
Can't run Spybot; IE and Firefox browsers block access to bleepingcomputer.com


This topic is locked. 26 replies to this topic.

#1 fagenbecker

fagenbecker

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:11:54 PM

Posted 15 February 2009 - 11:44 AM

Hi. I have some malware that won't allow me to run Spybot or SuperAntiSpyware, even in Safe Mode, but it does allow AVG and AdAware to run. Neither has found anything wrong.
In addition, if I try to access bleepingcomputer.com via Internet Explorer or Firefox, I get page load errors. The same thing happens when I try to access Malwarebytes.com or any other spyware site.
I am able to access your website via Opera.
I've noticed also that many hyperlinks don't work when I attempt to click on them; for example, on your tutorial, I tried to click on the hyperlink to this page, but I got no results. I had to copy and paste the link into the URL.
I've also noticed that on Facebook, the Chat and Friends Online features no longer work well. I'm also not able to post anything.
One other thing: sometimes when I put an address in the URL, instead of going to the site, I'm directed to a Yahoo or Google search results page. If I click on the hyperlinks, they usually direct me to the site I desired, EXCEPT for your site, spyware sites, etc.
I was able to update and download Spybot via Opera browser, but the computer isn't allowing me to run it. I downloaded Malwarebytes startup the same way, but I can't even get that to install Malwarebytes.
I've also noticed a few pop-ups that show only for a few seconds, then go away.
Oh, the AVG update just failed as I was typing this. No server connection.

I'm just afraid this is going to get worse. Please let me know what I need to do. Thanks,

Fagenbecker


DDS (Ver_09-02-01.01) - NTFSx86
Run by HP_Owner at 9:04:15.59 on Sun 02/15/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.436 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
"C:\WINDOWS\system32\svchost.exe"
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\HP_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: {182EC0BE-5110-49C8-A062-BEB1D02A220B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERANTISPYWARE.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Append to existing PDF
IE: Convert link target to Adobe PDF
IE: Convert link target to existing PDF
IE: Convert selected links to Adobe PDF
IE: Convert selected links to existing PDF
IE: Convert selection to Adobe PDF
IE: Convert selection to existing PDF
IE: Convert to Adobe PDF
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} - hxxp://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} - hxxps://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
TCP: {E7C9047D-5A19-4C60-8274-5FDF04B851AF} = 208.186.134.101,208.186.134.102
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_owner\applic~1\mozilla\firefox\profiles\k4qix7qn.default\
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/wiki/Main_Page
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\opera\program\plugins\npdrmv2.dll
FF - plugin: c:\program files\opera\program\plugins\npqtplugin8.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-8-9 29808]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-15 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-15 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-15 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-8-19 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-8-19 55024]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-11-15 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-11-15 298264]
S1 9461b0ff;9461b0ff;c:\windows\system32\drivers\9461b0ff.sys --> c:\windows\system32\drivers\9461b0ff.sys [?]
S2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2008-8-9 3585384]
S3 cdiskdun;cdiskdun;\??\c:\docume~1\hp_owner\locals~1\temp\cdiskdun.sys --> c:\docume~1\hp_owner\locals~1\temp\cdiskdun.sys [?]
S3 hpusbwdm;HP DVD Movie Writer dc3000/dc4000;c:\windows\system32\drivers\hpusbwdm.sys [2004-1-5 1080832]
S3 pxark;pxark;c:\windows\system32\drivers\pxark.sys [2008-1-29 10624]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-8-19 7408]
S3 USTOR;U-Storage Controller;c:\windows\system32\drivers\UStork.sys [2005-11-21 20258]

=============== Created Last 30 ================

2009-02-14 23:10 5,953,568 a------- c:\program files\SUPERAntiSpyware.exe
2009-02-14 23:01 <DIR> --d----- c:\program files\CCleaner
2009-02-14 22:59 925,592 a------- c:\program files\ccsetup216_slim.exe
2009-02-14 15:46 2,876,720 a------- c:\program files\mb.exe

==================== Find3M ====================

2009-02-14 14:46 576 a------- c:\program files\aswclnr.log
2009-01-28 19:47 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-28 19:47 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-28 19:47 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-23 07:52 32,768 a------- c:\windows\system32\userinit.exe
2008-12-20 16:15 826,368 a------- c:\windows\system32\wininet.dll
2008-11-17 18:40 3,072 a------- c:\windows\~DFEEF.tmp
2008-11-14 16:36 1,580,523 a------- c:\program files\SmitfraudFix.exe
2008-07-30 09:02 407,680 a------- c:\program files\aswclnr.exe
2008-05-23 23:37 61,440 a------- c:\program files\FixDrive.exe
2008-05-23 23:16 1,077 a------- c:\program files\readme.txt
2008-01-29 13:38 318,369 a------- c:\program files\HiJackThis.zip
2008-01-29 13:10 8,964 a------- c:\program files\hijackthis.log
2008-01-29 13:04 17 a------- c:\program files\stinger.opt
2008-01-29 12:26 1,953,799 a------- c:\program files\stinger.exe
2008-01-28 18:25 7,467,056 a------- c:\program files\spybotsd15.exe
2008-01-21 20:04 0 ac-sh--- c:\docume~1\hp_owner\applic~1\0000000000e5926225519850219b5868d240ae07bc.dat
2007-04-27 20:34 240,568 a------- c:\program files\k9-webprotection.exe
2005-04-11 15:45 0 ac-sh--- c:\windows\sminst\HPCD.sys
2008-05-30 12:17 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008053020080531\index.dat

============= FINISH: 9:05:19.93 ===============


#2 KoanYorel (Staff Emeritus)

Posted 27 February 2009 - 11:05 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 fagenbecker (Topic Starter)

Posted 28 February 2009 - 11:34 AM

Thanks for getting back with me. I ran a new DDS scan. Here is the text and the zipped attachment. The same problems exist, but I did download IE8 browser. It works somewhat better, but I'm still blocked from your website in IE and Firefox. I have no problem getting through on Opera.

I'm looking forward to your response. Thanks.

Fagenbecker



#4 PropagandaPanda (Malware Response Team)

Posted 28 February 2009 - 03:02 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#5 fagenbecker (Topic Starter)

Posted 01 March 2009 - 12:39 AM

Panda:

I downloaded ComboFix to my desktop, but I can't open it. I'm blocked, just as I was with my antispyware. I deleted Superspyware, Spybot, and Spywareblaster because I couldn't disable them. In essence, I couldn't do anything with them. Please advise.

#6 PropagandaPanda (Malware Response Team)

Posted 01 March 2009 - 10:28 AM

Hello.

Delete the copy of ComboFix.

When downloading ComboFix, save it as ComboFix123.exe.

Please try running it again.

With Regards,
The Panda

#7 fagenbecker (Topic Starter)

Posted 01 March 2009 - 02:01 PM

Panda:
I was able to run ComboFix and GMER. The logs are attached. Please advise. Thanks.

Fagenbecker

ComboFix 09-02-28.01 - HP_Owner 2009-03-01 11:30:31.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.642 [GMT -7:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix123.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\search_res.txt
c:\windows\system32\404Fix.exe
c:\windows\system32\drivers\UACmuirqoxu.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\UACbappxink.log
c:\windows\system32\UACfaknqlrm.dll
c:\windows\system32\UACjndiftoq.log
c:\windows\system32\UAClamijtbo.dll
c:\windows\system32\UAColiqbgql.log
c:\windows\system32\UACpkiwsklt.dat
c:\windows\system32\UACsvxobqrq.dll
c:\windows\system32\UACwpuyfqmu.dll
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://bgbtorlopos.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-02-01 to 2009-03-01 )))))))))))))))))))))))))))))))
.

2009-02-28 16:18 . 2009-02-28 17:19 <DIR> d-------- c:\program files\Video Strip Poker Supreme
2009-02-24 21:27 . 2009-02-24 21:27 <DIR> d--hs---- c:\documents and settings\Dylan\PrivacIE
2009-02-24 21:27 . 2009-02-24 21:27 <DIR> d--hs---- c:\documents and settings\Dylan\IETldCache
2009-02-21 15:40 . 2009-02-21 15:40 <DIR> d--hs---- c:\documents and settings\HP_Owner\IECompatCache
2009-02-21 15:38 . 2009-02-21 15:38 <DIR> d--hs---- c:\documents and settings\HP_Owner\PrivacIE
2009-02-21 15:38 . 2009-02-21 15:38 <DIR> d--hs---- c:\documents and settings\HP_Owner\IETldCache
2009-02-21 15:34 . 2009-02-21 15:34 <DIR> d-------- c:\windows\ie8updates
2009-02-21 15:34 . 2009-02-21 15:34 1,374 --a------ c:\windows\imsins.BAK
2009-02-21 15:32 . 2009-02-21 15:33 <DIR> d--h-c--- c:\windows\ie8
2009-02-21 15:30 . 2009-01-10 22:00 79,360 -----c--- c:\windows\system32\dllcache\iecompat.dll
2009-02-14 23:01 . 2009-02-14 23:01 <DIR> d-------- c:\program files\CCleaner
2009-02-14 22:59 . 2009-02-14 22:59 925,592 --a------ c:\program files\ccsetup216_slim.exe
2009-02-14 15:46 . 2009-02-14 15:46 2,876,720 --a------ c:\program files\mb.exe
2009-02-13 16:59 . 2009-03-01 10:50 5,157 --a------ c:\windows\system32\uacinit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-01 05:15 --------- d-----w c:\program files\SUPERAntiSpyware
2009-03-01 05:15 --------- d-----w c:\program files\SpywareBlaster
2009-03-01 05:15 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-01 02:28 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-01 02:26 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-17 23:21 --------- d-----w c:\program files\Opera
2009-02-15 06:40 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-14 21:46 576 ----a-w c:\program files\aswclnr.log
2009-02-08 22:16 --------- d-----w c:\program files\FLV Player
2009-01-30 21:26 --------- d-----w c:\program files\Common Files\Adobe
2009-01-29 02:47 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-29 02:47 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-29 02:47 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-01-29 02:46 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-23 14:52 32,768 ----a-w c:\windows\system32\userinit.exe
2009-01-15 09:05 911,872 ----a-w c:\windows\system32\wininet.dll
2009-01-15 09:05 43,008 ----a-w c:\windows\system32\licmgr10.dll
2009-01-15 09:04 18,944 ----a-w c:\windows\system32\corpol.dll
2009-01-15 09:03 72,704 ----a-w c:\windows\system32\admparse.dll
2009-01-15 09:03 71,680 ----a-w c:\windows\system32\iesetup.dll
2009-01-15 09:03 420,352 ----a-w c:\windows\system32\vbscript.dll
2009-01-15 09:01 34,304 ----a-w c:\windows\system32\imgutil.dll
2009-01-15 09:00 48,128 ----a-w c:\windows\system32\mshtmler.dll
2009-01-15 09:00 45,568 ----a-w c:\windows\system32\mshta.exe
2009-01-15 08:50 156,160 ----a-w c:\windows\system32\msls31.dll
2008-11-14 23:36 1,580,523 ----a-w c:\program files\SmitfraudFix.exe
2008-07-30 16:02 407,680 ----a-w c:\program files\aswclnr.exe
2008-05-24 06:37 61,440 ----a-w c:\program files\FixDrive.exe
2008-05-24 06:16 1,077 ----a-w c:\program files\readme.txt
2008-01-29 20:38 318,369 ----a-w c:\program files\HiJackThis.zip
2008-01-29 20:10 8,964 ----a-w c:\program files\hijackthis.log
2008-01-29 20:04 17 ----a-w c:\program files\stinger.opt
2008-01-29 19:26 1,953,799 ----a-w c:\program files\stinger.exe
2008-01-29 01:25 7,467,056 ----a-w c:\program files\spybotsd15.exe
2008-01-22 03:04 0 -csha-w c:\documents and settings\HP_Owner\Application Data\0000000000e5926225519850219b5868d240ae07bc.dat
2007-04-28 03:34 240,568 ----a-w c:\program files\k9-webprotection.exe
2005-04-11 22:45 0 -csha-w c:\windows\SMINST\HPCD.sys
2008-05-30 19:17 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008053020080531\index.dat
.

------- Sigcheck -------

2004-08-04 05:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 17:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe
2009-01-23 07:52 32768 fd4fed5ca14cdc9d4b46bd842e35255e c:\windows\system32\userinit.exe
2008-04-13 17:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-07-21 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-28 1601304]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-05-08 180269]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-29 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-29 241664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-28 19:47 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=c:\windows\pss\HP Organize.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM(135)

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-08-09 29808]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-15 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-15 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-15 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-15 298264]
S1 9461b0ff;9461b0ff;c:\windows\system32\drivers\9461b0ff.sys --> c:\windows\system32\drivers\9461b0ff.sys [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 cdiskdun;cdiskdun;\??\c:\docume~1\HP_Owner\LOCALS~1\Temp\cdiskdun.sys --> c:\docume~1\HP_Owner\LOCALS~1\Temp\cdiskdun.sys [?]
S3 hpusbwdm;HP DVD Movie Writer dc3000/dc4000;c:\windows\system32\drivers\hpusbwdm.sys [2004-01-05 1080832]
S3 pxark;pxark;c:\windows\system32\drivers\pxark.sys [2008-01-29 10624]
S3 USTOR;U-Storage Controller;c:\windows\system32\drivers\UStork.sys [2005-11-21 20258]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{92a90e60-5bd7-11da-b03b-0011d897c17b}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2008-09-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-05-12 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 12:24]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
HKLM-Run-SpySweeper - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF
IE: Convert link target to Adobe PDF
IE: Convert link target to existing PDF
IE: Convert selected links to Adobe PDF
IE: Convert selected links to existing PDF
IE: Convert selection to Adobe PDF
IE: Convert selection to existing PDF
IE: Convert to Adobe PDF
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: {E7C9047D-5A19-4C60-8274-5FDF04B851AF} = 208.186.134.101,208.186.134.102
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\k4qix7qn.default\
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/wiki/Main_Page
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\Opera\program\plugins\npdrmv2.dll
FF - plugin: c:\program files\Opera\program\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-01 11:33:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-01 11:34:53
ComboFix-quarantined-files.txt 2009-03-01 18:34:51

Pre-Run: 153,659,580,416 bytes free
Post-Run: 154,039,222,272 bytes free

210 --- E O F --- 2009-02-25 14:28:38

Attached Files


Edited by PropagandaPanda, 01 March 2009 - 02:46 PM.


#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:54 AM

Posted 01 March 2009 - 03:01 PM

Hello.

There may be some complications here. In addition to being infected with a rootkit, one of your system files was replaced.

They can be removed, though I would suggest that you reinstall.

Backdoor Threat
I'm sorry to say that your computer is infected with one or more backdoor trojans.

This means that sensitive information could have been stolen. I would advise to change any passwords for any accounts that you have accessed with the infected computer using a clean computer ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding preventing of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    KILLALL::
    
    FCopy:
    c:\windows\system32\dllcache\userinit.exe | c:\windows\system32\userinit.exe
    
    File::
    c:\windows\system32\drivers\9461b0ff.sys
    c:\docume~1\HP_Owner\LOCALS~1\Temp\cdiskdun.sys
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=-
    "UpdatesDisableNotify"=-
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{92a90e60-5bd7-11da-b03b-0011d897c17b}]
    
    Driver::
    9461b0ff
    cdiskdun
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Download and Run FlashDisinfector
You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download Malwarebytes Anti-Malware setup and save it to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing MalwareBytes, running the scan, and saving the log file (not on using File Assassin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able to update using the normal method, download the update file from here, using another machine if needed. Simply double-click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.
In your next reply, please include:
-the ComboFix log
-the MalwareBytes scan log.

Also give me an update on the symptoms.

Something small: I would move the files in the Program Files folder elsewhere. Because there are only supposed to be folders, not files, there, some automated tools, or HJT Team members, may accidentally remove them.

With Regards,
The Panda

#9 fagenbecker

fagenbecker
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:11:54 PM

Posted 01 March 2009 - 06:01 PM

Panda:

Here are the logs for ComboFix and Malwarebytes. One question: The written instructions for Malwarebytes said to select Quick Scan, but the graphic had an arrow pointing to Full Scan. I did the Quick Scan. Let me know if I need to run it again.

All of my browsers seem to be working fine now. The hyperlinks all work and all URLs seem to work fine. I read about reinstallation, and I'm concerned that I may need to do it. I used another computer to change my passwords and login info for my banks and credit cards on their sites. I could use my other computer to do all of my banking. I typically use this computer to surf, Facebook, iTunes, games, etc., so I don't know whether to reinstall. I did backup my iTunes folder just in case. I could reinstall all of the other software, if needed, regardless of the hassle.

Thanks so much for all you've done. You are great to have around. Let me know if you think, based on what I've described, that I should reinstall. I don't have discs, so I'm not sure what the process is. Please advise.

Thanks,

Fagenbecker

ComboFix 09-02-28.01 - HP_Owner 2009-03-01 14:48:45.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.489 [GMT -7:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\docume~1\HP_Owner\LOCALS~1\Temp\cdiskdun.sys
c:\windows\system32\drivers\9461b0ff.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CDISKDUN
-------\Service_9461b0ff
-------\Service_cdiskdun


((((((((((((((((((((((((( Files Created from 2009-02-01 to 2009-03-01 )))))))))))))))))))))))))))))))
.

2009-03-01 14:20 . 2009-03-01 14:20 <DIR> d-------- C:\New Folder (4)
2009-03-01 11:45 . 2009-03-01 11:45 250 --a------ c:\windows\gmer.ini
2009-03-01 11:18 . 2009-03-01 11:35 <DIR> d-------- C:\ComboFix123
2009-02-28 16:18 . 2009-02-28 17:19 <DIR> d-------- c:\program files\Video Strip Poker Supreme
2009-02-24 21:27 . 2009-02-24 21:27 <DIR> d--hs---- c:\documents and settings\Dylan\PrivacIE
2009-02-24 21:27 . 2009-02-24 21:27 <DIR> d--hs---- c:\documents and settings\Dylan\IETldCache
2009-02-21 15:40 . 2009-02-21 15:40 <DIR> d--hs---- c:\documents and settings\HP_Owner\IECompatCache
2009-02-21 15:38 . 2009-02-21 15:38 <DIR> d--hs---- c:\documents and settings\HP_Owner\PrivacIE
2009-02-21 15:38 . 2009-02-21 15:38 <DIR> d--hs---- c:\documents and settings\HP_Owner\IETldCache
2009-02-21 15:34 . 2009-02-21 15:34 <DIR> d-------- c:\windows\ie8updates
2009-02-21 15:34 . 2009-02-21 15:34 1,374 --a------ c:\windows\imsins.BAK
2009-02-21 15:32 . 2009-02-21 15:33 <DIR> d--h-c--- c:\windows\ie8
2009-02-21 15:30 . 2009-01-10 22:00 79,360 -----c--- c:\windows\system32\dllcache\iecompat.dll
2009-02-14 23:01 . 2009-02-14 23:01 <DIR> d-------- c:\program files\CCleaner
2009-02-13 16:59 . 2009-03-01 10:50 5,157 --a------ c:\windows\system32\uacinit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-01 05:15 --------- d-----w c:\program files\SUPERAntiSpyware
2009-03-01 05:15 --------- d-----w c:\program files\SpywareBlaster
2009-03-01 05:15 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-01 02:28 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-01 02:26 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-17 23:21 --------- d-----w c:\program files\Opera
2009-02-15 06:40 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-08 22:16 --------- d-----w c:\program files\FLV Player
2009-01-30 21:26 --------- d-----w c:\program files\Common Files\Adobe
2009-01-29 02:47 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-29 02:47 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-29 02:46 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-01-22 03:04 0 -csha-w c:\documents and settings\HP_Owner\Application Data\0000000000e5926225519850219b5868d240ae07bc.dat
2005-04-11 22:45 0 -csha-w c:\windows\SMINST\HPCD.sys
2008-05-30 19:17 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008053020080531\index.dat
.

------- Sigcheck -------

2004-08-04 05:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 17:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe
2009-01-23 07:52 32768 fd4fed5ca14cdc9d4b46bd842e35255e c:\windows\system32\userinit.exe
2008-04-13 17:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-03-01_11.33.42.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 03:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-03-01 18:45:44 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 04:13:02 811,008 ----a-w c:\windows\gmer.exe
+ 2009-03-01 18:45:44 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-07-21 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-28 1601304]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-05-08 180269]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-29 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-29 241664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-28 19:47 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=c:\windows\pss\HP Organize.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM(135)

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-08-09 29808]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-15 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-15 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-15 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-15 298264]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 hpusbwdm;HP DVD Movie Writer dc3000/dc4000;c:\windows\system32\drivers\hpusbwdm.sys [2004-01-05 1080832]
S3 pxark;pxark;c:\windows\system32\drivers\pxark.sys [2008-01-29 10624]
S3 USTOR;U-Storage Controller;c:\windows\system32\drivers\UStork.sys [2005-11-21 20258]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2008-09-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-05-12 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 12:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF
IE: Convert link target to Adobe PDF
IE: Convert link target to existing PDF
IE: Convert selected links to Adobe PDF
IE: Convert selected links to existing PDF
IE: Convert selection to Adobe PDF
IE: Convert selection to existing PDF
IE: Convert to Adobe PDF
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: {E7C9047D-5A19-4C60-8274-5FDF04B851AF} = 208.186.134.101,208.186.134.102
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\k4qix7qn.default\
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/wiki/Main_Page
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\Opera\program\plugins\npdrmv2.dll
FF - plugin: c:\program files\Opera\program\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-01 14:52:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2009-03-01 14:55:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-01 21:55:41
ComboFix2.txt 2009-03-01 18:34:54

Pre-Run: 154,092,003,328 bytes free
Post-Run: 153,989,550,080 bytes free

181 --- E O F --- 2009-02-25 14:28:38

Attached Files


Edited by PropagandaPanda, 01 March 2009 - 06:04 PM.
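The Sigcheck section of the ComboFix log above is what makes userinit.exe suspicious: the live copy in system32 is 32768 bytes with a different MD5, while the dllcache and ServicePackFiles copies agree with each other. The script below is an added example (not ComboFix's own code, and not from anyone in this thread) that parses those four log lines and flags any live system file whose hash does not match a protected reference copy. The line layout the regex assumes (date, time, size, MD5, path) is taken from the lines as they appear in the posted log; the sample text is copied from that log.

```python
"""Flag live system files whose MD5 differs from Windows' own reference copies,
using the 'Sigcheck' section of a ComboFix log as input.

Added example for this thread; the parsing logic is this example's own, not
ComboFix's, and the four sample lines are copied from the log posted above.
"""
import re
from collections import defaultdict

# Assumed Sigcheck line layout: "YYYY-MM-DD HH:MM <size> <md5> <path>"
SIGCHECK_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<md5>[0-9a-f]{32}) (?P<path>.+)$",
    re.IGNORECASE,
)

# Directories holding Windows' protected reference copies of system files.
REFERENCE_DIRS = ("\\dllcache\\", "\\servicepackfiles\\")

# Pre-service-pack backups legitimately differ from the current version.
UNINSTALL_BACKUP_DIR = "\\$ntservicepackuninstall$\\"

# Sample input: the Sigcheck lines from the ComboFix log posted in this thread.
SAMPLE_SIGCHECK = r"""
------- Sigcheck -------

2004-08-04 05:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 17:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe
2009-01-23 07:52 32768 fd4fed5ca14cdc9d4b46bd842e35255e c:\windows\system32\userinit.exe
2008-04-13 17:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\system32\dllcache\userinit.exe
"""


def parse_sigcheck(text):
    """Return (path, size, md5) for every line that matches the Sigcheck layout."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_LINE.match(line.strip())
        if m:
            entries.append((m.group("path"), int(m.group("size")), m.group("md5").lower()))
    return entries


def is_reference_copy(path):
    """True if the path lies in dllcache or ServicePackFiles."""
    low = path.lower()
    return any(d in low for d in REFERENCE_DIRS)


def find_replaced_files(entries):
    """Group entries by file name and report live copies whose MD5 is not among
    the MD5s of the reference copies of the same file."""
    by_name = defaultdict(list)
    for path, size, md5 in entries:
        by_name[path.rsplit("\\", 1)[-1].lower()].append((path, size, md5))

    findings = []
    for name, copies in by_name.items():
        ref_hashes = {md5 for p, _, md5 in copies if is_reference_copy(p)}
        if not ref_hashes:
            continue  # no trusted copy to compare against; cannot judge
        for path, size, md5 in copies:
            if is_reference_copy(path) or UNINSTALL_BACKUP_DIR in path.lower():
                continue
            if md5 not in ref_hashes:
                findings.append({
                    "file": name,
                    "path": path,
                    "size": size,
                    "md5": md5,
                    "reference_md5s": sorted(ref_hashes),
                })
    return findings


if __name__ == "__main__":
    for f in find_replaced_files(parse_sigcheck(SAMPLE_SIGCHECK)):
        print(f"{f['path']}: md5 {f['md5']} (size {f['size']}) "
              f"does not match reference {', '.join(f['reference_md5s'])}")
```

On the posted log this reports exactly one file, c:\windows\system32\userinit.exe, which is why the next step in the thread is to submit that file to an online scanner and then overwrite it with the ServicePackFiles copy. The $NtServicePackUninstall$ copy is skipped on purpose: it is the pre-SP3 version and is expected to differ.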


#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:54 AM

Posted 01 March 2009 - 06:06 PM

Hello.

Quick Scan is fine.

If you have no disks, then we can't perform a reinstall.

Your MBAM log shows "No action taken". This usually occurs if you forget to click "Remove Selected" and instead only clicked "Save Logfile". Please read this thread and rescan again only using the (Quick Scan) in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. After performing the new scan, click the Logs tab and copy/paste the contents of the new report in your next reply.

Submit File to Online Scanner

There is a file that I would like you to check out for me using VirusTotal/VirSCAN
  • Open VirusTotal Online Scanner or VirSCAN. If one site is busy or down, try the other
  • At the top of the page you'll see a box. Paste in the following line(s) (do one line at a time).
  • c:\windows\system32\userinit.exe
  • Click Submit.
  • Wait for the scan to finish.
  • Copy Scanner Results into your next reply.
  • If more than one file was listed, repeat for each of them.

With Regards,
The Panda

#11 fagenbecker

fagenbecker
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:11:54 PM

Posted 01 March 2009 - 07:15 PM

Panda:

Sorry about that. The instructions are a bit dichotomous in that step. I did place three trojans in quarantine, then clicked Remove Items. I guess the log was saved before I did that. Funny, but when I ran Malwarebytes this time, it found two more. I did remove them first, then saved the log.

Anyway, attached is the log and here are the scanner results:

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.01 -
AhnLab-V3 5.0.0.2 2009.02.27 -
AntiVir 7.9.0.98 2009.03.01 TR/Dropper.Gen
Authentium 5.1.0.4 2009.03.01 W32/Zbot.1!Generic
Avast 4.8.1335.0 2009.03.01 -
AVG 8.0.0.237 2009.03.01 -
BitDefender 7.2 2009.03.02 -
CAT-QuickHeal 10.00 2009.02.28 -
ClamAV 0.94.1 2009.03.01 -
Comodo 986 2009.02.20 -
DrWeb 4.44.0.09170 2009.03.02 Trojan.Packed.458
eSafe 7.0.17.0 2009.02.26 -
eTrust-Vet 31.6.6379 2009.03.02 -
F-Prot 4.4.4.56 2009.03.01 W32/Zbot.1!Generic
F-Secure 8.0.14470.0 2009.03.01 Packed.Win32.Krap.h
Fortinet 3.117.0.0 2009.03.02 -
GData 19 2009.03.02 -
Ikarus T3.1.1.45.0 2009.03.01 -
K7AntiVirus 7.10.649 2009.02.27 -
Kaspersky 7.0.0.125 2009.03.02 Packed.Win32.Krap.h
McAfee 5540 2009.03.01 -
McAfee+Artemis 5540 2009.03.01 -
Microsoft 1.4306 2009.03.01 TrojanDownloader:Win32/Obitel.gen!A
NOD32 3899 2009.03.02 -
Norman 6.00.06 2009.02.27 -
nProtect 2009.1.8.0 2009.03.01 -
Panda 10.0.0.10 2009.03.01 -
PCTools 4.4.2.0 2009.03.01 -
Prevx1 V2 2009.03.02 -
Rising 21.18.62.00 2009.03.01 -
SecureWeb-Gateway 6.7.6 2009.03.02 Trojan.Dropper.Gen
Sophos 4.39.0 2009.03.02 -
Sunbelt 3.2.1858.2 2009.02.28 -
Symantec 10 2009.03.02 -
TheHacker 6.3.2.6.268 2009.03.01 -
TrendMicro 8.700.0.1004 2009.03.01 -
VBA32 3.12.10.1 2009.03.01 Trojan-Downloader.Win32.Agent.atzz
ViRobot 2009.2.28.1628 2009.02.28 -
VirusBuster 4.5.11.0 2009.03.01 -
Additional information
File size: 32768 bytes
MD5...: fd4fed5ca14cdc9d4b46bd842e35255e
SHA1..: 39ed7d767709b57745bb718b972834233d3262b6
SHA256: f0841f9ba47c41a05e2f2cc84f5f6b6f069980ab575b978c438aab95bc8e1eb5
SHA512: 0b2288fda351b31da1f2b05672f4d00daf06e5f02ae00aaf1cee66e0fc52b2f7
daff51a82eaee61bff22dc970b824d8b8ef3ebdee4557fde58de22b73e73fb9d
ssdeep: 384:gsMuVF2QU2QEjadGu41xmYf2uxxdQ3eta:TVF+2pOdGT1caBft

PEiD..: -
TrID..: File type identification
Win32 Dynamic Link Library (generic) (55.7%)
Clipper DOS Executable (14.8%)
Generic Win/DOS Executable (14.7%)
DOS Executable Generic (14.6%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x11f5
timedatestamp.....: 0x47c16166 (Sun Feb 24 12:21:58 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xa3b 0x1000 3.27 b8d6152cf3294d8fcb6d66032fa3889d
.xdata 0x2000 0x3be0 0x4000 4.95 58579247c84c0a0d171c34207b9e6cfa
.hdata 0x6000 0xfc8 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.resr 0x7000 0xcc8 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110

( 4 imports )
> advapi32.dll: RegDeleteKeyA, RegQueryValueA, RegOpenKeyA, RegEnumKeyExA, RegReplaceKeyA, RegOpenKeyExA, RegOpenKeyExW, RegQueryInfoKeyA, RegEnumValueW, RegFlushKey, RegGetKeySecurity, RegQueryValueW, RegQueryValueExW, RegEnumValueA, RegLoadKeyA, RegOpenKeyW, RegEnumKeyExW, RegDeleteKeyW, RegEnumKeyA
> comctl32.dll: ImageList_ReplaceIcon, ImageList_DragMove, ImageList_Draw, ImageList_Remove, ImageList_GetIconSize, ImageList_GetImageCount, ImageList_AddIcon, InitCommonControls, ImageList_DragEnter, ImageList_Read, ImageList_Copy, ImageList_LoadImageW, ImageList_Replace, ImageList_DrawEx, ImageList_GetDragImage, ImageList_GetImageInfo, ImageList_GetIcon, ImageList_Create, ImageList_Destroy
> kernel32.dll: lstrcpyA, lstrcpynA, GetStdHandle, GetModuleHandleA, GetStringTypeA, WideCharToMultiByte, GetLastError, SetLastError, HeapFree, GetFileSize, GetCPInfo, GetStringTypeW, GetModuleFileNameA, lstrlenA, FreeLibrary, GetLocalTime, HeapAlloc, CloseHandle, GlobalFree
> user32.dll: CopyIcon, CreateIcon, AppendMenuA, IsMenu, DrawIcon, DrawIconEx, GetCursor, AlignRects, AppendMenuW, DrawTextA, CopyRect, EndDialog, GetWindowTextA, IsWindow, CopyImage, InsertMenuA, GetFocus, CloseWindow, LoadMenuA, GetMenu

( 0 exports )

Thanks,

Fagenbecker

Attached Files



#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:54 AM

Posted 01 March 2009 - 08:28 PM

Hello.

Let's try something else to remove that file.

Please note that there is a slight chance of the machine being unbootable if something goes wrong. If this occurs, we will use the Recovery Console installed by ComboFix to restore any changes.

Download The Avenger and Run Script
Please download The Avenger by Swandog46 to your Desktop.
  • Right click avenger.zip and extract the contents to your desktop
  • Start the Avenger.exe.
  • Copy all the text contained in the quote box below to your Clipboard by highlighting it, right clicking and selecting Copy:
    Files to move:
    c:\windows\ServicePackFiles\i386\userinit.exe | c:\windows\system32\userinit.exe
  • Click Posted Image to paste the script from the clipboard.
  • Click the Execute button
  • Answer Yes twice when prompted.
The process is completely automatic. Do not touch your computer until a log file opens.

The Avenger will do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", the Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt (considering your operating drive is C:). Post back with it in your next reply.
After, run ComboFix by double clicking it and post back that log.

With Regards,
The Panda

#13 fagenbecker

fagenbecker
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:11:54 PM

Posted 01 March 2009 - 09:25 PM

I tried Avenger, but when I clicked on Execute and Yes, I got an error message: "Invalid script. A valid script must begin with a command directive. Aborting execution!"

Please advise.

#14 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:54 AM

Posted 02 March 2009 - 08:25 AM

Hello.

Please make sure the whole script is copied into the box.

I have included an attached copy.

With Regards,
The Panda

#15 fagenbecker

fagenbecker
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:11:54 PM

Posted 02 March 2009 - 10:05 AM

Panda:

I copied the entire script into the box, but the same error message appeared. I'm stumped!



