
My laptop was recently attacked by several Trojans, not sure if I'm safe. HELP!


This topic is locked
18 replies to this topic

#1 Dave Finlay (Members, 148 posts)

Posted 28 March 2009 - 07:38 PM

I guess you could say I got a good dose of karma, I just hope that you guys won't judge me or refuse to help me for what I'm about to describe. Two nights ago, I acquired a crack for one of my programs, and scanned it with both my anti-virus (Symantec AntiVirus) and Malwarebytes upon downloading it. When I opened up the program, it was akin to opening up a can of worms. My internet access was severed, my anti-virus went haywire and got overwhelmed, and what scared me the most is that a screen-full of warning messages from my anti-virus, attempting to intercept e-mails, popped up... there aren't viruses that send your info out like that, right?

Long story short, my main account was being held hostage by these trojans/viruses, and barely if at all functioned (i.e. I wasn't allowed access to the folder or Task Manager). I had no internet access on the laptop at all no matter what account. I had to create another account via Safe Mode in order to scan my laptop with Malwarebytes and SUPERAntiSpyware. Both picked up some Trojans (located in WINDOWS/System32/userinit) and quarantined/deleted them, but some required a re-boot to delete them. And when I did, the same Trojans popped back up again anyway.

I've run HijackThis and saved the log (for anyone that wants to see it). My anti-virus also has listed the Trojans that immediately popped up when I opened that program (which I've since deleted), and has them listed as "being cleaned successfully", yet I can't delete them from the Risk History list, nor do they appear on the Quarantine list or any subsequent scans (so I assume that they're gone or at least dormant). The buggers that it picked up were:

Packed.Generic.209 (3 of them)
Trojan.Neprodoor!inf (2 of them)
Trojan.Vundo (1)

The ones picked up by initial Anti-Malware and SuperAntiSpyware scans:

Trojan.Agent (2 of them) (from WINDOWS/System32/userinit)

Since then I've managed to:

- restore my laptop's internet access, with a program called "LSPfix".
- deleted my old main account and its folders/files, which had some nasty stuff in its temp file that probably was what didn't allow me to access the entire folder.
- have done numerous virus/spyware/adware scans with a handful of programs. All that's come up since is these two Trojan.Agent files from WINDOWS/System32/userinit.exe (via Malwarebytes and SUPERAntiSpyware) that keep re-spawning when I delete them. The trojans that my anti-virus initially intercepted (Neprodoor, Vundo etc.) and which I listed in my first post were "cleaned" right on the spot, and are listed as having been cleaned successfully by the AV. They might be gone, I dunno. Every other virus scan has yielded nothing.

Still, I'm wondering whether I'm compromising my laptop and my security as I speak. I've sought help elsewhere and was told that Neprodoor is a pretty nasty toolkit that embeds itself in Windows' ndis.sys file, among others, and is difficult to get rid of. But like I said, it's listed as "cleaned" by my AV and I haven't seen any signs of it since. They suggested that I re-format; thing is that this laptop requires a portable floppy disk drive to load the SATA drivers into it during re-installation... I don't have a portable floppy. Unless I can use my microSD card (which is technically a portable drive) to load the drivers, I can't re-install.

Do you think I'm in the clear now after that initial attack, or are there probably still well-hidden backdoors and rootkits at work as I speak? I may have further risked myself just by registering to this forum... I'm deathly afraid of having my personal information and passwords leaked.

Here's my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:36:50 PM, on 3/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Cookie Washer\washidx.exe "my real name"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 6619 bytes

#2 KoanYorel (Staff Emeritus, 19,461 posts)

Posted 06 April 2009 - 11:24 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 Dave Finlay (Topic Starter; Members, 148 posts)

Posted 08 April 2009 - 01:51 AM

Thanks for responding.

In addition to what I said in the first post, I'm also not able to access Windows/Microsoft Update, as I get an error message [Error number: 0x80070002]. In my services menu, BITS (Background Intelligent Transfer Service) is stopped and I am not able to start it. Other features such as System Restore have disappeared entirely. In the virus/malware scans that I've run in the last week or so, no more viruses or trojans have come up, as I apparently eliminated those last two Trojan.Agents that kept popping up in Malwarebytes scans a couple of days ago. They were located in my system32 folder. Regardless, I've been told elsewhere that I should re-format/re-install as my security may be compromised as I speak.

Here's the results I got from that DDS scan:


DDS (Ver_09-03-16.01) - NTFSx86
Run byat 2:35:24.10 on Wed 04/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.567 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Daniel Ramirez\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.4.2\gears.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRunServicesOnce: [washindex] c:\program files\cookie washer\washidx.exe "Daniel Ramirez"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.4.2\gears.dll
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9732FB42-C321-11D1-836F-00A0C993F125} - hxxp://pcpitstop.com/mhLbl.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\daniel~1\applic~1\mozilla\firefox\profiles\ccyoekty.default\
FF - component: c:\program files\google\google gears\firefox\components\gears_ff2.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-9-3 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-3-6 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090407.003\naveng.sys [2009-4-7 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090407.003\navex15.sys [2009-4-7 876144]
R3 PhTVTune;Cap7134 TVTuner;c:\windows\system32\drivers\PhTVTune.sys [2005-6-20 42176]
S3 bcmntio;bcmntio;\??\c:\progra~1\checkit\utilit~1\bcmntio.sys --> c:\progra~1\checkit\utilit~1\bcmntio.sys [?]
S3 CB54G3;Wireless CB54G3/MP54G3 Wireless LAN Card Driver;c:\windows\system32\drivers\i2220ntx.sys [2005-6-20 148480]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2008-11-9 17149]
S3 mapmem;mapmem;\??\c:\progra~1\checkit\utilit~1\mapmem.sys --> c:\progra~1\checkit\utilit~1\mapmem.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-5-21 34576]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
S3 SCR131C;SCRx31 Serial Smart Card Reader;c:\windows\system32\drivers\scr131c.sys --> c:\windows\system32\drivers\SCR131C.sys [?]
S3 SCR33X USB Smart Card Reader;SCR33X USB Smart Card Reader;c:\windows\system32\drivers\scr33x2k.sys --> c:\windows\system32\drivers\SCR33X2K.sys [?]
S3 Slazldrv;SmartLink AMR_PCI Driver;c:\windows\system32\drivers\slazldrv.sys [2004-12-29 223112]
S3 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]
S4 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2009-3-27 4414520]
S4 gupdate1c9a12749c48388;Google Update Service (gupdate1c9a12749c48388);c:\program files\google\update\GoogleUpdate.exe [2009-3-9 133104]
S4 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416]

============== File Associations ===============

inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
piffile="%1" %*"

=============== Created Last 30 ================

2009-04-03 22:43 <DIR> -cd----- c:\docume~1\daniel~1\applic~1\BitTorrent
2009-04-03 22:09 <DIR> -cd----- c:\docume~1\daniel~1\applic~1\com.doubleperfect.ggpo.0753AD3679DBFCA1E7F470171B7D0DB8B404A7EA.1
2009-04-01 02:24 <DIR> -cdsh--- c:\documents and settings\daniel ramirez\IECompatCache
2009-04-01 02:22 <DIR> -cdsh--- c:\documents and settings\daniel ramirez\PrivacIE
2009-04-01 02:21 <DIR> -cdsh--- c:\documents and settings\daniel ramirez\IETldCache
2009-04-01 02:14 <DIR> -cd-h--- c:\windows\ie8
2009-03-28 02:27 <DIR> -cd----- C:\RootkitNO
2009-03-28 02:05 2 ac-shrot c:\windows\winstart.bat
2009-03-28 02:05 <DIR> -cd----- c:\program files\UnHackMe
2009-03-28 01:29 <DIR> -cd----- c:\docume~1\daniel~1\applic~1\Windows Search
2009-03-27 21:32 22,024 ac------ c:\windows\system32\drivers\pxscan.sys
2009-03-27 21:32 <DIR> -cd----- c:\program files\Prevx
2009-03-27 21:32 67 ac------ c:\windows\wininit.ini
2009-03-27 21:32 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\PrevxCSI
2009-03-27 05:50 <DIR> -cd----- c:\docume~1\daniel~1\applic~1\SUPERAntiSpyware.com
2009-03-27 04:14 <DIR> -cd----- c:\docume~1\daniel~1\applic~1\Malwarebytes
2009-03-27 04:12 <DIR> -cd----- c:\documents and settings\Daniel Ramirez
2009-03-27 01:46 182,656 ac------ c:\windows\system32\dllcache\ndis.sys
2009-03-27 01:45 1 ac------ c:\windows\system32\uniq.tll
2009-03-25 22:05 <DIR> -cd----- c:\program files\hkSFV
2009-03-12 16:28 <DIR> -cd----- c:\program files\Virtual VCR

==================== Find3M ====================

2009-03-27 01:46 182,656 ac------ c:\windows\system32\drivers\ndis.sys
2009-03-27 01:36 323,584 ac------ c:\windows\system32\AUDIOGENIE2.DLL
2009-03-26 16:49 38,496 ac------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 16:49 15,504 ac------ c:\windows\system32\drivers\mbam.sys
2009-03-08 04:34 914,944 ac------ c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 ac------ c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 ac------ c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 ac------ c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 ac------ c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 ac------ c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 ac------ c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 ac------ c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 ac------ c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 ac------ c:\windows\system32\msls31.dll
2009-02-09 07:13 1,846,784 ac------ c:\windows\system32\win32k.sys
2009-01-16 15:45 73,728 ac------ c:\windows\system32\RtNicProp32.dll
2008-10-06 19:48 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100620081007\index.dat

============= FINISH: 2:35:44.75 ===============
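Two things in the logs above are worth checking before deciding between cleaning and reinstalling. First, the HijackThis log in post #1 lists BITS and Automatic Updates as "Unknown owner - C:\WINDOWS\": a bare directory where HijackThis normally prints the service executable, which means it could not resolve the service ImagePath to a file. A service in that state cannot start, and 0x80070002 is ERROR_FILE_NOT_FOUND wrapped as an HRESULT, which fits the Windows Update error reported in post #3. Second, the DDS listing in post #3 shows both c:\windows\system32\drivers\ndis.sys and the dllcache copy written at 2009-03-27 01:46, the night of the incident, so Windows File Protection would have no clean cached copy to restore from. The Python below is an added example, not a tool used in this thread or anything from BleepingComputer; it parses those two log formats offline and flags exactly those conditions. The sample lines are copied from the logs quoted above, the infection window and the watch list (ndis.sys, userinit.exe) are assumptions taken from the poster's description, and the "bare directory path" and "same write time in dllcache" rules are heuristics of this example, not statements from the thread.

```python
"""Offline triage of the two log formats quoted in this thread.

Added example, not a tool from the thread or from BleepingComputer. It reads
HijackThis O23 service lines and DDS file listings as plain text and flags:
  * services whose recorded binary path is a bare directory, i.e. HijackThis
    could not resolve the service ImagePath to an executable;
  * watched system files written inside a suspected infection window, and
    whether the dllcache copy carries the same write time as the live copy.
The heuristics, the window and the watch list are this example's assumptions.
"""
import re
from datetime import datetime

# Constructed samples: O23 and file-listing lines copied from the logs
# posted in this thread.
HJT_SAMPLE = r"""
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
"""

DDS_SAMPLE = r"""
2009-03-27 01:46 182,656 ac------ c:\windows\system32\dllcache\ndis.sys
2009-03-27 01:45 1 ac------ c:\windows\system32\uniq.tll
2009-03-27 01:46 182,656 ac------ c:\windows\system32\drivers\ndis.sys
2009-03-08 04:34 914,944 ac------ c:\windows\system32\wininet.dll
"""

# Assumed window: the night of the incident as described in the first post.
INFECTION_WINDOW = (datetime(2009, 3, 27, 0, 0), datetime(2009, 3, 28, 23, 59))

# Assumed watch list: the two files the thread names as touched.
WATCHED_FILES = {"ndis.sys", "userinit.exe"}

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
SHORT_NAME_RE = re.compile(r"\(([^()]+)\)\s*$")
DDS_FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+)\s+(\S+)\s+(.+)$")


def service_path_unresolved(path):
    """True when the path names no executable: a bare directory, or a leaf without an extension."""
    path = path.strip()
    if path.endswith("\\"):
        return True
    leaf = path.rsplit("\\", 1)[-1].split(" ")[0]  # drop arguments such as "-k netsvcs"
    return "." not in leaf


def flag_services(hjt_text):
    """Return [(service short name, recorded path)] for O23 lines whose path did not resolve."""
    flagged = []
    for line in hjt_text.splitlines():
        m = O23_RE.match(line.strip())
        if m and service_path_unresolved(m["path"]):
            short = SHORT_NAME_RE.search(m["name"])
            flagged.append((short.group(1) if short else m["name"], m["path"].strip()))
    return flagged


def files_written_in_window(dds_text, start, end, watched=WATCHED_FILES):
    """Return {path: write time} for watched files the DDS listing shows written in [start, end]."""
    hits = {}
    for line in dds_text.splitlines():
        m = DDS_FILE_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        path = m.group(4).strip().lower()
        if path.rsplit("\\", 1)[-1] in watched and start <= when <= end:
            hits[path] = when
    return hits


def dllcache_overwritten(hits):
    """File names whose live copy and dllcache copy share a write time (both replaced together)."""
    copies = {}
    for path, when in hits.items():
        leaf = path.rsplit("\\", 1)[-1]
        kind = "dllcache" if "\\dllcache\\" in path else "live"
        copies.setdefault(leaf, {})[kind] = when
    return sorted(leaf for leaf, c in copies.items()
                  if "live" in c and "dllcache" in c and c["live"] == c["dllcache"])


def triage(hjt_text=HJT_SAMPLE, dds_text=DDS_SAMPLE, window=INFECTION_WINDOW):
    """Run both checks and return the findings as plain data."""
    hits = files_written_in_window(dds_text, *window)
    return {
        "services": [name for name, _ in flag_services(hjt_text)],
        "files": sorted(hits),
        "dllcache_overwritten": dllcache_overwritten(hits),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

On the affected machine the service finding is confirmed at a command prompt with `sc qc BITS` and `sc qc wuauserv`; on Windows XP both should report BINARY_PATH_NAME as %SystemRoot%\system32\svchost.exe -k netsvcs, and anything else explains why the services cannot be started. The ndis.sys finding cannot be settled from timestamps alone: compare the file's hash or version against a known-good copy from the installation media or an identical machine, because the dllcache copy that Windows File Protection would restore from was written in the same minute.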

#4 extremeboy (Malware Response Team, 12,975 posts)

Posted 08 April 2009 - 09:00 PM

Hello.

We'll start off with Combofix.

Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • (screenshot of the prompt)
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    (screenshot of the message)
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [link image].

#5 Dave Finlay (Topic Starter; Members, 148 posts)

Posted 09 April 2009 - 04:18 AM

Alright, I downloaded ComboFix, followed the instructions and let it run. I didn't get any prompts whatsoever during the scan, and only noticed that it erased a file from my system32 folder.

Checking the log file for myself, it says that my laptop doesn't have the Microsoft Windows Recovery Console installed, yet according to your guide I didn't receive a prompt for it. ComboFix also didn't re-start my laptop after deleting that one file (maybe it was a minor one). Regardless, here's the log file, hope it is of help. So, how can I go about installing this Recovery Console?:

EDIT: Correction, I ran a second ComboFix scan, received the same prompts listed in your guide, and ComboFix d/led and installed Recovery Console. It didn't delete anything the second time around. Services such as "Automatic Updates" and "BITS (Background Intelligent Transfer Service)" are still permanently stopped though.

ComboFix 09-04-04.01 - Daniel Ramirez 2009-04-09 5:01:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.533 [GMT -4:00]
Running from: c:\documents and settings\Daniel Ramirez\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\uniq.tll

.
((((((((((((((((((((((((( Files Created from 2009-03-09 to 2009-04-09 )))))))))))))))))))))))))))))))
.

2009-04-03 23:55 . 2009-04-03 23:55 <DIR> d----c--- c:\documents and settings\Daniel Ramirez\Application Data\Ahead
2009-04-03 22:43 . 2009-04-03 23:28 <DIR> d----c--- c:\documents and settings\Daniel Ramirez\Application Data\BitTorrent
2009-04-03 22:09 . 2009-04-03 22:09 <DIR> d----c--- c:\documents and settings\Daniel Ramirez\Application Data\com.doubleperfect.ggpo.0753AD3679DBFCA1E7F470171B7D0DB8B404A7EA.1
2009-04-02 02:16 . 2009-04-02 02:18 <DIR> d----c--- c:\documents and settings\Daniel Ramirez\Application Data\vlc
2009-04-01 02:24 . 2009-04-01 02:24 <DIR> d--hsc--- c:\documents and settings\Daniel Ramirez\IECompatCache
2009-04-01 02:22 . 2009-04-01 02:22 <DIR> d--hsc--- c:\documents and settings\LocalService\IETldCache
2009-04-01 02:22 . 2009-04-01 02:22 <DIR> d--hsc--- c:\documents and settings\Daniel Ramirez\PrivacIE
2009-04-01 02:21 . 2009-04-01 02:21 <DIR> d--hsc--- c:\documents and settings\NetworkService\IETldCache
2009-04-01 02:21 . 2009-04-01 02:21 <DIR> d--hsc--- c:\documents and settings\Daniel Ramirez\IETldCache
2009-04-01 02:14 . 2009-04-01 02:15 <DIR> d--h-c--- c:\windows\ie8
2009-03-31 21:20 . 2009-04-01 01:09 <DIR> d----c--- c:\program files\Windows Live Safety Center
2009-03-29 00:13 . 2009-03-29 05:21 <DIR> d----c--- c:\documents and settings\Daniel Ramirez\Application Data\Winamp
2009-03-28 02:27 . 2009-03-28 02:28 <DIR> d----c--- C:\RootkitNO
2009-03-28 02:05 . 2009-03-28 02:49 <DIR> d----c--- c:\program files\UnHackMe
2009-03-28 02:05 . 2009-03-28 02:05 (2) -rahscot- c:\windows\winstart.bat
2009-03-28 01:29 . 2009-03-28 01:29 <DIR> d----c--- c:\documents and settings\Daniel Ramirez\Application Data\Windows Search
2009-03-27 21:32 . 2009-03-27 21:32 <DIR> d----c--- c:\program files\Prevx
2009-03-27 21:32 . 2009-03-29 21:48 <DIR> d----c--- c:\documents and settings\All Users\Application Data\PrevxCSI
2009-03-27 21:32 . 2009-03-27 21:32 22,024 --a--c--- c:\windows\system32\drivers\pxscan.sys
2009-03-27 21:32 . 2009-03-27 21:32 67 --a--c--- c:\windows\wininit.ini
2009-03-27 05:50 . 2009-03-27 05:50 <DIR> d----c--- c:\documents and settings\Daniel Ramirez\Application Data\SUPERAntiSpyware.com
2009-03-27 04:14 . 2009-03-27 04:14 <DIR> d----c--- c:\documents and settings\Daniel Ramirez\Application Data\Malwarebytes
2009-03-27 04:12 . 2008-01-20 23:52 <DIR> d----c--- c:\documents and settings\Daniel Ramirez\Application Data\Apple Computer
2009-03-27 04:12 . 2009-04-01 02:24 <DIR> d----c--- c:\documents and settings\Daniel Ramirez
2009-03-27 02:10 . 2009-03-27 02:10 <DIR> d----c--- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-03-27 01:57 . 2009-03-27 01:57 <DIR> d----c--- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-27 01:46 . 2009-03-27 01:46 182,656 --a--c--- c:\windows\system32\dllcache\ndis.sys
2009-03-25 22:05 . 2009-03-27 05:11 <DIR> d----c--- c:\program files\hkSFV
2009-03-20 00:52 . 2009-03-20 00:52 <DIR> d----c--- c:\documents and settings\All Users\Application Data\RoboForm
2009-03-12 16:28 . 2009-03-12 16:28 <DIR> d----c--- c:\program files\Virtual VCR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-09 08:58 --------- dc----w c:\program files\Symantec AntiVirus
2009-04-08 06:39 --------- dc----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 19:32 38,496 -c--a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 15,504 -c--a-w c:\windows\system32\drivers\mbam.sys
2009-03-27 09:30 --------- dc----w c:\program files\Replay Music 3
2009-03-27 05:46 182,656 -c--a-w c:\windows\system32\drivers\ndis.sys
2009-03-27 05:36 323,584 -c--a-w c:\windows\system32\AUDIOGENIE2.DLL
2009-03-22 17:50 --------- dc----w c:\program files\Common Files\Adobe
2009-03-14 03:01 --------- dc----w c:\program files\Winamp
2009-03-14 00:26 --------- dc----w c:\program files\Common Files\Adobe AIR
2009-03-12 20:26 --------- dc----w c:\program files\DScaler
2009-03-11 23:28 --------- dc----w c:\program files\QuickTime
2009-03-10 02:24 --------- dc----w c:\program files\Google
2009-03-08 08:34 914,944 -c--a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 43,008 -c--a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 420,352 -c--a-w c:\windows\system32\vbscript.dll
2009-03-08 08:33 18,944 -c--a-w c:\windows\system32\corpol.dll
2009-03-08 08:32 72,704 -c--a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 71,680 -c--a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 48,128 -c--a-w c:\windows\system32\mshtmler.dll
2009-03-08 08:31 45,568 -c--a-w c:\windows\system32\mshta.exe
2009-03-08 08:31 34,816 -c--a-w c:\windows\system32\imgutil.dll
2009-03-08 08:22 156,160 -c--a-w c:\windows\system32\msls31.dll
2009-02-27 02:17 --------- dc----w c:\program files\Microsoft Silverlight
2009-02-14 08:35 --------- dc----w c:\program files\MSECache
2009-02-09 11:13 1,846,784 -c--a-w c:\windows\system32\win32k.sys
2009-01-16 19:45 73,728 -c--a-w c:\windows\system32\RtNicProp32.dll
2008-10-01 21:58 67,696 -c--a-w c:\program files\mozilla firefox\components\jar50.dll
2008-10-01 21:58 54,376 -c--a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-10-01 21:58 34,952 -c--a-w c:\program files\mozilla firefox\components\myspell.dll
2008-10-01 21:58 46,720 -c--a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-10-01 21:58 172,144 -c--a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-10-06 23:48 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100620081007\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-16 1197648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"washindex"="c:\program files\Cookie Washer\washidx.exe" [2001-07-24 72704]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv
"VIDC.I420"= i263_32.drv
"msacm.avis"= ff_acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ActivClient Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ActivClient Agent.lnk
backup=c:\windows\pss\ActivClient Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG111T Smart Wizard.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WG111T Smart Wizard.lnk
backup=c:\windows\pss\NETGEAR WG111T Smart Wizard.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickTV.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickTV.lnk
backup=c:\windows\pss\QuickTV.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WLAN Configuration Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WLAN Configuration Utility.lnk
backup=c:\windows\pss\WLAN Configuration Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\63204]
--a--c--- 2008-09-06 08:46 8461992 c:\windows\63204.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2009-02-27 17:10 35696 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a--c--- 2008-08-06 11:21 50472 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a--c--- 2004-12-08 00:10 344064 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a--c--- 2008-11-29 21:31 342336 c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccWasher]
--a--c--- 2001-08-16 12:34 2982400 c:\program files\Cookie Washer\aolwasher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a--c--- 2008-04-13 20:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a--c--- 2008-08-08 08:11 490952 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2008-11-20 14:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
-----c--- 2008-04-13 20:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2006-01-12 15:40 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2009-01-05 16:18 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a--c--- 2008-09-03 14:07 1576176 c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a--c--- 2004-12-29 03:55 688218 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a--c--- 2004-12-29 03:55 98394 c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
--a--c--- 2007-03-14 22:49 125632 c:\progra~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a--c--- 2005-05-03 18:43 69632 c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
--a--c--- 2005-09-21 15:32 2807808 c:\windows\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
--a--c--- 2001-12-26 04:12 472576 c:\windows\mHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
-----c--- 2004-08-12 20:45 61952 c:\windows\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PtiuPbmd]
--a--c--- 2004-10-07 05:07 24576 c:\windows\system32\ptipbm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a--c--- 2005-09-21 10:24 86016 c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
"SLService"=2 (0x2)
"SavRoam"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"gupdate1c9a12749c48388"=2 (0x2)
"CSIScanner"=2 (0x2)
"btwdins"=2 (0x2)
"msfwsvc"=2 (0x2)
"OcHealthMon"=2 (0x2)
"OneCareMP"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\MusicBrainz Picard\\picard.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Camisa Negra\\My Video Games Folder\\Emulators\\Arcade\\Dedicated Arcade Emulators\\GGPOFBA (MC68000 - Z80 Arcade Emulator)\\ggpo.exe"=
"c:\\Documents and Settings\\Camisa Negra\\My Video Games Folder\\Emulators\\Arcade\\Dedicated Arcade Emulators\\GGPOFBA (MC68000 - Z80 Arcade Emulator)\\ggpofba.exe"=
"c:\\Netgear\\Netgear Super-G Wireless Router (WGT624)\\bin\\IA\\Core\\MDM_Util.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"7000:TCP"= 7000:TCP:ggpo

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-03-27 22024]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-09-03 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-09-03 55024]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-06 101936]
R3 PhTVTune;Cap7134 TVTuner;c:\windows\system32\drivers\PhTVTune.sys [2005-06-20 42176]
S3 bcmntio;bcmntio;\??\c:\progra~1\CheckIt\UTILIT~1\bcmntio.sys --> c:\progra~1\CheckIt\UTILIT~1\bcmntio.sys [?]
S3 CB54G3;Wireless CB54G3/MP54G3 Wireless LAN Card Driver;c:\windows\system32\drivers\i2220ntx.sys [2005-06-20 148480]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2008-11-09 17149]
S3 mapmem;mapmem;\??\c:\progra~1\CheckIt\UTILIT~1\mapmem.sys --> c:\progra~1\CheckIt\UTILIT~1\mapmem.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-05-21 34576]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 7408]
S3 SCR131C;SCRx31 Serial Smart Card Reader;c:\windows\system32\DRIVERS\SCR131C.sys --> c:\windows\system32\DRIVERS\SCR131C.sys [?]
S3 SCR33X USB Smart Card Reader;SCR33X USB Smart Card Reader;c:\windows\system32\DRIVERS\SCR33X2K.sys --> c:\windows\system32\DRIVERS\SCR33X2K.sys [?]
S3 Slazldrv;SmartLink AMR_PCI Driver;c:\windows\system32\drivers\slazldrv.sys [2004-12-29 223112]
S4 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [2009-03-27 4414520]
S4 gupdate1c9a12749c48388;Google Update Service (gupdate1c9a12749c48388);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-09 133104]
S4 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2007-03-14 116416]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-03-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-02-22 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2008-04-13 20:12]

2009-04-09 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-09 22:24]

2009-02-27 c:\windows\Tasks\Symantec AntiVirus.job
- c:\progra~1\SYMANT~1\VPC32.exe [2007-03-14 22:49]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-accrdsub - c:\program files\ActivIdentity\ActivClient\accrdsub.exe
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-IDMan - c:\program files\Internet Download Manager\IDMan.exe
MSConfigStartUp-Mlasebewahaz - c:\windows\Nreqagubinago.dll
MSConfigStartUp-Norton Ghost 10 - c:\program files\Norton Ghost\Agent\GhostTray.exe
MSConfigStartUp-OneCareUI - c:\program files\Microsoft Windows OneCare Live\winssnotify.exe
MSConfigStartUp-reader_s - c:\windows\System32\reader_s.exe
MSConfigStartUp-RoboForm - c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
MSConfigStartUp-UnHackMe Monitor - c:\program files\UnHackMe\hackmon.exe
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe
MSConfigStartUp-Framework Windows - frmwrk32.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Daniel Ramirez\Application Data\Mozilla\Firefox\Profiles\ccyoekty.default\
FF - component: c:\program files\Google\Google Gears\Firefox\components\gears_ff2.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
.
------- File Associations -------
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-09 05:04:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{027d284a-a6e2-474b-b278-82140cc2daa1}]
@Denied: (Full) (Everyone)
"Model"=dword:0000000c
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):22,f2,60,ad,43,1c,d5,1f,fe,2b,f7,6e,c7,95,66,21,ac,af,a0,52,75,
9c,1f,b4,f1,28,74,6f,92,8e,50,19,6d,6c,9c,2b,c6,bd,56,51,00,00,00,00,00,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-04-09 5:06:14
ComboFix-quarantined-files.txt 2009-04-09 09:06:11

Pre-Run: 69,246,943,232 bytes free
Post-Run: 69,289,033,728 bytes free

306 --- E O F --- 2009-03-13 00:34:10

Edited by Dave Finlay, 09 April 2009 - 05:11 AM.


#6 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 09 April 2009 - 03:28 PM

Hello.

Regarding the Windows Update problem and the BITS service, we will deal with that next post. I have seen this problem before. Can you post a screenshot of the exact error message that you receive?

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:

    RegLockDel::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{027d284a-a6e2-474b-b278-82140cc2daa1}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]

  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Update Java to Version 6 Update 12

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 13.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
*If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
** If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
*** The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Update and Scan with MalwareBytes Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab
  • Select Check for Update and let MBAM download and install any available updates.
  • After the update is complete go to the Scanner tab.
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Post back with:
-Service screenshot
-Combofix log
-MBAM log

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
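The CFScript above is built directly from the "LOCKED REGISTRY KEYS" section of the ComboFix log posted earlier in this thread: each key that ComboFix reports with an ACL of "@Denied: (Full) (Everyone)" becomes one line under the RegLockDel:: directive. The following Python script is an added example, not code from this thread, from ComboFix or from BleepingComputer; it parses that section of a log and assembles the RegLockDel:: block in the same form the post shows. The embedded sample log is constructed from the two keys in the log above, and the assumptions that a ComboFix section ends at a lone "." line or at the next "-----" header and that a bracketed line names a key are taken from the layout of that log, not from any ComboFix documentation.

```python
import re

# Constructed sample input: the LOCKED REGISTRY KEYS section laid out as it
# appears in the ComboFix log posted above (the two CLSID keys are copied from it).
SAMPLE_LOG = """\
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\\software\\Classes\\CLSID\\{027d284a-a6e2-474b-b278-82140cc2daa1}]
@Denied: (Full) (Everyone)
"Model"=dword:0000000c
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\\

[HKEY_LOCAL_MACHINE\\software\\Classes\\CLSID\\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):22,f2,60,ad,43,1c,d5,1f,fe,2b,f7,6e,c7,95,66,21,ac,af,a0,52,75,
9c,1f,b4,f1,28,74,6f,92,8e,50,19,6d,6c,9c,2b,c6,bd,56,51,00,00,00,00,00,00,\\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
"""

SECTION_HEADER = "LOCKED REGISTRY KEYS"
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")          # [HKEY_...\...]
DENIED_RE = re.compile(r"^@Denied:\s*\((?P<right>[^)]+)\)\s*\((?P<who>[^)]+)\)")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=')        # "Name"=... value lines


def parse_locked_keys(log_text):
    """Return one dict per key listed in the LOCKED REGISTRY KEYS section.

    Each dict holds: key (registry path), denied (list of (right, principal)
    pairs from @Denied lines) and values (names of values under the key).
    An empty list is returned when the log has no such section.
    """
    lines = log_text.splitlines()
    start = next((i for i, l in enumerate(lines) if SECTION_HEADER in l), None)
    if start is None:
        return []
    keys = []
    current = None
    for line in lines[start + 1:]:
        stripped = line.strip()
        # Assumption from the posted log: a section ends at a lone "." or at
        # the next "-----" header.
        if stripped == "." or stripped.startswith("-----"):
            break
        m = KEY_RE.match(stripped)
        if m:
            current = {"key": m.group(1), "denied": [], "values": []}
            keys.append(current)
            continue
        if current is None:
            continue
        m = DENIED_RE.match(stripped)
        if m:
            current["denied"].append((m.group("right"), m.group("who")))
            continue
        m = VALUE_RE.match(stripped)
        if m:
            current["values"].append(m.group("name"))
        # Hex continuation lines (no leading quote) carry no new name; skipped.
    return keys


def keys_denied_to_everyone(locked):
    """Select keys whose ACL denies Everyone full access.

    Legitimately installed software has no reason to hide a CLSID from every
    principal on the machine, so these are the keys the CFScript in the post
    targets; keys without such a deny entry are left alone.
    """
    return [k["key"] for k in locked
            if any(right.lower() == "full" and who.lower() == "everyone"
                   for right, who in k["denied"])]


def build_reglockdel_script(keys):
    """Assemble the CFScript text in the form shown in the post: a RegLockDel::
    line followed by one bracketed key per line."""
    return "RegLockDel::\n" + "".join(f"[{k}]\n" for k in keys)


if __name__ == "__main__":
    locked = parse_locked_keys(SAMPLE_LOG)
    for entry in locked:
        print(entry["key"], entry["denied"], entry["values"])
    print(build_reglockdel_script(keys_denied_to_everyone(locked)))
```

Run against the sample, the script lists both CLSID keys with their "Full"/"Everyone" deny entries (values Model, Therad, MData under the first, scansk under the second) and prints the same three-line RegLockDel:: block that the post asks the user to save as CFScript.txt. The point of separating parsing from selection is that a log may also list keys locked for benign reasons; only the Everyone-denied ones are carried into the script.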

#7 Dave Finlay
  • Topic Starter
  • Members
  • 148 posts

Posted 09 April 2009 - 03:45 PM

Here are screenshots of my Automatic Updates/BITS error messages in this attachment:

EDIT: I've deleted my old Java and installed the new Java. I've also done the ComboFix and MBAM scans as instructed. Here are the logs:

COMBOFIX:

ComboFix 09-04-04.01 - Daniel Ramirez 2009-04-09 17:08:59.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.583 [GMT -4:00]
Running from: c:\documents and settings\Daniel Ramirez\Desktop\Protection\ComboFix.exe
Command switches used :: c:\documents and settings\Daniel Ramirez\Desktop\Protection\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-09 to 2009-04-09 )))))))))))))))))))))))))))))))
.

2009-04-09 17:03 . 2009-04-09 17:02 410,984 --a--c--- c:\windows\system32\deploytk.dll
2009-04-09 17:03 . 2009-04-09 17:02 73,728 --a--c--- c:\windows\system32\javacpl.cpl
2009-04-03 23:55 . 2009-04-03 23:55 <DIR> d----c--- c:\documents and settings\Daniel Ramirez\Application Data\Ahead
2009-04-03 22:43 . 2009-04-03 23:28 <DIR> d----c--- c:\documents and settings\Daniel Ramirez\Application Data\BitTorrent
2009-04-03 22:09 . 2009-04-03 22:09 <DIR> d----c--- c:\documents and settings\Daniel Ramirez\Application Data\com.doubleperfect.ggpo.0753AD3679DBFCA1E7F470171B7D0DB8B404A7EA.1
2009-04-02 02:16 . 2009-04-02 02:18 <DIR> d----c--- c:\documents and settings\Daniel Ramirez\Application Data\vlc
2009-04-01 02:24 . 2009-04-01 02:24 <DIR> d--hsc--- c:\documents and settings\Daniel Ramirez\IECompatCache
2009-04-01 02:22 . 2009-04-01 02:22 <DIR> d--hsc--- c:\documents and settings\LocalService\IETldCache
2009-04-01 02:22 . 2009-04-01 02:22 <DIR> d--hsc--- c:\documents and settings\Daniel Ramirez\PrivacIE
2009-04-01 02:21 . 2009-04-01 02:21 <DIR> d--hsc--- c:\documents and settings\NetworkService\IETldCache
2009-04-01 02:21 . 2009-04-01 02:21 <DIR> d--hsc--- c:\documents and settings\Daniel Ramirez\IETldCache
2009-04-01 02:14 . 2009-04-01 02:15 <DIR> d--h-c--- c:\windows\ie8
2009-03-31 21:20 . 2009-04-01 01:09 <DIR> d----c--- c:\program files\Windows Live Safety Center
2009-03-29 00:13 . 2009-03-29 05:21 <DIR> d----c--- c:\documents and settings\Daniel Ramirez\Application Data\Winamp
2009-03-28 02:27 . 2009-03-28 02:28 <DIR> d----c--- C:\RootkitNO
2009-03-28 02:05 . 2009-03-28 02:49 <DIR> d----c--- c:\program files\UnHackMe
2009-03-28 02:05 . 2009-03-28 02:05 (2) -rahscot- c:\windows\winstart.bat
2009-03-28 01:29 . 2009-03-28 01:29 <DIR> d----c--- c:\documents and settings\Daniel Ramirez\Application Data\Windows Search
2009-03-27 21:32 . 2009-03-27 21:32 <DIR> d----c--- c:\program files\Prevx
2009-03-27 21:32 . 2009-03-29 21:48 <DIR> d----c--- c:\documents and settings\All Users\Application Data\PrevxCSI
2009-03-27 21:32 . 2009-03-27 21:32 22,024 --a--c--- c:\windows\system32\drivers\pxscan.sys
2009-03-27 21:32 . 2009-03-27 21:32 67 --a--c--- c:\windows\wininit.ini
2009-03-27 05:50 . 2009-03-27 05:50 <DIR> d----c--- c:\documents and settings\Daniel Ramirez\Application Data\SUPERAntiSpyware.com
2009-03-27 04:14 . 2009-03-27 04:14 <DIR> d----c--- c:\documents and settings\Daniel Ramirez\Application Data\Malwarebytes
2009-03-27 04:12 . 2008-01-20 23:52 <DIR> d----c--- c:\documents and settings\Daniel Ramirez\Application Data\Apple Computer
2009-03-27 04:12 . 2009-04-01 02:24 <DIR> d----c--- c:\documents and settings\Daniel Ramirez
2009-03-27 02:10 . 2009-03-27 02:10 <DIR> d----c--- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-03-27 01:57 . 2009-03-27 01:57 <DIR> d----c--- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-27 01:46 . 2009-03-27 01:46 182,656 --a--c--- c:\windows\system32\dllcache\ndis.sys
2009-03-25 22:05 . 2009-03-27 05:11 <DIR> d----c--- c:\program files\hkSFV
2009-03-20 00:52 . 2009-03-20 00:52 <DIR> d----c--- c:\documents and settings\All Users\Application Data\RoboForm
2009-03-12 16:28 . 2009-03-12 16:28 <DIR> d----c--- c:\program files\Virtual VCR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-09 21:06 --------- dc----w c:\program files\Symantec AntiVirus
2009-04-09 21:02 --------- dc----w c:\program files\Java
2009-04-08 06:39 --------- dc----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 19:32 38,496 -c--a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 15,504 -c--a-w c:\windows\system32\drivers\mbam.sys
2009-03-27 09:30 --------- dc----w c:\program files\Replay Music 3
2009-03-27 05:46 182,656 -c--a-w c:\windows\system32\drivers\ndis.sys
2009-03-27 05:36 323,584 -c--a-w c:\windows\system32\AUDIOGENIE2.DLL
2009-03-22 17:50 --------- dc----w c:\program files\Common Files\Adobe
2009-03-14 03:01 --------- dc----w c:\program files\Winamp
2009-03-14 00:26 --------- dc----w c:\program files\Common Files\Adobe AIR
2009-03-12 20:26 --------- dc----w c:\program files\DScaler
2009-03-11 23:28 --------- dc----w c:\program files\QuickTime
2009-03-10 02:24 --------- dc----w c:\program files\Google
2009-03-08 08:34 914,944 -c--a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 43,008 -c--a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 420,352 -c--a-w c:\windows\system32\vbscript.dll
2009-03-08 08:33 18,944 -c--a-w c:\windows\system32\corpol.dll
2009-03-08 08:32 72,704 -c--a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 71,680 -c--a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 48,128 -c--a-w c:\windows\system32\mshtmler.dll
2009-03-08 08:31 45,568 -c--a-w c:\windows\system32\mshta.exe
2009-03-08 08:31 34,816 -c--a-w c:\windows\system32\imgutil.dll
2009-03-08 08:22 156,160 -c--a-w c:\windows\system32\msls31.dll
2009-02-27 02:17 --------- dc----w c:\program files\Microsoft Silverlight
2009-02-14 08:35 --------- dc----w c:\program files\MSECache
2009-02-09 11:13 1,846,784 -c--a-w c:\windows\system32\win32k.sys
2009-01-16 19:45 73,728 -c--a-w c:\windows\system32\RtNicProp32.dll
2008-10-01 21:58 67,696 -c--a-w c:\program files\mozilla firefox\components\jar50.dll
2008-10-01 21:58 54,376 -c--a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-10-01 21:58 34,952 -c--a-w c:\program files\mozilla firefox\components\myspell.dll
2008-10-01 21:58 46,720 -c--a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-10-01 21:58 172,144 -c--a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-10-06 23:48 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100620081007\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-09_ 5.05.12.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-10 05:21:01 135,168 -c--a-w c:\windows\system32\java.exe
+ 2009-04-09 21:02:44 144,792 -c--a-w c:\windows\system32\java.exe
- 2008-06-10 05:21:04 135,168 -c--a-w c:\windows\system32\javaw.exe
+ 2009-04-09 21:02:44 144,792 -c--a-w c:\windows\system32\javaw.exe
- 2008-06-10 06:32:34 139,264 -c--a-w c:\windows\system32\javaws.exe
+ 2009-04-09 21:02:44 148,888 -c--a-w c:\windows\system32\javaws.exe
+ 2009-04-09 21:03:08 16,384 -c--atw c:\windows\temp\Perflib_Perfdata_574.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-16 1197648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-09 148888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"washindex"="c:\program files\Cookie Washer\washidx.exe" [2001-07-24 72704]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv
"VIDC.I420"= i263_32.drv
"msacm.avis"= ff_acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ActivClient Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ActivClient Agent.lnk
backup=c:\windows\pss\ActivClient Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG111T Smart Wizard.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WG111T Smart Wizard.lnk
backup=c:\windows\pss\NETGEAR WG111T Smart Wizard.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickTV.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickTV.lnk
backup=c:\windows\pss\QuickTV.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WLAN Configuration Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WLAN Configuration Utility.lnk
backup=c:\windows\pss\WLAN Configuration Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\63204]
--a--c--- 2008-09-06 08:46 8461992 c:\windows\63204.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2009-02-27 17:10 35696 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a--c--- 2008-08-06 11:21 50472 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a--c--- 2004-12-08 00:10 344064 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a--c--- 2008-11-29 21:31 342336 c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccWasher]
--a--c--- 2001-08-16 12:34 2982400 c:\program files\Cookie Washer\aolwasher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a--c--- 2008-04-13 20:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a--c--- 2008-08-08 08:11 490952 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2008-11-20 14:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
-----c--- 2008-04-13 20:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2006-01-12 15:40 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2009-01-05 16:18 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a--c--- 2008-09-03 14:07 1576176 c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a--c--- 2004-12-29 03:55 688218 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a--c--- 2004-12-29 03:55 98394 c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
--a--c--- 2007-03-14 22:49 125632 c:\progra~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a--c--- 2005-05-03 18:43 69632 c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
--a--c--- 2005-09-21 15:32 2807808 c:\windows\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
--a--c--- 2001-12-26 04:12 472576 c:\windows\mHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
-----c--- 2004-08-12 20:45 61952 c:\windows\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PtiuPbmd]
--a--c--- 2004-10-07 05:07 24576 c:\windows\system32\ptipbm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a--c--- 2005-09-21 10:24 86016 c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
"SLService"=2 (0x2)
"SavRoam"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"gupdate1c9a12749c48388"=2 (0x2)
"CSIScanner"=2 (0x2)
"btwdins"=2 (0x2)
"msfwsvc"=2 (0x2)
"OcHealthMon"=2 (0x2)
"OneCareMP"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\MusicBrainz Picard\\picard.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Camisa Negra\\My Video Games Folder\\Emulators\\Arcade\\Dedicated Arcade Emulators\\GGPOFBA (MC68000 - Z80 Arcade Emulator)\\ggpo.exe"=
"c:\\Documents and Settings\\Camisa Negra\\My Video Games Folder\\Emulators\\Arcade\\Dedicated Arcade Emulators\\GGPOFBA (MC68000 - Z80 Arcade Emulator)\\ggpofba.exe"=
"c:\\Netgear\\Netgear Super-G Wireless Router (WGT624)\\bin\\IA\\Core\\MDM_Util.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"7000:TCP"= 7000:TCP:ggpo

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-03-27 22024]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-09-03 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-09-03 55024]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-06 101936]
R3 PhTVTune;Cap7134 TVTuner;c:\windows\system32\drivers\PhTVTune.sys [2005-06-20 42176]
S3 bcmntio;bcmntio;\??\c:\progra~1\CheckIt\UTILIT~1\bcmntio.sys --> c:\progra~1\CheckIt\UTILIT~1\bcmntio.sys [?]
S3 CB54G3;Wireless CB54G3/MP54G3 Wireless LAN Card Driver;c:\windows\system32\drivers\i2220ntx.sys [2005-06-20 148480]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2008-11-09 17149]
S3 mapmem;mapmem;\??\c:\progra~1\CheckIt\UTILIT~1\mapmem.sys --> c:\progra~1\CheckIt\UTILIT~1\mapmem.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-05-21 34576]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 7408]
S3 SCR131C;SCRx31 Serial Smart Card Reader;c:\windows\system32\DRIVERS\SCR131C.sys --> c:\windows\system32\DRIVERS\SCR131C.sys [?]
S3 SCR33X USB Smart Card Reader;SCR33X USB Smart Card Reader;c:\windows\system32\DRIVERS\SCR33X2K.sys --> c:\windows\system32\DRIVERS\SCR33X2K.sys [?]
S3 Slazldrv;SmartLink AMR_PCI Driver;c:\windows\system32\drivers\slazldrv.sys [2004-12-29 223112]
S4 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [2009-03-27 4414520]
S4 gupdate1c9a12749c48388;Google Update Service (gupdate1c9a12749c48388);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-09 133104]
S4 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2007-03-14 116416]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-03-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-02-22 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2008-04-13 20:12]

2009-04-09 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-09 22:24]

2009-02-27 c:\windows\Tasks\Symantec AntiVirus.job
- c:\progra~1\SYMANT~1\VPC32.exe [2007-03-14 22:49]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_07\bin\jusched.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Daniel Ramirez\Application Data\Mozilla\Firefox\Profiles\ccyoekty.default\
FF - component: c:\program files\Google\Google Gears\Firefox\components\gears_ff2.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-09 17:11:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-04-09 17:13:53
ComboFix-quarantined-files.txt 2009-04-09 21:13:49
ComboFix2.txt 2009-04-09 10:05:36
ComboFix3.txt 2009-04-09 09:06:16

Pre-Run: 69,279,420,416 bytes free
Post-Run: 69,245,259,776 bytes free

291 --- E O F --- 2009-03-13 00:34:10


MBAM:

Malwarebytes' Anti-Malware 1.36
Database version: 1959
Windows 5.1.2600 Service Pack 3

4/9/2009 5:21:24 PM
mbam-log-2009-04-09 (17-21-24).txt

Scan type: Quick Scan
Objects scanned: 73733
Time elapsed: 4 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Dave Finlay, 09 April 2009 - 04:26 PM.
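The "Reg Loading Points" section of the ComboFix log above is normally read by hand. As an added example, not part of this thread or of ComboFix, here is a small Python parser for that section's format together with a few defender-side triage heuristics; the rules (all-digit executable names in the Windows directory, globally open firewall ports, Security Center monitoring switched off) are an assumption of this example, and they only mark entries for a human to check.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example, not part of the thread or of ComboFix. It parses autostart and
firewall entries in the format shown above and applies a few defender-side
heuristics (chosen here, not ComboFix's) to mark entries worth a closer look.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Lines excerpted from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-09 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\63204]
--a--c--- 2008-09-06 08:46 8461992 c:\windows\63204.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a--c--- 2005-09-21 10:24 86016 c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"7000:TCP"= 7000:TCP:ggpo
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                     # [HKLM\...] section header
PATH_RE = re.compile(r'([a-z]:\\[^"\[\]]*?\.(?:exe|dll|sys|drv|acm))', re.I)
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=', re.I)      # "3389:TCP"= ...
WINDOWS_ROOT = re.compile(r"^c:\\windows\\([^\\]+)$", re.I)

@dataclass
class Entry:
    key: str              # registry key the value lives under
    line: str             # the raw ComboFix line
    path: Optional[str]   # loadable image referenced by the line, if any

def parse(log: str) -> List[Entry]:
    """Attach every value line to the most recent [key] header above it."""
    entries, key = [], None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:          # text before the first key header
            continue
        pm = PATH_RE.search(line)
        entries.append(Entry(key, line, pm.group(1).lower() if pm else None))
    return entries

def triage(log: str) -> dict:
    """Return the entry count plus (rule, detail) findings for a human to check."""
    entries = parse(log)
    findings: List[Tuple[str, str]] = []
    for e in entries:
        k = e.key.lower()
        # An autostart loading an all-digit executable straight from the
        # Windows directory is unusual for legitimate software.
        m = WINDOWS_ROOT.match(e.path) if e.path else None
        if m and m.group(1).split(".")[0].isdigit():
            findings.append(("odd-name-in-windows-root", e.path))
        # Inbound firewall exceptions; 3389/TCP is Remote Desktop.
        pm = PORT_RE.match(e.line) if k.endswith("globallyopenports\\list") else None
        if pm:
            findings.append(("open-inbound-port", f"{pm.group(1)}/{pm.group(2).upper()}"))
        # Often set legitimately by the AV vendor itself; confirm the vendor
        # name matches the product actually installed.
        if "security center\\monitoring" in k and \
                '"disablemonitoring"=dword:00000001' in e.line.lower():
            findings.append(("security-center-monitoring-disabled", e.key.rsplit("\\", 1)[-1]))
    return {"entries": len(entries), "findings": findings}
```

Running `triage` over a full log gives a short review list instead of a few hundred lines; everything it reports still has to be confirmed against the installed software, as the SoundMan entry in the sample shows for a legitimate file in the same directory.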


#8 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 09 April 2009 - 04:03 PM

Hello.

Okay, I see now. We will deal with that once you post the MBAM log. Remember to update your Java as well :thumbup2:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 Dave Finlay
  • Topic Starter
  • Members
  • 148 posts

Posted 09 April 2009 - 05:33 PM

Posted!

#10 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 09 April 2009 - 07:52 PM

Hello.

Next time, no need to edit the topic, because I sometimes overlook that.

Let's backup your registry again for safety purposes.

Backup Registry with ERUNT

This tool will create a complete backup of your registry. A backup is created to ensure we have a backup, so in case anything goes wrong we can deal with it. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

How to Restore from the ERUNT Backup

Only restore from the backups if instructed to, or you need to do so. You need it if, after doing something, your computer will only boot in Safe Mode and you are unable to contact us (or anyone else) for help by other means, or if your computer will not boot into Windows at all.

To restore if you can boot, navigate to C:\WINDOWS\erdnt, choose the folder with the most recent date, and double click ERDNT.EXE. Check all boxes in the restoration options.

To restore from the Recovery Console using the Windows CD:
  • Turn on your machine with the disk in the drive.
  • Type in the number of the Windows installation you want to repair (usually 1), then press Enter.
  • Type in the Administrator password (leave blank if you are unsure what it is or if you do not have one) and press Enter.
  • Type without quotes "cd erdnt" followed by Enter.
  • Type without quotes "dir" followed by Enter. This will list out the available folders, whose names are the date on which the backup was taken in (M)M-DD-YYYY format. Try the most recent dates first.
  • Type without quotes "cd **name of the folder**" followed by Enter.
  • Type without quotes "batch erdnt.con" followed by Enter.
  • Type without quotes "exit" followed by Enter.
  • Remove your CD from the drive and reboot your computer into the restored registry. If you still cannot boot, try again with an earlier restore date.



Let's deal with the Windows Update problem. Please create and run the script below. It will reset those related keys and also export a log for me to look at.

Create and Run batch script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "quote".

    @Echo Off
    REM FixLook.bat: reset the permissions and ImagePath of the BITS and
    REM Automatic Updates (wuauserv) service keys, then start both services.
    REM Relies on the SWReg and Zip command-line tools being on the PATH.

    If Exist Log.txt Del Log.txt
    SET SERVICE=HKLM\SYSTEM\CurrentControlSet\Services\
    REM %% is a literal % in a batch file, so the registry receives the
    REM unexpanded %SystemRoot% string, as a REG_EXPAND_SZ value expects.
    SET IMGPATH="%%SystemRoot%%\system32\svchost.exe -k netsvcs"
    FOR %%a IN ( BITS WUAUSERV ) DO @(
    REM record the current ACL and values before changing anything
    SWReg ACL %SERVICE%%%a
    SWReg QUERY %SERVICE%%%a /s
    ECHO.
    REM reset the key permissions and restore the standard svchost ImagePath
    SWReg ACL %SERVICE%%%a /reset
    SWReg ADD %SERVICE%%%a /v ImagePath /t REG_EXPAND_SZ /d %IMGPATH%
    SWReg QUERY %SERVICE%%%a /s
    ECHO.
    ECHO.
    NET START %%a
    ECHO.
    )>>Log.txt 2>>&1
    REM pack the log for attaching; -m removes the original after zipping
    Zip -m AttachThis Log.txt

    Shutdown -r -t 10

  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input FixLook.bat.
  • Hit OK.
When done properly, the icon should be the .bat file icon.

Double click on FixLook.bat to run it. If you are using Windows Vista, please right-click and Run As Administrator...

A black DOS window shall appear and then disappear. This is normal, please do not panic; soon a shutdown warning will come up giving you 10 seconds to close anything, and then it will restart your computer. After the restart a compressed, zipped file called "AttachThis.zip" should be on your desktop.

Please attach back with that log in your next reply. Also, see if your Windows Update/BITS service works now.

With Regards,
Extremeboy

#11 Dave Finlay
  • Topic Starter
  • Members
  • 148 posts

Posted 10 April 2009 - 12:07 AM

Yes, Automatic Updates and BITS have started up and are working again! Thanks a lot!

Here's the log:

Is there anything else I should do? I'm asking because as I speak, it was exactly two weeks ago that I was attacked by those viruses which I listed in my first post, which in turn seriously messed up my laptop. Like I also mentioned in the first post, it appears that the "big ones" (Vundo, Neprodoor) were intercepted by my Symantec AntiVirus and "cleaned successfully" (though I'm not sure if that means completely eradicating them, I still have them listed in my Risk History in case of reference). Elsewhere, where I went to seek advice about this, I was told that, even if I cleaned/deleted the viruses and fixed the damage done to my Windows installation, I should rather re-format and re-install entirely as I may be compromising my security as I speak. Based on everything that I've provided in this thread so far, do you think that I'm still at risk and am compromising my security? I've held out on doing some important stuff that requires my personal information in fear of this.

Also, I've had this other problem, with Internet Explorer, ever since this virus attack. My problem is that ads rarely if ever appear on the websites I visit, and in place of where the ads would play is an "Internet Explorer Cannot Display This Webpage" warning. I even tried upgrading to the new IE8 and still have the problem. Also, when backtracking on webpages with ads, I have to back click through numerous "empty" links (that I assume are links to the missing ads) before getting back to the page I was previously at. It's really annoying and inconvenient. Is there any way to fix this?

#12 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 10 April 2009 - 09:10 AM

Hello again.

If that Neprodoor infection was active then Yes, your computer was compromised and a format is a good idea. Here's a writeup on the infection over here.

It's really annoying and inconvenient. Is there any way to fix this?

For some reason I have the same problem with IE. To be honest I don't know how to fix it. You might want to ask in the Web Browsing forum and see if anyone can help you. However, the only difference is I don't get the ad problem.

If you wish to continue do the following online scan, otherwise please let me know.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. (Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

With Regards,
Extremeboy

#13 Dave Finlay
  • Topic Starter
  • Members
  • 148 posts

Posted 10 April 2009 - 06:29 PM

Well, I wasn't able to view the scan report due to being prompted that I had to turn off IE's Pop-Up Blocker to see the results. When I did, nothing occurred. I also tried to save the report but again, nothing. So I refreshed and it was all gone. But basically, the scan lasted about 1 hour, 20 minutes, scanned "My Computer" entirely and did not bring up any viruses whatsoever.

When you asked if the Neprodoor infection was active, I wasn't sure what you meant. I recall Symantec AntiVirus intercepting and cleaning those viruses when they hit. In every other virus/malware scan I did afterwards, neither Vundo, Neprodoor nor Packed.Generic appeared again (only these four Trojan.Initbar that my AntiVirus finally caught and cleaned days later), but they did leave some damage which I've been able to pretty much repair thanks to you and others' help. Given that, do you still think that my laptop's compromised, as those viruses haven't appeared again after the initial attack? Also, what is the difference between "partially cleaned" (which is what the 4 Trojan.Initbar's status is listed as), "Cleaned" (the status of most of the other viruses) and "Cleaned By Deletion" (the initial Packed.Generic's status)?

Edited by Dave Finlay, 10 April 2009 - 06:33 PM.


#14 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 10 April 2009 - 06:57 PM

Hello.

Given that, do you still think that my laptop's compromised, as those viruses haven't appeared again after the initial attack?

If you had the infection and it caused damage then yes, it was compromised. Now that it's removed it's not, but your computer WAS compromised and that's all that matters.

Partially cleaned probably means it was not completely cleaned. Cleaned means it's cleaned and Cleaned by Deletion means cleaned and deleted.

With Regards,
Extremeboy

#15 Dave Finlay
  • Topic Starter
  • Members
  • 148 posts

Posted 10 April 2009 - 11:54 PM

Ah, I see. So should I be changing up my website passwords or any of that? That's about the most personal information that I have on my laptop at the time the viruses hit.

Apart from that, is that all and am I in the clear? If so, thank you, thank you SO MUCH! :thumbup2:
