
Gaopdxewmyqvpa.sys and others


23 replies to this topic

#1 Smedlow

Smedlow

  • Members
  • 40 posts

Posted 04 March 2009 - 01:44 AM


The computer I am working on was infected with Internet Antivirus Pro, iamfamous.dll (Trojan.Agent),gaopdxewmyqvpa.sys (Trojan.Agent),gaopdxppexrmql.dll (Trojan.Agent), Win32/VMalum.ENIQ,coolplay (Trojan.DNSChanger). These were found and removed by running a series of tools including Etrust Antivirus, Malwarebytes Anti Malware, Spybot Search and Destroy, Ad Aware, SD Fix, SuperAntispyware, Smitfraud, and RootRepealer.

I tried to download ComboFix to the computer but as soon as it was downloaded, it would be immediately deleted. Even a zip file containing it would be immediately deleted. I finally archived it with a WinRar and it wasn't deleted, but when removed from the archive, it disappeared.

My last solution was to restart the computer in Safe Mode and try installing ComboFix which I did successfully. I ran the program and when it completed, the offending Trojans were gone and haven't shown up on a scan with any of the above tools since.

Because something is still autodeleting ComboFix.exe, I was referred to this forum for analysis. I realize that I may not need to run ComboFix until instructed, however if it won't exist on the machine, there is still a problem.

A much more detailed explanation of the history of this problem and progress can be found here: http://www.bleepingcomputer.com/forums/t/206819/malware-blocks-scanners-search-engines-and-ie7/


Here is the DDS.txt log





DDS (Ver_09-02-01.01) - NTFSx86
Run by Robert at 23:23:42.76 on Tue 03/03/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1554 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NTR global\NTRconnect\NTRconnect.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Documents and Settings\Robert\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.cnn.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: NoExplorer - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [EPSON Stylus CX3800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /M "Stylus CX3800" /EF "HKCU"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [EPSON Stylus CX3800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Realtime Monitor] c:\progra~1\ca\etrust~1\realmon.exe -s
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\robert\applic~1\mozilla\firefox\profiles\u1ammvyo.default\

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-26 64160]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2001-10-22 31192]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2000-9-11 10816]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]
R2 ntrconnect;NTRConnect;c:\program files\ntr global\ntrconnect\NTRconnect.exe [2008-10-29 89600]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2001-11-2 110651]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2008-11-23 20992]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]

=============== Created Last 30 ================

2009-02-27 11:48 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-27 11:48 --d----- c:\program files\SUPERAntiSpyware
2009-02-27 11:48 --d----- c:\docume~1\robert\applic~1\SUPERAntiSpyware.com
2009-02-27 11:48 --d----- c:\program files\common files\Wise Installation Wizard
2009-02-27 10:52 a-dshr-- C:\cmdcons
2009-02-27 10:49 161,792 a------- c:\windows\SWREG.exe
2009-02-27 10:49 98,816 a------- c:\windows\sed.exe
2009-02-27 10:48 --d----- C:\ComboFix
2009-02-26 22:17 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-02-26 18:56 --d----- C:\a706802420c5a8fb1733474f3b0c4299
2009-02-26 18:55 --d----- c:\windows\SxsCaPendDel
2009-02-26 16:32 --d----- c:\docume~1\robert\applic~1\Malwarebytes
2009-02-26 16:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-26 16:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-26 16:32 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-26 16:32 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-26 16:06 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-02-26 16:05 --d----- c:\windows\ERUNT
2009-02-26 16:03 --d----- C:\SDFix
2009-02-26 15:27 15,688 a------- c:\windows\system32\lsdelete.exe
2009-02-26 14:19 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-26 14:19 -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-26 14:18 --d----- c:\program files\Lavasoft
2009-02-26 13:24 --d----- c:\program files\TweakNow PowerPack Pro
2009-02-26 13:24 --d----- c:\docume~1\robert\applic~1\TweakNow PowerPack
2009-02-26 13:19 28,460 a------- c:\windows\inoc6.icf
2009-02-26 13:19 47 a------- c:\windows\InoSetup.ini
2009-02-26 13:19 113,728 a------- c:\windows\system32\drivers\ino_fltr.sys
2009-02-26 13:19 36,864 a------- c:\windows\RmvDir.exe
2009-02-26 13:19 19,776 a------- c:\windows\system32\drivers\ino_flpy.sys
2009-02-26 13:19 --d----- c:\program files\CA
2009-02-26 13:18 306,688 a------- c:\windows\IsUninst.exe
2009-02-26 10:53 --d----- c:\program files\NTR global
2009-02-26 10:44 --d----- c:\docume~1\robert\applic~1\ntr
2009-02-20 14:33 120,379 a------- c:\windows\system32\SYMEVNT.386
2009-02-20 14:33 57,968 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-20 14:33 36,864 a------- c:\windows\system32\S32EVNT1.DLL
2009-02-20 14:33 4,032 a------- c:\windows\system32\SYMEVNT1.DLL
2009-02-20 13:56 --d----- c:\docume~1\robert\applic~1\Symantec
2009-02-20 13:56 --d----- c:\program files\common files\Symantec Shared
2009-02-20 13:56 --d----- c:\program files\Symantec
2009-02-20 13:56 --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-02-20 13:27 --d----- c:\windows\system32\appmgmt
2009-02-09 11:27 --d----- c:\program files\Garmin GPS Plugin
2009-02-09 11:27 --d----- c:\program files\Garmin
2009-02-09 11:21 --d----- c:\docume~1\alluse~1\applic~1\WinZipSE
2009-02-09 11:21 --d----- c:\program files\WinZip Self-Extractor
2009-02-03 15:11 0 a------- c:\windows\system32\budda

==================== Find3M ====================

2009-01-28 08:45 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-21 07:49 118,656 a------- c:\windows\system32\drivers\Rtnicxp.sys
2009-01-16 14:45 73,728 a------- c:\windows\system32\RtNicProp32.dll
2008-12-20 16:15 826,368 a------- c:\windows\system32\wininet.dll

============= FINISH: 23:24:15.40 ===============


Thanks very much for your time and help.

Edited by Smedlow, 04 March 2009 - 01:47 AM.



#2 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 12 March 2009 - 08:58 PM

Howdy, my name is Hoov, and I will be helping you with your dilemma. Apologies for taking so long in getting to you and your problem.

Please make sure you watch this thread for responses. If you click the options tab at the top of your first post, you can select to track this thread.

Here is what I am asking you to do during the repair of your computer

*Tell me everything that you have done, if anything, to try and fix this problem.

*Please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out their hair.

*Follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go. Don't install anything, even other programs that have nothing to do with security or malware, it could cause things to change, and I would never know it.

*Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

*Stick with me to the end. My aim is to fix your problems, and give you the tools and knowledge to keep this from happening again.

Now onto trying to fix your computer.

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Are you having any other problems, or is the auto deleting of combofix all that is left?
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families


#3 Smedlow

Smedlow
  • Topic Starter

  • Members
  • 40 posts

Posted 14 March 2009 - 03:44 AM

I can post all of the steps I have taken in this log, if you wish. I linked to them in my post above. I haven't done anything to the computer for a week, but when I talked to my Dad yesterday, he told me it was working fine. When I left it, all of the scanners were not finding anything. The main fact is that ComboFix can not exist on the computer which indicates something is wrong, I would think.

I am ready to do whatever you ask. A new scan might show if something new has cropped up in the interim, but I was told not to do anything until someone was available to help. There are way too many scanners on his system now which may confuse the issue. If you want all the steps I took in sequence, please say so and I will post them immediately.

Thank you for helping.

#4 Smedlow

Smedlow
  • Topic Starter

  • Members
  • 40 posts

Posted 14 March 2009 - 10:17 AM

After re-reading your initial post, here is everything I have done so far...in one place.

Internet Antivirus Pro was installed, much to my chagrin, but walking him through its removal was impossible. A few days later, I logged in to his XP SP3 computer and uninstalled it as well as removed the files and registry keys associated with it. I used NTR Control (which I recommend, by the way. The only disadvantage with the free edition is no file transfer) He was running AVG Antivirus Free which would not update and did not find any viruses. After being unable to update it, I uninstalled it and installed and updated ETrust Antivirus, and with the current definitions, found one virus (Win32/VMalum.ENIQ) for which I deleted the file. About this time I discovered that IE7 wouldn't load and wanted to send a message to Microsoft. Also, using Firefox, links in the Google or Yahoo search engine would switch to something else when clicked on. Dogpile worked OK though.

I downloaded and installed Ad-aware which I couldn't update normally. I downloaded the definitions on my computer and installed them remotely. Only a dozen cookies and two malware were found which surprised me because there is usually a bigger list of fairly innocuous stuff. I tried to download Spybot Search and Destroy, but the site was blocked. I downloaded it along with current definitions and uploaded to his computer, but it will not run.

I can get to Microsoft.com on Firefox, but can not get to Windows Update or Microsoft Update. I get sidetracked to Google.

In safe mode, I downloaded SDFix which found nothing I could see. In safe mode, I put Malwarebytes Anti Malware and it found the following:

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 101118
Time elapsed: 13 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\coolplay (Trojan.DNSChanger) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\internet antivirus pro_is1 (Rogue.InternetAntivirus) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Common Files\InternetAntivirusPro.exe (Rogue.Installer) -> No action taken.
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> No action take

I rescanned with Etrust and found nothing.

IE7 still will not run. Update....I reset all the IE7 settings from Internet Options in the control panel and I got IE7 running again.
Spybot S and D will not run or update
Ad Aware will not update
Malwarebytes Anti Malware won't update, but its definitions are from Feb 11, 2009

Running Malwarebytes Anti Malware again NOT in Safe Mode gave me two Trojans noted below:

Files Infected:
C:\WINDOWS\system32\gaopdxppexrmql.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxewmyqvpa.sys (Trojan.Agent) -> Quarantined and deleted successfully.


Windows firewall is running, but I created exceptions for all the above programs.
There are no odd processes running.
TCP/IP addresses for the computer and DNS server are being assigned automatically.
LMHosts file has nothing in it.
Something is obviously still going on. I would love some help finding it. Thanks in Advance


I reset all the IE7 settings from Internet Options in the control panel and I got IE7 running again. Then I tried to run Spybot and update Adaware, and they ran and updated properly. There was something in IE7 settings, apparently, that was limiting normal internet access.

I scanned again with Spybot and it brought out the W32.TDSS.rtk and said it removed it from two files. I thought I would go ahead and run Combofix and tried to file transfer from my computer, but although it transferred, it wasn't there when I went to run it. Then, I tried to download it from the links in this forum. From link 1, it downloaded, but wasn't there. Then link 1 was dead. From link 2, same story. From link 3, I changed the name and file type to a zip file just to get it downloaded, and the file download crashed.

I zipped the file into a random file name, then file transferred it to Dad's computer, and it was there on the desktop until I closed the transfer window, and it disappeared. Another Spybot S and D scan showed nothing.

I have run Malwarebytes AntiMalware in normal mode and have closed down all the malware scanners. The fact that either a zip file containing ComboFix or the program itself can't exist on the computer in normal mode is intriguing. A rar archive with combofix in it can exist but not a zip. Changing the name of ComboFix doesn't matter. It is immediately deleted.

I restarted the computer in Safe Mode and have successfully gotten ComboFix on the desktop. I have not yet run it.


I ran RootRepeal and it reveals the following:

ROOTREPEAL AD, 2007-2008
==================================================
Scan Time: 2009/02/27 09:03
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA8B87000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5EC000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8B37000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\Program Files\NTR global\NTRconnect\ntrsm.log
Status: Size mismatch (API: 4246674, Raw: 4245153)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xba0f887e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xba0f8c10

Hidden Services
-------------------
Service Name: gaopdxserv.sys
Image Path: C:\WINDOWS\system32\drivers\gaopdxewmyqvpa.sys

Lbd.sys is apparently part of Ad-Aware.
The hidden service with the funny name however, I can't find on the computer.
The file name doesn't exist. Even from the command prompt.
I tried to delete the file RootRepeal and it can't find it either.

It seems that whoever programmed this thing was scared of ComboFix.

From Safe Mode, I was able to run ComboFix which eliminated (permanently, I hope) gaopdxewmyqvpa.sys from hidden services. As I said before, it has always been invisible in the System32/drivers/ directory, even to the program that reported that it was present and running (RootRepealer). Anyway, I brought Windows back from Safe Mode to normal and, as I feared, ComboFix was no longer on the desktop. I tried again unsuccessfully to extract it from the .rar archive I have it stored in.

Something will not let it exist anywhere in the explorer shell. Without being able to see the file or see it run, it is quite perplexing. The computer seems to be running normally other than that.


The final steps which resulted in the log in my first post here are detailed in that first post.
Thanks again, Hoov.
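As an added example (not from this thread, and not part of RootRepeal, Malwarebytes or any other tool named in it), the script below parses scanner output of the shape quoted in the post above and flags what a responder would look at first: entries in the Hidden Services section, drivers with no visible file on disk other than the expected crash-dump (dump_*) and scanner drivers, SSDT hooks placed by a module not on an allowlist, and static NameServer registry values that differ from the resolvers the administrator expects. The sample text is taken from the RootRepeal and Malwarebytes logs in the post, except for the driver entry example_unknown.sys, which is constructed; the allowlist {"Lbd.sys"} (the poster identifies that driver as Ad-Aware's) and the expected resolver 192.168.1.1 are assumptions for the demonstration.

```python
# Added triage helper for RootRepeal / Malwarebytes text logs.
# Sample logs below are taken from the thread, except example_unknown.sys (constructed).
import re

ROOTREPEAL_SAMPLE = r"""Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8B37000 Size: 45056 File Visible: No
Status: -

Name: example_unknown.sys
Image Path: C:\WINDOWS\system32\drivers\example_unknown.sys
Address: 0xA8C00000 Size: 20480 File Visible: No
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xba0f887e

Hidden Services
-------------------
Service Name: gaopdxserv.sys
Image Path: C:\WINDOWS\system32\drivers\gaopdxewmyqvpa.sys
"""

MBAM_SAMPLE = r"""Registry Keys Infected:
HKEY_CLASSES_ROOT\coolplay (Trojan.DNSChanger) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> No action taken.
"""


def parse_rootrepeal(text):
    """Split a RootRepeal report into {section heading: [record, ...]} where each
    record is the list of its raw lines. A heading is any line directly followed
    by a dashed rule; records inside a section are separated by blank lines."""
    sections, current, block = {}, None, []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if nxt.startswith("---"):            # heading line
            if block and current is not None:
                sections[current].append(block)
            current, block = line.strip(), []
            sections[current] = []
            continue
        if current is None or line.startswith("---"):
            continue                          # report header or the rule itself
        if not line.strip():                  # blank line closes a record
            if block:
                sections[current].append(block)
                block = []
            continue
        block.append(line.rstrip())
    if block and current is not None:
        sections[current].append(block)
    return sections


def field(block, name):
    """Value of the first 'name: value' line in a record, or None."""
    for line in block:
        if line.startswith(name + ":"):
            return line.partition(":")[2].strip()
    return None


HOOK_RE = re.compile(r'Hooked by "([^"]+)" at address (0x[0-9A-Fa-f]+)')
FUNC_RE = re.compile(r"Function Name:\s*(\w+)")


def triage_rootrepeal(text, trusted_hookers=frozenset()):
    """Return (kind, name, detail) tuples for the entries worth a closer look."""
    sections = parse_rootrepeal(text)
    findings = []
    for block in sections.get("Hidden Services", []):   # any hidden service is notable
        findings.append(("hidden_service", field(block, "Service Name"), field(block, "Image Path")))
    for block in sections.get("SSDT", []):
        hook = HOOK_RE.search(field(block, "Status") or "")
        func = FUNC_RE.search("\n".join(block))
        if hook and hook.group(1) not in trusted_hookers:
            findings.append(("ssdt_hook", func.group(1) if func else None, hook.group(1)))
    for block in sections.get("Drivers", []):
        name = field(block, "Name") or ""
        # dump_* crash-dump drivers and the scanner's own driver are memory-only by design
        if "File Visible: No" in "\n".join(block) and not name.lower().startswith(("dump_", "rootrepeal")):
            findings.append(("invisible_driver", name, field(block, "Image Path")))
    return findings


NS_RE = re.compile(r"^(HKEY_[^ ]+\\Tcpip\\Parameters\\NameServer)\b.*?Data:\s*([0-9.,\s]+?)\s*->", re.M)


def hijacked_nameservers(mbam_text, expected_resolvers):
    """Return (registry key, [unexpected IPs]) for each static NameServer value in a
    Malwarebytes log whose servers are not in the administrator's expected set."""
    out = []
    for key, data in NS_RE.findall(mbam_text):
        ips = [ip.strip() for ip in data.split(",") if ip.strip()]
        bad = [ip for ip in ips if ip not in expected_resolvers]
        if bad:
            out.append((key, bad))
    return out


if __name__ == "__main__":
    for f in triage_rootrepeal(ROOTREPEAL_SAMPLE, trusted_hookers={"Lbd.sys"}):
        print(*f)
    for key, bad in hijacked_nameservers(MBAM_SAMPLE, {"192.168.1.1"}):
        print("unexpected resolver(s)", bad, "in", key)
```

On a machine that gets its DNS from DHCP, as the poster says this one does, any static NameServer value under Tcpip\Parameters is itself the anomaly, so the expected set can be left empty to flag every entry; the allowlist for SSDT hooks should only ever contain modules the responder has positively identified.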

#5 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 16 March 2009 - 04:05 PM

I am sorry to have left you hanging this weekend. I am having a cat5e cable problem. I have a real ugly fix right now so I can do some catch up and let people know I didn't abandon them intentionally. I won't be able to post again until March 17 at about 5PM East Coast USA time (UTC -4).

Sorry for any inconvenience.

You said that you zipped combofix into a random named file, and this is almost what I want you to try next. Download the file into a clean computer and rename the file. No need to zip it, just rename it to something like multifix.exe and then burn that to a CD and transfer it to the problem computer and then try to run it from the HD with the new name. The same instructions will apply as with the normal named file.

#6 Smedlow

Smedlow
  • Topic Starter

  • Members
  • 40 posts

Posted 18 March 2009 - 12:09 AM

Hoov, sorry about your problems. I failed to include it in my previous post, but I have tried that in a manner of speaking. I am in Alaska and the computer is in Arizona, so I have transferred the file from my computer to my Dad's with NTR Connect (a remote control program). I have tried to send the file with a different name, with a different name zipped, with the zip file zipped with a different name. The only way it would exist on the computer is in a RAR archive until it was unarchived. Then it is deleted. When transferring the file, the file would increase in size normally, but the second the download was completed, it would delete.

My next thought was to try and run it off a CD so it couldn't delete it, but as I understand it, ComboFix has to run from the desktop. Again, the computer seems to be running normally with this exception.
Thanks

#7 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 18 March 2009 - 02:13 AM

That one exception concerns me. But you may have given me the reason, even though you had said it before, I never really thought that it could be a problem. Is it possible to have your Dad download and run combofix locally? Of course you may need to walk your Dad through shutting off his protection prior to running combofix. He may not even need to run it, just being able to download it would probably prove the point.

#8 Smedlow

Smedlow
  • Topic Starter

  • Members
  • 40 posts

Posted 18 March 2009 - 03:29 PM

Yeah, I think I can manage it. I can probably have him put a CD in the drive and then I could copy it directly. If all else failed, maybe I could talk him through it, but you know how technical support goes. Ha.
I'll give it a try in the next day or so. Did you see anything in the log that seemed abnormal?

#9 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 18 March 2009 - 03:45 PM

Well if you removed the problems that Malwarebytes' Anti-Malware found, then no. That was the only thing I see that worries me, but you said the only problem left was not being able to run combofix, so I figured all else was taken care of. As far as the combofix issue, I found nothing that concerns me.

#10 Smedlow

Smedlow
  • Topic Starter

  • Members
  • 40 posts

Posted 18 March 2009 - 10:50 PM

OK, I'll see if I can do the deed tomorrow. Thanks.

#11 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 22 March 2009 - 06:46 PM

Smedlow, do you still need help?

#12 Smedlow

Smedlow
  • Topic Starter

  • Members
  • 40 posts

Posted 22 March 2009 - 11:53 PM

Hoov, I finally got to get on his computer today and here are the details:

I had Combofix in a zip in a rar on his computer, so I had him put a CD in the drive and used Nero to copy Combofix to the CD. Still wouldn't run. In trying to make it run, however, I killed not only the anti-malware programs, but every other unfamiliar process and then again tried to unzip ComboFix to the desktop and this time it did not auto-delete. So going with it, I ran ComboFix, and it auto-updated and ran normally. I know you didn't ask for it, but here is the log.

ComboFix 09-03-22.01 - Robert 2009-03-22 21:03:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1600 [GMT -7:00]
Running from: c:\documents and settings\Robert\Desktop\Combofix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-02-23 to 2009-03-23 )))))))))))))))))))))))))))))))
.

2009-03-16 08:17 . 2009-03-16 08:17 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-03-14 13:01 . 2009-03-14 13:09 <DIR> d-------- C:\CRIBBAGE
2009-03-05 11:28 . 2009-03-07 22:45 <DIR> d-------- c:\program files\Google
2009-02-27 11:48 . 2009-02-27 11:48 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-27 11:48 . 2009-02-27 11:48 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-27 11:48 . 2009-02-27 11:48 <DIR> d-------- c:\documents and settings\Robert\Application Data\SUPERAntiSpyware.com
2009-02-27 11:48 . 2009-02-27 11:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-26 22:17 . 2009-01-09 12:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
2009-02-26 19:03 . 2009-02-26 19:03 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-02-26 18:56 . 2009-02-26 18:56 <DIR> d-------- C:\a706802420c5a8fb1733474f3b0c4299
2009-02-26 18:55 . 2009-02-26 19:06 <DIR> d-------- c:\windows\SxsCaPendDel
2009-02-26 17:45 . 2009-02-26 17:48 <DIR> d-------- c:\documents and settings\LocalService\Application Data\ntr
2009-02-26 16:32 . 2009-02-26 16:47 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-26 16:32 . 2009-02-26 16:32 <DIR> d-------- c:\documents and settings\Robert\Application Data\Malwarebytes
2009-02-26 16:32 . 2009-02-26 16:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-26 16:32 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-26 16:32 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-26 16:06 . 2009-02-26 16:06 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-02-26 16:05 . 2009-02-26 16:05 <DIR> d-------- c:\windows\ERUNT
2009-02-26 16:03 . 2009-02-26 16:12 <DIR> d-------- C:\SDFix
2009-02-26 15:27 . 2009-03-05 14:20 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-26 14:19 . 2009-02-26 14:19 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-26 14:19 . 2009-03-05 14:20 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-26 14:18 . 2009-02-26 14:18 <DIR> d-------- c:\program files\Lavasoft
2009-02-26 14:18 . 2009-02-26 14:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-26 13:24 . 2009-02-26 13:24 <DIR> d-------- c:\program files\TweakNow PowerPack Pro
2009-02-26 13:24 . 2009-02-26 13:24 <DIR> d-------- c:\documents and settings\Robert\Application Data\TweakNow PowerPack
2009-02-26 13:19 . 2009-02-26 13:19 <DIR> d-------- c:\program files\CA
2009-02-26 13:19 . 2003-01-03 16:12 113,728 --a------ c:\windows\system32\drivers\ino_fltr.sys
2009-02-26 13:19 . 2003-02-10 14:48 36,864 --a------ c:\windows\RmvDir.exe
2009-02-26 13:19 . 2003-04-16 11:46 28,460 --a------ c:\windows\inoc6.icf
2009-02-26 13:19 . 2003-01-03 14:08 19,776 --a------ c:\windows\system32\drivers\ino_flpy.sys
2009-02-26 13:19 . 2009-02-26 13:19 47 --a------ c:\windows\InoSetup.ini
2009-02-26 13:18 . 1998-10-29 15:45 306,688 --a------ c:\windows\IsUninst.exe
2009-02-26 10:53 . 2009-02-26 10:53 <DIR> d-------- c:\program files\NTR global
2009-02-26 10:44 . 2009-02-26 10:53 <DIR> d-------- c:\documents and settings\Robert\Application Data\ntr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-21 21:29 --------- d-----w c:\program files\Common Files\Adobe
2009-02-27 20:04 --------- d-----w c:\program files\Anyplace Control 4
2009-02-27 01:01 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-26 22:38 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-26 20:18 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-02-20 21:33 --------- d-----w c:\program files\Symantec
2009-02-20 21:32 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-20 21:32 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-20 20:56 --------- d-----w c:\documents and settings\Robert\Application Data\Symantec
2009-02-09 18:27 --------- d-----w c:\program files\Garmin GPS Plugin
2009-02-09 18:27 --------- d-----w c:\program files\Garmin
2009-02-09 18:27 --------- d-----w c:\program files\DIFX
2009-02-09 18:21 --------- d-----w c:\program files\WinZip Self-Extractor
2009-02-09 18:21 --------- d-----w c:\documents and settings\All Users\Application Data\WinZipSE
2009-01-30 16:42 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-30 16:42 --------- d-----w c:\program files\FamilySearch
2009-01-28 23:31 --------- d-----w c:\program files\Wootalyzer
2009-01-28 23:31 --------- d-----w c:\documents and settings\Robert\Application Data\wootalyzer
2009-01-28 18:07 --------- d-----w c:\program files\Digital Photo Navigator 1.5
2009-01-28 18:07 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-28 14:48 --------- d-----w c:\documents and settings\Robert\Application Data\GARMIN
2009-01-28 14:48 --------- d-----w c:\documents and settings\All Users\Application Data\GARMIN
2008-11-23 19:57 317,995,280 ----a-w c:\documents and settings\damian\470_b050_multilanguage.exe
2008-11-23 19:04 104,577,368 ----a-w c:\documents and settings\damian\4.2 RIM.exe blackberry desktop.exe
2008-10-01 08:42 2,190,667,690 ----a-w c:\documents and settings\damian\rmu_cnnant2009.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-02-27_11.02.46.81 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-09 11:08:53 1,847,552 ----a-w c:\windows\$hf_mig$\KB958690\SP3QFE\win32k.sys
+ 2008-07-09 07:38:24 17,272 ----a-w c:\windows\$hf_mig$\KB958690\spmsg.dll
+ 2008-07-09 07:38:25 231,288 ----a-w c:\windows\$hf_mig$\KB958690\spuninst.exe
+ 2008-07-09 07:38:24 26,488 ----a-w c:\windows\$hf_mig$\KB958690\update\spcustom.dll
+ 2008-07-09 07:38:29 755,576 ----a-w c:\windows\$hf_mig$\KB958690\update\update.exe
+ 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB958690\update\updspapi.dll
+ 2008-12-05 06:58:08 144,896 ----a-w c:\windows\$hf_mig$\KB960225\SP3QFE\schannel.dll
+ 2007-11-30 11:18:51 17,272 ----a-w c:\windows\$hf_mig$\KB960225\spmsg.dll
+ 2007-11-30 11:18:51 231,288 ----a-w c:\windows\$hf_mig$\KB960225\spuninst.exe
+ 2007-11-30 11:18:51 26,488 ----a-w c:\windows\$hf_mig$\KB960225\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB960225\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB960225\update\updspapi.dll
+ 2009-02-27 18:48:50 18,944 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2009-02-27 18:48:50 65,024 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-09-17 22:29:12 20,040 ----a-w c:\windows\system32\config\systemprofile\Application Data\Microsoft\IdentityCRL\production\ppcrlconfig.dll
- 2009-02-27 05:38:45 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-27 18:23:19 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-27 05:38:45 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-27 18:23:19 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-27 05:38:45 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-27 18:23:19 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-05 06:54:55 144,896 -c----w c:\windows\system32\dllcache\schannel.dll
- 2008-09-15 12:12:56 1,846,400 -c----w c:\windows\system32\dllcache\win32k.sys
+ 2009-02-09 11:13:27 1,846,784 -c----w c:\windows\system32\dllcache\win32k.sys
- 2007-06-12 06:51:12 10,834,944 -c--a-w c:\windows\system32\dllcache\wmp.dll
+ 2008-11-12 01:34:42 10,838,016 -c--a-w c:\windows\system32\dllcache\wmp.dll
+ 2009-03-05 21:20:27 64,160 -c--a-w c:\windows\system32\DRVSTORE\lbd_1D149FE61E2CD0936E43877117FE3EF0674B9944\Lbd.sys
- 2009-02-27 02:06:21 161,136 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-11 10:07:11 161,136 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-02-03 02:07:18 240,544 ----a-r c:\windows\system32\Macromed\Flash\FlashUtil10b.exe
- 2008-10-25 15:34:43 88,590 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-03-05 18:28:34 89,102 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
- 2009-02-12 04:56:17 21,244,872 ----a-w c:\windows\system32\MRT.exe
+ 2009-02-25 20:54:59 24,768,960 ----a-w c:\windows\system32\MRT.exe
- 2008-04-14 00:12:05 144,384 ----a-w c:\windows\system32\schannel.dll
+ 2008-12-05 06:54:55 144,896 ----a-w c:\windows\system32\schannel.dll
- 2007-11-30 11:18:51 26,488 ----a-w c:\windows\system32\spupdsvc.exe
+ 2007-07-27 16:41:38 26,488 ----a-w c:\windows\system32\spupdsvc.exe
- 2008-09-15 12:12:56 1,846,400 ----a-w c:\windows\system32\win32k.sys
+ 2009-02-09 11:13:27 1,846,784 ----a-w c:\windows\system32\win32k.sys
- 2007-06-12 06:51:12 10,834,944 ----a-w c:\windows\system32\wmp.dll
+ 2008-11-12 01:34:42 10,838,016 ----a-w c:\windows\system32\wmp.dll
+ 2008-04-15 17:47:33 1,724,416 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\GdiPlus.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-08 98304]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-08 98304]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-10-09 413696]
"Realtime Monitor"="c:\progra~1\CA\ETRUST~1\realmon.exe" [2003-02-13 493024]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-05 515416]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-07 c:\windows\RTHDCPL.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2005-11-14 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2001-11-02 10:50 24636 c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Robert\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\winaw32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\InocIT.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-Aware.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-26 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 ntrconnect;NTRConnect;c:\program files\NTR global\NTRconnect\NTRconnect.exe [2008-10-29 89600]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2008-11-23 20992]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-03-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-05 14:19]

2009-03-23 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
FF - ProfilePath - c:\documents and settings\Robert\Application Data\Mozilla\Firefox\Profiles\u1ammvyo.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-22 21:08:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-583907252-1364589140-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{278D3AAE-8DEB-E5CD-FDB3-46800F495C5D}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"hafebpafaemffnkh"=hex:66,61,62,6e,6e,62,63,62,6c,6d,65,70,00,00
"iaifiaohjnjipbomkf"=hex:69,61,64,69,63,62,69,63,6c,68,6d,61,66,6d,6e,6a,6e,63,
00,00
"haofcblpdjpgphba"=hex:6a,61,65,69,6c,62,6d,67,68,66,6a,69,65,6e,64,64,67,6d,
64,68,00,fa
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)
c:\windows\system32\awgina.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(1040)
c:\windows\system32\relog_ap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\CA\eTrust Antivirus\InoRpc.exe
c:\program files\CA\eTrust Antivirus\InoRT.exe
c:\program files\CA\eTrust Antivirus\InoTask.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2009-03-22 21:11:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-23 04:11:23
ComboFix2.txt 2009-02-27 18:03:32

Pre-Run: 138,579,169,280 bytes free
Post-Run: 138,628,370,432 bytes free

227 --- E O F --- 2009-03-20 10:01:09




The only thing that looks too weird to my uneducated eyes is the locked registry keys.
The computer is running OK and ComboFix is staying on the desktop. Any more suggestions?
Thanks.

#13 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  • Location:Mikado Michigan
  • Local time:05:24 AM

Posted 23 March 2009 - 08:19 AM

I am less concerned now that there is a problem. Some antivirus programs do see it as malware, especially if they have not been updated in a while, so make sure the virus scanner is updated. You are right about that locked registry key.

How are you in the registry?
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families


#14 Smedlow

Smedlow
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Local time:12:24 AM

Posted 24 March 2009 - 09:10 PM

I can delete the keys. Does locked mean that they are not visible, or have to be unlocked to delete them?

#15 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  • Location:Mikado Michigan
  • Local time:05:24 AM

Posted 24 March 2009 - 10:59 PM

You will have to set the permissions so that you can delete them. Make sure you back up the registry first, or create a system restore point. Then go in and right click on the main key and select properties. Select the user name you are logged in as, and make sure you have full control. Then delete them. If it causes a problem, then you can run the system restore, or restore the keys.
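The same "back up, grant yourself full control, then delete" steps from the post above, scripted in PowerShell as an added example. This is not code from the thread or from BleepingComputer. It assumes PowerShell 2.0 or later in an Administrator session with System Restore enabled, and that the account running it already owns the key or is otherwise allowed to change its permissions (the owner of a key always can). The SID and key path are the ones from the "LOCKED REGISTRY KEYS" section of the ComboFix log above; the trailing `*` on that log line is assumed to be a marker rather than part of the key name. If `Get-Acl` fails with access denied, take ownership through regedit's Permissions dialog first, exactly as the post describes, then rerun.

```powershell
# Added example (not from the thread): back up, unlock, and delete a registry key that a
# scan reported as locked. Run from an elevated PowerShell session.
# Assumptions: PowerShell 2.0+, System Restore enabled, current user owns the key or may
# change its DACL. SID and key path are taken from the ComboFix log in this thread.

$sid     = 'S-1-5-21-583907252-1364589140-725345543-1003'
$keyName = 'Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{278D3AAE-8DEB-E5CD-FDB3-46800F495C5D}'
$regPath = "Registry::HKEY_USERS\$sid\$keyName"
$backup  = Join-Path $env:TEMP 'locked-key-backup.reg'

function Backup-LockedKey {
    # Two independent undo paths: a restore point and a .reg export of the key itself.
    Checkpoint-Computer -Description 'Before deleting locked registry key' -RestorePointType MODIFY_SETTINGS
    if (Test-Path $backup) { Remove-Item $backup }     # avoid reg.exe's overwrite prompt on XP
    & reg.exe export "HKU\$sid\$keyName" $backup
    if ($LASTEXITCODE -ne 0) { throw "reg.exe could not export the key; nothing was changed." }
    "Backup written to $backup"
}

function Grant-FullControl {
    # Equivalent of the Permissions dialog: drop any explicit Deny entries the malware added,
    # then give the current user Allow/FullControl on the key and everything under it.
    $acl  = Get-Acl -Path $regPath
    $user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    foreach ($ace in @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $user, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $regPath -AclObject $acl
    "Granted $user full control on $regPath"
}

function Remove-LockedKey {
    Remove-Item -Path $regPath -Recurse -Force
    if (Test-Path $regPath) { throw "Key is still present after deletion." }
    "Deleted $regPath"
}

Backup-LockedKey
Grant-FullControl
Remove-LockedKey
# To undo: 'reg import <path to locked-key-backup.reg>' or roll back with System Restore.
```

The backup step runs first and aborts the whole script if the export fails, so the key is never touched without a way to put it back. Deny entries are removed explicitly because a Deny ACE always wins over an Allow, so merely adding Full Control would not unlock a key the malware locked that way.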