iexplore.exe running when no window is open, Userinit value changed


  • This topic is locked
13 replies to this topic

#1 Mikniks


Posted 16 March 2009 - 01:50 AM

I've been working for 2 days now trying to fix this problem, but it has been a very resilient trojan (or group of them). I think I have the problem files isolated but I can't figure out how to remove them. The userinit value has been changed, and I can't modify it in Regedit. I've read some other materials suggesting the use of ComboFix, but the program (along with Spybot S&D, Malwarebytes, and SuperAntiSpyware) won't load after I double-click them on my desktop. AVG and Avira do load for some reason and I've completed scans with both of them. Sdra64.exe and lowsec.exe are my main concerns. Thank you in advance for your help!!


DDS (Ver_09-03-16.01) - NTFSx86
Run by Sugarbear at 2:26:45.71 on Mon 03/16/2009
Internet Explorer: 8.0.6001.18372
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.164 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\AVG\AVG8\aAvgApi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Sugarbear\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [HijackThis startup scan] c:\program files\trend micro\hijackthis\HijackThis.exe /startupscan
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
StartupFolder: c:\docume~1\sugarb~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\iifecdab

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-3-16 11840]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-15 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-15 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-15 107912]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-11-17 55024]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-3-16 151297]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-15 298264]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-3-16 52032]
S2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-3-16 68865]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-15 908056]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2009-2-2 16512]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-11-17 7408]

=============== Created Last 30 ================

2009-03-16 00:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-03-16 00:07 <DIR> --d----- c:\program files\Avira
2009-03-15 23:35 389,120 a------- c:\windows\system32\CF26439.exe
2009-03-15 22:16 <DIR> --d----- c:\windows\pss
2009-03-15 14:27 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-03-15 14:08 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-15 14:08 107,912 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-15 14:08 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-15 14:08 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-03-15 14:08 <DIR> --d----- c:\docume~1\sugarb~1\applic~1\AVGTOOLBAR
2009-03-15 14:06 <DIR> --d----- c:\program files\AVG
2009-03-15 14:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-03-15 11:59 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-14 14:30 <DIR> --d----- c:\windows\srchasst
2009-03-14 14:03 <DIR> --d----- c:\windows\mui
2009-03-14 11:26 <DIR> --dsh--- c:\windows\system32\lowsec
2009-03-09 13:11 <DIR> --dsh--- c:\documents and settings\sugarbear\IECompatCache
2009-03-06 17:58 0 a------- c:\windows\system32\nfr.gpref
2009-03-06 17:58 0 a------- c:\windows\system32\nfr.assembly
2009-03-06 17:28 1 ----h--- c:\windows\t55ft3518f44.dat
2009-03-04 19:46 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-04 19:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-22 12:35 <DIR> --d----- c:\docume~1\sugarb~1\applic~1\mIRC
2009-02-22 12:35 <DIR> --d----- c:\program files\mIRC
2009-02-20 03:06 <DIR> --dsh--- c:\documents and settings\sugarbear\PrivacIE
2009-02-20 03:06 <DIR> --dsh--- c:\documents and settings\sugarbear\IETldCache
2009-02-20 02:44 <DIR> -cd-h--- c:\windows\ie8
2009-02-18 20:17 <DIR> --d----- c:\program files\Photosynth

==================== Find3M ====================

2009-02-02 23:10 262,144 a------- c:\windows\system32\wrap_oal.dll
2009-02-02 23:10 86,016 a------- c:\windows\system32\OpenAL32.dll
2009-01-15 03:05 911,872 a------- c:\windows\system32\wininet.dll
2009-01-15 03:05 43,008 a------- c:\windows\system32\licmgr10.dll
2009-01-15 03:04 18,944 a------- c:\windows\system32\corpol.dll
2009-01-15 03:03 420,352 a------- c:\windows\system32\vbscript.dll
2009-01-15 03:03 72,704 a------- c:\windows\system32\admparse.dll
2009-01-15 03:03 71,680 a------- c:\windows\system32\iesetup.dll
2009-01-15 03:01 34,304 a------- c:\windows\system32\imgutil.dll
2009-01-15 03:00 48,128 a------- c:\windows\system32\mshtmler.dll
2009-01-15 03:00 45,568 a------- c:\windows\system32\mshta.exe
2009-01-15 02:50 156,160 a------- c:\windows\system32\msls31.dll
2008-12-01 15:55 109 a--sh--- c:\windows\system32\1887203005.dat

============= FINISH: 2:28:11.59 ===============


HIJACKTHIS:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:47:01 AM, on 3/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\AVG\AVG8\aAvgApi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe


Again, thank you for taking the time to help mere mortals like myself!
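A defender's check for the two log indicators the post above points at (a second entry appended to the Winlogon Userinit value, and the extra LSA authentication package in the DDS report), written here as an added example; it is not part of the original thread and not the code of DDS or HijackThis. It parses constructed copies of the DDS and HijackThis line formats and assumes stock Windows XP defaults: Userinit holds only system32\userinit.exe and the only LSA package is msv1_0.

```python
import re

# Regexes for the two log line formats quoted in this thread: the DDS
# "mWinlogon: Userinit=..." line, the HijackThis "F2 - REG:system.ini: UserInit=..."
# line, and the DDS "LSA: Authentication Packages = ..." line.
USERINIT_RE = re.compile(r"userinit\s*=\s*(?P<value>.*)$", re.IGNORECASE)
LSA_RE = re.compile(r"authentication packages\s*=\s*(?P<value>.*)$", re.IGNORECASE)

# Assumed stock Windows XP defaults: Userinit holds only
# %SystemRoot%\system32\userinit.exe and the only LSA authentication package is msv1_0.
LEGIT_USERINIT = "userinit.exe"
LEGIT_LSA = {"msv1_0"}

# Constructed sample lines in the formats above (values mirror the post, not a live capture).
SAMPLE_LINES = [
    r"uStart Page = hxxp://www.google.com/",
    r"mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,",
    r"LSA: Authentication Packages = msv1_0 c:\windows\system32\iifecdab",
]
# Constructed lines as they would look on an unmodified machine.
CLEAN_LINES = [
    r"mWinlogon: Userinit=c:\windows\system32\userinit.exe,",
    r"LSA: Authentication Packages = msv1_0",
]


def parse_userinit(line):
    """Return the comma-separated Userinit entries, or None if this is not a Userinit line."""
    m = USERINIT_RE.search(line)
    if not m:
        return None
    # The value normally ends with a trailing comma, which yields an empty field to drop.
    return [p.strip().strip('"') for p in m.group("value").split(",") if p.strip()]


def userinit_extras(entries):
    """Entries that are not the stock userinit.exe under system32 (or the bare file name)."""
    extras = []
    for entry in entries:
        path = entry.lower().replace("/", "\\")
        name = path.rsplit("\\", 1)[-1]
        if name == LEGIT_USERINIT and (path == name or "\\system32\\" in path):
            continue
        extras.append(entry)
    return extras


def parse_lsa_packages(line):
    """Return the space-separated LSA authentication packages, or None if not an LSA line."""
    m = LSA_RE.search(line)
    if not m:
        return None
    return m.group("value").split()


def lsa_extras(packages):
    """Packages beyond the expected default set."""
    return [p for p in packages if p.lower() not in LEGIT_LSA]


def audit_log(lines):
    """Scan log lines and return de-duplicated, lower-cased findings for review."""
    userinit, lsa = set(), set()
    for line in lines:
        entries = parse_userinit(line)
        if entries is not None:
            userinit.update(e.lower() for e in userinit_extras(entries))
        packages = parse_lsa_packages(line)
        if packages is not None:
            lsa.update(p.lower() for p in lsa_extras(packages))
    return {"userinit_extras": sorted(userinit), "lsa_extras": sorted(lsa)}


if __name__ == "__main__":
    for label, lines in (("sample", SAMPLE_LINES), ("clean", CLEAN_LINES)):
        print(label, audit_log(lines))
```

A log line is only a snapshot: during cleanup, confirm the finding against the live value of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit, since a restart can re-write it.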


#2 Orange Blossom

  • Moderator

Posted 27 March 2009 - 08:44 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 Mikniks
  • Topic Starter

Posted 28 March 2009 - 12:54 AM

Thanks for the reply! I'm fairly certain the problem is the file "sdra64.exe," I'm just not sure how to remove it. Here are the logs:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Sugarbear at 1:38:37.75 on Sat 03/28/2009
Internet Explorer: 8.0.6001.18372
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.119 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sugarbear\Desktop\dds.scr
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [HijackThis startup scan] c:\program files\trend micro\hijackthis\HijackThis.exe /startupscan
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\sugarb~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-3-16 11840]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-15 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-15 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-15 107912]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-11-17 55024]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-3-16 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-3-16 151297]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-15 298264]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-3-16 52032]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-15 908056]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2009-2-2 16512]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-11-17 7408]

=============== Created Last 30 ================

2009-03-22 02:33 <DIR> --d----- c:\program files\ESPN
2009-03-17 02:22 <DIR> --d-h--- c:\windows\PIF
2009-03-16 00:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-03-16 00:07 <DIR> --d----- c:\program files\Avira
2009-03-15 23:35 389,120 a------- c:\windows\system32\CF26439.exe
2009-03-15 22:16 <DIR> --d----- c:\windows\pss
2009-03-15 14:27 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-03-15 14:08 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-15 14:08 107,912 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-15 14:08 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-15 14:08 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-03-15 14:08 <DIR> --d----- c:\docume~1\sugarb~1\applic~1\AVGTOOLBAR
2009-03-15 14:06 <DIR> --d----- c:\program files\AVG
2009-03-15 14:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-03-15 11:59 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-14 14:30 <DIR> --d----- c:\windows\srchasst
2009-03-14 14:03 <DIR> --d----- c:\windows\mui
2009-03-09 13:11 <DIR> --dsh--- c:\documents and settings\sugarbear\IECompatCache
2009-03-06 17:58 0 a------- c:\windows\system32\nfr.gpref
2009-03-06 17:58 0 a------- c:\windows\system32\nfr.assembly
2009-03-06 17:28 1 ----h--- c:\windows\t55ft3518f44.dat
2009-03-04 19:46 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-04 19:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

==================== Find3M ====================

2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-02 23:10 262,144 a------- c:\windows\system32\wrap_oal.dll
2009-02-02 23:10 86,016 a------- c:\windows\system32\OpenAL32.dll
2009-01-15 03:05 911,872 a------- c:\windows\system32\wininet.dll
2009-01-15 03:05 43,008 a------- c:\windows\system32\licmgr10.dll
2009-01-15 03:04 18,944 a------- c:\windows\system32\corpol.dll
2009-01-15 03:03 420,352 a------- c:\windows\system32\vbscript.dll
2009-01-15 03:03 72,704 a------- c:\windows\system32\admparse.dll
2009-01-15 03:03 71,680 a------- c:\windows\system32\iesetup.dll
2009-01-15 03:01 34,304 a------- c:\windows\system32\imgutil.dll
2009-01-15 03:00 48,128 a------- c:\windows\system32\mshtmler.dll
2009-01-15 03:00 45,568 a------- c:\windows\system32\mshta.exe
2009-01-15 02:50 156,160 a------- c:\windows\system32\msls31.dll
2008-12-01 15:55 109 a--sh--- c:\windows\system32\1887203005.dat

============= FINISH: 1:40:25.14 ===============


Please let me know if you need the "Attach" part of the log.

#4 Mikniks
  • Topic Starter

Posted 28 March 2009 - 01:35 AM

Thanks for the reply! Here is the log from DDS:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Sugarbear at 2:29:43.09 on Sat 03/28/2009
Internet Explorer: 8.0.6001.18372
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.235 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Sugarbear\Desktop\dds.scr
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [HijackThis startup scan] c:\program files\trend micro\hijackthis\HijackThis.exe /startupscan
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\sugarb~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: AutorunsDisabled\linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: AutorunsDisabled - avgrsstx.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll

============= SERVICES / DRIVERS ===============

S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2009-2-2 16512]
S4 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-3-16 68865]
S4 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-3-16 151297]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-15 908056]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-15 298264]
S4 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-3-16 11840]
S4 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-15 325640]
S4 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-15 27656]
S4 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-3-16 52032]
S4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-15 107912]
S4 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-11-17 8944]
S4 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-11-17 7408]
S4 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-11-17 55024]

=============== Created Last 30 ================

2009-03-22 02:33 <DIR> --d----- c:\program files\ESPN
2009-03-17 02:22 <DIR> --d-h--- c:\windows\PIF
2009-03-16 00:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-03-16 00:07 <DIR> --d----- c:\program files\Avira
2009-03-15 23:35 389,120 a------- c:\windows\system32\CF26439.exe
2009-03-15 22:16 <DIR> --d----- c:\windows\pss
2009-03-15 14:27 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-03-15 14:08 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-15 14:08 107,912 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-15 14:08 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-15 14:08 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-03-15 14:08 <DIR> --d----- c:\docume~1\sugarb~1\applic~1\AVGTOOLBAR
2009-03-15 14:06 <DIR> --d----- c:\program files\AVG
2009-03-15 14:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-03-15 11:59 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-14 14:30 <DIR> --d----- c:\windows\srchasst
2009-03-14 14:03 <DIR> --d----- c:\windows\mui
2009-03-09 13:11 <DIR> --dsh--- c:\documents and settings\sugarbear\IECompatCache
2009-03-06 17:58 0 a------- c:\windows\system32\nfr.gpref
2009-03-06 17:58 0 a------- c:\windows\system32\nfr.assembly
2009-03-06 17:28 1 ----h--- c:\windows\t55ft3518f44.dat
2009-03-04 19:46 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-04 19:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

==================== Find3M ====================

2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-02 23:10 262,144 a------- c:\windows\system32\wrap_oal.dll
2009-02-02 23:10 86,016 a------- c:\windows\system32\OpenAL32.dll
2009-01-15 03:05 911,872 a------- c:\windows\system32\wininet.dll
2009-01-15 03:05 43,008 a------- c:\windows\system32\licmgr10.dll
2009-01-15 03:04 18,944 a------- c:\windows\system32\corpol.dll
2009-01-15 03:03 420,352 a------- c:\windows\system32\vbscript.dll
2009-01-15 03:03 72,704 a------- c:\windows\system32\admparse.dll
2009-01-15 03:03 71,680 a------- c:\windows\system32\iesetup.dll
2009-01-15 03:01 34,304 a------- c:\windows\system32\imgutil.dll
2009-01-15 03:00 48,128 a------- c:\windows\system32\mshtmler.dll
2009-01-15 03:00 45,568 a------- c:\windows\system32\mshta.exe
2009-01-15 02:50 156,160 a------- c:\windows\system32\msls31.dll
2008-12-01 15:55 109 a--sh--- c:\windows\system32\1887203005.dat

============= FINISH: 2:31:20.90 ===============

#5 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 28 March 2009 - 12:45 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#6 Mikniks
  • Topic Starter
  • Members
  • 16 posts

Posted 28 March 2009 - 02:46 PM

I've actually tried running ComboFix and GMER, but the programs refuse to run. ComboFix will start and the load timer will come up, but after a few seconds ComboFix will just sit inactively in task manager with no interface popping up. The same goes for programs like Spybot, Malwarebytes, SuperAntiSpyware, etc.

Avira is the only one that runs.

I'm unsure as to why this is happening.

#7 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 28 March 2009 - 03:06 PM

Hello.

Please delete your current copy of ComboFix.

Download ComboFix again. In the Save As window, save it as ComboFix123.exe.

Try running it again.

With Regards,
The Panda

#8 Mikniks
  • Topic Starter
  • Members
  • 16 posts

Posted 28 March 2009 - 06:07 PM

.

Edited by PropagandaPanda, 28 March 2009 - 06:44 PM.


#9 Mikniks
  • Topic Starter
  • Members
  • 16 posts

Posted 28 March 2009 - 06:07 PM

Ran both, and here are the results (preliminary results are good; I can now open IE and click Google links without being transported to another page):

ComboFix Log:

ComboFix 09-03-27.02 - Sugarbear 2009-03-28 18:21:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.322 [GMT -4:00]
Running from: c:\documents and settings\Sugarbear\Desktop\ComboFix123.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\senekacboesfoy.sys
c:\windows\system32\drivers\UACnausfnmt.sys
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
c:\windows\system32\senekaicxayuup.dll
c:\windows\system32\senekaoiyenjbo.dll
c:\windows\system32\UACfxrtcoha.log
c:\windows\system32\UAChfgtuxyi.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\UACleitaqbi.log
c:\windows\system32\UACloucjwub.dll
c:\windows\system32\UACpcpfysbx.log
c:\windows\system32\UACrghcnmxp.dll
c:\windows\system32\UACtjdyxefh.dll
c:\windows\system32\UACvucyyxdo.dll
c:\windows\system32\UACyevoayyd.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Service_SENEKA


((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-28 )))))))))))))))))))))))))))))))
.

2009-03-28 13:31 . 2009-03-28 14:27 <DIR> d-------- c:\program files\Lexmark 8300 Series
2009-03-28 13:02 . 2009-03-28 13:02 47,224 --a------ C:\LXCJunst.csv
2009-03-28 12:40 . 2001-08-17 22:36 87,040 --a------ c:\windows\system32\wiafbdrv.dll
2009-03-28 12:40 . 2001-08-17 22:36 87,040 --a--c--- c:\windows\system32\dllcache\wiafbdrv.dll
2009-03-28 12:40 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-03-28 12:40 . 2008-04-14 00:15 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2009-03-28 11:44 . 2009-03-28 18:10 <DIR> d-------- c:\temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}
2009-03-28 11:44 . 2009-03-28 11:44 <DIR> d-------- C:\Temp
2009-03-28 11:44 . 2009-03-28 12:02 18,300 --a------ C:\LXCJINST.000
2009-03-28 11:44 . 2009-03-28 13:02 10,372 --a------ C:\LXCJINST.csv
2009-03-28 11:44 . 2009-03-28 12:05 0 --a------ C:\lxcjfire.csv
2009-03-28 11:44 . 2009-03-28 11:44 0 --a------ C:\lxcjfire.000
2009-03-22 02:33 . 2009-03-22 02:33 <DIR> d-------- c:\program files\ESPN
2009-03-17 02:22 . 2009-03-17 02:22 <DIR> d--h----- c:\windows\PIF
2009-03-16 00:07 . 2009-03-16 00:07 <DIR> d-------- c:\program files\Avira
2009-03-16 00:07 . 2009-03-16 00:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-03-15 19:07 . 2009-03-15 19:07 <DIR> d--hs---- c:\documents and settings\Clean\PrivacIE
2009-03-15 19:07 . 2009-03-15 19:07 <DIR> d--hs---- c:\documents and settings\Clean\IETldCache
2009-03-15 19:07 . 2008-09-22 01:04 <DIR> d-------- c:\documents and settings\Clean\Application Data\Intel
2009-03-15 19:07 . 2009-03-15 19:07 <DIR> d-------- c:\documents and settings\Clean
2009-03-15 14:27 . 2009-03-15 17:40 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-15 14:08 . 2009-03-15 14:13 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-03-15 14:08 . 2009-03-15 14:14 <DIR> d-------- c:\documents and settings\Sugarbear\Application Data\AVGTOOLBAR
2009-03-15 14:08 . 2009-03-15 14:08 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-03-15 14:08 . 2009-03-15 14:08 107,912 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-03-15 14:08 . 2009-03-15 14:08 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-03-15 14:06 . 2009-03-15 14:06 <DIR> d-------- c:\program files\AVG
2009-03-15 14:06 . 2009-03-28 02:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-15 11:59 . 2009-03-15 11:58 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-14 14:30 . 2009-03-14 14:30 <DIR> d-------- c:\windows\srchasst
2009-03-14 14:19 . 2009-03-14 14:19 <DIR> d--hs---- c:\documents and settings\GuestUser\PrivacIE
2009-03-14 14:19 . 2009-03-14 14:19 <DIR> d--hs---- c:\documents and settings\GuestUser\IETldCache
2009-03-14 14:03 . 2009-03-14 14:03 <DIR> d-------- c:\windows\mui
2009-03-14 14:03 . 2009-03-14 14:03 <DIR> d-------- c:\program files\microsoft frontpage
2009-03-09 13:11 . 2009-03-09 13:11 <DIR> d--hs---- c:\documents and settings\Sugarbear\IECompatCache
2009-03-06 17:58 . 2009-03-06 17:58 0 --a------ c:\windows\system32\nfr.gpref
2009-03-06 17:58 . 2009-03-06 17:58 0 --a------ c:\windows\system32\nfr.assembly
2009-03-06 17:28 . 2009-03-06 17:28 1 ---h----- c:\windows\t55ft3518f44.dat
2009-03-04 19:46 . 2009-03-14 14:18 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-04 19:46 . 2009-03-05 17:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-28 06:29 --------- d-----w c:\documents and settings\Sugarbear\Application Data\OpenOffice.org2
2009-03-28 05:36 --------- d-----w c:\program files\Full Tilt Poker
2009-03-16 14:19 --------- d-----w c:\documents and settings\Sugarbear\Application Data\LimeWire
2009-03-15 15:57 --------- d-----w c:\program files\Java
2009-03-06 14:17 --------- d-----w c:\documents and settings\Sugarbear\Application Data\mIRC
2009-03-06 14:16 --------- d-----w c:\program files\mIRC
2009-02-26 06:24 --------- d-----w c:\program files\SUPERAntiSpyware
2009-02-20 19:18 --------- d-----w c:\program files\LimeWire
2009-02-19 00:18 --------- d-----w c:\program files\Photosynth
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-03 03:32 --------- d-----w c:\program files\Free DVD Ripper
2009-02-03 03:30 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-03 03:30 --------- d-----w c:\program files\OpenLibraries
2009-02-03 03:10 86,016 ----a-w c:\windows\system32\OpenAL32.dll
2009-02-03 03:10 262,144 ----a-w c:\windows\system32\wrap_oal.dll
2009-02-03 02:54 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-02-03 02:53 --------- d-----w c:\program files\Holdem Indicator
2009-01-15 07:05 911,872 ----a-w c:\windows\system32\wininet.dll
2009-01-15 07:05 43,008 ----a-w c:\windows\system32\licmgr10.dll
2009-01-15 07:04 18,944 ----a-w c:\windows\system32\corpol.dll
2009-01-15 07:03 72,704 ----a-w c:\windows\system32\admparse.dll
2009-01-15 07:03 71,680 ----a-w c:\windows\system32\iesetup.dll
2009-01-15 07:03 420,352 ----a-w c:\windows\system32\vbscript.dll
2009-01-15 07:01 34,304 ----a-w c:\windows\system32\imgutil.dll
2009-01-15 07:00 48,128 ----a-w c:\windows\system32\mshtmler.dll
2009-01-15 07:00 45,568 ----a-w c:\windows\system32\mshta.exe
2009-01-15 06:50 156,160 ----a-w c:\windows\system32\msls31.dll
2008-12-01 19:55 109 --sha-w c:\windows\system32\1887203005.dat
.

------- Sigcheck -------

2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2008-04-14 00:50 361344 accf5a9a1ffaa490f33dba1c632b95e1 c:\windows\ServicePackFiles\i386\tcpip.sys
2008-06-20 07:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\dllcache\tcpip.sys
2008-06-20 07:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HijackThis startup scan"="c:\program files\Trend Micro\HijackThis\HijackThis.exe" [2009-01-11 396288]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

c:\documents and settings\Sugarbear\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2006-08-03 03:20 188482 c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
2009-03-15 14:08 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-08-06 11:21 50472 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 05:42 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
--a------ 2005-07-07 06:08 135168 c:\program files\Intel\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZCfgSvc.exe]
--a------ 2006-08-03 03:19 639040 c:\windows\system32\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
"AppMgmt"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"ALG"=3 (0x3)
"IDriverT"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:dll32
"7171:TCP"= 7171:TCP:dll32

S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2009-02-02 16512]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-03-15 908056]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-15 298264]
S4 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-15 325640]
S4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-15 107912]
S4 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-11-17 8944]
S4 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
S4 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-11-17 55024]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b248d274-872f-11dd-b421-806d6172696f}]
\Shell\AutoRun\command - D:\Setup.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-net64 - c:\windows\svhoster.exe
MSConfigStartUp-netc - c:\windows\svc.exe
MSConfigStartUp-netsv32 - c:\windows\sv.exe
MSConfigStartUp-netw - c:\windows\svw.exe
MSConfigStartUp-netx - c:\windows\svx.exe
MSConfigStartUp-netzip - c:\windows\svzip.exe
MSConfigStartUp-runsql - c:\windows\runsql.exe
MSConfigStartUp-UpdateWin - c:\windows\system32\amstreamp.exe
MSConfigStartUp-userinit - c:\windows\system32\ntos.exe
MSConfigStartUp-vlc - c:\windows\vlc.exe
MSConfigStartUp-wdmon - c:\windows\wdmon.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-28 18:27:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\netprovcredman.dll
c:\windows\System32\LgNotify.dll
.
Completion time: 2009-03-28 18:30:39
ComboFix-quarantined-files.txt 2009-03-28 22:29:22

Pre-Run: 44,444,377,088 bytes free
Post-Run: 46,405,816,320 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

218 --- E O F --- 2009-03-16 07:04:52

#10 Mikniks
  • Topic Starter
  • Members
  • 16 posts

Posted 28 March 2009 - 06:08 PM

GMER Log (ran this after ComboFix):

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-03-28 19:04:51
Windows 5.1.2600 Service Pack 3


---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !
? C:\ComboFix123\catchme.sys The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[784] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 00BD4315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[784] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00CA1D31 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[784] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 00C9D5B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[784] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 00CA67BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[784] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00C170D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[784] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 00DC637B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[784] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 00DC62AD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[784] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 00DC6318 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[784] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 00DC617E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[784] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 00DC61E0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[784] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 00DC63DE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[784] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 00DC6242 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[784] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00CA74D1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1972] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 00BD4315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1972] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 00CA67BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1972] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 00DC637B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1972] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 00DC62AD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1972] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 00DC6318 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1972] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 00DC617E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1972] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 00DC61E0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1972] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 00DC63DE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1972] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 00DC6242 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \Fat EF7E2D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACnausfnmt.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACnausfnmt.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACtjdyxefh.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UAChfgtuxyi.dat
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACyevoayyd.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACloucjwub.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACvucyyxdo.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACrghcnmxp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACpcpfysbx.log
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACfxrtcoha.log
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACleitaqbi.log

---- EOF - GMER 1.0.15 ----

#11 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 28 March 2009 - 06:51 PM

Hello.

Backdoor Threat
I'm sorry to say that your computer was infected with one or more backdoor trojans.

This means that sensitive information could have been stolen. I would advise to change any passwords for any accounts that you have accessed with the infected computer using a clean computer ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding preventing of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.

Peer-to-Peer Programs
Your log shows that you are using so called peer-to-peer or file-sharing programs (in your case LimeWire). These programs allow you to share files between users, as the name(s) suggest. In today's world cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s) but I suggest you remove it via add/remove. However, please refrain from using them until your computer has been declared clean.

Run ComboFix with CFScript
There are a couple of items I would like to look into.

We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    http://www.bleepingcomputer.com/forums/t/211516/iexploreexe-running-when-no-window-is-open-userinit-value-changed/
    
    Suspect::[59]
    c:\windows\system32\netprovcredman.dll
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "80:TCP"=-
    "7171:TCP"=-
  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
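The CFScript above uses the REGEDIT4 syntax that ComboFix accepts: under Registry::, a line of the form "name"=- deletes that value, so the two lines remove the "80:TCP" and "7171:TCP" entries from the firewall's GloballyOpenPorts list. Before or after running such a script it helps to see what those keys currently hold. The following is an added example, not code from this thread or from ComboFix: a read-only PowerShell audit of the Winlogon Userinit value the topic title refers to, the Winlogon\Notify DLLs, and the StandardProfile firewall keys the script edits. It assumes PowerShell 2.0 or later with rights to read HKLM (on XP, PowerShell has to be installed first); it changes nothing.

```powershell
# Added example, not from this thread or from ComboFix: read-only audit of the
# registry locations the CFScript works on, plus the Winlogon Userinit value.
# Assumes PowerShell 2.0+ with rights to read HKLM. Nothing is modified.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$fwStd    = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'

# 1. Userinit: on a clean XP machine the value is the system userinit.exe followed by
#    a trailing comma. Anything appended after the comma is loaded at every logon.
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$expected = "$env:SystemRoot\system32\userinit.exe,"
if ($userinit -ieq $expected) { "Userinit OK: $userinit" }
else { "Userinit DIFFERS: '$userinit' (expected '$expected')" }

# 2. Winlogon\Notify: each subkey names a DLL that winlogon.exe loads at logon
#    (the log above shows LgNotify.dll registered this way under winlogon.exe).
Get-ChildItem -Path "$winlogon\Notify" -ErrorAction SilentlyContinue | ForEach-Object {
    $dll  = (Get-ItemProperty -Path $_.PSPath).DLLName
    $full = $dll
    # A bare file name resolves from system32, so check existence there.
    if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
        $full = Join-Path "$env:SystemRoot\system32" $dll
    }
    $exists = if ($full) { Test-Path -Path $full } else { $false }
    "Notify\{0,-22} DLL={1,-28} exists={2}" -f $_.PSChildName, $dll, $exists
}

# 3. Firewall profile state and the GloballyOpenPorts list the script removes entries from.
#    The log above reports "EnableFirewall"= 0, i.e. the XP firewall is switched off.
$std = Get-ItemProperty -Path $fwStd -ErrorAction SilentlyContinue
"EnableFirewall = $($std.EnableFirewall)"
$ports = Get-ItemProperty -Path "$fwStd\GloballyOpenPorts\List" -ErrorAction SilentlyContinue
if ($ports) {
    # Only the "port:protocol" values are real entries; the rest are PS* provider noise.
    $ports.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+:(TCP|UDP)$' } |
        ForEach-Object { "GloballyOpenPorts {0,-10} -> {1}" -f $_.Name, $_.Value }
}

# 4. Programs allowed through the firewall, for comparison with the
#    AuthorizedApplications\List section of the ComboFix log.
$apps = Get-ItemProperty -Path "$fwStd\AuthorizedApplications\List" -ErrorAction SilentlyContinue
if ($apps) {
    $apps.PSObject.Properties |
        Where-Object { $_.Name -like '*.exe' } |
        ForEach-Object { "AuthorizedApp {0} -> {1}" -f $_.Name, $_.Value }
}
```

Run it from an elevated PowerShell prompt and compare the output with the "Reg Loading Points" section of the ComboFix log; a Userinit value that does not end right after userinit.exe, a Notify DLL whose file does not exist on disk, or open-port entries nobody added deliberately are the items to ask a helper about.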

Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download Malwarebytes Anti-Malware setup and save it to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing MalwareBytes, running the scan, and saving the log file (not on using FileAssassin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able to update using the normal method, download the update file from here, using another machine if needed. Simply double-click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.
With Regards,
The Panda

#12 Mikniks

Mikniks
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:05:58 PM

Posted 28 March 2009 - 09:07 PM

Re-ran ComboFix with the script you provided, and deleted LimeWire (although I don't know why it still appears in the log). Ran Malwarebytes (full scan) and nothing turned up.


ComboFix 09-03-28.01 - Sugarbear 2009-03-28 21:52:36.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.196 [GMT -4:00]
Running from: c:\documents and settings\Sugarbear\Desktop\ComboFixA.exe
Command switches used :: c:\documents and settings\Sugarbear\Desktop\cfscript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-29 )))))))))))))))))))))))))))))))
.

2009-03-28 20:33 . 2009-03-28 20:40 <DIR> d-------- C:\ComboFix123
2009-03-28 13:31 . 2009-03-28 14:27 <DIR> d-------- c:\program files\Lexmark 8300 Series
2009-03-28 13:02 . 2009-03-28 13:02 47,224 --a------ C:\LXCJunst.csv
2009-03-28 12:40 . 2001-08-17 22:36 87,040 --a------ c:\windows\system32\wiafbdrv.dll
2009-03-28 12:40 . 2001-08-17 22:36 87,040 --a--c--- c:\windows\system32\dllcache\wiafbdrv.dll
2009-03-28 12:40 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-03-28 12:40 . 2008-04-14 00:15 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2009-03-28 11:44 . 2009-03-28 18:10 <DIR> d-------- c:\temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}
2009-03-28 11:44 . 2009-03-28 11:44 <DIR> d-------- C:\Temp
2009-03-28 11:44 . 2009-03-28 12:02 18,300 --a------ C:\LXCJINST.000
2009-03-28 11:44 . 2009-03-28 13:02 10,372 --a------ C:\LXCJINST.csv
2009-03-28 11:44 . 2009-03-28 12:05 0 --a------ C:\lxcjfire.csv
2009-03-28 11:44 . 2009-03-28 11:44 0 --a------ C:\lxcjfire.000
2009-03-22 02:33 . 2009-03-22 02:33 <DIR> d-------- c:\program files\ESPN
2009-03-17 02:22 . 2009-03-17 02:22 <DIR> d--h----- c:\windows\PIF
2009-03-16 00:07 . 2009-03-16 00:07 <DIR> d-------- c:\program files\Avira
2009-03-16 00:07 . 2009-03-16 00:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-03-15 19:07 . 2009-03-15 19:07 <DIR> d--hs---- c:\documents and settings\Clean\PrivacIE
2009-03-15 19:07 . 2009-03-15 19:07 <DIR> d--hs---- c:\documents and settings\Clean\IETldCache
2009-03-15 19:07 . 2008-09-22 01:04 <DIR> d-------- c:\documents and settings\Clean\Application Data\Intel
2009-03-15 19:07 . 2009-03-15 19:07 <DIR> d-------- c:\documents and settings\Clean
2009-03-15 14:27 . 2009-03-15 17:40 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-15 14:08 . 2009-03-15 14:13 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-03-15 14:08 . 2009-03-15 14:14 <DIR> d-------- c:\documents and settings\Sugarbear\Application Data\AVGTOOLBAR
2009-03-15 14:08 . 2009-03-15 14:08 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-03-15 14:08 . 2009-03-15 14:08 107,912 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-03-15 14:08 . 2009-03-15 14:08 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-03-15 14:06 . 2009-03-15 14:06 <DIR> d-------- c:\program files\AVG
2009-03-15 14:06 . 2009-03-28 02:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-15 11:59 . 2009-03-15 11:58 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-14 14:30 . 2009-03-14 14:30 <DIR> d-------- c:\windows\srchasst
2009-03-14 14:19 . 2009-03-14 14:19 <DIR> d--hs---- c:\documents and settings\GuestUser\PrivacIE
2009-03-14 14:19 . 2009-03-14 14:19 <DIR> d--hs---- c:\documents and settings\GuestUser\IETldCache
2009-03-14 14:03 . 2009-03-14 14:03 <DIR> d-------- c:\windows\mui
2009-03-14 14:03 . 2009-03-14 14:03 <DIR> d-------- c:\program files\microsoft frontpage
2009-03-09 13:11 . 2009-03-09 13:11 <DIR> d--hs---- c:\documents and settings\Sugarbear\IECompatCache
2009-03-06 17:28 . 2009-03-06 17:28 1 ---h----- c:\windows\t55ft3518f44.dat
2009-03-04 19:46 . 2009-03-14 14:18 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-04 19:46 . 2009-03-05 17:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-29 01:41 --------- d-----w c:\program files\LimeWire
2009-03-29 00:32 --------- d-----w c:\program files\Full Tilt Poker
2009-03-28 06:29 --------- d-----w c:\documents and settings\Sugarbear\Application Data\OpenOffice.org2
2009-03-16 14:19 --------- d-----w c:\documents and settings\Sugarbear\Application Data\LimeWire
2009-03-15 15:57 --------- d-----w c:\program files\Java
2009-03-06 14:17 --------- d-----w c:\documents and settings\Sugarbear\Application Data\mIRC
2009-03-06 14:16 --------- d-----w c:\program files\mIRC
2009-02-26 06:24 --------- d-----w c:\program files\SUPERAntiSpyware
2009-02-19 00:18 --------- d-----w c:\program files\Photosynth
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-03 03:32 --------- d-----w c:\program files\Free DVD Ripper
2009-02-03 03:30 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-03 03:30 --------- d-----w c:\program files\OpenLibraries
2009-02-03 03:10 86,016 ----a-w c:\windows\system32\OpenAL32.dll
2009-02-03 03:10 262,144 ----a-w c:\windows\system32\wrap_oal.dll
2009-02-03 02:54 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-02-03 02:53 --------- d-----w c:\program files\Holdem Indicator
2009-01-15 07:05 911,872 ----a-w c:\windows\system32\wininet.dll
2009-01-15 07:05 43,008 ----a-w c:\windows\system32\licmgr10.dll
2009-01-15 07:04 18,944 ----a-w c:\windows\system32\corpol.dll
2009-01-15 07:03 72,704 ----a-w c:\windows\system32\admparse.dll
2009-01-15 07:03 71,680 ----a-w c:\windows\system32\iesetup.dll
2009-01-15 07:03 420,352 ----a-w c:\windows\system32\vbscript.dll
2009-01-15 07:01 34,304 ----a-w c:\windows\system32\imgutil.dll
2009-01-15 07:00 48,128 ----a-w c:\windows\system32\mshtmler.dll
2009-01-15 07:00 45,568 ----a-w c:\windows\system32\mshta.exe
2009-01-15 06:50 156,160 ----a-w c:\windows\system32\msls31.dll
2008-12-01 19:55 109 --sha-w c:\windows\system32\1887203005.dat
.

------- Sigcheck -------

2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2008-04-14 00:50 361344 accf5a9a1ffaa490f33dba1c632b95e1 c:\windows\ServicePackFiles\i386\tcpip.sys
2008-06-20 07:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\dllcache\tcpip.sys
2008-06-20 07:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HijackThis startup scan"="c:\program files\Trend Micro\HijackThis\HijackThis.exe" [2009-01-11 396288]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

c:\documents and settings\Sugarbear\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2006-08-03 03:20 188482 c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
2009-03-15 14:08 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-08-06 11:21 50472 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 05:42 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
--a------ 2005-07-07 06:08 135168 c:\program files\Intel\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZCfgSvc.exe]
--a------ 2006-08-03 03:19 639040 c:\windows\system32\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
"AppMgmt"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"ALG"=3 (0x3)
"IDriverT"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2009-02-02 16512]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-03-15 908056]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-15 298264]
S4 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-15 325640]
S4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-15 107912]
S4 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-11-17 8944]
S4 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
S4 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-11-17 55024]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AUJASNKJ
*Deregistered* - aujasnkj

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-28 21:55:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\netprovcredman.dll
c:\windows\System32\LgNotify.dll
.
Completion time: 2009-03-28 21:58:23
ComboFix-quarantined-files.txt 2009-03-29 01:57:05
ComboFix2.txt 2009-03-29 00:40:07
ComboFix3.txt 2009-03-28 22:30:41

Pre-Run: 46,406,868,992 bytes free
Post-Run: 46,398,513,152 bytes free

174 --- E O F --- 2009-03-16 07:04:52


If you find that the problems on this computer require serious work or that the issues may not be ultimately resolved, I will look to invest in a new computer as this one is nearly five years old. If I am able to fix it, I will do so as I'd like to put off the computer purchase for a month or so. I also do not have any especially sensitive information... I don't do any online banking or any other transactions, but I will probably change the password to my e-mail for the sake of safety. Thank you so much for the help you've provided.

#13 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:58 PM

Posted 29 March 2009 - 09:38 AM

Hello.

The infections can be removed. If you do not use this computer for sensitive information handling, then it should not be a big problem.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner to check for anything left.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


Take a new DDS.txt log after.

Please give me an update on the symptoms. Any problems at the moment?

With Regards,
The Panda

#14 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:58 PM

Posted 08 April 2009 - 05:30 PM

Hello.

There had been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda