
Recurring Trojan horse BackDoor.Generic10.ASYE


49 replies to this topic

#1 LemmingLeader

LemmingLeader

  • Members
  • 37 posts

Posted 07 April 2009 - 11:55 PM

I was directed here from topic http://www.bleepingcomputer.com/forums/t/216489/recurring-trojanbackdoorgeneric10/
My original problem was that AVG antivirus kept finding a trojan in comaddinh.dll and wasn't able to remove it.
As instructed, I also ran scans with Malwarebyte's Anti-Malware, ATF Cleaner, Super Antispyware, SDFix, and DDS.
Below is the DDS log and attach.txt is attached.

Thanks for any help you can provide.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Mary at 21:28:23.93 on Tue 04/07/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.383.147 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Documents and Settings\Mary\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://beta.mytelus.com/telusen/portal/index.aspx
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {81f8968e-0d80-4c50-87d5-e4b52078af09} - c:\windows\system32\comaddinh.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli svests.dll

============= SERVICES / DRIVERS ===============

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2009-1-16 5632]
R0 wurmrtul;wurmrtul;c:\windows\system32\drivers\wurmrtul.sys [2003-3-31 23424]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-1 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-1 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-1 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-4-1 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-1 298264]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-2-5 33752]

=============== Created Last 30 ================

2009-04-06 18:15 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-04-06 18:13 --d----- c:\windows\ERUNT
2009-04-06 18:06 --d----- C:\SDFix
2009-04-04 10:32 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-04 10:31 --d----- c:\program files\SUPERAntiSpyware
2009-04-04 10:31 --d----- c:\docume~1\mary\applic~1\SUPERAntiSpyware.com
2009-04-04 10:31 --d----- c:\program files\common files\Wise Installation Wizard
2009-04-03 19:45 --d----- c:\docume~1\mary\applic~1\Malwarebytes
2009-04-03 19:45 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-03 19:45 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-03 19:45 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-03 19:45 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-01 21:44 --d-h--- C:\$AVG8.VAULT$
2009-04-01 18:45 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-01 18:45 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-01 18:45 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-04-01 18:45 --d----- c:\windows\system32\drivers\Avg
2009-04-01 18:45 --d----- c:\program files\AVG
2009-04-01 18:45 --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-03-21 15:30 --d----- c:\program files\common files\Deskshare Shared
2009-03-21 15:30 --d----- c:\program files\Deskshare
2009-03-21 15:24 307,200 a----r-- c:\windows\vidcap32.exe
2009-03-20 21:46 189 a------- c:\windows\setuplog
2009-03-20 21:45 --d----- c:\windows\CtDrvInstall
2009-03-20 21:45 24,576 a----r-- c:\windows\system32\P0630Aor.dll
2009-03-20 21:43 --d----- c:\program files\SightSpeed
2009-03-20 21:43 306,688 a------- c:\windows\IsUninst.exe
2009-03-20 21:42 36,864 -------- c:\windows\system32\CTCamMgr.dll
2009-03-20 21:42 --d----- c:\program files\Creative
2009-03-20 20:48 107,864 a------- c:\windows\system32\tsccvid.dll
2009-03-20 20:47 --d----- c:\windows\system32\QuickTime
2009-03-20 18:54 1,112,288 a------- c:\windows\system32\WdfCoInstaller01007.dll
2009-03-20 18:54 581,192 a------- c:\windows\system32\WinUSBCoInstaller.dll
2009-03-20 18:46 --d----- c:\docume~1\alluse~1\applic~1\Deskshare
2009-03-20 18:46 1,064,456 a------- c:\windows\system32\Mscomctl.ocx
2009-03-20 18:46 140,288 a------- c:\windows\system32\COMDLG32.OCX
2009-03-20 18:22 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-03-20 18:21 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-03-20 18:21 14,640 -------- c:\windows\system32\spmsgXP_2k3.dll
2009-03-20 18:18 --d----- c:\program files\AlexP
2009-03-20 18:10 60,032 ac------ c:\windows\system32\dllcache\usbaudio.sys
2009-03-20 18:10 60,032 a------- c:\windows\system32\drivers\USBAUDIO.sys
2009-03-20 18:09 32,128 ac------ c:\windows\system32\dllcache\usbccgp.sys
2009-03-20 18:09 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2009-03-17 19:33 --d----- c:\windows\system32\scripting
2009-03-17 19:33 --d----- c:\windows\l2schemas
2009-03-17 19:33 --d----- c:\windows\system32\en
2009-03-17 18:25 --d----- c:\windows\network diagnostic
2009-03-17 18:25 33,792 ac------ c:\windows\system32\dllcache\custsat.dll
2009-03-11 20:01 462,848 a------- c:\windows\system32\ltkrn13n.dll
2009-03-11 20:01 450,560 a------- c:\windows\system32\ltimg13n.dll
2009-03-11 20:01 401,408 a------- c:\windows\system32\lfcmp13n.dll
2009-03-11 20:01 299,008 a------- c:\windows\system32\ltdis13n.dll
2009-03-11 20:01 206,336 a------- c:\windows\system32\ltefx13n.dll
2009-03-11 20:01 163,840 a------- c:\windows\system32\ltfil13n.dll
2009-03-11 20:01 69,632 a------- c:\windows\system32\lfgif13n.dll
2009-03-11 20:01 57,344 a------- c:\windows\system32\lfbmp13n.dll
2009-03-11 19:43 5,632 a------- c:\windows\system32\ptpusb.dll
2009-03-11 19:43 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-03-11 19:43 159,232 a------- c:\windows\system32\ptpusd.dll

==================== Find3M ====================

2009-03-17 19:36 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-17 19:18 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-15 19:37 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 21:28:57.92 ===============


#2 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • Gender:Male
  • Location:@localhost

Posted 19 April 2009 - 07:57 AM

hi,

Sorry for the delay, no shortage of posters. Your log is old; if you still need help, post back. Is AVG still finding the trojan?

How Can I Reduce My Risk to Malware?


#3 LemmingLeader

LemmingLeader
  • Topic Starter

  • Members
  • 37 posts

Posted 20 April 2009 - 11:19 AM

Thank you for looking into this. We've avoided using the computer until it could be cleaned.
I can repost a newer log when I get home tonight if that'll be more helpful.

#4 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • Gender:Male
  • Location:@localhost

Posted 20 April 2009 - 04:33 PM

hi,

Ok, sure, post a new DDS log. Were Malwarebytes and SUPERAntiSpyware coming up clean the last time you scanned with them? The log looks ok to me as far as malware goes.

How Can I Reduce My Risk to Malware?


#5 LemmingLeader

LemmingLeader
  • Topic Starter

  • Members
  • 37 posts

Posted 21 April 2009 - 01:04 AM

Malware is still reporting the same threats as before. Having everything checked for deletion and rebooting into normal mode hasn't worked in getting rid of these.


Malwarebytes' Anti-Malware 1.35
Database version: 1940
Windows 5.1.2600 Service Pack 3

4/20/2009 9:32:37 PM
mbam-log-2009-04-20 (21-32-30).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 126109
Time elapsed: 49 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{81f8968e-0d80-4c50-87d5-e4b52078af09} (Trojan.BHO.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{81f8968e-0d80-4c50-87d5-e4b52078af09} (Trojan.BHO.H) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\comaddinh.dll (Trojan.BHO.H) -> No action taken.
C:\Documents and Settings\Mary\Local Settings\Temp\mbuycgyx.dat (Rootkit.Agent) -> No action taken.

#6 LemmingLeader

LemmingLeader
  • Topic Starter

  • Members
  • 37 posts

Posted 21 April 2009 - 01:07 AM

This is my current "HijackThis" log from DDS. Hope it helps.
Thanks.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Mary at 22:50:00.90 on Mon 04/20/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.383.125 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Mary\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://beta.mytelus.com/telusen/portal/index.aspx
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {81f8968e-0d80-4c50-87d5-e4b52078af09} - c:\windows\system32\comaddinh.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli svests.dll

============= SERVICES / DRIVERS ===============

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2009-1-16 5632]
R0 wurmrtul;wurmrtul;c:\windows\system32\drivers\wurmrtul.sys [2003-3-31 23424]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-1 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-1 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-1 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-4-1 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-1 298264]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-2-5 33752]

=============== Created Last 30 ================

2009-04-06 18:15 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-04-06 18:13 <DIR> --d----- c:\windows\ERUNT
2009-04-06 18:06 <DIR> --d----- C:\SDFix
2009-04-04 10:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-04 10:31 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-04 10:31 <DIR> --d----- c:\docume~1\mary\applic~1\SUPERAntiSpyware.com
2009-04-04 10:31 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-04-03 19:45 <DIR> --d----- c:\docume~1\mary\applic~1\Malwarebytes
2009-04-03 19:45 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-03 19:45 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-03 19:45 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-03 19:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-01 21:44 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-04-01 18:45 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-01 18:45 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-01 18:45 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-04-01 18:45 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-04-01 18:45 <DIR> --d----- c:\program files\AVG
2009-04-01 18:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8

==================== Find3M ====================

2009-03-20 18:22 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-03-20 18:21 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-03-17 19:36 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-17 19:18 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys

============= FINISH: 22:50:32.50 ===============
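As an added example (not code from the thread, from DDS, or from Malwarebytes), the following Python script triages the two kinds of log posted above: it parses the BHO lines of a DDS "Pseudo HJT Report" together with the registry findings of a Malwarebytes log, and flags any BHO that either has no registered display name or that MBAM reported but could not act on. The "no display name" rule is a heuristic assumed here for triage, and the sample lines are copied from the logs in this thread.

```python
import re

# Sample input: BHO lines copied from the DDS "Pseudo HJT Report" posted above.
DDS_SAMPLE = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {81f8968e-0d80-4c50-87d5-e4b52078af09} - c:\windows\system32\comaddinh.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
"""

# Sample input: registry and file findings copied from the Malwarebytes log posted above.
MBAM_SAMPLE = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{81f8968e-0d80-4c50-87d5-e4b52078af09} (Trojan.BHO.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{81f8968e-0d80-4c50-87d5-e4b52078af09} (Trojan.BHO.H) -> No action taken.

Files Infected:
C:\WINDOWS\system32\comaddinh.dll (Trojan.BHO.H) -> No action taken.
"""

# DDS prints "BHO: <display name>: {CLSID} - <path>"; the display name is absent
# when the CLSID has none registered (the comaddinh.dll entry above).
BHO_RE = re.compile(
    r"^BHO: (?:(?P<name>.*?): )?\{(?P<clsid>[0-9a-fA-F-]{36})\} - (?P<path>.+)$"
)
# MBAM registry lines: "<key>\{CLSID} (<detection>) -> <action>."
MBAM_RE = re.compile(
    r"\{(?P<clsid>[0-9a-fA-F-]{36})\} \((?P<detection>[^)]+)\) -> (?P<action>.+?)\.?$"
)


def parse_dds_bhos(text):
    """Return one dict per BHO line: clsid (lower-cased), name (None if absent), path."""
    bhos = []
    for line in text.splitlines():
        m = BHO_RE.match(line.strip())
        if m:
            bhos.append({"clsid": m.group("clsid").lower(),
                         "name": m.group("name"),
                         "path": m.group("path")})
    return bhos


def parse_mbam_registry(text):
    """Map CLSID -> list of (detection, action) for MBAM lines that carry a CLSID."""
    hits = {}
    for line in text.splitlines():
        m = MBAM_RE.search(line.strip())
        if m:
            hits.setdefault(m.group("clsid").lower(), []).append(
                (m.group("detection"), m.group("action")))
    return hits


def triage_bhos(dds_text, mbam_text):
    """Cross-reference DDS BHO entries with MBAM findings; return the suspicious ones."""
    detections = parse_mbam_registry(mbam_text)
    findings = []
    for bho in parse_dds_bhos(dds_text):
        reasons = []
        if bho["name"] is None:
            # Heuristic: legitimate add-ons normally register a display name.
            reasons.append("CLSID has no registered display name")
        for detection, action in detections.get(bho["clsid"], []):
            # "No action taken" means the key survived the scan and persistence is intact.
            reasons.append(f"MBAM: {detection} ({action})")
        if reasons:
            findings.append({**bho, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_bhos(DDS_SAMPLE, MBAM_SAMPLE):
        print(f"{{{f['clsid']}}} {f['path']}")
        for r in f["reasons"]:
            print("   -", r)
```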


#7 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • Gender:Male
  • Location:@localhost

Posted 21 April 2009 - 03:59 PM

hi,

Ok, we will get two downloads to use. The first one is called RootRepeal. This is only to see what might be there. Link and directions:

Please download: RootRepeal

http://rootrepeal.googlepages.com/RootRepeal.zip

Extract the file to your desktop.
Click the icon on your desktop to start.
Click on the Report tab at the bottom of the window
Next, Click on the Scan button
In the Select Scan Window check everything:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click the OK button
In the next dialog window select all the drives that are listed
Click OK to start the scan

May take some time to complete.
When done click the Save Report button.
Save the report to your desktop
To Exit RootRepeal: click File>Exit
Post the report in your reply

Next you can download and use ComboFix. There is a guide to read first. Read through the guide, download ComboFix to your desktop, disable any AV as explained in the guide, and double click the icon to start. Follow the prompts. Post the log in your reply:

The guide to read:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

How Can I Reduce My Risk to Malware?


#8 LemmingLeader

LemmingLeader
  • Topic Starter

  • Members
  • 37 posts

Posted 21 April 2009 - 10:00 PM

This is the RootRepeal log:

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/04/21 17:36
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEBEC3000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7C1F000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEB341000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Mary\Local Settings\Temp\mbuycgyx.dat
Status: Locked to the Windows API!

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xec0badf0

#9 LemmingLeader

LemmingLeader
  • Topic Starter

  • Members
  • 37 posts

Posted 21 April 2009 - 10:02 PM

And this is the combofix log:

ComboFix 09-04-22.02 - Mary 04/21/2009 19:23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.383.126 [GMT -7:00]
Running from: c:\documents and settings\Mary\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-22 to 2009-04-22 )))))))))))))))))))))))))))))))
.

2009-04-22 00:35 . 2009-04-22 00:35 0 ----a-w c:\documents and settings\Mary\settings.dat
2009-04-21 05:55 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-21 05:55 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-21 05:55 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-21 05:55 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-21 05:55 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-21 05:55 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-21 05:55 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-21 05:55 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-21 05:55 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-21 05:54 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-21 05:53 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-21 05:53 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-07 01:15 . 2009-04-07 01:15 578560 -c--a-w c:\windows\system32\dllcache\user32.dll
2009-04-07 01:13 . 2009-04-07 01:14 -------- d-----w c:\windows\ERUNT
2009-04-07 01:06 . 2009-04-07 02:36 -------- d-----w C:\SDFix
2009-04-04 17:32 . 2009-04-04 17:32 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-04 17:31 . 2009-04-04 17:31 -------- d-----w c:\documents and settings\Mary\Application Data\SUPERAntiSpyware.com
2009-04-04 02:45 . 2009-04-04 02:45 -------- d-----w c:\documents and settings\Mary\Application Data\Malwarebytes
2009-04-04 02:45 . 2009-03-26 23:49 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-04 02:45 . 2009-03-26 23:49 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-04 02:45 . 2009-04-04 02:45 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-02 04:44 . 2009-04-22 01:08 -------- d--h--w C:\$AVG8.VAULT$
2009-04-02 01:45 . 2009-04-02 01:45 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-02 01:45 . 2009-04-02 01:45 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-02 01:45 . 2009-04-02 01:45 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-02 01:45 . 2009-04-21 05:54 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-02 01:45 . 2009-04-22 00:30 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-03-29 04:48 . 2009-03-29 04:48 -------- d-----w c:\documents and settings\Mary\Local Settings\Application Data\{59B91B1A-234F-46D0-AF3E-9FC2D180AB84}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-04 17:31 . 2009-04-04 17:31 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-04 17:31 . 2009-04-04 17:31 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-04 02:45 . 2009-04-04 02:45 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-02 01:45 . 2009-04-02 01:45 -------- d-----w c:\program files\AVG
2009-03-21 22:30 . 2009-03-21 01:46 -------- d-----w c:\documents and settings\All Users\Application Data\Deskshare
2009-03-21 22:30 . 2009-03-21 22:30 -------- d-----w c:\program files\Common Files\Deskshare Shared
2009-03-21 22:30 . 2009-03-21 22:30 -------- d-----w c:\program files\Deskshare
2009-03-21 05:27 . 2009-03-21 04:42 -------- d-----w c:\program files\Creative
2009-03-21 05:08 . 2009-03-21 04:43 -------- d-----w c:\program files\SightSpeed
2009-03-21 05:01 . 2009-03-21 04:56 -------- d-----w c:\documents and settings\Mary\Application Data\Creative
2009-03-21 04:46 . 2009-01-16 04:11 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-21 04:41 . 2009-01-16 04:11 -------- d-----w c:\program files\Common Files\InstallShield
2009-03-21 01:50 . 2009-03-21 01:18 -------- d-----w c:\program files\AlexP
2009-03-21 01:22 . 2009-03-21 01:22 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-03-21 01:21 . 2009-03-21 01:21 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-03-18 02:36 . 2009-01-16 02:39 76487 ----a-w c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-03-18 02:28 . 2003-03-31 12:00 250048 --sha-r C:\ntldr
2009-03-18 02:18 . 2009-02-15 17:42 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-18 01:21 . 2009-02-05 15:30 -------- d-----w c:\program files\Common Files\Adobe
2009-03-06 14:22 . 2003-03-31 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-06-23 19:33 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-26 02:07 . 2009-02-26 02:07 -------- d-----w c:\documents and settings\Mary\Application Data\Apple Computer
2009-02-26 02:06 . 2009-02-26 02:06 -------- d-----w c:\program files\iTunes
2009-02-26 02:06 . 2009-02-26 02:06 -------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-26 02:06 . 2009-02-26 02:06 -------- d-----w c:\program files\iPod
2009-02-26 02:06 . 2009-02-26 02:05 -------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-26 02:06 . 2009-02-26 02:06 -------- d-----w c:\program files\Bonjour
2009-02-26 02:06 . 2009-02-26 02:05 -------- d-----w c:\program files\QuickTime
2009-02-26 02:05 . 2009-02-26 02:05 -------- d-----w c:\program files\Apple Software Update
2009-02-26 02:04 . 2009-02-26 02:04 -------- d-----w c:\program files\Common Files\Apple
2009-02-26 02:04 . 2009-02-26 02:04 -------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-02-23 07:18 . 2009-02-23 07:18 17280 ----a-w c:\documents and settings\Mary\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2003-03-31 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-07-26 04:31 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2003-03-31 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2003-03-31 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2003-03-31 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 02:02 . 2002-08-29 01:04 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2003-03-31 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2003-03-31 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2003-03-31 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2003-03-31 12:00 56832 ----a-w c:\windows\system32\secur32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81F8968E-0D80-4C50-87D5-E4B52078AF09}]
2003-03-31 12:00 101376 ----a-w c:\windows\System32\comaddinh.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-08 159744]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-16 335872]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-18 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-06 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-02 1932568]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-03-04 88209]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-6-2 565309]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-02 01:45 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli svests.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-12-01 33752]
S0 atiide;atiide;c:\windows\System32\DRIVERS\atiide.sys [2004-04-15 5632]
S0 wurmrtul;wurmrtul;c:\windows\system32\drivers\wurmrtul.sys [2003-03-31 23424]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-02 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-02 108552]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-02 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-02 298264]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://beta.mytelus.com/telusen/portal/index.aspx
uInternet Settings,ProxyOverride = *.local
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-21 19:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Apoint2K\ApntEx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wbem\wmiadap.exe
.
**************************************************************************
.
Completion time: 2009-04-22 19:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-22 02:32

Pre-Run: 80,188,456,960 bytes free
Post-Run: 80,156,430,336 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
186 --- E O F --- 2009-04-21 06:13

#10 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:11:02 AM

Posted 22 April 2009 - 05:28 PM

hi,

OK, thanks for the info. We will use ComboFix:

Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:

File::
C:\Documents and Settings\Mary\Local Settings\Temp\mbuycgyx.dat
c:\windows\system32\comaddinh.dll

Registry::
-[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81F8968E-0D80-4C50-87D5-E4B52078AF09}]

Name the Notepad file CFScript.txt and Save it to your desktop.
Now locate the file you just saved and the ComboFix icon, both on your desktop.
Using your mouse, drag the CFScript right on top of the ComboFix icon and release; ComboFix will run and produce a new log.


After ComboFix is done, check MBAM for updates and do a full scan with it. After the scan completes:

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click **Remove Selected.**

**A restart of your computer most likely will be required to remove some items.**

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Post the combofix log and the MBAM log please.

How Can I Reduce My Risk to Malware?


#11 LemmingLeader

LemmingLeader
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Local time:09:02 AM

Posted 23 April 2009 - 01:42 AM

Thank you so much for your simple, straightforward directions. This is very appreciated!
After running Combofix with the CFScript.txt file, I got this log:

ComboFix 09-04-22.02 - Mary 04/22/2009 19:48.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.383.113 [GMT -7:00]
Running from: c:\documents and settings\Mary\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mary\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-23 to 2009-04-23 )))))))))))))))))))))))))))))))
.

2009-04-22 00:35 . 2009-04-22 00:35 0 ----a-w c:\documents and settings\Mary\settings.dat
2009-04-21 05:55 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-21 05:55 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-21 05:55 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-21 05:55 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-21 05:55 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-21 05:55 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-21 05:55 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-21 05:55 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-21 05:55 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-21 05:54 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-21 05:53 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-21 05:53 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-02 13:06 . 2009-04-03 04:18 -------- d-----w c:\documents and settings\Administrator
2009-04-02 04:44 . 2009-04-22 01:08 -------- d--h--w C:\$AVG8.VAULT$
2009-04-02 01:45 . 2009-04-02 01:45 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-02 01:45 . 2009-04-02 01:45 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-02 01:45 . 2009-04-02 01:45 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-02 01:45 . 2009-04-22 02:31 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-02 01:45 . 2009-04-22 00:30 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-03-29 04:48 . 2009-03-29 04:48 -------- d-----w c:\documents and settings\Mary\Local Settings\Application Data\{59B91B1A-234F-46D0-AF3E-9FC2D180AB84}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-04 17:32 . 2009-04-04 17:32 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-04 17:31 . 2009-04-04 17:31 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-04 17:31 . 2009-04-04 17:31 -------- d-----w c:\documents and settings\Mary\Application Data\SUPERAntiSpyware.com
2009-04-04 17:31 . 2009-04-04 17:31 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-04 02:45 . 2009-04-04 02:45 -------- d-----w c:\documents and settings\Mary\Application Data\Malwarebytes
2009-04-04 02:45 . 2009-04-04 02:45 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-04 02:45 . 2009-04-04 02:45 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-02 01:45 . 2009-04-02 01:45 -------- d-----w c:\program files\AVG
2009-03-26 23:49 . 2009-04-04 02:45 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 23:49 . 2009-04-04 02:45 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-21 22:30 . 2009-03-21 01:46 -------- d-----w c:\documents and settings\All Users\Application Data\Deskshare
2009-03-21 22:30 . 2009-03-21 22:30 -------- d-----w c:\program files\Common Files\Deskshare Shared
2009-03-21 22:30 . 2009-03-21 22:30 -------- d-----w c:\program files\Deskshare
2009-03-21 05:27 . 2009-03-21 04:42 -------- d-----w c:\program files\Creative
2009-03-21 05:08 . 2009-03-21 04:43 -------- d-----w c:\program files\SightSpeed
2009-03-21 05:01 . 2009-03-21 04:56 -------- d-----w c:\documents and settings\Mary\Application Data\Creative
2009-03-21 04:46 . 2009-01-16 04:11 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-21 04:41 . 2009-01-16 04:11 -------- d-----w c:\program files\Common Files\InstallShield
2009-03-21 01:50 . 2009-03-21 01:18 -------- d-----w c:\program files\AlexP
2009-03-21 01:22 . 2009-03-21 01:22 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-03-21 01:21 . 2009-03-21 01:21 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-03-18 02:36 . 2009-01-16 02:39 76487 ----a-w c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-03-18 02:28 . 2003-03-31 12:00 250048 --sha-r C:\ntldr
2009-03-18 02:18 . 2009-02-15 17:42 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-18 01:21 . 2009-02-05 15:30 -------- d-----w c:\program files\Common Files\Adobe
2009-03-06 14:22 . 2003-03-31 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-06-23 19:33 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-26 02:07 . 2009-02-26 02:07 -------- d-----w c:\documents and settings\Mary\Application Data\Apple Computer
2009-02-26 02:06 . 2009-02-26 02:06 -------- d-----w c:\program files\iTunes
2009-02-26 02:06 . 2009-02-26 02:06 -------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-26 02:06 . 2009-02-26 02:06 -------- d-----w c:\program files\iPod
2009-02-26 02:06 . 2009-02-26 02:05 -------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-26 02:06 . 2009-02-26 02:06 -------- d-----w c:\program files\Bonjour
2009-02-26 02:06 . 2009-02-26 02:05 -------- d-----w c:\program files\QuickTime
2009-02-26 02:05 . 2009-02-26 02:05 -------- d-----w c:\program files\Apple Software Update
2009-02-26 02:04 . 2009-02-26 02:04 -------- d-----w c:\program files\Common Files\Apple
2009-02-26 02:04 . 2009-02-26 02:04 -------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-02-23 07:18 . 2009-02-23 07:18 17280 ----a-w c:\documents and settings\Mary\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2003-03-31 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-07-26 04:31 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2003-03-31 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2003-03-31 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2003-03-31 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 02:02 . 2002-08-29 01:04 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2003-03-31 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2003-03-31 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2003-03-31 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2003-03-31 12:00 56832 ----a-w c:\windows\system32\secur32.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-22_02.28.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-23 02:52 . 2009-04-23 02:52 16384 c:\windows\Temp\Perflib_Perfdata_71c.dat
+ 2003-03-31 12:00 . 2009-04-23 02:29 60034 c:\windows\system32\perfc009.dat
- 2003-03-31 12:00 . 2009-04-22 01:47 60034 c:\windows\system32\perfc009.dat
+ 2003-03-31 12:00 . 2009-04-23 02:29 394616 c:\windows\system32\perfh009.dat
- 2003-03-31 12:00 . 2009-04-22 01:47 394616 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81F8968E-0D80-4C50-87D5-E4B52078AF09}]
2003-03-31 12:00 101376 ----a-w c:\windows\System32\comaddinh.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-08 159744]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-16 335872]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-18 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-06 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-02 1932568]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-03-04 88209]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-6-2 565309]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-02 01:45 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli svests.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-12-01 33752]
S0 atiide;atiide;c:\windows\System32\DRIVERS\atiide.sys [2004-04-15 5632]
S0 wurmrtul;wurmrtul;c:\windows\system32\drivers\wurmrtul.sys [2003-03-31 23424]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-02 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-02 108552]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-02 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-02 298264]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://beta.mytelus.com/telusen/portal/index.aspx
uInternet Settings,ProxyOverride = *.local
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-22 19:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Apoint2K\ApntEx.exe
.
**************************************************************************
.
Completion time: 2009-04-23 19:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-23 02:55
ComboFix2.txt 2009-04-22 02:32

Pre-Run: 80,147,767,296 bytes free
Post-Run: 80,132,403,200 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
186 --- E O F --- 2009-04-21 06:13

#12 LemmingLeader

LemmingLeader
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Local time:09:02 AM

Posted 23 April 2009 - 01:46 AM

Then after updating MBAM and running a full scan, this log was produced:

Malwarebytes' Anti-Malware 1.36
Database version: 2029
Windows 5.1.2600 Service Pack 3

4/22/2009 8:42:15 PM
mbam-log-2009-04-22 (20-42-15).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 131477
Time elapsed: 30 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{81f8968e-0d80-4c50-87d5-e4b52078af09} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{81f8968e-0d80-4c50-87d5-e4b52078af09} (Trojan.BHO.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\comaddinh.dll (Trojan.BHO.H) -> Delete on reboot.
C:\Documents and Settings\Mary\Local Settings\Temp\mbuycgyx.dat (Rootkit.Agent) -> Delete on reboot.
C:\System Volume Information\_restore{A6437F04-41B6-4327-870C-F09035CC17E3}\RP177\A0012510.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6437F04-41B6-4327-870C-F09035CC17E3}\RP178\A0012522.exe (Rogue.TotalVirusProtection) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6437F04-41B6-4327-870C-F09035CC17E3}\RP178\A0012523.exe (Rogue.TotalVirusProtection) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6437F04-41B6-4327-870C-F09035CC17E3}\RP178\A0012524.exe (Rogue.TotalVirusProtection) -> Quarantined and deleted successfully.

#13 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:11:02 AM

Posted 23 April 2009 - 06:55 PM

hi,

After MBAM is done with a scan:

Be sure that everything is checked, and click **Remove Selected.**

**A restart of your computer most likely will be required to remove some items.**

Is MBAM prompting you for a reboot? Normally it has to reboot your machine to finish the removal process.
When it boots back up it will generate a new log. Post that log.

The logs can also be found here:
The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

I would just check it for updates, do a full scan again, and post the log that opens after the reboot.

How Can I Reduce My Risk to Malware?


#14 LemmingLeader

LemmingLeader
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Local time:09:02 AM

Posted 23 April 2009 - 08:24 PM

Sorry, I didn't realize there were 2 logs.
All the items were checked, and MBAM did need to reboot after trying to remove everything.
I'll try scanning again and post the correct log.

#15 LemmingLeader

LemmingLeader
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Local time:09:02 AM

Posted 23 April 2009 - 10:21 PM

MBAM is up to date, but doesn't bring up a second log after it reboots.
When I check the logs, there is only one dated today. This is the one below.
Do I need to do anything while it's rebooting?

Malwarebytes' Anti-Malware 1.36
Database version: 2029
Windows 5.1.2600 Service Pack 3

4/23/2009 8:05:15 PM
mbam-log-2009-04-23 (20-05-15).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 131542
Time elapsed: 31 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{81f8968e-0d80-4c50-87d5-e4b52078af09} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{81f8968e-0d80-4c50-87d5-e4b52078af09} (Trojan.BHO.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\comaddinh.dll (Trojan.BHO.H) -> Delete on reboot.
C:\Documents and Settings\Mary\Local Settings\Temp\mbuycgyx.dat (Rootkit.Agent) -> Delete on reboot.
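The two MBAM logs in posts #12 and #15 list the same eight items as "Delete on reboot" a day apart, which is the tell that the scheduled deletion is not taking effect. As an added example (my own code, not from Malwarebytes or from anyone in this thread), the Python below parses the itemised part of an MBAM 1.36 log and reports which entries an earlier scan scheduled for deletion at reboot are still listed by a later scan. The sample input is constructed from the log lines posted above; the regexes assume the "item (DetectionName) -> Action." line layout those logs use.

```python
import re
from collections import Counter, namedtuple

# One detection line from the itemised part of an MBAM log.
Detection = namedtuple("Detection", "section item name action")

# Section headers carry no count ("Files Infected:"); the summary block at the
# top of the log does ("Files Infected: 6") and is deliberately not matched.
SECTION_RE = re.compile(
    r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
    r"Registry Data Items|Folders|Files) Infected:$")
# "<item> (<detection name>) -> <action>."  The name is the last parenthesised
# group on the line, so braces inside GUID paths do not confuse the match.
ITEM_RE = re.compile(r"^(?P<item>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return the Detection entries listed under the 'X Infected:' sections."""
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ITEM_RE.match(line)
        if section and m:
            found.append(Detection(section, m["item"], m["name"], m["action"]))
    return found


def still_pending(earlier, later):
    """Items the earlier scan scheduled for deletion at reboot that the later
    scan still lists with the same action, i.e. removal did not take effect."""
    scheduled = {d.item.lower() for d in earlier if d.action == "Delete on reboot"}
    return [d for d in later
            if d.action == "Delete on reboot" and d.item.lower() in scheduled]


def action_counts(detections):
    """Per-action tally, e.g. Counter({'Delete on reboot': 8})."""
    return Counter(d.action for d in detections)


# Constructed sample input: the itemised sections of the 22 and 23 April logs.
SCAN_APR22 = r"""
Registry Keys Infected: 2
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{81f8968e-0d80-4c50-87d5-e4b52078af09} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{81f8968e-0d80-4c50-87d5-e4b52078af09} (Trojan.BHO.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\comaddinh.dll (Trojan.BHO.H) -> Delete on reboot.
C:\Documents and Settings\Mary\Local Settings\Temp\mbuycgyx.dat (Rootkit.Agent) -> Delete on reboot.
C:\System Volume Information\_restore{A6437F04-41B6-4327-870C-F09035CC17E3}\RP177\A0012510.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6437F04-41B6-4327-870C-F09035CC17E3}\RP178\A0012522.exe (Rogue.TotalVirusProtection) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6437F04-41B6-4327-870C-F09035CC17E3}\RP178\A0012523.exe (Rogue.TotalVirusProtection) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6437F04-41B6-4327-870C-F09035CC17E3}\RP178\A0012524.exe (Rogue.TotalVirusProtection) -> Quarantined and deleted successfully.
"""

SCAN_APR23 = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{81f8968e-0d80-4c50-87d5-e4b52078af09} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{81f8968e-0d80-4c50-87d5-e4b52078af09} (Trojan.BHO.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\comaddinh.dll (Trojan.BHO.H) -> Delete on reboot.
C:\Documents and Settings\Mary\Local Settings\Temp\mbuycgyx.dat (Rootkit.Agent) -> Delete on reboot.
"""

if __name__ == "__main__":
    first, second = parse_mbam_log(SCAN_APR22), parse_mbam_log(SCAN_APR23)
    print("first scan:", dict(action_counts(first)))
    for d in still_pending(first, second):
        print("still pending after reboot:", d.section, d.item, d.name)
```

Running it lists the two BHO registry keys, the four Browser Settings values and the two files as still pending, while the restore-point copies that were quarantined on the first pass drop out, which matches what the helper asks about in post #13.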



