
Possible rootkit issue, via Virtumonde/SmitFraud type virus.


  • This topic is locked
45 replies to this topic

#1 Vivian2

Vivian2

  • Members
  • 28 posts
  • OFFLINE
  • Local time:10:10 AM

Posted 08 April 2009 - 12:58 AM

First off, I'd like to thank anyone who is about to attempt to tackle this beast with me; your help is MUCH appreciated. Thank you very much!

OVERVIEW:
I was in the middle of fixing a friend's PC, and I was using my flash drive to take files from my PC to use in fighting this thing on their PC. Unknowingly, their PC infected my flash drive, which then infected my computer. Yes, this thing is THAT nasty! So now I am looking for help in disinfecting my PC first, then my flash drive, and then finally fixing my friend's PC (the original problem).

WHAT I HAVE DONE SO FAR:
I have run countless scans from all the major names; they seem to be coming up clean, but I know something isn't right. Here is how I know, 2 reasons:
#1
I saved an HTML file to my desktop yesterday. Double-clicking on it won't open it; I get: THERE WAS A PROBLEM SENDING THE COMMAND TO THE PROGRAM. Also, when I right-click on it and view the properties, it says: This file came from another computer and might be blocked to help protect this computer. This is untrue; I know this for a fact. It makes me think that whatever I have has turned my own computer into what looks like a remote computer to itself! (I hope that makes sense.)
#2
In the Task Manager, I now see UNSECAPP.EXE and a new WMIPRVSE.EXE, which didn't run before but now do, and I didn't install anything (aside from this beast) recently.

SUMMARY:
I have tried to kill this thing for a week now, and I don't consider myself a novice, but this thing is just unlike anything I have ever run into before. Again, thank you very much in advance to anyone who would be willing to help me with this issue.


DDS (Ver_09-03-16.01) - NTFSx86
Run by XP at 1:05:07.25 on Wed 04/08/2009
Internet Explorer: 7.0.5730.11

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = ftp=127.0.0.1:8118;http=127.0.0.1:8118;https=127.0.0.1:8118;socks=127.0.0.1:9050
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;68.180.*.*
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [kmw_run.exe] kmw_run.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp3.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\xp\applic~1\mozilla\firefox\profiles\cojty8k4.default\
FF - prefs.js: browser.startup.homepage - hxxps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx%3Fn%3D1231638670&id=64855&bk=657545
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 8118
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 8118
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\java\jre6\bin\npdeploytk.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-04-07 19:56 1,878,888 a------- C:\install_flash_player.exe
2009-04-07 08:02 7,304 a------- c:\windows\TMP0001.TMP
2009-04-06 04:20 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-04-06 03:52 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-04-06 03:51 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-06 03:51 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-04-06 03:51 <DIR> --d----- c:\program files\AVG
2009-04-06 03:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-04-06 03:44 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-04-06 03:43 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-03 21:39 <DIR> --d----- c:\program files\Unlocker
2009-03-12 13:20 244 a---h--- C:\sqmnoopt00.sqm
2009-03-12 13:20 232 a---h--- C:\sqmdata00.sqm
2009-03-10 13:52 0 a------- c:\windows\HMHud.INI
2009-03-09 18:46 <DIR> --d----- C:\HMArchive

==================== Find3M ====================

2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-09 05:03 121,984 a------- c:\windows\system32\drivers\Rtnicxp.sys
2009-03-03 12:18 73,728 a------- c:\windows\system32\RtNicProp32.dll
2009-02-22 11:07 18,848 a------- c:\docume~1\xp\applic~1\GDIPFONTCACHEV1.DAT
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-05-11 22:08 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051120080512\index.dat

============= FINISH: 1:08:32.37 ===============



***JUST WANTED TO ADD: Did a Kaspersky Online Scan, then UPDATED MBAM, then ran a Malwarebytes scan; here are those.***



KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, April 8, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, April 08, 2009 04:23:26
Records in database: 2021814


Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\XP\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics:
Files scanned: 60290
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 02:26:55

No malware has been detected. The scan area is clean.
The selected area was scanned.


Malwarebytes' Anti-Malware 1.36
Database version: 1953
Windows 5.1.2600 Service Pack 3

4/8/2009 4:58:57 PM
mbam-log-2009-04-08 (16-58-57).txt

Scan type: Quick Scan
Objects scanned: 76888
Time elapsed: 10 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Edited by Vivian2, 08 April 2009 - 04:22 PM.




#2 Vivian2

Vivian2
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:10:10 AM

Posted 10 April 2009 - 05:44 PM

I have a feeling this is the scan required... it took 12 hours.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, April 10, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, April 10, 2009 11:10:03
Records in database: 2031275
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 588474
Threat name: 7
Infected objects: 55
Suspicious objects: 0
Duration of the scan: 12:44:14


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Infected: Trojan-Downloader.BAT.Small.e 1
C:\Documents and Settings\XP\Desktop\jeff(original workpc)\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-244aa3eb Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\jeff(original workpc)\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-27b60fb3 Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\jeff(original workpc)\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-3e13b511 Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\jeff(original workpc)\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-5eb75605 Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\jeff(original workpc)\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-6f6fea27 Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\jeff(original workpc)\Application Data\Sun\Java\Deployment\cache\6.0\44\232f2a6c-3a666261 Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\XP\Desktop\jeff(original workpc)\Application Data\Sun\Java\Deployment\cache\6.0\44\232f2a6c-506a651d Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\XP\Desktop\jeff(original workpc)\Application Data\Sun\Java\Deployment\cache\6.0\44\232f2a6c-5a63a90d Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\XP\Desktop\jeff(original workpc)\Application Data\Sun\Java\Deployment\cache\6.0\44\232f2a6c-5b24736e Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\XP\Desktop\jeff(original workpc)\Application Data\Sun\Java\Deployment\cache\6.0\44\232f2a6c-6156e353 Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\XP\Desktop\jeff(original workpc)\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-12fb06fe Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\jeff(original workpc)\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-1df9608b Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\jeff(original workpc)\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-2c7d97ef Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\jeff(original workpc)\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-370d54a8 Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\jeff(original workpc)\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-5750e6ec Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\jeff(original workpc)\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-12f8959a Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\jeff(original workpc)\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-13f9f9d4 Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\jeff(original workpc)\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-3dfe27d8 Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\jeff(original workpc)\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-5929bb9c Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\jeff(original workpc)\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-7322206e Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\jeff(original workpc)\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-49eb5a34.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\jeff(original workpc)\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-51ac2b7c.zip Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\XP\Desktop\jeff(original workpc)\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-10da61f1.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\jeff(original workpc)\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-5d36a2bf.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\Jeffs Users\jeff\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-244aa3eb Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\Jeffs Users\jeff\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-27b60fb3 Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\Jeffs Users\jeff\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-3e13b511 Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\Jeffs Users\jeff\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-5eb75605 Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\Jeffs Users\jeff\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-6f6fea27 Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\Jeffs Users\jeff\Application Data\Sun\Java\Deployment\cache\6.0\44\232f2a6c-3a666261 Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\XP\Desktop\Jeffs Users\jeff\Application Data\Sun\Java\Deployment\cache\6.0\44\232f2a6c-506a651d Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\XP\Desktop\Jeffs Users\jeff\Application Data\Sun\Java\Deployment\cache\6.0\44\232f2a6c-5a63a90d Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\XP\Desktop\Jeffs Users\jeff\Application Data\Sun\Java\Deployment\cache\6.0\44\232f2a6c-5b24736e Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\XP\Desktop\Jeffs Users\jeff\Application Data\Sun\Java\Deployment\cache\6.0\44\232f2a6c-6156e353 Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\XP\Desktop\Jeffs Users\jeff\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-12fb06fe Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\Jeffs Users\jeff\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-1df9608b Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\Jeffs Users\jeff\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-2c7d97ef Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\Jeffs Users\jeff\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-370d54a8 Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\Jeffs Users\jeff\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-5750e6ec Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\Jeffs Users\jeff\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-12f8959a Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\Jeffs Users\jeff\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-13f9f9d4 Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\Jeffs Users\jeff\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-3dfe27d8 Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\Jeffs Users\jeff\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-5929bb9c Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\Jeffs Users\jeff\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-7322206e Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\Jeffs Users\jeff\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-49eb5a34.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\Jeffs Users\jeff\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-51ac2b7c.zip Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\XP\Desktop\Jeffs Users\jeff\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-10da61f1.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\XP\Desktop\Jeffs Users\jeff\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-5d36a2bf.zip Infected: Exploit.Java.Gimsh.b 1
C:\TO INSTALL\Bearshare521-BSINSTALL.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1
D:\Documents and Settings\All Users\Documents\kazaalite_202_b1\first stage\kazaa_lite_202_english.exe Infected: not-a-virus:AdWare.Win32.Altnet.o 1
D:\Documents and Settings\M2\.housecall\Quarantine\nt50.exe.bac_a01184 Infected: Hoax.Win32.BadJoke.Stript 1
D:\Documents and Settings\M2\.housecall\Quarantine\vvl.exe.bac_a01184 Infected: Trojan-Spy.Win32.KeyLogger.ao 1
D:\Documents and Settings\Mike\.housecall\Quarantine\nt50.exe.bac_a01184 Infected: Hoax.Win32.BadJoke.Stript 1
D:\Documents and Settings\Mike\.housecall\Quarantine\vvl.exe.bac_a01184 Infected: Trojan-Spy.Win32.KeyLogger.ao 1

The selected area was scanned.

#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:11:10 AM

Posted 19 April 2009 - 11:38 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, then enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#4 Vivian2

Vivian2
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:10:10 AM

Posted 20 April 2009 - 10:16 AM

Thank you for getting back with me. Just my personal thoughts....

1. IE hijacked
My default search engine was changed from Google to Live Search. My personal links were rearranged. I'm getting all the initial action boxes, like "Would you like to enable Auto Complete?" and "Access can be viewed by others", when I 1st tried to go to a different web page.

2. My computer's somehow been set up by a rogue program to act as a server to itself.
-Tools > Internet Options > Connections > LAN Settings button... when I tick to use a proxy server, the ADDRESS: and PORT: boxes stay greyed out and unusable!
-When I start up IE, ZoneAlarm asks if iexplore.exe can access 127.0.00.1:Port 1445

3. I think my Windows Automatic Update was somehow hijacked, and instead of updating my computer it is a personal installer for this malware. I really distrust Windows Automatic Update; making sure that it's legit is very important to me.

Thanks, here's the DDS requested:


DDS (Ver_09-03-16.01) - NTFSx86
Run by XP at 10:45:54.35 on Mon 04/20/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.281 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090419-0] *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\XP\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://login.live.com/login.srf?wa=wsignin...amp;bk=74541155
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = ftp=127.0.0.1:8118;http=127.0.0.1:8118;https=127.0.0.1:8118;socks=127.0.0.1:9050
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;68.180.*.*
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [kmw_run.exe] kmw_run.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [avast!] c:\progra~1\avast4\ashDisp.exe
StartupFolder: c:\docume~1\xp\startm~1\programs\startup\cports~1.lnk - c:\pc pitstop cd(update this!!!)\tcp ip port listing utilities\cports.exe
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp3.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\xp\applic~1\mozilla\firefox\profiles\cojty8k4.default\
FF - prefs.js: browser.startup.homepage - hxxps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx%3Fn%3D1231638670&id=64855&bk=657545
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\java\jre6\bin\npdeploytk.dll

============= SERVICES / DRIVERS ===============

R0 crpf;crpf;c:\windows\system32\drivers\crpf.sys [2009-4-14 36752]
R0 csdf;csdf;c:\windows\system32\drivers\csdf.sys [2009-4-14 39440]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-4-15 28544]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-4-15 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-1-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-7-12 353680]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-4-15 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast4\ashServ.exe [2009-4-15 138680]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\avast4\ashMaiSv.exe [2009-4-15 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\avast4\ashWebSv.exe [2009-4-15 352920]
S3 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-5-8 204800]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\204.tmp --> c:\windows\system32\204.tmp [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]

=============== Created Last 30 ================

2009-04-15 08:03 <DIR> --d----- c:\program files\Avast4
2009-04-15 07:56 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-04-15 07:42 <DIR> a-dshr-- C:\cmdcons
2009-04-15 07:39 161,792 a------- c:\windows\SWREG.exe
2009-04-15 07:39 98,816 a------- c:\windows\sed.exe
2009-04-14 14:45 <DIR> --d----- c:\windows\system32\KB905474
2009-04-14 14:40 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-14 14:40 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-14 14:40 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-14 14:40 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-14 14:40 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 14:40 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 14:40 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 14:40 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-14 14:40 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-14 14:39 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-14 14:39 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 14:39 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-14 12:19 36,752 a------- c:\windows\system32\drivers\crpf.sys
2009-04-14 12:19 39,440 a------- c:\windows\system32\drivers\csdf.sys
2009-04-14 12:19 7,928 a------- c:\windows\system32\cnat.exe
2009-04-08 16:31 2,781 a------- C:\Kaspersky Scan 4-8-09.html
2009-04-08 07:47 94,208 a------- C:\GooredFix.exe
2009-04-08 03:15 33,952,648 a------- C:\zaZA_Setup_en.exe
2009-04-08 02:39 607,640 a------- C:\jre-6u13-windows-i586-p-iftw.exe
2009-04-08 02:30 607,640 a------- C:\jxpiinstall-6u13-fcs-bin-b03-windows-i586-09_mar_2009.exe
2009-04-07 19:56 1,878,888 a------- C:\install_flash_player.exe
2009-04-07 08:02 7,304 a------- c:\windows\TMP0001.TMP
2009-04-03 21:39 <DIR> --d----- c:\program files\Unlocker

==================== Find3M ====================

2009-04-10 05:11 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-09 05:03 121,984 a------- c:\windows\system32\drivers\Rtnicxp.sys
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-03 12:18 73,728 a------- c:\windows\system32\RtNicProp32.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-22 11:07 18,848 a------- c:\docume~1\xp\applic~1\GDIPFONTCACHEV1.DAT
2009-02-20 14:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2008-05-11 22:08 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051120080512\index.dat

============= FINISH: 10:46:48.28 ===============

#5 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:06:10 PM

Posted 21 April 2009 - 12:30 PM

Hi

I don't think you mentioned that you have run ComboFix too. Please post the contents of the ComboFix.txt file back here.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


#6 Vivian2

Vivian2
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:10:10 AM

Posted 22 April 2009 - 10:58 AM

ComboFix 09-04-22.A23 - XP 04/22/2009 11:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.184 [GMT -4:00]
Running from: c:\documents and settings\XP\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090421-0] *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-22 to 2009-04-22 )))))))))))))))))))))))))))))))
.

2009-04-15 12:03 . 2009-04-15 12:03 -------- d-----w c:\program files\Avast4
2009-04-15 11:56 . 2008-06-19 20:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-04-14 18:45 . 2009-04-14 18:45 -------- d-----w c:\windows\system32\KB905474
2009-04-14 18:45 . 2009-03-11 02:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-04-14 18:45 . 2009-03-11 02:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-04-14 18:45 . 2009-02-09 22:51 12490 ----a-w c:\windows\system32\KB905474\wga_eula.txt
2009-04-14 18:40 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-14 18:40 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-14 18:40 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-14 18:40 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-14 18:40 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 18:40 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 18:40 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 18:40 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-14 18:40 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-14 18:39 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-14 18:39 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 18:39 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 16:19 . 2009-04-03 16:17 36752 ----a-w c:\windows\system32\drivers\crpf.sys
2009-04-14 16:19 . 2009-04-03 16:18 39440 ----a-w c:\windows\system32\drivers\csdf.sys
2009-04-14 16:19 . 2009-04-03 16:16 7928 ----a-w c:\windows\system32\cnat.exe
2009-04-10 09:11 . 2009-04-10 09:11 -------- d-----w c:\program files\Java
2009-04-10 08:48 . 2009-04-15 16:27 1374 ----a-w c:\windows\imsins.BAK
2009-04-08 20:31 . 2009-04-08 20:31 2781 ----a-w C:\Kaspersky Scan 4-8-09.html
2009-04-08 11:47 . 2009-04-08 20:44 94208 ----a-w C:\GooredFix.exe
2009-04-08 07:15 . 2009-04-08 07:16 33952648 ----a-w C:\zaZA_Setup_en.exe
2009-04-08 06:39 . 2009-04-08 06:39 607640 ----a-w C:\jre-6u13-windows-i586-p-iftw.exe
2009-04-08 06:30 . 2009-04-08 06:30 607640 ----a-w C:\jxpiinstall-6u13-fcs-bin-b03-windows-i586-09_mar_2009.exe
2009-04-07 23:56 . 2009-04-07 23:57 1878888 ----a-w C:\install_flash_player.exe
2009-04-07 12:02 . 2009-04-21 17:55 7304 ----a-w c:\windows\TMP0001.TMP
2009-04-06 07:47 . 2009-04-14 20:03 8192 ----a-w c:\documents and settings\Mike
2009-04-04 01:39 . 2009-04-10 08:09 -------- d-----w c:\program files\Unlocker

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-21 21:06 . 2008-11-23 06:22 -------- d-----w c:\program files\Firefox
2009-04-21 00:38 . 2006-12-08 03:01 -------- d-----w c:\program files\PokerStars
2009-04-20 14:42 . 2009-01-12 10:39 -------- d-----w c:\documents and settings\XP\Application Data\Vidalia
2009-04-20 14:42 . 2009-01-12 10:43 -------- d-----w c:\documents and settings\XP\Application Data\tor
2009-04-20 13:44 . 2008-07-23 17:32 47287409 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-04-19 17:00 . 2007-03-16 19:53 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-14 19:55 . 2007-11-05 14:02 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-14 19:55 . 2007-11-05 14:02 -------- d-----w c:\program files\Lavasoft
2009-04-14 13:41 . 2008-07-11 19:23 -------- d-----w c:\program files\Panda Security
2009-04-10 22:31 . 2009-04-10 22:31 9488 ----a-w C:\Kaspersky -My Computer- Scan 4-10-09.txt
2009-04-10 09:11 . 2008-11-26 13:48 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-10 09:00 . 2006-12-28 10:47 -------- d-----w c:\program files\QuickTime
2009-04-10 09:00 . 2006-12-28 10:53 -------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-04-10 08:57 . 2006-12-28 10:54 -------- d-----w c:\program files\Apple Software Update
2009-04-07 11:08 . 2006-12-27 01:34 -------- d-----w c:\program files\Common Files\Adobe
2009-04-07 05:11 . 2009-02-08 21:51 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 19:32 . 2009-02-08 21:51 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-02-08 21:51 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-06 08:37 . 2009-02-09 04:55 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-04 16:24 . 2008-08-29 14:05 -------- d-----w c:\program files\WPEX
2009-03-30 14:20 . 2007-08-07 08:58 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-12 17:20 . 2009-03-12 17:20 244 ---ha-w C:\sqmnoopt00.sqm
2009-03-12 17:20 . 2009-03-12 17:20 232 ---ha-w C:\sqmdata00.sqm
2009-03-11 00:38 . 2009-03-11 00:38 -------- d-----w c:\documents and settings\XP\Application Data\U3
2009-03-09 17:45 . 2007-03-16 19:53 -------- d-----w c:\program files\Full Tilt Poker
2009-03-09 09:03 . 2006-12-14 20:44 121984 ----a-w c:\windows\system32\drivers\Rtnicxp.sys
2009-03-09 01:18 . 2009-03-09 01:35 2621440 ----a-w c:\windows\Internet Logs\xDB1.tmp
2009-03-07 23:07 . 2009-03-07 23:07 -------- d-----w c:\program files\AGEIA Technologies
2009-03-06 14:22 . 2001-08-23 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 16:18 . 2008-11-27 16:47 73728 ----a-w c:\windows\system32\RtNicProp32.dll
2009-03-03 00:18 . 2004-01-08 20:23 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-01 19:06 . 2006-12-28 22:50 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-02-22 15:07 . 2008-02-09 02:14 18848 ----a-w c:\documents and settings\XP\Application Data\GDIPFONTCACHEV1.DAT
2009-02-20 23:24 . 2006-12-28 22:48 2350 ---ha-w C:\IPH.PH
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2001-08-23 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2006-12-04 05:52 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2001-08-23 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2001-08-23 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2001-08-23 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 17:31 . 2006-12-04 06:32 18848 ----a-w c:\documents and settings\XP\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-07 23:02 . 2001-08-17 13:48 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2001-08-23 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2001-08-23 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2001-08-23 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2001-08-23 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2007-05-25 14:59 . 2007-05-25 14:59 125 ----a-w c:\documents and settings\XP\Local Settings\Application Data\fusioncache.dat
2006-12-04 23:16 . 2006-12-04 23:16 17920 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-09-11 05:09 . 2008-09-11 05:06 24 --sh--w c:\windows\S3214DC9A.tmp
2008-05-12 02:08 . 2008-05-12 02:08 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051120080512\index.dat
.

------- Sigcheck -------

[-] 2008-04-14 00:12 1033216 66B2972986C8CE0454D28E791B16A934 c:\windows\explorer.exe
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 07:56 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtUninstallKB938828$\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-04-15_11.47.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-15 16:43 . 2009-04-15 16:43 16384 c:\windows\Temp\Perflib_Perfdata_684.dat
- 2007-05-25 21:22 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
+ 2007-05-25 21:22 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
+ 2009-04-19 17:00 . 2007-03-05 14:20 28352 c:\windows\system32\drivers\ssmdrv.sys
+ 2009-04-19 17:00 . 2007-03-22 13:36 43584 c:\windows\system32\drivers\avipbb.sys
+ 2009-04-15 12:03 . 2009-02-05 20:06 51376 c:\windows\system32\drivers\aswTdi.sys
+ 2009-04-15 12:03 . 2009-02-05 20:06 23152 c:\windows\system32\drivers\aswRdr.sys
+ 2009-04-15 12:03 . 2009-02-05 20:08 94032 c:\windows\system32\drivers\aswmon2.sys
+ 2009-04-15 12:03 . 2009-02-05 20:08 93296 c:\windows\system32\drivers\aswmon.sys
+ 2009-04-15 12:03 . 2009-02-05 20:07 20560 c:\windows\system32\drivers\aswFsBlk.sys
+ 2009-04-15 12:03 . 2009-02-05 20:05 26944 c:\windows\system32\drivers\aavmker4.sys
+ 2009-02-03 19:59 . 2009-02-03 19:59 56832 c:\windows\system32\dllcache\secur32.dll
+ 2009-04-15 12:03 . 2009-02-05 20:04 97480 c:\windows\system32\AvastSS.scr
+ 2007-02-15 23:01 . 2009-03-11 02:18 934792 c:\windows\system32\WgaTray.exe
+ 2007-02-15 23:00 . 2009-03-11 02:18 239496 c:\windows\system32\WgaLogon.dll
- 2001-08-23 12:00 . 2008-04-14 00:11 989696 c:\windows\system32\kernel32.dll
+ 2001-08-23 12:00 . 2009-03-21 14:06 989696 c:\windows\system32\kernel32.dll
+ 2009-04-15 12:03 . 2009-02-05 20:07 114768 c:\windows\system32\drivers\aswSP.sys
+ 2007-02-15 23:01 . 2009-03-11 02:18 934792 c:\windows\system32\dllcache\WgaTray.exe
+ 2007-02-15 23:00 . 2009-03-11 02:18 239496 c:\windows\system32\dllcache\wgaLogon.dll
+ 2009-03-21 14:06 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\kernel32.dll
+ 2001-08-23 12:00 . 2008-12-20 22:14 1288192 c:\windows\system32\quartz.dll
- 2001-08-23 12:00 . 2008-05-07 05:12 1288192 c:\windows\system32\quartz.dll
+ 2006-05-17 16:23 . 2009-03-11 02:18 1482112 c:\windows\system32\LegitCheckControl.dll
+ 2008-05-07 05:12 . 2008-12-20 22:14 1288192 c:\windows\system32\dllcache\quartz.dll
- 2008-05-07 05:12 . 2008-05-07 05:12 1288192 c:\windows\system32\dllcache\quartz.dll
+ 2009-04-15 12:03 . 2009-02-05 20:11 1256296 c:\windows\system32\aswBoot.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"avast!"="c:\progra~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"kmw_run.exe"="kmw_run.exe" - c:\windows\system32\kmw_run.exe [2006-08-03 106496]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

c:\documents and settings\XP\Start Menu\Programs\Startup\
cports.exe.lnk - c:\pc pitstop cd(update this!!!)\TCP IP Port Listing Utilities\cports.exe [2009-1-30 46592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kensington\\MouseWorks\\k_update.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-05-08 204800]
R3 MEMSWEEP2;MEMSWEEP2; [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S0 crpf;crpf;c:\windows\System32\drivers\crpf.sys [2009-04-03 36752]
S0 csdf;csdf;c:\windows\System32\drivers\csdf.sys [2009-04-03 39440]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S1 aswSP;avast! Self Protection; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-04-06 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-01-15 55024]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - RKHDRV40
*NewlyCreated* - RKREVEAL150
*Deregistered* - PROCEXP113
*Deregistered* - rkhdrv40
*Deregistered* - RKREVEAL150

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-14 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-14 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = https://login.live.com/login.srf?wa=wsignin...amp;bk=74541155
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = ftp=127.0.0.1:8118;http=127.0.0.1:8118;https=127.0.0.1:8118;socks=127.0.0.1:9050
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;68.180.*.*
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\XP\Application Data\Mozilla\Firefox\Profiles\cojty8k4.default\
FF - prefs.js: browser.startup.homepage - hxxps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx%3Fn%3D1231638670&id=64855&bk=657545
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Java\jre6\bin\npdeploytk.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-22 11:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\5.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3664)
c:\windows\system32\kmw_dll.dll
c:\windows\system32\WOW32.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-22 11:54
ComboFix-quarantined-files.txt 2009-04-22 15:54
ComboFix2.txt 2009-04-15 11:49

Pre-Run: 19,063,087,104 bytes free
Post-Run: 19,151,769,600 bytes free

233 --- E O F --- 2009-04-15 16:28

#7 Blade81

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
Posted 22 April 2009 - 12:16 PM

Hi

I didn't mean that ComboFix should be re-run, but that you post the log you got earlier. Please look for the c:\ComboFix\ComboFix2.txt file and post it back. I want to see what was removed earlier.

Edited by Blade81, 22 April 2009 - 12:16 PM.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#8 Vivian2

  • Topic Starter
  • Members
  • 28 posts

Posted 22 April 2009 - 12:36 PM

Oh, sorry about that. The only Combofix2.txt I could find was in C:\Qoobox, and here's that log...

ComboFix 09-04-15.08 - XP 04/15/2009 7:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.291 [GMT -4:00]
Running from: c:\documents and settings\XP\Desktop\ComboFix.exe
FW: ZoneAlarm Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Internet Explorer.lnk

.
((((((((((((((((((((((((( Files Created from 2009-03-15 to 2009-04-15 )))))))))))))))))))))))))))))))
.

2009-04-14 18:45 . 2009-04-14 18:45 -------- d-----w c:\windows\system32\KB905474
2009-04-14 18:45 . 2009-03-11 02:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-04-14 18:45 . 2009-03-11 02:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-04-14 18:45 . 2009-02-09 22:51 12490 ----a-w c:\windows\system32\KB905474\wga_eula.txt
2009-04-14 18:40 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-14 18:40 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-14 18:40 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-14 18:40 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-14 18:40 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 18:40 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 18:40 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 18:40 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-14 18:40 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-14 18:39 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-14 18:39 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 18:39 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 16:19 . 2009-04-03 16:17 36752 ----a-w c:\windows\system32\drivers\crpf.sys
2009-04-14 16:19 . 2009-04-03 16:18 39440 ----a-w c:\windows\system32\drivers\csdf.sys
2009-04-14 16:19 . 2009-04-03 16:16 7928 ----a-w c:\windows\system32\cnat.exe
2009-04-14 13:53 . 2008-06-19 20:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-04-10 09:12 . 2009-04-10 09:11 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-04-10 09:11 . 2009-04-10 09:11 -------- d-----w c:\program files\Java
2009-04-10 08:48 . 2009-04-14 18:51 1374 ----a-w c:\windows\imsins.BAK
2009-04-08 20:31 . 2009-04-08 20:31 2781 ----a-w C:\Kaspersky Scan 4-8-09.html
2009-04-08 11:47 . 2009-04-08 20:44 94208 ----a-w C:\GooredFix.exe
2009-04-08 07:15 . 2009-04-08 07:16 33952648 ----a-w C:\zaZA_Setup_en.exe
2009-04-08 06:39 . 2009-04-08 06:39 607640 ----a-w C:\jre-6u13-windows-i586-p-iftw.exe
2009-04-08 06:30 . 2009-04-08 06:30 607640 ----a-w C:\jxpiinstall-6u13-fcs-bin-b03-windows-i586-09_mar_2009.exe
2009-04-07 23:56 . 2009-04-07 23:57 1878888 ----a-w C:\install_flash_player.exe
2009-04-07 12:02 . 2009-04-15 11:25 7304 ----a-w c:\windows\TMP0001.TMP
2009-04-06 07:47 . 2009-04-14 20:03 8192 ----a-w c:\documents and settings\Mike
2009-04-04 01:39 . 2009-04-10 08:09 -------- d-----w c:\program files\Unlocker

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-15 11:36 . 2008-11-23 06:22 -------- d-----w c:\program files\Firefox
2009-04-14 19:55 . 2007-11-05 14:02 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-14 19:55 . 2007-11-05 14:02 -------- d-----w c:\program files\Lavasoft
2009-04-14 13:41 . 2008-07-11 19:23 -------- d-----w c:\program files\Panda Security
2009-04-10 22:31 . 2009-04-10 22:31 9488 ----a-w C:\Kaspersky -My Computer- Scan 4-10-09.txt
2009-04-10 09:11 . 2008-11-26 13:48 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-10 09:00 . 2006-12-28 10:47 -------- d-----w c:\program files\QuickTime
2009-04-10 09:00 . 2006-12-28 10:53 -------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-04-10 08:57 . 2006-12-28 10:54 -------- d-----w c:\program files\Apple Software Update
2009-04-07 11:08 . 2006-12-27 01:34 -------- d-----w c:\program files\Common Files\Adobe
2009-04-07 05:11 . 2009-02-08 21:51 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 19:32 . 2009-02-08 21:51 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-02-08 21:51 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-06 08:37 . 2009-02-09 04:55 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-04 16:24 . 2008-08-29 14:05 -------- d-----w c:\program files\WPEX
2009-04-03 22:11 . 2009-01-12 10:39 -------- d-----w c:\documents and settings\XP\Application Data\Vidalia
2009-04-03 22:11 . 2009-01-12 10:43 -------- d-----w c:\documents and settings\XP\Application Data\tor
2009-04-03 21:57 . 2008-07-23 17:32 45360190 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-04-02 17:20 . 2006-12-08 03:01 -------- d-----w c:\program files\PokerStars
2009-03-30 14:20 . 2007-08-07 08:58 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-12 17:20 . 2009-03-12 17:20 244 ---ha-w C:\sqmnoopt00.sqm
2009-03-12 17:20 . 2009-03-12 17:20 232 ---ha-w C:\sqmdata00.sqm
2009-03-11 00:38 . 2009-03-11 00:38 -------- d-----w c:\documents and settings\XP\Application Data\U3
2009-03-09 17:45 . 2007-03-16 19:53 -------- d-----w c:\program files\Full Tilt Poker
2009-03-09 09:03 . 2006-12-14 20:44 121984 ----a-w c:\windows\system32\drivers\Rtnicxp.sys
2009-03-09 01:18 . 2009-03-09 01:35 2621440 ----a-w c:\windows\Internet Logs\xDB1.tmp
2009-03-07 23:07 . 2009-03-07 23:07 -------- d-----w c:\program files\AGEIA Technologies
2009-03-06 14:22 . 2001-08-23 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 16:18 . 2008-11-27 16:47 73728 ----a-w c:\windows\system32\RtNicProp32.dll
2009-03-03 00:18 . 2004-01-08 20:23 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-01 19:06 . 2006-12-28 22:50 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-02-22 15:07 . 2008-02-09 02:14 18848 ----a-w c:\documents and settings\XP\Application Data\GDIPFONTCACHEV1.DAT
2009-02-20 23:24 . 2006-12-28 22:49 -------- d-----w c:\program files\AIM6
2009-02-20 23:24 . 2006-12-28 22:48 2350 ---ha-w C:\IPH.PH
2009-02-20 23:23 . 2009-02-20 23:23 -------- d-----w c:\documents and settings\All Users\Application Data\acccore
2009-02-20 23:22 . 2006-12-28 22:48 -------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-16 22:54 . 2009-02-16 22:53 -------- d-----w c:\program files\Resource Hacker
2009-02-09 12:10 . 2001-08-23 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2006-12-04 05:52 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2001-08-23 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2001-08-23 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2001-08-23 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 17:31 . 2006-12-04 06:32 18848 ----a-w c:\documents and settings\XP\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-07 23:02 . 2001-08-17 13:48 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2001-08-23 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2001-08-23 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2001-08-23 12:00 35328 ----a-w c:\windows\system32\sc.exe
2007-05-25 14:59 . 2007-05-25 14:59 125 ----a-w c:\documents and settings\XP\Local Settings\Application Data\fusioncache.dat
2006-12-04 23:16 . 2006-12-04 23:16 17920 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

[-] 2008-04-14 00:12 1033216 66B2972986C8CE0454D28E791B16A934 c:\windows\explorer.exe
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 07:56 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtUninstallKB938828$\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"kmw_run.exe"="kmw_run.exe" - c:\windows\system32\kmw_run.exe [2006-08-03 106496]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

c:\documents and settings\XP\Start Menu\Programs\Startup\
cports.exe.lnk - c:\pc pitstop cd(update this!!!)\TCP IP Port Listing Utilities\cports.exe [2009-1-30 46592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmctxth]
2008-05-16 10:11 648504 ----a-w c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-04-10 09:11 148888 ----a-w c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-04-06 08:37 1830128 ----a-w c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
2003-07-14 15:52 40960 ----a-w c:\windows\ltmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kensington\\MouseWorks\\k_update.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-05-08 204800]
R3 MEMSWEEP2;MEMSWEEP2; [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S0 crpf;crpf;c:\windows\System32\drivers\crpf.sys [2009-04-03 36752]
S0 csdf;csdf;c:\windows\System32\drivers\csdf.sys [2009-04-03 39440]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-04-06 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-01-15 55024]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-14 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-14 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = https://login.live.com/login.srf?wa=wsignin...amp;bk=74541155
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = ftp=127.0.0.1:8118;http=127.0.0.1:8118;https=127.0.0.1:8118;socks=127.0.0.1:9050
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;68.180.*.*
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\XP\Application Data\Mozilla\Firefox\Profiles\cojty8k4.default\
FF - prefs.js: browser.startup.homepage - hxxps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx%3Fn%3D1231638670&id=64855&bk=657545
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Java\jre6\bin\npdeploytk.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-15 07:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\204.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
Completion time: 2009-04-15 7:49
ComboFix-quarantined-files.txt 2009-04-15 11:49

Pre-Run: 19,710,083,072 bytes free
Post-Run: 19,706,150,912 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

207 --- E O F --- 2009-04-14 19:02

#9 Blade81

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 23 April 2009 - 09:57 AM

Hi again,

Upload the following file to http://www.virustotal.com and post back the results:
c:\windows\explorer.exe


Open Notepad and copy/paste the text in the quote box below into it:

DDS::
uInternet Settings,ProxyServer = ftp=127.0.0.1:8118;http=127.0.0.1:8118;https=127.0.0.1:8118;socks=127.0.0.1:9050
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;68.180.*.*

RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and, referring to the picture above, drag CFScript onto ComboFix.exe.
Then post the resultant log.


ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager and then the Processes tab (press Ctrl, Alt and Del at the same time) and end any processes named findstr, find, sed or swreg; then ComboFix should continue.
If that happens we want to know, and also which process you had to end.


Download ATF (Atribune Temp File) Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here. If you get a message that the latest Java must be installed, "enable" the Java add-ons in IE7. Do that using "manage add-ons" from the IE7 toolbar.


Post back its report, a fresh dds.txt log and the above-mentioned ComboFix resultant log. How's the system running?

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.
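The explorer.exe check asked for above comes down to comparing the running copy's hash and size with the protected reference copies Windows keeps. As an added example that is not part of this thread or of ComboFix, the Python below parses ComboFix's Sigcheck lines (the line format and the meaning of the "[-]" marker are assumptions read off the log in this thread) and flags a live system file that is both unmatched and different from its dllcache copy; the sample lines are the Sigcheck block from the ComboFix log posted later in the thread.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# One Sigcheck entry looks like "[flag] YYYY-MM-DD HH:MM size MD5 path".
# "[-]" is read here as "not matched to ComboFix's reference list" and any
# other marker as "matched"; that reading is an assumption of this example.
SIGCHECK_LINE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size>\d+)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>\S.*?)\s*$"
)

# Locations where Windows keeps protected or superseded reference copies of
# system files; a copy anywhere else is the one that actually runs.
REFERENCE_DIRS = ("\\dllcache\\", "\\servicepackfiles\\", "\\$hf_mig$\\",
                  "\\$ntservicepackuninstall$\\", "\\$ntuninstall")


@dataclass
class Entry:
    flag: str
    size: int
    md5: str
    path: str

    @property
    def recognised(self) -> bool:
        return self.flag != "-"

    @property
    def is_reference(self) -> bool:
        return any(d in self.path.lower() for d in REFERENCE_DIRS)


@dataclass
class Finding:
    live: Entry
    cache: Optional[Entry]  # the dllcache copy, if the log lists one

    @property
    def matches_cache(self) -> bool:
        return self.cache is not None and self.cache.md5 == self.live.md5

    @property
    def suspicious(self) -> bool:
        # Unrecognised AND different from the protected copy: worth the
        # VirusTotal upload. A mismatch alone is not proof of tampering;
        # a hotfix can legitimately leave the live file different from dllcache.
        return not self.live.recognised and not self.matches_cache


def parse_sigcheck(log_text: str) -> List[Entry]:
    """Return every Sigcheck entry in a ComboFix log; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = SIGCHECK_LINE.match(line.strip())
        if m:
            entries.append(Entry(m["flag"], int(m["size"]), m["md5"].upper(), m["path"]))
    return entries


def assess(entries: List[Entry]) -> Dict[str, List[Finding]]:
    """Pair each live copy of a file with its dllcache copy, keyed by file name."""
    by_name: Dict[str, List[Entry]] = defaultdict(list)
    for e in entries:
        by_name[e.path.rsplit("\\", 1)[-1].lower()].append(e)
    findings: Dict[str, List[Finding]] = {}
    for name, copies in by_name.items():
        cache = next((c for c in copies if "\\dllcache\\" in c.path.lower()), None)
        findings[name] = [Finding(c, cache) for c in copies if not c.is_reference]
    return findings


# Sample input: the Sigcheck block from the ComboFix log posted later in this
# thread, with its surrounding lines left in so the parser has to skip them.
SAMPLE_LOG = "\n".join([
    "------- Sigcheck -------",
    "",
    r"[-] 2008-04-14 00:12 1033216 66B2972986C8CE0454D28E791B16A934 c:\windows\explorer.exe",
    r"[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe",
    r"[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\$NtServicePackUninstall$\explorer.exe",
    r"[7] 2004-08-04 07:56 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtUninstallKB938828$\explorer.exe",
    r"[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe",
    r"[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\system32\dllcache\explorer.exe",
    ".",
    "((((((((((((((((((((((((((((( SnapShot@2009-04-15_11.47.03 )))))))))))))))))))))))))))))))))))))))))",
])

if __name__ == "__main__":
    for name, findings in assess(parse_sigcheck(SAMPLE_LOG)).items():
        for f in findings:
            if f.suspicious:
                cache = f"{f.cache.size} bytes, MD5 {f.cache.md5}" if f.cache else "none listed"
                print(f"{f.live.path}: {f.live.size} bytes, MD5 {f.live.md5}, "
                      f"not recognised; dllcache copy: {cache}")
```

On the sample it reports the live c:\windows\explorer.exe (1033216 bytes, unrecognised) against a dllcache copy of 1033728 bytes with a different MD5, which is exactly the disagreement a VirusTotal upload is meant to settle.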


#10 Vivian2

Vivian2
  • Topic Starter

  • Members
  • 28 posts
  • Local time:10:10 AM

Posted 24 April 2009 - 03:11 AM

explorer.exe came up clean at virustotal.com; to save space, I left out the scanners list:

File explorer.exe received on 04.23.2009 19:15:32 (CET)
Current status: finished
Result: 0/40 (0.00%)

Additional information
File size: 1033216 bytes
MD5...: 66b2972986c8ce0454d28e791b16a934
SHA1..: c7a869faccc4ce2c4e298d3b2efcb3cb3a8f58bd
SHA256: 7bd1e1886898d79a05b497703b22600b3a32de0c5bc896a1f22fda3a68e32c32
SHA512: a38f62d098da8e2809eff1af19747329ca6d163aba3532ec92a8f941a6849e3d00113139cfa15126654493651fb36acfb67baf8a732adefa9a757d0bf7205aed
ssdeep: 12288:DHmcoCUyZtwAvAs4wTCyrPTviV0VnzaHkP8ioJpaz/g/J/vRS:7mfty/wAvN7lrU0VnekP8xaz/g/J/Z
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1a55f
timedatestamp.....: 0x48025c30 (Sun Apr 13 19:17:04 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x44c09 0x44e00 6.38 fd89c9ce334764ffdbb62637ad9b5809
.data 0x46000 0x1db4 0x1800 1.30 983f35021232560eaaa99fcbc1b7d359
.rsrc 0x48000 0xb219b 0xb2200 6.64 cef0e41b7c595b1f15f7e94c8d78b0bb
.reloc 0xfb000 0x374c 0x3800 6.78 ec335057489badbf6d8142b57175fd91

( 13 imports )

( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set
-


CFScript put into Combofix:


ComboFix 09-04-23.A3 - XP 04/23/2009 13:35.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.248 [GMT -4:00]
Running from: c:\documents and settings\XP\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\XP\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090423-0] *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-05-23 to 2009-4-23 )))))))))))))))))))))))))))))))
.

2009-04-15 12:03 . 2009-04-15 12:03 -------- d-----w c:\program files\Avast4
2009-04-15 11:56 . 2008-06-19 20:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-04-14 18:45 . 2009-04-14 18:45 -------- d-----w c:\windows\system32\KB905474
2009-04-14 18:45 . 2009-03-11 02:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-04-14 18:45 . 2009-03-11 02:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-04-14 18:45 . 2009-02-09 22:51 12490 ----a-w c:\windows\system32\KB905474\wga_eula.txt
2009-04-14 18:40 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-14 18:40 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-14 18:40 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-14 18:40 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-14 18:40 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 18:40 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 18:40 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 18:40 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-14 18:40 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-14 18:39 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-14 18:39 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 18:39 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 16:19 . 2009-04-03 16:17 36752 ----a-w c:\windows\system32\drivers\crpf.sys
2009-04-14 16:19 . 2009-04-03 16:18 39440 ----a-w c:\windows\system32\drivers\csdf.sys
2009-04-14 16:19 . 2009-04-03 16:16 7928 ----a-w c:\windows\system32\cnat.exe
2009-04-10 09:11 . 2009-04-10 09:11 -------- d-----w c:\program files\Java
2009-04-10 08:48 . 2009-04-15 16:27 1374 ----a-w c:\windows\imsins.BAK
2009-04-08 20:31 . 2009-04-08 20:31 2781 ----a-w C:\Kaspersky Scan 4-8-09.html
2009-04-08 11:47 . 2009-04-08 20:44 94208 ----a-w C:\GooredFix.exe
2009-04-08 07:15 . 2009-04-08 07:16 33952648 ----a-w C:\zaZA_Setup_en.exe
2009-04-08 06:39 . 2009-04-08 06:39 607640 ----a-w C:\jre-6u13-windows-i586-p-iftw.exe
2009-04-08 06:30 . 2009-04-08 06:30 607640 ----a-w C:\jxpiinstall-6u13-fcs-bin-b03-windows-i586-09_mar_2009.exe
2009-04-07 23:56 . 2009-04-07 23:57 1878888 ----a-w C:\install_flash_player.exe
2009-04-07 12:02 . 2009-04-21 17:55 7304 ----a-w c:\windows\TMP0001.TMP
2009-04-06 07:47 . 2009-04-14 20:03 8192 ----a-w c:\documents and settings\Mike
2009-04-04 01:39 . 2009-04-10 08:09 -------- d-----w c:\program files\Unlocker

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-23 17:00 . 2008-11-23 06:22 -------- d-----w c:\program files\Firefox
2009-04-21 00:38 . 2006-12-08 03:01 -------- d-----w c:\program files\PokerStars
2009-04-20 14:42 . 2009-01-12 10:39 -------- d-----w c:\documents and settings\XP\Application Data\Vidalia
2009-04-20 14:42 . 2009-01-12 10:43 -------- d-----w c:\documents and settings\XP\Application Data\tor
2009-04-20 13:44 . 2008-07-23 17:32 47287409 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-04-19 17:00 . 2007-03-16 19:53 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-14 19:55 . 2007-11-05 14:02 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-14 19:55 . 2007-11-05 14:02 -------- d-----w c:\program files\Lavasoft
2009-04-14 13:41 . 2008-07-11 19:23 -------- d-----w c:\program files\Panda Security
2009-04-10 22:31 . 2009-04-10 22:31 9488 ----a-w C:\Kaspersky -My Computer- Scan 4-10-09.txt
2009-04-10 09:11 . 2008-11-26 13:48 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-10 09:00 . 2006-12-28 10:47 -------- d-----w c:\program files\QuickTime
2009-04-10 09:00 . 2006-12-28 10:53 -------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-04-10 08:57 . 2006-12-28 10:54 -------- d-----w c:\program files\Apple Software Update
2009-04-07 11:08 . 2006-12-27 01:34 -------- d-----w c:\program files\Common Files\Adobe
2009-04-07 05:11 . 2009-02-08 21:51 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 19:32 . 2009-02-08 21:51 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-02-08 21:51 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-06 08:37 . 2009-02-09 04:55 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-04 16:24 . 2008-08-29 14:05 -------- d-----w c:\program files\WPEX
2009-03-30 14:20 . 2007-08-07 08:58 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-12 17:20 . 2009-03-12 17:20 244 ---ha-w C:\sqmnoopt00.sqm
2009-03-12 17:20 . 2009-03-12 17:20 232 ---ha-w C:\sqmdata00.sqm
2009-03-11 00:38 . 2009-03-11 00:38 -------- d-----w c:\documents and settings\XP\Application Data\U3
2009-03-09 17:45 . 2007-03-16 19:53 -------- d-----w c:\program files\Full Tilt Poker
2009-03-09 09:03 . 2006-12-14 20:44 121984 ----a-w c:\windows\system32\drivers\Rtnicxp.sys
2009-03-09 01:18 . 2009-03-09 01:35 2621440 ----a-w c:\windows\Internet Logs\xDB1.tmp
2009-03-07 23:07 . 2009-03-07 23:07 -------- d-----w c:\program files\AGEIA Technologies
2009-03-06 14:22 . 2001-08-23 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 16:18 . 2008-11-27 16:47 73728 ----a-w c:\windows\system32\RtNicProp32.dll
2009-03-03 00:18 . 2004-01-08 20:23 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-01 19:06 . 2006-12-28 22:50 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-02-22 15:07 . 2008-02-09 02:14 18848 ----a-w c:\documents and settings\XP\Application Data\GDIPFONTCACHEV1.DAT
2009-02-20 23:24 . 2006-12-28 22:48 2350 ---ha-w C:\IPH.PH
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2001-08-23 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2006-12-04 05:52 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2001-08-23 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2001-08-23 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2001-08-23 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 17:31 . 2006-12-04 06:32 18848 ----a-w c:\documents and settings\XP\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-07 23:02 . 2001-08-17 13:48 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2001-08-23 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2001-08-23 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2001-08-23 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2001-08-23 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2007-05-25 14:59 . 2007-05-25 14:59 125 ----a-w c:\documents and settings\XP\Local Settings\Application Data\fusioncache.dat
2006-12-04 23:16 . 2006-12-04 23:16 17920 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-09-11 05:09 . 2008-09-11 05:06 24 --sh--w c:\windows\S3214DC9A.tmp
2008-05-12 02:08 . 2008-05-12 02:08 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051120080512\index.dat
.

------- Sigcheck -------

[-] 2008-04-14 00:12 1033216 66B2972986C8CE0454D28E791B16A934 c:\windows\explorer.exe
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 07:56 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtUninstallKB938828$\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-04-15_11.47.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-15 16:43 . 2009-04-15 16:43 16384 c:\windows\Temp\Perflib_Perfdata_684.dat
- 2007-05-25 21:22 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
+ 2007-05-25 21:22 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
+ 2006-12-04 04:56 . 2001-08-23 12:00 19429 c:\windows\system32\MsDtc\Trace\msdtcvtr.bat
+ 2009-04-19 17:00 . 2007-03-05 14:20 28352 c:\windows\system32\drivers\ssmdrv.sys
+ 2009-04-19 17:00 . 2007-03-22 13:36 43584 c:\windows\system32\drivers\avipbb.sys
+ 2009-04-15 12:03 . 2009-02-05 20:06 51376 c:\windows\system32\drivers\aswTdi.sys
+ 2009-04-15 12:03 . 2009-02-05 20:06 23152 c:\windows\system32\drivers\aswRdr.sys
+ 2009-04-15 12:03 . 2009-02-05 20:08 94032 c:\windows\system32\drivers\aswmon2.sys
+ 2009-04-15 12:03 . 2009-02-05 20:08 93296 c:\windows\system32\drivers\aswmon.sys
+ 2009-04-15 12:03 . 2009-02-05 20:07 20560 c:\windows\system32\drivers\aswFsBlk.sys
+ 2009-04-15 12:03 . 2009-02-05 20:05 26944 c:\windows\system32\drivers\aavmker4.sys
+ 2009-02-03 19:59 . 2009-02-03 19:59 56832 c:\windows\system32\dllcache\secur32.dll
+ 2009-04-15 12:03 . 2009-02-05 20:04 97480 c:\windows\system32\AvastSS.scr
+ 2008-05-12 01:35 . 2008-01-18 15:13 2247 c:\windows\ServicePackFiles\i386\tscdsbl.bat
+ 2008-05-12 01:35 . 2008-01-18 15:13 2247 c:\windows\Installer\tsclientmsitrans\tscdsbl.bat
+ 2007-02-15 23:01 . 2009-03-11 02:18 934792 c:\windows\system32\WgaTray.exe
+ 2007-02-15 23:00 . 2009-03-11 02:18 239496 c:\windows\system32\WgaLogon.dll
- 2001-08-23 12:00 . 2008-04-14 00:11 989696 c:\windows\system32\kernel32.dll
+ 2001-08-23 12:00 . 2009-03-21 14:06 989696 c:\windows\system32\kernel32.dll
+ 2009-04-15 12:03 . 2009-02-05 20:07 114768 c:\windows\system32\drivers\aswSP.sys
+ 2007-02-15 23:01 . 2009-03-11 02:18 934792 c:\windows\system32\dllcache\WgaTray.exe
+ 2007-02-15 23:00 . 2009-03-11 02:18 239496 c:\windows\system32\dllcache\wgaLogon.dll
+ 2009-03-21 14:06 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\kernel32.dll
+ 2001-08-23 12:00 . 2008-12-20 22:14 1288192 c:\windows\system32\quartz.dll
- 2001-08-23 12:00 . 2008-05-07 05:12 1288192 c:\windows\system32\quartz.dll
+ 2006-05-17 16:23 . 2009-03-11 02:18 1482112 c:\windows\system32\LegitCheckControl.dll
+ 2008-05-07 05:12 . 2008-12-20 22:14 1288192 c:\windows\system32\dllcache\quartz.dll
- 2008-05-07 05:12 . 2008-05-07 05:12 1288192 c:\windows\system32\dllcache\quartz.dll
+ 2009-04-15 12:03 . 2009-02-05 20:11 1256296 c:\windows\system32\aswBoot.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"avast!"="c:\progra~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"kmw_run.exe"="kmw_run.exe" - c:\windows\system32\kmw_run.exe [2006-08-03 106496]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

c:\documents and settings\XP\Start Menu\Programs\Startup\
cports.exe.lnk - c:\pc pitstop cd(update this!!!)\TCP IP Port Listing Utilities\cports.exe [2009-1-30 46592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kensington\\MouseWorks\\k_update.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-05-08 204800]
R3 MEMSWEEP2;MEMSWEEP2; [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S0 crpf;crpf;c:\windows\System32\drivers\crpf.sys [2009-04-03 36752]
S0 csdf;csdf;c:\windows\System32\drivers\csdf.sys [2009-04-03 39440]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S1 aswSP;avast! Self Protection; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-04-06 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-01-15 55024]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - RKHDRV40
*NewlyCreated* - RKREVEAL150
*Deregistered* - PROCEXP113
*Deregistered* - rkhdrv40
*Deregistered* - RKREVEAL150

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-14 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-14 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = https://login.live.com/login.srf?wa=wsignin...amp;bk=74541155
uInternet Connection Wizard,ShellNext = iexplore
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\XP\Application Data\Mozilla\Firefox\Profiles\cojty8k4.default\
FF - prefs.js: browser.startup.homepage - hxxps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx%3Fn%3D1231638670&id=64855&bk=657545
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Java\jre6\bin\npdeploytk.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-23 13:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\5.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2564)
c:\windows\system32\kmw_dll.dll
c:\windows\system32\WOW32.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-23 13:43
ComboFix-quarantined-files.txt 2009-04-23 17:43
ComboFix2.txt 2009-04-22 15:54
ComboFix3.txt 2009-04-15 11:49

Pre-Run: 19,084,734,464 bytes free
Post-Run: 19,072,106,496 bytes free

238 --- E O F --- 2009-04-15 16:28


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I had to run Kaspersky Scan in Firefox; it wouldn't run in IE. Can you fix that?

Here's the scan; it took longer than 10 hours:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, April 24, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, April 23, 2009 20:23:33
Records in database: 2073015
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 589546
Threat name: 3
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 10:11:54


File name / Threat name / Threats count
C:\TO INSTALL\Bearshare521-BSINSTALL.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1
D:\Documents and Settings\M2\.housecall\Quarantine\nt50.exe.bac_a01184 Infected: Hoax.Win32.BadJoke.Stript 1
D:\Documents and Settings\M2\.housecall\Quarantine\vvl.exe.bac_a01184 Infected: Trojan-Spy.Win32.KeyLogger.ao 1
D:\Documents and Settings\Mike\.housecall\Quarantine\nt50.exe.bac_a01184 Infected: Hoax.Win32.BadJoke.Stript 1
D:\Documents and Settings\Mike\.housecall\Quarantine\vvl.exe.bac_a01184 Infected: Trojan-Spy.Win32.KeyLogger.ao 1

The selected area was scanned.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



DDS (Ver_09-03-16.01) - NTFSx86
Run by XP at 4:04:34.97 on Fri 04/24/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.309 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090423-0] *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\XP\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://login.live.com/login.srf?wa=wsignin...amp;bk=74541155
uInternet Connection Wizard,ShellNext = iexplore
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [kmw_run.exe] kmw_run.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [avast!] c:\progra~1\avast4\ashDisp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\xp\startm~1\programs\startup\cports~1.lnk - c:\pc pitstop cd(update this!!!)\tcp ip port listing utilities\cports.exe
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp3.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\xp\applic~1\mozilla\firefox\profiles\cojty8k4.default\
FF - prefs.js: browser.startup.homepage - hxxps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx%3Fn%3D1231638670&id=64855&bk=657545
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\java\jre6\bin\npdeploytk.dll

============= SERVICES / DRIVERS ===============

R0 crpf;crpf;c:\windows\system32\drivers\crpf.sys [2009-4-14 36752]
R0 csdf;csdf;c:\windows\system32\drivers\csdf.sys [2009-4-14 39440]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-4-15 28544]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-4-15 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-1-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-7-12 353680]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-4-15 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast4\ashServ.exe [2009-4-15 138680]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\avast4\ashMaiSv.exe [2009-4-15 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\avast4\ashWebSv.exe [2009-4-15 352920]
S3 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-5-8 204800]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5.tmp --> c:\windows\system32\5.tmp [?]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]

=============== Created Last 30 ================

2009-04-23 16:19 139,536 a------- c:\windows\system32\javaee.dll
2009-04-23 16:19 <DIR> --d----- c:\windows\Java
2009-04-23 14:24 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-23 13:34 161,792 a------- c:\windows\SWREG.exe
2009-04-23 13:34 98,816 a------- c:\windows\sed.exe
2009-04-15 08:03 <DIR> --d----- c:\program files\Avast4
2009-04-15 07:56 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-04-15 07:42 <DIR> a-dshr-- C:\cmdcons
2009-04-14 14:45 <DIR> --d----- c:\windows\system32\KB905474
2009-04-14 14:40 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-14 14:40 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-14 14:40 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-14 14:40 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-14 14:40 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 14:40 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 14:40 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 14:40 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-14 14:40 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-14 14:39 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-14 14:39 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 14:39 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-14 12:19 36,752 a------- c:\windows\system32\drivers\crpf.sys
2009-04-14 12:19 39,440 a------- c:\windows\system32\drivers\csdf.sys
2009-04-14 12:19 7,928 a------- c:\windows\system32\cnat.exe
2009-04-08 16:31 2,781 a------- C:\Kaspersky Scan 4-8-09.html
2009-04-08 07:47 94,208 a------- C:\GooredFix.exe
2009-04-08 03:15 33,952,648 a------- C:\zaZA_Setup_en.exe
2009-04-08 02:39 607,640 a------- C:\jre-6u13-windows-i586-p-iftw.exe
2009-04-08 02:30 607,640 a------- C:\jxpiinstall-6u13-fcs-bin-b03-windows-i586-09_mar_2009.exe
2009-04-07 19:56 1,878,888 a------- C:\install_flash_player.exe
2009-04-07 08:02 7,304 a------- c:\windows\TMP0001.TMP
2009-04-03 21:39 <DIR> --d----- c:\program files\Unlocker

==================== Find3M ====================

2009-04-23 16:19 155,995 a------- c:\windows\java\packages\VPNHBPBZ.ZIP
2009-04-23 16:19 2,232 a------- c:\windows\java\packages\data\DZTVH71R.DAT
2009-04-23 16:19 2,678 a------- c:\windows\java\packages\data\4NZZN5VV.DAT
2009-04-23 16:19 2,678 a------- c:\windows\java\packages\data\T3V7NBRF.DAT
2009-04-23 16:19 2,678 a------- c:\windows\java\packages\data\MPZ7LRVL.DAT
2009-04-23 16:19 2,678 a------- c:\windows\java\packages\data\7ZVFDNN1.DAT
2009-04-23 16:19 2,678 a------- c:\windows\java\packages\data\6E3RFL7Z.DAT
2009-04-23 14:24 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-09 05:03 121,984 a------- c:\windows\system32\drivers\Rtnicxp.sys
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-03 12:18 73,728 a------- c:\windows\system32\RtNicProp32.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-22 11:07 18,848 a------- c:\docume~1\xp\applic~1\GDIPFONTCACHEV1.DAT
2009-02-20 14:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2008-05-11 22:08 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051120080512\index.dat

============= FINISH: 4:05:33.70 ===============

#11 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 24 April 2009 - 09:40 AM

I had to run Kaspersky Scan in Firefox, it wouldn't run in IE, can you fix that?

Hi

Did you get any error message or how wouldn't it run in IE?


Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.


Delete C:\TO INSTALL\Bearshare521-BSINSTALL.exe file

Delete files in D:\Documents and Settings\M2\.housecall\Quarantine folder.

Post a fresh dds.txt log. How's the system running?

Edited by Blade81, 24 April 2009 - 09:41 AM.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#12 Vivian2

Vivian2
  • Topic Starter

  • Members
  • 28 posts

Posted 24 April 2009 - 02:46 PM

Kaspersky loads up, the scan looks like it's ready to roll, I AM CONNECTED TO THE INTERNET, I click "Accept", page hangs on this for a few seconds:

Downloading and installing the program (0%)...

Update size: 0 KB
Transferred size: 0 KB


then a box with a yellow ! Triangle pops up saying this:

Starting Java applet has failed! Please go online to use this program.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




DDS (Ver_09-03-16.01) - NTFSx86
Run by XP at 15:43:20.80 on Fri 04/24/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.187 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090423-0] *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\Firefox\firefox.exe
C:\Documents and Settings\XP\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://login.live.com/login.srf?wa=wsignin...amp;bk=74541155
uInternet Connection Wizard,ShellNext = iexplore
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [kmw_run.exe] kmw_run.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [avast!] c:\progra~1\avast4\ashDisp.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
StartupFolder: c:\docume~1\xp\startm~1\programs\startup\cports~1.lnk - c:\pc pitstop cd(update this!!!)\tcp ip port listing utilities\cports.exe
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp3.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\xp\applic~1\mozilla\firefox\profiles\cojty8k4.default\
FF - prefs.js: browser.startup.homepage - hxxps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx%3Fn%3D1231638670&id=64855&bk=657545
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 8118
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 8118
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\java\jre6\bin\npdeploytk.dll

============= SERVICES / DRIVERS ===============

R0 crpf;crpf;c:\windows\system32\drivers\crpf.sys [2009-4-14 36752]
R0 csdf;csdf;c:\windows\system32\drivers\csdf.sys [2009-4-14 39440]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-4-15 28544]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-4-15 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-1-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-7-12 353680]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-4-15 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast4\ashServ.exe [2009-4-15 138680]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\avast4\ashMaiSv.exe [2009-4-15 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\avast4\ashWebSv.exe [2009-4-15 352920]
S3 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-5-8 204800]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5.tmp --> c:\windows\system32\5.tmp [?]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]

=============== Created Last 30 ================

2009-04-23 16:19 139,536 a------- c:\windows\system32\javaee.dll
2009-04-23 16:19 <DIR> --d----- c:\windows\Java
2009-04-23 14:24 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-23 13:34 161,792 a------- c:\windows\SWREG.exe
2009-04-23 13:34 98,816 a------- c:\windows\sed.exe
2009-04-15 08:03 <DIR> --d----- c:\program files\Avast4
2009-04-15 07:56 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-04-15 07:42 <DIR> a-dshr-- C:\cmdcons
2009-04-14 14:45 <DIR> --d----- c:\windows\system32\KB905474
2009-04-14 14:40 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-14 14:40 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-14 14:40 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-14 14:40 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-14 14:40 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 14:40 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 14:40 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 14:40 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-14 14:40 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-14 14:39 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-14 14:39 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 14:39 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-14 12:19 36,752 a------- c:\windows\system32\drivers\crpf.sys
2009-04-14 12:19 39,440 a------- c:\windows\system32\drivers\csdf.sys
2009-04-14 12:19 7,928 a------- c:\windows\system32\cnat.exe
2009-04-08 16:31 2,781 a------- C:\Kaspersky Scan 4-8-09.html
2009-04-08 07:47 94,208 a------- C:\GooredFix.exe
2009-04-08 03:15 33,952,648 a------- C:\zaZA_Setup_en.exe
2009-04-08 02:39 607,640 a------- C:\jre-6u13-windows-i586-p-iftw.exe
2009-04-08 02:30 607,640 a------- C:\jxpiinstall-6u13-fcs-bin-b03-windows-i586-09_mar_2009.exe
2009-04-07 19:56 1,878,888 a------- C:\install_flash_player.exe
2009-04-07 08:02 7,304 a------- c:\windows\TMP0001.TMP
2009-04-03 21:39 <DIR> --d----- c:\program files\Unlocker

==================== Find3M ====================

2009-04-23 16:19 155,995 a------- c:\windows\java\packages\VPNHBPBZ.ZIP
2009-04-23 16:19 2,232 a------- c:\windows\java\packages\data\DZTVH71R.DAT
2009-04-23 16:19 2,678 a------- c:\windows\java\packages\data\4NZZN5VV.DAT
2009-04-23 16:19 2,678 a------- c:\windows\java\packages\data\T3V7NBRF.DAT
2009-04-23 16:19 2,678 a------- c:\windows\java\packages\data\MPZ7LRVL.DAT
2009-04-23 16:19 2,678 a------- c:\windows\java\packages\data\7ZVFDNN1.DAT
2009-04-23 16:19 2,678 a------- c:\windows\java\packages\data\6E3RFL7Z.DAT
2009-04-23 14:24 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-09 05:03 121,984 a------- c:\windows\system32\drivers\Rtnicxp.sys
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-03 12:18 73,728 a------- c:\windows\system32\RtNicProp32.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-22 11:07 18,848 a------- c:\docume~1\xp\applic~1\GDIPFONTCACHEV1.DAT
2009-02-20 14:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2008-05-11 22:08 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051120080512\index.dat

============= FINISH: 15:44:12.72 ===============
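What a helper usually does with two of these logs is compare them rather than read the second one from scratch. As an added example (written for this page, not code from the thread or from the DDS tool), here is a small Python script that splits a dds.txt log on its "=== SECTION ===" banners, diffs the sections between the log posted just before reply #11 and the fresh one above, and applies two triage checks: services whose start state flipped or whose image is a temp file or missing on disk, and a Firefox profile that has been switched to a manual proxy. The two log excerpts inside it are copied from the thread and trimmed to the lines that changed; everything else about the script (function names, output format) is mine.

```python
import re

# Constructed excerpts of the two dds.txt logs posted in this thread (the one just before
# reply #11 and the fresh one above), trimmed to the FIREFOX and SERVICES / DRIVERS lines
# that changed plus the two anti-rootkit drivers. A real dds.txt is far longer; that is fine.
LOG_BEFORE = r"""
================= FIREFOX ===================

FF - prefs.js: network.proxy.type - 4

============= SERVICES / DRIVERS ===============

S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\avast4\ashMaiSv.exe [2009-4-15 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\avast4\ashWebSv.exe [2009-4-15 352920]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5.tmp --> c:\windows\system32\5.tmp [?]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
"""

LOG_AFTER = r"""
================= FIREFOX ===================

FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 8118
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 8118
FF - prefs.js: network.proxy.type - 1

============= SERVICES / DRIVERS ===============

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\avast4\ashMaiSv.exe [2009-4-15 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\avast4\ashWebSv.exe [2009-4-15 352920]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5.tmp --> c:\windows\system32\5.tmp [?]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")                  # "=== SECTION NAME ===" banners
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")   # "S3 name;display name;image [stamp]"
PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.*)$")         # "FF - prefs.js: key - value"

def parse_dds(text):
    """Split a dds.txt log into its banner-delimited sections (non-empty lines, order kept)."""
    sections, current = {}, "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
        else:
            sections.setdefault(current, []).append(line)
    return sections

def diff_sections(before, after):
    """Per-section line diff: {section: (lines only in after, lines only in before)}."""
    out = {}
    for name in list(before) + [n for n in after if n not in before]:
        added = [l for l in after.get(name, []) if l not in before.get(name, [])]
        removed = [l for l in before.get(name, []) if l not in after.get(name, [])]
        if added or removed:
            out[name] = (added, removed)
    return out

def service_findings(before, after):
    """Compare SERVICES / DRIVERS by service name (R = running, S = stopped at scan time).
    A state flip, a new service, or an image that is a temp file or missing on disk is worth a look."""
    def index(lines):
        matches = (SERVICE_RE.match(l) for l in lines)
        return {m.group(2): (m.group(1), m.group(4).strip()) for m in matches if m}
    old = index(before.get("SERVICES / DRIVERS", []))
    new = index(after.get("SERVICES / DRIVERS", []))
    findings = []
    for name, (state, image) in new.items():
        if name not in old:
            findings.append(f"{name}: new service, state {state}")
        elif old[name][0] != state:
            findings.append(f"{name}: state {old[name][0]} -> {state}")
        if image.endswith("[x]"):
            findings.append(f"{name}: image file not found on disk")
        elif ".tmp" in image.lower():
            findings.append(f"{name}: image is a temp file ({image.split(' ')[0]})")
    return findings

def proxy_findings(log):
    """Report a Firefox profile switched to a manual proxy (network.proxy.type 1) and where it points."""
    prefs = {m.group(1): m.group(2) for m in map(PREF_RE.match, log.get("FIREFOX", [])) if m}
    if prefs.get("network.proxy.type") != "1":
        return []
    hosts = sorted({v for k, v in prefs.items() if k in ("network.proxy.http", "network.proxy.ssl", "network.proxy.socks")})
    ports = sorted({v for k, v in prefs.items() if k.endswith("_port")})
    return [f"manual proxy enabled: hosts {hosts}, ports {ports}"]

if __name__ == "__main__":
    before, after = parse_dds(LOG_BEFORE), parse_dds(LOG_AFTER)
    for section, (added, removed) in diff_sections(before, after).items():
        print(f"[{section}]", *[f"  + {l}" for l in added], *[f"  - {l}" for l in removed], sep="\n")
    print(*[f"  ! {f}" for f in service_findings(before, after) + proxy_findings(after)], sep="\n")
```

Reading the output against the two logs: the avast! mail and web scanners going from S3 to R3 only means they were running at the time of the second scan. The two flagged drivers belong to the rootkit scanners the user has run (the rkhdrv40 display name says Rootkit Unhooker; MEMSWEEP2 is the name Sophos Anti-Rootkit uses for the driver it loads from a temp file), which is exactly why the script reports them for a human to confirm rather than as verdicts. The change that is actually new is the Firefox one: network.proxy.type went from 4 (auto-detect) to 1 (manual), pointing HTTP and SSL at 127.0.0.1:8118 and SOCKS at 127.0.0.1:9050. Those are the default listening ports of Privoxy and Tor, so a setting like this usually comes from a locally installed Tor bundle; whether it was installed on purpose is something to confirm with the user before touching it.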

#13 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 24 April 2009 - 05:40 PM

Hi

It's probably a Java-related thing. Kaspersky scanner has had these issues with IE earlier too. In IE, click Tools -> Manage Add-ons -> Enable or Disable Add-ons. Check if Java is enabled there.

How is your system running in general now?



#14 Vivian2

Vivian2
  • Topic Starter

  • Members
  • 28 posts

Posted 26 April 2009 - 02:37 AM

Hey, I checked to see about the java in IE, there's a bunch, and they are enabled, yet still not working, and today, I just loaded up IE, and my homepage was changed to:

http://go.microsoft.com/fwlink/?LinkId=69157

I didn't change it; it just did this on its own.

The system is running slow, I really think I have a rootkit issue here.

Sophos Anti-Rootkit is finding this:

Area: Windows registry
Description: Hidden registry value
Location: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed
Removable: No
Notes: (type 3, length 368) "I1\xf4\x88\x04(\x01\x14\xc5\xca\xfa_\xf5\xcffn\x1flBH;\x1d\xbb\x84n\xc3\x98\xa3\x07h\xb8\xa1\x8e?q\xca\xa8Sm\xaf\xa8\xe5)Q\xa3\xe5\x99\xcb\x8eg\xa2\xa4\xbc7\xad\x9b\xefQd\xcf\xf2\xef\xb7\xdeS\xfd\xb2\xdd\x81\xd0\x0ao" ... "\xc7\xf3I\xb9ze\xbd\xc2"

#15 Vivian2

Vivian2
  • Topic Starter

  • Members
  • 28 posts

Posted 26 April 2009 - 03:57 AM

Hey, just thought I'd let you know, IE isn't even loading my homepage on startup anymore (I had to change it back to http://www.hotmail.com). Just to make sure my internet connection is working, I used FF and it loads up immediately. I really feel I have something nasty on my computer, an Autorun/Installer type thing. I noticed with procexp.exe when I started Windows in Safe Mode that DcomLaunch, WMI Iprvrse loads, then disappears. Could you take me through a comprehensive rootkit scan analysis? I have one of those stubborn "just won't go away" things. There was a time that anything I did, click on Start>Search, OR open a window, OR just right mouse click, a Windows Installer would pop up out of nowhere. This hasn't happened for a while, but that leads me to believe that whatever malware was causing this has installed. I really do believe I have something VERY well hidden, and VERY difficult to get rid of on my system. Thanks again for your help, and I'll keep an eye out for your follow up post.



