
Trojan and worse?


  • This topic is locked
14 replies to this topic

#1 dfgarcia
  • Members
  • 9 posts

Posted 11 February 2009 - 05:33 AM

I discovered I had a problem when I couldn't keep "Show hidden files and folders" active in Folder Options. I re-downloaded Avast AV and ran a scan and found some bad stuff. For the past 24 hours I've been reading info on the Web and trying to fix things on my own, but I need help, please. Thanks very much in advance!


Here's my DDS log and my attach.txt is attached.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Kiko at 4:08:53.71 on Wed 02/11/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.339 [GMT -6:00]

AV: avast! antivirus 4.8.1335 [VPS 090210-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Portrait Displays\forteManager\DTSRVC.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\One Guy Coding\Blanch.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kiko\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [kvasoft] c:\windows\system32\kva8wr.exe
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\docume~1\kiko\startm~1\programs\startup\AT&TDS~1.LNK -
StartupFolder: c:\docume~1\kiko\startm~1\programs\startup\konfab~1.lnk - c:\program files\pixoria\konfabulator\Konfabulator.exe
StartupFolder: c:\docume~1\kiko\startm~1\programs\startup\shortc~1.lnk - c:\program files\one guy coding\Blanch.exe
StartupFolder: c:\docume~1\kiko\startm~1\programs\startup\taskma~1.lnk - c:\windows\system32\taskmgr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
TCP: {E135242A-482F-457E-A378-9595C78ABE12} = 68.94.156.1 68.94.157.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kiko\applic~1\mozilla\firefox\profiles\mylr3m9c.default\
FF - component: c:\documents and settings\kiko\application data\mozilla\firefox\profiles\mylr3m9c.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - component: c:\documents and settings\kiko\application data\mozilla\firefox\profiles\mylr3m9c.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\kiko\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-2-10 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-2-10 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-2-10 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-2-10 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-2-10 352920]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 aswArKrn;aswArKrn;\??\c:\docume~1\kiko\locals~1\temp\aswarkrn.sys --> c:\docume~1\kiko\locals~1\temp\aswArKrn.sys [?]
S3 cel90xbe;cel90xbe;\??\c:\docume~1\kiko\locals~1\temp\cel90xbe.sys --> c:\docume~1\kiko\locals~1\temp\cel90xbe.sys [?]

=============== Created Last 30 ================

2009-02-11 00:54 149 ---shr-- C:\autorun.inf
2009-02-10 23:52 <DIR> --d----- c:\program files\EsetOnlineScanner
2009-02-10 21:28 <DIR> --d----- C:\ComboFix
2009-02-10 21:27 <DIR> --d----- C:\cmdcons
2009-02-10 21:25 161,792 a------- c:\windows\SWREG.exe
2009-02-10 21:25 98,816 a------- c:\windows\sed.exe
2009-02-10 20:27 <DIR> --d----- c:\program files\Trend Micro
2009-02-10 13:40 <DIR> --d----- c:\docume~1\kiko\applic~1\Malwarebytes
2009-02-10 13:40 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-10 13:40 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-10 13:40 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-10 13:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-10 06:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-10 06:03 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-10 06:03 <DIR> --d----- c:\docume~1\kiko\applic~1\SUPERAntiSpyware.com
2009-02-10 04:00 109,568 ---shr-- c:\windows\system32\uweyiwe1.dll
2009-02-10 01:31 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-02-10 01:31 499,712 a------- c:\windows\system32\MSVCP71.dll
2009-02-10 01:31 348,160 a------- c:\windows\system32\MSVCR71.dll
2009-01-16 10:05 <DIR> --d----- c:\docume~1\kiko\applic~1\BonkEnc
2009-01-16 10:05 160,610 a------- c:\windows\Free Audio Converter CS Uninstaller.exe
2009-01-16 10:05 <DIR> --d----- c:\program files\Free Audio Converter CS
2009-01-16 09:49 <DIR> --d----- c:\program files\ID3-TagIT 3
2009-01-16 09:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ID3-TagIT 3
2009-01-16 09:47 <DIR> --d----- c:\docume~1\kiko\applic~1\ID3-TagIT 3

==================== Find3M ====================

2008-11-14 15:45 131,072 a------- c:\windows\system32\SpoonUninstall.exe
2005-12-29 19:17 159,122 a------- c:\program files\audioscrobbler.wa.1.1.10.exe
2005-07-30 17:13 79,586 a------- c:\program files\old old progs.JPG
2003-09-25 19:05 178,688 a------- c:\program files\hjsplit.exe
1998-08-10 17:25 1,616,384 a------- c:\program files\Font.exe

============= FINISH: 4:09:21.70 ===============

#2 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 18 February 2009 - 07:09 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#3 dfgarcia
  • Topic Starter
  • Members
  • 9 posts

Posted 18 February 2009 - 07:15 PM

Thank you for your help and reply! I am doing these steps right now and will post once I finish!

Edited by dfgarcia, 18 February 2009 - 07:15 PM.


#4 dfgarcia
  • Topic Starter
  • Members
  • 9 posts

Posted 18 February 2009 - 07:40 PM

Thanks again!

Here's the combofix log:

ComboFix 09-02-17.02 - Kiko 2009-02-18 18:16:42.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.427 [GMT -6:00]
Running from: c:\documents and settings\Kiko\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090218-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-01-19 to 2009-02-19 )))))))))))))))))))))))))))))))
.

2009-02-11 13:31 . 2009-02-11 13:31 7,680 --ahs---- c:\windows\Thumbs.db
2009-02-10 23:52 . 2009-02-11 00:30 <DIR> d-------- c:\program files\EsetOnlineScanner
2009-02-10 20:27 . 2009-02-10 20:27 <DIR> d-------- c:\program files\Trend Micro
2009-02-10 13:40 . 2009-02-10 13:40 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-10 13:40 . 2009-02-10 13:40 <DIR> d-------- c:\documents and settings\Kiko\Application Data\Malwarebytes
2009-02-10 13:40 . 2009-02-10 13:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-10 13:40 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-10 13:40 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-10 06:03 . 2009-02-10 06:03 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-10 06:03 . 2009-02-10 06:03 <DIR> d-------- c:\documents and settings\Kiko\Application Data\SUPERAntiSpyware.com
2009-02-10 06:03 . 2009-02-10 06:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-10 04:00 . 2009-02-10 23:00 109,568 -r-hs---- c:\windows\system32\uweyiwe1.dll
2009-02-10 01:31 . 2009-02-10 01:31 <DIR> d-------- c:\program files\Alwil Software
2009-02-10 01:31 . 2003-03-18 14:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-02-10 01:31 . 2003-03-18 13:14 499,712 --a------ c:\windows\system32\MSVCP71.dll
2009-02-10 01:31 . 2003-02-20 21:42 348,160 --a------ c:\windows\system32\MSVCR71.dll
2009-01-21 12:45 . 2009-01-21 12:45 <DIR> d-------- c:\program files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-18 22:01 --------- d-----w c:\program files\Mozilla Thunderbird
2009-02-11 19:31 5,632 --sha-w c:\program files\Thumbs.db
2009-02-11 06:30 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-11 06:30 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-10 12:02 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-09 08:42 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-31 18:14 --------- d-----w c:\documents and settings\Kiko\Application Data\uTorrent
2009-01-20 23:19 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-20 23:18 --------- d-----w c:\program files\Fraps
2009-01-19 19:59 --------- d-----w c:\program files\CCleaner
2009-01-18 10:38 --------- d-----w c:\documents and settings\Kiko\Application Data\Bioshock
2009-01-17 17:32 --------- d-----w c:\program files\dBpowerAMP
2009-01-16 16:09 --------- d-----w c:\documents and settings\Kiko\Application Data\BonkEnc
2009-01-16 16:05 160,610 ----a-w c:\windows\Free Audio Converter CS Uninstaller.exe
2009-01-16 16:05 --------- d-----w c:\program files\Free Audio Converter CS
2009-01-16 15:55 --------- d-----w c:\documents and settings\Kiko\Application Data\ID3-TagIT 3
2009-01-16 15:50 --------- d-----w c:\program files\ID3-TagIT 3
2009-01-16 15:49 --------- d-----w c:\documents and settings\All Users\Application Data\ID3-TagIT 3
2009-01-16 08:07 --------- d-----w c:\program files\PeerGuardian2
2009-01-16 03:14 --------- d-----w c:\documents and settings\Kiko\Application Data\mIRC
2009-01-16 02:49 --------- d-----w c:\program files\mIRC
2009-01-11 06:55 --------- d-----w c:\documents and settings\Kiko\Application Data\Skype
2009-01-05 02:30 --------- d-----w c:\program files\NVIDIA
2009-01-05 02:24 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2008-12-27 19:32 --------- d-----w c:\program files\Skype
2008-12-27 19:32 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-12-25 19:46 --------- d-----w c:\program files\PopCap Games
2008-12-23 17:36 --------- d-----w c:\documents and settings\All Users\Application Data\Soulseek
2008-12-22 09:54 --------- d-----w c:\program files\SystemRequirementsLab
2008-12-22 09:53 --------- d-----w c:\documents and settings\Kiko\Application Data\SystemRequirementsLab
2005-12-30 01:17 159,122 ----a-w c:\program files\audioscrobbler.wa.1.1.10.exe
2005-07-30 23:13 79,586 ----a-w c:\program files\old old progs.JPG
2003-09-26 01:05 178,688 ----a-w c:\program files\hjsplit.exe
1998-08-10 23:25 1,616,384 ----a-w c:\program files\Font.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-02-10_21.30.06.64 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-27 20:49:02 196,683 ----a-w c:\windows\system32\lnod32apiA.dll
+ 2007-07-27 20:49:02 225,355 ----a-w c:\windows\system32\lnod32apiW.dll
+ 2005-12-06 01:25:22 139,264 ----a-w c:\windows\system32\lnod32umc.dll
+ 2005-12-05 18:37:10 106,496 ----a-w c:\windows\system32\lnod32upd.dll
+ 2008-02-11 15:39:26 253,952 ----a-w c:\windows\system32\OnlineScannerDLLA.dll
+ 2008-02-11 15:39:18 237,568 ----a-w c:\windows\system32\OnlineScannerDLLW.dll
+ 2008-02-08 19:53:46 110,592 ----a-w c:\windows\system32\OnlineScannerLang.dll
+ 2008-02-05 14:48:04 77,824 ----a-w c:\windows\system32\OnlineScannerUninstaller.exe
+ 2004-12-07 16:11:34 258,352 ----a-w c:\windows\system32\unicows.dll
+ 2009-02-11 10:54:13 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_188.dat
+ 2009-02-11 07:14:12 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_57c.dat
+ 2009-02-11 07:15:14 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_5b4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"P17Helper"="P17.dll" [2004-06-10 c:\windows\system32\P17.dll]
"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\basicsmssmenu]
--a------ 2007-10-09 16:21 169328 c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--a------ 2003-09-17 10:43 57344 c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 17:05 81920 c:\program files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DT Task]
--a------ 2006-10-30 17:00 270336 c:\program files\Portrait Displays\forteManager\dthtml.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 16:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 01:06 1667584 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-11-07 02:26 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Games\\Steam\\steamapps\\dfgarcia1979\\day of defeat\\hl.exe"=
"c:\\Documents and Settings\\Kiko\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Kiko\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Games\\Steam\\Steam.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Games\\Steam\\steamapps\\dfgarcia1979\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Games\\Steam\\steamapps\\common\\bejeweled deluxe\\WinBej.exe"=
"c:\\Games\\Steam\\steamapps\\common\\peggle deluxe\\Peggle.exe"=
"c:\\Games\\Steam\\steamapps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Games\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-02-10 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-02-10 20560]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S3 aswArKrn;aswArKrn;\??\c:\docume~1\Kiko\LOCALS~1\Temp\aswArKrn.sys --> c:\docume~1\Kiko\LOCALS~1\Temp\aswArKrn.sys [?]
S3 cel90xbe;cel90xbe;\??\c:\docume~1\Kiko\LOCALS~1\Temp\cel90xbe.sys --> c:\docume~1\Kiko\LOCALS~1\Temp\cel90xbe.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - RKREVEAL150

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{074a890a-b0a1-11dd-adcc-000000000000}]
\Shell\AutoRun\command - 8bglj.cmd
\Shell\open\Command - 8bglj.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{128fe406-e4da-11dd-ade8-00132044cb7b}]
\Shell\AutoRun\command - h:\jdsecure\Windows\JDSecure20.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5bb6e42c-ac4c-11dd-a94f-806d6172696f}]
\Shell\AutoRun\command - D:\autoplay.exe
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-kvasoft - c:\windows\system32\kva8wr.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: {E135242A-482F-457E-A378-9595C78ABE12} = 68.94.156.1 68.94.157.1
FF - ProfilePath - c:\documents and settings\Kiko\Application Data\Mozilla\Firefox\Profiles\mylr3m9c.default\
FF - component: c:\documents and settings\Kiko\Application Data\Mozilla\Firefox\Profiles\mylr3m9c.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - component: c:\documents and settings\Kiko\Application Data\Mozilla\Firefox\Profiles\mylr3m9c.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\Kiko\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-18 18:18:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-18 18:21:03
ComboFix-quarantined-files.txt 2009-02-19 00:20:53
ComboFix2.txt 2009-02-11 03:31:01

Pre-Run: 65,046,732,800 bytes free
Post-Run: 65,146,515,456 bytes free

186
and here's the GMER log:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-18 18:36:03
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF3CE66B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF3CE6574]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xF746CA20]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF3CE6A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF3CE614C]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xF746D2A8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xF7478910]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF3CE664E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF3CE608C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF3CE60F0]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryKey [0xF746D2C8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF3CE676E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF3CE672E]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwSetSystemPowerState [0xF74780B0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF3CE68AE]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF3DA2F20]

---- Kernel code sections - GMER 1.0.14 ----

? bffcvx.sys The system cannot find the file specified. !
? ezmzjcf.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the file specified. !

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00370002
IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00370000

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 86FCF940

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Fastfat \FatCdrom 86175978

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Cdrom \Device\CdRom0 86B39AD8
Device \FileSystem\Rdbss \Device\FsWrap 86B1F408
Device \Driver\Cdrom \Device\CdRom1 86B39AD8
Device \Driver\atapi \Device\Ide\IdePort0 86B47C70
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 86B47C70
Device \Driver\atapi \Device\Ide\IdePort1 86B47C70
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 86B47C70
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 86B47C70
Device \Driver\Cdrom \Device\CdRom2 86B39AD8
Device \FileSystem\Srv \Device\LanmanServer 86C4C140

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86AFD470
Device \FileSystem\MRxSmb \Device\LanmanRedirector 86AFD470
Device \FileSystem\Npfs \Device\NamedPipe 86B3B240
Device \FileSystem\Msfs \Device\Mailslot 86B3A240
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 86B26AD8
Device \Driver\d347prt \Device\Scsi\d347prt1 86B26AD8
Device \FileSystem\Fastfat \Fat 86175978

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 86FD4538
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 86FD4538
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 86FD4538
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 86FD4538
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 86FD4538
Device \FileSystem\Cdfs \Cdfs 86C6A518

---- Modules - GMER 1.0.14 ----

Module _________ F73CF000-F73E7000 (98304 bytes)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40

---- EOF - GMER 1.0.14 ----

As far as changes since the last post, I think the only significant ones were uninstalling SpybotS&D and uninstalling and installing games through Steam.

I had another question: I am worried that the infection spread to my thumb drive and external hard drive, because I found similar suspicious-looking and re-appearing autorun.inf files on them.

Thanks once again!

#5 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 18 February 2009 - 08:29 PM

Hello.

Let's see what we can do.

I had another question: I am worried that the infection spread to my thumb drive and external hard drive, because I found similar suspicious-looking and re-appearing autorun.inf files on them.

Please plug them into this computer that we are working on. ComboFix will have disabled autorun, so any infections on them won't spread.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    http://www.bleepingcomputer.com/forums/t/202544/trojan-and-worse/
    File::
    c:\windows\system32\uweyiwe1.dll
    
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{074a890a-b0a1-11dd-adcc-000000000000}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{128fe406-e4da-11dd-ade8-00132044cb7b}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5bb6e42c-ac4c-11dd-a94f-806d6172696f}]
    
    Suspect::[59]
    c:\program files\Font.exe
    
    Driver::
    cel90xbe
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

At the end of its run ComboFix will attempt to upload some files. Please make sure you are connected to the Internet before clicking "OK". Kindly remind me in your next reply that samples were uploaded.

Install From Windows Updates
Whenever a security problem in its software is found, Microsoft will create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malware being installed on your computer.

Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please reboot and repeat this process until there are no more updates to install.

Please post back with:
-the ComboFix log
-a new DDS.txt log

Please tell me of any symptoms that are still present.

With Regards,
The Panda
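The reply above answers the autorun.inf worry by relying on ComboFix having disabled AutoRun. As an added example (not code from the thread or from ComboFix), here is a small Python check a defender can run on an autorun.inf copied off a removable drive: it lists the entries that would launch a program and reads the NoDriveTypeAutoRun policy value to confirm AutoRun is off for removable drives. The autorun.inf text is constructed for illustration, and the registry read only runs on Windows.

```python
"""Added example (not code from the thread or from ComboFix): parse an
autorun.inf found on a removable drive, list the entries that would launch
a program, and check whether the NoDriveTypeAutoRun policy disables AutoRun
for removable drives. The autorun.inf text is constructed for illustration."""
import configparser
import sys

# [autorun] keys that make Windows run or redirect to a program when the
# drive is inserted or opened from My Computer.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command",
               "shell\\explore\\command", "shell\\autoplay\\command")

# NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is
# disabled; bit 0x04 is DRIVE_REMOVABLE (USB sticks), 0xFF covers all types.
DRIVE_REMOVABLE = 0x04

POLICY_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Constructed sample in the style of a worm-dropped autorun.inf; the paths
# are placeholders, not values from the thread.
SAMPLE_AUTORUN_INF = """[AutoRun]
; constructed sample
open=RECYCLER\\S-1-5-21-placeholder\\sample.exe
shell\\open\\command=RECYCLER\\S-1-5-21-placeholder\\sample.exe
shell\\open=Open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""


def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys; the
    section name is matched case-insensitively, as Windows does."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str.lower
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp.items(section))
    return {}


def launch_targets(entries):
    """Return (key, target) pairs for entries that would execute something."""
    return [(k, v) for k, v in entries.items() if k in LAUNCH_KEYS]


def removable_autorun_disabled(policy_value):
    """True if a NoDriveTypeAutoRun value disables AutoRun on removable
    drives; None (value not set) counts as not disabled."""
    if policy_value is None:
        return False
    return bool(policy_value & DRIVE_REMOVABLE)


def read_policy_value():
    """Read NoDriveTypeAutoRun, HKLM first (it overrides HKCU), then HKCU.
    Returns None off Windows or when neither hive has the value."""
    if sys.platform != "win32":
        return None
    import winreg
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, POLICY_SUBKEY) as key:
                value, _ = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
                return int(value)
        except OSError:
            continue
    return None


def report(text, policy_value):
    """Return human-readable findings for one autorun.inf and policy value."""
    findings = []
    entries = parse_autorun(text)
    if not entries:
        findings.append("no [autorun] section found")
        return findings
    targets = launch_targets(entries)
    if not targets:
        findings.append("[autorun] section present but launches nothing")
    for key, target in targets:
        findings.append(f"launch entry: {key} -> {target}")
    if policy_value is None:
        findings.append("NoDriveTypeAutoRun not set; Windows default applies")
    elif removable_autorun_disabled(policy_value):
        findings.append(f"AutoRun disabled for removable drives (0x{policy_value:02X})")
    else:
        findings.append(f"AutoRun NOT disabled for removable drives (0x{policy_value:02X})")
    return findings


if __name__ == "__main__":
    for line in report(SAMPLE_AUTORUN_INF, read_policy_value()):
        print(line)
```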

#6 dfgarcia

dfgarcia
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:15 AM

Posted 18 February 2009 - 10:47 PM

Is that CF script gonna nuke my font.exe program? I've been using it for years; it's a font viewer.

#7 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:15 AM

Posted 19 February 2009 - 11:42 AM

Hello.

No, I was just collecting a sample of it.

It was suspicious for a program to be located in the root of the Program Files folder.

With Regards,
The Panda

#8 dfgarcia

dfgarcia
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:15 AM

Posted 21 February 2009 - 05:04 AM

Having a bit of trouble with the updates. Can I do the CF and DDS stuff first? Or does it need to be completely updated first?

#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:15 AM

Posted 21 February 2009 - 11:32 AM

Hello.

Please run the CFScript first.

The directions should be in the order they are given.

If you can't update, we'll skip that for now. Tell me any errors you receive while trying.

With Regards,
The Panda

#10 dfgarcia

dfgarcia
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:15 AM

Posted 24 February 2009 - 11:53 AM

Okay, sorry for the delay.

I am currently asymptomatic and my untrained eye didn't find anything suspicious in the logs.

One concern I have is that after ComboFix rebooted my system and ran after reboot, the program displayed a message to the effect of "Do not begin any other program", yet my startup programs loaded while this message was still displayed, including Avast and SuperAntiSpyware. Would this have interfered or otherwise had a deleterious effect on CF?

Logs

CF:

ComboFix 09-02-21.01 - Kiko 2009-02-24 10:01:59.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.713 [GMT -6:00]
Running from: c:\documents and settings\Kiko\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kiko\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090223-0] *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\uweyiwe1.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\uweyiwe1.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CEL90XBE
-------\Service_cel90xbe


((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))
.

2009-02-18 18:25 . 2009-02-18 18:25 250 --a------ c:\windows\gmer.ini
2009-02-11 13:31 . 2009-02-11 13:31 7,680 --ahs---- c:\windows\Thumbs.db
2009-02-10 23:52 . 2009-02-11 00:30 <DIR> d-------- c:\program files\EsetOnlineScanner
2009-02-10 20:27 . 2009-02-10 20:27 <DIR> d-------- c:\program files\Trend Micro
2009-02-10 13:40 . 2009-02-10 13:40 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-10 13:40 . 2009-02-10 13:40 <DIR> d-------- c:\documents and settings\Kiko\Application Data\Malwarebytes
2009-02-10 13:40 . 2009-02-10 13:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-10 13:40 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-10 13:40 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-10 06:03 . 2009-02-10 06:03 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-10 06:03 . 2009-02-10 06:03 <DIR> d-------- c:\documents and settings\Kiko\Application Data\SUPERAntiSpyware.com
2009-02-10 06:03 . 2009-02-10 06:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-10 01:31 . 2009-02-10 01:31 <DIR> d-------- c:\program files\Alwil Software
2009-02-10 01:31 . 2003-03-18 14:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-02-10 01:31 . 2003-03-18 13:14 499,712 --a------ c:\windows\system32\MSVCP71.dll
2009-02-10 01:31 . 2003-02-20 21:42 348,160 --a------ c:\windows\system32\MSVCR71.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 01:26 --------- d-----w c:\documents and settings\Kiko\Application Data\uTorrent
2009-02-23 22:54 --------- d-----w c:\program files\Mozilla Thunderbird
2009-02-11 19:31 5,632 --sha-w c:\program files\Thumbs.db
2009-02-11 06:30 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-11 06:30 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-10 12:02 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-09 08:42 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-21 18:45 --------- d-----w c:\program files\Google
2009-01-20 23:19 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-20 23:18 --------- d-----w c:\program files\Fraps
2009-01-19 19:59 --------- d-----w c:\program files\CCleaner
2009-01-18 10:38 --------- d-----w c:\documents and settings\Kiko\Application Data\Bioshock
2009-01-17 17:32 --------- d-----w c:\program files\dBpowerAMP
2009-01-16 16:09 --------- d-----w c:\documents and settings\Kiko\Application Data\BonkEnc
2009-01-16 16:05 160,610 ----a-w c:\windows\Free Audio Converter CS Uninstaller.exe
2009-01-16 16:05 --------- d-----w c:\program files\Free Audio Converter CS
2009-01-16 15:55 --------- d-----w c:\documents and settings\Kiko\Application Data\ID3-TagIT 3
2009-01-16 15:50 --------- d-----w c:\program files\ID3-TagIT 3
2009-01-16 15:49 --------- d-----w c:\documents and settings\All Users\Application Data\ID3-TagIT 3
2009-01-16 08:07 --------- d-----w c:\program files\PeerGuardian2
2009-01-16 03:14 --------- d-----w c:\documents and settings\Kiko\Application Data\mIRC
2009-01-16 02:49 --------- d-----w c:\program files\mIRC
2009-01-11 06:55 --------- d-----w c:\documents and settings\Kiko\Application Data\Skype
2009-01-05 02:30 --------- d-----w c:\program files\NVIDIA
2009-01-05 02:24 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2008-12-27 19:32 --------- d-----w c:\program files\Skype
2008-12-27 19:32 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-12-25 19:46 --------- d-----w c:\program files\PopCap Games
2005-12-30 01:17 159,122 ----a-w c:\program files\audioscrobbler.wa.1.1.10.exe
2005-07-30 23:13 79,586 ----a-w c:\program files\old old progs.JPG
2003-09-26 01:05 178,688 ----a-w c:\program files\hjsplit.exe
1998-08-10 23:25 1,616,384 ----a-w c:\program files\Font.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-02-10_21.30.06.64 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 02:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-02-19 00:25:41 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 03:13:02 811,008 ----a-w c:\windows\gmer.exe
+ 2009-02-19 00:25:41 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
+ 2007-07-27 20:49:02 196,683 ----a-w c:\windows\system32\lnod32apiA.dll
+ 2007-07-27 20:49:02 225,355 ----a-w c:\windows\system32\lnod32apiW.dll
+ 2005-12-06 01:25:22 139,264 ----a-w c:\windows\system32\lnod32umc.dll
+ 2005-12-05 18:37:10 106,496 ----a-w c:\windows\system32\lnod32upd.dll
+ 2008-02-11 15:39:26 253,952 ----a-w c:\windows\system32\OnlineScannerDLLA.dll
+ 2008-02-11 15:39:18 237,568 ----a-w c:\windows\system32\OnlineScannerDLLW.dll
+ 2008-02-08 19:53:46 110,592 ----a-w c:\windows\system32\OnlineScannerLang.dll
+ 2008-02-05 14:48:04 77,824 ----a-w c:\windows\system32\OnlineScannerUninstaller.exe
+ 2004-12-07 16:11:34 258,352 ----a-w c:\windows\system32\unicows.dll
+ 2009-02-24 16:07:12 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4ac.dat
+ 2009-02-24 16:06:07 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_580.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"P17Helper"="P17.dll" [2004-06-10 c:\windows\system32\P17.dll]
"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\basicsmssmenu]
--a------ 2007-10-09 16:21 169328 c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--a------ 2003-09-17 10:43 57344 c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 17:05 81920 c:\program files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DT Task]
--a------ 2006-10-30 17:00 270336 c:\program files\Portrait Displays\forteManager\dthtml.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 16:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 01:06 1667584 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-11-07 02:26 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Games\\Steam\\steamapps\\dfgarcia1979\\day of defeat\\hl.exe"=
"c:\\Documents and Settings\\Kiko\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Kiko\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Games\\Steam\\Steam.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Games\\Steam\\steamapps\\dfgarcia1979\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Games\\Steam\\steamapps\\common\\bejeweled deluxe\\WinBej.exe"=
"c:\\Games\\Steam\\steamapps\\common\\peggle deluxe\\Peggle.exe"=
"c:\\Games\\Steam\\steamapps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Games\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-02-10 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-02-10 20560]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S3 aswArKrn;aswArKrn;\??\c:\docume~1\Kiko\LOCALS~1\Temp\aswArKrn.sys --> c:\docume~1\Kiko\LOCALS~1\Temp\aswArKrn.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: {E135242A-482F-457E-A378-9595C78ABE12} = 68.94.156.1 68.94.157.1
FF - ProfilePath - c:\documents and settings\Kiko\Application Data\Mozilla\Firefox\Profiles\mylr3m9c.default\
FF - component: c:\documents and settings\Kiko\Application Data\Mozilla\Firefox\Profiles\mylr3m9c.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - component: c:\documents and settings\Kiko\Application Data\Mozilla\Firefox\Profiles\mylr3m9c.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\Kiko\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-24 10:07:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Portrait Displays\forteManager\DTSRVC.exe
c:\program files\FolderSize\FolderSizeSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Pixoria\Konfabulator\Konfabulator.exe
c:\program files\One Guy Coding\Blanch.exe
c:\program files\Pixoria\Konfabulator\Konfabulator.exe
c:\program files\Pixoria\Konfabulator\Konfabulator.exe
c:\windows\system32\taskmgr.exe
c:\progra~1\ALWILS~1\Avast4\Setup\avast.setup
.
**************************************************************************
.
Completion time: 2009-02-24 10:08:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-24 16:08:19
ComboFix2.txt 2009-02-19 00:21:04
ComboFix3.txt 2009-02-11 03:31:01

Pre-Run: 64,880,996,352 bytes free
Post-Run: 64,903,778,304 bytes free

208

DDS:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Kiko at 10:28:16.75 on Tue 02/24/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.654 [GMT -6:00]

AV: avast! antivirus 4.8.1335 [VPS 090224-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Portrait Displays\forteManager\DTSRVC.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\One Guy Coding\Blanch.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Kiko\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\docume~1\kiko\startm~1\programs\startup\AT&TDS~1.LNK -
StartupFolder: c:\docume~1\kiko\startm~1\programs\startup\konfab~1.lnk - c:\program files\pixoria\konfabulator\Konfabulator.exe
StartupFolder: c:\docume~1\kiko\startm~1\programs\startup\shortc~1.lnk - c:\program files\one guy coding\Blanch.exe
StartupFolder: c:\docume~1\kiko\startm~1\programs\startup\taskma~1.lnk - c:\windows\system32\taskmgr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
TCP: {E135242A-482F-457E-A378-9595C78ABE12} = 68.94.156.1 68.94.157.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kiko\applic~1\mozilla\firefox\profiles\mylr3m9c.default\
FF - component: c:\documents and settings\kiko\application data\mozilla\firefox\profiles\mylr3m9c.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - component: c:\documents and settings\kiko\application data\mozilla\firefox\profiles\mylr3m9c.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\kiko\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-2-10 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-2-10 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-2-10 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-2-10 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-2-10 352920]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 aswArKrn;aswArKrn;\??\c:\docume~1\kiko\locals~1\temp\aswarkrn.sys --> c:\docume~1\kiko\locals~1\temp\aswArKrn.sys [?]

=============== Created Last 30 ================

2009-02-18 18:25 250 a------- c:\windows\gmer.ini
2009-02-11 13:31 7,680 a--sh--- c:\windows\Thumbs.db
2009-02-10 23:52 <DIR> --d----- c:\program files\EsetOnlineScanner
2009-02-10 21:27 <DIR> --d----- C:\cmdcons
2009-02-10 21:25 161,792 a------- c:\windows\SWREG.exe
2009-02-10 21:25 98,816 a------- c:\windows\sed.exe
2009-02-10 20:27 <DIR> --d----- c:\program files\Trend Micro
2009-02-10 13:40 <DIR> --d----- c:\docume~1\kiko\applic~1\Malwarebytes
2009-02-10 13:40 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-10 13:40 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-10 13:40 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-10 13:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-10 06:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-10 06:03 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-10 06:03 <DIR> --d----- c:\docume~1\kiko\applic~1\SUPERAntiSpyware.com
2009-02-10 01:31 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-02-10 01:31 499,712 a------- c:\windows\system32\MSVCP71.dll
2009-02-10 01:31 348,160 a------- c:\windows\system32\MSVCR71.dll

==================== Find3M ====================

2009-02-11 13:31 5,632 a--sh--- c:\program files\Thumbs.db
2009-01-16 10:05 160,610 a------- c:\windows\Free Audio Converter CS Uninstaller.exe
2005-12-29 19:17 159,122 a------- c:\program files\audioscrobbler.wa.1.1.10.exe
2005-07-30 17:13 79,586 a------- c:\program files\old old progs.JPG
2003-09-25 19:05 178,688 a------- c:\program files\hjsplit.exe
1998-08-10 17:25 1,616,384 a------- c:\program files\Font.exe

============= FINISH: 10:28:38.87 ===============

attach.txt attached

Thanks so much for your help!

#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:15 AM

Posted 24 February 2009 - 03:33 PM

Hello.

It should not have affected ComboFix's run.

Download and Run OTMoveIT
  • Please download OTMoveIt3 by OldTimer to your desktop. If you have already used the program, there is no need to download a new one.
  • Double-click OTMoveIt3.exe to run it. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Copy the lines in the codebox below. Do not copy the word "code".
    :services
    aswArKrn
  • Return to OTMoveIt3, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Close all open windows except OTMoveIt.
  • Click the Posted Image button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest ".log" file present, and copy/paste the contents of that document back here in your next post.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.
  • Double-click ATF-Cleaner.exe to run the program. If you are using Windows Vista, right click the icon and select Run As Administrator.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.

Please tell me of any problems that are present right now.

With Regards,
The Panda

#12 dfgarcia

dfgarcia
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:15 AM

Posted 28 February 2009 - 06:38 PM

Okay, again, sorry for the delay.

OTMoveIt3 log:

========== SERVICES/DRIVERS ==========
Service aswArKrn stopped successfully.
Service aswArKrn deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02282009_122339

ATFCleaner run without problem.


Kaspersky log:

KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, February 28, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, February 28, 2009 18:20:17
Records in database: 1856290
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
E:\
F:\
G:\
J:\
Scan statistics
Files scanned 234966
Threat name 3
Infected objects 2
Suspicious objects 4
Duration of the scan 03:53:35

File name Threat name Threats count
C:\Documents and Settings\Kiko\Application Data\Thunderbird\Profiles\2v2f6lk6.default\Mail\Local Folders\big transfer.sbd\sent Suspicious: Password-protected-EXE 2
C:\Qoobox\Quarantine\C\WINDOWS\system32\uweyiwe1.dll.vir Infected: Trojan-GameThief.Win32.Magania.avav 1
G:\C Drive backup\Documents and Settings\Kiko\Application Data\Thunderbird\Profiles\2v2f6lk6.default\Mail\Local Folders\big transfer.sbd\sent Suspicious: Password-protected-EXE 2
G:\C Drive backup\Documents and Settings\Kiko\Application Data\Thunderbird\Profiles\2v2f6lk6.default\Mail\Local Folders\Inbox Infected: Trojan-Spy.HTML.Bankfraud.w 1
The selected area was scanned.

Of the above 4 items, #1 and #3 are identical (on my main drive and my external backup) but I don't see any .exe attachments in that folder through Thunderbird, and there haven't been any additions to it since 2004. #2 looks like ComboFix has it quarantined, and #4 is also on my external backup but there is no match on the C drive because I believe I found and eliminated the tainted message. I haven't backed up anything to my external drive since I was symptomatic.


Another question: Is it possible to determine from these procedures whence my problem came? The last stupid thing I remember doing before coming here for help was opening an email Powerpoint attachment that I thought was for my wife but turned out to be spam.

Again, thanks for your help and patience.
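The post above reasons through the four Kaspersky hits by where each one lives: a copy ComboFix already quarantined, hits inside Thunderbird mailbox files, and duplicates on the external backup. As an added example (not the thread's own tooling), the Python script below parses such report lines as they appear when pasted into a forum post and applies that same sorting automatically. The detection lines are copied from the report above; the classification rules (quarantine folder, mail-store marker, path-tail matching for backup copies) are this example's own assumptions.

```python
"""Added example (not the thread's own tooling): parse the detection lines
of a Kaspersky Online Scanner 7 report as pasted in a forum post (tabs
collapsed to spaces) and sort each hit by where it lives, separating objects
already quarantined by ComboFix, mailbox hits, and copies on a backup drive.
The sample lines are copied from the report above; the classification rules
are this example's own assumptions."""
import re
from collections import Counter

# "<path> Infected: <threat> <count>"  or  "<path> Suspicious: <name> <count>"
LINE_RE = re.compile(r"^(?P<path>.+?)\s+(?P<verdict>Infected|Suspicious):"
                     r"\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")

# ComboFix keeps what it removes under C:\Qoobox\Quarantine (the .vir suffix
# marks a quarantined copy); hits there are inert, not live infections.
QUARANTINE_MARKER = "\\qoobox\\quarantine\\"
# Thunderbird stores each folder as one mbox file; a hit on such a file is a
# message or attachment inside it, not an executable sitting on disk.
MAIL_MARKER = "\\mail\\"
SYSTEM_DRIVE = "c:"

# Detection lines copied from the Kaspersky report in the post above.
SAMPLE_REPORT = """\
File name Threat name Threats count
C:\\Documents and Settings\\Kiko\\Application Data\\Thunderbird\\Profiles\\2v2f6lk6.default\\Mail\\Local Folders\\big transfer.sbd\\sent Suspicious: Password-protected-EXE 2
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\uweyiwe1.dll.vir Infected: Trojan-GameThief.Win32.Magania.avav 1
G:\\C Drive backup\\Documents and Settings\\Kiko\\Application Data\\Thunderbird\\Profiles\\2v2f6lk6.default\\Mail\\Local Folders\\big transfer.sbd\\sent Suspicious: Password-protected-EXE 2
G:\\C Drive backup\\Documents and Settings\\Kiko\\Application Data\\Thunderbird\\Profiles\\2v2f6lk6.default\\Mail\\Local Folders\\Inbox Infected: Trojan-Spy.HTML.Bankfraud.w 1
The selected area was scanned.
"""


def parse_report(text):
    """Extract the detection lines; header and footer lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append({"path": m["path"], "verdict": m["verdict"],
                         "threat": m["threat"], "count": int(m["count"])})
    return hits


def drive_of(path):
    """Drive letter with colon, lower-cased ('c:'), or '' for other paths."""
    return path[:2].lower() if re.match(r"^[A-Za-z]:", path) else ""


def kind_of(path):
    """Classify a hit as quarantined, inside a mail store, or a plain file."""
    lower = path.lower()
    if QUARANTINE_MARKER in lower:
        return "quarantined"
    if MAIL_MARKER in lower:
        return "mail-store"
    return "file"


def triage(text):
    """Annotate each hit with drive, kind and, for hits off the system drive,
    the system-drive hit it duplicates (same path tail and threat), if any."""
    hits = parse_report(text)
    for h in hits:
        h["drive"] = drive_of(h["path"])
        h["kind"] = kind_of(h["path"])
        h["duplicate_of"] = None
    system_hits = [h for h in hits if h["drive"] == SYSTEM_DRIVE]
    for h in hits:
        if h["drive"] == SYSTEM_DRIVE:
            continue
        tail = h["path"][2:].lower()
        for s in system_hits:
            if s["threat"] == h["threat"] and tail.endswith(s["path"][2:].lower()):
                h["duplicate_of"] = s["path"]
                break
    return hits


def summary(hits):
    """Count hits per kind, e.g. {'mail-store': 3, 'quarantined': 1}."""
    return dict(Counter(h["kind"] for h in hits))


if __name__ == "__main__":
    for h in triage(SAMPLE_REPORT):
        note = f" (copy of {h['duplicate_of']})" if h["duplicate_of"] else ""
        print(f"{h['kind']:<11} {h['drive']} {h['verdict']}: "
              f"{h['threat']} x{h['count']}{note}")
    print(summary(triage(SAMPLE_REPORT)))
```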

#13 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:15 AM

Posted 01 March 2009 - 10:12 AM

Hello.

If possible, I would empty the email folders for Thunderbird.

It is very difficult to trace where exactly an infection came from. Downloaded attachment files are always a possibility.

If you are ever unsure about an attachment, choose to Save it (not open), then upload the file to Jotti to be scanned.

Looks good. Unless there are any issues, we can wrap up.

Run Cleanup! with OTMoveIt
Let's clear out the tools we've used.
  • Double click the OTMoveIt2.exe icon on your desktop to start the program.
  • Click Posted Image.
  • A pop-up box will appear asking "Begin Removal Process?". Click Yes.
  • Click Yes when asked to reboot.
Set New System Restore Point
Now you should set a Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point after cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click System Restore.
  • Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name then click Create.
  • Then, click on Start > Run and type:
    cleanmgr
  • Click OK > More Options tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created one.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda

#14 dfgarcia

dfgarcia
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:15 AM

Posted 04 March 2009 - 12:30 PM

Okay. Last steps accomplished, with the exception of the Windows updates, which I will proceed with shortly.

Thank you very much once again for your time, patience, and help. Thank you also for the reference links and to bleepingcomputer.com for hosting the forums where people like me can turn to for gratis assistance, and the program writers who provide the tools to combat all this malware. You are truly good people. Cheers!

#15 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:15 AM

Posted 04 March 2009 - 03:22 PM

Glad we could help.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
