Trojan Infection


  • This topic is locked
16 replies to this topic

#1 rcmck

Posted 16 April 2009 - 02:51 PM

Hello, I have been getting help in another forum and was directed to come here. If helpful, here is a link to the thread: http://www.bleepingcomputer.com/forums/t/218648/cant-remove-unknow-registry-entry/

DDS log


DDS (Ver_09-03-16.01) - NTFSx86
Run by admin at 15:43:09.12 on Thu 04/16/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.345 [GMT -4:00]

AV: COMODO Antivirus *On-access scanning enabled* (Updated)
FW: COMODO Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\lxczcoms.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Comodo\COMODO Internet Security\cfp.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: UIHost=c:\windows\system32\logonui.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [lxczbmgr.exe] "c:\program files\lexmark 1200 series\lxczbmgr.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
LSA: Notification Packages = scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\nt5pyg4b.default\
FF - prefs.js: browser.search.selectedEngine - Amazon.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\google updater\2.4.1439.6872\npCIDetect13.dll
FF - HiddenExtension: XUL Cache: {8ADE576B-2E29-4ABB-9D19-DF2B8F45B149} - c:\documents and settings\admin\local settings\application data\{8ADE576B-2E29-4ABB-9D19-DF2B8F45B149}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

============= SERVICES / DRIVERS ===============

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-3-24 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-3-24 24336]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2006-10-10 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 55024]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-3-24 700152]
R2 lxcz_device;lxcz_device;c:\windows\system32\lxczcoms.exe -service --> c:\windows\system32\lxczcoms.exe -service [?]
S3 aswArKrn;aswArKrn;\??\c:\docume~1\admin\locals~1\temp\aswarkrn.sys --> c:\docume~1\admin\locals~1\temp\aswArKrn.sys [?]
S3 perm2;perm2;c:\windows\system32\drivers\perm2.sys [2008-8-4 27904]
S3 ProtoWall;ProtoWall Network Service;c:\windows\system32\drivers\protowall.sys --> c:\windows\system32\drivers\ProtoWall.sys [?]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [2008-7-15 36928]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
S3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2008-9-2 100352]
S4 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2008-6-21 425080]
S4 hasplms;HASP License Manager; [x]

=============== Created Last 30 ================

2009-04-14 23:24 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-14 23:24 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 23:24 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-14 18:17 61,440 a------- c:\windows\system32\drivers\laht.sys
2009-04-14 18:06 61,440 a------- c:\windows\system32\drivers\ygkaimbc.sys
2009-04-13 00:55 --d----- c:\documents and settings\admin\SmitfraudFix
2009-04-13 00:28 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-13 00:28 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-13 00:28 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-13 00:24 1,164 a------- c:\windows\system32\tmp.reg
2009-04-09 02:25 153 a------- c:\windows\cavscan.INI
2009-03-24 01:01 155,384 a------- c:\windows\system32\guard32.dll
2009-03-24 01:01 110,992 a------- c:\windows\system32\drivers\cmdguard.sys
2009-03-24 01:01 24,336 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-03-21 10:06 989,696 -c------ c:\windows\system32\dllcache\kernel32.dll

==================== Find3M ====================

2009-04-13 00:56 110,592 a------- c:\windows\system32\imm32.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-20 04:10 666,112 a------- c:\windows\system32\wininet.dll
2009-02-20 04:10 81,920 a------- c:\windows\system32\ieencode.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2008-09-18 20:12 14,290 a------- c:\program files\settings.dat
2007-03-23 19:59 181 a--shr-- c:\windows\Regbak.dat

============= FINISH: 15:43:50.92 ===============
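Reading a DDS log is mostly pattern matching, and the first log above contains the patterns a responder looks for: a kernel driver (aswArKrn) whose image sits under the user's temp directory, service entries for which DDS recorded no size or date (`[?]`), two same-sized .sys files written to system32\drivers eleven minutes apart (laht.sys and ygkaimbc.sys), and a Firefox extension DDS lists as hidden. The script below is an added example, not code from the thread or from the DDS tool; it encodes those checks as heuristics over lines excerpted from the log. The line formats it assumes are inferred from the log rather than documented on the page, and every hit is a lead to verify on the machine, not a verdict.

```python
"""Triage heuristics for a DDS log.

Added example for this thread; not code from the DDS tool or from any poster.
Line formats assumed (inferred from the logs above, not documented there):
  SERVICES / DRIVERS :  STATE name;display;path [YYYY-M-D size]   or   ... [?]
  Created Last 30    :  YYYY-MM-DD HH:MM size attrs path
SAMPLE_DDS is excerpted from the first DDS log in the thread.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-3-24 110992]
R2 lxcz_device;lxcz_device;c:\windows\system32\lxczcoms.exe -service --> c:\windows\system32\lxczcoms.exe -service [?]
S3 aswArKrn;aswArKrn;\??\c:\docume~1\admin\locals~1\temp\aswarkrn.sys --> c:\docume~1\admin\locals~1\temp\aswArKrn.sys [?]
S3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2008-9-2 100352]

=============== Created Last 30 ================

2009-04-14 18:17 61,440 a------- c:\windows\system32\drivers\laht.sys
2009-04-14 18:06 61,440 a------- c:\windows\system32\drivers\ygkaimbc.sys
2009-04-13 00:28 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-13 00:28 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

================= FIREFOX ===================

FF - HiddenExtension: XUL Cache: {8ADE576B-2E29-4ABB-9D19-DF2B8F45B149} - c:\documents and settings\admin\local settings\application data\{8ADE576B-2E29-4ABB-9D19-DF2B8F45B149}
"""

DRIVER_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$", re.M)
FILE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+(?P<size>[\d,]+)\s+(?P<attrs>\S{8})\s+(?P<path>.+)$", re.M)
HIDDEN_EXT_RE = re.compile(r"^FF - HiddenExtension: (?P<detail>.+)$", re.M)

# Directories a properly installed kernel driver has no business loading from.
TEMP_MARKERS = ("\\locals~1\\temp\\", "\\local settings\\temp\\", "\\windows\\temp\\")


def parse_drivers(text):
    """One dict per SERVICES / DRIVERS line.  When DDS printed 'registered --> resolved'
    the resolved path is kept; meta is whatever stood between the trailing brackets."""
    for m in DRIVER_RE.finditer(text):
        rest = m["rest"].strip()
        meta = ""
        bracket = re.search(r"\[([^\]]*)\]\s*$", rest)
        if bracket:
            meta = bracket.group(1).strip()
            rest = rest[:bracket.start()].strip()
        yield {"state": m["state"], "name": m["name"].strip(),
               "path": rest.split("-->")[-1].strip(), "meta": meta}


def flag_drivers(drivers):
    """Drivers loading from a temp directory, or whose image DDS recorded no size/date for."""
    findings = []
    for d in drivers:
        low = d["path"].lower()
        if any(marker in low for marker in TEMP_MARKERS):
            findings.append((d["name"], "driver image lives in a temp directory"))
        elif d["meta"] in ("?", "x"):
            findings.append((d["name"], "no size/date recorded for the image; confirm it exists and is signed"))
    return findings


def parse_file_entries(text):
    """Created Last 30 / Find3M lines as when, size (bytes) and path."""
    for m in FILE_RE.finditer(text):
        yield {"when": datetime.strptime(m["date"] + " " + m["time"], "%Y-%m-%d %H:%M"),
               "size": int(m["size"].replace(",", "")), "path": m["path"].strip()}


def find_driver_twins(entries, window_minutes=60):
    """Groups of .sys files under the drivers directory with identical sizes, all
    written within window_minutes of each other.  A lead to pull and inspect."""
    by_size = defaultdict(list)
    for e in entries:
        low = e["path"].lower()
        if low.endswith(".sys") and "\\drivers\\" in low:
            by_size[e["size"]].append(e)
    twins = []
    for size, group in sorted(by_size.items()):
        if len(group) < 2:
            continue
        group.sort(key=lambda e: e["when"])
        span_min = (group[-1]["when"] - group[0]["when"]).total_seconds() / 60
        if span_min <= window_minutes:
            twins.append((size, tuple(e["path"].rsplit("\\", 1)[-1] for e in group)))
    return twins


def hidden_extensions(text):
    """Firefox extensions DDS reports as hidden; each one needs a known owner."""
    return [m["detail"] for m in HIDDEN_EXT_RE.finditer(text)]


def triage(text):
    return {"drivers": flag_drivers(parse_drivers(text)),
            "driver_twins": find_driver_twins(list(parse_file_entries(text))),
            "hidden_extensions": hidden_extensions(text)}


if __name__ == "__main__":
    for section, items in triage(SAMPLE_DDS).items():
        print(section)
        for item in items:
            print("   ", item)
```

Run against the full log rather than the excerpt, the same three checks also pick up the Lexmark service (`lxcz_device`) as unverified, which is why the output is a worklist and not a removal list: each name still has to be resolved against the file on disk and its vendor before anything is touched.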

#2 rcmck (Topic Starter)

Posted 19 April 2009 - 10:50 AM

I hope this doesn't mess up my turn in line, but Comodo A/V on access scanning has finally started to recognize the virus. I know I am not supposed to make any changes so I just quarantined them for the time being. It also has given it a name if that is helpful TrojWare.Win32.Trojan.Agent.Gen@15238798

#3 KoanYorel (Bleepin' Conundrum)

Posted 01 May 2009 - 10:08 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#4 rcmck (Topic Starter)

Posted 03 May 2009 - 11:50 PM

Thanks, the problem definitely still exists, here is a new DDS log


DDS (Ver_09-03-16.01) - NTFSx86
Run by admin at 0:45:21.07 on Mon 05/04/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.266 [GMT -4:00]

AV: COMODO Antivirus *On-access scanning disabled* (Updated)
FW: COMODO Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Comodo\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: UIHost=c:\windows\system32\logonui.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [lxczbmgr.exe] "c:\program files\lexmark 1200 series\lxczbmgr.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
LSA: Notification Packages = scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\nt5pyg4b.default\
FF - prefs.js: browser.search.selectedEngine - Amazon.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: XUL Cache: {8ADE576B-2E29-4ABB-9D19-DF2B8F45B149} - c:\documents and settings\admin\local settings\application data\{8ADE576B-2E29-4ABB-9D19-DF2B8F45B149}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-3-24 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-3-24 24336]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2006-10-10 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 55024]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-3-24 700152]
R2 lxcz_device;lxcz_device;c:\windows\system32\lxczcoms.exe -service --> c:\windows\system32\lxczcoms.exe -service [?]
S3 aswArKrn;aswArKrn;\??\c:\docume~1\admin\locals~1\temp\aswarkrn.sys --> c:\docume~1\admin\locals~1\temp\aswArKrn.sys [?]
S3 perm2;perm2;c:\windows\system32\drivers\perm2.sys [2008-8-4 27904]
S3 ProtoWall;ProtoWall Network Service;c:\windows\system32\drivers\protowall.sys --> c:\windows\system32\drivers\ProtoWall.sys [?]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [2008-7-15 36928]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
S3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2008-9-2 100352]
S4 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2008-6-21 425080]
S4 hasplms;HASP License Manager; [x]

=============== Created Last 30 ================

2009-04-30 02:26 <DIR> --d----- C:\font
2009-04-24 14:41 130,140 a---h--- c:\windows\system32\mlfcache.dat
2009-04-24 13:46 <DIR> --d----- c:\program files\EsetOnlineScanner
2009-04-14 23:25 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-14 23:25 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-14 23:25 35,328 -c------ c:\windows\system32\dllcache\sc.exe
2009-04-14 23:25 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-14 23:25 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-14 23:25 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 23:25 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 23:25 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 23:25 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-14 23:25 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-14 23:24 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-14 23:24 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 23:24 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-14 18:17 61,440 a------- c:\windows\system32\drivers\laht.sys
2009-04-14 18:06 61,440 a------- c:\windows\system32\drivers\ygkaimbc.sys
2009-04-13 00:28 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-13 00:28 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-13 00:28 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-13 00:24 1,164 a------- c:\windows\system32\tmp.reg
2009-04-09 02:25 153 a------- c:\windows\cavscan.INI

==================== Find3M ====================

2009-04-13 00:56 110,592 a------- c:\windows\system32\imm32.dll
2009-03-24 01:01 155,384 a------- c:\windows\system32\guard32.dll
2009-03-24 01:01 110,992 a------- c:\windows\system32\drivers\cmdguard.sys
2009-03-24 01:01 24,336 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-20 04:10 666,112 a------- c:\windows\system32\wininet.dll
2009-02-20 04:10 81,920 a------- c:\windows\system32\ieencode.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2008-09-18 20:12 14,290 a------- c:\program files\settings.dat
2007-03-23 19:59 181 a--shr-- c:\windows\Regbak.dat

============= FINISH: 0:45:55.79 ===============

#5 PropagandaPanda (Malware Response Team)

Posted 04 May 2009 - 04:30 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

In your next reply include:
-the ComboFix log
-the GMER scan log

With Regards,
The Panda

#6 rcmck (Topic Starter)

Posted 05 May 2009 - 01:25 AM

Thanks PP, here is the ComboFix log

ComboFix 09-05-03.6 - admin 05/04/2009 18:44.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.289 [GMT -4:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
AV: COMODO Antivirus *On-access scanning disabled* (Updated)
FW: COMODO Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
c:\windows\system32\_004296_.tmp.dll
c:\windows\system32\_004297_.tmp.dll
c:\windows\system32\_004298_.tmp.dll
c:\windows\system32\_004299_.tmp.dll
c:\windows\system32\_004306_.tmp.dll
c:\windows\system32\_004307_.tmp.dll
c:\windows\system32\_004308_.tmp.dll
c:\windows\system32\_004309_.tmp.dll
c:\windows\system32\_004311_.tmp.dll
c:\windows\system32\_004312_.tmp.dll
c:\windows\system32\_004315_.tmp.dll
c:\windows\system32\_004316_.tmp.dll
c:\windows\system32\_004318_.tmp.dll
c:\windows\system32\_004319_.tmp.dll
c:\windows\system32\_004320_.tmp.dll
c:\windows\system32\_004322_.tmp.dll
c:\windows\system32\_004325_.tmp.dll
c:\windows\system32\_004326_.tmp.dll
c:\windows\system32\_004330_.tmp.dll
c:\windows\system32\_004331_.tmp.dll
c:\windows\system32\_004333_.tmp.dll
c:\windows\system32\_004336_.tmp.dll
c:\windows\system32\_004338_.tmp.dll
c:\windows\system32\_004339_.tmp.dll
c:\windows\system32\_004340_.tmp.dll
c:\windows\system32\_004341_.tmp.dll
c:\windows\system32\_004342_.tmp.dll
c:\windows\system32\_004345_.tmp.dll
c:\windows\system32\_004346_.tmp.dll
c:\windows\system32\_004347_.tmp.dll
c:\windows\system32\_004348_.tmp.dll
c:\windows\system32\_004349_.tmp.dll
c:\windows\system32\_004354_.tmp.dll
c:\windows\system32\_004356_.tmp.dll
c:\windows\system32\_004357_.tmp.dll
c:\windows\system32\tmp.reg

Infected copy of c:\windows\system32\imm32.dll was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\imm32.dll


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2009-04-04 to 2009-05-04 )))))))))))))))))))))))))))))))
.

2009-04-30 06:26 . 2009-05-02 00:08 -------- d-----w C:\font
2009-04-29 01:44 . 2009-04-29 01:50 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-27 21:56 . 2009-04-27 22:56 -------- d-----w c:\windows\BDOSCAN8
2009-04-25 18:28 . 2009-04-25 18:28 -------- d-----w c:\documents and settings\Mom\Application Data\Apple Computer
2009-04-24 18:41 . 2009-04-24 18:41 130140 ---ha-w c:\windows\system32\mlfcache.dat
2009-04-24 17:46 . 2009-04-24 19:02 -------- d-----w c:\program files\EsetOnlineScanner
2009-04-23 03:07 . 2009-04-23 03:08 -------- d-----w c:\program files\Safari
2009-04-23 03:07 . 2009-04-23 03:07 -------- d-----w c:\program files\Apple Software Update
2009-04-23 03:07 . 2009-04-23 03:07 -------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-04-15 03:25 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 03:25 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 03:25 . 2009-02-06 10:39 35328 -c----w c:\windows\system32\dllcache\sc.exe
2009-04-15 03:25 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 03:25 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 03:25 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 03:25 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 03:25 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 03:25 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 03:25 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 03:24 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 03:24 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 22:17 . 2009-04-14 22:17 61440 ----a-w c:\windows\system32\drivers\laht.sys
2009-04-14 22:07 . 2009-04-14 22:07 -------- d-----w c:\documents and settings\Dad\Application Data\Malwarebytes
2009-04-14 22:06 . 2009-04-14 22:06 61440 ----a-w c:\windows\system32\drivers\ygkaimbc.sys
2009-04-14 21:48 . 2009-04-14 21:48 -------- d-----w c:\documents and settings\Mom\Application Data\Malwarebytes
2009-04-13 04:28 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-13 04:28 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-13 04:28 . 2009-04-13 04:51 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-04 22:35 . 2007-02-28 09:17 -------- d-----w c:\program files\Mozilla Thunderbird
2009-05-04 22:35 . 2009-02-20 08:07 -------- d-----w c:\program files\Mozilla Firefox 3.1 Beta 2
2009-04-30 17:00 . 2008-12-18 07:02 -------- d-----w c:\program files\Google
2009-04-24 23:49 . 2008-06-21 17:06 -------- d-----w c:\program files\a-squared Free
2009-04-23 04:02 . 2007-02-28 09:56 -------- d-----w c:\program files\Common Files\Adobe
2009-04-23 03:41 . 2007-03-03 04:00 -------- d-----w c:\program files\CCleaner
2009-04-23 03:40 . 2008-07-20 17:40 -------- d-----w c:\program files\opera
2009-04-16 07:16 . 2007-08-07 23:15 -------- d-----w c:\program files\Security Task Manager
2009-04-11 19:51 . 2007-11-28 00:45 -------- d-----w c:\program files\Finale 2008
2009-04-11 19:44 . 2007-02-28 19:00 -------- d-----w c:\program files\Common Files\Ahead
2009-04-11 19:42 . 2007-05-08 03:32 -------- d-----w c:\program files\Common Files\Real
2009-04-11 19:41 . 2007-03-26 02:04 -------- d-----w c:\program files\DivX
2009-04-11 19:40 . 2008-01-25 23:43 -------- d-----w c:\program files\Audacity 1.3 Beta (Unicode)
2009-04-10 16:30 . 2007-10-18 00:11 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-09 19:20 . 2007-10-18 00:11 -------- d-----w c:\documents and settings\admin\Application Data\SUPERAntiSpyware.com
2009-04-05 00:50 . 2007-02-28 03:11 198376 ----a-w c:\documents and settings\admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-01 17:32 . 2009-03-01 23:01 -------- d-----w c:\program files\HDDScan
2009-04-01 04:54 . 2008-06-27 03:58 -------- d-----w c:\program files\Wootalyzer
2009-03-24 05:01 . 2009-03-24 05:01 24336 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2009-03-24 05:01 . 2009-03-24 05:01 155384 ----a-w c:\windows\system32\guard32.dll
2009-03-24 05:01 . 2009-03-24 05:01 110992 ----a-w c:\windows\system32\drivers\cmdguard.sys
2009-03-24 05:01 . 2007-02-28 09:12 -------- d-----w c:\program files\Comodo
2009-03-13 20:56 . 2007-08-28 22:58 -------- d-----w c:\program files\DIFX
2009-03-12 01:12 . 2008-08-10 20:46 -------- d-----w c:\program files\Songbird
2009-03-07 00:05 . 2009-03-07 00:05 -------- d-----w c:\program files\Free CD Music Converter
2009-03-06 14:22 . 2004-08-04 05:56 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2004-08-04 05:56 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 05:56 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-10 05:01 . 2009-02-10 05:01 215872 ----a-w c:\windows\system32\drivers\truecrypt.sys
2009-02-09 12:10 . 2008-08-04 20:50 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2008-08-04 20:50 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2008-08-04 20:50 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 05:56 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2008-08-04 20:50 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 23:02 . 2008-08-04 20:50 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2008-08-04 20:50 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2008-08-04 20:50 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2003-07-16 20:43 35328 ----a-w c:\windows\system32\sc.exe
2008-09-19 00:12 . 2008-09-19 00:12 14290 ----a-w c:\program files\settings.dat
2007-03-23 23:59 . 2007-03-23 23:59 181 --sha-r c:\windows\Regbak.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"lxczbmgr.exe"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2007-02-08 74672]
"COMODO Internet Security"="c:\program files\Comodo\COMODO Internet Security\cfp.exe" [2009-03-24 1851128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-04-10 16:30 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.DLL

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^admin^Start Menu^Programs^Startup^MRU-Blaster Scheduler.lnk]
path=c:\documents and settings\admin\Start Menu\Programs\Startup\MRU-Blaster Scheduler.lnk
backup=c:\windows\pss\MRU-Blaster Scheduler.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^admin^Start Menu^Programs^Startup^MRU-Blaster Silent Clean.lnk]
path=c:\documents and settings\admin\Start Menu\Programs\Startup\MRU-Blaster Silent Clean.lnk
backup=c:\windows\pss\MRU-Blaster Silent Clean.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk
backup=c:\windows\pss\Privoxy.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\lxcfcoms.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\lxczcoms.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17194:TCP"= 17194:TCP:BitComet 17194 TCP
"17194:UDP"= 17194:UDP:BitComet 17194 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1947:TCP"= 1947:TCP:HASP SRM
"1947:UDP"= 1947:UDP:HASP SRM
"17205:TCP"= 17205:TCP:ut
"17205:UDP"= 17205:UDP:ut2
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R3 aswArKrn;aswArKrn; [x]
R3 perm2;perm2;c:\windows\system32\DRIVERS\perm2.sys [2008-04-14 27904]
R3 ProtoWall;ProtoWall Network Service; [x]
R3 PsSdk41;PsSdk41;c:\windows\system32\Drivers\pssdk41.sys [2008-07-15 36928]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
R3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [2008-09-02 100352]
R4 hasplms;HASP License Manager; [x]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2009-03-24 110992]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2009-03-24 24336]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-04-10 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-06-21 55024]


--- Other Services/Drivers In Memory ---

*Deregistered* - Fastfat
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\nt5pyg4b.default\
FF - prefs.js: browser.search.selectedEngine - Amazon.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-04 18:49
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(872)
c:\windows\system32\guard32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'lsass.exe'(932)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(3528)
c:\windows\system32\guard32.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Comodo\COMODO Internet Security\cmdagent.exe
c:\windows\system32\lxczcoms.exe
c:\program files\Lexmark 1200 Series\LXCZbmon.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-04 18:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-04 22:52

Pre-Run: 40,932,855,808 bytes free
Post-Run: 40,823,504,896 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

262 --- E O F --- 2009-04-29 07:01

And the GMER will be coming after a lengthy scan process; as I clicked the "save" button I got a wonderful BSOD, so I have to do it all over again. Yay. Reminds me of why I chose to use Linux primarily now; it is going to add years to my life, I am sure. Will get that posted ASAP. Thanks again.

#7 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 05 May 2009 - 07:07 AM

Hello.

Post the GMER scan when it is done. If it takes too long, we'll try something else.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:

    http://www.bleepingcomputer.com/forums/t/219926/trojan-infection/

    Suspect::[59]
    c:\windows\system32\drivers\ygkaimbc.sys
    c:\windows\system32\drivers\laht.sys

  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Upload Samples Collected by ComboFix
The script above included a directive to upload file samples. Ensure you are connected to the internet before clicking "OK" on the message box. After the uploading is done you should see a message near the bottom saying "Upload was Successful".

With Regards,
The Panda

#8 rcmck
  • Topic Starter
  • Members
  • 46 posts
  • Location:everywhere

Posted 05 May 2009 - 03:14 PM

New ComboFix, and GMER has to be done again. May have been my fault this time: I was wary of choosing save, so I tried copy, which froze the comp. I think I shut down prematurely; it was coming out of it.

ComboFix 09-05-05.02 - admin 05/05/2009 15:58.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.276 [GMT -4:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\admin\Desktop\CFScript.txt
AV: COMODO Antivirus *On-access scanning disabled* (Updated)
FW: COMODO Firewall *disabled*

file zipped: c:\windows\system32\drivers\Suspect_laht.sys.vir
file zipped: c:\windows\system32\drivers\Suspect_ygkaimbc.sys.vir
.

((((((((((((((((((((((((( Files Created from 2009-04-05 to 2009-05-05 )))))))))))))))))))))))))))))))
.

2009-04-30 06:26 . 2009-05-02 00:08 -------- d-----w C:\font
2009-04-29 01:44 . 2009-05-05 03:48 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-27 21:56 . 2009-04-27 22:56 -------- d-----w c:\windows\BDOSCAN8
2009-04-25 18:28 . 2009-04-25 18:28 -------- d-----w c:\documents and settings\Mom\Application Data\Apple Computer
2009-04-24 18:41 . 2009-04-24 18:41 130140 ---ha-w c:\windows\system32\mlfcache.dat
2009-04-23 03:07 . 2009-04-23 03:08 -------- d-----w c:\program files\Safari
2009-04-23 03:07 . 2009-04-23 03:07 -------- d-----w c:\program files\Apple Software Update
2009-04-23 03:07 . 2009-04-23 03:07 -------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-04-15 03:25 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 03:25 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 03:25 . 2009-02-06 10:39 35328 -c----w c:\windows\system32\dllcache\sc.exe
2009-04-15 03:25 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 03:25 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 03:25 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 03:25 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 03:25 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 03:25 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 03:25 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 03:24 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 03:24 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 22:17 . 2009-04-14 22:17 61440 ----a-w c:\windows\system32\drivers\laht.sys
2009-04-14 22:07 . 2009-04-14 22:07 -------- d-----w c:\documents and settings\Dad\Application Data\Malwarebytes
2009-04-14 22:06 . 2009-04-14 22:06 61440 ----a-w c:\windows\system32\drivers\ygkaimbc.sys
2009-04-14 21:48 . 2009-04-14 21:48 -------- d-----w c:\documents and settings\Mom\Application Data\Malwarebytes
2009-04-13 04:28 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-13 04:28 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-13 04:28 . 2009-04-13 04:51 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-05 17:23 . 2009-02-20 08:07 -------- d-----w c:\program files\Mozilla Firefox 3.1 Beta 2
2009-05-05 07:32 . 2007-02-28 09:17 -------- d-----w c:\program files\Mozilla Thunderbird
2009-05-05 03:48 . 2007-04-12 05:10 -------- d-----w c:\program files\SourceTec
2009-05-05 03:47 . 2007-04-12 05:10 -------- d-----w c:\program files\Common Files\SourceTec
2009-05-05 03:45 . 2008-10-16 19:51 -------- d-----w c:\program files\RocketDock
2009-05-05 03:38 . 2007-02-28 09:56 -------- d-----w c:\program files\Common Files\Adobe
2009-05-05 03:36 . 2007-03-03 04:00 -------- d-----w c:\program files\CCleaner
2009-04-30 17:00 . 2008-12-18 07:02 -------- d-----w c:\program files\Google
2009-04-24 23:49 . 2008-06-21 17:06 -------- d-----w c:\program files\a-squared Free
2009-04-23 03:40 . 2008-07-20 17:40 -------- d-----w c:\program files\opera
2009-04-16 07:16 . 2007-08-07 23:15 -------- d-----w c:\program files\Security Task Manager
2009-04-11 19:44 . 2007-02-28 19:00 -------- d-----w c:\program files\Common Files\Ahead
2009-04-11 19:42 . 2007-05-08 03:32 -------- d-----w c:\program files\Common Files\Real
2009-04-11 19:41 . 2007-03-26 02:04 -------- d-----w c:\program files\DivX
2009-04-10 16:30 . 2007-10-18 00:11 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-09 19:20 . 2007-10-18 00:11 -------- d-----w c:\documents and settings\admin\Application Data\SUPERAntiSpyware.com
2009-04-05 00:50 . 2007-02-28 03:11 198376 ----a-w c:\documents and settings\admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-01 04:54 . 2008-06-27 03:58 -------- d-----w c:\program files\Wootalyzer
2009-03-24 05:01 . 2009-03-24 05:01 24336 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2009-03-24 05:01 . 2009-03-24 05:01 155384 ----a-w c:\windows\system32\guard32.dll
2009-03-24 05:01 . 2009-03-24 05:01 110992 ----a-w c:\windows\system32\drivers\cmdguard.sys
2009-03-24 05:01 . 2007-02-28 09:12 -------- d-----w c:\program files\Comodo
2009-03-13 20:56 . 2007-08-28 22:58 -------- d-----w c:\program files\DIFX
2009-03-12 01:12 . 2008-08-10 20:46 -------- d-----w c:\program files\Songbird
2009-03-06 14:22 . 2004-08-04 05:56 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2004-08-04 05:56 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 05:56 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-10 05:01 . 2009-02-10 05:01 215872 ----a-w c:\windows\system32\drivers\truecrypt.sys
2009-02-09 12:10 . 2008-08-04 20:50 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2008-08-04 20:50 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2008-08-04 20:50 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 05:56 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2008-08-04 20:50 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 23:02 . 2008-08-04 20:50 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2008-08-04 20:50 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2008-08-04 20:50 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2003-07-16 20:43 35328 ----a-w c:\windows\system32\sc.exe
2008-09-19 00:12 . 2008-09-19 00:12 14290 ----a-w c:\program files\settings.dat
2007-03-23 23:59 . 2007-03-23 23:59 181 --sha-r c:\windows\Regbak.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"lxczbmgr.exe"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2007-02-08 74672]
"COMODO Internet Security"="c:\program files\Comodo\COMODO Internet Security\cfp.exe" [2009-03-24 1851128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-04-10 16:30 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.DLL

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^admin^Start Menu^Programs^Startup^MRU-Blaster Scheduler.lnk]
path=c:\documents and settings\admin\Start Menu\Programs\Startup\MRU-Blaster Scheduler.lnk
backup=c:\windows\pss\MRU-Blaster Scheduler.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^admin^Start Menu^Programs^Startup^MRU-Blaster Silent Clean.lnk]
path=c:\documents and settings\admin\Start Menu\Programs\Startup\MRU-Blaster Silent Clean.lnk
backup=c:\windows\pss\MRU-Blaster Silent Clean.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk
backup=c:\windows\pss\Privoxy.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\lxcfcoms.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\lxczcoms.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17194:TCP"= 17194:TCP:BitComet 17194 TCP
"17194:UDP"= 17194:UDP:BitComet 17194 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1947:TCP"= 1947:TCP:HASP SRM
"1947:UDP"= 1947:UDP:HASP SRM
"17205:TCP"= 17205:TCP:ut
"17205:UDP"= 17205:UDP:ut2
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [3/24/2009 1:01 AM 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [3/24/2009 1:01 AM 24336]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 1:53 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 12:39 PM 55024]
S3 aswArKrn;aswArKrn;\??\c:\docume~1\admin\LOCALS~1\Temp\aswArKrn.sys --> c:\docume~1\admin\LOCALS~1\Temp\aswArKrn.sys [?]
S3 perm2;perm2;c:\windows\system32\drivers\perm2.sys [8/4/2008 4:50 PM 27904]
S3 ProtoWall;ProtoWall Network Service;c:\windows\system32\DRIVERS\ProtoWall.sys --> c:\windows\system32\DRIVERS\ProtoWall.sys [?]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [7/15/2008 6:00 PM 36928]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 5:51 PM 4096]
S3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [9/2/2008 8:33 AM 100352]
S4 hasplms;HASP License Manager; [x]

--- Other Services/Drivers In Memory ---

*Deregistered* - Fastfat
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\nt5pyg4b.default\
FF - prefs.js: browser.search.selectedEngine - Amazon.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-05 16:00
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\windows\system32\guard32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'lsass.exe'(928)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(2588)
c:\windows\system32\guard32.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-05 16:02
ComboFix-quarantined-files.txt 2009-05-05 20:02
ComboFix2.txt 2009-05-04 22:53

Pre-Run: 40,741,117,952 bytes free
Post-Run: 40,729,825,280 bytes free

201 --- E O F --- 2009-04-29 07:01
Upload was successful

#9 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 05 May 2009 - 04:54 PM

Hello.

Please try RootRepeal if GMER does not work.
  • Download RootRepeal from the following location and save it to your desktop:
  • Extract RootRepeal.exe from the zip archive.
  • Open RootRepeal.exe on your desktop. If you are using Windows Vista, right click RootRepeal.exe and select Run As Administrator.
  • Click the Report tab.
  • Click the Scan button.
  • Check all six boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

With Regards,
The Panda

#10 rcmck
  • Topic Starter
  • Members
  • 46 posts
  • Location:everywhere

Posted 05 May 2009 - 11:51 PM

That was much faster, here is the log:

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/05/06 00:40
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF34CD000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A87000 Size: 8192 File Visible: No
Status: -

Name: PCI_NTPNP6464
Image Path: \Driver\PCI_NTPNP6464
Address: 0x00000000 Size: 0 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF27BC000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\Temp\hlktmp
Status: Allocation size mismatch (API: 33570816, Raw: 0)

Path: C:\Program Files\Comodo\COMODO Internet Security\Quarantine
Status: Locked to the Windows API!

Path: \\?\C:\Program Files\Comodo\COMODO Internet Security\Quarantine\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\Program Files\Comodo\COMODO Internet Security\Quarantine\A0000272.exe
Status: Invisible to the Windows API!

Path: C:\Program Files\Comodo\COMODO Internet Security\Quarantine\A0000272.exe.info
Status: Invisible to the Windows API!

Path: C:\Program Files\Comodo\COMODO Internet Security\Quarantine\tmp2048.tmp.exe
Status: Invisible to the Windows API!

Path: C:\Program Files\Comodo\COMODO Internet Security\Quarantine\tmp2048.tmp.exe.info
Status: Invisible to the Windows API!

Path: C:\Program Files\Comodo\COMODO Internet Security\Quarantine\tmp3D9B.tmp.exe
Status: Invisible to the Windows API!

Path: C:\Program Files\Comodo\COMODO Internet Security\Quarantine\tmp3D9B.tmp.exe.info
Status: Invisible to the Windows API!

Path: C:\Program Files\Comodo\COMODO Internet Security\Quarantine\tmp53C8.tmp.exe
Status: Invisible to the Windows API!

Path: C:\Program Files\Comodo\COMODO Internet Security\Quarantine\tmp53C8.tmp.exe.info
Status: Invisible to the Windows API!

Path: C:\Program Files\Comodo\COMODO Internet Security\Quarantine\tmp5468.tmp.exe
Status: Invisible to the Windows API!

Path: C:\Program Files\Comodo\COMODO Internet Security\Quarantine\tmp5468.tmp.exe.info
Status: Invisible to the Windows API!

Path: C:\Program Files\Comodo\COMODO Internet Security\Quarantine\tmp7736.tmp.exe
Status: Invisible to the Windows API!

Path: C:\Program Files\Comodo\COMODO Internet Security\Quarantine\tmp7736.tmp.exe.info
Status: Invisible to the Windows API!

Path: C:\Program Files\Comodo\COMODO Internet Security\Quarantine\tmp8A22.tmp.exe
Status: Invisible to the Windows API!

Path: C:\Program Files\Comodo\COMODO Internet Security\Quarantine\tmp8A22.tmp.exe.info
Status: Invisible to the Windows API!

Path: C:\Program Files\Comodo\COMODO Internet Security\Quarantine\tmpA6E0.tmp.exe
Status: Invisible to the Windows API!

Path: C:\Program Files\Comodo\COMODO Internet Security\Quarantine\tmpA6E0.tmp.exe.info
Status: Invisible to the Windows API!

Path: C:\Program Files\Comodo\COMODO Internet Security\Quarantine\tmpAE16.tmp.exe
Status: Invisible to the Windows API!

Path: C:\Program Files\Comodo\COMODO Internet Security\Quarantine\tmpAE16.tmp.exe.info
Status: Invisible to the Windows API!

Path: C:\Program Files\Comodo\COMODO Internet Security\Quarantine\tmpBF15.tmp.exe
Status: Invisible to the Windows API!

Path: C:\Program Files\Comodo\COMODO Internet Security\Quarantine\tmpBF15.tmp.exe.info
Status: Invisible to the Windows API!

Path: C:\Program Files\Comodo\COMODO Internet Security\Quarantine\tmpD68C.tmp.exe
Status: Invisible to the Windows API!

Path: C:\Program Files\Comodo\COMODO Internet Security\Quarantine\tmpD68C.tmp.exe.info
Status: Invisible to the Windows API!

Path: C:\Program Files\Comodo\COMODO Internet Security\Quarantine\tmpE45B.tmp.exe
Status: Invisible to the Windows API!

Path: C:\Program Files\Comodo\COMODO Internet Security\Quarantine\tmpE45B.tmp.exe.info
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\admin\My Documents\iMacros\Macros\Woot
Status: Locked to the Windows API!

Path: C:\Documents and Settings\admin\My Documents\iMacros\Macros\Wsh-Extract-Rate.iim: One Day, One Deal (SM)(1).iim
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\admin\My Documents\iMacros\Macros\Wsh-Extract-Rate.iim: One Day, One Deal (SM).iim
Status: Invisible to the Windows API!

SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf37732a0

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf37727c2

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf3772e5c

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf3773a6a

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf377251c

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf3774776

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf3773486

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf37720ea

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf37736d4

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf3773884

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf3771e4c

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xf8432fb2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sptd.sys" at address 0xf8433340

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf37743f8

#: 105 Function Name: NtMakeTemporaryObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf3772a46

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf3773094

#: 119 Function Name: NtOpenKey
Status: Hooked by "sptd.sys" at address 0xf842d0b0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf3771b7c

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf3772cd6

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf3771cf4

#: 160 Function Name: NtQueryKey
Status: Hooked by "sptd.sys" at address 0xf8433418

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "sptd.sys" at address 0xf8433298

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf3773e30

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf377263a

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf3774194

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf37745a6

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf3773c30

#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf37729e0

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf3772bca

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf37723e6

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf37722b4

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x82b99790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x82b99790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x82b99790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x82b99790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x82b99790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82b99790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x82b99790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x82b99790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82b99790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82b99790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x82b99790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82b99790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82b99790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82b99790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82b99790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82b99790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x82b99790 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x82b99790 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x82dc11e8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x82dc11e8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x82dc11e8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x82dc11e8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82dc11e8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82dc11e8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82dc11e8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82dc11e8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x82dc11e8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82dc11e8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x82dc11e8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
Process: System Address: 0x822c51e8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]
Process: System Address: 0x822c51e8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]
Process: System Address: 0x822c51e8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]
Process: System Address: 0x822c51e8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x822c51e8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x822c51e8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]
Process: System Address: 0x822c51e8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x822c51e8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]
Process: System Address: 0x822c51e8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x82d831e8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x82d831e8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82d831e8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82d831e8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x82d831e8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82d831e8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x82d831e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x82fd71e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x82fd71e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x82fd71e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82fd71e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82fd71e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82fd71e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82fd71e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x82fd71e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x82fd71e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82fd71e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x82fd71e8 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x82b53790 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x82b53790 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82b53790 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82b53790 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x82b53790 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x82b53790 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x82d611e8 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x82d611e8 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82d611e8 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82d611e8 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x82d611e8 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82d611e8 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x82d611e8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x829a2790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x829a2790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x829a2790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x829a2790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x829a2790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x829a2790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x829a2790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x829a2790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x829a2790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x829a2790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x829a2790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x829a2790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x829a2790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x829a2790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x829a2790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x829a2790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x829a2790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x829a2790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x829a2790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x829a2790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x829a2790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x829a2790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x829a2790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x829a2790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x829a2790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x829a2790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x829a2790 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x829a2790 Size: -

Object: Hidden Code [Driver: sys, IRP_MJ_CREATE]
Process: System Address: 0x827cf790 Size: -

Object: Hidden Code [Driver: sys, IRP_MJ_CLOSE]
Process: System Address: 0x827cf790 Size: -

Object: Hidden Code [Driver: sys, IRP_MJ_READ]
Process: System Address: 0x827cf790 Size: -

Object: Hidden Code [Driver: sys, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x827cf790 Size: -

Object: Hidden Code [Driver: sys, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x827cf790 Size: -

Object: Hidden Code [Driver: sys, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x827cf790 Size: -

Object: Hidden Code [Driver: sys, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x827cf790 Size: -

Object: Hidden Code [Driver: sys, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x827cf790 Size: -

Object: Hidden Code [Driver: sys, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x827cf790 Size: -

Object: Hidden Code [Driver: sys, IRP_MJ_SHUTDOWN]
Process: System Address: 0x827cf790 Size: -

Object: Hidden Code [Driver: sys, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x827cf790 Size: -

Object: Hidden Code [Driver: sys, IRP_MJ_CLEANUP]
Process: System Address: 0x827cf790 Size: -

Object: Hidden Code [Driver: sys, IRP_MJ_PNP]
Process: System Address: 0x827cf790 Size: -

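The SSDT and Stealth Objects sections above are what a helper reads to decide which hooks belong to installed security software and which still need explaining. As an added example, not code from this thread or from RootRepeal, the Python below parses a constructed excerpt in the same report format, groups the SSDT hooks by hooking module, flags modules missing from a reviewer's allowlist, and reports drivers whose every hooked IRP_MJ dispatch entry resolves to a single address, as every driver in the log above does. The allowlist (only cmdguard.sys, the COMODO driver the DDS log lists as cmdGuard) and the sample text are assumptions; sptd.sys, the SCSI pass-through driver installed by CD-emulation software such as Daemon Tools, is deliberately left off the allowlist so the check shows what a flagged module looks like. A flagged module means it needs identifying, not that it is malicious.

```python
"""Summarise hook entries from a RootRepeal-style report (added example).

The report text below is constructed to mirror the 'SSDT' and 'Stealth
Objects' sections seen in the log; it is not the thread's own output.
"""
import re
from collections import defaultdict

# Modules the reviewer already expects to hook the SSDT on this machine.
# Constructed allowlist: cmdguard.sys is the COMODO driver (cmdGuard in DDS).
KNOWN_HOOKERS = {"cmdguard.sys"}

SAMPLE_REPORT = """\
SSDT
-------------------
#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\\WINDOWS\\System32\\DRIVERS\\cmdguard.sys" at address 0xf3772e5c

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xf8432fb2

#: 119 Function Name: NtOpenKey
Status: Hooked by "sptd.sys" at address 0xf842d0b0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\\WINDOWS\\System32\\DRIVERS\\cmdguard.sys" at address 0xf37723e6

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x82f6a1e8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x82dc11e8 Size: -
"""

FUNC_RE = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\S+)")
HOOK_RE = re.compile(r'^Status:\s*Hooked by\s*"([^"]+)"\s+at address\s+(0x[0-9a-fA-F]+)')
OBJ_RE = re.compile(r"^Object:\s*Hidden Code \[Driver:\s*([^,\]]+),\s*(IRP_MJ_\w+)\]")
ADDR_RE = re.compile(r"^Process:\s*.+?\s+Address:\s*(0x[0-9a-fA-F]+)")


def split_sections(report):
    """Split the report on its 'Name' / '-----' headers; returns {name: [lines]}."""
    sections, current = {}, None
    lines = report.splitlines()
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and lines[i + 1].startswith("---") and line.strip():
            current = line.strip()          # a section title precedes the dashes
            sections[current] = []
        elif line.startswith("---"):
            continue                        # the dashed rule itself
        elif current is not None:
            sections[current].append(line)
    return sections


def ssdt_hooks(sections):
    """Return (index, function, module, address) tuples from the SSDT section."""
    hooks, pending = [], None
    for line in sections.get("SSDT", []):
        m = FUNC_RE.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2))
            continue
        m = HOOK_RE.match(line)
        if m and pending:
            path, addr = m.groups()
            # Keep only the file name so full and bare paths compare equal.
            module = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
            hooks.append((pending[0], pending[1], module, int(addr, 16)))
            pending = None
    return hooks


def hooks_by_module(hooks):
    """Group hooked function names by the module that installed the hook."""
    grouped = defaultdict(list)
    for _idx, func, module, _addr in hooks:
        grouped[module].append(func)
    return dict(grouped)


def unexpected_hookers(hooks, known=KNOWN_HOOKERS):
    """Modules hooking the SSDT that the reviewer has not yet accounted for."""
    return sorted(m for m in hooks_by_module(hooks) if m not in known)


def irp_hooks(sections):
    """Map driver -> {IRP_MJ name: address} from the Stealth Objects section."""
    table, pending = defaultdict(dict), None
    for line in sections.get("Stealth Objects", []):
        m = OBJ_RE.match(line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        m = ADDR_RE.match(line)
        if m and pending:
            table[pending[0]][pending[1]] = int(m.group(1), 16)
            pending = None
    return dict(table)


def drivers_with_single_hook_address(irp):
    """Drivers whose every hooked dispatch entry points at the same address."""
    return sorted(d for d, entries in irp.items() if len(set(entries.values())) == 1)


if __name__ == "__main__":
    secs = split_sections(SAMPLE_REPORT)
    print("SSDT hooks by module:", hooks_by_module(ssdt_hooks(secs)))
    print("Not on allowlist:", unexpected_hookers(ssdt_hooks(secs)))
    print("One address per driver:", drivers_with_single_hook_address(irp_hooks(secs)))
```

Run against a full RootRepeal report in place of SAMPLE_REPORT, the allowlist is the only part that needs tailoring: add each hooking module once you have matched it to a driver the DDS log lists under SERVICES / DRIVERS, and whatever remains flagged is what to look up next.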
#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:47 AM

Posted 06 May 2009 - 04:24 PM

Hello.

Let's remove those two leftover files.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.
  • Double-click ATF-Cleaner.exe to run the program. If you are using Windows Vista, right click the icon and select Run As Administrator.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
Download and Run OTMoveIT
  • Please download OTMoveIt3 by OldTimer to your desktop. If you have already used the program, there is no need to download a new one.
  • Double-click OTMoveIt3.exe to run it. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Copy the lines in the codebox below. Do not copy the word "code".
    :files
    c:\windows\system32\drivers\ygkaimbc.sys
    c:\windows\system32\drivers\laht.sys
    
    :commands
    [emptytemp]
  • Return to OTMoveIt3, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Close all open windows except OTMoveIt.
  • Click the Posted Image button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest ".log" file present, and copy/paste the contents of that document back here in your next post.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Please also take a new DDS.txt log. Include the Attach.txt.

Any problems at the moment?

With Regards,
The Panda

#12 rcmck

rcmck
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Location:everywhere
  • Local time:05:47 AM

Posted 06 May 2009 - 07:13 PM

Thanks,

========== FILES ==========
c:\windows\system32\drivers\ygkaimbc.sys moved successfully.
c:\windows\system32\drivers\laht.sys moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\hlktmp scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Opera cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05062009_180408

Files moved on Reboot...
File move failed. C:\WINDOWS\temp\hlktmp scheduled to be moved on reboot.


and F-Secure

Scanning Report
Wednesday, May 06, 2009 18:16:10 - 20:08:48

Computer name: RE
Scanning type: Scan system for malware, rootkits
Target: C:\
Result: 2 malware found
W32/Packed_Upack.C (virus)

* C:\PROGRAM FILES\SOURCETEC\SOTHINK SWF QUICKER\I-PATCH\SWFQUICKER.EXE (Submitted)

W32/Zlob.gen123 (virus)

* C:\PROGRAM FILES\MOZILLA FIREFOX 3.1 BETA 2\SMITFRAUDFIX\AGENT.OMZ.FIX.EXE (Submitted)

Statistics
Scanned:

* Files: 56850
* System: 2842
* Not scanned: 7

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 2
* Submitted: 2

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\SYSTEM VOLUME INFORMATION\MOUNTPOINTMANAGERREMOTEDATABASE

#13 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:47 AM

Posted 06 May 2009 - 07:41 PM

Hello.

Please take a new DDS.txt log and tell me of any problems that are still present.

With Regards,
The Panda

#14 rcmck

rcmck
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Location:everywhere
  • Local time:05:47 AM

Posted 06 May 2009 - 10:31 PM

Thanks for all the help, I appreciate it. The problem seems to be gone, I am not getting the warning messages and the suspicious files are gone. The last startup/login was a lot slower than usual, but it probably had something to do with the recent clearing of prefetch data, and my computer is no powerhouse anyways. But other than that everything seems normal, if not better than before. Here is the requested log:


DDS (Ver_09-03-16.01) - NTFSx86
Run by admin at 23:23:05.71 on Wed 05/06/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.267 [GMT -4:00]

AV: COMODO Antivirus *On-access scanning enabled* (Updated)
FW: COMODO Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Comodo\COMODO Internet Security\cfp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: UIHost=c:\windows\system32\logonui.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [lxczbmgr.exe] "c:\program files\lexmark 1200 series\lxczbmgr.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\nt5pyg4b.default\
FF - prefs.js: browser.search.selectedEngine - Amazon.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: XUL Cache: {8ADE576B-2E29-4ABB-9D19-DF2B8F45B149} - c:\documents and settings\admin\local settings\application data\{8ADE576B-2E29-4ABB-9D19-DF2B8F45B149}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-3-24 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-3-24 24336]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2006-10-10 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 55024]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-3-24 700152]
R2 lxcz_device;lxcz_device;c:\windows\system32\lxczcoms.exe -service --> c:\windows\system32\lxczcoms.exe -service [?]
S3 aswArKrn;aswArKrn;\??\c:\docume~1\admin\locals~1\temp\aswarkrn.sys --> c:\docume~1\admin\locals~1\temp\aswArKrn.sys [?]
S3 perm2;perm2;c:\windows\system32\drivers\perm2.sys [2008-8-4 27904]
S3 ProtoWall;ProtoWall Network Service;c:\windows\system32\drivers\protowall.sys --> c:\windows\system32\drivers\ProtoWall.sys [?]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [2008-7-15 36928]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
S3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2008-9-2 100352]
S4 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2008-6-21 425080]
S4 hasplms;HASP License Manager; [x]

=============== Created Last 30 ================

2009-05-06 18:12 <DIR> --d----- C:\fsaua.data
2009-05-06 18:04 <DIR> --d----- C:\_OTMoveIt
2009-05-06 00:38 8 a------- c:\documents and settings\admin\settings.dat
2009-05-04 18:42 <DIR> a-dshr-- C:\cmdcons
2009-05-04 18:41 161,792 a------- c:\windows\SWREG.exe
2009-05-04 18:41 98,816 a------- c:\windows\sed.exe
2009-04-30 02:26 <DIR> --d----- C:\font
2009-04-24 14:41 130,140 a---h--- c:\windows\system32\mlfcache.dat
2009-04-14 23:25 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-14 23:25 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-14 23:25 35,328 -c------ c:\windows\system32\dllcache\sc.exe
2009-04-14 23:25 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-14 23:25 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-14 23:25 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 23:25 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 23:25 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 23:25 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-14 23:25 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-14 23:24 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-14 23:24 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 23:24 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-13 00:28 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-13 00:28 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-13 00:28 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-09 02:25 153 a------- c:\windows\cavscan.INI

==================== Find3M ====================

2009-03-24 01:01 155,384 a------- c:\windows\system32\guard32.dll
2009-03-24 01:01 110,992 a------- c:\windows\system32\drivers\cmdguard.sys
2009-03-24 01:01 24,336 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-20 04:10 666,112 a------- c:\windows\system32\wininet.dll
2009-02-20 04:10 81,920 a------- c:\windows\system32\ieencode.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2008-09-18 20:12 14,290 a------- c:\program files\settings.dat
2007-03-23 19:59 181 a--shr-- c:\windows\Regbak.dat

============= FINISH: 23:23:50.14 ===============

#15 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:47 AM

Posted 07 May 2009 - 05:10 PM

Hello.

The logs look clean. Let's wrap up.

Uninstall ComboFix
Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type the following into the runbox and click OK. Notice the space between the "x" and "/".
    ComboFix /u

Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Reset clock settings to standard format.
  • Hide file extensions and hidden/system files.
  • Clear the System Restore cache and create a new restore point.
Run Cleanup! with OTMoveIt
Let's clear out the tools we've used.
  • Double click the OTMoveIt3.exe icon on your desktop to start the program.
  • Click the Cleanup! button.
  • A pop-up box will appear asking "Begin Removal Process?". Click Yes.
  • Click Yes when asked to reboot.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any questions or concerns?

With Regards,
The Panda



