
Win32.Banker,FS,Trojan,Spyagent,DA (XP)


This topic is locked. 19 replies to this topic.

#1 Roland60

  • Members
  • 12 posts

Posted 23 February 2009 - 02:51 PM

Hello,

I was receiving following messages:

WARNING! Spyware files: Win32,Banker,FS,Trojan,Spyagent,DA and other detected on your computer! It's highly recommended to scan your system immediately to remove all spyware and adware programs.

SYSTEM CRASHED
CRITICAL ERROR! System halted as a result of the critical kernal error. Windows has detected spyware on your PC. It is recommended to remove spyware immediately to prevent your data and files from deleting.

Desktop background went to red, blue, yellow and green blocks


I began running spybot and detected Win32Agent.pz

A message came up saying spybot needed to reboot. I left the room for a moment and when I returned the computer was off.

When I attempted to re-start the machine would make it to the windows screen then start booting all over again.

I attempted to run SmitfraudFix in safe mode logged in as administrator and when I reach the point to clean the registry the machine turns off immediately. (Sometimes I get a brief message to the effect that only the administrator can change registry settings.)

Also ran SUPERAntiSpyware in normal mode.

Overall the system is more stable and I am no longer getting pop-up warnings, but the desktop background is still jacked and the machine still turns off if I attempt to run SmitfraudFix.

If I run spybot the scan halts and I receive messages to reboot. If it runs for more than 5 minutes or so the system will shut down.

All system shutdowns are abrupt with no warning.

Shutdowns only occur when I attempt to scan.

I am not very computer savvy, so thanks in advance for any assistance you can offer.




DDS (Ver_09-02-01.01) - NTFSx86
Run by Roland at 4:20:45.40 on Tue 02/24/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.447 [GMT 9:00]


============== Running Processes ===============

H:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
H:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
H:\WINDOWS\system32\HPZipm12.exe
H:\WINDOWS\system32\svchost.exe -k imgsvc
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\igfxpers.exe
H:\WINDOWS\RTHDCPL.EXE
H:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
H:\Program Files\HP\HP Software Update\HPWuSchd2.exe
H:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
H:\WINDOWS\system32\igfxsrvc.exe
H:\Program Files\Winamp\winampa.exe
H:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
H:\Program Files\Winamp Remote\bin\OrbTray.exe
H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
H:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
H:\WINDOWS\system32\wuauclt.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
H:\Program Files\MSN Messenger\msnmsgr.exe
H:\Documents and Settings\Roland\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - h:\program files\winamp toolbar\winamptb.dll
mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - h:\program files\winamp toolbar\winamptb.dll
mWinlogon: Userinit=h:\windows\system32\userinit.exe,,h:\windows\system32\ntos.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - h:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - h:\program files\winamp toolbar\winamptb.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - h:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - h:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - h:\program files\winamp toolbar\winamptb.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] h:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] h:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Orb] "h:\program files\winamp remote\bin\OrbTray.exe" /background
uRun: [Messenger (Yahoo!)] "h:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [IMJPMIG8.1] "h:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] h:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] h:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IgfxTray] h:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] h:\windows\system32\hkcmd.exe
mRun: [Persistence] h:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Acrobat Assistant 7.0] "h:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [HP Software Update] h:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Acronis Scheduler2 Service] "h:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [WinampAgent] "h:\program files\winamp\winampa.exe"
mRun: [SunJavaUpdateSched] "h:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [QuickTime Task] "h:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "h:\program files\itunes\iTunesHelper.exe"
dRun: [userinit] h:\windows\system32\ntos.exe
StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - h:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - h:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - h:\program files\microsoft office\office10\OSA.EXE
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &Winamp Search - h:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: Convert link target to Adobe PDF - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - h:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - h:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - h:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - h:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - h:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - h:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - h:\windows\system32\WPDShServiceObj.dll
STS: IPC Configuration Utility - No File
STS: Windows Installer Class: {020487cc-fc04-4b1e-863f-d9801796230b} - h:\docume~1\admini~1\locals~1\temp\wndutl32.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - h:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - h:\docume~1\roland\applic~1\mozilla\firefox\profiles\8bzcfa1i.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Winamp Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF - component: h:\documents and settings\roland\application data\mozilla\firefox\profiles\8bzcfa1i.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;h:\program files\superantispyware\sasdifsv.sys [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;h:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 32256]
S3 SASENUM;SASENUM;h:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2009-02-23 09:26 281,088 a------- h:\windows\sv.exe
2009-02-23 09:26 281,600 a------- h:\windows\svzip.exe
2009-02-23 09:26 233,472 a------- h:\windows\svc.exe
2009-02-23 09:26 281,600 a------- h:\windows\runsql.exe
2009-02-23 09:26 233,472 a------- h:\windows\svw.exe
2009-02-23 09:26 233,472 a------- h:\windows\wdmon.exe
2009-02-23 09:26 233,472 a------- h:\windows\vlc.exe
2009-02-23 09:26 233,472 a------- h:\windows\svx.exe
2009-02-23 09:25 128 a--sh--- h:\windows\system32\0.dat
2009-02-23 09:25 40,960 ---shr-- h:\windows\system32\actmoviet.exe
2009-02-23 09:25 233,472 a------- h:\windows\odb.exe
2009-02-23 09:25 38,400 a------- h:\windows\Kjozevokoxaxedak.dll
2009-01-31 20:37 <DIR> --d----- h:\program files\Bonjour
2009-01-31 20:36 <DIR> --d----- h:\program files\iPod
2009-01-31 20:36 <DIR> --d----- h:\program files\iTunes
2009-01-31 20:36 <DIR> --d----- h:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

==================== Find3M ====================

2009-02-24 03:10 3,116 a------- h:\windows\system32\tmp.reg
2008-12-12 11:18 87,336 a------- h:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- h:\windows\system32\dnssd.dll
2008-08-29 09:44 89,264 a------- h:\docume~1\roland\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 4:21:03.87 ===============
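The DDS log above carries the indicators a helper would look for first: a Winlogon Userinit value with a second program appended after userinit.exe (ntos.exe), a Run entry in the default user profile, policies that disable Task Manager and the registry editor, a shell task loaded from a temp directory, and freshly created files in the Windows directory with the system and hidden attributes set. The script below is an added example, not part of the original post and not DDS code; it parses a constructed excerpt of that log (taken from the lines quoted in the thread) and flags those entries. The heuristics and the finding labels are the editor's own assumptions, as is the reading of the DDS prefixes u/m/d as HKCU, HKLM and the default user hive.

```python
"""Triage a DDS log for the persistence and lockout indicators seen above.

Added example, not part of the original post or of DDS itself. SAMPLE_DDS is
constructed from lines quoted in the thread; the heuristics are assumptions.
"""
import re

# Constructed sample: a subset of the "Pseudo HJT Report" and "Created Last 30"
# sections from the first DDS log, plus two benign lines for contrast.
SAMPLE_DDS = r"""
mWinlogon: Userinit=h:\windows\system32\userinit.exe,,h:\windows\system32\ntos.exe,
uRun: [ctfmon.exe] h:\windows\system32\ctfmon.exe
dRun: [userinit] h:\windows\system32\ntos.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
STS: Windows Installer Class: {020487cc-fc04-4b1e-863f-d9801796230b} - h:\docume~1\admini~1\locals~1\temp\wndutl32.dll
2009-02-23 09:25 128 a--sh--- h:\windows\system32\0.dat
2009-02-23 09:25 40,960 ---shr-- h:\windows\system32\actmoviet.exe
2009-02-23 09:26 281,088 a------- h:\windows\sv.exe
2009-01-31 20:37 <DIR> --d----- h:\program files\Bonjour
"""

# Policies that lock the user out of the tools needed to investigate.
LOCKOUT_POLICIES = {"DisableTaskMgr", "DisableRegistryTools"}
# Policies rogue "antispyware" uses to pin its own wallpaper in place.
DESKTOP_LOCK_POLICIES = {"NoSetActiveDesktop", "NoActiveDesktopChanges"}
# Load points whose binary lives in a user temp directory (short or long path form).
TEMP_PATH = re.compile(r"\\(locals~1|local settings)\\temp\\", re.I)
# An executable dropped directly in the Windows root (not in a subdirectory).
EXE_IN_WINDOWS_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)
# "Created Last 30" lines: date time size attrs path
CREATED_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?P<size>[\d,]+|<DIR>) "
    r"(?P<attrs>[a-z-]{8}) (?P<path>.+)$",
    re.I,
)


def userinit_extras(line):
    """Return every Userinit entry other than userinit.exe itself.

    Winlogon runs each comma-separated entry at logon before the shell, so an
    appended program (ntos.exe in the post) persists without any Run key.
    """
    m = re.match(r"mWinlogon: Userinit=(.*)$", line, re.I)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("\\userinit.exe")]


def triage(text):
    """Scan DDS log text and return a list of (finding, detail) tuples."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for extra in userinit_extras(line):
            findings.append(("userinit_hijack", extra))
        m = re.match(r"[umd]Policies-\w+: (\w+) = 1\b", line)
        if m:
            name = m.group(1)
            if name in LOCKOUT_POLICIES:
                findings.append(("lockout_policy", name))
            elif name in DESKTOP_LOCK_POLICIES:
                findings.append(("desktop_lock", name))
        # dRun = Run key of the default user hive; legitimate software rarely writes it.
        if line.startswith("dRun:"):
            findings.append(("default_profile_run", line.split("] ", 1)[-1]))
        if re.match(r"(STS|SSODL|BHO|[umd]Run|Notify):", line) and TEMP_PATH.search(line):
            findings.append(("temp_path", line.split(" - ")[-1]))
        m = CREATED_LINE.match(line)
        if m and m.group("size") != "<DIR>":
            attrs, path = m.group("attrs").lower(), m.group("path")
            # 's' + 'h' together hide the file from Explorer and from "dir".
            if "s" in attrs and "h" in attrs:
                findings.append(("hidden_system_file", path))
            elif EXE_IN_WINDOWS_ROOT.match(path):
                findings.append(("exe_in_windows_root", path))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_DDS):
        print(f"{kind:22} {detail}")
```

Run against the sample it reports the Userinit hijack, the default-profile Run entry, both lockout policies, the desktop lock, the temp-directory shell task, the two hidden system files and sv.exe in the Windows root; the benign ctfmon and Bonjour lines pass. Against the second DDS log in this thread the Userinit finding disappears (the value is back to userinit.exe only) while actmoviet.exe and 0.dat are still flagged, which matches what ComboFix later reports.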


#2 KoanYorel

    Bleepin' Conundrum

  • Members
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 06 March 2009 - 03:20 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 Roland60

  • Topic Starter
  • Members
  • 12 posts

Posted 06 March 2009 - 07:29 PM

Thank you for getting back to me.

The original problem has changed but I can not run in "safe mode". Approximately 20 seconds or so after booting in "safe mode" I hear a click from the machine and within 5 seconds the machine shuts down.

It is my understanding that there are a number of ways to get into safe mode. The only method I know is the F8 method.

I was able to get through a full spybot scan in normal mode and it detected and removed a number of infected files. (At least 30 files)

Since then the main screen is clean and I can get into the task manager again. I am no longer getting pop-ups and everything seems ok in normal mode on the surface.

Overall I really do not know what I am doing and am bumbling my way through this thing afraid that I am going to completely jack my system.

Any assistance would be greatly appreciated.

Thank you in advance,
Roland


Here is the dds file:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Roland at 8:44:54.78 on Sat 03/07/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.309 [GMT 9:00]


============== Running Processes ===============

H:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
H:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
H:\WINDOWS\system32\HPZipm12.exe
H:\WINDOWS\system32\svchost.exe -k imgsvc
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\igfxpers.exe
H:\WINDOWS\RTHDCPL.EXE
H:\WINDOWS\system32\igfxsrvc.exe
H:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
H:\Program Files\HP\HP Software Update\HPWuSchd2.exe
H:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
H:\Program Files\Winamp\winampa.exe
H:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
H:\Program Files\Winamp Remote\bin\OrbTray.exe
H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\WINDOWS\system32\wuauclt.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
H:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
H:\Documents and Settings\Roland\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - h:\program files\winamp toolbar\winamptb.dll
mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - h:\program files\winamp toolbar\winamptb.dll
mWinlogon: Userinit=h:\windows\system32\userinit.exe,,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - h:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - h:\program files\winamp toolbar\winamptb.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - h:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - h:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - h:\program files\winamp toolbar\winamptb.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] h:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] h:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Orb] "h:\program files\winamp remote\bin\OrbTray.exe" /background
uRun: [Messenger (Yahoo!)] "h:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [IMJPMIG8.1] "h:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] h:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] h:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IgfxTray] h:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] h:\windows\system32\hkcmd.exe
mRun: [Persistence] h:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Acrobat Assistant 7.0] "h:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [HP Software Update] h:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Acronis Scheduler2 Service] "h:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [WinampAgent] "h:\program files\winamp\winampa.exe"
mRun: [SunJavaUpdateSched] "h:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [QuickTime Task] "h:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "h:\program files\itunes\iTunesHelper.exe"
StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - h:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - h:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - h:\program files\microsoft office\office10\OSA.EXE
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: &Winamp Search - h:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: Convert link target to Adobe PDF - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - h:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - h:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - h:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - h:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - h:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - h:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - h:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - h:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - h:\docume~1\roland\applic~1\mozilla\firefox\profiles\8bzcfa1i.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Winamp Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF - component: h:\documents and settings\roland\application data\mozilla\firefox\profiles\8bzcfa1i.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;h:\program files\superantispyware\sasdifsv.sys [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;h:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 32256]
S3 SASENUM;SASENUM;h:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2009-02-23 09:25 128 a--sh--- h:\windows\system32\0.dat
2009-02-23 09:25 40,960 ---shr-- h:\windows\system32\actmoviet.exe
2009-02-23 09:25 38,400 a------- h:\windows\Kjozevokoxaxedak.dll

==================== Find3M ====================

2009-03-04 21:35 3,116 a------- h:\windows\system32\tmp.reg
2008-12-12 11:18 87,336 a------- h:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- h:\windows\system32\dnssd.dll
2008-08-29 09:44 89,264 a------- h:\docume~1\roland\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 8:45:09.32 ===============


#4 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 09 March 2009 - 11:20 AM

Hi,

It's recommended you change all your online passwords using another, clean system.


Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
  • Run Spybot-S&D in Advanced Mode
  • If it is not already set to do this, go to the Mode menu and select Advanced Mode
  • On the left hand side, click on Tools
  • Then click on the Resident icon in the list
  • Uncheck Resident TeaTimer and OK any prompts.
  • Restart your computer


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix (see the linked guide). Remember to re-enable them afterwards.
  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#5 Roland60

  • Topic Starter
  • Members
  • 12 posts

Posted 09 March 2009 - 07:45 PM

Thanks Blade!

Reports are attached.

Beyond your instructions the only thing I did was restart in safe mode to see if the shutdown symptoms went away. I was able to start the computer in safe mode without it shutting down. So far so good. I am also going to re-enable the firewall and TeaTimer.

Here are the reports:

ComboFix 09-03-06.02 - Roland 2009-03-10 8:58:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.631 [GMT 9:00]
Running from: h:\documents and settings\Roland\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

h:\documents and settings\Roland\Application Data\~tmp.html
h:\windows\Kjozevokoxaxedak.dll
h:\windows\system32\dumphive.exe
h:\windows\system32\IEDFix.exe
h:\windows\system32\Process.exe
h:\windows\system32\SrchSTS.exe
h:\windows\system32\tmp.reg
h:\windows\system32\VCCLSID.exe
h:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2009-02-09 to 2009-03-09 )))))))))))))))))))))))))))))))
.

2009-02-23 09:25 . 2009-02-23 09:25 40,960 -r-hs---- h:\windows\system32\actmoviet.exe
2009-02-23 09:25 . 2009-02-23 09:27 128 --ahs---- h:\windows\system32\0.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-23 12:49 --------- d-----w h:\program files\SUPERAntiSpyware
2009-01-31 11:37 --------- d-----w h:\program files\Bonjour
2009-01-31 11:36 --------- d-----w h:\program files\iTunes
2009-01-31 11:36 --------- d-----w h:\program files\iPod
2009-01-31 11:36 --------- d-----w h:\program files\Common Files\Apple
2009-01-31 11:36 --------- d-----w h:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-31 11:35 --------- d-----w h:\program files\QuickTime
2008-12-12 02:18 87,336 ----a-w h:\windows\system32\dns-sd.exe
2008-12-12 02:11 61,440 ----a-w h:\windows\system32\dnssd.dll
2008-08-29 00:44 89,264 ----a-w h:\documents and settings\Roland\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

2007-10-31 01:53 360832 64798ecfa43d78c7178375fcdd16d8c8 h:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 19:44 360960 744e57c99232201ae98c49168b918f48 h:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 20:51 361600 9aefa14bd6b182d61e3119fa5f436d3d h:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 20:59 361600 ad978a1b783b5719720cff204b666c8e h:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2006-02-28 21:00 359040 9f4b36614a0fc234525ba224957de55c h:\windows\$NtUninstallKB941644$\tcpip.sys
2007-10-31 02:20 360064 90caff4b094573449a0872a0f919b178 h:\windows\$NtUninstallKB951748$\tcpip.sys
2008-04-14 04:20 361344 93ea8d04ec73a85db02eb8805988f733 h:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
2008-06-20 19:45 360320 1cc09561e21a48a7f649a40f18235860 h:\windows\system32\dllcache\tcpip.sys
2008-06-20 19:45 360320 1cc09561e21a48a7f649a40f18235860 h:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "h:\program files\Winamp Toolbar\winamptb.dll" [2008-07-17 1266992]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="h:\windows\system32\ctfmon.exe" [2006-02-28 15360]
"Orb"="h:\program files\Winamp Remote\bin\OrbTray.exe" [2008-04-01 507904]
"Messenger (Yahoo!)"="h:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4347120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="h:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"PHIME2002ASync"="h:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="h:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"IgfxTray"="h:\windows\system32\igfxtray.exe" [2007-04-20 142104]
"HotKeysCmds"="h:\windows\system32\hkcmd.exe" [2007-04-20 162584]
"Persistence"="h:\windows\system32\igfxpers.exe" [2007-04-20 138008]
"Acrobat Assistant 7.0"="h:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 483328]
"HP Software Update"="h:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Acronis Scheduler2 Service"="h:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-08-08 148760]
"WinampAgent"="h:\program files\Winamp\winampa.exe" [2008-08-04 36352]
"SunJavaUpdateSched"="h:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="h:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="h:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 h:\windows\RTHDCPL.exe]

h:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - h:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-01-18 25214]
HP Digital Imaging Monitor.lnk - h:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
Microsoft Office.lnk - h:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "h:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 h:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"h:\\Program Files\\Messenger\\msmsgs.exe"=
"h:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"h:\\Documents and Settings\\Roland\\Desktop\\SmitfraudFix\\SmiUpdate.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"h:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"h:\\Program Files\\uTorrent\\uTorrent.exe"=
"h:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"h:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"h:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"h:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"h:\\Program Files\\iTunes\\iTunes.exe"=
"h:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 SASDIFSV;SASDIFSV;h:\program files\SUPERAntiSpyware\sasdifsv.sys [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;h:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2007-02-27 32256]
S3 SASENUM;SASENUM;h:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
.
Contents of the 'Scheduled Tasks' folder

2009-03-07 h:\windows\Tasks\AppleSoftwareUpdate.job
- h:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &Winamp Search - h:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Convert link target to Adobe PDF - h:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - h:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - h:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - h:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - h:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - h:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - h:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - h:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - h:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - h:\documents and settings\Roland\Application Data\Mozilla\Firefox\Profiles\8bzcfa1i.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Winamp Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF - component: h:\documents and settings\Roland\Application Data\Mozilla\Firefox\Profiles\8bzcfa1i.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-10 08:59:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(532)
h:\program files\SUPERAntiSpyware\SASWINLO.dll
h:\windows\system32\imjp81.ime
h:\windows\system32\imjp81k.dll
h:\windows\IME\IMJP8_1\Dicts\IMJPCD.DIC
.
Completion time: 2009-03-10 9:00:35
ComboFix-quarantined-files.txt 2009-03-10 00:00:33

Pre-Run: 57,699,512,320 bytes free
Post-Run: 57,865,515,008 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
h:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

178 --- E O F --- 2008-11-19 04:12:58




DDS (Ver_09-02-01.01) - NTFSx86
Run by Roland at 9:06:43.42 on Tue 03/10/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.541 [GMT 9:00]


============== Running Processes ===============

H:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
H:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
H:\WINDOWS\system32\HPZipm12.exe
H:\WINDOWS\system32\svchost.exe -k imgsvc
H:\WINDOWS\system32\igfxpers.exe
H:\WINDOWS\RTHDCPL.EXE
H:\WINDOWS\system32\igfxsrvc.exe
H:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
H:\Program Files\HP\HP Software Update\HPWuSchd2.exe
H:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
H:\Program Files\Winamp\winampa.exe
H:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Winamp Remote\bin\OrbTray.exe
H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
H:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
H:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
H:\WINDOWS\System32\svchost.exe -k HTTPFilter
H:\WINDOWS\system32\wuauclt.exe
H:\WINDOWS\system32\notepad.exe
H:\WINDOWS\explorer.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\Documents and Settings\Roland\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - h:\program files\winamp toolbar\winamptb.dll
mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - h:\program files\winamp toolbar\winamptb.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - h:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - h:\program files\winamp toolbar\winamptb.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - h:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - h:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - h:\program files\winamp toolbar\winamptb.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] h:\windows\system32\ctfmon.exe
uRun: [Orb] "h:\program files\winamp remote\bin\OrbTray.exe" /background
uRun: [Messenger (Yahoo!)] "h:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [IMJPMIG8.1] "h:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] h:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] h:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IgfxTray] h:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] h:\windows\system32\hkcmd.exe
mRun: [Persistence] h:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Acrobat Assistant 7.0] "h:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [HP Software Update] h:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Acronis Scheduler2 Service] "h:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [WinampAgent] "h:\program files\winamp\winampa.exe"
mRun: [SunJavaUpdateSched] "h:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [QuickTime Task] "h:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "h:\program files\itunes\iTunesHelper.exe"
StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - h:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - h:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - h:\program files\microsoft office\office10\OSA.EXE
IE: &Winamp Search - h:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: Convert link target to Adobe PDF - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - h:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - h:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - h:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - h:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - h:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - h:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - h:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - h:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - h:\docume~1\roland\applic~1\mozilla\firefox\profiles\8bzcfa1i.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Winamp Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF - component: h:\documents and settings\roland\application data\mozilla\firefox\profiles\8bzcfa1i.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;h:\program files\superantispyware\sasdifsv.sys [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;h:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 32256]
S3 SASENUM;SASENUM;h:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]

=============== Created Last 30 ================

2009-03-10 08:58 <DIR> a-dshr-- H:\cmdcons
2009-03-10 08:56 161,792 a------- h:\windows\SWREG.exe
2009-03-10 08:56 98,816 a------- h:\windows\sed.exe
2009-03-10 08:56 <DIR> --d----- H:\ComboFix
2009-02-23 09:25 128 a--sh--- h:\windows\system32\0.dat
2009-02-23 09:25 40,960 ---shr-- h:\windows\system32\actmoviet.exe

==================== Find3M ====================

2008-12-12 11:18 87,336 a------- h:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- h:\windows\system32\dnssd.dll
2008-08-29 09:44 89,264 a------- h:\docume~1\roland\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 9:06:53.10 ===============

Attached Files
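Three things in the ComboFix and DDS logs above deserve a check before any fix script is written: the two files created in system32 on 2009-02-23 that carry both the hidden and system attributes (0.dat and actmoviet.exe), the Security Center notification values and firewall setting that have been switched off, and whether the live tcpip.sys still matches the protected dllcache copy (a file that is commonly patched). The following is an added example, not part of this thread and not code from the DDS or ComboFix tools, that runs those checks over lines copied from the logs; the line-format regexes are written against the excerpts shown here and are an assumption of the example.

```python
import re

# Constructed sample input: lines copied from the "Created Last 30", "Sigcheck"
# and "Reg Loading Points" sections of the logs quoted above in this thread.
SAMPLE_LOG = r"""
2009-03-10 08:58 <DIR> a-dshr-- H:\cmdcons
2009-03-10 08:56 161,792 a------- h:\windows\SWREG.exe
2009-02-23 09:25 128 a--sh--- h:\windows\system32\0.dat
2009-02-23 09:25 40,960 ---shr-- h:\windows\system32\actmoviet.exe
2008-06-20 19:45 360320 1cc09561e21a48a7f649a40f18235860 h:\windows\system32\dllcache\tcpip.sys
2008-06-20 19:45 360320 1cc09561e21a48a7f649a40f18235860 h:\windows\system32\drivers\tcpip.sys
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Line shapes as they appear in the excerpts above (assumed, not a tool spec).
SIG_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ ([0-9a-f]{32}) (.+)$")
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} (<DIR>|[\d,]+) ([a-z-]{8}) (.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')

# Value names malware flips, with the setting that means "switched off".
DISABLED_WHEN = {
    "antivirusdisablenotify": 1,
    "updatesdisablenotify": 1,
    "firewalldisablenotify": 1,
    "enablefirewall": 0,
}


def parse_log(text):
    """Split a log excerpt into file entries, Sigcheck hashes and registry values."""
    files, hashes, reg = [], {}, {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SIG_RE.match(line)          # Sigcheck lines first: they also carry a date/size
        if m:
            hashes[m.group(2).lower()] = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m:
            files.append({"date": m.group(1), "is_dir": m.group(2) == "<DIR>",
                          "attrs": m.group(3), "path": m.group(4)})
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            reg[(key, m.group(1).lower())] = m.group(2)
    return files, hashes, reg


def reg_value_as_int(value):
    """Normalise 'dword:00000001' or '0 (0x0)' to an int; None if not numeric."""
    if value.lower().startswith("dword:"):
        return int(value[6:], 16)
    tokens = value.split()
    return int(tokens[0]) if tokens and tokens[0].isdigit() else None


def hidden_system_files(files):
    """Files (not directories) under system32 with both hidden and system set."""
    return [f["path"] for f in files
            if not f["is_dir"] and "s" in f["attrs"] and "h" in f["attrs"]
            and "\\windows\\system32\\" in f["path"].lower()]


def tcpip_matches_dllcache(hashes):
    """True when the live tcpip.sys hash equals the protected dllcache copy."""
    live = [h for p, h in hashes.items() if p.endswith(r"\drivers\tcpip.sys")]
    cache = [h for p, h in hashes.items() if p.endswith(r"\dllcache\tcpip.sys")]
    return bool(live) and bool(cache) and live[0] == cache[0]


def disabled_protections(reg):
    """Registry values whose current setting disables a protection or its warnings."""
    found = []
    for (key, name), value in reg.items():
        want = DISABLED_WHEN.get(name)
        if want is not None and reg_value_as_int(value) == want:
            found.append(f"{key}\\{name}={value}")
    return sorted(found)


def triage(text):
    files, hashes, reg = parse_log(text)
    return {
        "hidden_system_files": hidden_system_files(files),
        "tcpip_consistent": tcpip_matches_dllcache(hashes),
        "disabled_protections": disabled_protections(reg),
    }


if __name__ == "__main__":
    for name, result in triage(SAMPLE_LOG).items():
        print(f"{name}: {result}")
```

On this machine the script reports both system32 files, all three switched-off protection values, and a consistent tcpip.sys, which is the same picture the helper acted on in the next post: delete the two files and remove the two Security Center values. The firewall being off is worth noting separately; the fix script below does not touch it.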



#6 Roland60

Roland60
  • Topic Starter

  • Members
  • 12 posts
  • Local time:05:49 PM

Posted 09 March 2009 - 10:43 PM

It seems that the system is still shutting down in safe mode, except now it will run for approximately 3 minutes then abruptly shut down. (Before running ComboFix it would shut down after approximately 20 seconds in safe mode.) Everything appears OK in normal mode.

The previous post shows combofix and dds text logs.

Thank you for your time and patience.

#7 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:11:49 AM

Posted 10 March 2009 - 11:30 AM

Hi again,



Open notepad and copy/paste the text in the quotebox below into it:

File::
h:\windows\system32\actmoviet.exe
h:\windows\system32\0.dat

DDS::
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=-
"UpdatesDisableNotify"=-


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Referring to the picture above, drag CFScript onto ComboFix.exe.
Then post the resultant log.


ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 12.
  • Click the
    Download
    button to the right.
  • Select Windows on platform combobox and check the box that says:
    Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version. Uncheck MSN toolbar if it's offered there.

Download ATF (Atribune Temp File) Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here. If you get a message that latest Java must be installed "enable" the Java add-ons in IE7. Do that using "manage add-ons" from the IE7 toolbar.


Post back its report, a fresh dds log and above mentioned ComboFix resultant log.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.
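The CFScript in the post above is plain text: a section header of the form Name:: followed by one entry per line, and the Registry:: section uses regedit syntax, where "Name"=- deletes a value. The following is an added example, not ComboFix's own code and not from this thread, in Python that parses such a script, sanity-checks it before it is dragged onto ComboFix.exe, and renders the Registry:: section as the equivalent regedit import file. The section names beyond File::, DDS:: and Registry::, and the short deny-list of OS binaries a typo must never delete, are assumptions of the example.

```python
import re

# Constructed sample: the CFScript from the post above, with two of the DPF lines.
SAMPLE_CFSCRIPT = r"""File::
h:\windows\system32\actmoviet.exe
h:\windows\system32\0.dat

DDS::
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=-
"UpdatesDisableNotify"=-
"""

# Section names accepted here (an assumption of this example, not a ComboFix spec).
KNOWN_SECTIONS = {"File", "Folder", "Registry", "Driver", "DDS"}

# Illustrative deny-list (assumed): a mistyped File:: entry naming one of these
# would leave Windows XP unbootable, so the validator refuses it outright.
CRITICAL_SYSTEM_FILES = {
    "ntoskrnl.exe", "hal.dll", "winlogon.exe", "userinit.exe", "explorer.exe",
    "lsass.exe", "services.exe", "csrss.exe", "smss.exe", "ntdll.dll",
}

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
ABS_PATH_RE = re.compile(r'^[A-Za-z]:\\[^*?"<>|]+$')
REG_KEY_RE = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER|HKEY_CLASSES_ROOT|HKEY_USERS"
    r"|HKLM|HKCU|HKCR|HKU)\\[^\]]+\]$", re.I)
REG_VALUE_RE = re.compile(r'^"[^"]+"=.+$')


def parse_cfscript(text):
    """Group the non-blank lines of a CFScript under their 'Name::' headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"line before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def validate_cfscript(sections):
    """Return a list of problems; an empty list means the script looks safe to run."""
    problems = []
    for name in sections:
        if name not in KNOWN_SECTIONS:
            problems.append(f"unknown section {name}::")
    for path in sections.get("File", []) + sections.get("Folder", []):
        if not ABS_PATH_RE.match(path):
            problems.append(f"not an absolute Windows path: {path}")
        elif path.rsplit("\\", 1)[-1].lower() in CRITICAL_SYSTEM_FILES:
            problems.append(f"refusing to delete a critical system file: {path}")
    key = None
    for line in sections.get("Registry", []):
        if REG_KEY_RE.match(line):
            key = line
        elif REG_VALUE_RE.match(line):
            if key is None:
                problems.append(f"value line before any [key]: {line}")
        else:
            problems.append(f"malformed Registry:: line: {line}")
    return problems


def registry_to_reg(sections):
    """Render Registry:: as a .reg file; '=-' deletes a value, exactly as in regedit."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for line in sections.get("Registry", []):
        if REG_KEY_RE.match(line) and len(out) > 2:
            out.append("")            # regedit convention: blank line between keys
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    script = parse_cfscript(SAMPLE_CFSCRIPT)
    print("problems:", validate_cfscript(script) or "none")
    print(registry_to_reg(script))
```

The .reg rendering is useful when a machine will not run ComboFix (this one kept powering off in safe mode): the same two deletions can be applied with regedit, after which the Security Center warnings return.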


#8 Roland60

Roland60
  • Topic Starter

  • Members
  • 12 posts
  • Local time:05:49 PM

Posted 10 March 2009 - 11:19 PM

Hello again Blade,

As per your instructions here are the reports:
KAS had a couple of hits.
Thanks again for your patience and support.


ComboFix 09-03-06.02 - Roland 2009-03-11 10:26:33.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.646 [GMT 9:00]
Running from: h:\documents and settings\Roland\Desktop\ComboFix.exe
Command switches used :: h:\documents and settings\Roland\Desktop\CFScript.txt
* Created a new restore point

FILE ::
h:\windows\system32\0.dat
h:\windows\system32\actmoviet.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

h:\windows\system32\0.dat
h:\windows\system32\actmoviet.exe

.
((((((((((((((((((((((((( Files Created from 2009-02-11 to 2009-03-11 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-23 12:49 --------- d-----w h:\program files\SUPERAntiSpyware
2009-01-31 11:37 --------- d-----w h:\program files\Bonjour
2009-01-31 11:36 --------- d-----w h:\program files\iTunes
2009-01-31 11:36 --------- d-----w h:\program files\iPod
2009-01-31 11:36 --------- d-----w h:\program files\Common Files\Apple
2009-01-31 11:36 --------- d-----w h:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-31 11:35 --------- d-----w h:\program files\QuickTime
2008-12-12 02:18 87,336 ----a-w h:\windows\system32\dns-sd.exe
2008-12-12 02:11 61,440 ----a-w h:\windows\system32\dnssd.dll
2008-08-29 00:44 89,264 ----a-w h:\documents and settings\Roland\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

2007-10-31 01:53 360832 64798ecfa43d78c7178375fcdd16d8c8 h:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 19:44 360960 744e57c99232201ae98c49168b918f48 h:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 20:51 361600 9aefa14bd6b182d61e3119fa5f436d3d h:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 20:59 361600 ad978a1b783b5719720cff204b666c8e h:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2006-02-28 21:00 359040 9f4b36614a0fc234525ba224957de55c h:\windows\$NtUninstallKB941644$\tcpip.sys
2007-10-31 02:20 360064 90caff4b094573449a0872a0f919b178 h:\windows\$NtUninstallKB951748$\tcpip.sys
2008-04-14 04:20 361344 93ea8d04ec73a85db02eb8805988f733 h:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
2008-06-20 19:45 360320 1cc09561e21a48a7f649a40f18235860 h:\windows\system32\dllcache\tcpip.sys
2008-06-20 19:45 360320 1cc09561e21a48a7f649a40f18235860 h:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-03-10_ 8.59.58.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-11 01:25:28 16,384 ----atw h:\windows\temp\Perflib_Perfdata_9c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "h:\program files\Winamp Toolbar\winamptb.dll" [2008-07-17 1266992]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="h:\windows\system32\ctfmon.exe" [2006-02-28 15360]
"Orb"="h:\program files\Winamp Remote\bin\OrbTray.exe" [2008-04-01 507904]
"Messenger (Yahoo!)"="h:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4347120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="h:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"PHIME2002ASync"="h:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="h:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"IgfxTray"="h:\windows\system32\igfxtray.exe" [2007-04-20 142104]
"HotKeysCmds"="h:\windows\system32\hkcmd.exe" [2007-04-20 162584]
"Persistence"="h:\windows\system32\igfxpers.exe" [2007-04-20 138008]
"Acrobat Assistant 7.0"="h:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 483328]
"HP Software Update"="h:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Acronis Scheduler2 Service"="h:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-08-08 148760]
"WinampAgent"="h:\program files\Winamp\winampa.exe" [2008-08-04 36352]
"SunJavaUpdateSched"="h:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="h:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="h:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 h:\windows\RTHDCPL.exe]

h:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - h:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-01-18 25214]
HP Digital Imaging Monitor.lnk - h:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
Microsoft Office.lnk - h:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "h:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 h:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"h:\\Program Files\\Messenger\\msmsgs.exe"=
"h:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"h:\\Documents and Settings\\Roland\\Desktop\\SmitfraudFix\\SmiUpdate.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"h:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"h:\\Program Files\\uTorrent\\uTorrent.exe"=
"h:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"h:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"h:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"h:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"h:\\Program Files\\iTunes\\iTunes.exe"=
"h:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 SASDIFSV;SASDIFSV;h:\program files\SUPERAntiSpyware\sasdifsv.sys [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;h:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2007-02-27 32256]
S3 SASENUM;SASENUM;h:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
.
Contents of the 'Scheduled Tasks' folder

2009-03-07 h:\windows\Tasks\AppleSoftwareUpdate.job
- h:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &Winamp Search - h:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Convert link target to Adobe PDF - h:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - h:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - h:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - h:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - h:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - h:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - h:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - h:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - h:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - h:\documents and settings\Roland\Application Data\Mozilla\Firefox\Profiles\8bzcfa1i.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Winamp Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF - component: h:\documents and settings\Roland\Application Data\Mozilla\Firefox\Profiles\8bzcfa1i.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-11 10:27:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(532)
h:\program files\SUPERAntiSpyware\SASWINLO.dll
h:\windows\system32\imjp81.ime
h:\windows\system32\imjp81k.dll
h:\windows\IME\IMJP8_1\Dicts\IMJPCD.DIC
.
Completion time: 2009-03-11 10:28:25
ComboFix-quarantined-files.txt 2009-03-11 01:28:24
ComboFix2.txt 2009-03-10 03:32:00
ComboFix3.txt 2009-03-10 00:00:36

Pre-Run: 57,826,889,728 bytes free
Post-Run: 57,828,999,168 bytes free

170 --- E O F --- 2008-11-19 04:12:58
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, March 11, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, March 11, 2009 01:30:00
Records in database: 1887719
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 57979
Threat name: 2
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 01:07:01


File name / Threat name / Threats count
H:\SDFix\backups\backups.zip Infected: Trojan.Win32.Vapsup.yq 2
H:\SDFix\backups\backups.zip Infected: Trojan.Win32.Vapsup.yo 1

The selected area was scanned.
DDS (Ver_09-02-01.01) - NTFSx86
Run by Roland at 13:04:50.43 on Wed 03/11/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.600 [GMT 9:00]


============== Running Processes ===============

H:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
H:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
H:\WINDOWS\system32\HPZipm12.exe
H:\WINDOWS\system32\svchost.exe -k imgsvc
H:\WINDOWS\system32\wscntfy.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\igfxpers.exe
H:\WINDOWS\RTHDCPL.EXE
H:\WINDOWS\system32\igfxsrvc.exe
H:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
H:\Program Files\HP\HP Software Update\HPWuSchd2.exe
H:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
H:\Program Files\Winamp\winampa.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Winamp Remote\bin\OrbTray.exe
H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
H:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
H:\WINDOWS\system32\wuauclt.exe
H:\Program Files\Java\jre6\bin\jqs.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\Program Files\Java\jre6\bin\java.exe
H:\Documents and Settings\Roland\Local Settings\Temp\jkos-Roland\binaries\ScanningProcess.exe
H:\Documents and Settings\Roland\Local Settings\Temp\jkos-Roland\binaries\ScanningProcess.exe
H:\Documents and Settings\Roland\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - h:\program files\winamp toolbar\winamptb.dll
mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - h:\program files\winamp toolbar\winamptb.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - h:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - h:\program files\winamp toolbar\winamptb.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - h:\progra~1\spybot~1\SDHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - h:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - h:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - h:\program files\winamp toolbar\winamptb.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] h:\windows\system32\ctfmon.exe
uRun: [Orb] "h:\program files\winamp remote\bin\OrbTray.exe" /background
uRun: [Messenger (Yahoo!)] "h:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [SpybotSD TeaTimer] h:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IMJPMIG8.1] "h:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] h:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] h:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IgfxTray] h:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] h:\windows\system32\hkcmd.exe
mRun: [Persistence] h:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Acrobat Assistant 7.0] "h:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [HP Software Update] h:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Acronis Scheduler2 Service] "h:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [WinampAgent] "h:\program files\winamp\winampa.exe"
mRun: [QuickTime Task] "h:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "h:\program files\itunes\iTunesHelper.exe"
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SunJavaUpdateSched] "h:\program files\java\jre6\bin\jusched.exe"
StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - h:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - h:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - h:\program files\microsoft office\office10\OSA.EXE
IE: &Winamp Search - h:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: Convert link target to Adobe PDF - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - h:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - h:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - h:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - h:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - h:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - h:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - h:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - h:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - h:\docume~1\roland\applic~1\mozilla\firefox\profiles\8bzcfa1i.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Winamp Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF - component: h:\documents and settings\roland\application data\mozilla\firefox\profiles\8bzcfa1i.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;h:\program files\superantispyware\sasdifsv.sys [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;h:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 32256]
S3 SASENUM;SASENUM;h:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]

=============== Created Last 30 ================

2009-03-11 10:43 410,984 a------- h:\windows\system32\deploytk.dll
2009-03-11 10:43 73,728 a------- h:\windows\system32\javacpl.cpl
2009-03-11 10:26 <DIR> --d----- H:\ComboFix
2009-03-10 08:58 <DIR> a-dshr-- H:\cmdcons
2009-03-10 08:56 161,792 a------- h:\windows\SWREG.exe
2009-03-10 08:56 98,816 a------- h:\windows\sed.exe

==================== Find3M ====================

2008-12-12 11:18 87,336 a------- h:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- h:\windows\system32\dnssd.dll
2008-08-29 09:44 89,264 a------- h:\docume~1\roland\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 13:05:09.42 ===============

#9 Blade81 (Malware Response Team, Finland)

Posted 11 March 2009 - 09:58 AM

Hi

Both findings seem to be quarantined objects. We'll clean those later. How's the system running?

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#10 Roland60 (Topic Starter)

Posted 11 March 2009 - 02:30 PM

Hello,

Still have the shutdown issue when attempting to start in safe mode. I noticed that it will even shut down at the Windows login screen where you click on the user to log in.

In normal mode everything is fine and seems ok.

Firefox updated to 3.0.7 on its own then loaded when I restarted the system.

I just checked the spybot report on the resident screen and noticed that three of the first five entries shown were "Denied (based on user blacklist) value "Alcmtr" (new data: "") deleted in System Startup global entry!"



Here is the report:

3/10/2009 12:29:50 PM Allowed (based on user decision) value "" (new data: "") added in System Startup global entry!
3/10/2009 12:32:01 PM Denied (based on user blacklist) value "Alcmtr" (new data: "") deleted in System Startup global entry!
3/10/2009 12:32:02 PM Denied (based on user blacklist) value "Alcmtr" (new data: "") deleted in System Startup global entry!
3/11/2009 10:31:30 AM Allowed (based on authenticode whitelist) value "SpybotSD TeaTimer" (new data: "H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe") added in System Startup user entry!
3/11/2009 10:31:30 AM Denied (based on user blacklist) value "Alcmtr" (new data: "") deleted in System Startup global entry!
3/11/2009 10:38:38 AM Allowed (based on user decision) value "SunJavaUpdateSched" (new data: "H:\Program Files\Java\jre1.6.0_07\bin\jusched.exe") changed in System Startup global entry!
3/11/2009 10:38:41 AM Allowed (based on user decision) value "{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}" (new data: "") deleted in ActiveX Distribution Unit!
3/11/2009 10:39:19 AM Allowed (based on user decision) value "SunJavaUpdateSched" (new data: "") deleted in System Startup global entry!
3/11/2009 10:39:27 AM Allowed (based on user decision) value "{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" (new data: "") deleted in Browser Helper Object!
3/11/2009 10:39:29 AM Allowed (based on user decision) value "{8AD9C840-044E-11D1-B3E9-00805F499D93}" (new data: "") deleted in ActiveX Distribution Unit!
3/11/2009 10:39:29 AM Allowed (based on user decision) value "{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}" (new data: "") deleted in ActiveX Distribution Unit!
3/11/2009 10:39:30 AM Allowed (based on user decision) value "{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}" (new data: "") deleted in ActiveX Distribution Unit!
3/11/2009 10:43:18 AM Allowed (based on user decision) value "SunJavaUpdateSched" (new data: ""H:\Program Files\Java\jre6\bin\jusched.exe"") added in System Startup global entry!
3/11/2009 10:43:22 AM Allowed (based on user decision) value "{DBC80044-A445-435b-BC74-9C25C1C588A9}" (new data: "") added in Browser Helper Object!
3/11/2009 10:43:25 AM Allowed (based on user decision) value "{E7E6F031-17CE-4C07-BC86-EABFE594F69C}" (new data: "") added in Browser Helper Object!
3/11/2009 10:43:27 AM Allowed (based on user decision) value "{8AD9C840-044E-11D1-B3E9-00805F499D93}" (new data: "") added in ActiveX Distribution Unit!
3/11/2009 10:43:28 AM Allowed (based on user decision) value "{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}" (new data: "") added in ActiveX Distribution Unit!
3/11/2009 10:43:30 AM Allowed (based on user decision) value "{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}" (new data: "") added in ActiveX Distribution Unit!
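
The TeaTimer report above can be summarised mechanically. As an added example that is not part of the thread, this Python parser reads lines in exactly the format quoted (the sample is copied from the report), reports which startup values TeaTimer blocked repeatedly, and shows the final allowed state of each value; the function names are mine.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# One TeaTimer resident-log line, in the shape quoted above:
#   <m/d/yyyy h:mm:ss AM|PM> <Allowed|Denied> (based on <basis>) value "<name>"
#   (new data: "<data>") <added|deleted|changed> in <location>!
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<decision>Allowed|Denied) \(based on (?P<basis>[^)]+)\) '
    r'value "(?P<name>[^"]*)" \(new data: "(?P<data>.*)"\) '
    r'(?P<action>added|deleted|changed) in (?P<location>.+)!$'
)

@dataclass
class TeaTimerEvent:
    when: datetime
    decision: str   # "Allowed" or "Denied"
    basis: str      # "user decision", "user blacklist", "authenticode whitelist", ...
    name: str       # registry value name; empty in the first line of the report
    data: str       # new data as logged (TeaTimer may wrap a path in its own quotes)
    action: str     # "added", "deleted" or "changed"
    location: str   # e.g. "System Startup global entry", "Browser Helper Object"

def parse_line(line: str) -> Optional[TeaTimerEvent]:
    """Return the parsed event, or None for a line that is not a TeaTimer entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return TeaTimerEvent(
        when=datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p"),
        decision=m.group("decision"), basis=m.group("basis"),
        name=m.group("name"), data=m.group("data"),
        action=m.group("action"), location=m.group("location"),
    )

def parse_log(text: str) -> List[TeaTimerEvent]:
    events = [parse_line(line) for line in text.splitlines()]
    return [e for e in events if e is not None]

def denied_counts(events: List[TeaTimerEvent]) -> Counter:
    """How many times TeaTimer blocked each value name."""
    return Counter(e.name for e in events if e.decision == "Denied")

def repeated_denials(events: List[TeaTimerEvent], min_count: int = 2) -> List[str]:
    """Value names blocked at least min_count times: something keeps re-creating
    them (here Alcmtr), which is worth explaining rather than ignoring."""
    return sorted(n for n, c in denied_counts(events).items() if c >= min_count)

def last_allowed_action(events: List[TeaTimerEvent]) -> Dict[Tuple[str, str], str]:
    """Final allowed action per (location, value name), in time order: shows whether
    a value deleted during cleanup was later re-added (e.g. by a Java reinstall)."""
    state: Dict[Tuple[str, str], str] = {}
    for e in sorted(events, key=lambda ev: ev.when):   # stable sort keeps log order
        if e.decision == "Allowed":
            state[(e.location, e.name)] = e.action
    return state

# Constructed sample: eight lines copied from the report quoted above.
SAMPLE_LOG = r'''
3/10/2009 12:29:50 PM Allowed (based on user decision) value "" (new data: "") added in System Startup global entry!
3/10/2009 12:32:01 PM Denied (based on user blacklist) value "Alcmtr" (new data: "") deleted in System Startup global entry!
3/10/2009 12:32:02 PM Denied (based on user blacklist) value "Alcmtr" (new data: "") deleted in System Startup global entry!
3/11/2009 10:31:30 AM Allowed (based on authenticode whitelist) value "SpybotSD TeaTimer" (new data: "H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe") added in System Startup user entry!
3/11/2009 10:31:30 AM Denied (based on user blacklist) value "Alcmtr" (new data: "") deleted in System Startup global entry!
3/11/2009 10:38:38 AM Allowed (based on user decision) value "SunJavaUpdateSched" (new data: "H:\Program Files\Java\jre1.6.0_07\bin\jusched.exe") changed in System Startup global entry!
3/11/2009 10:39:19 AM Allowed (based on user decision) value "SunJavaUpdateSched" (new data: "") deleted in System Startup global entry!
3/11/2009 10:43:18 AM Allowed (based on user decision) value "SunJavaUpdateSched" (new data: ""H:\Program Files\Java\jre6\bin\jusched.exe"") added in System Startup global entry!
'''

if __name__ == "__main__":
    print("repeatedly blocked:", repeated_denials(parse_log(SAMPLE_LOG)))
```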

#11 Blade81 (Malware Response Team, Finland)

Posted 12 March 2009 - 01:07 PM

Hi


How to View Event Logs
To open Event Viewer, follow these steps:

1. Click Start, and then click Control Panel. Click Performance and Maintenance, then click Administrative Tools, and then double-click Computer Management. Or, open the MMC containing the Event Viewer snap-in.
2. In the console tree, click Event Viewer.

The Application, Security, and System logs are displayed in the Event Viewer window.

Are there any events listed that match the time you were trying safe mode?



#12 Roland60 (Topic Starter)

Posted 12 March 2009 - 07:59 PM

Hello Blade,

Found an error message in "system" event viewer log.
There were no logs corresponding to the time system shut down in the application, security or IE viewer logs.

One other thing I noticed is that after the system shuts down the "number lock" indicator remains illuminated on the keyboard. The tower appears to be completely shut down. (no fans running, no sounds and all indicators are off.) Again, this only occurs when attempting to start in safe mode. System appears to be running fine in normal mode.

Thanks for your help...

Error message follows:

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 3/13/2009
Time: 9:35:32 AM
User: NT AUTHORITY\SYSTEM
Computer: RYUCON-HOME
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

#13 Blade81 (Malware Response Team, Finland)

Posted 13 March 2009 - 12:12 PM

Hi

Can you recall when that safe mode issue began to occur?


To change the recovery settings to disable automatic rebooting:

1. Right-click My Computer, and then click Properties.
2. Click the Advanced tab.
3. Under Startup and Recovery, click Settings to open the Startup and Recovery dialog box.
4. Clear the Automatically restart check box, and click OK the necessary number of times.
5. Restart your computer for the settings to take effect.


See if the problem still exists.



#14 Roland60 (Topic Starter)

Posted 13 March 2009 - 02:20 PM

I did as you said. Machine is still shutting down in safe mode. Still receiving same message in system event log.

The first time I observed this problem was when I initially got infected, about a week and a half ago, and attempted to run SmitFraudFix in safe mode. At that time the machine would shut down and restart in a loop. I tried a system restore but was unable to complete the task. I do not remember the message, but it would not allow me to restore to an earlier state. It is possible that this is an old issue, as I never have any reason to boot in safe mode and therefore would not normally observe the symptoms.

I don't know if this means anything... I could not get into administrative tools by right clicking properties on my computer. I had to go into control panel then system and so on.

In my machine's current condition, do you think that I am safe to send emails and conduct purchases without the risk of spreading an infection to my contacts or my personal information being vulnerable?

I sincerely appreciate your continued assistance.

#15 Blade81 (Malware Response Team, Finland)

Posted 14 March 2009 - 04:57 AM

I don't know if this means anything... I could not get into administrative tools by right clicking properties on my computer. I had to go into control panel then system and so on.

Hi

I don't think I instructed you to access admin tools that way at any point in my previous instructions. I don't think it's actually possible to access it that way at all.

In my machine's current condition, do you think that I am safe to send emails and conduct purchases without the risk of spreading an infection to my contacts or my personal information being vulnerable?

Yes, I believe it's safe now to do so.


Anyway, to me it looks like there might be some other problem than malware behind that safe mode issue. If you haven't used safe mode earlier, you can't be sure whether the issue has been there from the beginning. I suggest we clean up the tools used, do some protection program installations, and that you then open a new topic for the safe mode problem on another subforum of Bleeping Computer.



Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis.


Now let's uninstall ComboFix:
  • Click START then RUN
  • Now type Combofix /u in the Run box and click OK
Delete the dds.scr file and related logs.


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
  • Get antivirus software and keep it updated - Most AVs will update automatically, but if not I would recommend making updating the AV the first job every time the PC is connected to the internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. Good free antivirus programs are:
    Antivir
    Avast!
  • Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
    If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free or Comodo Firewall Pro (If you choose Comodo: uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage", and install the firewall ONLY!).

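
The six Custom Level settings in the post above can be checked mechanically. As an added example that is not from the post, this Python audit compares a zone's values with Blade81's recommended ones and produces the hardened set; the registry value names 1001/1004/1201/1800/1804/1607 under Zones\3 and the 0 = Enable, 1 = Prompt, 3 = Disable encoding are my assumption about how Internet Explorer stores these settings (the thread only gives the dialog labels), and reading the live registry only works on Windows.

```python
from typing import Dict, List, Optional, Tuple

# HKCU key for the Internet zone (zone 3). Assumption: the six settings from the post
# are the URL-action values below, stored as 0 = Enable, 1 = Prompt, 3 = Disable.
INTERNET_ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3
POLICY_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
STRICTNESS = {ENABLE: 0, PROMPT: 1, DISABLE: 2}   # higher = more restrictive

# Dialog label and the value the post asks for, keyed by registry value name.
RECOMMENDED: Dict[str, Tuple[str, int]] = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

def audit_zone(settings: Dict[str, int]) -> List[Tuple[str, str, Optional[int], int]]:
    """Return (value id, label, current, wanted) for each setting weaker than
    recommended. A missing value is reported too: the host then relies on IE's default."""
    findings = []
    for vid, (label, wanted) in RECOMMENDED.items():
        current = settings.get(vid)
        # Unknown/invalid values count as weak so they surface in the report.
        if current is None or STRICTNESS.get(current, 0) < STRICTNESS[wanted]:
            findings.append((vid, label, current, wanted))
    return findings

def hardened(settings: Dict[str, int]) -> Dict[str, int]:
    """Copy of settings with the post's six values applied; other values untouched."""
    fixed = dict(settings)
    for vid, (_, wanted) in RECOMMENDED.items():
        fixed[vid] = wanted
    return fixed

def describe(findings) -> List[str]:
    """Human-readable 'label: current -> wanted' lines for a report."""
    lines = []
    for _, label, current, wanted in findings:
        now = "not set" if current is None else POLICY_NAME.get(current, str(current))
        lines.append(f"{label}: {now} -> {POLICY_NAME[wanted]}")
    return lines

def read_zone_from_registry() -> Optional[Dict[str, int]]:
    """Read the current user's Internet zone values on Windows; None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    out: Dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_ZONE_KEY) as key:
        for vid in RECOMMENDED:
            try:
                out[vid], _ = winreg.QueryValueEx(key, vid)
            except FileNotFoundError:
                pass          # value absent: audit_zone reports it as not set
    return out

# Constructed sample of a permissive Internet zone; 1607 is deliberately missing.
WEAK_ZONE = {"1001": ENABLE, "1004": PROMPT, "1201": PROMPT, "1800": ENABLE, "1804": ENABLE}

if __name__ == "__main__":
    live = read_zone_from_registry()
    for line in describe(audit_zone(live if live is not None else WEAK_ZONE)):
        print(line)
```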
