
SmitFraud-C infection cleanup


  • This topic is locked
13 replies to this topic

#1 Jamezu

Jamezu

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:43 AM

Posted 20 April 2009 - 05:03 PM

Hi,

I had an infection yesterday, noticeable from the systray pop-up telling me I was infected and a funny red/blue/yellow patterned desktop background. I immediately shut down and have since run Spybot S&D 3 or 4 times to try to clear the problem; it has detected and allegedly fixed the following problems:

- Win32.Agent.pz
- Win32.Agent.gpr
- Smitfraud-C.
- Win32.Renos.ik
- Corresponding Windows and WindowsSecurityCenter registry changes
- (Not sure if it is relevant but I had also been affected by Zlob at the end of last year)

This seemed to stop most of the nasties, but left my computer in a bit of a state:

- NA VirusScan 8.0 kept detecting a buffer overflow in explorer.exe, so my desktop kept crashing
- lsass.exe was continually trying to run a DLL (c:\windows\ceapodin.dll)
- Firefox kept crashing when trying to get onto any security-related sites
- Couldn't change desktop background
- Task Manager behaviour was funny
- Hijackthis reporting registry access errors

So I have since gone into safe mode and run SmitfraudFix (option 2), which seems to have cleared most of the problems up - it reported a few "file not found"-type messages. I have kept the rapport.txt file in case it is useful later.

But I am still affected by not being able to change my desktop background, so I think I am most of the way there, but not all the way. I didn't want to run any more fixes until I got some advice - but at least I can get onto this website now!!!

Please find below, and attached, the DDS outputs. Thank you very much for your help in advance.

Kind regards,
James


DDS (Ver_09-03-16.01) - NTFSx86
Run by James at 22:37:42.11 on 20/04/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.11 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NDAS\System\ndassvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\James\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\TBMon.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck /autofix
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: citigroup.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli ceapodin.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\james\applic~1\mozilla\firefox\profiles\pi1rpgjo.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R0 lpx;LPX Protocol;c:\windows\system32\drivers\lpx.sys [2005-2-9 109184]
R1 lfsfilt;Lean File Sharing;c:\windows\system32\drivers\lfsfilt.sys [2005-8-2 120704]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2006-4-9 58048]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2006-4-9 102463]
R2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2004-9-22 221191]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2004-9-22 28672]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-4-9 108256]
R3 ndasbus;NDAS Bus Driver;c:\windows\system32\drivers\ndasbus.sys [2005-2-9 38656]
R3 NETGEAR_WPN511_SERVICE;NETGEAR WPN511 Wireless Adapter Service;c:\windows\system32\drivers\wpn511.sys [2008-5-21 488992]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\documents and settings\james\desktop\virtualcd\vcdrom.sys --> c:\documents and settings\james\desktop\virtualcd\VCdRom.sys [?]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [2006-9-11 16194]
S3 efipsk;efipsk;\??\c:\docume~1\james\locals~1\temp\efipsk.sys --> c:\docume~1\james\locals~1\temp\efipsk.sys [?]
S3 ndasscsi;NDAS SCSI Miniport Driver;c:\windows\system32\drivers\ndasscsi.sys [2005-2-9 90752]
S3 rtl8180;Belkin 11Mbps Wireless Notebook Network Card Driver;c:\windows\system32\drivers\Bel6020.sys [2005-4-20 168448]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2003-8-28 189792]

=============== Created Last 30 ================

2009-04-20 22:29 <DIR> --d----- c:\program files\SpywareBlaster
2009-04-20 22:05 3,566 a------- c:\windows\system32\tmp.reg
2009-04-20 22:00 <DIR> --d----- C:\SmitfraudFix
2009-04-20 21:42 1,529,241 a------- C:\SDFix.exe
2009-04-20 21:42 2,998,034 a------- C:\ComboFix.exe
2009-04-20 21:42 1,831,732 a------- C:\SmitfraudFix.exe
2009-04-20 21:38 <DIR> --d----- C:\HiJackThis
2009-04-20 21:38 318,369 a------- C:\HiJackThis.zip
2009-04-20 01:22 1,581 a------- c:\windows\opugiravucuya.dll
2009-04-20 01:12 389,120 a------- c:\windows\system32\CF31164.exe
2009-04-19 21:00 88 a--sh--- c:\windows\system32\2283161848.dat
2009-04-17 22:42 67,584 a------- c:\windows\system32\ff_vfw.dll
2009-04-17 22:42 547 a------- c:\windows\system32\ff_vfw.dll.manifest
2009-04-17 22:42 60,273 a------- c:\windows\system32\pthreadGC2.dll
2009-04-17 22:42 <DIR> --d----- c:\program files\K-Lite Codec Pack
2009-04-16 20:38 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-16 20:38 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-16 20:38 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-16 20:37 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-16 20:37 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 20:37 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 20:37 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 20:37 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-16 20:37 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-16 20:28 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-16 20:28 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 20:28 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-10 15:12 <DIR> --d----- c:\documents and settings\james\Tracing
2009-04-10 15:09 <DIR> --d----- c:\program files\Microsoft
2009-04-10 15:05 <DIR> --d----- c:\program files\common files\Windows Live

==================== Find3M ====================

2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 19:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 13:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 13:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 13:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 13:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 12:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-02-06 12:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 12:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 11:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-03 20:59 56,832 a------- c:\windows\system32\secur32.dll
2007-10-10 23:51 32 a----r-- c:\documents and settings\all users\hash.dat
2006-06-22 15:42 86,016 a------- c:\documents and settings\james\IDHWTSS1.dll
2006-06-22 14:06 81,920 a------- c:\documents and settings\james\hobjni.dll
2005-12-01 07:54 36,868 a------- c:\documents and settings\james\PrtDLL.dll
2005-10-21 22:37 8,192 a--sh--- c:\windows\o2cLicStore.bin
2007-08-17 00:03 12,208 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-07-10 03:11 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071020080711\index.dat
2008-08-01 23:42 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2008-08-01 23:42 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2008-08-01 23:42 16,384 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 22:40:28.37 ===============


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:02:43 AM

Posted 04 May 2009 - 08:29 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 Jamezu

Jamezu
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:43 AM

Posted 05 May 2009 - 02:40 PM

Hi K,

Thanks for your response. Since my original post, I have done a few more things to try and clean up my computer, and have managed to get it in a reasonably working state now. But I'm still suspicious of the infection and whether I should rebuild my computer...?

- Ran ComboFix
- Ran MB-AM
- Ran SmitFraudFix again
- Installed SUPERAntiSpyware and ran it
- Uninstalled NA VirusScan 8.0 (as I was worried it didn't catch any of these infections first time around)
- Installed Avast! instead (bit noisy, but OK I guess)
- Edited the registry to remove the reference to ceapodin.dll in lsass.exe (I kept getting RUNDLL crashes before I did this)
- General tidy up of running services to get things more streamlined

Below (and attached) is the recent DDS run.

Thanks!

DDS (Ver_09-03-16.01) - NTFSx86
Run by James at 20:28:26.23 on 05/05/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.239 [GMT 1:00]

AV: avast! antivirus 4.8.1335 [VPS 090505-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\James\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = www.google.co.uk
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\james\applic~1\mozilla\firefox\profiles\pi1rpgjo.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R0 lpx;LPX Protocol;c:\windows\system32\drivers\lpx.sys [2005-2-9 109184]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-4-24 114768]
R1 lfsfilt;Lean File Sharing;c:\windows\system32\drivers\lfsfilt.sys [2005-8-2 120704]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-4-24 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-4-24 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-4-24 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-4-24 352920]
R3 ndasbus;NDAS Bus Driver;c:\windows\system32\drivers\ndasbus.sys [2005-2-9 38656]
R3 NETGEAR_WPN511_SERVICE;NETGEAR WPN511 Wireless Adapter Service;c:\windows\system32\drivers\wpn511.sys [2008-5-21 488992]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\documents and settings\james\desktop\virtualcd\vcdrom.sys --> c:\documents and settings\james\desktop\virtualcd\VCdRom.sys [?]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [2006-9-11 16194]
S3 efipsk;efipsk;\??\c:\docume~1\james\locals~1\temp\efipsk.sys --> c:\docume~1\james\locals~1\temp\efipsk.sys [?]
S3 ndasscsi;NDAS SCSI Miniport Driver;c:\windows\system32\drivers\ndasscsi.sys [2005-2-9 90752]
S3 rtl8180;Belkin 11Mbps Wireless Notebook Network Card Driver;c:\windows\system32\drivers\Bel6020.sys [2005-4-20 168448]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2003-8-28 189792]

=============== Created Last 30 ================

2009-05-02 19:38 1,582 a------- c:\windows\obutaludejemila.dll
2009-05-02 18:36 1,582 a------- c:\windows\oqutuket.dll
2009-05-02 17:34 1,582 a------- c:\windows\obafukin.dll
2009-05-02 16:32 1,582 a------- c:\windows\ekuvinasowovone.dll
2009-05-02 15:30 1,582 a------- c:\windows\ebolipizuluf.dll
2009-05-02 14:28 1,582 a------- c:\windows\ucujuqodihoducex.dll
2009-05-02 13:26 1,582 a------- c:\windows\ehotepopegogaj.dll
2009-05-02 12:24 1,582 a------- c:\windows\aletanabo.dll
2009-05-02 11:22 1,582 a------- c:\windows\erosoxebuxe.dll
2009-05-02 10:20 1,582 a------- c:\windows\egisicuz.dll
2009-05-02 09:28 1,586 a------- c:\windows\kbclatet.dll
2009-05-02 09:18 1,582 a------- c:\windows\okaladiwoxewof.dll
2009-05-01 02:17 1,582 a------- c:\windows\ifiziresoxiw.dll
2009-05-01 01:15 1,582 a------- c:\windows\upijukij.dll
2009-05-01 00:13 1,582 a------- c:\windows\ekiwisucejalafoq.dll
2009-04-30 23:11 1,582 a------- c:\windows\oduvugiy.dll
2009-04-30 22:09 1,582 a------- c:\windows\iruholurac.dll
2009-04-30 21:17 1,586 a------- c:\windows\wsel47.dll
2009-04-30 21:07 1,582 a------- c:\windows\oqojegoz.dll
2009-04-28 22:44 1,586 a------- c:\windows\w4Su32.dll
2009-04-28 22:34 1,582 a------- c:\windows\aceyoqeviwecedu.dll
2009-04-28 22:29 1,582 a------- c:\windows\ujedijib.dll
2009-04-28 00:28 1,582 a------- c:\windows\ahapakuk.dll
2009-04-27 23:26 1,582 a------- c:\windows\usoqowaq.dll
2009-04-27 22:24 1,582 a------- c:\windows\alegijobake.dll
2009-04-27 21:23 1,582 a------- c:\windows\okiruqeh.dll
2009-04-27 20:30 1,586 a------- c:\windows\wtwidc.dll
2009-04-27 20:20 1,582 a------- c:\windows\azuwetur.dll
2009-04-26 20:34 1,582 a------- c:\windows\itatehob.dll
2009-04-26 19:32 1,582 a------- c:\windows\epofamav.dll
2009-04-26 18:30 1,582 a------- c:\windows\ubidoqevoy.dll
2009-04-26 17:28 1,582 a------- c:\windows\onaxunak.dll
2009-04-26 16:26 1,582 a------- c:\windows\ofacekiqaqojune.dll
2009-04-26 15:24 1,582 a------- c:\windows\ugegazinufewor.dll
2009-04-26 14:22 1,582 a------- c:\windows\ibicubalepinube.dll
2009-04-26 13:20 1,582 a------- c:\windows\obewedigojeru.dll
2009-04-26 12:18 1,582 a------- c:\windows\ehupikepeqepijo.dll
2009-04-26 11:16 1,582 a------- c:\windows\icuvahohilofej.dll
2009-04-26 10:14 1,582 a------- c:\windows\edemapesepe.dll
2009-04-26 09:12 1,582 a------- c:\windows\emelukelikufevor.dll
2009-04-26 08:10 1,582 a------- c:\windows\ipuwemowemowe.dll
2009-04-26 07:08 1,582 a------- c:\windows\itipiseriyovuzi.dll
2009-04-26 06:06 1,582 a------- c:\windows\aroliyun.dll
2009-04-26 05:04 1,582 a------- c:\windows\ehureveg.dll
2009-04-26 04:02 1,582 a------- c:\windows\odupalam.dll
2009-04-26 03:00 1,582 a------- c:\windows\evefozuzifowasi.dll
2009-04-26 01:58 1,582 a------- c:\windows\ehipejideduvaka.dll
2009-04-26 01:44 1,588 a------- c:\windows\lpidlil.dll
2009-04-26 00:56 1,582 a------- c:\windows\eqalurupohof.dll
2009-04-25 23:54 1,582 a------- c:\windows\agicogot.dll
2009-04-25 22:52 1,582 a------- c:\windows\umiboqutunag.dll
2009-04-25 21:50 1,582 a------- c:\windows\afohemofivutamu.dll
2009-04-25 21:30 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-25 21:19 <DIR> --d----- c:\documents and settings\james\Tracing
2009-04-25 20:48 1,582 a------- c:\windows\etutixivum.dll
2009-04-25 19:46 1,582 a------- c:\windows\etelowadilakizax.dll
2009-04-25 18:44 1,582 a------- c:\windows\uguzoyip.dll
2009-04-25 17:42 1,582 a------- c:\windows\atarezat.dll
2009-04-25 16:40 1,582 a------- c:\windows\oweraxifokel.dll
2009-04-25 15:38 1,582 a------- c:\windows\akapufaxaw.dll
2009-04-25 14:36 1,582 a------- c:\windows\atiguyorukemomop.dll
2009-04-25 13:44 1,586 a------- c:\windows\ontmaL.dll
2009-04-25 13:34 1,582 a------- c:\windows\isojafec.dll
2009-04-25 10:38 1,582 a------- c:\windows\usaziqipuz.dll
2009-04-25 10:24 1,588 a------- c:\windows\afcmivcv.dll
2009-04-25 09:36 1,582 a------- c:\windows\ofexuxabibidovug.dll
2009-04-25 08:34 1,582 a------- c:\windows\oqodafuga.dll
2009-04-25 07:32 1,582 a------- c:\windows\utozamilab.dll
2009-04-25 06:30 1,582 a------- c:\windows\agaxacodeneqehex.dll
2009-04-25 05:28 1,582 a------- c:\windows\eqalanunevifohah.dll
2009-04-25 04:26 1,582 a------- c:\windows\ucaciviciduhak.dll
2009-04-25 03:24 1,582 a------- c:\windows\unavivamebopevu.dll
2009-04-25 02:22 1,582 a------- c:\windows\agitomivo.dll
2009-04-25 01:20 1,582 a------- c:\windows\ivuriqurej.dll
2009-04-25 00:18 1,582 a------- c:\windows\onakikodurexu.dll
2009-04-24 23:16 1,582 a------- c:\windows\upajufan.dll
2009-04-24 22:24 1,586 a------- c:\windows\apipdl32.dll
2009-04-24 22:14 1,582 a------- c:\windows\ixaduraya.dll
2009-04-24 20:58 1,582 a------- c:\windows\erufoceqozuzeqij.dll
2009-04-24 02:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-24 02:10 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-24 02:10 <DIR> --d----- c:\docume~1\james\applic~1\SUPERAntiSpyware.com
2009-04-24 02:03 1,582 a------- c:\windows\opowucobuhog.dll
2009-04-24 01:05 1,586 a------- c:\windows\sdsexypx.dll
2009-04-24 01:03 1,566 a------- c:\windows\ehivuqad.dll
2009-04-24 00:48 2,866 a------- c:\windows\system32\tmp.reg
2009-04-23 23:22 <DIR> --d----- c:\docume~1\james\applic~1\Malwarebytes
2009-04-23 23:22 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-23 23:22 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-23 23:21 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-23 23:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-23 22:36 161,792 a------- c:\windows\SWREG.exe
2009-04-23 22:36 98,816 a------- c:\windows\sed.exe
2009-04-22 19:23 1,585 a------- c:\windows\imgpidi.dll
2009-04-22 19:14 1,581 a------- c:\windows\avamulopoci.dll
2009-04-21 07:30 1,581 a------- c:\windows\obacabafo.dll
2009-04-21 06:28 1,581 a------- c:\windows\ecatofokeyibe.dll
2009-04-21 05:26 1,581 a------- c:\windows\ofuhogajimonob.dll
2009-04-21 04:24 1,581 a------- c:\windows\ifasasiyuw.dll
2009-04-21 03:22 1,581 a------- c:\windows\arezuyufomorabul.dll
2009-04-21 02:20 1,581 a------- c:\windows\iseneburimuquj.dll
2009-04-21 01:27 1,585 a------- c:\windows\pesvc3j.dll
2009-04-21 01:19 1,581 a------- c:\windows\ujepesepe.dll
2009-04-21 00:21 1,581 a------- c:\windows\ayacemucoro.dll
2009-04-20 23:19 1,581 a------- c:\windows\uyolixib.dll
2009-04-20 23:04 <DIR> --d----- C:\Cleanup
2009-04-20 22:29 <DIR> --d----- c:\program files\SpywareBlaster
2009-04-20 22:00 <DIR> --d----- C:\SmitfraudFix
2009-04-20 21:38 <DIR> --d----- C:\HiJackThis
2009-04-20 01:22 1,581 a------- c:\windows\opugiravucuya.dll
2009-04-19 21:00 88 a--sh--- c:\windows\system32\2283161848.dat
2009-04-17 22:42 67,584 a------- c:\windows\system32\ff_vfw.dll
2009-04-17 22:42 547 a------- c:\windows\system32\ff_vfw.dll.manifest
2009-04-17 22:42 <DIR> --d----- c:\program files\K-Lite Codec Pack
2009-04-16 20:38 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-16 20:38 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-16 20:38 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-16 20:37 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-16 20:37 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 20:37 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 20:37 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 20:37 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-16 20:37 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-16 20:28 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-16 20:28 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 20:28 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-10 15:09 <DIR> --d----- c:\program files\Microsoft
2009-04-10 15:05 <DIR> --d----- c:\program files\common files\Windows Live

==================== Find3M ====================

2009-04-25 21:28 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 19:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 13:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 13:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 13:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 13:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 12:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-02-06 12:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 12:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 11:39 35,328 a------- c:\windows\system32\sc.exe
2007-10-10 23:51 32 a----r-- c:\documents and settings\all users\hash.dat
2006-06-22 15:42 86,016 a------- c:\documents and settings\james\IDHWTSS1.dll
2006-06-22 14:06 81,920 a------- c:\documents and settings\james\hobjni.dll
2005-12-01 07:54 36,868 a------- c:\documents and settings\james\PrtDLL.dll
2005-10-21 22:37 8,192 a--sh--- c:\windows\o2cLicStore.bin
2007-08-17 00:03 12,208 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-07-10 03:11 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071020080711\index.dat

============= FINISH: 20:29:27.62 ===============
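The two things a helper would pull out of the logs in this thread, the LSA Notification Packages entry naming a DLL other than the stock scecli (ceapodin.dll in the first log) and the run of ~1.5 KB random-named DLLs dropped into c:\windows roughly once an hour, can be checked mechanically. This is an added example, not part of the thread or of DDS itself; the sample lines are constructed from the posted output, and the size and interval thresholds are assumptions chosen to match it.

```python
"""Triage helper for DDS-style logs (added example, not part of DDS).

Flags two indicators visible in the thread:
  1. an 'LSA: Notification Packages' line listing anything beyond the
     stock 'scecli' entry (such DLLs are loaded by lsass.exe at boot);
  2. bursts of small, same-size DLLs with random-looking names created
     directly in c:\\windows at regular intervals.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, copied in shape from the DDS output posted above.
SAMPLE_LOG = r"""
LSA: Notification Packages = scecli ceapodin.dll
=============== Created Last 30 ================
2009-05-02 19:38 1,582 a------- c:\windows\obutaludejemila.dll
2009-05-02 18:36 1,582 a------- c:\windows\oqutuket.dll
2009-05-02 17:34 1,582 a------- c:\windows\obafukin.dll
2009-05-02 16:32 1,582 a------- c:\windows\ekuvinasowovone.dll
2009-05-02 15:30 1,582 a------- c:\windows\ebolipizuluf.dll
2009-04-25 21:30 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-23 23:22 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-20 22:29 <DIR> --d----- c:\program files\SpywareBlaster
==================== Find3M ====================
""".strip("\n")

# DDS "Created Last 30" entry: date time size attributes path
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+|<DIR>)\s+(\S+)\s+(.+)$")


def _basename(name):
    """Lower-case a package name and drop a trailing .dll for comparison."""
    name = name.lower()
    return name[:-4] if name.endswith(".dll") else name


def lsa_notification_extras(log, default=("scecli",)):
    """Return LSA Notification Packages entries that are not in `default`."""
    for line in log.splitlines():
        if line.startswith("LSA: Notification Packages"):
            pkgs = line.split("=", 1)[1].split()
            return [p for p in pkgs if _basename(p) not in default]
    return []


def parse_created(log):
    """Parse file entries (directories skipped) of the 'Created Last 30' section."""
    entries, in_section = [], False
    for line in log.splitlines():
        if line.startswith("====="):
            in_section = "Created Last 30" in line   # any other header ends it
            continue
        m = CREATED_RE.match(line) if in_section else None
        if not m or m.group(2) == "<DIR>":
            continue
        entries.append({
            "when": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"),
            "size": int(m.group(2).replace(",", "")),
            "path": m.group(4).lower(),
        })
    return entries


def suspicious_dll_bursts(entries, min_count=3, max_size=4096,
                          size_slack=16, max_gap_minutes=90):
    """Group small DLLs sitting directly in c:\\windows by near-identical size
    and report groups of min_count+ files created at regular spacing.
    Thresholds are assumptions tuned to the posted log, not DDS rules."""
    small = [e for e in entries
             if e["path"].endswith(".dll")
             and re.fullmatch(r"c:\\windows\\[^\\]+", e["path"])
             and e["size"] <= max_size]
    buckets = defaultdict(list)            # bucket by size, a few bytes of slack
    for e in small:
        buckets[e["size"] // size_slack].append(e)
    findings = []
    for group in buckets.values():
        if len(group) < min_count:
            continue
        group.sort(key=lambda e: e["when"])
        gaps = [(b["when"] - a["when"]).total_seconds() / 60
                for a, b in zip(group, group[1:])]
        if max(gaps) <= max_gap_minutes:
            findings.append({"count": len(group),
                             "size": group[0]["size"],
                             "avg_gap_minutes": round(sum(gaps) / len(gaps)),
                             "files": [e["path"] for e in group]})
    return findings


if __name__ == "__main__":
    print("Non-default LSA notification packages:",
          lsa_notification_extras(SAMPLE_LOG))
    for f in suspicious_dll_bursts(parse_created(SAMPLE_LOG)):
        print(f"{f['count']} x {f['size']}-byte DLLs in c:\\windows, "
              f"~{f['avg_gap_minutes']} min apart: {f['files']}")
```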


#4 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  • Gender:Male
  • Location:Midlands, UK
  • Local time:07:43 AM

Posted 05 May 2009 - 04:22 PM

Hi Jamezu

We post so many times telling people not to run Combofix on their own.... but no one seems to listen.
It's not just about what it removes.... it's about what else is in the report!

As you have run Combofix, please post here the report it produced.
It can be found at:
C:\ComboFix.txt

Thanks.

#5 Jamezu
Topic Starter

Posted 05 May 2009 - 04:35 PM

Thanks Starbuck, I do understand your frustration with people running it on their own, but I had to do something to try to get my computer usable again. I managed to hold off for a few days, but eventually felt I had to go it alone:

ComboFix 09-04-21.03 - James 23/04/2009 22:38.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.359 [GMT 1:00]
Running from: C:\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\James\Application Data\~tmp.html
c:\documents and settings\James\Application Data\config.cfg
c:\windows\system32\MabryObj.dll
c:\windows\system32\pthreadGC2.dll
c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((( Files Created from 2009-03-23 to 2009-04-23 )))))))))))))))))))))))))))))))
.

2009-04-23 21:35 . 2009-04-20 20:01 2998034 ----a-r C:\Combo-Fix.exe
2009-04-22 18:23 . 2009-04-22 18:23 1585 ----a-w c:\windows\imgpidi.dll
2009-04-22 18:14 . 2009-04-22 18:14 1581 ----a-w c:\windows\avamulopoci.dll
2009-04-21 06:30 . 2009-04-21 06:30 1581 ----a-w c:\windows\obacabafo.dll
2009-04-21 05:28 . 2009-04-21 05:28 1581 ----a-w c:\windows\ecatofokeyibe.dll
2009-04-21 04:26 . 2009-04-21 04:26 1581 ----a-w c:\windows\ofuhogajimonob.dll
2009-04-21 03:24 . 2009-04-21 03:24 1581 ----a-w c:\windows\ifasasiyuw.dll
2009-04-21 02:22 . 2009-04-21 02:22 1581 ----a-w c:\windows\arezuyufomorabul.dll
2009-04-21 01:20 . 2009-04-21 01:20 1581 ----a-w c:\windows\iseneburimuquj.dll
2009-04-21 00:27 . 2009-04-21 00:28 1585 ----a-w c:\windows\pesvc3j.dll
2009-04-21 00:19 . 2009-04-21 00:19 1581 ----a-w c:\windows\ujepesepe.dll
2009-04-20 23:21 . 2009-04-20 23:21 1581 ----a-w c:\windows\ayacemucoro.dll
2009-04-20 22:19 . 2009-04-20 22:19 1581 ----a-w c:\windows\uyolixib.dll
2009-04-20 22:04 . 2009-04-20 22:04 -------- d-----w C:\Cleanup
2009-04-20 21:00 . 2009-04-23 21:03 -------- d-----w C:\SmitfraudFix
2009-04-20 20:38 . 2009-04-20 22:04 -------- d-----w C:\HiJackThis
2009-04-20 00:22 . 2009-04-20 00:22 1581 ----a-w c:\windows\opugiravucuya.dll
2009-04-19 20:00 . 2009-04-19 20:02 88 --sha-w c:\windows\system32\2283161848.dat
2009-04-19 16:31 . 2009-04-19 16:31 -------- d-----w c:\documents and settings\James\Local Settings\Application Data\Temporary Projects
2009-04-17 21:42 . 2009-03-02 18:10 67584 ----a-w c:\windows\system32\ff_vfw.dll
2009-04-17 21:42 . 2007-07-10 16:10 547 ----a-w c:\windows\system32\ff_vfw.dll.manifest
2009-04-17 21:42 . 2009-04-17 21:42 -------- d-----w c:\documents and settings\James\Local Settings\Application Data\Real
2009-04-16 19:38 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 19:38 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 19:38 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 19:37 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 19:37 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 19:37 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 19:37 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 19:37 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 19:37 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 19:28 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 19:28 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 19:28 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-23 21:03 . 2009-04-23 21:00 3521 ----a-w C:\rapport.txt
2009-04-22 20:53 . 2008-10-27 20:59 -------- d-----w c:\program files\PS3Portal
2009-04-22 20:41 . 2008-07-03 20:57 -------- d-----w c:\documents and settings\James\Application Data\uTorrent
2009-04-20 21:29 . 2009-04-20 21:29 -------- d-----w c:\program files\SpywareBlaster
2009-04-20 18:02 . 2005-07-26 18:35 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-20 00:21 . 2005-07-26 18:35 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-17 21:44 . 2009-04-17 21:42 -------- d-----w c:\program files\K-Lite Codec Pack
2009-04-16 19:45 . 2006-07-11 12:20 -------- d-----w c:\program files\Mozilla Thunderbird
2009-04-12 23:23 . 2009-02-01 12:00 -------- d-----w c:\documents and settings\James\Application Data\Spotify
2009-04-10 14:11 . 2005-04-20 10:15 54160 ----a-w c:\documents and settings\James\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-10 14:09 . 2009-04-10 14:09 -------- d-----w c:\program files\Microsoft
2009-04-10 14:09 . 2008-12-28 22:10 -------- d-----w c:\program files\Windows Live
2009-04-10 14:05 . 2009-04-10 14:05 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-22 11:39 . 2009-02-03 19:44 -------- d-----w c:\program files\AutoHotkey
2009-03-22 11:34 . 2009-02-01 12:00 -------- d-----w c:\program files\Spotify
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-26 12:04 . 2009-02-16 21:17 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 18:02 . 2004-08-03 22:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 17:52 . 2009-02-06 17:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-04 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2004-08-04 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-05-04 09:01 . 2008-02-09 09:46 53192 ----a-w c:\documents and settings\Media Centre\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-01-01 01:22 . 2005-05-20 22:57 53192 ----a-w c:\documents and settings\Media Player\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-10-10 22:51 . 2007-12-09 22:51 32 ----a-r c:\documents and settings\All Users\hash.dat
2006-06-22 14:42 . 2005-12-01 06:54 86016 ----a-w c:\documents and settings\James\IDHWTSS1.dll
2006-06-22 13:06 . 2005-05-26 23:07 81920 ----a-w c:\documents and settings\James\hobjni.dll
2005-12-01 06:54 . 2005-12-01 06:54 36868 ----a-w c:\documents and settings\James\PrtDLL.dll
2005-05-20 22:57 . 2005-05-20 22:57 135 ----a-w c:\documents and settings\Media Player\Local Settings\Application Data\fusioncache.dat
2005-04-20 14:58 . 2005-04-20 14:58 137 ----a-w c:\documents and settings\NetworkService\Local Settings\Application Data\fusioncache.dat
2005-04-20 12:28 . 2005-04-20 12:28 128 ----a-w c:\documents and settings\James\Local Settings\Application Data\fusioncache.dat
2005-10-21 21:37 . 2005-10-21 21:37 8192 --sha-w c:\windows\o2cLicStore.bin
2007-08-16 23:03 . 2005-08-29 14:42 12208 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-07-10 02:11 . 2008-07-10 02:11 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008071020080711\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-02-10 270128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-02-24 335872]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-02-05 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-02-05 495616]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-12 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-12 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Media Player\Start Menu\Programs\Startup\
Windows Media Player.lnk - c:\program files\Windows Media Player\wmplayer.exe [2005-4-20 64000]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ceapodin.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\PHP Designer 2006\\phpDesignerPrg2006.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\PS3Portal\\hfs.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 lfsfilt;Lean File Sharing;c:\windows\system32\DRIVERS\lfsfilt.sys [2005-02-09 120704]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2004-09-22 58048]
R1 vcdrom;Virtual CD-ROM Device Driver; [x]
R3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [2002-04-11 16194]
R3 efipsk;efipsk; [x]
R3 ndasscsi;NDAS SCSI Miniport Driver;c:\windows\system32\DRIVERS\ndasscsi.sys [2005-02-09 90752]
R3 NETGEAR_WPN511_SERVICE;NETGEAR WPN511 Wireless Adapter Service;c:\windows\system32\DRIVERS\wpn511.sys [2006-03-23 488992]
R3 rtl8180;Belkin 11Mbps Wireless Notebook Network Card Driver;c:\windows\system32\DRIVERS\Bel6020.sys [2003-07-10 168448]
S0 lpx;LPX Protocol;c:\windows\system32\DRIVERS\lpx.sys [2005-02-09 109184]
S3 ndasbus;NDAS Bus Driver;c:\windows\system32\DRIVERS\ndasbus.sys [2005-02-09 38656]

.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: citigroup.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\James\Application Data\Mozilla\Firefox\Profiles\pi1rpgjo.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-23 23:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-436374069-1606980848-1957994488-1003\Software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
@Allowed: (2) (Administrators)
"Policy"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
"Policy"=hex:00,00,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(268)
c:\windows\ceapodin.dll

- - - - - - - > 'explorer.exe'(1324)
c:\windows\ceapodin.dll
.
Completion time: 2009-04-23 23:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-23 22:11

Pre-Run: 1,182,928,896 bytes free
Post-Run: 1,144,619,008 bytes free

193 --- E O F --- 2009-04-17 02:13
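
The two indicators that matter most in the report above are easy to miss among hundreds of lines: the run of 1581/1585-byte DLLs dropped straight into c:\windows at roughly one-hour intervals (each with identical creation and last-write times), the non-default `Notification Packages` entry under the LSA key that names ceapodin.dll, and ComboFix's note that the same DLL is loaded inside lsass.exe and explorer.exe. The following Python triage script is an added example, not code from this thread, from ComboFix or from BleepingComputer. It parses lines in the layout shown in the post and flags those three patterns. The thresholds (three files, at most 4096 bytes), the assumed column meaning (first timestamp is creation, second is last write) and the expected `Notification Packages` set (`scecli` alone on a standalone XP workstation) are assumptions; the sample input is a constructed subset of the report above.

```python
"""
Triage helper for ComboFix-style reports (added example, not ComboFix code).
Assumes the line layouts visible in the report: "created . modified size attrs path"
in the file sections, REGEDIT4-style key headers, and "- - - > 'proc'(pid)" headers
in the "DLLs Loaded Under Running Processes" section.
"""
import re
from collections import namedtuple
from datetime import datetime

# Constructed sample: a hand-picked subset of the report posted above, same layout.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-03-23 to 2009-04-23 )))))))))))))))))))))))))))))))
.

2009-04-23 21:35 . 2009-04-20 20:01 2998034 ----a-r C:\Combo-Fix.exe
2009-04-22 18:23 . 2009-04-22 18:23 1585 ----a-w c:\windows\imgpidi.dll
2009-04-21 06:30 . 2009-04-21 06:30 1581 ----a-w c:\windows\obacabafo.dll
2009-04-21 05:28 . 2009-04-21 05:28 1581 ----a-w c:\windows\ecatofokeyibe.dll
2009-04-21 04:26 . 2009-04-21 04:26 1581 ----a-w c:\windows\ofuhogajimonob.dll
2009-04-20 22:04 . 2009-04-20 22:04 -------- d-----w C:\Cleanup
2009-04-17 21:42 . 2009-03-02 18:10 67584 ----a-w c:\windows\system32\ff_vfw.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ceapodin.dll

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(268)
c:\windows\ceapodin.dll

- - - - - - - > 'explorer.exe'(1324)
c:\windows\ceapodin.dll
"""

Entry = namedtuple("Entry", "created modified size path")

FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)
# A .dll sitting directly in the Windows folder (not in system32 or a subfolder).
ROOT_DLL = re.compile(r"^c:\\windows\\[^\\]+\.dll$", re.IGNORECASE)
PROC_HEADER = re.compile(r"^- - - - - - - > '(?P<proc>[^']+)'\((?P<pid>\d+)\)$")
LSA_KEY = r"[hkey_local_machine\system\currentcontrolset\control\lsa]"
SYSTEM32 = "c:\\windows\\system32\\"


def parse_file_entries(lines):
    """Parse every 'created . modified size attrs path' line (Files Created and
    Find3M sections). First timestamp taken as creation, second as last write
    (assumption); directories carry '--------' instead of a size."""
    entries = []
    for line in lines:
        m = FILE_LINE.match(line.strip())
        if not m:
            continue
        size = int(m["size"]) if m["size"].isdigit() else None
        entries.append(Entry(datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
                             datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
                             size, m["path"].strip()))
    return entries


def find_dropper_cluster(entries, min_count=3, max_size=4096):
    """Heuristic with assumed thresholds: min_count or more tiny DLLs written
    directly into the Windows folder, each created and last written at the same
    minute. Returns them in creation order, or [] below the threshold."""
    hits = sorted((e for e in entries
                   if e.size is not None and e.size <= max_size
                   and e.created == e.modified and ROOT_DLL.match(e.path)),
                  key=lambda e: e.created)
    return hits if len(hits) >= min_count else []


def creation_gaps_minutes(entries):
    """Minutes between consecutive creations; a steady cadence points to a scheduled dropper."""
    return [int((b.created - a.created).total_seconds() // 60)
            for a, b in zip(entries, entries[1:])]


def unexpected_lsa_notification_packages(lines, expected=("scecli",)):
    """Entries of the LSA 'Notification Packages' value outside the expected set.
    Anything listed here is loaded into lsass.exe at boot as a password-filter DLL,
    which is how ceapodin.dll ended up inside lsass in the report."""
    in_lsa = False
    for line in lines:
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_lsa = s.lower() == LSA_KEY
            continue
        if in_lsa and s.startswith("Notification Packages"):
            values = s.split("REG_MULTI_SZ", 1)[1].split()
            return [v for v in values if v.lower() not in expected]
    return []


def dlls_outside_system32(lines):
    """Map process name -> DLLs ComboFix listed for it that do not live under system32."""
    found, current = {}, None
    for line in lines:
        s = line.strip()
        m = PROC_HEADER.match(s)
        if m:
            current = m["proc"]
            continue
        if current and s.lower().endswith(".dll") and not s.lower().startswith(SYSTEM32):
            found.setdefault(current, []).append(s)
    return found


def triage(log_text):
    """Run all three checks over one report and return the findings."""
    lines = log_text.splitlines()
    cluster = find_dropper_cluster(parse_file_entries(lines))
    return {
        "dropper_cluster": [e.path for e in cluster],
        "dropper_gaps_min": creation_gaps_minutes(cluster),
        "lsa_notification": unexpected_lsa_notification_packages(lines),
        "dlls_outside_system32": dlls_outside_system32(lines),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample, `triage` returns the four dropped DLLs in creation order with gaps of 62, 62 and 2153 minutes between them, `ceapodin.dll` as the stray notification package, and the same path under both `lsass.exe` and `explorer.exe`. Feeding the full report in gives the same answer; the Find3M lines parse with the same regex, so the script is also a quick way to diff two reports from the same machine.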

#6 Starbuck
Malware Response Team

Posted 05 May 2009 - 05:06 PM

Hi Jamezu

Ok, let's do this properly then.
I've highlighted the wrong points in your CF header:

ComboFix 09-04-21.03 - James 23/04/2009 22:38.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.359 [GMT 1:00]
Running from: C:\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.


Please remove this copy of Combofix and download a fresh one as per the following instructions:

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
    For more information read:
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

    Then:
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    If running Vista, you may not see this screen
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks.

#7 Jamezu
Topic Starter

Posted 05 May 2009 - 05:27 PM

Yes, my computer got itself into such a state that it would not start up in normal mode, nor in safe mode with networking, so only safe mode worked. Hence I couldn't download the recovery console. Anyway, here's the log from this run:

Thank you!


ComboFix 09-05-05.03 - James 05/05/2009 23:15.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.285 [GMT 1:00]
Running from: c:\documents and settings\James\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090505-0] *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\aceyoqeviwecedu.dll
c:\windows\afcmivcv.dll
c:\windows\afohemofivutamu.dll
c:\windows\agaxacodeneqehex.dll
c:\windows\agicogot.dll
c:\windows\agitomivo.dll
c:\windows\ahapakuk.dll
c:\windows\akapufaxaw.dll
c:\windows\alegijobake.dll
c:\windows\aletanabo.dll
c:\windows\apipdl32.dll
c:\windows\arezuyufomorabul.dll
c:\windows\aroliyun.dll
c:\windows\atarezat.dll
c:\windows\atiguyorukemomop.dll
c:\windows\avamulopoci.dll
c:\windows\ayacemucoro.dll
c:\windows\azuwetur.dll
c:\windows\ebolipizuluf.dll
c:\windows\ecatofokeyibe.dll
c:\windows\edemapesepe.dll
c:\windows\egisicuz.dll
c:\windows\ehipejideduvaka.dll
c:\windows\ehivuqad.dll
c:\windows\ehotepopegogaj.dll
c:\windows\ehupikepeqepijo.dll
c:\windows\ehureveg.dll
c:\windows\ekiwisucejalafoq.dll
c:\windows\ekuvinasowovone.dll
c:\windows\emelukelikufevor.dll
c:\windows\epofamav.dll
c:\windows\eqalanunevifohah.dll
c:\windows\eqalurupohof.dll
c:\windows\erosoxebuxe.dll
c:\windows\erufoceqozuzeqij.dll
c:\windows\etelowadilakizax.dll
c:\windows\etutixivum.dll
c:\windows\evefozuzifowasi.dll
c:\windows\ibicubalepinube.dll
c:\windows\icuvahohilofej.dll
c:\windows\ifasasiyuw.dll
c:\windows\ifiziresoxiw.dll
c:\windows\imgpidi.dll
c:\windows\ipuwemowemowe.dll
c:\windows\iruholurac.dll
c:\windows\iseneburimuquj.dll
c:\windows\isojafec.dll
c:\windows\itatehob.dll
c:\windows\itipiseriyovuzi.dll
c:\windows\ivuriqurej.dll
c:\windows\ixaduraya.dll
c:\windows\kbclatet.dll
c:\windows\lpidlil.dll
c:\windows\obacabafo.dll
c:\windows\obafukin.dll
c:\windows\obewedigojeru.dll
c:\windows\obutaludejemila.dll
c:\windows\odupalam.dll
c:\windows\oduvugiy.dll
c:\windows\ofacekiqaqojune.dll
c:\windows\ofexuxabibidovug.dll
c:\windows\ofuhogajimonob.dll
c:\windows\okaladiwoxewof.dll
c:\windows\okiruqeh.dll
c:\windows\onakikodurexu.dll
c:\windows\onaxunak.dll
c:\windows\ontmaL.dll
c:\windows\opowucobuhog.dll
c:\windows\opugiravucuya.dll
c:\windows\oqodafuga.dll
c:\windows\oqojegoz.dll
c:\windows\oqutuket.dll
c:\windows\oweraxifokel.dll
c:\windows\pesvc3j.dll
c:\windows\sdsexypx.dll
c:\windows\system32\tmp.reg
c:\windows\ubidoqevoy.dll
c:\windows\ucaciviciduhak.dll
c:\windows\ucujuqodihoducex.dll
c:\windows\ugegazinufewor.dll
c:\windows\uguzoyip.dll
c:\windows\ujedijib.dll
c:\windows\ujepesepe.dll
c:\windows\umiboqutunag.dll
c:\windows\unavivamebopevu.dll
c:\windows\upajufan.dll
c:\windows\upijukij.dll
c:\windows\usaziqipuz.dll
c:\windows\usoqowaq.dll
c:\windows\utozamilab.dll
c:\windows\uyolixib.dll
c:\windows\w4Su32.dll
c:\windows\wsel47.dll
c:\windows\wtwidc.dll

.
((((((((((((((((((((((((( Files Created from 2009-04-05 to 2009-05-05 )))))))))))))))))))))))))))))))
.

2009-05-05 20:06 . 2003-06-25 15:05 266360 ----a-w c:\windows\system32\TweakUI.exe
2009-04-25 20:28 . 2009-04-25 20:28 -------- d-----w c:\program files\Java
2009-04-25 20:19 . 2009-05-04 18:51 -------- d-----w c:\documents and settings\James\Tracing
2009-04-24 20:27 . 2009-04-24 20:27 -------- d-----w c:\program files\Alwil Software
2009-04-24 01:11 . 2009-04-24 01:11 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-24 01:10 . 2009-04-30 20:09 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-24 01:10 . 2009-04-24 01:10 -------- d-----w c:\documents and settings\James\Application Data\SUPERAntiSpyware.com
2009-04-23 22:22 . 2009-04-23 22:22 -------- d-----w c:\documents and settings\James\Application Data\Malwarebytes
2009-04-23 22:22 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-23 22:22 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-23 22:21 . 2009-04-23 22:21 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-23 22:21 . 2009-04-23 22:22 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-20 22:04 . 2009-05-05 19:59 -------- d-----w C:\Cleanup
2009-04-20 21:29 . 2009-04-20 21:29 -------- d-----w c:\program files\SpywareBlaster
2009-04-20 21:00 . 2009-04-23 23:50 -------- d-----w C:\SmitfraudFix
2009-04-20 20:38 . 2009-04-20 22:04 -------- d-----w C:\HiJackThis
2009-04-19 20:00 . 2009-04-19 20:02 88 --sha-w c:\windows\system32\2283161848.dat
2009-04-19 16:31 . 2009-04-19 16:31 -------- d-----w c:\documents and settings\James\Local Settings\Application Data\Temporary Projects
2009-04-17 21:43 . 2004-01-25 16:18 217088 ----a-w c:\windows\system32\yv12vfw.dll
2009-04-17 21:43 . 2008-12-07 18:08 795648 ----a-w c:\windows\system32\xvidcore.dll
2009-04-17 21:43 . 2008-12-07 18:08 130048 ----a-w c:\windows\system32\xvidvfw.dll
2009-04-17 21:43 . 2008-11-06 16:37 3596288 ----a-w c:\windows\system32\qt-dx331.dll
2009-04-17 21:43 . 2008-12-11 00:33 86016 ----a-w c:\windows\system32\dpl100.dll
2009-04-17 21:43 . 2008-11-06 16:33 684032 ----a-w c:\windows\system32\divx.dll
2009-04-17 21:42 . 2009-03-02 18:10 67584 ----a-w c:\windows\system32\ff_vfw.dll
2009-04-17 21:42 . 2009-04-17 21:42 -------- d-----w c:\documents and settings\James\Local Settings\Application Data\Real
2009-04-17 21:42 . 2009-04-17 21:44 -------- d-----w c:\program files\K-Lite Codec Pack
2009-04-16 19:38 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 19:38 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 19:38 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 19:37 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 19:37 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 19:37 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 19:37 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 19:37 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 19:37 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 19:28 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 19:28 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-10 14:09 . 2009-04-10 14:09 -------- d-----w c:\program files\Microsoft
2009-04-10 14:05 . 2009-04-10 14:05 -------- d-----w c:\program files\Common Files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-05 21:49 . 2006-07-11 12:20 -------- d-----w c:\program files\Mozilla Thunderbird
2009-05-03 10:09 . 2006-07-08 21:20 -------- d-----w c:\program files\PHP Designer 2006
2009-04-27 20:12 . 2008-10-27 20:59 -------- d-----w c:\program files\PS3Portal
2009-04-25 20:28 . 2008-11-23 19:44 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-24 01:09 . 2006-07-25 22:56 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-24 00:23 . 2007-12-16 18:49 -------- d-----w c:\program files\CCleaner
2009-04-20 00:21 . 2005-07-26 18:35 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-10 14:11 . 2005-04-20 10:15 54160 ----a-w c:\documents and settings\James\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-10 14:09 . 2008-12-28 22:10 -------- d-----w c:\program files\Windows Live
2009-03-22 11:39 . 2009-02-03 19:44 -------- d-----w c:\program files\AutoHotkey
2009-03-22 11:34 . 2009-02-01 12:00 -------- d-----w c:\program files\Spotify
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 18:02 . 2004-08-03 22:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 17:52 . 2009-02-06 17:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-04 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2005-10-21 21:37 . 2005-10-21 21:37 8192 --sha-w c:\windows\o2cLicStore.bin
2007-08-16 23:03 . 2005-08-29 14:42 12208 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-04-23_22.05.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-30 20:06 . 2009-04-30 20:06 16384 c:\windows\temp\Perflib_Perfdata_7e0.dat
+ 2005-04-20 09:53 . 2004-08-04 12:00 19429 c:\windows\system32\MsDtc\Trace\msdtcvtr.bat
+ 2009-04-24 20:28 . 2009-02-05 20:06 51376 c:\windows\system32\drivers\aswTdi.sys
+ 2009-04-24 20:28 . 2009-02-05 20:06 23152 c:\windows\system32\drivers\aswRdr.sys
+ 2009-04-24 20:28 . 2009-02-05 20:08 94032 c:\windows\system32\drivers\aswmon2.sys
+ 2009-04-24 20:28 . 2009-02-05 20:08 93296 c:\windows\system32\drivers\aswmon.sys
+ 2009-04-24 20:28 . 2009-02-05 20:07 20560 c:\windows\system32\drivers\aswFsBlk.sys
+ 2009-04-24 20:28 . 2009-02-05 20:05 26944 c:\windows\system32\drivers\aavmker4.sys
+ 2005-04-20 10:11 . 2009-04-28 21:12 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-04-20 10:11 . 2009-04-19 20:10 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-04-20 10:11 . 2009-04-19 20:10 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-04-20 10:11 . 2009-04-28 21:12 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-04-20 10:11 . 2009-04-28 21:12 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-04-20 10:11 . 2009-04-19 20:10 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-04-24 20:28 . 2009-02-05 20:04 97480 c:\windows\system32\AvastSS.scr
+ 2009-04-24 01:11 . 2009-04-24 01:11 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2009-04-24 01:11 . 2009-04-24 01:11 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-07-09 22:03 . 2008-01-18 15:13 2247 c:\windows\ServicePackFiles\i386\tscdsbl.bat
+ 2008-07-09 22:03 . 2008-01-18 15:13 2247 c:\windows\Installer\tsclientmsitrans\tscdsbl.bat
+ 2006-04-10 12:00 . 2009-03-10 21:18 934792 c:\windows\system32\WgaTray.exe
+ 2006-04-10 12:00 . 2009-03-10 21:18 239496 c:\windows\system32\WgaLogon.dll
+ 2009-04-25 20:29 . 2009-04-25 20:28 148888 c:\windows\system32\javaws.exe
+ 2009-04-25 20:29 . 2009-04-25 20:28 144792 c:\windows\system32\javaw.exe
+ 2009-04-25 20:29 . 2009-04-25 20:28 144792 c:\windows\system32\java.exe
+ 2005-04-20 10:26 . 2009-05-03 18:29 208104 c:\windows\system32\FNTCACHE.DAT
+ 2009-04-24 20:28 . 2009-02-05 20:07 114768 c:\windows\system32\drivers\aswSP.sys
+ 2006-04-10 12:00 . 2009-03-10 21:18 934792 c:\windows\system32\dllcache\WgaTray.exe
+ 2006-04-10 12:00 . 2009-03-10 21:18 239496 c:\windows\system32\dllcache\wgaLogon.dll
+ 2009-03-10 21:18 . 2009-03-10 21:18 1482112 c:\windows\system32\LegitCheckControl.dll
+ 2009-04-24 20:28 . 2009-02-05 20:11 1256296 c:\windows\system32\aswBoot.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-30 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-02-24 335872]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-02-05 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-02-05 495616]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-12 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-12 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-25 148888]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\PS3Portal\\hfs.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12559:TCP"= 12559:TCP:uTorrent TCP

R0 lpx;LPX Protocol;c:\windows\system32\drivers\lpx.sys [09/02/2005 18:18 109184]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [24/04/2009 21:28 114768]
R1 lfsfilt;Lean File Sharing;c:\windows\system32\drivers\lfsfilt.sys [02/08/2005 11:30 120704]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/03/2009 14:07 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23/03/2009 14:07 72944]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [24/04/2009 21:28 20560]
R3 ndasbus;NDAS Bus Driver;c:\windows\system32\drivers\ndasbus.sys [09/02/2005 18:18 38656]
R3 NETGEAR_WPN511_SERVICE;NETGEAR WPN511 Wireless Adapter Service;c:\windows\system32\drivers\wpn511.sys [21/05/2008 21:43 488992]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23/03/2009 14:07 7408]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\documents and settings\James\Desktop\VirtualCD\VCdRom.sys --> c:\documents and settings\James\Desktop\VirtualCD\VCdRom.sys [?]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [11/09/2006 23:33 16194]
S3 efipsk;efipsk;\??\c:\docume~1\James\LOCALS~1\Temp\efipsk.sys --> c:\docume~1\James\LOCALS~1\Temp\efipsk.sys [?]
S3 ndasscsi;NDAS SCSI Miniport Driver;c:\windows\system32\drivers\ndasscsi.sys [09/02/2005 18:18 90752]
S3 rtl8180;Belkin 11Mbps Wireless Notebook Network Card Driver;c:\windows\system32\drivers\Bel6020.sys [20/04/2005 11:33 168448]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.co.uk
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\James\Application Data\Mozilla\Firefox\Profiles\pi1rpgjo.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-05 23:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-436374069-1606980848-1957994488-1003\Software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
@Allowed: (2) (Administrators)
"Policy"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
"Policy"=hex:00,00,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1076)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-05-05 23:22
ComboFix-quarantined-files.txt 2009-05-05 22:21

Pre-Run: 6,832,402,432 bytes free
Post-Run: 6,860,369,920 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

310 --- E O F --- 2009-05-01 01:42
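As an added example (not part of the thread, and not ComboFix's own code), a small Python triage pass over service/driver lines in the format of the log above: it flags entries that load from a user-writable location (temp or profile directories) or for which no file date/size was recorded (the "[?]" marker), as with efipsk.sys and VCdRom.sys above. The sample lines are constructed to match the log's format; the reading of "R/S" as running/stopped and the trusted-prefix list are assumptions.

```python
import re

# Constructed sample lines in the same format as the ComboFix log above.
SAMPLE_LOG = r"""
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [24/04/2009 21:28 114768]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\documents and settings\James\Desktop\VirtualCD\VCdRom.sys --> c:\documents and settings\James\Desktop\VirtualCD\VCdRom.sys [?]
S3 efipsk;efipsk;\??\c:\docume~1\James\LOCALS~1\Temp\efipsk.sys --> c:\docume~1\James\LOCALS~1\Temp\efipsk.sys [?]
S3 ndasscsi;NDAS SCSI Miniport Driver;c:\windows\system32\drivers\ndasscsi.sys [09/02/2005 18:18 90752]
"""

# Assumed layout: state letter (R running / S stopped), start-type digit, then name;display;path [meta]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)

# Assumption: where a kernel driver is normally expected to live on an XP system.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")
# Substrings marking user-writable locations (temp, profile, and their 8.3 short forms).
USER_WRITABLE_MARKERS = ("\\temp\\", "\\documents and settings\\", "\\docume~1\\", "\\desktop\\")


def parse_service_line(line):
    """Return (name, state, start_type, path, meta) or None for non-service lines."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    path_part, _, meta = m.group("rest").rpartition(" [")
    # The "\??\x --> y" form lists an NT object path and the resolved path; keep the latter.
    path = path_part.split("-->")[-1].strip().lower()
    return m.group("name"), m.group("state"), int(m.group("start")), path, meta.rstrip("]")


def triage_services(log_text):
    """Map service name -> list of reasons, for the entries worth a second look."""
    findings = {}
    for line in log_text.splitlines():
        parsed = parse_service_line(line)
        if parsed is None:
            continue
        name, _state, _start, path, meta = parsed
        reasons = []
        if meta == "?":
            reasons.append("no file date/size recorded")
        if any(marker in path for marker in USER_WRITABLE_MARKERS):
            reasons.append("driver in a user-writable location")
        elif not path.startswith(TRUSTED_PREFIXES):
            reasons.append("driver outside the usual system directories")
        if reasons:
            findings[name] = reasons
    return findings
```

Running `triage_services(SAMPLE_LOG)` reports only vcdrom and efipsk; the two drivers under c:\windows\system32\drivers pass both checks.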

#8 Starbuck

Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 05 May 2009 - 06:39 PM

Hi Jamezu

The updated copy of Combofix has done a lot of work for us.

Let's just double check everything.

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.
Note: You will need to use Internet Explorer for this scan.

Thanks.



#9 Jamezu

Jamezu
  • Topic Starter
  • Members
  • 7 posts

Posted 06 May 2009 - 05:24 AM

Thanks for your help, I'm very pleased that the situation is improving!

I tried running BitDefender last night but couldn't get it to work. I was using IE as you said, IE7. I allowed the ActiveX control to run when prompted by IE. But BitDefender just displayed the message "Loading" and the red blobs kept counting up, and it never did anything more than that. I left it running overnight and nothing else happened.

Any suggestions?

Thanks,
James

#10 Starbuck

Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 06 May 2009 - 01:23 PM

Hi Jamezu

Let's try another online scanner, as I have known problems with BitDefender in the past.

Go to: Eset Online Scanner
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked.
  • Click Scan.
  • Wait for the scan to finish.
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic.
Note: You will need to use Internet Explorer for this scan.



#11 Jamezu

Jamezu
  • Topic Starter
  • Members
  • 7 posts

Posted 06 May 2009 - 07:26 PM

I came home tonight and tried BitDefender again. Uninstalled it from IE, and then ran it again, and it worked. It found no problems:

BitDefender Online Scanner - Real Time Virus Report
Generated at: Thu, May 07, 2009 - 01:23:44

Scan Info

Scanned Files
142621

Infected Files
0

Virus Detected
No virus found.

This summary of the scan process will be used by the BitDefender Antivirus Lab to create agregate statistics about virus activity around the world.

#12 Starbuck

Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 07 May 2009 - 02:26 PM

Hi Jamezu

and it worked. It found no problems

That's good to hear.

Seems everything is sorted now.
If you are happy with the way your system is running now, let's do a little cleaning up to finish off.

Step 1
Please download ATF Cleaner by Atribune. (This program is for XP, Vista and Windows 2000.)
Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
Then:
If you use the Firefox browser, click Firefox at the top and choose: Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Then:
If you use the Opera browser, click Opera at the top and choose: Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Step 2
Please download OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • You should see a CleanUp! button; press that button.
  • This will delete all the tools you have downloaded along with their associated folders, plus itself.
Step 3
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Select the drive for cleaning then click OK (usually 'C' drive)
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
To find out how you may have been infected, read this topic:
So how did i get infected?

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Use an AntiVirus Software
    Note:
    Comodo Internet Security contains an Anti-Virus protector + Firewall.
    If you are happy with your present Firewall, untick the option to install the Firewall on installation.
    If you require the Comodo Firewall.... then disable your present Firewall on installation of the Internet Security program.

    Only install one AntiVirus program
  • Update your AntiVirus Software regularly
  • Use a 3rd party Firewall. NOTE: If choosing Zone Alarm be aware that the free version also installs ZoneAlarm Spy Blocker. It is recommended however that you UNcheck this option.

    Only install one software Firewall
  • Scan regularly with a 'Stand Alone' Anti-Malware scanner:
    Installing another scanner that you can run once or twice a week is always beneficial.
    Something like:
    Ad-Aware 2008
    Spybot Search & Destroy
    Malwarebytes Anti-Malware
    SUPERAntiSpyware
    Remember to update these programs each time before running.
    You can install more than one of these as you only run them as stand alone programs.
  • Use an alternative browser:
    Some excellent alternatives to MS Internet Explorer are:

    Firefox
    For added security, add the NoScript extension to this browser:
    Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks

    Opera

    They offer better security, more stability, and better speed.
  • Keep your system clean of temp files etc, using a 'Cleaner':

    Cleaners are programs that will help to clean out your:
    Windows temp files
    Current user temp files
    Cookies
    Temporary Internet files
    Browser history
    Recycle bin
    Etc.......
    In other words.... all the rubbish that you accumulate over the course of your browsing and day to day usage of your PC.
    Programs like:
    CCleaner
    ATF Cleaner ...now works with Vista.
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:
    Using SpywareBlaster to protect your computer from Spyware and Malware
  • Update all your 'Security' programs regularly - Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.



#13 Jamezu

Jamezu
  • Topic Starter
  • Members
  • 7 posts

Posted 08 May 2009 - 05:33 AM

Starbuck, thanks for your help. I carried out Steps 1, 2 & 3 successfully. You can close this topic now.

#14 Starbuck

Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 08 May 2009 - 05:59 AM

Thanks for getting back to me.
Thread closed.
