
Win32.Banker.FS Trojan.SpyAgent.DA


12 replies to this topic

#1 AP85

AP85

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:54 AM

Posted 23 February 2009 - 11:56 AM

Hi there,

I am getting pop-up notifications from a red circle with a white cross in the centre at the bottom right of the screen saying : "Warning! Spyware files Win32.Banker.FS Trojan.SpyAgent.DA and other detected on your computer!. It's highly recommended to scan the system immediately to remove all spyware ad adware programmes", and other messages such as, "Your computer is in danger! Windows Security Center has detected spyware/adware infection. It is recommended to use special antispyware tools to prevent data loss". My desktop wallpaper has also been replaced by some red, blue, green and yellow squares, and task manager is disabled.

My DDS log is attached below, thank you for your help!


DDS (Ver_09-02-01.01) - NTFSx86
Run by Alyn Phillips at 16:35:46.05 on 23/02/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.512.62 [GMT 0:00]

AV: PCguard Anti-Virus *On-access scanning enabled* (Updated)
FW: PCguard Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\wdmon.exe
C:\WINDOWS\vlc.exe
C:\WINDOWS\svx.exe
C:\WINDOWS\runsql.exe
C:\WINDOWS\svzip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
svchost.exe "C:\WINDOWS\system32\alf2cdl.exe"
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\odb.exe
C:\Documents and Settings\Alyn Phillips\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [UpdateWin] c:\windows\system32\alf2cdl.exe
uRunServices: [UpdateWin] c:\windows\system32\alf2cdl.exe
mRun: [USRpdA] c:\windows\system32\usrmlnka.exe runservices \device\3cpipe-USRpdA
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_03\bin\jusched.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Broadbandadvisor.exe] "c:\program files\virgin broadband\advisor\Broadbandadvisor.exe" /AUTORUN
mRun: [PCguard] "c:\program files\virgin broadband\pcguard\Rps.exe"
mRun: [-FreedomNeedsReboot] "c:\program files\virgin broadband\pcguard\ZkRunOnceR.exe"
mRun: [Dhaqadunu] rundll32.exe "c:\windows\Rhohukijaduxox.dll",e
mRun: [odb] c:\windows\odb.exe
mRun: [UpdateWin] c:\windows\system32\alf2cdl.exe
mRun: [wdmon] c:\windows\wdmon.exe
mRun: [vlc] c:\windows\vlc.exe
mRun: [netx] c:\windows\svx.exe
mRun: [netc] c:\windows\svc.exe
mRun: [runsql] c:\windows\runsql.exe
mRun: [netzip] c:\windows\svzip.exe
mRun: [net64] c:\windows\svhoster.exe
mRun: [brastk] brastk.exe
mRun: [Olahamoqixa] rundll32.exe "c:\windows\acofexem.dll",e
mRunServices: [UpdateWin] c:\windows\system32\alf2cdl.exe
dRun: [userinit] c:\windows\system32\ntos.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164795533705
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} - hxxp://messenger.zone.msn.com/binary/Chess.cab57176.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
AppInit_DLLs: karna.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: characterizing: {b292ec9f-a074-4115-8342-1f459702d8d2} - c:\windows\system32\fyxkaah.dll
STS: IPC Configuration Utility - No File
STS: Windows Installer Class: {020487cc-fc04-4b1e-863f-d9801796230b} - c:\docume~1\alynph~1\locals~1\temp\wndutl32.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alynph~1\applic~1\mozilla\firefox\profiles\871pb05i.default\
FF - HiddenExtension: XUL Cache: {A48E39A4-0BEB-45F5-AFA9-E43B59509F6D} - c:\documents and settings\alyn phillips\local settings\application data\{a48e39a4-0beb-45f5-afa9-e43b59509f6d}\

============= SERVICES / DRIVERS ===============

R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2007-2-26 33824]
R2 AtiBt829;ATI WDM Bt829 Video (Microsoft);c:\windows\system32\drivers\ati1btxx.sys [2004-8-4 56623]
R2 TTDec;ATI WDM Teletext Decoder (Microsoft);c:\windows\system32\drivers\ati1ttxx.sys [2004-8-4 21343]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2006-11-29 9344]
S3 Radialpoint Security Services;Virgin Broadband PCguard;c:\windows\system32\dllhost.exe [2002-8-29 5120]

=============== Created Last 30 ================

2009-02-23 15:51 135,168 a------- c:\windows\acofexem.dll
2009-02-23 13:07 9,728 a------- c:\windows\system32\brastk.exe
2009-02-22 19:05 9,728 a------- c:\windows\brastk.exe
2009-02-22 19:05 6,144 a------- c:\windows\system32\karna.dat
2009-02-22 19:05 6,144 a------- c:\windows\karna.dat
2009-02-22 11:42 282,112 a------- c:\windows\svzip.exe
2009-02-22 11:41 282,112 a------- c:\windows\runsql.exe
2009-02-22 11:41 234,496 a------- c:\windows\svx.exe
2009-02-22 11:41 233,984 a------- c:\windows\svw.exe
2009-02-22 11:41 233,984 a------- c:\windows\vlc.exe
2009-02-22 11:41 233,472 a------- c:\windows\wdmon.exe
2009-02-22 11:39 109 a--sh--- c:\windows\system32\2628955390.dat
2009-02-22 11:39 40,960 ---shr-- c:\windows\system32\alf2cdl.exe
2009-02-22 11:39 233,984 a------- c:\windows\odb.exe
2009-02-22 11:39 <DIR> --dsh--- c:\windows\system32\wsnpoem
2009-02-22 11:39 39,936 a------- c:\windows\Rhohukijaduxox.dll

==================== Find3M ====================

2008-12-20 23:15 826,368 a------- c:\windows\system32\wininet.dll
2008-11-25 19:54 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-25 17:31 97,826 a------- c:\windows\system32\wini10736.exe

============= FINISH: 16:37:26.14 ===============
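Added example, not part of the thread and not DDS's own code: a small triage script that re-reads a subset of the Pseudo HJT Report lines from the log above and flags the persistence points a helper checks first (a non-stock Userinit entry, AppInit_DLLs, policies that disable Task Manager and Registry Editor, and autorun targets that sit directly in c:\windows or carry no path). The heuristics, function names and the EXPECTED_USERINIT constant are this example's own assumptions.

```python
"""Triage of a DDS "Pseudo HJT Report" (added example, not DDS's own code).

Re-reads a handful of report lines from the log above and flags the
persistence points a helper checks first: non-stock Userinit executables,
AppInit_DLLs, policies that disable Task Manager / Registry Editor, and
autorun targets that sit directly in c:\\windows or carry no path at all.
All heuristics here are this example's own assumptions.
"""
import re
from typing import List, Tuple

# Constructed input: a subset of the Pseudo HJT Report lines posted above.
SAMPLE_REPORT = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [UpdateWin] c:\windows\system32\alf2cdl.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_03\bin\jusched.exe
mRun: [Dhaqadunu] rundll32.exe "c:\windows\Rhohukijaduxox.dll",e
mRun: [odb] c:\windows\odb.exe
mRun: [brastk] brastk.exe
dRun: [userinit] c:\windows\system32\ntos.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: DisableRegistryTools = 1 (0x1)
AppInit_DLLs: karna.dat
"""

# Assumption: the only value Winlogon\Userinit should carry on a stock XP box.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
RUN_TAGS = ("uRun:", "mRun:", "dRun:", "uRunServices:", "mRunServices:")
LOCKOUT_POLICIES = ("DisableTaskMgr", "DisableRegistryTools")

Finding = Tuple[str, str]  # (what was flagged, the report line it came from)


def autorun_target(command: str) -> str:
    """Return the file an autorun command actually loads.

    rundll32.exe "c:\\path\\x.dll",entry  -> c:\\path\\x.dll
    "c:\\path\\prog.exe" /args             -> c:\\path\\prog.exe
    c:\\path\\prog.exe                     -> c:\\path\\prog.exe
    """
    m = re.match(r'rundll32(?:\.exe)?\s+"?([^",]+)', command, re.IGNORECASE)
    if m:
        return m.group(1).strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def suspicious_location(path: str) -> str:
    """Describe why a target's location is unusual; '' if it looks normal."""
    p = path.lower()
    if "\\" not in p:
        return "autorun target has no path (resolved by PATH search)"
    if p.rpartition("\\")[0] == "c:\\windows":
        return "autorun target sits directly in c:\\windows"
    return ""


def triage(report: str) -> List[Finding]:
    """Apply the heuristics to a report and return every finding."""
    findings: List[Finding] = []
    extra_userinit: List[str] = []        # basenames of non-stock Userinit entries
    autoruns: List[Tuple[str, str]] = []  # (target, report line)

    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        tag, _, value = line.partition(" ")
        value = value.strip()
        if tag == "mWinlogon:" and value.lower().startswith("userinit="):
            for entry in value[len("userinit="):].split(","):
                entry = entry.strip()
                if entry and entry.lower() != EXPECTED_USERINIT:
                    extra_userinit.append(entry.lower().rpartition("\\")[2])
                    findings.append(("non-stock Userinit executable: " + entry, line))
        elif tag == "AppInit_DLLs:" and value:
            findings.append(("AppInit_DLLs loads into every user32 process: " + value, line))
        elif tag in ("uPolicies-system:", "mPolicies-system:"):
            name, _, setting = value.partition("=")
            if name.strip() in LOCKOUT_POLICIES and setting.strip().startswith("1"):
                findings.append(("admin tool disabled by policy: " + name.strip(), line))
        elif tag in RUN_TAGS:
            _, _, command = value.partition("] ")  # value looks like "[name] command"
            autoruns.append((autorun_target(command.strip()), line))

    # Second pass: autoruns are judged by location, and any autorun that
    # re-launches a non-stock Userinit executable is flagged even from a
    # normal-looking folder (the dRun: ntos.exe entry above).
    for target, line in autoruns:
        reason = suspicious_location(target)
        if not reason and target.lower().rpartition("\\")[2] in extra_userinit:
            reason = "autorun re-launches a non-stock Userinit executable"
        if reason:
            findings.append((reason + ": " + target, line))
    return findings


if __name__ == "__main__":
    for what, source in triage(SAMPLE_REPORT):
        print(f"{what}\n    <- {source}")
```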



#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:12:54 PM

Posted 24 February 2009 - 01:09 PM

Hello AP85 and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please read this tutorial carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbup2:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 AP85

AP85
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:54 AM

Posted 25 February 2009 - 07:05 AM

GooredFix v1.91 by jpshortstuff
Log created at 12:01 on 25/02/2009 running Option #2 (Alyn Phillips)
Firefox version 2.0.0.20 (en-GB)

=====Goored Deletions=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 2.0.0.20\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 2.0.0.20\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{A48E39A4-0BEB-45F5-AFA9-E43B59509F6D}"="C:\Documents and Settings\Alyn Phillips\Local Settings\Application Data\{A48E39A4-0BEB-45F5-AFA9-E43B59509F6D}"

#4 AP85

AP85
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:54 AM

Posted 25 February 2009 - 07:30 AM

Hi Thunder, thank you for helping me. I am having a problem with combofix however. I download it as instructed, with firewalls etc. turned off, but when I double click the icon to run it, and then click 'run' when told the programme cannot be verified, nothing happens.

#5 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:12:54 PM

Posted 25 February 2009 - 02:15 PM

Hello AP85,

In that case :

Delete your current copy of ComboFix,
then download Combofix again to your desktop. You must however rename it before saving it.


Now reboot your system and start in safe mode :
Restart your computer and tap F8 before WinXP starts to load and choose Safe Mode with Networking.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode with Networking option and press Enter.

Now run the renamed ComboFix

Greetings,
Thunder

#6 AP85

AP85
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:54 AM

Posted 03 March 2009 - 06:02 PM

ComboFix 09-03-02.03 - Alyn Phillips 2009-03-03 22:28:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.512.224 [GMT 0:00]
Running from: c:\documents and settings\Alyn Phillips\Desktop\Combo-Fix.exe
AV: PCguard Anti-Virus *On-access scanning disabled* (Updated)
FW: PCguard Firewall *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Alyn Phillips\Application Data\~tmp.html
c:\documents and settings\Alyn Phillips\Application Data\urlredir.cfg
c:\documents and settings\Alyn Phillips\Favorites\Online Security Test.url
c:\program files\Microsoft Security Adviser
c:\program files\Microsoft Security Adviser\msavsc.exe
c:\program files\Microsoft Security Adviser\msctrl.exe
c:\program files\Microsoft Security Adviser\msctrl.log
c:\program files\Microsoft Security Adviser\msfw.exe
c:\program files\Microsoft Security Adviser\msiemon.exe
c:\program files\Microsoft Security Adviser\mssadv.exe
c:\program files\Microsoft Security Adviser\mssadv.log
c:\program files\Microsoft Security Adviser\mssadv_sp.log
c:\program files\Microsoft Security Adviser\msscan.exe
c:\program files\Mozilla Firefox\msavsc.dll
c:\program files\Mozilla Firefox\msctrl.dll
c:\program files\Mozilla Firefox\msfw.dll
c:\program files\Mozilla Firefox\msiemon.dll
c:\program files\Mozilla Firefox\mssadv.dll
c:\program files\Mozilla Firefox\msscan.dll
c:\windows\brastk.exe
c:\windows\karna.dat
c:\windows\odb.exe
c:\windows\Rhohukijaduxox.dll
c:\windows\runsql.exe
c:\windows\svw.exe
c:\windows\svx.exe
c:\windows\svzip.exe
c:\windows\system32\brastk.exe
c:\windows\system32\dllcache\beep.sys
c:\windows\system32\karna.dat
c:\windows\system32\wini10736.exe
c:\windows\system32\wsnpoem
c:\windows\system32\wsnpoem\audio.dll
c:\windows\system32\wsnpoem\video.dll
c:\windows\vlc.exe
c:\windows\wdmon.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OREANS32
-------\Service_oreans32


((((((((((((((((((((((((( Files Created from 2009-02-03 to 2009-03-03 )))))))))))))))))))))))))))))))
.

2009-02-23 15:51 . 2009-02-23 15:51 135,168 --a------ c:\windows\acofexem.dll
2009-02-22 11:39 . 2009-02-22 11:39 40,960 -r-hs---- c:\windows\system32\alf2cdl.exe
2009-02-22 11:39 . 2009-02-22 11:42 109 --ahs---- c:\windows\system32\2628955390.dat
2009-02-11 13:23 . 2009-02-11 13:29 <DIR> d-------- c:\program files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-22 13:32 --------- d-----w c:\program files\Common Files\Scanner
2009-01-08 00:35 --------- d-----w c:\program files\DivX
2008-12-19 17:57 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 17:57 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 17:57 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 17:57 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 17:57 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-11-26 10:39 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008112620081127\index.dat
.

------- Sigcheck -------

2006-04-20 11:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$hf_mig$\KB917953\SP2GDR\tcpip.sys
2006-04-20 12:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 16:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 10:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 11:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 11:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 10:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-04 06:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB917953$\tcpip.sys
2002-08-29 12:00 332928 244a2f9816bc9b593957281ef577d976 c:\windows\$NtUninstallKB917953_0$\tcpip.sys
2006-04-20 11:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys
2008-04-13 19:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2007-10-30 17:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
2008-04-13 19:20 361344 accf5a9a1ffaa490f33dba1c632b95e1 c:\windows\ServicePackFiles\i386\tcpip.sys
2008-06-20 11:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\dllcache\tcpip.sys
2008-06-20 11:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USRpdA"="c:\windows\SYSTEM32\USRmlnkA.exe" [2002-08-29 77891]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 36975]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-08-07 2061552]
"PCguard"="c:\program files\Virgin Broadband\PCguard\Rps.exe" [2007-09-05 310000]
"-FreedomNeedsReboot"="c:\program files\Virgin Broadband\PCguard\ZkRunOnceR.exe" [2007-09-05 13552]
"Olahamoqixa"="c:\windows\acofexem.dll" [2009-02-23 135168]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
UpdateWin REG_SZ c:\windows\system32\alf2cdl.exe

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

R2 AtiBt829;ATI WDM Bt829 Video (Microsoft);c:\windows\system32\drivers\ati1btxx.sys [2004-08-04 56623]
R2 TTDec;ATI WDM Teletext Decoder (Microsoft);c:\windows\system32\drivers\ati1ttxx.sys [2004-08-04 21343]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2006-11-29 9344]
S3 Radialpoint Security Services;Virgin Broadband PCguard;c:\windows\system32\dllhost.exe [2002-08-29 5120]
.
Contents of the 'Scheduled Tasks' folder

2009-02-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 14:42]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-odb - c:\windows\odb.exe
SharedTaskScheduler-IPC Configuration Utility - (no file)
MSConfigStartUp-NeroFilterCheck - c:\windows\system32\NeroCheck.exe
MSConfigStartUp-RoxioAudioCentral - c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
MSConfigStartUp-RoxioDragToDisc - c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
MSConfigStartUp-AtiPTA - atiptaxx.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Alyn Phillips\Application Data\Mozilla\Firefox\Profiles\871pb05i.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-03 22:35:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Virgin Broadband\PCguard\Fws.exe
c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe
c:\program files\CA\PPRT\bin\ITMRTSVC.exe
c:\program files\Raxco\PerfectDisk\PDAgent.exe
c:\program files\Java\jre1.5.0_03\bin\jucheck.exe
c:\windows\system32\usrshuta.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Raxco\PerfectDisk\PDEngine.exe
c:\program files\Virgin Broadband\PCguard\rpsupdaterR.exe
.
**************************************************************************
.
Completion time: 2009-03-03 22:42:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-03 22:42:47

Pre-Run: 26,191,601,664 bytes free
Post-Run: 26,100,752,384 bytes free

186 --- E O F --- 2009-02-25 20:03:42

#7 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:12:54 PM

Posted 04 March 2009 - 05:06 PM

Hello AP85,

Let's clean up some more :

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty notepad window:
Collect::
c:\windows\acofexem.dll
c:\windows\system32\alf2cdl.exe
File::
c:\windows\system32\2628955390.dat
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Olahamoqixa"=-
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\UpdateWin]

Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again. Upon reboot, (in case it asks to reboot), post the contents of the Combofix log in your next reply, as well as a fresh DDS log.

Additionally, ComboFix will generate a zipped file, similar to C:\Qoobox\Quarantine\[9]Submit@Date_Time.zip.
Please go to http://www.bleepingcomputer.com/submit-malware.php?channel=9
Then:
1. In the first window (Link to topic where this file was requested:) copy and paste this link: http://www.bleepingcomputer.com/forums/topic=202813
2. In the second window (Browse to the file you want to submit:) browse to the C:\Qoobox\Quarantine\[9]Submit@Date_Time.zip file
3. Click the Send file button :thumbup2:
Your JavaVM is also out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 12.
  • Scroll down to where it says The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Check the box that says: Accept License Agreement
  • The page will refresh.
  • Click on the link to download Windows Offline Installation (jre-6u12-windows-i586-p.exe) and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.
Still having problems ?

Greetings,
Thunder
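Added example, not part of the thread and not ComboFix's own code: a parser that reads the CFScript posted above and lists the actions it encodes, rejecting malformed entries (relative paths, unknown hives, a value line with no preceding key) before the file is handed to ComboFix. It understands only the three section headers used on this page (Collect::, File::, Registry::); the action names and the hive list are this example's own assumptions, and Registry:: lines are read with the usual .reg conventions ("Name"=- deletes a value, [-Key] deletes a key).

```python
"""Parse and sanity-check a ComboFix CFScript (added example, not ComboFix code).

Understands only the three section headers used in the script above
(Collect::, File::, Registry::). The action names and the hive list are this
example's own assumptions; Registry:: entries follow .reg conventions.
"""
import re
from typing import List, Optional, Tuple

# Constructed input: the CFScript posted above, verbatim.
CFSCRIPT = r"""Collect::
c:\windows\acofexem.dll
c:\windows\system32\alf2cdl.exe
File::
c:\windows\system32\2628955390.dat
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Olahamoqixa"=-
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\UpdateWin]
"""

SECTIONS = ("Collect::", "File::", "Registry::")
HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_USERS",
         "HKEY_CLASSES_ROOT", "HKLM", "HKCU", "HKU", "HKCR")
ABS_PATH = re.compile(r"^[a-z]:\\", re.IGNORECASE)
REG_VALUE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')

Action = Tuple[str, str, str]  # (action, target, detail)


def _check_hive(key: str, lineno: int) -> None:
    if key.split("\\", 1)[0].upper() not in HIVES:
        raise ValueError(f"line {lineno}: key does not start with a known hive: {key!r}")


def parse_cfscript(text: str) -> List[Action]:
    """Return the actions a CFScript encodes, in order; raise on malformed input."""
    actions: List[Action] = []
    section: Optional[str] = None
    current_key: Optional[str] = None  # key opened by the last [..] line in Registry::

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section, current_key = line, None
            continue
        if line.endswith("::"):
            raise ValueError(f"line {lineno}: unknown section header {line!r}")
        if section is None:
            raise ValueError(f"line {lineno}: entry before any section header")

        if section in ("Collect::", "File::"):
            # One absolute path per line. The thread's second ComboFix log shows
            # the Collect:: files zipped for submission and deleted, and the
            # File:: entry simply deleted.
            if not ABS_PATH.match(line):
                raise ValueError(f"line {lineno}: path is not absolute: {line!r}")
            actions.append(("collect" if section == "Collect::" else "delete-file", line, ""))
            continue

        # Registry:: section, .reg-style syntax
        if line.startswith("[-") and line.endswith("]"):
            key = line[2:-1]
            _check_hive(key, lineno)
            actions.append(("delete-key", key, ""))
            current_key = None
        elif line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            _check_hive(current_key, lineno)
        else:
            m = REG_VALUE.match(line)
            if m is None:
                raise ValueError(f"line {lineno}: unrecognised registry entry {line!r}")
            if current_key is None:
                raise ValueError(f"line {lineno}: value entry before any [key] line")
            name, value = m.group(1), m.group(2).strip()
            if value == "-":
                actions.append(("delete-value", current_key, name))
            else:
                actions.append(("set-value", current_key, f"{name}={value}"))
    return actions


if __name__ == "__main__":
    for action, target, detail in parse_cfscript(CFSCRIPT):
        print(f"{action:13} {target}" + (f"  ({detail})" if detail else ""))
```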

#8 AP85

AP85
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:54 AM

Posted 11 March 2009 - 10:24 AM

ComboFix 09-03-10.03 - Alyn Phillips 2009-03-11 15:11:38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.512.263 [GMT 0:00]
Running from: c:\documents and settings\Alyn Phillips\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Alyn Phillips\Desktop\CFScript.txt
AV: PCguard Anti-Virus *On-access scanning disabled* (Updated)
FW: PCguard Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\2628955390.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\acofexem.dll
c:\windows\system32\2628955390.dat
c:\windows\system32\alf2cdl.exe

.
((((((((((((((((((((((((( Files Created from 2009-02-11 to 2009-03-11 )))))))))))))))))))))))))))))))
.

2009-03-11 14:57 . 2009-03-11 14:57 <DIR> d-------- c:\windows\LastGood
2009-02-11 13:23 . 2009-02-11 13:29 <DIR> d-------- c:\program files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-22 13:32 --------- d-----w c:\program files\Common Files\Scanner
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-12-19 17:57 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 17:57 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 17:57 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 17:57 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 17:57 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-11-26 10:39 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008112620081127\index.dat
.

------- Sigcheck -------

2006-04-20 11:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$hf_mig$\KB917953\SP2GDR\tcpip.sys
2006-04-20 12:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 16:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 10:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 11:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 11:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 10:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-04 06:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB917953$\tcpip.sys
2002-08-29 12:00 332928 244a2f9816bc9b593957281ef577d976 c:\windows\$NtUninstallKB917953_0$\tcpip.sys
2006-04-20 11:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys
2008-04-13 19:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2007-10-30 17:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
2008-04-13 19:20 361344 accf5a9a1ffaa490f33dba1c632b95e1 c:\windows\ServicePackFiles\i386\tcpip.sys
2008-06-20 11:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\dllcache\tcpip.sys
2008-06-20 11:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-03-03_22.37.18.69 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USRpdA"="c:\windows\SYSTEM32\USRmlnkA.exe" [2002-08-29 77891]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 36975]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-08-07 2061552]
"PCguard"="c:\program files\Virgin Broadband\PCguard\Rps.exe" [2007-09-05 310000]
"-FreedomNeedsReboot"="c:\program files\Virgin Broadband\PCguard\ZkRunOnceR.exe" [2007-09-05 13552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
UpdateWin REG_SZ c:\windows\system32\alf2cdl.exe

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

R2 AtiBt829;ATI WDM Bt829 Video (Microsoft);c:\windows\system32\drivers\ati1btxx.sys [2004-08-04 56623]
R2 TTDec;ATI WDM Teletext Decoder (Microsoft);c:\windows\system32\drivers\ati1ttxx.sys [2004-08-04 21343]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2006-11-29 9344]
S3 Radialpoint Security Services;Virgin Broadband PCguard;c:\windows\system32\dllhost.exe [2002-08-29 5120]
.
Contents of the 'Scheduled Tasks' folder

2009-03-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 14:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Alyn Phillips\Application Data\Mozilla\Firefox\Profiles\871pb05i.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-11 15:14:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-11 15:17:17
ComboFix-quarantined-files.txt 2009-03-11 15:17:03
ComboFix2.txt 2009-03-03 22:42:56

Pre-Run: 26,201,169,920 bytes free
Post-Run: 26,195,251,200 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

138 --- E O F --- 2009-02-25 20:03:42

#9 AP85 (Topic Starter)

Posted 11 March 2009 - 10:25 AM

DDS (Ver_09-02-01.01) - NTFSx86
Run by Alyn Phillips at 15:21:15.34 on 11/03/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.512.220 [GMT 0:00]

AV: PCguard Anti-Virus *On-access scanning disabled* (Updated)
FW: PCguard Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Alyn Phillips\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [USRpdA] c:\windows\system32\usrmlnka.exe runservices \device\3cpipe-USRpdA
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_03\bin\jusched.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Broadbandadvisor.exe] "c:\program files\virgin broadband\advisor\Broadbandadvisor.exe" /AUTORUN
mRun: [PCguard] "c:\program files\virgin broadband\pcguard\Rps.exe"
mRun: [-FreedomNeedsReboot] "c:\program files\virgin broadband\pcguard\ZkRunOnceR.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164795533705
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} - hxxp://messenger.zone.msn.com/binary/Chess.cab57176.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alynph~1\applic~1\mozilla\firefox\profiles\871pb05i.default\
FF - HiddenExtension: XUL Cache: {A48E39A4-0BEB-45F5-AFA9-E43B59509F6D} - c:\documents and settings\alyn phillips\local settings\application data\{A48E39A4-0BEB-45F5-AFA9-E43B59509F6D}

============= SERVICES / DRIVERS ===============

R2 AtiBt829;ATI WDM Bt829 Video (Microsoft);c:\windows\system32\drivers\ati1btxx.sys [2004-8-4 56623]
R2 TTDec;ATI WDM Teletext Decoder (Microsoft);c:\windows\system32\drivers\ati1ttxx.sys [2004-8-4 21343]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2006-11-29 9344]
S3 Radialpoint Security Services;Virgin Broadband PCguard;c:\windows\system32\dllhost.exe [2002-8-29 5120]

=============== Created Last 30 ================

2009-03-11 15:10 <DIR> a-dshr-- C:\cmdcons
2009-03-03 22:26 161,792 a------- c:\windows\SWREG.exe
2009-03-03 22:26 98,816 a------- c:\windows\sed.exe

==================== Find3M ====================

2008-12-20 23:15 826,368 a------- c:\windows\system32\wininet.dll
2008-11-26 10:39 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008112620081127\index.dat

============= FINISH: 15:21:40.44 ===============

Attached Files
  • DDS.txt (5.66KB)

#10 AP85 (Topic Starter)

Posted 11 March 2009 - 10:50 AM

Hi Thunder, my computer is running far more smoothly now. I have submitted the zipped ComboFix log to the link you gave me and updated Java. Thank you very much for your help!

#11 Thunder (Belgium)

Posted 12 March 2009 - 05:09 PM

Hello AP85,

That log does look better, but I still see an FF problem.

Can you run GooredFix one more time and back it up with a fresh DDS run, please?

Greetings,
Thunder

#12 AP85 (Topic Starter)

Posted 13 March 2009 - 10:13 AM

GooredFix v1.91 by jpshortstuff
Log created at 15:05 on 13/03/2009 running Option #2 (Alyn Phillips)
Firefox version 2.0.0.20 (en-GB)
(Subsequent Run)

=====Goored Deletions=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 2.0.0.20\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 2.0.0.20\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

DDS (Ver_09-02-01.01) - NTFSx86
Run by Alyn Phillips at 15:08:31.80 on 13/03/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.512.183 [GMT 0:00]

AV: PCguard Anti-Virus *On-access scanning enabled* (Updated)
FW: PCguard Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Alyn Phillips\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [USRpdA] c:\windows\system32\usrmlnka.exe runservices \device\3cpipe-USRpdA
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Broadbandadvisor.exe] "c:\program files\virgin broadband\advisor\Broadbandadvisor.exe" /AUTORUN
mRun: [PCguard] "c:\program files\virgin broadband\pcguard\Rps.exe"
mRun: [-FreedomNeedsReboot] "c:\program files\virgin broadband\pcguard\ZkRunOnceR.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164795533705
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} - hxxp://messenger.zone.msn.com/binary/Chess.cab57176.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alynph~1\applic~1\mozilla\firefox\profiles\871pb05i.default\
FF - HiddenExtension: XUL Cache: {A48E39A4-0BEB-45F5-AFA9-E43B59509F6D} - c:\documents and settings\alyn phillips\local settings\application data\{A48E39A4-0BEB-45F5-AFA9-E43B59509F6D}

============= SERVICES / DRIVERS ===============

R2 AtiBt829;ATI WDM Bt829 Video (Microsoft);c:\windows\system32\drivers\ati1btxx.sys [2004-8-4 56623]
R2 TTDec;ATI WDM Teletext Decoder (Microsoft);c:\windows\system32\drivers\ati1ttxx.sys [2004-8-4 21343]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2006-11-29 9344]
S3 Radialpoint Security Services;Virgin Broadband PCguard;c:\windows\system32\dllhost.exe [2002-8-29 5120]

=============== Created Last 30 ================

2009-03-11 15:45 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-11 15:45 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-11 15:10 <DIR> a-dshr-- C:\cmdcons
2009-03-03 22:26 161,792 a------- c:\windows\SWREG.exe
2009-03-03 22:26 98,816 a------- c:\windows\sed.exe

==================== Find3M ====================

2009-02-09 11:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-12-20 23:15 826,368 a------- c:\windows\system32\wininet.dll
2008-11-26 10:39 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008112620081127\index.dat

============= FINISH: 15:09:55.65 ===============


[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{A48E39A4-0BEB-45F5-AFA9-E43B59509F6D}"="C:\Documents and Settings\Alyn Phillips\Local Settings\Application Data\{A48E39A4-0BEB-45F5-AFA9-E43B59509F6D}"
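
The ComboFix "Reg Loading Points" dump earlier in the thread and the GooredFix "Dumping Registry Values" dump in this post share the same REGEDIT4-style layout, so one script can triage both. The following is an added example, not part of this thread and not code from ComboFix, DDS or GooredFix: it parses that layout and flags the four weakened settings visible in these logs, namely Security Center alerts switched off, the Windows Firewall standard profile disabled, an executable registered under the LSA key, and a Firefox extension registered machine-wide from a GUID-named folder under the user's Local Settings\Application Data. The indicator rules are this example's own heuristics, and the sample dump is an excerpt copied from the logs above. Third-party security suites can legitimately set some of the Security Center override values, so each hit is a lead to verify on the machine, not a verdict.

```python
"""Triage a ComboFix / GooredFix-style registry dump for weakened settings.

Added example for this thread, not code from ComboFix, DDS or GooredFix; the
indicator rules are hand-written heuristics (assumptions), and SAMPLE_DUMP is
an excerpt copied from the logs posted in the thread.
"""
import re

# Constructed sample input: lines from the ComboFix "Reg Loading Points" dump
# and the GooredFix "Dumping Registry Values" dump posted above.
SAMPLE_DUMP = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCguard"="c:\program files\Virgin Broadband\PCguard\Rps.exe" [2007-09-05 310000]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
UpdateWin REG_SZ c:\windows\system32\alf2cdl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"
"{A48E39A4-0BEB-45F5-AFA9-E43B59509F6D}"="C:\Documents and Settings\Alyn Phillips\Local Settings\Application Data\{A48E39A4-0BEB-45F5-AFA9-E43B59509F6D}"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="data" | "name"=dword:00000001 | "name"= 0 (0x0)   (REGEDIT4 / ComboFix)
QUOTED_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
# name REG_SZ data   (ComboFix prints some keys in reg.exe style)
TYPED_RE = re.compile(r"^(?P<name>\S+)\s+REG_(?:MULTI_|EXPAND_)?SZ\s+(?P<data>.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
# XP SP2 Security Center values that, set to 1, silence its AV/firewall/update alerts.
SECURITY_CENTER_FLAGS = ("AntiVirusDisableNotify", "UpdatesDisableNotify",
                         "AntiVirusOverride", "FirewallOverride")


def parse_dump(text):
    """Return {key (lower-cased): {value name: raw data string}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            keys.setdefault(current, {})
            continue
        m = QUOTED_RE.match(line) or TYPED_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data").strip()
    return keys


def as_int(data):
    """Read dword:00000001 or ComboFix's '1 (0x1)' form; None if not numeric."""
    m = re.match(r"dword:([0-9a-fA-F]+)$|(\d+)\s*\(0x[0-9a-fA-F]+\)$", data)
    return None if not m else int(m.group(1), 16) if m.group(1) else int(m.group(2))


def as_path(data):
    """Strip surrounding quotes and ComboFix's trailing '[date size]' note."""
    m = re.match(r'"([^"]*)"', data)
    return (m.group(1) if m else data.split(" [", 1)[0]).strip()


def triage(text):
    """Return (indicator, detail) pairs; each is a lead to verify, not a verdict."""
    findings = []
    for key, values in parse_dump(text).items():
        if key.endswith("\\security center"):
            for name in SECURITY_CENTER_FLAGS:
                if as_int(values.get(name, "")) == 1:
                    findings.append(("security_center_suppressed", name))
        elif key.endswith("\\firewallpolicy\\standardprofile"):
            if as_int(values.get("EnableFirewall", "")) == 0:
                findings.append(("firewall_disabled", "EnableFirewall=0"))
            if as_int(values.get("DisableNotifications", "")) == 1:
                findings.append(("firewall_alerts_suppressed", "DisableNotifications=1"))
        elif key.endswith("\\control\\lsa"):
            # Lsa holds package lists, not programs; ComboFix omits defaults, so any .exe here is odd.
            for name, data in values.items():
                if as_path(data).lower().endswith(".exe"):
                    findings.append(("lsa_executable", f"{name} -> {as_path(data)}"))
        elif key.endswith("\\mozilla\\firefox\\extensions"):
            # Machine-wide registration of a GUID-named extension kept in one user's profile: GooredFix's target.
            for name, data in values.items():
                path = as_path(data)
                if GUID_RE.match(name) and "\\local settings\\application data\\" in path.lower():
                    findings.append(("ff_hidden_extension", f"{name} -> {path}"))
    return findings


if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_DUMP):
        print(f"{indicator:28} {detail}")
```

Run as-is it prints eight findings for the excerpt: the LSA executable, the four Security Center suppressions, the two firewall settings, and the GUID-named Firefox extension. Because ComboFix states that it omits "legit default entries", the mere presence of these Security Center values in its dump is already worth attention; the script only makes that reading explicit. Note that a clean run after GooredFix should drop the `ff_hidden_extension` line while `jqs@sun.com`, which points into Program Files, stays unflagged.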


#13 Thunder (Belgium)

Posted 14 March 2009 - 08:27 AM

Hello AP85,

It looks like your current copy of GooredFix has a problem removing that last malware entry.

Please remove your current copy from your desktop, then redownload and run the latest version. That should do the trick.

Greetings,
Thunder