
Hijack this log... some sort of virus


  • This topic is locked
11 replies to this topic

#1 sadj2885


Posted 15 March 2009 - 11:53 PM

Keep getting pop-ups with Firefox, the background keeps changing, and Avast antivirus keeps showing C:\WINDOWS\system32\drivers\48a05659.sys is a virus but I cannot remove it no matter what I try. I have run: Avast, Malwarebytes and Spy Sweeper. Here's a log file from HijackThis.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:49:32 AM, on 3/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\docume~1\admini~1\locals~1\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\docume~1\admini~1\locals~1\temp\ntdll64.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1228027478212
O20 - AppInit_DLLs: C:\WINDOWS\system32\sozawalu.dll tskjlt.dll c:\windows\
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5161 bytes
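As an added example (not part of the original post, and not HijackThis code), the Python script below reads lines in HijackThis log format and flags the entries in this log that a helper would look at first: the O10 Winsock LSP file sitting in a temp folder, every token in the O20 AppInit_DLLs value, an O23 service with an unknown owner, and O4 autostarts that run from a user profile path. The sample lines are a subset copied from the log above; the `looks_random` name heuristic, the severity labels and the reasons are my own assumptions, not HijackThis output.

```python
import re

# Lines copied from the HijackThis log posted above (a constructed subset, not the full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O10 - Unknown file in Winsock LSP: c:\docume~1\admini~1\locals~1\temp\ntdll64.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\sozawalu.dll tskjlt.dll c:\windows\
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
VOWELS = set("aeiouy")
# Path fragments that mean "user-writable profile or temp folder" (8.3 short names included).
USER_WRITABLE_HINTS = ("\\documents and settings\\", "\\docume~1\\", "\\locals~1\\", "\\temp\\")
SEVERITY_RANK = {"high": 0, "verify": 1, "low": 2}


def looks_random(filename):
    """Assumed heuristic for generated names: a vowel-less stem, or a hex stem containing digits."""
    stem = filename.rsplit(".", 1)[0].lower()
    if len(stem) >= 6 and re.fullmatch(r"[0-9a-f]+", stem) and re.search(r"\d", stem):
        return True
    return len(stem) >= 4 and not (set(stem) & VOWELS)


def basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def triage(log_text):
    """Return findings (dicts with severity/section/reason/line), most severe first."""
    findings = []

    def add(severity, section, reason, line):
        findings.append({"severity": severity, "section": section, "reason": reason, "line": line})

    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O10":
            # Layered Service Providers load into every process that opens a socket;
            # legitimate ones live in system32, not in a user's temp folder.
            path = body.split(":", 1)[1].strip()
            if any(h in path.lower() for h in USER_WRITABLE_HINTS):
                add("high", sec, "Winsock LSP loaded from a user-writable or temp path", line)
            else:
                add("verify", sec, "Winsock LSP file HijackThis does not recognise", line)
        elif sec == "O20":
            # AppInit_DLLs is injected into every process that loads user32.dll; any value
            # here deserves a look, and a non-DLL token means the value was tampered with.
            for token in body.split(":", 1)[1].split():
                name = basename(token)
                if not name.lower().endswith(".dll"):
                    add("high", sec, f"non-DLL token {token!r} in AppInit_DLLs", line)
                elif looks_random(name):
                    add("high", sec, f"random-looking DLL {name} injected via AppInit_DLLs", line)
                else:
                    add("high", sec, f"DLL {name} injected into every process via AppInit_DLLs", line)
        elif sec == "O23":
            # svchost-hosted services often show exactly like BITS above; confirm before acting.
            parts = body.split(" - ")
            if len(parts) >= 3 and parts[-2] == "Unknown owner":
                note = " (path is a bare directory; check the real ImagePath)" if parts[-1].endswith("\\") else ""
                add("verify", sec, "service with unknown owner" + note, line)
        elif sec == "O4":
            cmd = body.split("]", 1)[-1]
            if any(h in cmd.lower() for h in USER_WRITABLE_HINTS):
                add("low", sec, "autostart from a user profile path (some updaters do this legitimately)", line)
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['section']:<4} {f['reason']}\n         {f['line']}")
```

Run it on a saved log with `triage(open("hijackthis.log").read())`; the vendor-signed avast! entries produce no findings, while the three AppInit_DLLs tokens and the LSP in the temp folder come out on top.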


#2 sadj2885


Posted 16 March 2009 - 10:23 PM

Ran Microsoft MSRT; it found a few things. Deleted all temporary files. Seems OK now. Here's the updated HijackThis log. Any advice would be appreciated. Thanks.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:46 PM, on 3/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mstsc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1237249829940
O20 - AppInit_DLLs: C:\WINDOWS\system32\sozawalu.dll tskjlt.dll c:\windows\
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5103 bytes

#3 Orange Blossom

    OBleepin Investigator, Moderator (Bloomington, IN)

Posted 27 March 2009 - 08:43 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Orange Blossom

#4 sadj2885


Posted 29 March 2009 - 01:43 PM

Results from DDS are attached.

thanks

Attached Files
  • DDS.zip (2.57 KB, 21 downloads)


#5 jmw3

    MRU Teacher, Malware Response Team

Posted 30 March 2009 - 02:47 AM

Hello & Welcome to Bleeping Computer
Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Options, then click Track this Topic. Make sure it is set to Immediate Email Notification, then click Proceed.

In the meantime please note the following:
  • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
  • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
    1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
    2. Commercial scanners, for the most part can not completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of completely.
  • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
  • It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean! even if symptoms seemingly abate.
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

Thanks

ATF Cleaner
Download ATF Cleaner here by Atribune. Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button
  • If you use the Firefox browser: click Firefox at the top and choose: Select All
  • Click the Empty Selected button
    NOTE: If you would like to keep your saved passwords, please click No at the prompt
  • If you use the Opera browser: click Opera at the top and choose: Select All
  • Click the Empty Selected button
    NOTE: If you would like to keep your saved passwords, please click No at the prompt
  • Click Exit on the Main menu to close the program.

GooredFix
Download GooredFix from one of the locations below & save it to your Desktop
Download Mirror #1
Download Mirror #2
Ensure all instances of Firefox are closed
  • Double-click GooredFix.exe to run it
  • Select 2. Fix Goored by typing 2 & pressing Enter
  • Type y at the prompt then press Enter
  • A log will open, post the contents of that log in your next reply
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

Combofix
Download ComboFix from one of these locations:
Link 1
Link 2
Link 3

**IMPORTANT !!! Save ComboFix.exe to your Desktop**
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
    The ones that need to be closed/disabled are:
    List the programs that need to be closed/ Disabled here
  • Double click on ComboFix.exe & follow the prompts
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
(screenshot not reproduced here)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(screenshot not reproduced here)
  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply along with a new HijackThis log.
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Click Start>Run & copy/paste the following single-line command into the Run box and click OK:
C:\Qoobox\Add-Remove Programs.txt
A text file should open. Please post the contents of that file in your next reply.

To post in next reply:
Gooredfix log
Combofix log
Add-Remove Programs log



#6 sadj2885


Posted 30 March 2009 - 10:30 PM

GooredFix v1.92 by jpshortstuff
Log created at 23:00 on 30/03/2009 running Option #2 (admin)
Firefox version 3.0.8 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{E6F5E278-4B46-4D14-B5C5-167074FDC776}"="C:\Documents and Settings\admin\Local Settings\Application Data\{E6F5E278-4B46-4D14-B5C5-167074FDC776}\"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\admin\Local Settings\Application Data\{E6F5E278-4B46-4D14-B5C5-167074FDC776}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"




ComboFix 09-03-30.01 - admin 2009-03-30 23:15:58.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.219 [GMT -4:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090330-0] *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\test.ttt
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf

.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 )))))))))))))))))))))))))))))))
.

2009-03-29 20:42 . 2004-03-29 16:23 90,112 --a------ c:\windows\unvise32.exe
2009-03-29 20:41 . 2009-03-29 20:42 <DIR> d-------- c:\program files\The Rosetta Stone
2009-03-29 14:25 . 2009-03-29 20:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2009-03-29 14:24 . 2009-03-29 14:24 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2009-03-23 19:08 . 2009-03-23 19:13 <DIR> d-------- c:\program files\UltraVNC
2009-03-16 00:40 . 2009-03-16 00:40 <DIR> d-------- c:\program files\Trend Micro
2009-03-15 23:53 . 2009-03-15 23:53 <DIR> d-------- c:\documents and settings\Administrator
2009-03-14 19:21 . 2009-03-14 19:21 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-03-14 18:53 . 2009-03-14 18:53 <DIR> d-------- c:\program files\Alwil Software
2009-03-14 18:53 . 2003-03-18 16:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-03-14 17:46 . 2009-03-14 17:46 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-14 17:46 . 2009-03-14 17:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-14 17:46 . 2009-03-14 17:46 <DIR> d-------- c:\documents and settings\admin\Application Data\Malwarebytes
2009-03-14 17:46 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-14 17:46 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-14 17:36 . 2008-04-14 06:42 26,112 --a--c--- c:\windows\system32\dllcache\userinit.exe
2009-03-14 17:35 . 2009-03-14 17:35 2 --a------ C:\338000835
2009-03-13 19:14 . 2007-07-27 04:26 37,768 -ra------ c:\windows\system32\drivers\wceusbsh.sys
2009-03-13 19:14 . 2007-07-27 04:26 37,768 -ra------ c:\windows\system32\drivers\OLD243.tmp
2009-03-13 19:14 . 2008-04-14 00:15 31,744 --a--c--- c:\windows\system32\dllcache\wceusbsh.sys
2009-03-09 19:22 . 2009-03-09 19:22 <DIR> d-------- c:\program files\Alex Feinman
2009-03-08 19:07 . 2009-03-08 19:07 <DIR> d-------- c:\program files\ATI Technologies
2009-02-16 18:44 . 2009-02-16 18:53 <DIR> d-------- c:\program files\Google
2009-02-16 18:44 . 2009-03-30 18:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2009-02-11 00:10 . 2009-02-11 00:10 <DIR> d-------- c:\documents and settings\admin\Application Data\Aim
2009-02-11 00:09 . 2009-02-11 00:11 <DIR> d-------- c:\program files\AIM
2009-02-01 03:37 . 2009-02-01 03:37 <DIR> d-------- c:\program files\MagicISO

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-31 02:30 --------- d-----w c:\documents and settings\admin\Application Data\uTorrent
2009-02-11 04:09 --------- d-----w c:\program files\Common Files\AOL
2009-02-11 04:09 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-02-01 07:46 --------- d-----w c:\program files\DivX
2009-02-01 00:15 --------- d-----w c:\documents and settings\admin\Application Data\U3
2009-01-30 02:09 --------- d-----w c:\documents and settings\admin\Application Data\AdobeUM
2009-01-30 02:08 --------- d-----w c:\program files\Common Files\Adobe
2008-12-11 04:17 472,576 ----a-w c:\windows\Radeon Omega Drivers v4.8.442 Uninstall.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-29 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-30 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 c:\windows\AGRSMMSG.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 16:37 34344 c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-03-17 16:02 34080 c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKLM\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^adobe reader speed launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AIM\\aim.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800

R1 aswsp;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-03-14 114768]
R2 aswfsblk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-03-14 20560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-12-19 24652]
S1 48a05659;48a05659;c:\windows\system32\drivers\48a05659.sys --> c:\windows\system32\drivers\48a05659.sys [?]
S1 atitray;atitray;\??\c:\program files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.sys --> c:\program files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46531850-0cfc-11de-882f-0015e975088d}]
\Shell\AutoRun\command - e:\wd_windows_tools\WDSetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b4030f5-bea7-11dd-8821-e784ef23b244}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-03-31 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-26 00:01]

2009-03-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-1563985344-1343024091-1003.job
- c:\documents and settings\admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-29 19:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\vd4z7kpt.default\
FF - plugin: c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\vd4z7kpt.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\admin\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-30 23:20:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\windows\system32\Ati2evxx.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-30 23:23:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-31 03:22:56

Pre-Run: 25,695,166,464 bytes free
Post-Run: 25,646,006,272 bytes free

147



Add-remove
µTorrent
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.7
Agere Systems AC'97 Modem
AOL Instant Messenger
Apple Software Update
ATI - Software Uninstall Utility
ATI Display Driver
AutoUpdate
avast! Antivirus
DivX Codec
DivX Converter
DivX Player
DivX Version Checker
Google Chrome
Google Updater
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Intel® PRO Network Connections Drivers
ISO Recorder
Java™ 6 Update 10
Magic ISO Maker v5.5 (build 0273)
Malwarebytes' Anti-Malware
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.0.8)
On Screen Display
QuickTime
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
SoundMAX
The Rosetta Stone
ThinkPad Power Management Driver
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
VC80CRTRedist - 8.0.50727.762
Viewpoint Media Player
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver

#7 jmw3

jmw3

    MRU Teacher


  • Malware Response Team
  • 58 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:46 AM

Posted 31 March 2009 - 01:20 AM

P2P Warning!
IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

µTorrent

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
P2P file sharing used to be fairly safe. That is no longer true. I'd like you to read the Perils of P2P File Sharing where we explain why it's not a good idea to have them.
References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/commun...protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetworldstats.com/articles/art053.htm
See Clean/Infected P2P Programs here

I would recommend you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) & any other P2P programs.

Upload Files for Scanning
Go to VirSCAN & upload the following File & Path for scanning.
  • Copy and paste the following File & Path in the text box next to the Browse button.
    c:\windows\system32\drivers\48a05659.sys
  • Click Upload.
  • Wait for scans to finish then copy & paste the results into your next reply.
Is there some reason you did not install the Recovery Console? With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Go to Microsoft's website => http://support.microsoft.com/kb/310994
  • Select the download that's appropriate for your Operating System
  • Download the file & save it as it's originally named. Save the file to the desktop of your computer
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Drag the setup package onto ComboFix.exe and drop it
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console
  • At the next prompt, click No to exit
CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

File::
C:\338000835
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46531850-0cfc-11de-882f-0015e975088d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b4030f5-bea7-11dd-8821-e784ef23b244}]
Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 13.
  • Download the latest version of Java Runtime Environment (JRE) 6 Here
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 13. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the Download button to the right
  • Select the Windows platform from the dropdown menu
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh
  • Click on the link to download Windows Offline Installation & save the file to your desktop
  • Close any programs you may have running - especially your web browser
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version
  • Reboot your computer once all Java components are removed
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel
Kaspersky Online Scan
Do an online scan with >Kaspersky Online Scanner<
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
  • Please post this log in your next reply
To post in next reply:
VirSCAN results log
Combofix log
Kaspersky Scan log
Let me know how the computer is running / problems

Teacher, Malware Removal University - You too could train to help others
Member - UNITE, Alliance of Security Analysis Professionals


#8 sadj2885

sadj2885
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  • Local time:05:46 PM

Posted 01 April 2009 - 06:53 PM

I tried scanning the file, but it doesn't exist anymore.


ComboFix 09-03-30.01 - admin 2009-03-31 18:21:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.163 [GMT -4:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\admin\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090331-0] *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
C:\338000835
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\338000835

.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 )))))))))))))))))))))))))))))))
.

2009-03-29 20:42 . 2004-03-29 16:23 90,112 --a------ c:\windows\unvise32.exe
2009-03-29 20:41 . 2009-03-29 20:42 <DIR> d-------- c:\program files\The Rosetta Stone
2009-03-29 14:25 . 2009-03-29 20:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2009-03-29 14:24 . 2009-03-29 14:24 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2009-03-23 19:08 . 2009-03-23 19:13 <DIR> d-------- c:\program files\UltraVNC
2009-03-16 00:40 . 2009-03-16 00:40 <DIR> d-------- c:\program files\Trend Micro
2009-03-15 23:53 . 2009-03-15 23:53 <DIR> d-------- c:\documents and settings\Administrator
2009-03-14 19:21 . 2009-03-14 19:21 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-03-14 18:53 . 2009-03-14 18:53 <DIR> d-------- c:\program files\Alwil Software
2009-03-14 18:53 . 2003-03-18 16:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-03-14 17:46 . 2009-03-14 17:46 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-14 17:46 . 2009-03-14 17:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-14 17:46 . 2009-03-14 17:46 <DIR> d-------- c:\documents and settings\admin\Application Data\Malwarebytes
2009-03-14 17:46 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-14 17:46 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-14 17:36 . 2008-04-14 06:42 26,112 --a--c--- c:\windows\system32\dllcache\userinit.exe
2009-03-13 19:14 . 2007-07-27 04:26 37,768 -ra------ c:\windows\system32\drivers\wceusbsh.sys
2009-03-13 19:14 . 2007-07-27 04:26 37,768 -ra------ c:\windows\system32\drivers\OLD243.tmp
2009-03-13 19:14 . 2008-04-14 00:15 31,744 --a--c--- c:\windows\system32\dllcache\wceusbsh.sys
2009-03-09 19:22 . 2009-03-09 19:22 <DIR> d-------- c:\program files\Alex Feinman
2009-03-08 19:07 . 2009-03-08 19:07 <DIR> d-------- c:\program files\ATI Technologies
2009-02-16 18:44 . 2009-02-16 18:53 <DIR> d-------- c:\program files\Google
2009-02-16 18:44 . 2009-03-30 18:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2009-02-11 00:10 . 2009-02-11 00:10 <DIR> d-------- c:\documents and settings\admin\Application Data\Aim
2009-02-11 00:09 . 2009-02-11 00:11 <DIR> d-------- c:\program files\AIM
2009-02-01 03:37 . 2009-02-01 03:37 <DIR> d-------- c:\program files\MagicISO

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-31 02:30 --------- d-----w c:\documents and settings\admin\Application Data\uTorrent
2009-02-11 04:09 --------- d-----w c:\program files\Common Files\AOL
2009-02-11 04:09 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-02-01 07:46 --------- d-----w c:\program files\DivX
2009-02-01 00:15 --------- d-----w c:\documents and settings\admin\Application Data\U3
2009-01-30 02:09 --------- d-----w c:\documents and settings\admin\Application Data\AdobeUM
2009-01-30 02:08 --------- d-----w c:\program files\Common Files\Adobe
2008-12-11 04:17 472,576 ----a-w c:\windows\Radeon Omega Drivers v4.8.442 Uninstall.exe
2008-12-11 00:33 86,016 ----a-w c:\windows\system32\dpl100.dll
2008-12-11 00:33 200,704 ----a-w c:\windows\system32\dtu100.dll
2008-12-09 02:28 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-12-09 02:28 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-12-09 02:28 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-12-09 02:28 294,912 ----a-w c:\windows\system32\dpu11.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-03-30_23.22.05.91 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-31 22:14:04 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_46c.dat
+ 2009-03-31 22:13:49 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_678.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-29 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-30 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 c:\windows\AGRSMMSG.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 16:37 34344 c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-03-17 16:02 34080 c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKLM\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^adobe reader speed launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AIM\\aim.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800

R1 aswsp;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-03-14 114768]
R2 aswfsblk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-03-14 20560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-12-19 24652]
S1 48a05659;48a05659;c:\windows\system32\drivers\48a05659.sys --> c:\windows\system32\drivers\48a05659.sys [?]
S1 atitray;atitray;\??\c:\program files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.sys --> c:\program files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-03-31 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-26 00:01]

2009-03-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-1563985344-1343024091-1003.job
- c:\documents and settings\admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-29 19:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\vd4z7kpt.default\
FF - plugin: c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\vd4z7kpt.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\admin\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-31 18:23:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(560)
c:\windows\system32\Ati2evxx.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
.
Completion time: 2009-03-31 18:24:40
ComboFix-quarantined-files.txt 2009-03-31 22:24:07
ComboFix2.txt 2009-03-31 03:23:05

Pre-Run: 25,606,012,928 bytes free
Post-Run: 25,613,053,952 bytes free

138






--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, April 1, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, April 02, 2009 00:13:53
Records in database: 1994982
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 27639
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 00:53:25


File name / Threat name / Threats count
C:\Program Files\UltraVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ab 1

The selected area was scanned.

#9 jmw3

jmw3

    MRU Teacher


  • Malware Response Team
  • 58 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:46 AM

Posted 02 April 2009 - 04:52 AM

Hi
Let's make sure that file is gone.

View Hidden Files & Folders Windows XP
To view Hidden Files & Folders do the following:
Click Start
Open My Computer
Select the Tools menu and click Folder Options
Select the View Tab
Under the Hidden files and folders heading select Show hidden files and folders
Uncheck the Hide protected operating system files (recommended) option
Click Yes to confirm
Click OK

Navigate to c:\windows\system32\drivers\48a05659.sys

If the file is still on your system then upload it to VirSCAN for checking. If it's not there then we're just about done.

Teacher, Malware Removal University - You too could train to help others
Member - UNITE, Alliance of Security Analysis Professionals


#10 sadj2885

sadj2885
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  • Local time:05:46 PM

Posted 02 April 2009 - 07:38 AM

The file isn't there. Thanks for all your help. Everything looks good now.

#11 jmw3

jmw3

    MRU Teacher


  • Malware Response Team
  • 58 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:46 AM

Posted 02 April 2009 - 07:55 AM

Hi

Clean Up
Now we need to clear out the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if used inappropriately.

Remove Combofix
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /u
OTCleanIt
Download OTCleanIt here & save it to your desktop.
Double click on OTCleanIt.exe. Click on CleanUp!.
You will receive a prompt that it needs to restart the computer to remove the files. Click Yes.
It will restart your computer automatically. If it doesn't, please restart your computer manually.
You can also delete DDS.scr & Gooredfix.exe from your desktop.
You can either delete or keep ATF-Cleaner. It's a handy tool for cleaning out your temporary folders.

All Clean
Congratulations, good work, your system is now clean. Now that your system is safe we would like you to keep it that way.
Take the time to follow these instructions and it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

Microsoft Windows Update
Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to Start > All Programs > Windows Update
To update Office
Open up any Office program.
Go to Help > Check for Updates

Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee.
You can find a tutorial here.

SpywareBlaster
Download and install Javacools SpywareBlaster from here
SpywareBlaster adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers. You need to manually check for updates regularly.

Download and Install a HOSTS File
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, (name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.

Download BlueTack's HOSTS Manager here, using Internet Explorer (Firefox won't work):
  • A short distance down the page in the centre, click on the Download button
  • Agree to the license
  • On the next page, to the right side of where it says Download Estimates, right click on the underlined word Hosts Manager choose Save Target As and download the installer Hosts20setup.exe to your desktop
  • Double click the Installer on your desktop and let it Install the Hosts Manager
  • After the installation is complete, click on the Hosts Manager icon on your desktop. (You can delete the other Hosts Switch icon from your desktop)
  • When the Hosts Manager comes up, click the small down arrows on the right side of the bar labeled Options and Tools,
  • Click Disable DNS Service. This is important
  • In the Left Pane, click Download
  • It will load 80,000 lines or more. When it finishes, also in the left pane, click Replace, and then click Save
You can use this manager to handle your HOSTS file download, edits, and most any other HOSTS issue.
If you have a separate party firewall or Winpatrol, you may have to give permissions at various times to Unlock the present default HOSTS file and install the new one.

Install WinPatrol
Download it here
You can find information about how WinPatrol works here

Read some information here on how to prevent Malware.

Hopefully these steps will help keep your computer clean.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Teacher, Malware Removal University - You too could train to help others
Member - UNITE, Alliance of Security Analysis Professionals
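The HOSTS mechanism described in the post above, as an added example (not the forum's, jmw3's or BlueTack's code): a small Python parser that reads HOSTS-format text, answers the "is this name overridden before DNS is ever asked?" question, and flags entries that point a name somewhere other than a loopback or null sinkhole. The sample HOSTS text, the `.invalid` names and the "first listed entry wins" rule are constructed for illustration.

```python
"""Parse and audit a Windows HOSTS file (added example, constructed sample data)."""
import ipaddress
from typing import Dict, List, NamedTuple, Optional

# Addresses a blocklist uses to "short circuit" a name back to the local machine.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample, not a real blocklist; real ones have tens of thousands of lines.
SAMPLE_HOSTS = """\
# HOSTS file: <ip address> <hostname> [<hostname> ...]   # optional comment
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example.invalid       # blocked ad server
0.0.0.0         tracker.example.invalid
192.168.1.10    printer.lan               # legitimate local override
203.0.113.5     update.antivirus.example.invalid   # NOT a sinkhole: worth a look
not-an-address  broken.example.invalid    # malformed, ignored by the resolver
"""


class HostsEntry(NamedTuple):
    line_no: int
    address: str
    hostnames: List[str]


def parse_hosts(text: str) -> List[HostsEntry]:
    """Return one HostsEntry per well-formed line.

    Blank lines and comments are skipped. A line whose first field is not an
    IP address, or that names no host, is ignored rather than treated as an error.
    """
    entries: List[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # strip trailing comment
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])      # validates IPv4 and IPv6
        except ValueError:
            continue
        if len(fields) < 2:
            continue
        entries.append(HostsEntry(line_no, fields[0], [h.lower() for h in fields[1:]]))
    return entries


def build_lookup(entries: List[HostsEntry]) -> Dict[str, str]:
    """Map each hostname to its address; the first listed entry wins (modelling assumption)."""
    lookup: Dict[str, str] = {}
    for entry in entries:
        for host in entry.hostnames:
            lookup.setdefault(host, entry.address)
    return lookup


def resolve(hostname: str, lookup: Dict[str, str]) -> Optional[str]:
    """HOSTS override for hostname, or None, meaning DNS would be consulted."""
    return lookup.get(hostname.lower())


def suspicious_redirects(entries: List[HostsEntry],
                         allowed_hosts=("localhost",)) -> List[HostsEntry]:
    """Entries whose address is not a sinkhole and whose names are not known local overrides.

    A blocklist only ever maps names to 127.0.0.1 / 0.0.0.0; a name sent to a
    remote address instead is the thing to review when the file is audited.
    """
    return [e for e in entries
            if e.address not in SINKHOLE_ADDRESSES
            and any(h not in allowed_hosts for h in e.hostnames)]


if __name__ == "__main__":
    parsed = parse_hosts(SAMPLE_HOSTS)
    table = build_lookup(parsed)
    print(f"{len(parsed)} entries; ads.example.invalid ->", resolve("ads.example.invalid", table))
    for e in suspicious_redirects(parsed, allowed_hosts=("localhost", "printer.lan")):
        print(f"line {e.line_no}: {e.address} {' '.join(e.hostnames)}  <- review")
```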


#12 jmw3

jmw3

    MRU Teacher


  • Malware Response Team
  • 58 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:46 AM

Posted 04 April 2009 - 12:13 PM

As this issue appears to be resolved, this Topic is closed.
Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.
This applies only to the original poster. Everyone else please begin a New Topic.

Teacher, Malware Removal University - You too could train to help others
Member - UNITE, Alliance of Security Analysis Professionals




