Infected with a Rootkit.Agent


  • This topic is locked
27 replies to this topic

#1 Squir3l

  • Members
  • 14 posts

Posted 01 March 2009 - 05:14 AM

Hello, I sometimes get memory reference errors when closing a program or windows. I've also included the log file from Malwarebytes which identifies but can not remove the Rootkit.Agent. Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:05:30, on 3/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\BBClean\blackbox.exe
C:\Program Files\ESET Smart Security\egui.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files\SysTrayMeter\SysTrayMeter.exe
C:\Program Files\Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: Shell=C:\BBClean\blackbox.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - Startup: SysTrayMeter.lnk = C:\Program Files\SysTrayMeter\SysTrayMeter.exe
O4 - Global Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://ssl.encorium.com/dana-cached/setup/NeoterisSetup.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129835243676
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129835234420
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E6F3028-B168-4927-9C06-445D40140952}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2F39AAA-64F4-4537-952D-E8FEA3D27A97}: NameServer = 192.168.0.1
O20 - AppInit_DLLs:
O20 - Winlogon Notify: vtUnNFYQ - C:\WINDOWS\
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 6281 bytes



Malwarebytes' Anti-Malware 1.34
Database version: 1813
Windows 5.1.2600 Service Pack 3

3/1/2009 5:03:28 AM
mbam-log-2009-03-01 (05-03-24).txt

Scan type: Quick Scan
Objects scanned: 57455
Time elapsed: 5 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\Local Settings\Temp\wmymhmbc.dat (Rootkit.Agent) -> No action taken.


#2 Odd dude

    I'm weird. Booo!

  • Members
  • 35 posts

Posted 12 March 2009 - 11:11 AM

Hi :thumbup2:

You have TeaTimer running
This is good, as TeaTimer protects you from many malicious changes to your registry. However, TeaTimer is a computer program, which has no way of distinguishing between good and malicious intentions; this means it might hinder the modifications I need to make to your system.

This means that TeaTimer will need to be disabled until you have been cleaned of malware.
  • Right-click on the TeaTimer icon in your system tray.
  • If you have the new version 1.5: click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the system tray should now be colourless.
  • If you have version 1.4, click on Exit Spybot S&D Resident.
This is not enough, there is a second step attached:
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go to the bottom of the vertical panel on the left and click Tools
  • Now, also in left panel, click Resident - the pictogram shows a red/white shield.
  • In the Resident protection status frame, uncheck the box labelled Resident "Tea-Timer" (Protection of over-all system settings) active
  • OK any prompts.
  • Use File > Exit to close Spybot
  • Reboot your machine for the changes to take effect.
When I give you the all-clear post, remember to re-enable it!


Update Malwarebytes' database. Re-run the scan with Malwarebytes' and let it remove what it found. Post the log.


Open HijackThis, click Do a system scan only, put a check next to these, and click Fix checked:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O20 - AppInit_DLLs:
O20 - Winlogon Notify: vtUnNFYQ - C:\WINDOWS


Do you knowingly use a different shell/window manager than the default Windows Explorer?


Any symptoms?


Post:
- answers to my questions
- new hijackthis log
- uninstall list as per these instructions:
  • Start HijackThis.
  • Click Open the Misc Tools section
  • Click Open Uninstall Manager
  • Click Save list...
  • Save the list to your desktop, or any other convenient place and post it in your next reply.

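The helper's reply above does two things by hand: it picks out the HijackThis entries worth fixing and asks the user to let Malwarebytes act on what it finds. As an added illustration (example code written for this page, not a BleepingComputer, HijackThis or Malwarebytes tool), the Python below applies the same selection mechanically to constructed sample lines modelled on the logs in this thread: R0/R1 entries with an empty value, an empty AppInit_DLLs entry, a Winlogon Notify package whose path names no DLL (my heuristic, not a rule stated in the thread; it matches the vtUnNFYQ entry the helper fixed while leaving a package that points at a real DLL alone), and a non-Explorer shell, which the helper asks about rather than fixes. A second function lists Malwarebytes detections still marked "No action taken", which is how the logs in this thread read until the user lets the scanner act.

```python
import re

# Constructed sample lines in HijackThis v2.0.2 format, modelled on the
# log posted in this thread. Backslashes are doubled for Python.
SAMPLE_HJT = [
    "R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant =",
    "R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157",
    "F2 - REG:system.ini: Shell=C:\\BBClean\\blackbox.exe",
    'O4 - HKLM\\..\\Run: [egui] "C:\\Program Files\\ESET Smart Security\\egui.exe" /hide /waitservice',
    "O20 - AppInit_DLLs:",
    "O20 - Winlogon Notify: vtUnNFYQ - C:\\WINDOWS\\",
    "O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll",
    "O23 - Service: ESET Service (ekrn) - ESET - C:\\Program Files\\ESET Smart Security\\ekrn.exe",
]

# Constructed sample in Malwarebytes 1.34 log format, modelled on the thread.
SAMPLE_MBAM = [
    "Registry Values Infected: 2",
    "",
    "Registry Values Infected:",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Settings\\bf (Trojan.Agent) -> No action taken.",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Settings\\bk (Trojan.Agent) -> Quarantined and deleted successfully.",
]

# "<code> - <body>", e.g. "O20 - Winlogon Notify: ..."
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
WINLOGON_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
SHELL_RE = re.compile(r"^REG:system\.ini: Shell=(?P<shell>.*)$", re.IGNORECASE)


def triage_line(line):
    """Return ('fix' | 'verify', reason) for a line that meets the helper's
    selection criteria, or None for a line that needs no action."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body").rstrip()

    # R0/R1 are Internet Explorer start/search settings. An entry ending in
    # '=' carries an empty value; fixing it simply resets the setting.
    if code in ("R0", "R1") and body.endswith("="):
        return ("fix", "empty IE setting")

    if code == "O20":
        if body == "AppInit_DLLs:":
            return ("fix", "empty AppInit_DLLs entry")
        w = WINLOGON_RE.match(body)
        # Heuristic (assumption, not a HijackThis rule): a genuine Winlogon
        # Notify package names a DLL; a bare directory with a random-looking
        # package name is the pattern the helper fixed in this thread.
        if w and not w.group("path").lower().endswith(".dll"):
            return ("fix", f"Winlogon Notify package {w.group('name')!r} names no DLL")

    if code == "F2":
        s = SHELL_RE.match(body)
        # A replacement shell is legitimate if the user installed it, so this
        # is a question for the user, not an automatic fix.
        if s and not s.group("shell").lower().endswith("explorer.exe"):
            return ("verify", f"non-default shell {s.group('shell')}")
    return None


def triage(lines):
    """(verdict, reason, line) for every actionable line, in log order."""
    out = []
    for line in lines:
        v = triage_line(line)
        if v:
            out.append((v[0], v[1], line.strip()))
    return out


def unresolved_detections(lines):
    """Detections the scanner reported but did not act on. Until these read
    'Quarantined and deleted', the log is a scan report, not a clean-up."""
    return [l.strip() for l in lines if l.rstrip().endswith("-> No action taken.")]


if __name__ == "__main__":
    for verdict, reason, line in triage(SAMPLE_HJT):
        print(f"{verdict:6} {reason:45} {line}")
    for line in unresolved_detections(SAMPLE_MBAM):
        print("unresolved:", line)
```

The `verify` verdict matters as much as `fix`: the helper asked whether the non-Explorer shell was intentional before touching it, and a script that fixed every unusual entry would have removed the user's chosen window manager.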

#3 Odd dude

    I'm weird. Booo!

  • Members
  • 35 posts

Posted 15 March 2009 - 06:55 AM

Do you still need help?

#4 Squir3l
  • Topic Starter

  • Members
  • 14 posts

Posted 15 March 2009 - 11:58 PM

Hi, thank you for your help. I feel really bad now that you did, because I hadn't heard anything for almost two weeks, so I gave up hope of getting a response. Because of this I made alterations of my own since my post. SORRY. I was able to remove the undeletable file by using a Linux live CD. The bad registry keys are still there, but I don't seem to be having problems. If you are done helping me because of this, I understand. Thanks for your time anyway. If not, hopefully this info can help. Once again, I'm sorry for not following your rules, and thanks for your help.

I do use a different shell than Explorer; it's called BlackBox or bblean. I believe it actually performs more efficiently than Windows and looks nicer too.

New HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:52:38, on 3/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET Smart Security\ekrn.exe
C:\BBClean\blackbox.exe
C:\Program Files\Malwarebytes\mbamgui.exe
C:\Program Files\ESET Smart Security\egui.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files\SysTrayMeter\SysTrayMeter.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: Shell=C:\BBClean\blackbox.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: SysTrayMeter.lnk = C:\Program Files\SysTrayMeter\SysTrayMeter.exe
O4 - Global Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://ssl.encorium.com/dana-cached/setup/NeoterisSetup.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129835243676
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129835234420
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E6F3028-B168-4927-9C06-445D40140952}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2F39AAA-64F4-4537-952D-E8FEA3D27A97}: NameServer = 192.168.0.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\system32\dllhost.exe (file missing)
O23 - Service: ESET HTTP Server (EHttpSrv) - ESET - C:\Program Files\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes\mbamservice.exe
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\system32\dllhost.exe (file missing)
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 6267 bytes

Here is the uninstall list:

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
AC3Filter (remove only)
Ad-Aware
Ad-Aware
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 8.1.3
ALPS Touch Pad Driver
Apple Mobile Device Support
Archimedes 360° (PocketPC and Smartphone) v 11.1.2 by Skyscape
Axialis IconWorkshop 6.0
BS.Player PRO
CCleaner (remove only)
CD Art Display 1.0
Classic Menu 3.x for Office 2007
CleanMyPC - Registry Cleaner
CoreAVC Professional Edition (remove only)
Critical Update for Windows Media Player 11 (KB959772)
CyberLink PowerDVD 8
DFX for Winamp
DivX Web Player
DriveImage XML (Private Edition)
Driver Magician 3.25
DrugGuide (PocketPC and Smartphone) v 10.2.2 by Skyscape
ffdshow [rev 2734] [2009-03-01]
FileAlyzer
FireDaemon Trinity
FireDaemon Trinity
Foxit Reader
GOM Player
Haali Media Splitter
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
InfraRecorder
Intel® Graphics Media Accelerator Driver for Mobile
Internal Network Card Power Management
iTunes
IVDH9 (PocketPC and Smartphone) v 9.0.6 by Skyscape
IVNotes (PocketPC and Smartphone) v 10.1.1 by Skyscape
JaSMiN 3D Color Changer 4
Java™ 6 Update 12
Labs 360° (PocketPC and Smartphone) v 11.0.2 by Skyscape
Last.fm 1.5.1.29527
Logitech MouseWare 9.76
Magic ISO Maker v5.4 (build 0245)
Malwarebytes' Anti-Malware
MedAlert (for Windows PCs) by Skyscape
MedAlert (WinCE & PocketPC) v 10.0.7 by Skyscape
MedSurg (PocketPC and Smartphone) v 9.0.7 by Skyscape
MeediOS 0.1.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft ActiveSync
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
MosbyRQ (PocketPC and Smartphone) v 10.0.10 by Skyscape
Mozilla Firefox (3.0.7)
MSXML 4.0
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
NCLEXNotes (PocketPC and Smartphone) v 10.0.7 by Skyscape
NCLEX-RN8 (PocketPC and Smartphone) v #PRODNAME# by Skyscape
NDH (PocketPC and Smartphone) v 10.0.7 by Skyscape
NurProc (PocketPC and Smartphone) v #PRODNAME# by Skyscape
PeerGuardian 2.0
PocketNester
PowerArchiver 2007
PowerISO
QAExam3 (PocketPC and Smartphone) v 9.0.11 by Skyscape
QuickSet
QuickTime
Rainmeter (remove only)
RealPlayer
RegAlyzer (OpenSBI Edition)
RnDisease (PocketPC and Smartphone) v #PRODNAME# by Skyscape
RnDxInt10 (PocketPC and Smartphone) v #PRODNAME# by Skyscape
RnDxTests2 (PocketPC and Smartphone) v #PRODNAME# by Skyscape
RN-NCLEX (PocketPC and Smartphone) v #PRODNAME# by Skyscape
RNotes2 (PocketPC and Smartphone) v 9.0.14 by Skyscape
RunAlyzer
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
SFVManager
smARTupdate
SOTI Pocket Controller-Pro
Spb Diary
Spb Mobile Shell
Spb Phone Suite
Spb Weather
SpbPocketPlus
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
SUPERAntiSpyware Professional
Tabers20 (PocketPC and Smartphone) v 8.1.18 by Skyscape
The KMPlayer (remove only)
TuneUp Utilities 2008
Unlocker 1.8.7
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb962871)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Wallpaper Changer (Remove only)
Winamp (remove only)
Windows Genuine Advantage v1.3.0254.0
Windows Imaging Component
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
xplorer² professional
Xvid 1.1.3 final uninstall

#5 Squir3l
  • Topic Starter

  • Members
  • 14 posts

Posted 16 March 2009 - 12:38 AM

Oops, I forgot. Here is the Malwarebytes' log:

Malwarebytes' Anti-Malware 1.34
Database version: 1851
Windows 5.1.2600 Service Pack 3

3/16/2009 1:36:40 AM
mbam-log-2009-03-16 (01-36-34).txt

Scan type: Full Scan (C:\|)
Objects scanned: 117663
Time elapsed: 30 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 Odd dude

    I'm weird. Booo!

  • Members
  • 35 posts

Posted 16 March 2009 - 01:17 AM

It's okay, I understand. You have waited for two weeks - that's so long anyone would've started desperately trying things of their own.
I will not deny that there is a huge backlog here. All the helpers will need to work together to get that sorted out. Unfortunately, with the nearly 100 people posting new logs here every day, it's not an easy task to accomplish.

Disable TeaTimer as per my instructions above and have Malwarebytes actually fix what it finds.

Log looks pretty good, let's scan for hidden infections.

GMER
Do not touch the computer while GMER is running! If you do, it'll go completely unresponsive and you'll have to shut it down using the power switch. Just don't touch the PC while GMER is working.
Please download gmer.zip by GMER and save it to your desktop.
  • Right click the file you just downloaded and choose Extract all
  • Click Next
  • Click Browse
  • Click the + next to My Computer
  • Click Local Disk (C:)
  • Click Make new folder
  • Enter GMER
  • Click OK, then Next
  • Check Show extracted files and click Finish
  • Double click on GMER.exe to run it.
  • Select the Rootkit tab.
  • On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click on the Scan button.
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into the text editor.
  • Save the GMER scan log and post it in your next reply.
  • Close GMER.

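The scan the helper requests above produces a plain-text report, and the user's copy of it appears later in this thread. As an added example (not GMER's or the helper's own code), the Python below parses that report format using constructed sample lines modelled on the thread's GMER 1.0.15 output, and separates the SSDT hooks GMER could attribute to a named driver from hooks it reports only as a raw address, together with inline patches of kernel images. The line formats are assumed to be the ones visible in this thread; other GMER versions may print them differently.

```python
import re

# Constructed sample modelled on the GMER 1.0.15 report posted in this thread.
SAMPLE_GMER = [
    "---- System - GMER 1.0.15 ----",
    "",
    "SSDT 89F09630 ZwAssignProcessToJobObject",
    "SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF764787E]",
    "SSDT 89F08A60 ZwOpenProcess",
    "",
    "---- Kernel code sections - GMER 1.0.15 ----",
    "",
    "PAGE ntoskrnl.exe!SeAuditingFileEventsWithContext + 3D 805683FA 7 Bytes JMP 8A584120",
    "",
    "---- Devices - GMER 1.0.15 ----",
    "",
    "AttachedDevice \\FileSystem\\Ntfs \\Ntfs eamon.sys (Amon monitor/ESET)",
]

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER ")
# Hook whose owning driver GMER identified: "SSDT <driver> (<desc>/<vendor>) <Zw...> [0x<addr>]"
SSDT_ATTR_RE = re.compile(
    r"^SSDT (?P<module>\S+) \((?P<desc>[^/]+)/(?P<vendor>[^)]+)\) (?P<func>Zw\w+) \[0x(?P<addr>[0-9A-F]+)\]$"
)
# Hook GMER could only report as an address: "SSDT <addr> <Zw...>"
SSDT_RAW_RE = re.compile(r"^SSDT (?P<addr>[0-9A-F]{8}) (?P<func>Zw\w+)$")
# Inline patch of a kernel image: "<section> <image>!<func> [+ off] <addr> <n> Bytes <patch>"
INLINE_RE = re.compile(
    r"^(?P<sect>\.?\w+) (?P<image>\S+)!(?P<func>\w+)(?: \+ (?P<off>[0-9A-F]+))? "
    r"(?P<addr>[0-9A-F]{8}) (?P<n>\d+) Bytes (?P<patch>.+)$"
)


def parse_gmer(lines):
    """Group the report into attributed SSDT hooks, unattributed SSDT hooks
    and inline kernel-code patches, keyed by the '---- <section> ----' headers."""
    result = {"attributed": [], "unattributed": [], "inline": []}
    section = None
    for raw in lines:
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section == "System":
            m = SSDT_ATTR_RE.match(line)
            if m:
                result["attributed"].append((m.group("func"), m.group("module"), m.group("vendor")))
                continue
            m = SSDT_RAW_RE.match(line)
            if m:
                result["unattributed"].append((m.group("func"), m.group("addr")))
        elif section == "Kernel code sections":
            m = INLINE_RE.match(line)
            if m:
                result["inline"].append((m.group("image"), m.group("func"), m.group("patch")))
    return result


def review_list(parsed):
    """What a reviewer reads first: SSDT hooks with no owning driver named, and
    inline patches of kernel images. Security products (ESET and Lavasoft in
    this thread) hook the same places legitimately, so this is a review queue
    for a human, not a verdict."""
    items = [f"unattributed SSDT hook on {func} at {addr}" for func, addr in parsed["unattributed"]]
    items += [f"inline patch in {image}!{func}: {patch}" for image, func, patch in parsed["inline"]]
    return items


if __name__ == "__main__":
    parsed = parse_gmer(SAMPLE_GMER)
    for func, module, vendor in parsed["attributed"]:
        print(f"attributed   {func:30} {module} ({vendor})")
    for item in review_list(parsed):
        print("review      ", item)
```

Keeping attribution separate from the review queue is the point: the helper asks for the whole log precisely because a hook on ZwOpenProcess or ZwTerminateProcess is what a self-defending security suite installs as well as what a rootkit installs, and only the surrounding context (the installed software list, the owning driver, the patch target) tells them apart.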

#7 Squir3l
  • Topic Starter

  • Members
  • 14 posts

Posted 16 March 2009 - 03:45 AM

Thanks again. I was in no way putting you guys down, I was just explaining why I did what I did. I think what you guys do is great and I was amazed to see how many people post daily!

Anyway, TeaTimer is disabled.
Malwarebytes still can't remove the bad keys; maybe I should just add them to the ignore list? Log:

Malwarebytes' Anti-Malware 1.34
Database version: 1853
Windows 5.1.2600 Service Pack 3

3/16/2009 4:41:30 AM
mbam-log-2009-03-16 (04-41-19).txt

Scan type: Quick Scan
Objects scanned: 59701
Time elapsed: 4 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Here is the log from GMER as well:

GMER 1.0.15.14939 - http://www.gmer.net
Rootkit scan 2009-03-16 04:18:05
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 89F09630 ZwAssignProcessToJobObject
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF764787E]
SSDT 89F08A60 ZwOpenProcess
SSDT 89F08E80 ZwOpenThread
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7647C10]
SSDT 89F09460 ZwSuspendProcess
SSDT 89F09280 ZwSuspendThread
SSDT 89F08C90 ZwTerminateProcess
SSDT 89F090B0 ZwTerminateThread

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!SeAuditingFileEventsWithContext + 3D 805683FA 7 Bytes JMP 8A584120
? System32\Drivers\hiber_WMILIB.SYS The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET Smart Security\ekrn.exe[216] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [C2, 04, 00, 00]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Threads - GMER 1.0.15 ----

Thread System [4:524] 89F07790

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xBB 0xF4 0xA2 0xDF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x98 0x67 0x72 0x2E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@d0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA6 0xED 0xF8 0x0C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xBB 0xF4 0xA2 0xDF ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x98 0x67 0x72 0x2E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@d0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA6 0xED 0xF8 0x0C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xBB 0xF4 0xA2 0xDF ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x98 0x67 0x72 0x2E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@d0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA6 0xED 0xF8 0x0C ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG10.00.00.01WORKSTATION
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OOPM02.00.00.01PRO 20ED6D36B4EFA7C7374BA8C2293C4AA8978B195FE97E95499DF2DB8C00FCFD65CC67EF292681C3E4E4A22AA92731680293B4B21CD331B32B24D1117B8125CBC75473FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC79338EDD5E5BE2F6E667A6171C11EC38DE3DA6A0AC4980AC7933CEE7BF6F8B8E3F82F3F31BFD30B394B3BF9D05FA40BAE758F5083CB4C24C8A8D1537AA026A95971CE6E5E9BD3380439A9929D31005C1AFDEF164A70469B3DB3D0B8D39F1D3051A171FC3B53779B69F40EB3177BF34E19A299EC0E45B7BDBDFE6D2A3E56CE99EA17D20A363D9D384BD81BA485EDBEF58978B204C0E928AAE7EF35463936E4D152FEBB34B3EE9160B59D1D031DB105E52B76BE0689C58AD88C4623AEB854B2793E814E5B6F0FD19E1CD373B65A4D8A7F334458F28F0AE0037613E740F64AAA3B6173B85960E833A139FCCC9115305F9D3E6281DD74DEA1F80292FB4533C86F00EA63B28CC8CB8599A72BE1314683B87FC4F3842F25A372F9C93ECF3F3FDACC3A02801A5F1C2B25AEC92526E05C37306EE8FAA762DA210D4B53BC26CDD7D4254E5D08C1951F058A76E6C5BFAAAADFAAE1BEE4DF96916483CEDE2911D3673BB5D4C7975E26AB6E42DF912C49881CF713F6BD7FD4C44080614586CCDC9D0FB659DB29EE228701AE9DA5
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DA898608-635A-5EC5-EA7F-9D2587761389}

---- EOF - GMER 1.0.15 ----

#8 Odd dude
    I'm weird. Booo!
  • Members
  • 35 posts

Posted 16 March 2009 - 03:49 AM

That looks fine too.

What do you mean by "Malwarebytes still can't remove the bad keys"? The log shows you didn't even give it the instruction to remove them. Did you forget that or was it prevented by an error message of some kind?

We'll do two more scans to make sure I'm not missing anything.

DDS (Doesn't Do Squat)
Download DDS by sUBs to your desktop.
Your antivirus software might question the file. If it does, turn it off please :thumbup2:
  • Double click DDS.scr to run it and wait for the scan to finish
  • When finished DDS.txt will open
  • A small while later, a prompt will open. Answer Yes
  • DDS will continue scanning
  • When done, Attach.txt will open
  • Post DDS.txt and attach Attach.txt

Kaspersky Online Scan
I would like you to run an online antivirus scan. Please click here to be taken to the Kaspersky site.
  • The site will present you with a list of important items. Read those. If you're unsure about something, stop and ask! If you're sure everything is all right, close all other windows.
  • Now, click Accept.
  • It will start a download roughly 10 MB in size. If prompted by your firewall to allow internet access, allow.
  • Once the download has finished, click Next.
  • Under Please select a target to scan, choose My Computer
  • Get a cup of coffee and watch some TV. Do not run any other programs while Kaspersky is scanning! If you're on dial-up, you can now terminate the internet connection if you wish.
  • Once finished, you will be presented with the results. Click Save as text and save the log to your desktop.
Post the results in your next reply.


Post:
- answer to question re malwarebytes
- DDS log.txt
- kaspersky log

Attach:
- DDS attach.txt

#9 Squir3l
  • Topic Starter
  • Members
  • 14 posts

Posted 16 March 2009 - 04:05 AM

The reg keys can't be altered in any way manually. Malwarebytes says it can't delete them and will add them to be removed on reboot, but they do get removed. Every log says no action taken no matter what I do. I think they are remnants of something that is no longer a problem. I noticed similar reg key remnants in one of the scans from OO Defrag & Partition software that I uninstalled too.

Here is the DDS stuff. I will do the online scan now; I just figured I should give you what I have so far, since you're still up too. :-)

DDS log:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Paul at 4:56:36.81 on Mon 03/16/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1437 [GMT -4:00]

AV: ESET Smart Security 4.0 *On-access scanning enabled* (Updated)
FW: ESET Personal firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET Smart Security\ekrn.exe
C:\BBClean\blackbox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Malwarebytes\mbamgui.exe
C:\Program Files\ESET Smart Security\egui.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files\SysTrayMeter\SysTrayMeter.exe
C:\Program Files\Firefox\firefox.exe
C:\Program Files\Adobe Reader\Reader\AcroRd32.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
mWinlogon: Shell=c:\bbclean\blackbox.exe
mWinlogon: UIHost=c:\documents and settings\all users\application data\tuneup software\tuneup utilities\winstyler\tu_logonui.exe
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes\mbamgui.exe" /starttray
mRun: [egui] "c:\program files\eset smart security\egui.exe" /hide /waitservice
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\systra~1.lnk - c:\program files\systraymeter\SysTrayMeter.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\rainme~1.lnk - c:\program files\rainmeter\Rainmeter.exe
uPolicies-explorer: MaxRecentDocs = 11 (0xb)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} - hxxps://ssl.encorium.com/dana-cached/setup/NeoterisSetup.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129835243676
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129835234420
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
TCP: {5E6F3028-B168-4927-9C06-445D40140952} = 192.168.0.1
TCP: {D2F39AAA-64F4-4537-952D-E8FEA3D27A97} = 192.168.0.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - No File
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\5gf12oeq.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\5gf12oeq.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\adobe reader\reader\browser\nppdf32.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.urlbar.autoFill - true
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.pipelining.maxrequests - 8

============= SERVICES / DRIVERS ===============

R0 ilcffezs;ilcffezs;c:\windows\system32\drivers\ilcffezs.sys [2004-8-11 23424]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-28 64160]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-2-13 106208]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 ekrn;ESET Service;c:\program files\eset smart security\ekrn.exe [2009-2-13 727720]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 951632]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2005-3-28 80384]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-10-24 15504]
S2 MBAMService;MBAMService;c:\program files\malwarebytes\mbamservice.exe [2008-10-24 179856]
S3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [2005-10-25 36676]
S3 RapNet;RapNet;c:\windows\system32\drivers\RapNet.sys [2005-10-25 24344]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]

=============== Created Last 30 ================

2009-03-16 03:03 <DIR> --d----- C:\GMER
2009-03-04 15:50 <DIR> --d----- c:\program files\Xplorer2
2009-03-04 15:32 <DIR> --d----- c:\docume~1\admini~1\applic~1\Axialis
2009-03-04 04:46 <DIR> --d----- c:\docume~1\admini~1\applic~1\ESET
2009-03-04 04:44 <DIR> --d----- c:\program files\ESET Smart Security
2009-03-04 00:28 <DIR> --d----- c:\docume~1\admini~1\applic~1\InfraRecorder
2009-03-04 00:24 <DIR> --d----- c:\program files\InfraRecorder
2009-03-03 05:27 60,273 a------- c:\windows\system32\pthreadGC2.dll
2009-03-03 04:24 <DIR> --d----- c:\program files\winMd5Sum
2009-03-03 00:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-03 00:03 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-03 00:03 <DIR> --d----- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2009-03-02 20:56 <DIR> a-dshr-- C:\cmdcons
2009-03-02 19:20 <DIR> --d----- c:\program files\MeediOS
2009-03-02 19:01 <DIR> --d----- c:\windows\Logs
2009-03-01 21:24 <DIR> --d----- c:\program files\BSplayerPro
2009-03-01 21:19 547 a------- c:\windows\system32\ff_vfw.dll.manifest
2009-03-01 21:19 67,584 a------- c:\windows\system32\ff_vfw.dll
2009-03-01 21:19 <DIR> --d----- c:\program files\Ffdshow
2009-03-01 15:36 <DIR> --d----- c:\docume~1\admini~1\applic~1\Safer Networking
2009-03-01 03:41 <DIR> --d----- c:\program files\DriveImage
2009-02-28 22:32 15,688 a------- c:\windows\system32\lsdelete.exe
2009-02-28 22:13 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-28 22:00 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-28 22:00 <DIR> --d----- c:\program files\Lavasoft
2009-02-28 21:57 25,992 a------- c:\windows\system32\pgdfgsvc.exe
2009-02-28 21:45 116,224 a------- c:\windows\system32\dllcache\xrxwiadr.dll
2009-02-28 21:45 23,040 a------- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-02-28 21:45 18,944 a------- c:\windows\system32\dllcache\xrxscnui.dll
2009-02-28 21:45 27,648 a------- c:\windows\system32\dllcache\xrxftplt.exe
2009-02-28 21:45 4,608 a------- c:\windows\system32\dllcache\xrxflnch.exe
2009-02-28 21:45 99,865 a------- c:\windows\system32\dllcache\xlog.exe
2009-02-28 21:45 28,288 a------- c:\windows\system32\dllcache\xjis.nls
2009-02-28 21:45 16,970 a------- c:\windows\system32\dllcache\xem336n5.sys
2009-02-28 21:45 19,455 a------- c:\windows\system32\dllcache\wvchntxx.sys
2009-02-28 21:43 35,871 a------- c:\windows\system32\dllcache\wbfirdma.sys
2009-02-28 21:42 687,999 a------- c:\windows\system32\dllcache\usrwdxjs.sys
2009-02-28 21:41 69,632 a------- c:\windows\system32\dllcache\umaxu12.dll
2009-02-28 21:41 50,688 a------- c:\windows\system32\dllcache\umaxscan.dll
2009-02-28 21:41 22,912 a------- c:\windows\system32\dllcache\umaxpcls.sys
2009-02-28 21:41 50,176 a------- c:\windows\system32\dllcache\umaxp60.dll
2009-02-28 21:41 47,616 a------- c:\windows\system32\dllcache\umaxcam.dll
2009-02-28 21:41 211,968 a------- c:\windows\system32\dllcache\um54scan.dll
2009-02-28 21:41 216,064 a------- c:\windows\system32\dllcache\um34scan.dll
2009-02-28 21:41 11,520 a------- c:\windows\system32\dllcache\twotrack.sys
2009-02-28 21:41 14,336 a------- c:\windows\system32\dllcache\tsprof.exe
2009-02-28 21:41 166,784 a------- c:\windows\system32\dllcache\tridxpm.sys
2009-02-28 21:41 525,568 a------- c:\windows\system32\dllcache\tridxp.dll
2009-02-28 21:41 159,232 a------- c:\windows\system32\dllcache\tridkbm.sys
2009-02-28 21:41 440,576 a------- c:\windows\system32\dllcache\tridkb.dll
2009-02-28 21:39 37,961 a------- c:\windows\system32\dllcache\tdk100b.sys
2009-02-28 21:38 155,648 a------- c:\windows\system32\dllcache\stlnprop.dll
2009-02-28 21:37 9,600 a------- c:\windows\system32\dllcache\sonymc.sys
2009-02-28 21:36 30,208 a------- c:\windows\system32\dllcache\sm81w.dll
2009-02-28 21:35 98,080 a------- c:\windows\system32\dllcache\sgiulnt5.sys
2009-02-28 21:34 245,632 a------- c:\windows\system32\dllcache\s3savmx.dll
2009-02-28 21:33 30,720 a------- c:\windows\system32\dllcache\rthwcls.sys
2009-02-28 21:32 112,574 a------- c:\windows\system32\dllcache\ptserlp.sys
2009-02-28 21:31 16,384 a------- c:\windows\system32\dllcache\philcam1.dll
2009-02-28 21:30 20,480 a------- c:\windows\system32\dllcache\ovcomc.dll
2009-02-28 21:29 51,552 a------- c:\windows\system32\dllcache\ntgrip.sys
2009-02-28 21:28 59,104 a------- c:\windows\system32\dllcache\n9i128v2.dll
2009-02-28 21:27 1,875,968 a------- c:\windows\system32\dllcache\msir3jp.lex
2009-02-28 21:26 7,424 a------- c:\windows\system32\dllcache\mammoth.sys
2009-02-28 21:24 70,730 a------- c:\windows\system32\dllcache\lne100tx.sys
2009-02-28 21:23 9,216 a------- c:\windows\system32\dllcache\kbdnecat.dll
2009-02-28 21:22 13,056 a------- c:\windows\system32\dllcache\inport.sys
2009-02-28 21:21 109,085 a------- c:\windows\system32\dllcache\ibmtrp.sys
2009-02-28 21:20 67,167 a------- c:\windows\system32\dllcache\hsf_bsc2.sys
2009-02-28 21:19 907,456 a------- c:\windows\system32\dllcache\hcf_msft.sys
2009-02-28 21:18 43,520 a------- c:\windows\system32\dllcache\EXCH_fcachdll.dll
2009-02-28 21:17 629,952 a------- c:\windows\system32\dllcache\eqn.sys
2009-02-28 21:16 28,062 a------- c:\windows\system32\dllcache\dp83820.sys
2009-02-28 21:15 110,592 a------- c:\windows\system32\dllcache\dc260usd.dll
2009-02-28 21:14 272,640 a------- c:\windows\system32\dllcache\cinemclc.sys
2009-02-28 21:13 11,008 a------- c:\windows\system32\dllcache\brusbmdm.sys
2009-02-28 21:12 5,632 a------- c:\windows\system32\dllcache\EXCH_adsiisex.dll
2009-02-28 18:07 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-28 18:07 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-27 22:51 138,384 a------- c:\windows\system32\drivers\tmcomm.sys
2009-02-27 21:56 <DIR> --d----- c:\program files\Registry Cleaner
2009-02-27 19:48 <DIR> --d-h--- C:\6b776ceacf6d6e427b02748d
2009-02-27 19:47 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-02-27 19:44 <DIR> --d-h--- C:\220ba7bb085b904390fc7b
2009-02-27 19:44 <DIR> --d----- c:\windows\SxsCaPendDel
2009-02-27 06:58 971,552 a------- c:\windows\system32\drivers\tdrpm174.sys
2009-02-27 06:58 44,704 a------- c:\windows\system32\drivers\tifsfilt.sys
2009-02-27 06:58 540,000 a------- c:\windows\system32\drivers\timntr.sys
2009-02-21 23:46 <DIR> --d----- c:\documents and settings\administrator\LocalLow
2009-02-21 23:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TVU Networks

==================== Find3M ====================

2009-03-04 14:54 361,600 a------- c:\windows\system32\drivers\TCPIP.SYS
2009-03-04 14:54 361,600 a------- c:\windows\system32\dllcache\TCPIP.SYS
2009-02-13 14:08 56,280 a------- c:\windows\system32\drivers\epfwtdi.sys
2009-02-13 14:08 33,096 a------- c:\windows\system32\drivers\epfwndis.sys
2009-02-13 14:08 130,952 a------- c:\windows\system32\drivers\epfw.sys
2009-02-13 14:07 106,208 a------- c:\windows\system32\drivers\ehdrv.sys
2009-02-13 14:06 113,448 a------- c:\windows\system32\drivers\eamon.sys
2009-02-11 11:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 11:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\dllcache\win32k.sys
2009-01-16 22:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 05:10 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 05:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 01:25 634,024 a------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 01:23 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2007-07-21 17:34 21,736 a------- c:\docume~1\admini~1\applic~1\GDIPFONTCACHEV1.DAT
2007-10-24 13:23 108 a--shr-- c:\windows\neoqaz2.dll
2008-06-11 02:06 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008061120080612\index.dat

============= FINISH: 4:57:29.59 ===============


#10 Odd dude
    I'm weird. Booo!
  • Members
  • 35 posts

Posted 16 March 2009 - 04:14 AM

Will go over those logs soon - however, instructions will have to wait until I get the Kaspersky results.

#11 Squir3l
  • Topic Starter
  • Members
  • 14 posts

Posted 16 March 2009 - 04:24 AM

OK, starting the scan as soon as it updates, but I probably won't post anything until tomorrow; getting tired. Thanks for all your help tonight. Talk to you later.

#12 Squir3l
  • Topic Starter
  • Members
  • 14 posts

Posted 16 March 2009 - 01:33 PM

The online scan didn't find anything.

Attached Files

  • Attached File  kas.html   2.57KB   22 downloads


#13 Odd dude
    I'm weird. Booo!
  • Members
  • 35 posts

Posted 16 March 2009 - 01:50 PM

Good news - no active infections :thumbup2:

One file which concerns me, though. Nothing to worry about - most likely a leftover.

But before that - something very important!

Enable System Restore
If something goes wrong during the removal sequence I want you to be able to revert the changes made. To enable the System Restore feature, right-click My Computer on your desktop and select Properties.
On the System Restore tab, remove the check from Disable System Restore. Reboot if required.

Submit a file for analysis
We need to have something checked for malware. Please go to Jotti's.
  • Click Browse next to File to upload & scan and copy and paste the first line of the following list into the browse box:
    c:\windows\neoqaz2.dll
  • Click Submit. The file will now be scanned for malware and the results will be displayed on the screen. Select the part where the virus scan results are shown (the part starting with A-squared and ending with VBA32) and copy and paste this to notepad.
  • Repeat this procedure for any other files I have listed.
  • Copy and paste the whole notepad file you just made into your reply.
Update your Adobe Reader
Your version of Adobe Reader is old and may contain security leaks. Please first uninstall the older version, then download and install the newest version from here.

Also - please be aware that programs like µTorrent very easily allow you to haul in infections. Just something to keep in mind. Use that program with caution.


Now...... the thing with Malwarebytes'....

Let's try the easy, painless way first.

Backup the registry
  • Download ERUNT to your desktop from HERE
  • Double-click on the file to install the program
  • Uncheck the NTREGOPT desktop shortcut option
  • Click No when you get the option to run ERUNT at Windows startup.
  • During the installation, check Launch ERUNT
  • Accept the defaults for running a backup
  • ERUNT will then back up your registry
Modifying the registry
  • Copy/paste the contents of the code box below to notepad
  • Make sure that Word Wrap is turned off in notepad: click the Format menu and uncheck Word Wrap
  • Save the file to your desktop as "fix.reg" and please include the quotation marks!
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu]

Important:
  • Make sure there are NO blank lines before the first line of my code; otherwise the fix will fail
  • Make sure there IS one blank line at the end of the file
  • Make sure that you have copied all of the text!
  • REBOOT to SAFE MODE. To do this, press F8 right before the Windows logo comes up (it's best to start tapping the key once your computer has gone past the first BIOS screen). If you did this correctly, a menu will come up. If it says "Windows XP Professional", press F8 again. You should see an option Safe Mode listed there, pick that.
    Keep in mind that there is no internet in safe mode so you'll have to write down the following.
  • Close notepad and make sure that all other windows are closed!
  • Now double-click fix.reg, and when the computer prompts a registry merge choose Yes.
  • REBOOT to NORMAL MODE (don't press F8, let it boot normally)

Do a fresh scan with Malwarebytes and tell me if the problem persists.

Edited by Odd dude, 16 March 2009 - 01:55 PM.
fixed error in color coding
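An added worked example, written for this thread and not code from Malwarebytes, from Odd dude or from the original post: it shows what sits behind post #8's question about "No action taken" and post #13's fix.reg instructions. It parses a constructed Malwarebytes 1.x-style log (the two "No action taken" entries copy the thread's paths; the third entry and its "Delete on reboot." action are made up to show an item the scanner already scheduled), lists what was flagged but left untouched, writes a .reg file for those items, and checks the file against the constraints post #13 spells out (header on the very first line, trailing newline, no line broken by Word Wrap). One caveat a practitioner would want: the log reports the four items under "Registry Values Infected", and in .reg syntax a value is removed with `"name"=-` inside its parent key's section, whereas `[-Key]` removes a subkey, so the script emits different syntax for the two sections.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of a Malwarebytes' Anti-Malware 1.x log.
# The two "No action taken" entries mirror the thread; the third entry is made up
# to show an item the scanner has already scheduled for removal.
SAMPLE_MBAM_LOG = (
    "Malwarebytes' Anti-Malware 1.34\n"
    "Database version: 1853\n"
    "\n"
    "Registry Keys Infected: 0\n"
    "Registry Values Infected: 3\n"
    "\n"
    "Registry Keys Infected:\n"
    "(No malicious items detected)\n"
    "\n"
    "Registry Values Infected:\n"
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Settings\\bf (Trojan.Agent) -> No action taken.\n"
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Settings\\bk (Trojan.Agent) -> No action taken.\n"
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Settings\\iu (Trojan.Agent) -> Delete on reboot.\n"
    "\n"
    "Files Infected:\n"
    "(No malicious items detected)\n"
)

Entry = Tuple[str, str, str]  # (registry path, detection name, action MBAM reports)

# "<path> (<detection>) -> <action>."  Paths contain spaces, so the greedy path group
# backtracks to the last parenthesised group before the arrow.
ENTRY_RE = re.compile(r"^(?P<path>.+) \((?P<detection>[^()]+)\) -> (?P<action>[^.]+)\.?$")


def parse_mbam_log(text: str) -> Dict[str, List[Entry]]:
    """Group the detection lines of an MBAM log under their 'Infected:' section."""
    sections: Dict[str, List[Entry]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):          # section heading, e.g. "Registry Values Infected:"
            current = line[:-1]
            sections[current] = []
        elif current and line and not line.startswith("("):
            m = ENTRY_RE.match(line)
            if m:
                sections[current].append((m["path"], m["detection"], m["action"]))
    return sections


def not_removed(sections: Dict[str, List[Entry]]) -> List[Tuple[str, str]]:
    """(section, path) for everything MBAM flagged but did not act on."""
    return [(sec, path) for sec, entries in sections.items()
            for path, _, action in entries if action == "No action taken"]


REG_HEADER = "Windows Registry Editor Version 5.00"


def build_reg_script(items: List[Tuple[str, str]]) -> str:
    """Emit a .reg file removing the given items.

    [-Key] deletes a whole key; a value is deleted with "name"=- inside its
    parent key's section, so the two MBAM sections need different syntax.
    """
    lines = [REG_HEADER, ""]
    values_by_key: Dict[str, List[str]] = {}
    for section, path in items:
        if section == "Registry Keys Infected":
            lines.append(f"[-{path}]")
        elif section == "Registry Values Infected":
            key, _, name = path.rpartition("\\")
            values_by_key.setdefault(key, []).append(name)
        # "Registry Data Items Infected" are modified data, not deletions: skipped here.
    for key, names in values_by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for name in names)
    lines.append("")                                # regedit wants a trailing newline
    return "\n".join(lines)


def validate_reg(text: str) -> List[str]:
    """Return the problems that make regedit reject a .reg file (empty list = OK)."""
    problems: List[str] = []
    lines = text.splitlines()
    if not lines or lines[0] != REG_HEADER:
        problems.append("header must be the very first line (no blank lines before it)")
    if not text.endswith("\n"):
        problems.append("file must end with a newline")
    for n, line in enumerate(lines[1:], start=2):
        ok = (not line or line.startswith(";") or line.startswith("@")
              or line.startswith('"') or (line.startswith("[") and line.endswith("]")))
        if not ok:                                  # e.g. a key path split by Word Wrap
            problems.append(f"line {n}: not a key, value or comment: {line!r}")
    return problems


if __name__ == "__main__":
    pending = not_removed(parse_mbam_log(SAMPLE_MBAM_LOG))
    script = build_reg_script(pending)
    print(script)
    print("problems:", validate_reg(script) or "none")
```

Running the block prints a .reg file with one `[HKEY_LOCAL_MACHINE\...\Browser Settings]` section and `"bf"=-` / `"bk"=-` lines; the `iu` entry is left out because the sample log already shows it scheduled for deletion. Feeding `validate_reg` a copy with a leading blank line, a missing final newline, or a key path wrapped across two lines reports each of those as a problem, which is exactly what post #13's "no blank lines before the first line" and "Word Wrap off" rules guard against.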


#14 Squir3l
  • Topic Starter
  • Members
  • 14 posts

Posted 18 March 2009 - 04:26 AM

ok, system restore on
file seems ok
adobe updated
reg backed up
applied fix in safe mode, but didn't remove keys
I uploaded the .reg file that I made, so you can see if I did it correctly
thanks for the help

Attached Files

  • Attached File  Jotti.txt   753bytes   19 downloads
  • Attached File  fix.reg   416bytes   21 downloads


#15 Odd dude
    I'm weird. Booo!
  • Members
  • 35 posts

Posted 18 March 2009 - 06:39 AM

This is one stubborn thing....

Okay, you did everything correctly but it still won't go.

Let's now use the big gun.

The Avenger
Download The Avenger and save it to your desktop.
  • Right click the file you just downloaded and choose Extract all.
  • Accept all defaults.
  • A folder will be created on your desktop, and it should pop up automatically.
  • Start the tool by double clicking avenger.exe.
  • Click OK when prompted.
  • Put a check next to Scan for rootkits, but not next to Automatically disable any rootkits found.
  • Copy and paste this to the Input script here: box:
    Registry keys to delete:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu
  • Click the Execute button.
  • The Avenger will inform you it has been set up and will kindly offer to reboot. Please allow it to reboot your computer.
  • It may be that the Avenger needs another reboot to completely remove some deeply entrenched malware. In this case, it will force a blue screen crash error (Blue Screen of Death) after the first reboot. Please don't freak out when this happens.
  • After the reboot(s) have taken place, a command window zipping up all the removed malware should quickly pop up and disappear, along with the log file. The log can also be found as avenger.txt in the root of your drive (usually C:\).
  • Post the log in your next reply along with a new hijackthis log and a new uninstall list.
