Infected with Trojan horse Back Door.Generic 11.HCO


This topic is locked
15 replies to this topic

#1 amanda.anonymous


Posted 14 April 2009 - 08:42 PM

Hi,
I have tried Malwarebytes' Anti-Malware, AVG, and Super Anti Spyware. They all find the problem, and ask me to reboot in order to remove it, but it does not work. The first time I noticed the problem was when I found a new Bear Share toolbar in my Firefox that I did not download. I ran the scans and things were removed, but not the above mentioned name. I also removed the Bear Share in Add/Remove programs, and manually deleted the folders I found. I don't see any problems caused by the virus, other than my computer might be a bit slow. Here is the log:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Customer at 21:39:55.93 on Tue 04/14/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.510 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Pro Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\VistaDrive\VistaDrive.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\UMStor\Res.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\BitComet\BitComet.exe
C:\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://search.bearshare.com/sidebar.html?src=ssb
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.1.9.24.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {dfb52ef4-7eb8-4933-8553-1a6b0d9ec088} - c:\windows\system32\atmf.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {f4c9b48f-8ed7-48c0-bae3-39af27cc0614} - c:\windows\system32\ljJAQGww.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [VistaDrive] c:\windows\vistadrive\VistaDrive.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [VTTimer] VTTimer.exe
mRun: [S3Trayp] S3trayp.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [USB Storage Toolbox] c:\windows\umstor\Res.EXE
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [TaskSwitchXP] c:\program files\taskswitchxp\TaskSwitchXP.exe
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-system: DisableCAD = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - {E7A829CC-671F-4C3D-B590-8C0AEA72E6B2} - c:\program files\bitcomet\tools\BitCometBHO_1.1.9.24.dll
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: ljJBstRJ - ljJBstRJ.dll
AppInit_DLLs: avgrsstx.dll c:\windows\system32\hakolike.dll c:\windows\system32\nakonaze.dll c:\windows\system32\pafuzaji.dll c:\windows\system32\jijivafo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SSODL: mgxfebsq - {DBBDD926-27E4-4BA1-9C86-99AA69E2907B} - c:\windows\mgxfebsq.dll
SSODL: dtseqrxk - {D3B3A25E-EC70-47C5-868A-65BC8D349353} - c:\windows\dtseqrxk.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\ljJAQGww
LSA: Notification Packages = scecli c:\windows\system32\hakolike.dll c:\windows\system32\nakonaze.dll c:\windows\system32\pafuzaji.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\customer\applic~1\mozilla\firefox\profiles\4d7jx25v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll

============= SERVICES / DRIVERS ===============

R0 ukwpucun;ukwpucun;c:\windows\system32\drivers\ukwpucun.sys [2004-8-12 23424]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-29 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-29 26824]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-9-3 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-10-10 353680]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-9-29 231704]
R3 S3G700;S3G700;c:\windows\system32\drivers\S3G700m.sys [2002-1-1 792576]
S2 gupdate1c98d6eec3cc2b6;Google Update Service (gupdate1c98d6eec3cc2b6);c:\program files\google\update\GoogleUpdate.exe [2009-2-12 133104]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
S3 SIS163u;SiS163 USB Wireless LAN Adapter Driver;c:\windows\system32\drivers\sis163u.sys [2007-9-29 215552]
S3 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

=============== Created Last 30 ================

2009-04-14 21:17 61,440 a------- c:\windows\system32\drivers\qunz.sys
2009-04-14 15:27 <DIR> --d----- c:\windows\UMStor
2009-04-14 15:27 201,736 -------- c:\windows\system32\drivers\UMSTOR.sys
2009-04-14 15:27 <DIR> --d----- C:\MP3 Player
2009-04-14 15:06 <DIR> --d----- c:\program files\Managed DirectX (0900)
2009-04-11 14:40 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-04-10 20:53 <DIR> --d----- c:\windows\system32\KB905474
2009-04-10 20:52 118 a------- c:\windows\system32\MRT.INI
2009-04-10 19:23 8,461,312 -------- c:\windows\system32\dllcache\shell32.dll
2009-04-10 19:22 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-10 19:22 144,896 -------- c:\windows\system32\dllcache\schannel.dll
2009-04-10 18:11 333,952 -------- c:\windows\system32\dllcache\srv.sys
2009-04-10 18:09 666,112 -------- c:\windows\system32\dllcache\wininet.dll
2009-04-10 18:08 619,520 -------- c:\windows\system32\dllcache\urlmon.dll
2009-04-10 18:08 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-04-10 18:08 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2009-04-10 18:07 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2009-04-10 18:07 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2009-04-10 18:05 1,106,944 -------- c:\windows\system32\dllcache\msxml3.dll
2009-04-10 18:05 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-10 18:05 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-10 18:05 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-10 18:05 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-04-10 18:04 331,776 -------- c:\windows\system32\dllcache\msadce.dll
2009-04-10 18:04 253,952 -------- c:\windows\system32\dllcache\es.dll
2009-04-10 18:04 74,240 -------- c:\windows\system32\dllcache\mscms.dll
2009-04-10 18:02 1,288,192 -------- c:\windows\system32\dllcache\quartz.dll
2009-04-10 18:02 272,128 -------- c:\windows\system32\dllcache\bthport.sys
2009-04-10 18:02 203,136 -------- c:\windows\system32\dllcache\rmcast.sys
2009-04-10 17:39 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2009-04-10 17:38 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2009-04-10 17:08 221,184 a------- c:\windows\system32\wmpns.dll
2009-04-10 17:08 <DIR> --d----- c:\windows\system32\xircom
2009-04-10 17:08 <DIR> --d----- c:\windows\system32\ime
2009-04-10 17:08 <DIR> --d----- c:\windows\srchasst
2009-04-10 17:08 <DIR> --d----- c:\windows\msagent
2009-04-10 17:08 <DIR> --d----- c:\program files\msn gaming zone
2009-04-10 17:03 <DIR> --d----- c:\program files\Messenger
2009-04-10 17:03 <DIR> --d----- c:\windows\system32\scripting
2009-04-10 17:03 <DIR> --d----- c:\windows\system32\bits
2009-04-10 17:03 <DIR> --d----- c:\windows\l2schemas
2009-04-10 17:00 <DIR> --d----- c:\windows\ServicePackFiles
2009-04-10 16:56 <DIR> --d----- c:\windows\EHome
2009-04-10 16:34 554,496 -------- c:\windows\system32\p2psvc.dll
2009-04-10 16:33 10,752 -------- c:\windows\system32\smtpapi.dll
2009-04-10 15:37 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-04-10 01:45 155 a------- c:\windows\system32\SelfDel.bat
2009-04-10 01:40 1,397,010 ---sh--- c:\windows\system32\etovurej.ini
2009-04-10 01:40 97,280 a------- c:\windows\system32\atmf.dll
2009-04-08 19:08 <DIR> --d----- c:\docume~1\customer\applic~1\Uniblue
2009-04-08 18:50 483,328 a------- c:\windows\system32\actskn45.ocx

==================== Find3M ====================

2009-04-10 21:15 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-25 20:47 63,968 a------- c:\docume~1\customer\applic~1\GDIPFONTCACHEV1.DAT
2008-09-05 04:26 371 -----r-- c:\program files\Setup.ini
2008-09-05 03:25 7,599,095 -----r-- c:\program files\data2.cab
2008-09-05 03:25 51,453 -----r-- c:\program files\data1.hdr
2008-09-05 03:25 417 -----r-- c:\program files\layout.bin
2008-09-05 03:25 1,039,180 -----r-- c:\program files\data1.cab
2008-09-25 19:44 599 a--sh--- c:\windows\system32\wwGQAJjl.ini2

============= FINISH: 21:40:08.48 ===============
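As an added example (not part of this thread, and not DDS or ComboFix code), here is a small Python triage pass over the "Pseudo HJT Report" lines of the log above, showing which entries a helper would pick out: extra AppInit_DLLs, non-default LSA packages, Winlogon Notify and SSODL modules with random-looking names, and unnamed or orphaned BHOs. The sample lines are copied from the log in post #1; the KNOWN_GOOD allowlist and the eight-letter-stem heuristic are assumptions of this example, not anything DDS outputs.

```python
import re
from typing import List, NamedTuple

# Sample input: a subset of the "Pseudo HJT Report" lines from the DDS log
# in post #1, copied as they appear there.
SAMPLE_DDS = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {dfb52ef4-7eb8-4933-8553-1a6b0d9ec088} - c:\windows\system32\atmf.dll
BHO: {f4c9b48f-8ed7-48c0-bae3-39af27cc0614} - c:\windows\system32\ljJAQGww.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: ljJBstRJ - ljJBstRJ.dll
AppInit_DLLs: avgrsstx.dll c:\windows\system32\hakolike.dll c:\windows\system32\nakonaze.dll c:\windows\system32\pafuzaji.dll c:\windows\system32\jijivafo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SSODL: mgxfebsq - {DBBDD926-27E4-4BA1-9C86-99AA69E2907B} - c:\windows\mgxfebsq.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ljJAQGww
LSA: Notification Packages = scecli c:\windows\system32\hakolike.dll c:\windows\system32\nakonaze.dll c:\windows\system32\pafuzaji.dll
"""


class Finding(NamedTuple):
    severity: str  # "high", "medium" or "low"
    key: str       # DDS line prefix that produced it, e.g. "AppInit_DLLs"
    value: str     # the entry that triggered the rule
    reason: str


# Assumed allowlist for this example (not part of DDS): the stock XP LSA
# package names, AVG's resident-shield DLL and SuperAntiSpyware's Winlogon
# DLL, all of which appear legitimately in the log above.
KNOWN_GOOD = {"msv1_0", "scecli", "avgrsstx.dll", "saswinlo.dll"}

_RANDOM_STEM = re.compile(r"^[A-Za-z]{8}$")


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def looks_random(path: str) -> bool:
    """Heuristic only: an eight-letter alphabetic stem such as hakolike or
    ljJAQGww is typical of the auto-generated names seen in this log."""
    return bool(_RANDOM_STEM.match(_basename(path).rsplit(".", 1)[0]))


def triage(log_text: str) -> List[Finding]:
    """Walk Pseudo-HJT lines and return the entries worth a helper's attention."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        if ": " not in raw:  # "uStart Page = ...", blanks and banners have no "key: " prefix
            continue
        key, rest = (part.strip() for part in raw.split(": ", 1))
        if key == "AppInit_DLLs":
            # Every DLL listed here is mapped into each process that loads user32.dll.
            for dll in rest.split():
                if _basename(dll).lower() not in KNOWN_GOOD:
                    findings.append(Finding("high", key, dll, "non-default AppInit DLL"))
        elif key == "LSA":
            # Authentication/Notification packages are loaded by lsass.exe at boot.
            name, _, packages = rest.partition(" = ")
            for pkg in packages.split():
                if _basename(pkg).lower() not in KNOWN_GOOD:
                    findings.append(Finding("high", f"LSA {name}", pkg, "non-default LSA package"))
        elif rest.endswith("No File"):
            findings.append(Finding("low", key, rest, "registration points at a missing file"))
        elif key in ("BHO", "TB", "SSODL", "Notify"):
            target = rest.rsplit(" - ", 1)[-1]
            if _basename(target).lower() in KNOWN_GOOD:
                continue
            if looks_random(target):
                findings.append(Finding("high", key, target, "random-looking module name"))
            elif key in ("BHO", "TB") and rest.startswith("{"):
                findings.append(Finding("medium", key, target, "object registered without a display name"))
    return findings


def count_by_severity(findings: List[Finding]) -> dict:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_DDS)
    order = ("high", "medium", "low")
    for f in sorted(results, key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.key}: {f.value}  ({f.reason})")
    print(count_by_severity(results))
```

Run on the sample it reports eleven high, one medium and two low findings, which matches the entries the later ComboFix log and the helper's fix are concerned with.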


#2 Jat90


Posted 15 April 2009 - 05:58 AM

Hello, amanda.anonymous

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.


You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


We will begin with DrWeb:

Dr Web - CureIt

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
ReScan

Please rescan with DDS and post DDS.txt


In your next reply, please post:
  • DrWeb log
  • DDS log

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#3 amanda.anonymous


Posted 15 April 2009 - 06:38 PM

Hi Jat,

Thank you for helping me! I have tried to do what you've asked, however, when I try to start up in Safe Mode, I get a list with options, none of which are safe mode. The screen reads:

Please select boot device:
1st floppy drive
HDD: PM-STB160021A
CDROM: SM-_NECDVD_RW ND-3520AW

I am not sure which option to select.
Amanda

#4 Jat90


Posted 15 April 2009 - 07:10 PM

Hello, select this one:

HDD: PM-STB160021A
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#5 amanda.anonymous


Posted 15 April 2009 - 07:19 PM

I made that selection, but Windows loaded like usual. It did not say Safe Mode anywhere. Is this correct? Should I continue?

#6 Jat90


Posted 15 April 2009 - 07:24 PM

Sounds like you are selecting boot options, rather than getting the safe mode selection screen. Are you sure you're pressing the F8 key on startup? You should get a screen like this:

Posted Image
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#7 amanda.anonymous


Posted 15 April 2009 - 07:27 PM

I am pressing F8. I tried a few times before I wrote the message asking which option to choose. I am not getting the screen that you pictured.

#8 Jat90


Posted 15 April 2009 - 07:39 PM

Hello,

Ignore my last instructions then. We shall use a different tool.

ComboFix

Please download ComboFix from one of these locations (If you already have it, delete it and download again):

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found here
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Note** ComboFix was designed only to be used under the supervision of a helper, not for general use.

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#9 amanda.anonymous


Posted 15 April 2009 - 08:44 PM

I exited AVI from the taskbar beside the clock, however, ComboFix detected it.


ComboFix 09-04-15.08 - Customer 04/15/2009 21:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.672 [GMT -4:00]
Running from: c:\downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Pro Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\TDSSserv.sys
c:\windows\system32\etovurej.ini
c:\windows\system32\msconfig.exe
c:\windows\system32\wwGQAJjl.ini
c:\windows\system32\wwGQAJjl.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV
-------\Legacy_TDSSSERV


((((((((((((((((((((((((( Files Created from 2009-03-16 to 2009-04-16 )))))))))))))))))))))))))))))))
.

2009-04-14 19:34 . 2009-04-14 19:34 -------- d-----w c:\documents and settings\Customer\Local Settings\Application Data\Help
2009-04-14 19:27 . 2009-04-14 19:31 -------- d-----w c:\windows\UMStor
2009-04-14 19:27 . 2003-11-21 22:09 201736 ------w c:\windows\system32\drivers\UMSTOR.sys
2009-04-14 19:27 . 2009-04-14 19:27 -------- d-----w C:\MP3 Player
2009-04-11 18:40 . 2009-01-09 19:19 1089593 ------w c:\windows\system32\dllcache\ntprint.cat
2009-04-11 00:53 . 2009-04-11 00:53 -------- d-----w c:\windows\system32\KB905474
2009-04-11 00:53 . 2009-03-11 02:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-04-11 00:53 . 2009-03-11 02:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-04-11 00:53 . 2009-02-09 22:51 12490 ----a-w c:\windows\system32\KB905474\wga_eula.txt
2009-04-11 00:52 . 2009-04-11 00:52 118 ----a-w c:\windows\system32\MRT.INI
2009-04-10 23:23 . 2008-06-17 19:02 8461312 ------w c:\windows\system32\dllcache\shell32.dll
2009-04-10 23:22 . 2009-02-09 11:13 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-04-10 23:22 . 2008-12-05 06:54 144896 ------w c:\windows\system32\dllcache\schannel.dll
2009-04-10 22:11 . 2008-12-11 10:57 333952 ------w c:\windows\system32\dllcache\srv.sys
2009-04-10 22:09 . 2008-10-16 01:00 666112 ------w c:\windows\system32\dllcache\wininet.dll
2009-04-10 22:08 . 2008-10-16 01:00 619520 ------w c:\windows\system32\dllcache\urlmon.dll
2009-04-10 22:08 . 2008-10-16 01:00 1499136 ------w c:\windows\system32\dllcache\shdocvw.dll
2009-04-10 22:08 . 2008-12-12 17:01 3067904 ------w c:\windows\system32\dllcache\mshtml.dll
2009-04-10 22:07 . 2008-10-23 12:36 286720 ------w c:\windows\system32\dllcache\gdi32.dll
2009-04-10 22:07 . 2008-10-24 11:21 455296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2009-04-10 22:05 . 2008-09-04 17:15 1106944 ------w c:\windows\system32\dllcache\msxml3.dll
2009-04-10 22:05 . 2008-08-14 10:11 2189184 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-10 22:05 . 2008-08-14 10:09 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-10 22:05 . 2008-08-14 09:33 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-10 22:05 . 2008-08-14 09:33 2066048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-04-10 22:04 . 2008-05-01 14:33 331776 ------w c:\windows\system32\dllcache\msadce.dll
2009-04-10 22:04 . 2008-07-07 20:26 253952 ------w c:\windows\system32\dllcache\es.dll
2009-04-10 22:04 . 2008-06-24 16:43 74240 ------w c:\windows\system32\dllcache\mscms.dll
2009-04-10 22:02 . 2008-05-07 05:12 1288192 ------w c:\windows\system32\dllcache\quartz.dll
2009-04-10 22:02 . 2008-06-13 11:05 272128 ------w c:\windows\system32\dllcache\bthport.sys
2009-04-10 22:02 . 2008-05-08 14:02 203136 ------w c:\windows\system32\dllcache\rmcast.sys
2009-04-10 21:39 . 2008-10-03 10:02 247326 ------w c:\windows\system32\dllcache\strmdll.dll
2009-04-10 21:38 . 2008-10-15 16:34 337408 ------w c:\windows\system32\dllcache\netapi32.dll
2009-04-10 21:08 . 2004-08-12 12:00 221184 ----a-w c:\windows\system32\wmpns.dll
2009-04-10 21:08 . 2009-04-10 21:08 -------- d-----w c:\windows\system32\xircom
2009-04-10 21:08 . 2009-04-10 21:08 -------- d-----w c:\windows\srchasst
2009-04-10 21:08 . 2009-04-10 21:08 -------- d-----w c:\windows\msagent
2009-04-10 21:03 . 2009-04-10 21:03 -------- d-----w c:\windows\system32\scripting
2009-04-10 21:03 . 2009-04-10 21:03 -------- d-----w c:\windows\l2schemas
2009-04-10 21:03 . 2009-04-10 21:03 -------- d-----w c:\windows\system32\bits
2009-04-10 21:00 . 2009-04-10 21:00 -------- d-----w c:\windows\ServicePackFiles
2009-04-10 20:56 . 2009-04-10 20:56 -------- d-----w c:\windows\EHome
2009-04-10 20:34 . 2008-04-14 00:12 554496 ------w c:\windows\system32\p2psvc.dll
2009-04-10 20:33 . 2008-04-14 00:12 10752 ------w c:\windows\system32\smtpapi.dll
2009-04-10 19:37 . 2008-10-16 18:07 23576 ----a-w c:\windows\system32\wuapi.dll.mui
2009-04-10 05:45 . 2009-04-10 05:45 155 ----a-w c:\windows\system32\SelfDel.bat
2009-04-10 05:40 . 2004-08-12 12:00 97280 ----a-w c:\windows\system32\atmf.dll
2009-04-08 23:08 . 2009-04-08 23:08 -------- d-----w c:\documents and settings\Customer\Application Data\Uniblue
2009-04-08 22:50 . 2008-09-25 13:20 483328 ----a-w c:\windows\system32\actskn45.ocx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-14 19:27 . 2002-01-01 05:30 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-14 19:23 . 2008-10-10 18:57 -------- d-----w c:\program files\Zone Labs
2009-04-14 19:06 . 2009-04-14 19:06 -------- d-----w c:\program files\Managed DirectX (0900)
2009-04-13 03:27 . 2007-09-29 15:26 -------- d-----w c:\program files\MSN Messenger
2009-04-11 18:32 . 2007-11-23 11:48 -------- d-----w c:\program files\Google
2009-04-11 03:03 . 2009-04-11 03:03 19579152 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_10_23_03_08_full.dmp.zip
2009-04-11 03:03 . 2009-04-11 03:03 91136 ----a-w c:\windows\Internet Logs\xDBE0.tmp
2009-04-11 03:03 . 2009-04-11 03:03 1925632 ----a-w c:\windows\Internet Logs\xDBDF.tmp
2009-04-11 02:04 . 2009-04-11 02:04 128887 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_10_22_04_28_small.dmp.zip
2009-04-11 01:55 . 2009-04-11 01:55 128671 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_10_21_55_02_small.dmp.zip
2009-04-11 01:34 . 2009-04-11 01:34 128147 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_10_21_33_58_small.dmp.zip
2009-04-11 01:33 . 2009-04-11 01:34 1921536 ----a-w c:\windows\Internet Logs\xDBDE.tmp
2009-04-11 01:33 . 2009-04-11 01:34 16896 ----a-w c:\windows\Internet Logs\xDBDD.tmp
2009-04-11 01:32 . 2009-04-11 01:32 151620 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_10_21_32_31_small.dmp.zip
2009-04-11 01:32 . 2009-04-11 01:32 37376 ----a-w c:\windows\Internet Logs\xDBDC.tmp
2009-04-11 01:22 . 2009-04-11 01:22 140055 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_10_21_22_17_small.dmp.zip
2009-04-11 01:22 . 2009-04-11 01:22 37376 ----a-w c:\windows\Internet Logs\xDBBF.tmp
2009-04-11 01:22 . 2009-04-11 01:22 1920512 ----a-w c:\windows\Internet Logs\xDBC0.tmp
2009-04-11 01:17 . 2009-04-11 01:17 127878 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_10_21_17_02_small.dmp.zip
2009-04-11 01:17 . 2009-04-11 01:17 27136 ----a-w c:\windows\Internet Logs\xDBA1.tmp
2009-04-11 01:16 . 2009-04-11 01:16 120767 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_10_21_15_50_small.dmp.zip
2009-04-11 01:15 . 2009-04-11 01:15 16896 ----a-w c:\windows\Internet Logs\xDBA0.tmp
2009-04-11 01:15 . 2009-04-11 01:15 131592 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_10_21_15_27_small.dmp.zip
2009-04-11 01:15 . 2009-04-11 01:15 32256 ----a-w c:\windows\Internet Logs\xDB9F.tmp
2009-04-11 01:15 . 2002-01-01 06:07 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-04-11 01:13 . 2009-04-11 01:13 24576 ----a-w c:\windows\Internet Logs\xDB9D.tmp
2009-04-11 01:13 . 2009-04-11 01:13 1916928 ----a-w c:\windows\Internet Logs\xDB9E.tmp
2009-04-11 01:12 . 2009-04-11 01:12 1923072 ----a-w c:\windows\Internet Logs\xDB9C.tmp
2009-04-11 01:12 . 2009-04-11 01:12 39424 ----a-w c:\windows\Internet Logs\xDB9B.tmp
2009-04-11 01:03 . 2009-04-11 01:03 1916416 ----a-w c:\windows\Internet Logs\xDB8E.tmp
2009-04-11 01:03 . 2009-04-11 01:03 18944 ----a-w c:\windows\Internet Logs\xDB8D.tmp
2009-04-11 01:03 . 2009-04-11 01:03 14848 ----a-w c:\windows\Internet Logs\xDB8B.tmp
2009-04-11 01:02 . 2009-04-11 01:03 1913856 ----a-w c:\windows\Internet Logs\xDB8C.tmp
2009-04-11 01:02 . 2009-04-11 01:02 15872 ----a-w c:\windows\Internet Logs\xDB89.tmp
2009-04-11 01:02 . 2009-04-11 01:02 1915904 ----a-w c:\windows\Internet Logs\xDB8A.tmp
2009-04-11 01:02 . 2009-04-11 01:02 1925120 ----a-w c:\windows\Internet Logs\xDB88.tmp
2009-04-11 01:02 . 2009-04-11 01:02 41984 ----a-w c:\windows\Internet Logs\xDB87.tmp
2009-04-11 00:59 . 2008-02-14 00:51 -------- d-----w c:\program files\Common Files\Adobe
2009-04-11 00:57 . 2007-10-04 04:26 65568 ----a-w c:\documents and settings\Customer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-10 21:08 . 2009-04-10 21:08 -------- d-----w c:\program files\microsoft frontpage
2009-04-10 20:59 . 2004-08-12 12:00 250048 --sha-r C:\ntldr
2009-04-10 16:29 . 2008-10-10 17:59 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-10 05:50 . 2007-11-22 15:57 -------- d-----w c:\program files\BitComet
2009-04-08 23:02 . 2008-02-11 00:17 -------- d-----w c:\documents and settings\Customer\Application Data\LimeWire
2009-04-06 19:32 . 2008-10-10 17:59 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2008-10-10 17:59 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-11 01:27 . 2009-02-11 01:28 34816 ----a-w c:\windows\Internet Logs\xDB86.tmp
2009-02-11 01:15 . 2009-02-11 01:25 52224 ----a-w c:\windows\Internet Logs\xDB85.tmp
2009-02-11 01:14 . 2009-02-11 01:14 129024 ----a-w c:\windows\Internet Logs\xDB84.tmp
2009-02-09 11:13 . 2007-01-25 22:23 1846784 ----a-w c:\windows\system32\win32k.sys
2009-01-26 00:47 . 2009-01-26 00:47 63968 ----a-w c:\documents and settings\Customer\Application Data\GDIPFONTCACHEV1.DAT
2008-09-05 08:26 . 2008-12-27 19:55 371 ------r c:\program files\Setup.ini
2008-09-05 07:25 . 2008-12-27 19:55 51453 ------r c:\program files\data1.hdr
2008-09-05 07:25 . 2008-12-27 19:55 417 ------r c:\program files\layout.bin
2008-09-05 07:25 . 2008-12-27 19:55 7599095 ------r c:\program files\data2.cab
2008-09-05 07:25 . 2008-12-27 19:55 1039180 ------r c:\program files\data1.cab
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DFB52EF4-7EB8-4933-8553-1A6B0D9EC088}]
2004-08-12 12:00 97280 ----a-w c:\windows\system32\atmf.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-04-28 692224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VistaDrive"="c:\windows\VistaDrive\VistaDrive.exe" [2006-10-06 280779]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-17 81920]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2004-12-09 57344]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-03-28 593920]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-14 1261336]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"USB Storage Toolbox"="c:\windows\UMStor\Res.EXE" [2005-09-15 65536]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HDAShCut.exe [2007-01-25 61952]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-09-17 1626112]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-08 53248]
"S3Trayp"="S3trayp.exe" - c:\windows\system32\S3Trayp.exe [2005-04-05 159744]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-09-11 16264192]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-15 2879488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2008-04-14 99840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-10-4 278528]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 20:28 352256 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14594:TCP"= 14594:TCP:BitComet 14594 TCP
"14594:UDP"= 14594:UDP:BitComet 14594 UDP

R2 gupdate1c98d6eec3cc2b6;Google Update Service (gupdate1c98d6eec3cc2b6);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-13 133104]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 7408]
R3 SIS163u;SiS163 USB Wireless LAN Adapter Driver;c:\windows\system32\DRIVERS\sis163u.sys [2006-02-15 215552]
S0 ukwpucun;ukwpucun;c:\windows\system32\drivers\ukwpucun.sys [2004-08-12 23424]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2008-09-30 97928]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-09-03 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-09-03 55024]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-14 231704]
S3 S3G700;S3G700;c:\windows\system32\DRIVERS\S3G700m.sys [2005-10-15 792576]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - HELPSVC
.
Contents of the 'Scheduled Tasks' folder

2009-04-16 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-13 00:06]

2009-04-16 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-11 02:18]
.
- - - - ORPHANS REMOVED - - - -

BHO-{F4C9B48F-8ED7-48C0-BAE3-39AF27CC0614} - c:\windows\system32\ljJAQGww.dll
HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
HKU-Default-Run-TaskSwitchXP - c:\program files\TaskSwitchXP\TaskSwitchXP.exe
SSODL-mgxfebsq-{DBBDD926-27E4-4BA1-9C86-99AA69E2907B} - c:\windows\mgxfebsq.dll
SSODL-dtseqrxk-{D3B3A25E-EC70-47C5-868A-65BC8D349353} - c:\windows\dtseqrxk.dll
Notify-ljJBstRJ - ljJBstRJ.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Customer\Application Data\Mozilla\Firefox\Profiles\4d7jx25v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-15 21:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthwhkylkdpyqboetymdtqlvbwmqpxuwylv]
"imagepath"="\systemroot\system32\drivers\ovfsthvrvxewxkdynvnpdppjogxuwpufbntsrt.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3604)
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2009-04-16 21:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-16 01:39

Pre-Run: 85,216,149,504 bytes free
Post-Run: 85,297,528,832 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /bootlogo

272 --- E O F --- 2009-04-13 01:31
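The catchme section of the log above reports a service key and driver that were hidden from the registry API, and the ORPHANS REMOVED list carries several load points with random-looking names. As an added example that is not part of the original thread or of ComboFix, here is a small Python triage pass over lines in the shape of that log; the consonant-run heuristic and the sample input are my own constructions (the names in it are copied from the log above).

```python
import re

# Constructed sample in the shape of ComboFix output: the drivers list, the
# ORPHANS REMOVED entries and the catchme "hidden files" section.
SAMPLE_LOG = r"""
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 7408]
S0 ukwpucun;ukwpucun;c:\windows\system32\drivers\ukwpucun.sys [2004-08-12 23424]
BHO-{F4C9B48F-8ED7-48C0-BAE3-39AF27CC0614} - c:\windows\system32\ljJAQGww.dll
SSODL-mgxfebsq-{DBBDD926-27E4-4BA1-9C86-99AA69E2907B} - c:\windows\mgxfebsq.dll
Notify-ljJBstRJ - ljJBstRJ.dll
hidden files:
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthwhkylkdpyqboetymdtqlvbwmqpxuwylv]
"imagepath"="\systemroot\system32\drivers\ovfsthvrvxewxkdynvnpdppjogxuwpufbntsrt.sys"
"""

# Heuristic (my assumption, not a ComboFix rule): vendor names rarely have
# four or more consonants in a row, machine-generated names usually do.
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}", re.I)


def looks_generated(name):
    """True if a file or service name looks randomly generated."""
    base = name.rsplit(".", 1)[0]
    return len(base) >= 8 and base.isalpha() and bool(CONSONANT_RUN.search(base))


def triage(log):
    """Return (reason, detail) pairs worth a human's attention."""
    findings = []
    in_hidden = False  # set once catchme's "hidden files:" header is seen
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("hidden files:"):
            in_hidden = True
        # A service key catchme recovered because the registry API hid it
        m = re.match(r"\[HKEY_LOCAL_MACHINE\\System\\.*\\Services\\([^\]]+)\]", line, re.I)
        if m and in_hidden:
            findings.append(("hidden service key", m.group(1)))
        m = re.match(r'"imagepath"="(.+)"', line, re.I)
        if m and in_hidden:
            findings.append(("hidden service image path", m.group(1)))
        # Driver/service lines: "S0 name;display name;path [date size]"
        m = re.match(r"[RS]\d\s+([^;]+);[^;]*;(.+?)\s+\[", line)
        if m and looks_generated(m.group(1)):
            findings.append(("random-looking driver name", m.group(2)))
        # Orphan load points: "BHO-{GUID} - path", "SSODL-name-{GUID} - path"
        m = re.match(r"(SSODL|BHO|Notify)-.*? - (.+)$", line)
        if m and looks_generated(re.split(r"[\\/]", m.group(2))[-1]):
            findings.append(("random-looking %s entry" % m.group(1), m.group(2)))
    return findings
```

Anything catchme lists under "hidden files:" is suspicious on its own; the name heuristic only ranks the remaining load points for a closer look.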

#10 Jat90

Posted 16 April 2009 - 05:36 AM

Hello,

One of the infections identified was a rootkit, therefore you should know the following:

Rootkit Warning

Rootkits are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Please let me know what you decide to do.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

#11 amanda.anonymous

Posted 18 April 2009 - 11:15 AM

Well, it sounds like the only option I have is to have my computer re-formatted? Does this mean that if I try to save my pictures the DVD might be infected? Or if I take it to a professional, can they save my files safely? And I have used my camera to upload pictures, can that become infected also?

#12 Jat90

Posted 18 April 2009 - 11:47 AM

No, they will all be fine. The infected files are the ones seen above. Although a different virus does exist that would possibly infect a lot of other files. In this case you can move everything over. You do not have to reformat, it is your choice based on the facts presented in the post above.
- Jat90 -


#13 amanda.anonymous

Posted 18 April 2009 - 08:00 PM

Well, that is a relief. So, if I burn a DVD with my pics, and scan it with the clean computer, I should be OK?

Your above posting about Rootkits says that the computer should be wiped clean, reformatted and have the OS re-installed, is this the best option? Is it even worth trying to remove the infection?

#14 Jat90

Posted 19 April 2009 - 05:51 AM

Yes that would be fine.

We recommend a full reinstallation because your computer is compromised; even if we clean it, there's a good chance your sensitive information could still be stolen. There's no way to completely clear this threat unless you reformat. The rootkit can be killed, just your PC will still be compromised.
- Jat90 -


#15 amanda.anonymous

Posted 19 April 2009 - 09:26 AM

Okay, then I will take my computer to be fixed.

Thank you very much for all of your help!