
Spyware Protect 2009 - MBAM did not get rid of it all


This topic is locked
21 replies to this topic

#1 The Diver

Posted 27 April 2009 - 12:52 AM

Hello,

I was infected with the "Spyware Protect 2009." I followed the directions here on BleepingComputer to get rid of this malicious program. MBAM detected 40 infected objects and cleaned most of them. On the second run through with MBAM it detected 5 infected objects. It could not remove "wbbetsgq.dll" on reboot.

Browser IE tries to redirect me to <hxxp://69.31.80.181/rtc/?u=4d038be7+C420940D68404048A18250B4D80E27A7&g=00000000000000000000000000000000&src_id=88&v=1.04>

Multiple tries with MBAM have been unsuccessful. I ran "dss.scr" and have attached the DDS.txt and Attach.txt files.

Please help me get rid of this. Thank you,

Amy


Edited by Orange Blossom, 11 February 2013 - 04:30 AM.
Deactivate link. ~ OB



#2 The Diver (Topic Starter)

Posted 04 May 2009 - 02:48 AM

Hi,

Still having the same problem. My original post was April 26th and I have noticed that others who have posted after me have been getting help. Is there something else that is needed to get started? I was under the impression that help was assigned in the order received. I've attached the dss files. Do you need more info? Please help as this problem is with the Vundo trojan that MBAM can't seem to get rid of. Browser is redirecting.

I'm hoping to get this resolved as it is Mom's computer and since she is legally blind, she uses software on this computer to read for her. She is lost without it. Thank you,

Amy

#3 Baabiouz (Finnish Malware Fighter)

Posted 10 May 2009 - 04:07 AM

Hello

Apologies for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.

Before we can continue, please post a fresh DSS log back here :thumbup2:

#4 The Diver (Topic Starter)

Posted 10 May 2009 - 10:02 PM

Hello,

Thank you for the reply. I am still having the same problem on the computer. I've tried MBAM and Spybot Search & Destroy. Both programs found Vundo or Virtumonde. Both try ridding the computer of it, but are unable to do so. Here are the fresh updated attach file and dss file.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Compaq_Owner at 19:31:51.00 on Sun 05/10/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.160 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\BigShot 2.1\BigShot.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\Program Files\Webshots\webshots.scr
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\wuauclt.exe
c:\windows\system\hpsysdrv.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {3fd3b6c8-0985-4413-b28c-88875bd1e49e} - c:\windows\system32\wbbetsgq.dll
BHO: : {5e66b6ad-0d1c-46f4-b114-b2d2df11d53d} - c:\windows\system32\sldlzwa.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [BigShot] "c:\program files\bigshot 2.1\BigShot.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
StartupFolder: c:\docume~1\compaq~1\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\5577497\program\Compaq Connections.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\microt~1.lnk - c:\program files\microtek\scanwizard 5\ScannerFinder.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear wg311v2 adapter\wlancfg5.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: adwweidm - sldlzwa.dll
Notify: AtiExtEvent - Ati2evxx.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 bpnrtgoa;bpnrtgoa;c:\windows\system32\drivers\bpnrtgoa.sys [2004-8-3 23424]
R1 ddint;ddint;c:\windows\system32\drivers\DDINT.sys [2006-6-15 9198]
R2 nfhnzryz;NDIS System Helper;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-1-14 226656]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-05-04 01:01 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-04 01:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-30 16:17 <DIR> --d----- c:\docume~1\compaq~1\applic~1\clvbausz
2009-04-26 22:30 <DIR> --d----- c:\program files\Trend Micro
2009-04-21 11:03 0 a------- c:\windows\system32\nfr.gpref
2009-04-21 09:58 0 a------- c:\windows\system32\nfr.assembly
2009-04-21 09:57 <DIR> --d----- c:\windows\system32\219198
2009-04-21 09:57 182,656 a------- c:\windows\system32\dllcache\ndis.sys
2009-04-14 16:14 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-14 16:14 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 16:14 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-14 16:14 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-14 16:14 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 16:14 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-14 16:13 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 16:13 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-14 16:13 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-14 16:13 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 16:13 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-14 16:13 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-11 18:00 <DIR> --d----- c:\program files\Microsoft

==================== Find3M ====================

2009-04-21 09:57 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-21 07:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 16:04 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-02-20 01:11 3,068,416 -------- c:\windows\system32\dllcache\mshtml.dll
2009-02-20 01:10 666,112 a------- c:\windows\system32\wininet.dll
2009-02-20 01:10 666,112 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-20 01:10 619,520 -------- c:\windows\system32\dllcache\urlmon.dll
2009-02-20 01:10 81,920 a------- c:\windows\system32\ieencode.dll
2009-02-20 01:10 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
2004-07-02 12:19 40,960 a------- c:\windows\inf\wg311v2\imdinst.exe
2004-06-17 23:41 386,688 a------- c:\windows\inf\wg311v2\netwg311_XP.sys
2004-04-04 13:07 84,912 a------- c:\windows\inf\wg311v2\FwRad17.bin
2004-04-04 13:07 83,320 a------- c:\windows\inf\wg311v2\FwRad16.bin
2004-02-04 12:53 62,865 a------- c:\windows\inf\wg311v2\odysseyIM3.sys
2004-02-04 12:53 12,739 a------- c:\windows\inf\wg311v2\odNetInstall.dll
2006-06-03 13:38 22 a--sh--- c:\windows\sminst\HPCD.sys

============= FINISH: 19:32:33.50 ===============



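The DDS log above already contains every indicator the helper acts on later in the thread: two Browser Helper Objects with no name loading randomly named DLLs out of system32 (wbbetsgq.dll, sldlzwa.dll), a Winlogon Notify package (adwweidm) pointing at one of those DLLs, a service with a random name (nfhnzryz) hosted inside svchost.exe -k netsvcs, a random-named kernel driver (bpnrtgoa.sys), and an Internet Explorer ProxyServer setting of localhost:7171 that routes every browser request through a local listener, which is how the redirect reported in post #1 gets injected. As an added example (not code from DDS, ComboFix, or anyone in this thread), the following Python script parses lines in the DDS "Pseudo HJT Report" and services format and flags those patterns. The sample lines are adapted from the log above; the rule names and the random-name heuristic are assumptions of this example, not rules stated by the thread.

```python
"""Triage of a DDS 'Pseudo HJT Report' for Vundo-style indicators.

Added example for this thread; it is not part of DDS, ComboFix or the
BleepingComputer procedure. The rule names and the random-name heuristic
are assumptions of this example, not rules stated in the thread.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the DDS lines posted above (post #4).
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
BHO: {3fd3b6c8-0985-4413-b28c-88875bd1e49e} - c:\windows\system32\wbbetsgq.dll
BHO: : {5e66b6ad-0d1c-46f4-b114-b2d2df11d53d} - c:\windows\system32\sldlzwa.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
Notify: adwweidm - sldlzwa.dll
Notify: AtiExtEvent - Ati2evxx.dll
R0 bpnrtgoa;bpnrtgoa;c:\windows\system32\drivers\bpnrtgoa.sys [2004-8-3 23424]
R1 ddint;ddint;c:\windows\system32\drivers\DDINT.sys [2006-6-15 9198]
R2 nfhnzryz;NDIS System Helper;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-1-14 226656]
"""

# Line shapes as DDS prints them: "BHO: <name>: {clsid} - <path>",
# "Notify: <key> - <dll>", "R<n> <svc>;<desc>;<image> [date size]".
BHO_RE = re.compile(r"^BHO:\s*(?P<name>[^{]*?)\s*:?\s*\{(?P<clsid>[0-9A-Fa-f-]{36})\}\s*-\s*(?P<path>.+?)\s*$")
NOTIFY_RE = re.compile(r"^Notify:\s*(?P<key>\S+)\s*-\s*(?P<dll>\S+)")
SERVICE_RE = re.compile(r"^R[0-3]\s+(?P<svc>[^;]+);(?P<desc>[^;]*);(?P<image>.+?)\s*\[")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>.+?)\s*$")
SYSTEM_DIR_RE = re.compile(r"\\system32\\(drivers\\)?[^\\]+$", re.IGNORECASE)
LOOPBACK_RE = re.compile(r"localhost|127\.0\.0\.1", re.IGNORECASE)
VOWELS = "aeiouy"


def looks_random(name: str) -> bool:
    """Heuristic for generated names such as wbbetsgq or nfhnzryz: alphabetic,
    six or more letters, and either vowel-free or containing a run of four or
    more consonants. This is an assumption of the example; tune it to taste."""
    stem = re.sub(r"\.[A-Za-z0-9]+$", "", name).lower()
    if len(stem) < 6 or not stem.isalpha():
        return False
    if not any(ch in VOWELS for ch in stem):
        return True
    return re.search(r"[^aeiouy]{4,}", stem) is not None


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def in_system_dir(path: str) -> bool:
    return SYSTEM_DIR_RE.search(path) is not None


@dataclass(frozen=True)
class Finding:
    rule: str
    subject: str
    line: str


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per indicator; legitimate entries produce none."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.search(line)
        if m:
            # IE told to send all HTTP through a listener on this machine.
            if LOOPBACK_RE.search(m["value"]):
                findings.append(Finding("LOCAL_PROXY", m["value"], line))
            continue
        m = BHO_RE.match(line)
        if m:
            path = m["path"]
            if not m["name"].strip():  # vendor BHOs register a display name
                findings.append(Finding("UNNAMED_BHO", path, line))
            if in_system_dir(path) and looks_random(basename(path)):
                findings.append(Finding("RANDOM_DLL_IN_SYSTEM32", path, line))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            # Winlogon Notify DLLs load into winlogon.exe at logon; a bare
            # filename resolves from system32 (assumption: treat it as such).
            if looks_random(basename(m["dll"])) or looks_random(m["key"]):
                findings.append(Finding("WINLOGON_NOTIFY", m["dll"], line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            svc, image = m["svc"], m["image"]
            if "svchost.exe" in image.lower() and looks_random(svc):
                findings.append(Finding("SVCHOST_HOSTED_RANDOM_SERVICE", svc, line))
            elif in_system_dir(image) and looks_random(basename(image)):
                findings.append(Finding("RANDOM_DRIVER", image, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:30} {f.subject}")
```

Run against the sample it reports eight findings and stays silent on SearchHelper.dll, jp2ssv.dll, Ati2evxx.dll, DDINT.sys and SeaPort.exe. The random-name rule is deliberately only applied where the path is under system32 or drivers, because legitimate names outside those directories (SearchHelper has a four-consonant run) would otherwise trip it; treat a hit as a reason to look at the file's timestamp, size and signer, as the helper does in the later posts, not as a verdict.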
#5 Baabiouz (Finnish Malware Fighter)

Posted 10 May 2009 - 10:40 PM

Hello :thumbup2:

Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • [image: ComboFix prompt offering to install the Microsoft Windows Recovery Console]
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [image: ComboFix message confirming that the Recovery Console was installed]
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

#6 The Diver (Topic Starter)

Posted 11 May 2009 - 02:28 PM

Done. ComboFix log:



ComboFix 09-05-11.01 - Compaq_Owner 05/11/2009 12:16.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.133 [GMT -7:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Compaq_Owner\Local Settings\Temp\IadHide5.dll
c:\windows\IE4 Error Log.txt
c:\windows\system32\nfr.assembly
c:\windows\system32\nfr.gpref
c:\windows\Tasks\At1.job
D:\Autorun.inf
c:\windows\system32\sldlzwa.dll . . . . failed to delete
c:\windows\system32\wbbetsgq.dll . . . . failed to delete

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\ndis.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NFHNZRYZ
-------\Service_nfhnzryz


((((((((((((((((((((((((( Files Created from 2009-04-11 to 2009-05-11 )))))))))))))))))))))))))))))))
.

2009-05-04 08:01 . 2009-05-04 08:04 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-04 08:01 . 2009-05-04 08:04 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-30 23:17 . 2009-04-30 23:17 -------- d-----w c:\documents and settings\Compaq_Owner\Application Data\clvbausz
2009-04-30 23:17 . 2009-04-30 23:17 -------- d-----w c:\documents and settings\Compaq_Owner\Local Settings\Application Data\clvbausz
2009-04-28 20:51 . 2009-04-28 22:32 -------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Move Networks
2009-04-27 17:36 . 2009-04-27 17:36 -------- d-----w c:\documents and settings\NetworkService\Application Data\clvbausz
2009-04-27 17:36 . 2009-04-27 17:36 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\clvbausz
2009-04-27 05:30 . 2009-04-27 05:30 -------- d-----w c:\program files\Trend Micro
2009-04-21 16:57 . 2009-04-22 06:23 -------- d-----w c:\windows\system32\219198
2009-04-14 23:14 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-14 23:14 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-14 23:14 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-14 23:14 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-14 23:14 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 23:14 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 23:13 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 23:13 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-14 23:13 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-14 23:13 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-14 23:13 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-12 01:00 . 2009-04-12 01:00 -------- d-----w c:\program files\Microsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-11 19:19 . 2004-08-04 04:00 182912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-05-11 19:18 . 2004-08-04 04:00 143872 ----a-w c:\windows\system32\wbbetsgq.dll
2009-05-11 19:18 . 2004-08-04 04:00 103936 ----a-w c:\windows\system32\uxadlnw.dll
2009-04-17 06:20 . 2008-07-26 01:29 -------- d-----w c:\program files\CCleaner
2009-04-17 00:38 . 2008-07-26 02:20 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-12 00:58 . 2006-02-18 17:11 -------- d-----w c:\program files\Java
2009-04-06 22:32 . 2008-07-26 02:20 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2008-07-26 02:20 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-09 12:19 . 2008-12-14 09:07 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-04 04:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2004-08-04 04:00 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 04:00 81920 ----a-w c:\windows\system32\ieencode.dll
2006-06-03 20:38 . 2006-06-03 20:38 22 --sha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3FD3B6C8-0985-4413-B28C-88875BD1E49e}]
2009-05-11 19:18 143872 ----a-w c:\windows\system32\wbbetsgq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5E66B6AD-0D1C-46F4-B114-B2D2DF11D53D}]
2004-08-04 04:00 103936 ----a-w c:\windows\system32\sldlzwa.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 249856]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-02-18 180269]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"BigShot"="c:\program files\BigShot 2.1\BigShot.exe" [2004-06-22 139322]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2006-5-15 45056]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2006-2-18 36903]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2006-9-14 335872]
NETGEAR WG311v2 Smart Configuration.lnk - c:\program files\NETGEAR WG311v2 Adapter\wlancfg5.exe [2004-10-14 450560]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 bpnrtgoa;bpnrtgoa;c:\windows\system32\drivers\bpnrtgoa.sys [8/3/2004 9:00 PM 23424]
R1 ddint;ddint;c:\windows\system32\drivers\DDINT.sys [6/15/2006 5:57 PM 9198]
R2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [1/14/2009 5:53 PM 226656]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-PCDrProfiler - (no file)
SafeBoot-acup.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-11 12:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BigShot = "c:\program files\BigShot 2.1\BigShot.exe"?~p[?w?????????FB~??????????????????????G~@?W?h???k?B~????!???????????????????J????????????????$C~????1/??D?????B~8QW??????????????????MB~????????????8?3?d?????B~8QW???V?????????????????|???!NB~?????????????????????=@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Network\SharingHandler]
@DACL=(02 0000)
@="ntshrui.dll"

[HKEY_LOCAL_MACHINE\software\Classes\Network\Type]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\program files\Webshots\webshots.scr
.
**************************************************************************
.
Completion time: 2009-05-11 12:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-11 19:26

Pre-Run: 81,069,142,016 bytes free
Post-Run: 81,731,948,544 bytes free

156 --- E O F --- 2009-04-15 00:21

#7 Baabiouz (Finnish Malware Fighter)

Posted 12 May 2009 - 06:28 AM

Hello :thumbup2:

Step #1
Please click your Start button, then click on Run and type in the following without the quotes: "notepad". Then copy (Ctrl C) and paste (Ctrl V) the following text from the codebox:
File::
C:\windows\system32\wbbetsgq.dll
c:\windows\system32\uxadlnw.dll
c:\windows\system32\sldlzwa.dll

Folder::
c:\documents and settings\Compaq_Owner\Application Data\clvbausz
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\clvbausz
c:\documents and settings\NetworkService\Application Data\clvbausz
c:\documents and settings\NetworkService\Local Settings\Application Data\clvbausz
c:\windows\system32\219198

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3FD3B6C8-0985-4413-B28C-88875BD1E49e}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5E66B6AD-0D1C-46F4-B114-B2D2DF11D53D}]


Save this as CFScript.txt

[image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Step #2
Please download ATF-cleaner and save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser:

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser:

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Step #3
Malwarebytes' Anti-Malware
Download Malwarebytes' Anti-Malware here and save to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
    Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.
Step #4
Please post Combofix log, Mbam log back here :)
How's your pc working?

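The CFScript above was written by hand from the ComboFix log in post #6: the File:: entries are the DLLs ComboFix reported as "failed to delete" plus uxadlnw.dll, which shares their 2009-05-11 19:18 modification time in the Find3M report; the Registry:: entries are the two Browser Helper Object keys under "Reg Loading Points" whose file line points at one of those DLLs (the leading "-" asks ComboFix to delete the key); the Folder:: entries are the clvbausz and 219198 directories from "Files Created". As an added example (not ComboFix code and not the helper's script), the following Python reproduces that cross-referencing from the log text so the mechanical part is not done by eye. The log lines are a constructed subset of post #6; the same-minute "sibling" rule and the analyst-supplied folder names are assumptions of this example.

```python
"""Derive a ComboFix CFScript draft from a ComboFix log.

Added example for this thread; it is not part of ComboFix and is not the
script the helper wrote above. The same-minute sibling rule and the
analyst-supplied suspect folder names are assumptions of this example.
"""
import re
from typing import Dict, Iterable, List

# Constructed sample: a subset of the ComboFix log lines posted above (post #6).
SAMPLE_COMBOFIX_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\nfr.assembly
c:\windows\system32\sldlzwa.dll . . . . failed to delete
c:\windows\system32\wbbetsgq.dll . . . . failed to delete

((((((((((((((((((((((((( Files Created from 2009-04-11 to 2009-05-11 )))))))))))))))))))))))))))))))
.
2009-04-30 23:17 . 2009-04-30 23:17 -------- d-----w c:\documents and settings\Compaq_Owner\Application Data\clvbausz
2009-04-30 23:17 . 2009-04-30 23:17 -------- d-----w c:\documents and settings\Compaq_Owner\Local Settings\Application Data\clvbausz
2009-04-27 17:36 . 2009-04-27 17:36 -------- d-----w c:\documents and settings\NetworkService\Application Data\clvbausz
2009-04-27 17:36 . 2009-04-27 17:36 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\clvbausz
2009-04-21 16:57 . 2009-04-22 06:23 -------- d-----w c:\windows\system32\219198
2009-04-12 01:00 . 2009-04-12 01:00 -------- d-----w c:\program files\Microsoft

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-11 19:19 . 2004-08-04 04:00 182912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-05-11 19:18 . 2004-08-04 04:00 143872 ----a-w c:\windows\system32\wbbetsgq.dll
2009-05-11 19:18 . 2004-08-04 04:00 103936 ----a-w c:\windows\system32\uxadlnw.dll
2009-03-06 14:22 . 2004-08-04 04:00 284160 ----a-w c:\windows\system32\pdh.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3FD3B6C8-0985-4413-B28C-88875BD1E49e}]
2009-05-11 19:18 143872 ----a-w c:\windows\system32\wbbetsgq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5E66B6AD-0D1C-46F4-B114-B2D2DF11D53D}]
2004-08-04 04:00 103936 ----a-w c:\windows\system32\sldlzwa.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"""

# "mtime . ctime size attrs path" as printed in Files Created / Find3M.
ENTRY_RE = re.compile(r"^(?P<mtime>\d{4}-\d\d-\d\d \d\d:\d\d) \. \d{4}-\d\d-\d\d \d\d:\d\d "
                      r"(?P<size>\S+) (?P<attr>\S+) (?P<path>.+)$")
REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \d+ \S+ (?P<path>.+)$")
FAILED_SUFFIX = "failed to delete"


def _leaf(path: str) -> str:
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def plan_cleanup(log_text: str, suspect_dirs: Iterable[str]) -> Dict[str, List[str]]:
    """Collect locked files, their same-minute siblings, suspect folders and
    the BHO keys that load the locked files. Paths are compared lower-cased."""
    suspect = {d.lower() for d in suspect_dirs}
    files, folders, reg_pairs, find3m = set(), set(), [], []
    section, pending_key = "", None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("(((("):          # section banner
            section = line.strip("() ")
            pending_key = None
            continue
        if not line or line == ".":
            continue
        if section.startswith("Other Deletions") and line.endswith(FAILED_SUFFIX):
            files.add(line[:-len(FAILED_SUFFIX)].rstrip(" .").lower())
        elif section.startswith("Files Created"):
            m = ENTRY_RE.match(line)
            if m and m["attr"].startswith("d") and _leaf(m["path"]).lower() in suspect:
                folders.add(m["path"])
        elif section.startswith("Find3M"):
            m = ENTRY_RE.match(line)
            if m:
                find3m.append((m["mtime"], m["path"].lower()))
        elif section.startswith("Reg Loading Points"):
            m = REG_KEY_RE.match(line)
            if m:
                pending_key = m["key"]
                continue
            m = REG_FILE_RE.match(line)
            if m and pending_key:
                reg_pairs.append((pending_key, m["path"].lower()))
                pending_key = None
    # Sibling rule (assumption): a file written in the same minute as a locked
    # file is treated as part of the same drop. Review before trusting it.
    locked_minutes = {mtime for mtime, path in find3m if path in files}
    files |= {path for mtime, path in find3m if mtime in locked_minutes}
    registry = [key for key, path in reg_pairs if path in files]
    return {"files": sorted(files), "folders": sorted(folders), "registry": registry}


def render_cfscript(plan: Dict[str, List[str]]) -> str:
    """Emit File::/Folder::/Registry:: in the layout used in post #7; a key
    prefixed with '-' under Registry:: asks ComboFix to delete it."""
    blocks = []
    for header, items in (("File::", plan["files"]),
                          ("Folder::", plan["folders"]),
                          ("Registry::", [f"[-{key}]" for key in plan["registry"]])):
        if items:
            blocks.append("\n".join([header, *items]))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    print(render_cfscript(plan_cleanup(SAMPLE_COMBOFIX_LOG, {"clvbausz", "219198"})), end="")
```

On the sample this yields the same three File:: entries, five Folder:: entries and two Registry:: keys as the helper's script. The output is a draft for an analyst to read before it is dropped onto ComboFix: the minute-level sibling rule will also sweep in legitimate files written in the same minute (a Windows Update batch, for instance), which is why ndis.sys at 19:19 is excluded here only because its timestamp differs by a minute. The "~" in the key paths is ComboFix's own abbreviation of the Explorer registry path and is accepted in CFScript as the thread shows.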
#8 The Diver (Topic Starter)

Posted 13 May 2009 - 01:26 AM

MBAM found Trojan.BHO.H

Here is the Combofix log and MBAM log:


ComboFix 09-05-11.01 - Compaq_Owner 05/12/2009 22:34.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.153 [GMT -7:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt.txt

FILE ::
c:\windows\system32\sldlzwa.dll
c:\windows\system32\uxadlnw.dll
c:\windows\system32\wbbetsgq.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Compaq_Owner\Application Data\clvbausz
c:\documents and settings\Compaq_Owner\Application Data\clvbausz\profiles.ini
c:\documents and settings\Compaq_Owner\Application Data\clvbausz\Profiles\h7tru94g.default\cert8.db
c:\documents and settings\Compaq_Owner\Application Data\clvbausz\Profiles\h7tru94g.default\compatibility.ini
c:\documents and settings\Compaq_Owner\Application Data\clvbausz\Profiles\h7tru94g.default\compreg.dat
c:\documents and settings\Compaq_Owner\Application Data\clvbausz\Profiles\h7tru94g.default\cookies.sqlite
c:\documents and settings\Compaq_Owner\Application Data\clvbausz\Profiles\h7tru94g.default\formhistory.sqlite
c:\documents and settings\Compaq_Owner\Application Data\clvbausz\Profiles\h7tru94g.default\key3.db
c:\documents and settings\Compaq_Owner\Application Data\clvbausz\Profiles\h7tru94g.default\localstore.rdf
c:\documents and settings\Compaq_Owner\Application Data\clvbausz\Profiles\h7tru94g.default\permissions.sqlite
c:\documents and settings\Compaq_Owner\Application Data\clvbausz\Profiles\h7tru94g.default\places.sqlite-journal
c:\documents and settings\Compaq_Owner\Application Data\clvbausz\Profiles\h7tru94g.default\places.sqlite
c:\documents and settings\Compaq_Owner\Application Data\clvbausz\Profiles\h7tru94g.default\pluginreg.dat
c:\documents and settings\Compaq_Owner\Application Data\clvbausz\Profiles\h7tru94g.default\prefs.js
c:\documents and settings\Compaq_Owner\Application Data\clvbausz\Profiles\h7tru94g.default\secmod.db
c:\documents and settings\Compaq_Owner\Application Data\clvbausz\Profiles\h7tru94g.default\webappsstore.sqlite
c:\documents and settings\Compaq_Owner\Application Data\clvbausz\Profiles\h7tru94g.default\xpti.dat
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\clvbausz
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\clvbausz\Profiles\h7tru94g.default\urlclassifier3.sqlite
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\clvbausz\Profiles\h7tru94g.default\XPC.mfl
c:\documents and settings\Compaq_Owner\Local Settings\Temp\IadHide5.dll
c:\documents and settings\NetworkService\Application Data\clvbausz
c:\documents and settings\NetworkService\Application Data\clvbausz\profiles.ini
c:\documents and settings\NetworkService\Application Data\clvbausz\Profiles\f5rl1g86.default\cert8.db
c:\documents and settings\NetworkService\Application Data\clvbausz\Profiles\f5rl1g86.default\compatibility.ini
c:\documents and settings\NetworkService\Application Data\clvbausz\Profiles\f5rl1g86.default\compreg.dat
c:\documents and settings\NetworkService\Application Data\clvbausz\Profiles\f5rl1g86.default\cookies.sqlite
c:\documents and settings\NetworkService\Application Data\clvbausz\Profiles\f5rl1g86.default\formhistory.sqlite
c:\documents and settings\NetworkService\Application Data\clvbausz\Profiles\f5rl1g86.default\key3.db
c:\documents and settings\NetworkService\Application Data\clvbausz\Profiles\f5rl1g86.default\localstore.rdf
c:\documents and settings\NetworkService\Application Data\clvbausz\Profiles\f5rl1g86.default\permissions.sqlite
c:\documents and settings\NetworkService\Application Data\clvbausz\Profiles\f5rl1g86.default\places.sqlite-journal
c:\documents and settings\NetworkService\Application Data\clvbausz\Profiles\f5rl1g86.default\places.sqlite
c:\documents and settings\NetworkService\Application Data\clvbausz\Profiles\f5rl1g86.default\pluginreg.dat
c:\documents and settings\NetworkService\Application Data\clvbausz\Profiles\f5rl1g86.default\prefs.js
c:\documents and settings\NetworkService\Application Data\clvbausz\Profiles\f5rl1g86.default\secmod.db
c:\documents and settings\NetworkService\Application Data\clvbausz\Profiles\f5rl1g86.default\webappsstore.sqlite
c:\documents and settings\NetworkService\Application Data\clvbausz\Profiles\f5rl1g86.default\xpti.dat
c:\documents and settings\NetworkService\Local Settings\Application Data\clvbausz
c:\documents and settings\NetworkService\Local Settings\Application Data\clvbausz\Profiles\f5rl1g86.default\urlclassifier3.sqlite
c:\documents and settings\NetworkService\Local Settings\Application Data\clvbausz\Profiles\f5rl1g86.default\XPC.mfl
c:\windows\system32\219198
c:\windows\system32\sldlzwa.dll . . . . failed to delete
c:\windows\system32\uxadlnw.dll . . . . failed to delete
c:\windows\system32\wbbetsgq.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2009-04-13 to 2009-05-13 )))))))))))))))))))))))))))))))
.

2009-05-04 08:01 . 2009-05-04 08:04 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-04 08:01 . 2009-05-04 08:04 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-28 20:51 . 2009-04-28 22:32 -------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Move Networks
2009-04-27 05:30 . 2009-04-27 05:30 -------- d-----w c:\program files\Trend Micro
2009-04-14 23:14 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-14 23:14 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-14 23:14 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-14 23:14 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-14 23:14 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 23:14 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 23:13 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 23:13 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-14 23:13 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-14 23:13 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-14 23:13 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-11 19:19 . 2004-08-04 04:00 182912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-05-11 19:18 . 2004-08-04 04:00 143872 ----a-w c:\windows\system32\wbbetsgq.dll
2009-05-11 19:18 . 2004-08-04 04:00 103936 ----a-w c:\windows\system32\uxadlnw.dll
2009-04-17 06:20 . 2008-07-26 01:29 -------- d-----w c:\program files\CCleaner
2009-04-17 00:38 . 2008-07-26 02:20 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-12 01:00 . 2009-04-12 01:00 -------- d-----w c:\program files\Microsoft
2009-04-12 00:58 . 2006-02-18 17:11 -------- d-----w c:\program files\Java
2009-04-06 22:32 . 2008-07-26 02:20 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2008-07-26 02:20 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-09 12:19 . 2008-12-14 09:07 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-04 04:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2004-08-04 04:00 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 04:00 81920 ----a-w c:\windows\system32\ieencode.dll
2006-06-03 20:38 . 2006-06-03 20:38 22 --sha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-05-11_19.22.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-13 05:38 . 2009-05-13 05:38 16384 c:\windows\Temp\Perflib_Perfdata_80.dat
+ 2006-05-19 06:17 . 2009-05-07 07:16 24699336 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5E66B6AD-0D1C-46F4-B114-B2D2DF11D53D}]
2004-08-04 04:00 103936 ----a-w c:\windows\system32\sldlzwa.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 249856]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-02-18 180269]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"BigShot"="c:\program files\BigShot 2.1\BigShot.exe" [2004-06-22 139322]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2006-5-15 45056]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2006-2-18 36903]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2006-9-14 335872]
NETGEAR WG311v2 Smart Configuration.lnk - c:\program files\NETGEAR WG311v2 Adapter\wlancfg5.exe [2004-10-14 450560]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 bpnrtgoa;bpnrtgoa;c:\windows\system32\drivers\bpnrtgoa.sys [8/3/2004 9:00 PM 23424]
R1 ddint;ddint;c:\windows\system32\drivers\DDINT.sys [6/15/2006 5:57 PM 9198]
R2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [1/14/2009 5:53 PM 226656]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-12 22:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BigShot = "c:\program files\BigShot 2.1\BigShot.exe"?~p[?w?????????FB~??????????????????????G~@?W?h???k?B~????!???????????????????J????????????????$C~????1/??D?????B~8QW??????????????????MB~????????????8?3?d?????B~8QW???V?????????????????|???!NB~?????????????????????=@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Network\SharingHandler]
@DACL=(02 0000)
@="ntshrui.dll"

[HKEY_LOCAL_MACHINE\software\Classes\Network\Type]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\program files\Webshots\webshots.scr
.
**************************************************************************
.
Completion time: 2009-05-13 22:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-13 05:42
ComboFix2.txt 2009-05-11 19:26

Pre-Run: 81,644,335,104 bytes free
Post-Run: 81,658,089,472 bytes free

187 --- E O F --- 2009-05-12 22:06

----------------------------------------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.36
Database version: 2120
Windows 5.1.2600 Service Pack 3

5/12/2009 11:23:26 PM
mbam-log-2009-05-12 (23-23-26).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 172406
Time elapsed: 32 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5e66b6ad-0d1c-46f4-b114-b2d2df11d53d} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{5e66b6ad-0d1c-46f4-b114-b2d2df11d53d} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\o675.o675mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\o675.o675mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\sldlzwa.dll (Trojan.BHO.H) -> Delete on reboot.

#9 The Diver

Posted 13 May 2009 - 04:07 AM

I ran MBAM a second time and let it do its thing where it tries to get rid of the bad stuff on reboot. Still not getting a clean log. Here's the latest and greatest.

Thank you again.

Amy


Malwarebytes' Anti-Malware 1.36
Database version: 2120
Windows 5.1.2600 Service Pack 3

5/13/2009 12:06:32 AM
mbam-log-2009-05-13 (00-06-32).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 172438
Time elapsed: 31 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5e66b6ad-0d1c-46f4-b114-b2d2df11d53d} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{5e66b6ad-0d1c-46f4-b114-b2d2df11d53d} (Trojan.BHO.H) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\sldlzwa.dll (Trojan.BHO.H) -> Delete on reboot.
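
What the two MBAM logs above show, pulled out as an added example (code written for this page, not Malwarebytes' own and not part of the thread): every item marked "Delete on reboot" is one MBAM could not remove while it was in use, so it was left for a scheduled delete at the next restart. Parsing both logs and matching the reported objects shows the same two BHO CLSID keys and sldlzwa.dll coming back after the reboot, which means the pending delete never took and running the scanner again will not change the outcome. The log text embedded below is copied from the posts above with the summary headers trimmed; the third, clean log has the shape of the one posted further down the thread.

```python
"""Parse Malwarebytes' Anti-Malware 1.x logs and find detections that
survive from one scan to the next.  Added example for this thread, not
Malwarebytes' code.  LOG_1/LOG_2/LOG_3 are the detail sections of the
logs posted in the thread, summary headers trimmed.
"""
import re
from dataclasses import dataclass

# Section headings as MBAM 1.x prints them in the detail part of a log.
_SECTIONS = {
    "Memory Processes Infected:", "Memory Modules Infected:",
    "Registry Keys Infected:", "Registry Values Infected:",
    "Registry Data Items Infected:", "Folders Infected:", "Files Infected:",
}
# "<item> (<threat>) -> <action>."
_DETECTION = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass(frozen=True)
class Detection:
    section: str
    item: str
    threat: str
    action: str

    @property
    def key(self) -> str:
        # Registry and NTFS paths are case-insensitive; normalise so the
        # same object reported by two scans compares equal.
        return f"{self.section}|{self.item.lower()}"


def parse_mbam_log(text: str) -> list[Detection]:
    """Every detection in the detail sections.  Summary lines such as
    "Registry Keys Infected: 4" carry a count, never match a heading
    exactly, and are skipped."""
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in _SECTIONS:
            section = line[:-1]
            continue
        if section is None or not line or line.startswith("("):
            continue  # blank line or "(No malicious items detected)"
        m = _DETECTION.match(line)
        if m:
            found.append(Detection(section, m["item"], m["threat"], m["action"]))
    return found


def pending_reboot(dets: list[Detection]) -> list[Detection]:
    """Items MBAM could not remove live and scheduled for deletion at reboot."""
    return [d for d in dets if d.action.lower().startswith("delete on reboot")]


def survived(previous: list[Detection], current: list[Detection]) -> list[Detection]:
    """Reboot-scheduled deletions from `previous` that `current` reports
    again.  The pending delete did not take: stop re-running the scanner
    and look for what recreates the objects (a driver, a BHO that reloads
    the DLL) instead."""
    still_there = {d.key for d in current}
    return [d for d in pending_reboot(previous) if d.key in still_there]


LOG_1 = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5e66b6ad-0d1c-46f4-b114-b2d2df11d53d} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{5e66b6ad-0d1c-46f4-b114-b2d2df11d53d} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\o675.o675mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\o675.o675mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\sldlzwa.dll (Trojan.BHO.H) -> Delete on reboot.
"""
LOG_2 = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5e66b6ad-0d1c-46f4-b114-b2d2df11d53d} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{5e66b6ad-0d1c-46f4-b114-b2d2df11d53d} (Trojan.BHO.H) -> Delete on reboot.

Files Infected:
c:\WINDOWS\system32\sldlzwa.dll (Trojan.BHO.H) -> Delete on reboot.
"""
LOG_3 = r"""
Registry Keys Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
"""

if __name__ == "__main__":
    first, second, third = (parse_mbam_log(t) for t in (LOG_1, LOG_2, LOG_3))
    for d in survived(first, second):
        print("still present after the scheduled reboot delete:", d.item)
    print("carried into the clean scan:", len(survived(second, third)))
```

Run as a script it lists the two CLSID keys and sldlzwa.dll as survivors between the first two logs and 0 for the clean one; `survived()` works the same way on any pair of consecutive MBAM 1.x logs, and the `key` normalisation is what keeps a registry path reported in different case from being counted as a new finding.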

#10 Baabiouz (Finnish Malware Fighter)

Posted 13 May 2009 - 10:00 AM

Hello

Please click your Start button, then click on Run and type in the following without the quotes: "notepad". Then copy (Ctrl C) and paste (Ctrl V) the following text in the codebox:
File::
c:\windows\system32\sldlzwa.dll
c:\windows\system32\uxadlnw.dll
c:\windows\system32\wbbetsgq.dll
c:\windows\system32\drivers\bpnrtgoa.sys

Service::
bpnrtgoa

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5E66B6AD-0D1C-46F4-B114-B2D2DF11D53D}]


Save this as CFScript.txt

Posted Image

Referring to the picture above, drag CFScript.txt onto ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

#11 The Diver

Posted 13 May 2009 - 06:42 PM

ComboFix 09-05-13.02 - Compaq_Owner 05/13/2009 16:33.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.154 [GMT -7:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt

FILE ::
c:\windows\system32\drivers\bpnrtgoa.sys
c:\windows\system32\sldlzwa.dll
c:\windows\system32\uxadlnw.dll
c:\windows\system32\wbbetsgq.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Compaq_Owner\Local Settings\temp\IadHide5.dll
c:\windows\system32\drivers\bpnrtgoa.sys
c:\windows\system32\sldlzwa.dll
c:\windows\system32\uxadlnw.dll
c:\windows\system32\wbbetsgq.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_bpnrtgoa
-------\Service_bpnrtgoa


((((((((((((((((((((((((( Files Created from 2009-04-13 to 2009-05-13 )))))))))))))))))))))))))))))))
.

2009-05-04 08:01 . 2009-05-04 08:04 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-04 08:01 . 2009-05-04 08:04 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-28 20:51 . 2009-04-28 22:32 -------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Move Networks
2009-04-27 05:30 . 2009-04-27 05:30 -------- d-----w c:\program files\Trend Micro
2009-04-14 23:14 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-14 23:14 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-14 23:14 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-14 23:14 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-14 23:14 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 23:14 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 23:13 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 23:13 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-14 23:13 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-14 23:13 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-14 23:13 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-13 23:33 . 2004-08-04 04:00 23424 ----a-w c:\windows\system32\drivers\jaboceuk.sys
2009-05-11 19:19 . 2004-08-04 04:00 182912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-17 06:20 . 2008-07-26 01:29 -------- d-----w c:\program files\CCleaner
2009-04-17 00:38 . 2008-07-26 02:20 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-12 01:00 . 2009-04-12 01:00 -------- d-----w c:\program files\Microsoft
2009-04-12 00:58 . 2006-02-18 17:11 -------- d-----w c:\program files\Java
2009-04-06 22:32 . 2008-07-26 02:20 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2008-07-26 02:20 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-09 12:19 . 2008-12-14 09:07 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-04 04:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2004-08-04 04:00 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 04:00 81920 ----a-w c:\windows\system32\ieencode.dll
2006-06-03 20:38 . 2006-06-03 20:38 22 --sha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-05-11_19.22.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-13 23:36 . 2009-05-13 23:36 16384 c:\windows\Temp\Perflib_Perfdata_7f8.dat
+ 2006-05-19 06:17 . 2009-05-07 07:16 24699336 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 249856]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-02-18 180269]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"BigShot"="c:\program files\BigShot 2.1\BigShot.exe" [2004-06-22 139322]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2006-5-15 45056]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2006-2-18 36903]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2006-9-14 335872]
NETGEAR WG311v2 Smart Configuration.lnk - c:\program files\NETGEAR WG311v2 Adapter\wlancfg5.exe [2004-10-14 450560]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 ddint;ddint;c:\windows\system32\drivers\DDINT.sys [6/15/2006 5:57 PM 9198]
R2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [1/14/2009 5:53 PM 226656]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - BPNRTGOA
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-13 16:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BigShot = "c:\program files\BigShot 2.1\BigShot.exe"?~p[?w?????????FB~??????????????????????G~@?W?h???k?B~????!???????????????????J????????????????$C~????1/??D?????B~8QW??????????????????MB~????????????8?3?d?????B~8QW???V?????????????????|???!NB~?????????????????????=@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Network\SharingHandler]
@DACL=(02 0000)
@="ntshrui.dll"

[HKEY_LOCAL_MACHINE\software\Classes\Network\Type]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\program files\Webshots\webshots.scr
.
**************************************************************************
.
Completion time: 2009-05-13 16:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-13 23:40
ComboFix2.txt 2009-05-11 19:26

Pre-Run: 81,668,599,808 bytes free
Post-Run: 81,659,043,840 bytes free

150 --- E O F --- 2009-05-12 22:06
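
Two things in the Find3M sections of the ComboFix logs above are easier to pull out with a script than by eye, so here is an added example (code written for this page, not ComboFix's own and not part of the thread). First, wbbetsgq.dll and uxadlnw.dll in the earlier log, and the fresh jaboceuk.sys in this one, all carry the creation stamp 2004-08-04 04:00 that the genuine Windows XP files in the same listing (ndis.sys, pdh.dll, wininet.dll) share, while their modification times are days or minutes old. Second, diffing the two listings shows exactly what changed between runs: the two DLLs are gone and a new driver with a random name appeared, which is what the `*NewlyCreated* - BPNRTGOA` line hints at. The listings below are copied from the two logs; the heuristic, its 7-day window and the function names are this example's own assumptions.

```python
"""Triage the Find3M section of a ComboFix log: flag files that carry the
creation stamp of the OS base install but were written days ago, and diff
two listings to see what appeared or vanished between runs.  Added example
for this thread, not ComboFix's code; the listings are the two Find3M
sections posted in the thread, the 7-day window and names are assumptions.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Find3M line: "<modified> . <created> <size or dashes> <attrs> <path>"
_LINE = re.compile(
    r"^(?P<mod>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<cre>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)
_TS = "%Y-%m-%d %H:%M"


def parse_find3m(text: str) -> list[dict]:
    """One dict per entry; lines that are not Find3M entries are ignored."""
    rows = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            rows.append({
                "modified": datetime.strptime(m["mod"], _TS),
                "created": datetime.strptime(m["cre"], _TS),
                "size": None if m["size"].startswith("-") else int(m["size"]),
                "is_dir": m["attrs"].startswith("d"),
                "path": m["path"],
            })
    return rows


def cloned_timestamp_candidates(rows: list[dict], report_time: str,
                                recent_days: int = 7) -> list[str]:
    """Paths of files created at the listing's most common creation stamp
    (here 2004-08-04 04:00, shared by the real XP files) yet modified within
    `recent_days` of `report_time`.  `report_time` must be in the listing's
    zone: these stamps are UTC (the run started 16:33 at GMT -7 and the new
    driver is stamped 23:33).  A genuine file patched in the same window
    lands here too (ndis.sys does), so verify hits against dllcache or a
    known-good hash; these are candidates, not verdicts."""
    files = [r for r in rows if not r["is_dir"]]
    base, _ = Counter(r["created"] for r in files).most_common(1)[0]
    cutoff = datetime.strptime(report_time, _TS) - timedelta(days=recent_days)
    return [r["path"] for r in files
            if r["created"] == base and r["modified"] >= cutoff]


def diff_paths(before: list[dict], after: list[dict]) -> tuple[set, set]:
    """(appeared, vanished): paths present in only one of two listings."""
    b = {r["path"].lower() for r in before}
    a = {r["path"].lower() for r in after}
    return a - b, b - a


FIND3M_BEFORE = r"""
2009-05-11 19:19 . 2004-08-04 04:00 182912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-05-11 19:18 . 2004-08-04 04:00 143872 ----a-w c:\windows\system32\wbbetsgq.dll
2009-05-11 19:18 . 2004-08-04 04:00 103936 ----a-w c:\windows\system32\uxadlnw.dll
2009-04-17 06:20 . 2008-07-26 01:29 -------- d-----w c:\program files\CCleaner
2009-04-17 00:38 . 2008-07-26 02:20 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-12 01:00 . 2009-04-12 01:00 -------- d-----w c:\program files\Microsoft
2009-04-12 00:58 . 2006-02-18 17:11 -------- d-----w c:\program files\Java
2009-04-06 22:32 . 2008-07-26 02:20 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2008-07-26 02:20 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-09 12:19 . 2008-12-14 09:07 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-04 04:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2004-08-04 04:00 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 04:00 81920 ----a-w c:\windows\system32\ieencode.dll
2006-06-03 20:38 . 2006-06-03 20:38 22 --sha-w c:\windows\SMINST\HPCD.sys
"""
FIND3M_AFTER = r"""
2009-05-13 23:33 . 2004-08-04 04:00 23424 ----a-w c:\windows\system32\drivers\jaboceuk.sys
2009-05-11 19:19 . 2004-08-04 04:00 182912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-17 06:20 . 2008-07-26 01:29 -------- d-----w c:\program files\CCleaner
2009-04-17 00:38 . 2008-07-26 02:20 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-12 01:00 . 2009-04-12 01:00 -------- d-----w c:\program files\Microsoft
2009-04-12 00:58 . 2006-02-18 17:11 -------- d-----w c:\program files\Java
2009-04-06 22:32 . 2008-07-26 02:20 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2008-07-26 02:20 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-09 12:19 . 2008-12-14 09:07 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-04 04:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2004-08-04 04:00 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 04:00 81920 ----a-w c:\windows\system32\ieencode.dll
2006-06-03 20:38 . 2006-06-03 20:38 22 --sha-w c:\windows\SMINST\HPCD.sys
"""

if __name__ == "__main__":
    before, after = parse_find3m(FIND3M_BEFORE), parse_find3m(FIND3M_AFTER)
    print("candidates:", cloned_timestamp_candidates(after, "2009-05-13 23:40"))
    print("appeared / vanished:", diff_paths(before, after))
```

On the second listing the candidate list is jaboceuk.sys and ndis.sys, and the diff reports jaboceuk.sys as appeared and wbbetsgq.dll plus uxadlnw.dll as vanished. The 23424-byte driver that appeared has the same size as the bpnrtgoa.sys removed by the CFScript, which is the kind of detail worth noting when the next post asks to delete it; ndis.sys shows up only because it was also written on 2009-05-11, and the point of the heuristic is to hand you a short list to check, not to decide for you.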

#12 The Diver

Posted 13 May 2009 - 07:28 PM

You rock! MBAM clean.


Malwarebytes' Anti-Malware 1.36
Database version: 2120
Windows 5.1.2600 Service Pack 3

5/13/2009 5:27:35 PM
mbam-log-2009-05-13 (17-27-35).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 172741
Time elapsed: 28 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 Baabiouz

Posted 14 May 2009 - 08:30 AM

Hello

Great work :)

View Hidden Files & Folders Windows XP
To view Hidden Files & Folders do the following:
Click Start
Open My Computer
Select the Tools menu and click Folder Options
Select the View Tab
Under the Hidden files and folders heading select Show hidden files and folders
Uncheck the Hide protected operating system files (recommended) option
Click Yes to confirm
Click OK

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

c:\windows\system32\drivers\jaboceuk.sys

Then empty your trash bin.

Let's run one scanner so we can make sure your computer is clean.

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post the Kaspersky results and tell me how your PC is working now.

#14 The Diver

Posted 17 May 2009 - 05:29 PM

Sorry for the delay. I removed c:\windows\system32\drivers\jaboceuk.sys as that file was there.

I did a Kaspersky scan and it still found a few problems. Looks like these two are the main culprits.

C:\Qoobox\Quarantine\C\WINDOWS\system32\_wbbetsgq_.dll.zip Infected: Trojan-Clicker.Win32.Delf.cbe 1

C:\Qoobox\Quarantine\[4]-SUBMIT_2009-05-13_16.33.12.ZIP Infected: Trojan.Win32.BHO.ext 1

Thank you!

Amy


KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, May 17, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, May 17, 2009 18:37:34
Records in database: 2188594


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\

Scan statistics
Files scanned 99051
Threat name 3
Infected objects 8
Suspicious objects 0
Duration of the scan 02:11:31

File name Threat name Threats count
C:\hp\bin\wbug\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2

C:\Qoobox\Quarantine\C\WINDOWS\system32\_wbbetsgq_.dll.zip Infected: Trojan-Clicker.Win32.Delf.cbe 1

C:\Qoobox\Quarantine\[4]-SUBMIT_2009-05-13_16.33.12.ZIP Infected: Trojan.Win32.BHO.ext 1

D:\I386\APPS\APP00195\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2

D:\I386\APPS\APP00195\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2

The selected area was scanned.

#15 Baabiouz

Posted 17 May 2009 - 10:38 PM

hello

Those are ComboFix backups and they can be removed. They will be removed when we remove the used tools... I will give the instructions for that when your computer is clean.

Please remove these files:

D:\I386\APPS\APP00195\src\CompaqPresario_Spring06.exe

D:\I386\APPS\APP00195\src\HPPavillion_Spring06.exe

How's your Computer working now?

Edited by Baabiouz, 17 May 2009 - 10:38 PM.
