win32.agent.pz


This topic is locked
20 replies to this topic

#1 johnmark32


Posted 26 April 2009 - 04:32 PM

Hi,

Just lost a day of my life trying to remove Win32.agent.pz from a PC. I have tried various advice from forums but it just seems to slip through.
So here is the DDS log:


DDS (Ver_09-03-16.01) - NTFSx86
Run by OFFICE at 22:12:07.25 on 26/04/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1316 [GMT 1:00]

AV: Sophos Anti-Virus *On-access scanning enabled* (Updated)
FW: NVIDIA Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\O2\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\OFFICE\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = <local>;*.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\bootlist32.exe,
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [CTDVDDET] "c:\program files\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [PCSuiteTrayApplication] c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe -startup
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Dell AIO Printer A920] "c:\program files\dell aio printer a920\dlbkbmgr.exe"
mRun: [O2] "c:\program files\o2\bin\sprtcmd.exe" /P O2
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [PcSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
dRunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Service Manager.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wg111v~1.lnk - c:\program files\netgear\wg111v2 configuration utility\RtlWake.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: blogspot.com\reloda
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} - hxxp://sib1.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\office\applic~1\mozilla\firefox\profiles\ydw32qaf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2007-9-13 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2007-9-13 38528]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2008-2-17 66048]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2008-9-22 69632]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-8-21 98304]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2008-12-23 172032]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\o2\bin\sprtsvc.exe [2007-6-7 202280]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [2006-7-1 25423]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-5-21 29744]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2008-2-17 112384]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-10-1 14976]

=============== Created Last 30 ================

2009-04-26 21:48 <DIR> --d----- C:\!FixIEDef
2009-04-26 20:48 <DIR> --d----- c:\windows\pss
2009-04-26 20:48 <DIR> --d----- c:\program files\ACW
2009-04-26 17:24 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-26 17:23 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-26 17:23 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-26 17:20 28 a------- c:\windows\pdf995.ini
2009-04-26 16:26 59 a------- c:\windows\wpd99.drv
2009-04-26 16:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\pdf995
2009-04-26 16:26 249,856 a------- c:\windows\system32\pdfmona.dll
2009-04-26 16:26 51,716 a------- c:\windows\system32\pdf995mon.dll
2009-04-26 16:26 <DIR> --d----- c:\program files\pdf995
2009-04-26 16:00 <DIR> --d----- c:\program files\Trend Micro
2009-04-26 15:28 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-04-26 12:19 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-04-26 12:17 <DIR> --d----- c:\windows\ERUNT
2009-04-26 12:12 <DIR> --d----- C:\SDFix
2009-04-26 11:54 <DIR> a-dshr-- C:\cmdcons
2009-04-26 11:52 161,792 a------- c:\windows\SWREG.exe
2009-04-26 11:52 98,816 a------- c:\windows\sed.exe
2009-04-26 10:59 23,328 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-26 10:59 10,016 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-04-26 10:59 2,012 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-04-26 10:59 1,388 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-04-26 10:59 1,380 a------- C:\rollback.ini
2009-04-26 10:47 <DIR> --d----- c:\program files\common files\ParetoLogic
2009-04-26 10:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic
2009-04-23 00:32 <DIR> --d----- c:\docume~1\office\applic~1\Uniblue
2009-04-22 23:22 <DIR> --d----- c:\docume~1\office\applic~1\Malwarebytes
2009-04-22 23:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-22 18:57 <DIR> --d----- c:\program files\Lavasoft
2009-04-22 09:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-22 09:54 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-22 09:54 <DIR> --d----- c:\docume~1\office\applic~1\SUPERAntiSpyware.com
2009-04-21 23:27 <DIR> --d----- c:\program files\iPod
2009-04-21 23:27 <DIR> --d----- c:\program files\iTunes
2009-04-21 23:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-21 20:38 <DIR> --d----- c:\program files\CCleaner
2009-03-28 18:47 <DIR> --d----- c:\windows\system32\LogFiles

==================== Find3M ====================

2009-04-15 07:45 6,528 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-03-23 16:13 130,104 a------- c:\windows\system32\sdccoinstaller.dll
2009-03-21 15:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 15:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 05:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 11:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 11:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 06:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-02-09 13:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 13:10 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 13:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 13:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 13:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 13:10 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-02-09 13:10 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-02-09 13:10 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-02-09 13:10 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 13:10 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-02-09 12:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 12:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 12:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 12:11 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-02-06 12:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 12:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 12:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 11:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 11:39 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-02-06 11:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 11:10 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-02-03 20:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-03 20:59 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2007-05-27 10:40 56 ---shr-- c:\windows\system32\376B382594.sys
2008-12-30 16:57 2,713 ---sh--- c:\windows\system32\dagihama.exe
2008-12-30 01:56 2,713 ---sh--- c:\windows\system32\muzakego.exe
2008-12-31 07:57 2,713 ---sh--- c:\windows\system32\sukazata.exe
2008-10-20 07:39 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102020081021\index.dat

============= FINISH: 22:13:40.85 ===============

Attached File: DDS.txt (18.34KB)
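As an added example (not tooling from this thread, and not how DDS itself works), a small Python checker over lines of the kind that appear in the two DDS logs posted in this topic: it flags anything beyond the stock userinit.exe in the "mWinlogon: Userinit=" value, files with hidden+system attributes under system32 in the Find3M listing, and Trusted Zone additions. The sample lines are copied from the log above; the benign controls and the category names are my own.

```python
import re

# Constructed sample input: lines copied from the DDS "Pseudo HJT Report" and
# "Find3M" sections posted above, plus two benign lines (ctfmon, secur32.dll)
# included as controls. A DDS log is reviewed here one line at a time.
SAMPLE_DDS = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\bootlist32.exe,
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
Trusted Zone: blogspot.com\reloda
2009-04-15 07:45 6,528 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-02-03 20:59 56,832 a------- c:\windows\system32\secur32.dll
2008-12-30 16:57 2,713 ---sh--- c:\windows\system32\dagihama.exe
2008-12-30 01:56 2,713 ---sh--- c:\windows\system32\muzakego.exe
2008-12-31 07:57 2,713 ---sh--- c:\windows\system32\sukazata.exe
"""

# The only program that belongs in the Winlogon Userinit value on a stock
# Windows XP install; anything appended after the comma is started at every
# interactive logon, which is why DDS prints the line at all.
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"

# DDS "Created Last 30" / "Find3M" lines: date time size attributes path.
FIND3M_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} ([\d,]+) ([a-z-]{8}) (.+)$")


def parse_userinit(line):
    """Return the comma-separated programs from an 'mWinlogon: Userinit=' line, or None."""
    m = re.match(r"mWinlogon: Userinit=(.*)$", line, re.IGNORECASE)
    if not m:
        return None
    return [p.strip() for p in m.group(1).split(",") if p.strip()]


def parse_find3m(line):
    """Return {'size', 'attrs', 'path'} for a Find3M-style file line, or None."""
    m = FIND3M_RE.match(line)
    if not m:
        return None
    size, attrs, path = m.groups()
    return {"size": int(size.replace(",", "")), "attrs": attrs, "path": path}


def review_dds(text):
    """Walk a DDS log and return (category, detail) findings worth a second look."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        programs = parse_userinit(line)
        if programs is not None:
            for p in programs:
                if p.lower() != STOCK_USERINIT:
                    findings.append(("userinit_extra", p))
            continue
        if line.startswith("Trusted Zone: "):
            # Sites in IE's Trusted Zone get relaxed security settings.
            findings.append(("trusted_zone", line[len("Trusted Zone: "):]))
            continue
        entry = parse_find3m(line)
        if entry and "s" in entry["attrs"] and "h" in entry["attrs"]:
            # Hidden + system attributes on a file dropped into system32 keep it
            # out of Explorer's default view; worth listing for the analyst.
            if entry["path"].lower().startswith(r"c:\windows\system32"):
                findings.append(("hidden_system_file", entry["path"]))
    return findings


if __name__ == "__main__":
    for category, detail in review_dds(SAMPLE_DDS):
        print(f"{category:20} {detail}")
```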



#2 extremeboy

  • Malware Response Team

Posted 08 May 2009 - 08:12 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
If you still require assistance post a new set of DDS Logs and a description of any remaining problems or symptoms you may still have please.

If for any reason you did not post a DDS log please refer to this page; in step #6 there are instructions on downloading and running DDS. If you have any problems just let me know in your next reply or simply post a Hijackthis log.

Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 extremeboy


Posted 11 May 2009 - 02:31 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the last day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy

#4 johnmark32

  • Topic Starter

Posted 15 May 2009 - 10:40 AM

Hi EB,

First my thanks for your response, and I know how busy things can get. The reason for my delay in getting back to you is that I have had some hols; just got back today, a bit jet-lagged!! Please don't drop my post as I am still desperate to solve this. I will now read your replies and action them and get back to you.

Thanks once again for your help.

John

#5 johnmark32

  • Topic Starter

Posted 15 May 2009 - 11:15 AM

Hi EB,

OK, just checked to see if anything has changed. A Spybot run shows 4 entries of Virtumonde.sdn and 3 entries of Win32.Agent.pz.

That will teach me to go on leave! I now have two trojans.
I have not tried to clear these with Spybot based on previous failures.

I post the new DDS log below and attach the Attach.Txt file.

I will not change anything till you advise.

Thanks again.


DDS (Ver_09-05-14.01) - NTFSx86
Run by OFFICE at 17:09:53.31 on 15/05/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1287 [GMT 1:00]

AV: Sophos Anti-Virus *On-access scanning enabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
FW: NVIDIA Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\O2\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\OFFICE\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = <local>;*.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\bootlist32.exe,
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [CTDVDDET] "c:\program files\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [PCSuiteTrayApplication] c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe -startup
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Dell AIO Printer A920] "c:\program files\dell aio printer a920\dlbkbmgr.exe"
mRun: [O2] "c:\program files\o2\bin\sprtcmd.exe" /P O2
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [PcSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
dRunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Service Manager.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wg111v~1.lnk - c:\program files\netgear\wg111v2 configuration utility\RtlWake.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: blogspot.com\reloda
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} - hxxp://sib1.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2007-9-13 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2007-9-13 38528]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2008-2-17 66048]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2008-9-22 69632]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-8-21 98304]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2008-12-23 172032]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\o2\bin\sprtsvc.exe [2007-6-7 202280]
RUnknown SASKUTIL;SASKUTIL; [x]
S0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [2006-7-1 25423]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-5-21 29744]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2008-2-17 112384]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-10-1 14976]

=============== Created Last 30 ================

2009-04-26 21:48 <DIR> --d----- C:\!FixIEDef
2009-04-26 20:48 <DIR> --d----- c:\windows\pss
2009-04-26 20:48 <DIR> --d----- c:\program files\ACW
2009-04-26 17:24 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-26 17:23 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-26 17:23 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-26 17:20 28 a------- c:\windows\pdf995.ini
2009-04-26 16:26 59 a------- c:\windows\wpd99.drv
2009-04-26 16:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\pdf995
2009-04-26 16:26 249,856 a------- c:\windows\system32\pdfmona.dll
2009-04-26 16:26 51,716 a------- c:\windows\system32\pdf995mon.dll
2009-04-26 16:26 <DIR> --d----- c:\program files\pdf995
2009-04-26 16:00 <DIR> --d----- c:\program files\Trend Micro
2009-04-26 12:19 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-04-26 12:17 <DIR> --d----- c:\windows\ERUNT
2009-04-26 12:12 <DIR> --d----- C:\SDFix
2009-04-26 11:54 <DIR> a-dshr-- C:\cmdcons
2009-04-26 11:52 161,792 a------- c:\windows\SWREG.exe
2009-04-26 11:52 98,816 a------- c:\windows\sed.exe
2009-04-26 10:59 23,328 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-26 10:59 10,016 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-04-26 10:59 2,012 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-04-26 10:59 1,388 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-04-26 10:59 1,380 a------- C:\rollback.ini
2009-04-26 10:47 <DIR> --d----- c:\program files\common files\ParetoLogic
2009-04-26 10:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic
2009-04-23 00:32 <DIR> --d----- c:\docume~1\office\applic~1\Uniblue
2009-04-22 23:22 <DIR> --d----- c:\docume~1\office\applic~1\Malwarebytes
2009-04-22 23:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-22 18:57 <DIR> --d----- c:\program files\Lavasoft
2009-04-22 09:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-22 09:54 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-22 09:54 <DIR> --d----- c:\docume~1\office\applic~1\SUPERAntiSpyware.com
2009-04-21 23:27 <DIR> --d----- c:\program files\iPod
2009-04-21 23:27 <DIR> --d----- c:\program files\iTunes
2009-04-21 23:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-21 20:38 <DIR> --d----- c:\program files\CCleaner

==================== Find3M ====================

2009-04-15 07:45 6,528 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-03-23 16:13 130,104 a------- c:\windows\system32\sdccoinstaller.dll
2009-03-21 15:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 15:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 05:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 11:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 11:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 06:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2007-05-27 10:40 56 ---shr-- c:\windows\system32\376B382594.sys
2008-12-30 16:57 2,713 ---sh--- c:\windows\system32\dagihama.exe
2008-12-30 01:56 2,713 ---sh--- c:\windows\system32\muzakego.exe
2008-12-31 07:57 2,713 ---sh--- c:\windows\system32\sukazata.exe
2008-10-20 07:39 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102020081021\index.dat

============= FINISH: 17:11:27.59 ===============

#6 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
Posted 15 May 2009 - 06:00 PM

Hello.

Install Recovery Console and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Please download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 johnmark32
  • Topic Starter
  • Members
  • 11 posts

Posted 16 May 2009 - 12:40 AM

Hi EB,

I have previously installed the Windows Recovery Console, but when selected at boot it just sits with a flashing cursor, not running. How do I uninstall it so that COMBOFIX properly installs the WRC?

#8 johnmark32
  • Topic Starter
  • Members
  • 11 posts

Posted 16 May 2009 - 02:16 AM

Hi EB,

I have now solved the Windows Recovery Console problem; I had to remove the previous installation and let COMBOFIX reinstall it. There was a problem removing the \cmdcons folder, but "Fileunlock" did it in the end.
So COMBOFIX has been run and the log file is as follows:

ComboFix 09-05-15.01 - OFFICE 16/05/2009 7:54.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1399 [GMT 1:00]
Running from: c:\documents and settings\OFFICE\Desktop\bleeping computer forum notes\ComboFix.exe
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
FW: NVIDIA Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-04-16 to 2009-05-16 )))))))))))))))))))))))))))))))
.

2009-05-16 06:32 . 2009-05-16 06:37 -------- d-----w c:\program files\Unlocker
2009-04-26 20:48 . 2009-04-26 20:48 -------- d-----w C:\ERDNT
2009-04-26 20:48 . 2009-04-26 20:48 -------- d-----w C:\!FixIEDef
2009-04-26 19:48 . 2009-04-26 19:48 -------- d-----w c:\program files\ACW
2009-04-26 16:24 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-26 16:23 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-26 16:23 . 2009-04-26 16:24 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-26 16:20 . 2009-04-26 16:20 -------- d-----w c:\documents and settings\OFFICE\Application Data\pdf995
2009-04-26 15:26 . 2009-04-26 16:20 -------- d-----w c:\documents and settings\All Users\Application Data\pdf995
2009-04-26 15:26 . 2009-04-26 19:42 59 ----a-w c:\windows\wpd99.drv
2009-04-26 15:26 . 2009-04-26 19:42 249856 ----a-w c:\windows\system32\pdfmona.dll
2009-04-26 15:26 . 2009-04-26 19:42 51716 ----a-w c:\windows\system32\pdf995mon.dll
2009-04-26 15:26 . 2009-04-26 15:28 -------- d-----w c:\program files\pdf995
2009-04-26 15:00 . 2009-04-26 15:00 -------- d-----w c:\program files\Trend Micro
2009-04-26 11:19 . 2009-04-26 11:19 578560 ----a-w c:\windows\system32\dllcache\user32.dll
2009-04-26 11:17 . 2009-04-26 20:48 -------- d-----w c:\windows\ERUNT
2009-04-26 11:12 . 2009-04-26 14:24 -------- d-----w C:\SDFix
2009-04-26 09:59 . 2009-04-26 11:04 23328 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-26 09:59 . 2009-04-26 11:04 10016 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-26 09:47 . 2009-04-26 10:20 -------- d-----w c:\program files\Common Files\ParetoLogic
2009-04-26 09:47 . 2009-04-26 10:20 -------- d-----w c:\documents and settings\All Users\Application Data\ParetoLogic
2009-04-26 09:46 . 2009-04-26 09:46 -------- d-----w c:\documents and settings\OFFICE\Local Settings\Application Data\Downloaded Installations
2009-04-22 23:32 . 2009-04-22 23:32 -------- d-----w c:\documents and settings\OFFICE\Application Data\Uniblue
2009-04-22 22:22 . 2009-04-22 22:22 -------- d-----w c:\documents and settings\OFFICE\Application Data\Malwarebytes
2009-04-22 22:22 . 2009-04-22 22:22 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-22 21:31 . 2009-04-22 21:43 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-22 17:57 . 2009-04-22 21:19 -------- d-----w c:\program files\Lavasoft
2009-04-22 17:57 . 2009-04-22 21:19 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-22 08:54 . 2009-04-22 08:54 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-22 08:54 . 2009-05-15 15:29 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-22 08:54 . 2009-05-15 15:29 -------- d-----w c:\documents and settings\OFFICE\Application Data\SUPERAntiSpyware.com
2009-04-21 22:27 . 2009-04-21 22:27 -------- d-----w c:\program files\iPod
2009-04-21 22:27 . 2009-04-21 22:28 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-21 22:27 . 2009-04-21 22:28 -------- d-----w c:\program files\iTunes
2009-04-21 19:38 . 2009-04-21 19:38 -------- d-----w c:\program files\CCleaner
2009-04-21 15:52 . 2009-04-21 15:52 -------- d-----w c:\documents and settings\OFFICE_2\Local Settings\Application Data\Sophos
2009-04-21 15:47 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-21 15:47 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-21 15:47 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-21 15:47 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-21 15:47 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-21 15:47 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-21 15:47 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-21 15:47 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-21 15:47 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-21 15:47 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-21 15:47 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-21 15:47 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-15 15:50 . 2006-05-21 09:23 -------- d-----w c:\program files\Hewlett-Packard
2009-04-26 13:47 . 2006-12-10 12:10 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-26 11:04 . 2009-04-26 09:59 2012 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-26 11:04 . 2009-04-26 09:59 1388 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-21 22:27 . 2007-07-17 08:30 -------- d-----w c:\program files\Common Files\Apple
2009-04-21 16:00 . 2006-12-25 18:46 -------- d-----w c:\program files\PokerStars
2009-04-15 06:45 . 2006-06-08 07:51 6528 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-04-15 06:45 . 2006-06-08 07:51 88 --sh--r c:\windows\system32\2A0957E5AF.sys
2009-04-02 19:03 . 2006-10-18 13:49 -------- d-----w c:\program files\Thomson
2009-04-02 18:19 . 2009-04-02 18:19 100696 ----a-w c:\documents and settings\OFFICE_2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-26 20:24 . 2009-03-26 20:24 -------- d-----w c:\program files\Bonjour
2009-03-26 20:24 . 2009-03-26 20:24 -------- d-----w c:\program files\QuickTime
2009-03-26 20:22 . 2009-03-26 20:22 -------- d-----w c:\program files\Apple Software Update
2009-03-23 15:13 . 2008-10-01 08:03 130104 ----a-w c:\windows\system32\sdccoinstaller.dll
2009-03-19 23:47 . 2006-05-09 20:21 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-19 23:44 . 2006-05-27 15:28 -------- d-----w c:\program files\Soulseek
2009-03-19 15:32 . 2006-09-19 13:44 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 14:22 . 2005-08-16 03:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2005-08-16 03:18 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2005-08-16 03:18 78336 ----a-w c:\windows\system32\ieencode.dll
2007-05-27 09:40 . 2007-05-27 09:40 56 --sh--r c:\windows\system32\376B382594.sys
2008-12-30 15:57 . 2008-12-30 15:57 2713 --sh--w c:\windows\system32\dagihama.exe
2008-12-30 00:56 . 2008-12-30 00:56 2713 --sh--w c:\windows\system32\muzakego.exe
2008-12-31 06:57 . 2008-12-31 06:57 2713 --sh--w c:\windows\system32\sukazata.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-04-26_11.06.01 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-04-26 11:05 . 2007-03-30 15:04 73728 c:\windows\Temp\sophos_autoupdate1.dir\xmltok.dll
+ 2009-05-16 07:04 . 2007-03-30 15:04 73728 c:\windows\Temp\sophos_autoupdate1.dir\xmltok.dll
+ 2009-05-16 07:04 . 2007-03-30 15:05 57344 c:\windows\Temp\sophos_autoupdate1.dir\xmlparse.dll
- 2009-04-26 11:05 . 2007-03-30 15:05 57344 c:\windows\Temp\sophos_autoupdate1.dir\xmlparse.dll
- 2009-04-26 11:05 . 2007-04-03 07:17 14336 c:\windows\Temp\sophos_autoupdate1.dir\xmlcpp.dll
+ 2009-05-16 07:04 . 2007-04-03 07:17 14336 c:\windows\Temp\sophos_autoupdate1.dir\xmlcpp.dll
+ 2009-05-16 07:04 . 2008-02-13 14:49 18432 c:\windows\Temp\sophos_autoupdate1.dir\SharedRes.dll
- 2009-04-26 11:05 . 2008-02-13 14:49 18432 c:\windows\Temp\sophos_autoupdate1.dir\SharedRes.dll
+ 2009-05-16 07:04 . 2007-04-03 07:17 20480 c:\windows\Temp\sophos_autoupdate1.dir\crypto.dll
- 2009-04-26 11:05 . 2007-04-03 07:17 20480 c:\windows\Temp\sophos_autoupdate1.dir\crypto.dll
+ 2009-05-16 07:04 . 2007-04-02 09:07 45056 c:\windows\Temp\sophos_autoupdate1.dir\boost_date_time-vc71-mt-1_32.dll
- 2009-04-26 11:05 . 2007-04-02 09:07 45056 c:\windows\Temp\sophos_autoupdate1.dir\boost_date_time-vc71-mt-1_32.dll
+ 2009-05-16 07:04 . 2009-05-16 07:04 16384 c:\windows\Temp\Perflib_Perfdata_5f4.dat
+ 2009-05-16 07:04 . 2009-05-16 07:04 16384 c:\windows\Temp\Perflib_Perfdata_438.dat
+ 2009-04-26 15:26 . 2009-04-26 19:42 15872 c:\windows\system32\spool\drivers\w32x86\pdf995ui5.DLL
+ 2009-04-26 15:26 . 2009-04-26 15:26 15872 c:\windows\system32\spool\drivers\w32x86\3\pdf995ui5.DLL
+ 2006-05-12 20:53 . 2009-05-16 07:04 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-05-12 20:53 . 2009-04-26 11:05 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-05-12 20:53 . 2009-05-16 07:04 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-05-12 20:53 . 2009-04-26 11:05 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-05-12 20:53 . 2009-04-26 11:05 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-05-12 20:53 . 2009-05-16 07:04 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2007-11-18 17:44 . 2009-05-15 15:26 25214 c:\windows\Installer\{034759DA-E21A-4795-BFB3-C66D17FAD183}\MainGUIShortcut.exe
- 2007-11-18 17:44 . 2009-04-02 18:50 25214 c:\windows\Installer\{034759DA-E21A-4795-BFB3-C66D17FAD183}\MainGUIShortcut.exe
+ 2007-11-18 17:44 . 2009-05-15 15:26 25214 c:\windows\Installer\{034759DA-E21A-4795-BFB3-C66D17FAD183}\ARPPRODUCTICON.exe
- 2007-11-18 17:44 . 2009-04-02 18:50 25214 c:\windows\Installer\{034759DA-E21A-4795-BFB3-C66D17FAD183}\ARPPRODUCTICON.exe
+ 2009-05-16 07:04 . 2008-12-24 11:35 2970 c:\windows\Temp\sophos_autoupdate1.dir\scf.dat
- 2009-04-26 11:05 . 2008-12-24 11:35 2970 c:\windows\Temp\sophos_autoupdate1.dir\scf.dat
- 2009-04-26 11:05 . 2008-12-24 11:33 208896 c:\windows\Temp\sophos_autoupdate1.dir\retailer.dll
+ 2009-05-16 07:04 . 2008-12-24 11:33 208896 c:\windows\Temp\sophos_autoupdate1.dir\retailer.dll
+ 2009-05-16 07:04 . 2004-03-17 17:06 348160 c:\windows\Temp\sophos_autoupdate1.dir\MSVCR71.DLL
- 2009-04-26 11:05 . 2004-03-17 17:06 348160 c:\windows\Temp\sophos_autoupdate1.dir\MSVCR71.DLL
+ 2009-05-16 07:04 . 2004-03-17 17:06 499712 c:\windows\Temp\sophos_autoupdate1.dir\MSVCP71.DLL
- 2009-04-26 11:05 . 2004-03-17 17:06 499712 c:\windows\Temp\sophos_autoupdate1.dir\MSVCP71.DLL
- 2009-04-26 11:05 . 2007-03-30 15:12 745472 c:\windows\Temp\sophos_autoupdate1.dir\libeay32.dll
+ 2009-05-16 07:04 . 2007-03-30 15:12 745472 c:\windows\Temp\sophos_autoupdate1.dir\libeay32.dll
+ 2009-05-16 07:04 . 2008-12-23 19:47 159744 c:\windows\Temp\sophos_autoupdate1.dir\libcurl.dll
- 2009-04-26 11:05 . 2008-12-23 19:47 159744 c:\windows\Temp\sophos_autoupdate1.dir\libcurl.dll
- 2009-04-26 11:05 . 2008-12-24 11:34 176128 c:\windows\Temp\sophos_autoupdate1.dir\CidSync.dll
+ 2009-05-16 07:04 . 2008-12-24 11:34 176128 c:\windows\Temp\sophos_autoupdate1.dir\CidSync.dll
+ 2009-05-16 07:04 . 2008-12-24 11:34 172032 c:\windows\Temp\sophos_autoupdate1.dir\ChannelUpdater.dll
- 2009-04-26 11:05 . 2008-12-24 11:34 172032 c:\windows\Temp\sophos_autoupdate1.dir\ChannelUpdater.dll
- 2009-04-26 11:05 . 2008-12-24 11:34 659456 c:\windows\Temp\sophos_autoupdate1.dir\ALUpdate.exe
+ 2009-05-16 07:04 . 2008-12-24 11:34 659456 c:\windows\Temp\sophos_autoupdate1.dir\ALUpdate.exe
+ 2009-04-26 15:26 . 2009-04-26 19:42 470608 c:\windows\system32\spool\drivers\w32x86\pscript5-32.dll
+ 2009-04-26 15:26 . 2009-04-26 19:42 225648 c:\windows\system32\spool\drivers\w32x86\Pscript.dll
+ 2009-04-26 15:26 . 2009-04-26 19:42 218816 c:\windows\system32\spool\drivers\w32x86\Pdf995ui.dll
+ 2009-04-26 15:26 . 2009-04-26 19:42 135248 c:\windows\system32\spool\drivers\w32x86\pdf995ps5ui.dll
+ 2009-04-26 15:26 . 2009-04-26 15:26 470608 c:\windows\system32\spool\drivers\w32x86\3\pscript5-32.dll
+ 2009-04-26 15:26 . 2009-04-26 15:26 135248 c:\windows\system32\spool\drivers\w32x86\3\pdf995ps5ui.dll
+ 2009-04-26 11:17 . 2009-04-26 11:17 188416 c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2009-04-26 11:17 . 2008-08-07 14:27 163328 c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2009-04-26 14:08 . 2009-04-26 14:08 188416 c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2009-04-26 11:17 . 2008-08-07 14:27 163328 c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2008-12-25 03:47 . 2005-10-20 16:00 157696 c:\windows\ERUNT\ERUNT.EXE
+ 2009-01-14 23:32 . 2009-05-07 07:16 24699336 c:\windows\system32\MRT.exe
+ 2009-04-26 11:17 . 2009-04-26 11:17 17260544 c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2009-04-26 14:08 . 2009-04-26 14:08 17260544 c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-28 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-08 7110656]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-31 136600]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2005-07-22 126464]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-05-21 180269]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 106496]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-30 29744]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 222208]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-06-02 270336]
"O2"="c:\program files\O2\bin\sprtcmd.exe" [2008-03-28 198184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-11-08 16384]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-03-02 18944]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 1634304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" - c:\windows\MIDIDEF.EXE [2005-11-08 25600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2008-12-23 245760]
EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2006-5-21 136192]
Service Manager.lnk.disabled [2006-5-9 1908]
WG111v2 Smart Wizard Wireless Setting.lnk - c:\program files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2008-2-17 745472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\bootlist32.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\O2\\bin\\wificfg.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [13/09/2007 12:43 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [13/09/2007 12:43 38528]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [17/02/2008 11:23 66048]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [22/09/2008 12:18 69632]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [21/08/2008 13:04 98304]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [07/06/2007 17:19 202280]
S0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [01/07/2006 17:53 25423]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [21/05/2006 09:55 29744]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [17/02/2008 11:23 112384]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [01/10/2008 09:02 14976]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{955effb6-d4fb-11dd-a1b1-000fb5d3a99a}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: blogspot.com\reloda
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-16 08:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\CTXFISPI.EXE
c:\program files\Dell AIO Printer A920\dlbkbmon.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-05-16 8:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-16 07:08
ComboFix2.txt 2009-04-26 13:07
ComboFix3.txt 2009-04-26 12:01
ComboFix4.txt 2009-04-26 11:09

Pre-Run: 200,852,353,024 bytes free
Post-Run: 200,920,522,752 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

307 --- E O F --- 2009-05-15 21:02

#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:58 AM

Posted 16 May 2009 - 10:15 AM

Hello.

Run ComboFix with CFScript

We will run ComboFix again. This time it will be slightly different from the initial run.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    http://www.bleepingcomputer.com/forums/t/222494/win32agentpz/
    Collect::
    c:\windows\system32\376B382594.sys
    c:\windows\system32\dagihama.exe
    c:\windows\system32\muzakego.exe
    c:\windows\system32\sukazata.exe
    DDS::
    uInternet Settings,ProxyOverride = <local>;*.local
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
Upload Samples by ComboFix

When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.
  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue-screen would appear auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was Succesfull".
**NOTE**
=================
  • IF for some reason Combofix fails to upload anything please do the following:
  • Go to Start >> My Computer > C:\
  • Then Navigate to the C:\Qoobox\Quarantine folder.
  • Find the archive zip file called "[4]-Submit_Date_Time.zip"
  • Simply go to This Channel and upload the submit.zip archive file to me.
  • Follow the instructions on that page to copy/paste/send the requested file.
Let me know how it goes and if the upload went successfully or not in your next reply.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post back with:
-Combofix log
-MBAM log
-How is your computer running?

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#10 johnmark32

johnmark32
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:58 AM

Posted 16 May 2009 - 11:39 AM

Hi EB,

Some progress.
I am not certain that COMBOFIX uploaded the zipped file; anyway, I manually uploaded the file just in case.
MalwareBytes ran ok & removed some files and did a re-boot.

I post below:
-Combofix log
-MBAM log

The computer is running fine with no error messages. I did run Spybot and got:-
Virtumonde.sdn 1 infection @ c:\windows\system32\buvujise
Win32.Agent.pz 2 entries as follows:
Win32.Agent.pz: [SBI $7EC6899E] Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Network\UID

Win32.Agent.pz: [SBI $8980C6CD] Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Network\UID

============
COMBOFIX log:-
ComboFix 09-05-15.08 - OFFICE 16/05/2009 16:40.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1426 [GMT 1:00]
Running from: c:\documents and settings\OFFICE\Desktop\bleeping computer forum notes\ComboFix.exe
Command switches used :: c:\documents and settings\OFFICE\Desktop\bleeping computer forum notes\CFScript.txt
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
FW: NVIDIA Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
* Created a new restore point

file zipped: c:\windows\system32\376B382594.sys
file zipped: c:\windows\system32\dagihama.exe
file zipped: c:\windows\system32\muzakego.exe
file zipped: c:\windows\system32\sukazata.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\376B382594.sys
c:\windows\system32\dagihama.exe
c:\windows\system32\muzakego.exe
c:\windows\system32\sukazata.exe

.
((((((((((((((((((((((((( Files Created from 2009-04-16 to 2009-05-16 )))))))))))))))))))))))))))))))
.

2009-05-16 06:32 . 2009-05-16 06:37 -------- d-----w c:\program files\Unlocker
2009-04-26 20:48 . 2009-04-26 20:48 -------- d-----w C:\ERDNT
2009-04-26 20:48 . 2009-04-26 20:48 -------- d-----w C:\!FixIEDef
2009-04-26 19:48 . 2009-04-26 19:48 -------- d-----w c:\program files\ACW
2009-04-26 16:24 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-26 16:23 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-26 16:23 . 2009-04-26 16:24 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-26 16:20 . 2009-04-26 16:20 -------- d-----w c:\documents and settings\OFFICE\Application Data\pdf995
2009-04-26 15:26 . 2009-04-26 16:20 -------- d-----w c:\documents and settings\All Users\Application Data\pdf995
2009-04-26 15:26 . 2009-04-26 19:42 59 ----a-w c:\windows\wpd99.drv
2009-04-26 15:26 . 2009-04-26 19:42 249856 ----a-w c:\windows\system32\pdfmona.dll
2009-04-26 15:26 . 2009-04-26 19:42 51716 ----a-w c:\windows\system32\pdf995mon.dll
2009-04-26 15:26 . 2009-04-26 15:28 -------- d-----w c:\program files\pdf995
2009-04-26 15:00 . 2009-04-26 15:00 -------- d-----w c:\program files\Trend Micro
2009-04-26 11:19 . 2009-04-26 11:19 578560 ----a-w c:\windows\system32\dllcache\user32.dll
2009-04-26 11:17 . 2009-04-26 20:48 -------- d-----w c:\windows\ERUNT
2009-04-26 11:12 . 2009-04-26 14:24 -------- d-----w C:\SDFix
2009-04-26 09:59 . 2009-04-26 11:04 23328 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-26 09:59 . 2009-04-26 11:04 10016 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-26 09:47 . 2009-04-26 10:20 -------- d-----w c:\program files\Common Files\ParetoLogic
2009-04-26 09:47 . 2009-04-26 10:20 -------- d-----w c:\documents and settings\All Users\Application Data\ParetoLogic
2009-04-26 09:46 . 2009-04-26 09:46 -------- d-----w c:\documents and settings\OFFICE\Local Settings\Application Data\Downloaded Installations
2009-04-22 23:32 . 2009-04-22 23:32 -------- d-----w c:\documents and settings\OFFICE\Application Data\Uniblue
2009-04-22 22:22 . 2009-04-22 22:22 -------- d-----w c:\documents and settings\OFFICE\Application Data\Malwarebytes
2009-04-22 22:22 . 2009-04-22 22:22 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-22 21:31 . 2009-04-22 21:43 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-22 17:57 . 2009-04-22 21:19 -------- d-----w c:\program files\Lavasoft
2009-04-22 17:57 . 2009-04-22 21:19 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-22 08:54 . 2009-04-22 08:54 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-22 08:54 . 2009-05-15 15:29 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-22 08:54 . 2009-05-15 15:29 -------- d-----w c:\documents and settings\OFFICE\Application Data\SUPERAntiSpyware.com
2009-04-21 22:27 . 2009-04-21 22:27 -------- d-----w c:\program files\iPod
2009-04-21 22:27 . 2009-04-21 22:28 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-21 22:27 . 2009-04-21 22:28 -------- d-----w c:\program files\iTunes
2009-04-21 19:38 . 2009-04-21 19:38 -------- d-----w c:\program files\CCleaner
2009-04-21 15:52 . 2009-04-21 15:52 -------- d-----w c:\documents and settings\OFFICE_2\Local Settings\Application Data\Sophos
2009-04-21 15:47 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-21 15:47 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-21 15:47 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-21 15:47 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-21 15:47 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-21 15:47 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-21 15:47 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-21 15:47 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-21 15:47 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-21 15:47 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-21 15:47 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-21 15:47 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-15 15:50 . 2006-05-21 09:23 -------- d-----w c:\program files\Hewlett-Packard
2009-04-26 13:47 . 2006-12-10 12:10 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-26 11:04 . 2009-04-26 09:59 2012 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-26 11:04 . 2009-04-26 09:59 1388 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-21 22:27 . 2007-07-17 08:30 -------- d-----w c:\program files\Common Files\Apple
2009-04-21 16:00 . 2006-12-25 18:46 -------- d-----w c:\program files\PokerStars
2009-04-15 06:45 . 2006-06-08 07:51 6528 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-04-15 06:45 . 2006-06-08 07:51 88 --sh--r c:\windows\system32\2A0957E5AF.sys
2009-04-02 19:03 . 2006-10-18 13:49 -------- d-----w c:\program files\Thomson
2009-04-02 18:19 . 2009-04-02 18:19 100696 ----a-w c:\documents and settings\OFFICE_2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-26 20:24 . 2009-03-26 20:24 -------- d-----w c:\program files\Bonjour
2009-03-26 20:24 . 2009-03-26 20:24 -------- d-----w c:\program files\QuickTime
2009-03-26 20:22 . 2009-03-26 20:22 -------- d-----w c:\program files\Apple Software Update
2009-03-23 15:13 . 2008-10-01 08:03 130104 ----a-w c:\windows\system32\sdccoinstaller.dll
2009-03-19 23:47 . 2006-05-09 20:21 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-19 23:44 . 2006-05-27 15:28 -------- d-----w c:\program files\Soulseek
2009-03-19 15:32 . 2006-09-19 13:44 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 14:22 . 2005-08-16 03:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2005-08-16 03:18 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2005-08-16 03:18 78336 ----a-w c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-05-16_07.05.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-16 15:27 . 2009-05-16 15:27 16384 c:\windows\Temp\Perflib_Perfdata_78.dat
+ 2009-05-16 15:27 . 2009-05-16 15:27 16384 c:\windows\Temp\Perflib_Perfdata_214.dat
+ 2006-05-12 20:53 . 2009-05-16 15:28 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-05-12 20:53 . 2009-05-16 07:04 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-05-12 20:53 . 2009-05-16 15:28 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-05-12 20:53 . 2009-05-16 07:04 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-05-12 20:53 . 2009-05-16 15:28 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-05-12 20:53 . 2009-05-16 07:04 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-28 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-08 7110656]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-31 136600]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2005-07-22 126464]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-05-21 180269]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 106496]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-30 29744]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 222208]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-06-02 270336]
"O2"="c:\program files\O2\bin\sprtcmd.exe" [2008-03-28 198184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-11-08 16384]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-03-02 18944]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 1634304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" - c:\windows\MIDIDEF.EXE [2005-11-08 25600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2008-12-23 245760]
EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2006-5-21 136192]
Service Manager.lnk.disabled [2006-5-9 1908]
WG111v2 Smart Wizard Wireless Setting.lnk - c:\program files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2008-2-17 745472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\bootlist32.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\O2\\bin\\wificfg.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [13/09/2007 12:43 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [13/09/2007 12:43 38528]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [17/02/2008 11:23 66048]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [22/09/2008 12:18 69632]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [21/08/2008 13:04 98304]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [07/06/2007 17:19 202280]
S0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [01/07/2006 17:53 25423]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [21/05/2006 09:55 29744]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [17/02/2008 11:23 112384]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [01/10/2008 09:02 14976]
.
Contents of the 'Scheduled Tasks' folder

2009-04-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: blogspot.com\reloda
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-16 16:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...


c:\windows\system32\bootlist32.exe 441344 bytes executable
c:\windows\system32\zad32and

scan completed successfully
hidden files: 2

**************************************************************************
.
Completion time: 2009-05-16 16:50
ComboFix-quarantined-files.txt 2009-05-16 15:50
ComboFix2.txt 2009-05-16 07:08
ComboFix3.txt 2009-04-26 13:07
ComboFix4.txt 2009-04-26 12:01
ComboFix5.txt 2009-05-16 15:38

Pre-Run: 200,855,007,232 bytes free
Post-Run: 200,852,860,928 bytes free

221 --- E O F --- 2009-05-15 21:02
Upload was successful
================
MBAM log:-
Malwarebytes' Anti-Malware 1.36
Database version: 2142
Windows 5.1.2600 Service Pack 3

16/05/2009 17:08:00
mbam-log-2009-05-16 (17-08-00).txt

Scan type: Quick Scan
Objects scanned: 107526
Time elapsed: 2 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Zbot) -> Data: c:\windows\system32\bootlist32.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootlist32.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\zad32and (Trojan.Zbot) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\zad32and\boot.pop (Trojan.Zbot) -> Delete on reboot.
C:\WINDOWS\system32\zad32and\boot.pop.lll (Trojan.Zbot) -> Delete on reboot.
C:\WINDOWS\system32\zad32and\codec.dll (Trojan.Zbot) -> Delete on reboot.
C:\WINDOWS\system32\bootlist32.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
==========

The above ends info requested. PC still not being used and virus, anti spyware and software firewall all still off.
Looks like there are still some infections?

Regards

John
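The CFScript in the reply above resets the Winlogon "Userinit" value, and the MBAM log here reports why: the value had grown a second program (bootlist32.exe) after the stock userinit.exe, which MBAM labels Hijack.UserInit. Any program listed in that value runs at every interactive logon, so checking it against the single expected entry is a cheap, high-signal check. The script below is an added example written for this thread, not part of the original posts or of any of the tools mentioned: it parses a "Userinit" line as it appears in a ComboFix "Reg Loading Points" section (the sample text is constructed to mirror the log above) and flags every entry that is not the stock userinit.exe. The baseline path and the handling of REGEDIT-style doubled backslashes are assumptions stated in the comments.

```python
import re

# Assumption: on a stock Windows XP install the only legitimate Userinit entry
# is userinit.exe in system32. Anything else in the list is worth a look.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Matches a line such as:  "Userinit"="c:\windows\system32\userinit.exe,"
USERINIT_LINE = re.compile(r'^\s*"Userinit"\s*=\s*"(.*)"\s*$', re.IGNORECASE)

# Constructed sample, shaped like the ComboFix "Reg Loading Points" section in
# this thread (the Run line is a filler entry; not taken from a real machine).
SAMPLE_REG_LOADING_POINTS = """REGEDIT4

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"ctfmon.exe"="c:\\windows\\system32\\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon]
"Userinit"="c:\\windows\\system32\\userinit.exe,c:\\windows\\system32\\bootlist32.exe,"
"""


def parse_userinit(value):
    """Split a Userinit value into its comma-separated program list.

    REGEDIT-style exports (and CFScript Registry:: blocks) double every
    backslash; collapse those so both forms compare equally. The trailing
    comma Windows keeps on this value yields an empty field, which is dropped.
    """
    value = value.replace("\\\\", "\\")
    return [part.strip() for part in value.split(",") if part.strip()]


def normalize(path):
    """Lower-case the path and expand the usual system-root variables.

    A bare file name (as MBAM prints in 'Good: (userinit.exe)') is assumed to
    live in system32, which is where Winlogon resolves it from.
    """
    p = path.lower().replace("/", "\\")
    p = p.replace("%systemroot%", r"c:\windows").replace("%windir%", r"c:\windows")
    if "\\" not in p:
        p = r"c:\windows\system32" + "\\" + p
    return p


def check_userinit(value):
    """Return (entries, extras).

    entries: every program named in the value, in order.
    extras:  the subset that is not the stock userinit.exe, i.e. the part a
             responder should explain before calling the machine clean.
    """
    entries = parse_userinit(value)
    extras = [e for e in entries if normalize(e) != DEFAULT_USERINIT]
    return entries, extras


def scan_reg_export(text):
    """Locate the Winlogon key in a REGEDIT-style dump and check its Userinit.

    Returns the (entries, extras) tuple from check_userinit, or None when no
    Userinit line was found under a ...\\CurrentVersion\\Winlogon key.
    """
    in_winlogon = False
    for line in text.splitlines():
        if line.startswith("["):
            # Each [KEY] header starts a new section; track whether it is Winlogon.
            in_winlogon = line.lower().rstrip("]").endswith(r"\currentversion\winlogon")
            continue
        if in_winlogon:
            m = USERINIT_LINE.match(line)
            if m:
                return check_userinit(m.group(1))
    return None


if __name__ == "__main__":
    result = scan_reg_export(SAMPLE_REG_LOADING_POINTS)
    if result is None:
        print("no Userinit value found")
    else:
        entries, extras = result
        print("Userinit entries:", entries)
        print("unexpected entries:", extras or "none")
```

Running the script on the constructed sample prints the two entries and reports bootlist32.exe as unexpected; feeding it the value from the CFScript's Registry:: block (userinit.exe alone, with doubled backslashes) reports nothing, which is the state the reply above restores.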

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:58 AM

Posted 16 May 2009 - 01:40 PM

Hello.

Re-run DDS and post back with the new set of logs.

Does your security program still detect anything? The other item that you were talking about has been removed by MBAM already.

With Regards,
Extremeboy

#12 johnmark32

johnmark32
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:58 AM

Posted 16 May 2009 - 04:56 PM

Hi EB,

I have re-booted and run Spybot and Sophos with results:-
Spybot - now only 2 entries for Win32.Agent.pz found as previously advised relating to HKEY_USERS entries in the registry.
Sophos - 1 new item passed to quarantine manager relates to Nircmd listed as Adware/PAU type other and more info seems to relate to entries in Documents and Settings folder .\ComboFix.exe\SfxArchiveData\ and various files. I presume this is a false positive?

I have re-run DDS and logs are as below/attached:-

=========
DSS log

DDS (Ver_09-05-14.01) - NTFSx86
Run by OFFICE at 22:46:43.40 on 16/05/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1377 [GMT 1:00]

AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
FW: NVIDIA Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\O2\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\OFFICE\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [CTDVDDET] "c:\program files\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [PCSuiteTrayApplication] c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe -startup
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Dell AIO Printer A920] "c:\program files\dell aio printer a920\dlbkbmgr.exe"
mRun: [O2] "c:\program files\o2\bin\sprtcmd.exe" /P O2
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [PcSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
dRunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Service Manager.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wg111v~1.lnk - c:\program files\netgear\wg111v2 configuration utility\RtlWake.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: blogspot.com\reloda
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} - hxxp://sib1.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2007-9-13 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2007-9-13 38528]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2008-2-17 66048]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2008-9-22 69632]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-8-21 98304]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2008-12-23 172032]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\o2\bin\sprtsvc.exe [2007-6-7 202280]
S0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [2006-7-1 25423]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-5-21 29744]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2008-2-17 112384]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-10-1 14976]

=============== Created Last 30 ================

2009-05-16 17:02 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-16 17:02 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-16 17:02 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-16 07:54 <DIR> a-dshr-- C:\cmdcons
2009-05-16 07:32 <DIR> --d----- c:\program files\Unlocker
2009-04-26 21:48 <DIR> --d----- C:\!FixIEDef
2009-04-26 20:48 <DIR> --d----- c:\windows\pss
2009-04-26 20:48 <DIR> --d----- c:\program files\ACW
2009-04-26 17:20 28 a------- c:\windows\pdf995.ini
2009-04-26 16:26 59 a------- c:\windows\wpd99.drv
2009-04-26 16:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\pdf995
2009-04-26 16:26 249,856 a------- c:\windows\system32\pdfmona.dll
2009-04-26 16:26 51,716 a------- c:\windows\system32\pdf995mon.dll
2009-04-26 16:26 <DIR> --d----- c:\program files\pdf995
2009-04-26 16:00 <DIR> --d----- c:\program files\Trend Micro
2009-04-26 12:19 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-04-26 12:17 <DIR> --d----- c:\windows\ERUNT
2009-04-26 12:12 <DIR> --d----- C:\SDFix
2009-04-26 11:52 161,792 a------- c:\windows\SWREG.exe
2009-04-26 11:52 98,816 a------- c:\windows\sed.exe
2009-04-26 10:59 23,328 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-26 10:59 10,016 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-04-26 10:59 2,012 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-04-26 10:59 1,388 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-04-26 10:59 1,380 a------- C:\rollback.ini
2009-04-26 10:47 <DIR> --d----- c:\program files\common files\ParetoLogic
2009-04-26 10:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic
2009-04-23 00:32 <DIR> --d----- c:\docume~1\office\applic~1\Uniblue
2009-04-22 23:22 <DIR> --d----- c:\docume~1\office\applic~1\Malwarebytes
2009-04-22 23:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-22 18:57 <DIR> --d----- c:\program files\Lavasoft
2009-04-22 09:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-22 09:54 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-22 09:54 <DIR> --d----- c:\docume~1\office\applic~1\SUPERAntiSpyware.com
2009-04-21 23:27 <DIR> --d----- c:\program files\iPod
2009-04-21 23:27 <DIR> --d----- c:\program files\iTunes
2009-04-21 23:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-21 20:38 <DIR> --d----- c:\program files\CCleaner

==================== Find3M ====================

2009-04-15 07:45 6,528 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-03-23 16:13 130,104 a------- c:\windows\system32\sdccoinstaller.dll
2009-03-21 15:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 15:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 05:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 11:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 11:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 06:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-10-20 07:39 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102020081021\index.dat

============= FINISH: 22:47:03.32 ===============


The other log is attached

Thanks again and I await your advice on status.

Regards

John


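The DDS log above has a handful of fixed line shapes (the `TB:`/`BHO:`/`Trusted Zone:` entries of the Pseudo HJT Report, and the `date time size attributes path` rows of the Created Last 30 and Find3M sections). The script below, an added example that is not part of the original post or of the DDS tool, parses those shapes and pulls out the lines a malware-response helper usually looks at first: toolbar registrations that point at no file, Internet Explorer trusted-zone exemptions, and hidden or system-attribute files inside system32. `SAMPLE_DDS` is a constructed excerpt modelled on the log; the rules only select lines for review, they do not decide whether anything is malicious.

```python
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the DDS log in the post; a real log is passed in whole.
SAMPLE_DDS = r"""============== Pseudo HJT Report ===============

BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
Trusted Zone: blogspot.com\reloda
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

============= SERVICES / DRIVERS ===============

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2007-9-13 110848]

==================== Find3M ====================

2009-04-15 07:45 6,528 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# File rows: "2009-04-15 07:45 6,528 a--sh--- c:\windows\system32\KGyGaAvL.sys"
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([a-z-]{8})\s+(.+)$")
# Pseudo HJT rows: "TB: Name: {GUID} - path" or "TB: {GUID} - No File"
HJT_RE = re.compile(r"^(BHO|TB|EB|DPF|Filter|Trusted Zone|[umd]Run(?:Once)?):\s*(.*)$")


@dataclass(frozen=True)
class Finding:
    section: str
    rule: str
    line: str


def split_sections(text):
    """Group non-empty log lines under the '=== Name ===' banner they follow."""
    sections, current = {}, "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        sections.setdefault(current, []).append(line)
    return sections


def triage(text):
    """Return the lines a responder would review first, each with the reason."""
    findings = []
    for section, lines in split_sections(text).items():
        for line in lines:
            m = HJT_RE.match(line)
            if m:
                kind, rest = m.groups()
                if rest.endswith("- No File"):
                    findings.append(Finding(section, "orphaned registration", line))
                elif kind == "Trusted Zone":
                    findings.append(Finding(section, "IE trusted-zone exemption", line))
                continue
            m = FILE_RE.match(line)
            if m:
                attrs, path = m.group(3), m.group(4).lower()
                hidden = "h" in attrs or "s" in attrs
                if hidden and m.group(2) != "<DIR>" and "\\system32\\" in path:
                    findings.append(Finding(section, "hidden file in system32", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.section}] {f.rule}: {f.line}")
```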
#13 johnmark32

Posted 17 May 2009 - 12:19 PM

Hi Extremeboy,

I await your confirmation, but from my checks the machine is now clean. Spybot kept finding the two registry entries and normally a fix did not cure them, but after the other actions under your advice a final fix by Spybot removed these and they did not reappear after a re-boot.
Many thanks for your kind and generous help. You are a star!

I have turned all protection back on and reset the restore point.
I would finally ask:
* whether there are any final actions I should take?
* Are Sophos and Spybot and a hardware and software firewall sufficient protection?

Best Regards

John

#14 extremeboy

Posted 17 May 2009 - 04:19 PM

Hello.

Sophos - 1 new item passed to quarantine manager relates to Nircmd listed as Adware/PAU type other and more info seems to relate to entries in Documents and Settings folder .\ComboFix.exe\SfxArchiveData\ and various files. I presume this is a false positive?

Yes.

We are not quite done yet. We need to update your Java and run an online scan.

Update Java to Version 6 Update 13

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove the older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 13.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
*If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
** If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
*** The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.


Regarding Protection.

All I have to say is:

1. Have good surfing habits
2. Have an anti-virus and Firewall installed and up to date.
3. Install one or two anti-spyware programs for additional protection.

I never tried Sophos so I don't know but I can let you start another topic in another forum after we are done here if you wish for some opinions. However, Spybot is currently "old" now. Many don't find it a very effective real-time protection anti-spyware program. If you want me to give you some other anti-spyware programs, let me know :thumbup2:

I will give you some prevention tips when we are all clean :)

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#15 johnmark32

Posted 17 May 2009 - 06:57 PM

Hi EB,

Java action all done.
Kaspersky scan is as follows:

KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, May 18, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, May 17, 2009 23:42:56
Records in database: 2189078


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\

Scan statistics
Files scanned 91365
Threat name 1
Infected objects 0
Suspicious objects 1
Duration of the scan 01:31:55

File name Threat name Threats count
C:\Documents and Settings\OFFICE\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1

The selected area was scanned.
============

I await your further advice.
Yes I would appreciate any advice on some good anti-spyware progs.

Thanks again.

Regards

John

