posts

Posted 12 February 2009 - 03:22 AM

I did mention it in the first few paragraphs of my original post. But I can see how it was overlooked. I will try to make a bootable floppy tomorrow (need sleep!)

btw - you said here's another 2 links to try and they were both the same link.

#12 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 12 February 2009 - 03:24 AM

Err.. Nope.. One is for Home Edition, another is Professional Edition :)

Depending on what version of your XP :thumbup2:



#13 percypage

percypage
  • Topic Starter

  • Members
  • 16 posts

Posted 14 February 2009 - 04:16 PM

I was out of town the last few days and not able to get anything done until just now. I had problems getting the 'validation' to work, which finally allowed me to download the floppy files. So after I get it and print to a floppy I happen to still have, it tells me I need another (probably need 6 total, from the 4.2 MB size). I don't have more floppies - it's 2009! So tell me if these are the options I'm left with: obtain 5 more floppies somehow or give up on this altogether? Why can't I load this SP1A to a CD? Is that possible?

Edited by percypage, 14 February 2009 - 04:26 PM.


#14 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 14 February 2009 - 11:15 PM

it's 2009!


Yes, exactly.. And that's why currently it's Windows XP Service Pack 3!

I'm left with; obtain 5 more floppies somehow or give up on this altogether?


It's really up to you whether to wipe clean your computer but as I said before, you'll really need to patch your Windows to the very least SP1a, or otherwise our fixes will take forever.. As soon as the computer is connected to the internet without SP1a, it will get reinfected..

Why can't I load this SP1A to a CD? Is that possible?


I'm not sure about that, never tried it before..


Waiting for your effort of SP1a :thumbup2:



#15 percypage

percypage
  • Topic Starter

  • Members
  • 16 posts

Posted 15 February 2009 - 02:01 AM

The "It's 2009" quip was in reference to how obsolete floppies are - can you even buy one anymore? I honestly don't know where I'm gonna get 5 of them. If this was 4-5 years ago or more, sure, I had some. But I checked everywhere and I only have one. Maybe Goodwill?

Is it not possible to upgrade to one of the other Service Packs, after recleaning my Windows partition?

Can I reformat just the Windows partition? I have a 1TB hard-drive that has a 50 GB partition just for Windows and other essentials ... everything else is on the other one (all the 'valuable' stuff!).



