
Remove Win32 Rootkit Podnuha


This topic is locked
12 replies to this topic

#1 fuelc13 (Members, 6 posts)

Posted 22 February 2009 - 02:04 PM

Computer infested with: Win32 Rootkit. I have applied a variety of free malware/spyware programs without success, using Ad-Aware, ComboFix, HJT, etc. I think I have located the source (or maybe just a symptom), but I believe the registry will need to be changed to complete a fix and I do not possess the experience to confidently make those types of changes. I appreciate any assistance you could provide.

Source/symptom? BHO: {59c5df85-9341-4fec-8ea0-0d4e43eb6c35} - c:\windows\system32\bidispli.dll

Anyway, here is the DDS.txt log:


DDS (Ver_09-02-01.01) - NTFSx86
Run by at 12:39:33.64 on Sun 02/22/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.37 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\aniServ.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Tony Stoecker\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {59c5df85-9341-4fec-8ea0-0d4e43eb6c35} - c:\windows\system32\bidispli.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [RealPlayer] "c:\program files\real\realplayer\realplay.exe" /RunUPGToolCommandReBoot
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] nwiz.exe /installquiet
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
StartupFolder: c:\docume~1\tonyst~1\startm~1\programs\startup\eventr~1.lnk - c:\pmw\PMREMIND.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: marquette.edu
Trusted Zone: marquette.edu\checkmarq
Trusted Zone: marquette.edu\sa
Trusted Zone: marquette.edu\survey
Trusted Zone: marquette.edu\www
Trusted Zone: marquettecard.com
Trusted Zone: mu.edu
Trusted Zone: mu.edu\checkmarq
Trusted Zone: mu.edu\d2l
Trusted Zone: mu.edu\dn
Trusted Zone: mu.edu\sa
Trusted Zone: mu.edu\sp
Trusted Zone: mu.edu\www
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1118675602173
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37985.8798032407
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 islglaol;islglaol;c:\windows\system32\drivers\islglaol.sys [2001-8-18 23424]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-19 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R3 EraserUtilDrv10633;EraserUtilDrv10633;c:\program files\common files\symantec shared\eengine\EraserUtilDrv10633.sys [2006-12-18 102712]
R3 Ich;Ich;c:\windows\system32\drivers\Ich.sys [2002-1-13 65916]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20061217.006\naveng.sys [2006-12-18 80408]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20061217.006\navex15.sys [2006-12-18 833048]
S0 rkesnvlw;rkesnvlw;c:\windows\system32\drivers\xldt.sys --> c:\windows\system32\drivers\xldt.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

=============== Created Last 30 ================

2009-02-22 11:13 136 a---h--- C:\aaw7boot.cmd
2009-02-22 08:30 <DIR> --d----- c:\windows\pss
2009-02-22 07:39 <DIR> a-dshr-- C:\cmdcons
2009-02-22 07:36 161,792 a------- c:\windows\SWREG.exe
2009-02-22 07:36 98,816 a------- c:\windows\sed.exe
2009-02-21 16:48 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-21 16:48 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-21 16:48 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-21 10:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-02-21 10:39 <DIR> --d----- c:\program files\common files\iS3
2009-02-21 10:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-02-21 07:59 142,096 a------- c:\windows\system32\drivers\tmcomm.sys
2009-02-21 07:59 <DIR> --d----- c:\documents and settings\tony stoecker\log
2009-02-21 06:56 15,688 a------- c:\windows\system32\lsdelete.exe
2009-02-19 20:08 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-19 20:01 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-19 20:01 <DIR> --d----- c:\program files\Lavasoft
2009-02-19 18:57 <DIR> --d----- C:\VundoFix Backups
2009-02-18 19:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-18 19:55 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-18 19:55 <DIR> --d----- c:\docume~1\tonyst~1\applic~1\SUPERAntiSpyware.com
2009-02-17 21:00 <DIR> --d----- c:\docume~1\tonyst~1\applic~1\Malwarebytes
2009-02-17 20:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-17 20:53 <DIR> --d----- c:\program files\Trend Micro
2009-02-16 19:00 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-02-16 19:00 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-02-16 18:17 0 a------- c:\docume~1\alluse~1\applic~1\123478687123.dat
2009-02-16 18:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\276812317
2009-02-14 07:35 101,376 a------- c:\windows\system32\bidispli.dll
2009-02-07 09:46 <DIR> --d----- c:\program files\Yahoo!

==================== Find3M ====================

2005-06-15 07:33 28,040 a------- c:\docume~1\tonyst~1\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 12:41:39.62 ===============


#2 miekiemoes, Malware Killer Dog (Malware Response Team, 19,420 posts, Belgium)

Posted 23 February 2009 - 06:31 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 fuelc13, Topic Starter (Members, 6 posts)

Posted 23 February 2009 - 08:05 PM

Hello miekiemoes,

Thank you very much. Here is the combofix log.

ComboFix 09-02-21.01 - 2009-02-23 18:21:04.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.89 [GMT -6:00]
Running from: c:\documents and settings\Tony Stoecker\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated)
.

((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))
.

2009-02-21 16:48 . 2009-02-21 16:48 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-21 16:48 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-21 16:48 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-21 10:43 . 2009-02-21 13:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard
2009-02-21 10:39 . 2009-02-21 10:39 <DIR> d-------- c:\program files\Common Files\iS3
2009-02-21 10:38 . 2009-02-21 13:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-02-21 07:59 . 2009-02-21 07:59 <DIR> d-------- c:\documents and settings\Tony Stoecker\log
2009-02-21 07:59 . 2009-02-21 07:59 142,096 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-02-21 06:56 . 2009-02-19 20:08 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-19 20:08 . 2009-02-19 20:08 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-02-19 20:08 . 2009-02-19 20:07 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-19 20:01 . 2009-02-19 20:01 <DIR> d-------- c:\program files\Lavasoft
2009-02-19 20:01 . 2009-02-19 20:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-19 20:01 . 2009-02-19 20:02 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-19 19:42 . 2009-02-19 19:42 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Lavasoft
2009-02-19 19:38 . 2009-02-19 19:38 <DIR> d-------- c:\documents and settings\Administrator
2009-02-19 18:57 . 2009-02-19 18:57 <DIR> d-------- C:\VundoFix Backups
2009-02-18 19:56 . 2009-02-18 19:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-18 19:55 . 2009-02-23 18:09 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-18 19:55 . 2009-02-23 18:09 <DIR> d-------- c:\documents and settings\Tony Stoecker\Application Data\SUPERAntiSpyware.com
2009-02-17 21:00 . 2009-02-17 21:00 <DIR> d-------- c:\documents and settings\Tony Stoecker\Application Data\Malwarebytes
2009-02-17 20:59 . 2009-02-17 20:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-17 20:53 . 2009-02-17 20:53 <DIR> d-------- c:\program files\Trend Micro
2009-02-16 19:00 . 2009-02-16 19:00 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-02-16 19:00 . 2009-02-16 19:00 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-02-16 18:17 . 2009-02-16 18:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\276812317
2009-02-16 18:17 . 2009-02-16 18:17 0 --a------ c:\documents and settings\All Users\Application Data\123478687123.dat
2009-02-14 07:35 . 2008-04-13 18:11 101,376 --a------ c:\windows\system32\bidispli.dll
2009-02-07 09:48 . 2009-02-07 09:48 <DIR> d-------- c:\documents and settings\Tony Stoecker\Application Data\Yahoo!
2009-02-07 09:48 . 2009-02-07 11:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-02-07 09:46 . 2009-02-07 09:48 <DIR> d-------- c:\program files\Yahoo!
2009-02-07 09:46 . 2009-02-07 09:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 00:17 --------- d-----w c:\program files\Symantec AntiVirus
2009-02-24 00:10 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-24 00:02 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-24 00:02 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-22 13:31 --------- d-----w c:\documents and settings\Tony Stoecker\Application Data\MSN6
2009-02-21 20:28 --------- d-----w c:\program files\Google
2009-02-20 01:52 --------- d-----w c:\documents and settings\Tony Stoecker\Application Data\Lavasoft
2005-06-15 13:33 28,040 ----a-w c:\documents and settings\Tony Stoecker\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-02-22_ 7.48.15.63 )))))))))))))))))))))))))))))))))))))))))
.
+ 2003-08-26 00:06:50 115,808 ----a-w c:\windows\system32\iuctl.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59C5DF85-9341-4FEC-8EA0-0D4E43EB6C35}]
2008-04-13 18:11 101376 --a------ c:\windows\system32\bidispli.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-17 68856]
"RealPlayer"="c:\program files\Real\RealPlayer\realplay.exe" [2006-05-30 1003520]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-04 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-06-24 4800512]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-08-15 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-08-15 618496]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-05 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2001-08-23 331830]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 28738]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-06-14 278528]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-12-24 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-09 282624]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-19 509784]
"nwiz"="nwiz.exe" [2003-06-24 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2005-03-31 263824]

c:\documents and settings\Tony Stoecker\Start Menu\Programs\Startup\
Event Reminder.lnk - c:\pmw\PMREMIND.EXE [1997-10-20 255408]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2004-01-04 136192]
Exif Launcher.lnk - c:\program files\FinePixViewer\QuickDCF.exe [2002-01-09 200704]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 24633]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\mstsc.exe"=
"\\\\its-piso\\psoft\\sa\\bin\\client\\winx86\\pside.exe"=
"\\\\its-piso\\psoft\\sa\\bin\\client\\winx86\\psdbgsrv.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R0 islglaol;islglaol;c:\windows\system32\drivers\islglaol.sys [2001-08-18 23424]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-19 64160]
R2 ANISERVICE;Airgo Networks NIC Service;c:\windows\system32\aniServ.exe [2004-08-11 143360]
R3 Ich;Ich;c:\windows\system32\drivers\Ich.sys [2002-01-13 65916]
S0 rkesnvlw;rkesnvlw;c:\windows\system32\drivers\xldt.sys --> c:\windows\system32\drivers\xldt.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
S2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-04-17 124608]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrv10633
*Deregistered* - SASENUM
.
Contents of the 'Scheduled Tasks' folder

2009-02-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-19 20:07]

2009-02-23 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-03-31 16:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: marquette.edu
Trusted Zone: marquette.edu\checkmarq
Trusted Zone: marquette.edu\sa
Trusted Zone: marquette.edu\survey
Trusted Zone: marquette.edu\www
Trusted Zone: marquettecard.com
Trusted Zone: mu.edu
Trusted Zone: mu.edu\checkmarq
Trusted Zone: mu.edu\d2l
Trusted Zone: mu.edu\dn
Trusted Zone: mu.edu\sa
Trusted Zone: mu.edu\sp
Trusted Zone: mu.edu\www
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 18:25:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-02-23 18:31:04
ComboFix-quarantined-files.txt 2009-02-24 00:30:53
ComboFix2.txt 2009-02-23 23:45:19

Pre-Run: 19,689,369,600 bytes free
Post-Run: 19,676,295,168 bytes free

166 --- E O F --- 2009-02-12 15:07:18

#4 miekiemoes, Malware Killer Dog (Malware Response Team, 19,420 posts, Belgium)

Posted 23 February 2009 - 08:33 PM

Hi,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\windows\system32\drivers\islglaol.sys
c:\windows\system32\bidispli.dll
c:\documents and settings\All Users\Application Data\123478687123.dat
Folder::
C:\VundoFix Backups
Dirlook::
c:\documents and settings\All Users\Application Data\276812317
Driver::
rkesnvlw
islglaol
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59C5DF85-9341-4FEC-8EA0-0D4E43EB6C35}]


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript.txt onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
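The DDS log in post #1 and the CFScript in post #4 are the two halves of one workflow: read the log, pick out the entries that do not belong, and hand ComboFix a script that removes them. The block below is an added example (not a BleepingComputer, DDS or ComboFix tool, and not code from anyone in this thread) that reproduces the mechanical part of that triage over a constructed excerpt of the log above. It cross-references the "BHO:" lines against the "Created Last 30" section, flags boot-start drivers whose file is missing or whose service name does not match the file name, and picks out the all-digit marker file and directory under All Users\Application Data, then renders the result in the CFScript layout shown in post #4. The section names (File::, Dirlook::, Driver::, Registry::) and the `HKEY_LOCAL_MACHINE\~\Browser Helper Objects` shorthand are copied from post #4 as written there; that ComboFix accepts them exactly so is assumed from the thread, not verified against the tool. The function names, regexes and `Findings` class are this example's own.

```python
"""Triage a DDS-style log and draft a ComboFix CFScript from the findings.

Added example modelled on the DDS log and CFScript posted in this thread.
The sample log is a constructed excerpt of the DDS output above; the
heuristics encode only the mechanical part of the helper's judgement.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the DDS log from post #1 (a few lines from each section).
SAMPLE_DDS = r"""
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {59c5df85-9341-4fec-8ea0-0d4e43eb6c35} - c:\windows\system32\bidispli.dll
R0 islglaol;islglaol;c:\windows\system32\drivers\islglaol.sys [2001-8-18 23424]
S0 rkesnvlw;rkesnvlw;c:\windows\system32\drivers\xldt.sys --> c:\windows\system32\drivers\xldt.sys [?]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
2009-02-16 18:17 0 a------- c:\docume~1\alluse~1\applic~1\123478687123.dat
2009-02-16 18:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\276812317
2009-02-14 07:35 101,376 a------- c:\windows\system32\bidispli.dll
"""

# "BHO: <optional name>: {CLSID} - <dll path>"
BHO_RE = re.compile(r"^BHO: (.*?)\{([0-9A-Fa-f-]{36})\} - (.+)$")
# "<R|S><start> <service>;<display>;<path>[ --> <path>] [<date size>|?]"
DRV_RE = re.compile(r"^([RS])(\d) ([^;]+);([^;]*);(.+?)(?: --> (.+?))? \[(.+)\]$")
# "<date> <time> <size|<DIR>> <8 attribute flags> <path>"  (Created Last 30 section)
NEW_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (<DIR>|[\d,]+) (\S{8}) (.+)$")


def basename(path):
    """Last path component, lower-cased (DDS mixes 8.3 and long names)."""
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


@dataclass
class Findings:
    files: list = field(default_factory=list)     # File:: entries
    dirlook: list = field(default_factory=list)   # Dirlook:: entries
    drivers: list = field(default_factory=list)   # Driver:: entries (service names)
    registry: list = field(default_factory=list)  # Registry:: entries
    reasons: dict = field(default_factory=dict)   # item -> why it was flagged


def parse(log_text):
    """Pull BHO, driver and recently-created records out of DDS output."""
    bhos, drivers, created = [], [], []
    for line in log_text.splitlines():
        m = BHO_RE.match(line)
        if m:
            name = m.group(1).strip().rstrip(":").strip()
            bhos.append((name, m.group(2), m.group(3).strip()))
            continue
        m = DRV_RE.match(line)
        if m:
            # DDS prints "--> path [?]" when it cannot find the driver file on disk
            drivers.append((int(m.group(2)), m.group(3), m.group(5), m.group(7) == "?"))
            continue
        m = NEW_RE.match(line)
        if m:
            created.append((m.group(3), m.group(5).strip()))
    return bhos, drivers, created


def triage(log_text):
    """Apply the mechanical triage heuristics and collect CFScript candidates."""
    bhos, drivers, created = parse(log_text)
    recent = {basename(p) for size, p in created if size != "<DIR>"}
    f = Findings()
    for name, clsid, path in bhos:
        # A BHO whose DLL first appeared in the last 30 days is the strongest
        # signal in the log; a missing display name adds to it.  Spybot's
        # SDHelper.dll is also unnamed but not recent, so it is left alone.
        if basename(path) in recent:
            why = "BHO DLL created in the last 30 days"
            if not name:
                why += "; no display name"
            f.files.append(path)
            f.registry.append(r"[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{%s}]" % clsid.upper())
            f.reasons[path] = why
    for start, svc, path, missing in drivers:
        stem = basename(path).rsplit(".", 1)[0]
        why = []
        if missing:
            why.append("file not found on disk")
        if stem != svc.lower():
            why.append("service name differs from file name %s" % basename(path))
        # Only boot-start (R0/S0) drivers are removed this way; an S3 leftover
        # such as vsdatant.sys is inert and was left alone in the thread.
        if start == 0 and why:
            f.drivers.append(svc)
            f.reasons[svc] = "boot-start driver: " + ", ".join(why)
    for size, path in created:
        stem = basename(path).rsplit(".", 1)[0]
        if not stem.isdigit():
            continue
        # All-digit names: the zero-byte marker file goes to File::, the
        # directory to Dirlook:: (listed for inspection, not deleted).
        if size == "<DIR>":
            f.dirlook.append(path)
        elif size == "0":
            f.files.append(path)
    return f


def build_cfscript(f):
    """Render findings in the CFScript layout from post #4: 'Section::' then one item per line."""
    out = []
    for header, items in (("File::", f.files), ("Dirlook::", f.dirlook),
                          ("Driver::", f.drivers), ("Registry::", f.registry)):
        if items:
            out.append(header)
            out.extend(items)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_DDS)
    for item, why in found.reasons.items():
        print("%-60s %s" % (item, why))
    print(build_cfscript(found))
```

On the sample excerpt the script produces the same File::, Dirlook::, Driver:: and Registry:: lines that miekiemoes wrote for bidispli.dll, the 123478687123.dat marker, the 276812317 directory and the rkesnvlw driver. What it does not reproduce is the judgement call on islglaol.sys (present on disk, name and file match, dated 2001) and the Folder:: cleanup of VundoFix Backups; those came from the helper's experience, which is why a log like this still goes to a human before anything is deleted.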

#5 fuelc13, Topic Starter (Members, 6 posts)

Posted 23 February 2009 - 10:01 PM

I have rerun ComboFix using the CFScript file. Here is the new logfile:

ComboFix 09-02-21.01 - Jeanine 2009-02-23 20:28:59.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.109 [GMT -6:00]
Running from: c:\documents and settings\Tony Stoecker\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tony Stoecker\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated)
.

((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))
.

2009-02-23 20:26 . 2009-02-23 20:27 <DIR> d-------- C:\32788R22FWJFW
2009-02-21 16:48 . 2009-02-21 16:48 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-21 16:48 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-21 16:48 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-21 10:43 . 2009-02-21 13:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard
2009-02-21 10:39 . 2009-02-21 10:39 <DIR> d-------- c:\program files\Common Files\iS3
2009-02-21 10:38 . 2009-02-21 13:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-02-21 07:59 . 2009-02-21 07:59 <DIR> d-------- c:\documents and settings\Tony Stoecker\log
2009-02-21 07:59 . 2009-02-21 07:59 142,096 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-02-21 06:56 . 2009-02-19 20:08 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-19 20:08 . 2009-02-19 20:08 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-02-19 20:08 . 2009-02-19 20:07 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-19 20:01 . 2009-02-19 20:01 <DIR> d-------- c:\program files\Lavasoft
2009-02-19 20:01 . 2009-02-19 20:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-19 20:01 . 2009-02-19 20:02 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-19 19:42 . 2009-02-19 19:42 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Lavasoft
2009-02-19 19:38 . 2009-02-19 19:38 <DIR> d-------- c:\documents and settings\Administrator
2009-02-19 18:57 . 2009-02-19 18:57 <DIR> d-------- C:\VundoFix Backups
2009-02-18 19:56 . 2009-02-18 19:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-18 19:55 . 2009-02-23 18:09 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-18 19:55 . 2009-02-23 18:09 <DIR> d-------- c:\documents and settings\Tony Stoecker\Application Data\SUPERAntiSpyware.com
2009-02-17 21:00 . 2009-02-17 21:00 <DIR> d-------- c:\documents and settings\Tony Stoecker\Application Data\Malwarebytes
2009-02-17 20:59 . 2009-02-17 20:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-17 20:53 . 2009-02-17 20:53 <DIR> d-------- c:\program files\Trend Micro
2009-02-16 19:00 . 2009-02-16 19:00 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-02-16 19:00 . 2009-02-16 19:00 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-02-16 18:17 . 2009-02-16 18:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\276812317
2009-02-16 18:17 . 2009-02-16 18:17 0 --a------ c:\documents and settings\All Users\Application Data\123478687123.dat
2009-02-14 07:35 . 2008-04-13 18:11 101,376 --a------ c:\windows\system32\bidispli.dll
2009-02-07 09:48 . 2009-02-07 09:48 <DIR> d-------- c:\documents and settings\Tony Stoecker\Application Data\Yahoo!
2009-02-07 09:48 . 2009-02-07 11:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-02-07 09:46 . 2009-02-07 09:48 <DIR> d-------- c:\program files\Yahoo!
2009-02-07 09:46 . 2009-02-07 09:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 02:25 --------- d-----w c:\program files\Symantec AntiVirus
2009-02-24 00:10 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-24 00:02 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-24 00:02 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-22 13:31 --------- d-----w c:\documents and settings\Tony Stoecker\Application Data\MSN6
2009-02-21 20:28 --------- d-----w c:\program files\Google
2009-02-20 01:52 --------- d-----w c:\documents and settings\Tony Stoecker\Application Data\Lavasoft
2005-06-15 13:33 28,040 ----a-w c:\documents and settings\Tony Stoecker\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-02-22_ 7.48.15.63 )))))))))))))))))))))))))))))))))))))))))
.
+ 2003-08-26 00:06:50 115,808 ----a-w c:\windows\system32\iuctl.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59C5DF85-9341-4FEC-8EA0-0D4E43EB6C35}]
2008-04-13 18:11 101376 --a------ c:\windows\system32\bidispli.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-17 68856]
"RealPlayer"="c:\program files\Real\RealPlayer\realplay.exe" [2006-05-30 1003520]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-04 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-06-24 4800512]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-08-15 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-08-15 618496]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-05 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2001-08-23 331830]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 28738]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-06-14 278528]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-12-24 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-09 282624]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-19 509784]
"nwiz"="nwiz.exe" [2003-06-24 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2005-03-31 263824]

c:\documents and settings\Tony Stoecker\Start Menu\Programs\Startup\
Event Reminder.lnk - c:\pmw\PMREMIND.EXE [1997-10-20 255408]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2004-01-04 136192]
Exif Launcher.lnk - c:\program files\FinePixViewer\QuickDCF.exe [2002-01-09 200704]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 24633]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\mstsc.exe"=
"\\\\its-piso\\psoft\\sa\\bin\\client\\winx86\\pside.exe"=
"\\\\its-piso\\psoft\\sa\\bin\\client\\winx86\\psdbgsrv.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R0 islglaol;islglaol;c:\windows\system32\drivers\islglaol.sys [2001-08-18 23424]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-19 64160]
R2 ANISERVICE;Airgo Networks NIC Service;c:\windows\system32\aniServ.exe [2004-08-11 143360]
R3 Ich;Ich;c:\windows\system32\drivers\Ich.sys [2002-01-13 65916]
S0 rkesnvlw;rkesnvlw;c:\windows\system32\drivers\xldt.sys --> c:\windows\system32\drivers\xldt.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
S2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-04-17 124608]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrv10633
.
Contents of the 'Scheduled Tasks' folder

2009-02-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-19 20:07]

2009-02-23 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-03-31 16:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: marquette.edu
Trusted Zone: marquette.edu\checkmarq
Trusted Zone: marquette.edu\sa
Trusted Zone: marquette.edu\survey
Trusted Zone: marquette.edu\www
Trusted Zone: marquettecard.com
Trusted Zone: mu.edu
Trusted Zone: mu.edu\checkmarq
Trusted Zone: mu.edu\d2l
Trusted Zone: mu.edu\dn
Trusted Zone: mu.edu\sa
Trusted Zone: mu.edu\sp
Trusted Zone: mu.edu\www
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 20:33:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-23 20:39:37
ComboFix-quarantined-files.txt 2009-02-24 02:39:27
ComboFix2.txt 2009-02-24 01:04:06
ComboFix3.txt 2009-02-23 23:45:19

Pre-Run: 19,685,429,248 bytes free
Post-Run: 19,674,267,648 bytes free

164 --- E O F --- 2009-02-12 15:07:18

#6 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 24 February 2009 - 05:08 AM

Hi,

I think you did something wrong with the cfscript file. Did you use notepad to create it?

Please try again and make sure it contains this txt:

File::
c:\windows\system32\drivers\islglaol.sys
c:\windows\system32\bidispli.dll
c:\documents and settings\All Users\Application Data\123478687123.dat
Folder::
C:\VundoFix Backups
Dirlook::
c:\documents and settings\All Users\Application Data\276812317
Driver::
rkesnvlw
islglaol
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59C5DF85-9341-4FEC-8EA0-0D4E43EB6C35}]


Also, disable Adwatch during its run.

Edited by miekiemoes, 24 February 2009 - 05:09 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
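The log posted above and the CFScript miekiemoes wrote by hand in the reply carry the indicators a responder checks first in a thread like this: a Browser Helper Object registered under a CLSID with its DLL path, a service entry whose image file no longer exists (the `--> path [?]` form), boot-start kernel drivers, Security Center monitoring switched off for the AV product, and the Windows Firewall disabled in the standard profile. The Python script below is an added example, not part of the original thread and not a ComboFix feature: it parses an excerpt copied from that log, flags those indicators, and drafts the File::, Driver:: and Registry:: sections in the CFScript syntax used in the reply. The severity labels, the "boot-start driver" review heuristic and the draft logic are my own assumptions; note that the draft only covers what the heuristics can justify, so the islglaol.sys entry that the helper removed by judgement is listed for review rather than deletion, and re-enabling the firewall is left as a manual step.

```python
import re
from dataclasses import dataclass

# Excerpt of the ComboFix log posted earlier in this thread (copied from the
# page, not a live capture); the parser runs over it offline.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59C5DF85-9341-4FEC-8EA0-0D4E43EB6C35}]
2008-04-13 18:11 101376 --a------ c:\windows\system32\bidispli.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 islglaol;islglaol;c:\windows\system32\drivers\islglaol.sys [2001-08-18 23424]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-19 64160]
R3 Ich;Ich;c:\windows\system32\drivers\Ich.sys [2002-01-13 65916]
S0 rkesnvlw;rkesnvlw;c:\windows\system32\drivers\xldt.sys --> c:\windows\system32\drivers\xldt.sys [?]
"""

# ComboFix service lines look like "R0 name;display;image [date size]".
# First letter: R = running, S = stopped. Digit: SCM start type (0 boot,
# 1 system, 2 auto, 3 demand, 4 disabled). "--> image [?]" = image file missing.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.*?)(?:\s+-->\s+(?P<target>.*?))?\s+\[(?P<meta>[^\]]*)\]$"
)
KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")          # "[HKEY_...\Key]" header line
PATH_RE = re.compile(r"[a-zA-Z]:\\\S.*$")          # first drive-letter path on a line


@dataclass
class Finding:
    severity: str          # "high" (act on it) or "review" (needs a human look)
    kind: str
    detail: str
    name: str = ""         # service name (Driver::) or registry key (Registry::)
    path: str = ""         # on-disk file (File::)


def triage(log_text: str) -> list[Finding]:
    """Walk the loading-points / services part of a ComboFix log and flag the
    indicators a responder checks first. Heuristics are this example's own."""
    findings: list[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:                                  # remember which key the next values belong to
            current_key = m.group("key")
            continue
        m = SERVICE_RE.match(line)
        if m:
            d = m.groupdict()
            if d["meta"] == "?":               # orphan service: registry entry, no file on disk
                findings.append(Finding("high", "service image missing",
                                        f"{d['name']} points at {d['image']} which is not on disk",
                                        name=d["name"], path=d["image"]))
            elif d["start"] == "0":            # boot-start kernel driver: where rootkits hide
                findings.append(Finding("review", "boot-start driver",
                                        f"{d['name']} loads at boot from {d['image']}; verify the file",
                                        name=d["name"], path=d["image"]))
            continue
        low_key = current_key.lower()
        if "browser helper objects\\{" in low_key:
            pm = PATH_RE.search(line)          # the value line under a BHO key is its DLL
            if pm:
                findings.append(Finding("high", "BHO registered",
                                        f"IE loads {pm.group(0)} into every browser process",
                                        name=current_key, path=pm.group(0)))
        elif "security center\\monitoring\\" in low_key and \
                line.lower().startswith('"disablemonitoring"=dword:00000001'):
            product = current_key.rsplit("\\", 1)[-1]
            findings.append(Finding("review", "Security Center monitoring disabled",
                                    f"{product}: AV products set this themselves, malware does too",
                                    name=current_key))
        elif "firewallpolicy\\standardprofile" in low_key and \
                re.match(r'^"enablefirewall"=\s*0\b', line.lower()):
            findings.append(Finding("high", "Windows Firewall disabled",
                                    "standardprofile EnableFirewall is 0", name=current_key))
    return findings


def draft_cfscript(findings: list[Finding]) -> str:
    """Turn high-severity findings into CFScript sections in the syntax used in
    this thread (File::, Driver::, Registry::). Review items are deliberately
    left out; a person decides whether they go in."""
    files, drivers, keys = [], [], []
    for f in findings:
        if f.severity != "high":
            continue
        if f.kind == "service image missing":
            drivers.append(f.name)             # Driver:: removes the orphan service entry
        elif f.kind == "BHO registered":
            files.append(f.path)               # File:: deletes the DLL
            keys.append(f"[-{f.name}]")        # leading '-' deletes the key (REGEDIT4 syntax)
    out = []
    for header, items in (("File::", files), ("Driver::", drivers), ("Registry::", keys)):
        if items:
            out.append(header)
            out.extend(items)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity}] {f.kind}: {f.detail}")
    print("\n--- CFScript draft (review before use) ---")
    print(draft_cfscript(found), end="")
```

Run it as-is and the draft comes out with the same bidispli.dll, rkesnvlw and BHO key entries the reply's hand-written script contains; islglaol and Lbd show up as review items, which is the right outcome, since Lbd.sys belongs to the Ad-Aware install visible in the same log and only the thread's helper could tell the two apart.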

#7 fuelc13 (Topic Starter, Members, 6 posts)

Posted 24 February 2009 - 07:41 AM

Hello,

I did use notepad to create the file.

One thing I did notice; after dragging the cfscript file onto the combofix icon, an error message appeared briefly stating that combofix.exe could not be renamed. The error message stayed up briefly, then disappeared shortly after the combofix run prep window came up.

I will try again later today; if the same message comes up, I will let you know in my next post. Thank you.

#8 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 24 February 2009 - 07:47 AM

Maybe, just maybe it's because there's a space in your username.
If you're still having the same problem, try it from another user account if present, or the administrator account (from Windows safe mode).
In that case, make sure the Combofix.exe is present on the other users (or administrators) desktop.

Edited by miekiemoes, 24 February 2009 - 07:50 AM.


#9 fuelc13 (Topic Starter, Members, 6 posts)

Posted 24 February 2009 - 10:21 PM

Hello,

I was able to successfully run combofix as administrator. The logfile is attached.

Also, combofix kept telling me it determined Symantec antivirus real time scan was running even though I shut down all components using services.msc. Is this something out of the ordinary? After spending quite some time trying to find another component of symantec running, I gave up and just ran combofix anyway.

Thank You

ComboFix 09-02-21.01 - Administrator 2009-02-24 20:37:04.5 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.158 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated)

FILE ::
c:\documents and settings\All Users\Application Data\123478687123.dat
c:\windows\system32\bidispli.dll
c:\windows\system32\drivers\islglaol.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\123478687123.dat
C:\VundoFix Backups
c:\windows\system32\bidispli.dll
c:\windows\system32\drivers\islglaol.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ISLGLAOL
-------\Service_islglaol
-------\Service_rkesnvlw


((((((((((((((((((((((((( Files Created from 2009-01-25 to 2009-02-25 )))))))))))))))))))))))))))))))
.

2009-02-21 16:48 . 2009-02-21 16:48 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-21 16:48 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-21 16:48 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-21 10:43 . 2009-02-21 13:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard
2009-02-21 10:39 . 2009-02-21 10:39 <DIR> d-------- c:\program files\Common Files\iS3
2009-02-21 07:59 . 2009-02-21 07:59 <DIR> d-------- c:\documents and settings\Tony Stoecker\log
2009-02-21 07:59 . 2009-02-21 07:59 142,096 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-02-21 06:56 . 2009-02-19 20:08 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-19 20:08 . 2009-02-19 20:08 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-02-19 20:08 . 2009-02-19 20:07 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-19 20:01 . 2009-02-19 20:01 <DIR> d-------- c:\program files\Lavasoft
2009-02-19 20:01 . 2009-02-19 20:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-19 20:01 . 2009-02-19 20:02 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-19 19:42 . 2009-02-19 19:42 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Lavasoft
2009-02-19 19:38 . 2009-02-19 19:38 <DIR> d-------- c:\documents and settings\Administrator
2009-02-18 19:56 . 2009-02-18 19:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-18 19:55 . 2009-02-23 18:09 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-18 19:55 . 2009-02-23 18:09 <DIR> d-------- c:\documents and settings\Tony Stoecker\Application Data\SUPERAntiSpyware.com
2009-02-17 21:00 . 2009-02-17 21:00 <DIR> d-------- c:\documents and settings\Tony Stoecker\Application Data\Malwarebytes
2009-02-17 20:59 . 2009-02-17 20:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-17 20:53 . 2009-02-17 20:53 <DIR> d-------- c:\program files\Trend Micro
2009-02-16 19:00 . 2009-02-16 19:00 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-02-16 19:00 . 2009-02-16 19:00 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-02-16 18:17 . 2009-02-16 18:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\276812317
2009-02-07 09:48 . 2009-02-07 09:48 <DIR> d-------- c:\documents and settings\Tony Stoecker\Application Data\Yahoo!
2009-02-07 09:48 . 2009-02-07 11:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-02-07 09:46 . 2009-02-07 09:48 <DIR> d-------- c:\program files\Yahoo!
2009-02-07 09:46 . 2009-02-07 09:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 22:06 --------- d-----w c:\program files\Symantec AntiVirus
2009-02-24 00:10 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-24 00:02 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-24 00:02 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-22 13:31 --------- d-----w c:\documents and settings\Tony Stoecker\Application Data\MSN6
2009-02-21 20:28 --------- d-----w c:\program files\Google
2009-02-20 01:52 --------- d-----w c:\documents and settings\Tony Stoecker\Application Data\Lavasoft
2005-06-15 13:33 28,040 ----a-w c:\documents and settings\Tony Stoecker\Application Data\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\documents and settings\All Users\Application Data\276812317 ----

2009-02-18 04:14 0 --a------ c:\documents and settings\All Users\Application Data\276812317\config.udb
2009-02-16 18:17 241 --a------ c:\documents and settings\All Users\Application Data\276812317\init.udb
2009-02-16 18:17 2198560 --a------ c:\documents and settings\All Users\Application Data\276812317\2136818729.exe
2009-02-16 18:17 12930 --a------ c:\documents and settings\All Users\Application Data\276812317\Langs.udb


((((((((((((((((((((((((((((( SnapShot@2009-02-22_ 7.48.15.63 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 02:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2003-08-26 00:06:50 115,808 ----a-w c:\windows\system32\iuctl.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-17 68856]
"RealPlayer"="c:\program files\Real\RealPlayer\realplay.exe" [2006-05-30 1003520]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-04 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-06-24 4800512]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-08-15 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-08-15 618496]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-05 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2001-08-23 331830]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 28738]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-06-14 278528]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-12-24 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-09 282624]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-19 509784]
"nwiz"="nwiz.exe" [2003-06-24 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2005-03-31 263824]

c:\documents and settings\Tony Stoecker\Start Menu\Programs\Startup\
Event Reminder.lnk - c:\pmw\PMREMIND.EXE [1997-10-20 255408]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2004-01-04 136192]
Exif Launcher.lnk - c:\program files\FinePixViewer\QuickDCF.exe [2002-01-09 200704]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 24633]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\mstsc.exe"=
"\\\\its-piso\\psoft\\sa\\bin\\client\\winx86\\pside.exe"=
"\\\\its-piso\\psoft\\sa\\bin\\client\\winx86\\psdbgsrv.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-19 64160]
R2 ANISERVICE;Airgo Networks NIC Service;c:\windows\system32\aniServ.exe [2004-08-11 143360]
R3 Ich;Ich;c:\windows\system32\drivers\Ich.sys [2002-01-13 65916]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ISLGLAOL
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - EPSONStatusAgent2
*Deregistered* - EraserUtilDrv10633
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - iPodService
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - Lavasoft Ad-Aware Service
*Deregistered* - LmHosts
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - NVSvc
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - UMWdf
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
.
Contents of the 'Scheduled Tasks' folder

2009-02-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-19 20:07]

2009-02-23 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-03-31 16:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: marquette.edu
Trusted Zone: marquette.edu\checkmarq
Trusted Zone: marquette.edu\sa
Trusted Zone: marquette.edu\survey
Trusted Zone: marquette.edu\www
Trusted Zone: marquettecard.com
Trusted Zone: mu.edu
Trusted Zone: mu.edu\checkmarq
Trusted Zone: mu.edu\d2l
Trusted Zone: mu.edu\dn
Trusted Zone: mu.edu\sa
Trusted Zone: mu.edu\sp
Trusted Zone: mu.edu\www
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-24 20:44:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\AAWService.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\ntvdm.exe
c:\program files\Symantec AntiVirus\DoScan.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-02-24 21:00:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-25 02:59:56
ComboFix2.txt 2009-02-24 03:12:42
ComboFix3.txt 2009-02-24 01:04:06
ComboFix4.txt 2009-02-23 23:45:19

Pre-Run: 19,657,711,616 bytes free
Post-Run: 19,578,359,808 bytes free

240 --- E O F --- 2009-02-12 15:07:18

#10 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 25 February 2009 - 05:02 AM

Hi,

Also, combofix kept telling me it determined Symantec antivirus real time scan was running even though I shut down all components using services.msc. Is this something out of the ordinary? After spending quite some time trying to find another component of symantec running

Yes, that may happen. Don't worry about it, though.
By the way, your Symantec is outdated, so is this because it's a trial? If so, then I suggest you uninstall Symantec and install another Antivirus instead. Look in my signature below under Antivirus for the ones I recommend.

Just one leftover to delete, so navigate to and delete the following folder:

c:\documents and settings\All Users\Application Data\276812317

The rest looks OK again and I see the malware is gone.

* Go to start > run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.

#11 fuelc13 (Topic Starter, Members, 6 posts)

Posted 25 February 2009 - 09:55 AM

Hello miekiemoes,

Everything is running great and no sign of malware.

Regarding the outdated antivirus, it is not a trial version. The computer is a company laptop inherited from a former employee. Unfortunately, the organization that owns it is very small and has no IT experience/training, and they do not fully understand that the cost of keeping their security current outweighs the potential cost of infection. Anyway, I am not confident they will renew their subscription to Norton, so I want to delete the symantec software and install one of the software packages you have listed.

Thank you for all your help and advice. I will post again if anything changes in the next few days.

#12 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 25 February 2009 - 09:57 AM

Glad I could help.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#13 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 01 March 2009 - 12:48 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.