Cannot update Spybot Software,Virtumonde, Win32.tdss.rtk + more


This topic is locked
8 replies to this topic

#1 energiz20

  • Members
  • 9 posts

Posted 30 April 2009 - 01:27 PM

Hi anyone kind enough to be reading this,

My computer seems to be experiencing all types of different problems. Amongst them are:

- inability to update spyware software (Spybot showed a floating point error)
- changes to the desktop appearances (eg icon label background colours)
- random anti spyware pop ups (this never occurred until quite recently)
- slowing down and in some cases the inability to view content on some websites such as megavideo (problems increased after an attempt to view)

So far the names that I was aware of were Virtumonde and Win32.tdss.rtk. However now I'm sure there is much more.

Below is my DDS scan result



DDS (Ver_09-03-16.01) - NTFSx86
Run by Adrian at 4:06:36.87 on Fri 01/05/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.554 [GMT 10:00]


============== Running Processes ===============

D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
svchost.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Canon\CAL\CALMAIN.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\userinit.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\MSN Messenger\usnsvc.exe
D:\Documents and Settings\Adrian\Desktop\dds.scr

============== Pseudo HJT Report ===============

EB: DF Bar: {67fcef90-073e-11de-8c30-0800200c9a66} - %SystemRoot%\system32\shdocvw.dll
uRun: [msnmsgr] "d:\program files\msn messenger\msnmsgr.exe" /background
uRun: [SpybotSD TeaTimer] d:\program files\spybot - search & destroy\TeaTimer.exe
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
LSP: d:\windows\temp\ntdll64.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - d:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - d:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - d:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli d:\windows\system32\yetawila.dll

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\adrian\applic~1\mozilla\firefox\profiles\onksuo3k.default\
FF - component: d:\program files\mozilla firefox\components\WWShow.dll
FF - plugin: d:\program files\mozilla firefox\plugins\npvlc.dll
FF - plugin: d:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll

============= SERVICES / DRIVERS ===============

R0 Achernar;Achernar - SCSI Command Filters;d:\windows\system32\drivers\Achernar.sys [2006-12-10 16855]
R1 sasdifsv;SASDIFSV;d:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 saskutil;SASKUTIL;d:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R1 start1driver;start1driver;d:\windows\system32\drivers\Start1Driver.SYS [2009-4-30 5120]
R2 zrpacinr;zrpacinr;c:\program files\common files\microsoft shared\msinfo\zrpacinr.sys [2009-3-17 7680]
R3 Aldebaran;Aldebaran - SCSI Command Filters;d:\windows\system32\drivers\Aldebaran.sys [2006-12-10 21808]
R3 AUD;DTV-DVB 3054 Analog Audio Capture;d:\windows\system32\drivers\3054AudCap.sys [2006-8-9 10240]
R3 CXAVSTS;DTV-DVB 3054 Digital TS Capture;d:\windows\system32\drivers\3054BDACap.sys [2006-8-9 18560]
R3 EuMusDesignVirtualAudioCableWdm_s2x;Sound2x Audio Cable (WDM);d:\windows\system32\drivers\vacs2xkd.sys [2008-10-4 42880]
R3 THAVXBar;DTV-DVB 3054 Analog AVStream Crossbar;d:\windows\system32\drivers\3054AVXBar.sys [2006-8-9 10496]
R3 THBDATUNE;DTV-DVB 3054 Digital Tuner/Demod;d:\windows\system32\drivers\3054BDATune.sys [2006-8-9 110592]
R3 THIR;DTV-DVB 3054 IR Decoder;d:\windows\system32\drivers\3054IR.sys [2006-8-9 17408]
R3 THTUNE;DTV-DVB 3054 Analog Tuner;d:\windows\system32\drivers\3054Tune.sys [2006-8-9 33408]
S3 ASPI;Advanced SCSI Programming Interface Driver;d:\windows\system32\drivers\ASPI32.SYS [2008-10-4 16512]
S3 FilterService2;Canon BJ Hid Usb Filter Service2;d:\windows\system32\drivers\bjhid2.sys [2006-8-15 6528]
S3 sasenum;SASENUM;d:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]

=============== Created Last 30 ================

2009-05-01 03:49 439 a------- d:\windows\system32\win32hlp.cnf
2009-05-01 03:48 1,400 a------- d:\windows\system32\ahtn.htm
2009-05-01 03:48 4,785 a------- d:\windows\system32\warning.gif
2009-05-01 03:48 1 a------- d:\windows\system32\uniq.tll
2009-05-01 03:48 28,672 a------- d:\windows\system32\frmwrk32.exe
2009-05-01 03:48 28,672 a------- d:\windows\system32\loader49.exe
2009-05-01 03:48 531 a------- d:\windows\system32\lmppcsetup.exe
2009-04-30 09:11 545 a------- d:\windows\UC.PIF
2009-04-30 09:11 545 a------- d:\windows\RAR.PIF
2009-04-30 09:11 545 a------- d:\windows\PKZIP.PIF
2009-04-30 09:11 545 a------- d:\windows\PKUNZIP.PIF
2009-04-30 09:11 545 a------- d:\windows\NOCLOSE.PIF
2009-04-30 09:11 545 a------- d:\windows\LHA.PIF
2009-04-30 09:11 545 a------- d:\windows\ARJ.PIF
2009-04-30 07:57 5,120 a------- d:\windows\system32\drivers\Start1Driver.SYS
2009-04-30 07:57 256 a------- d:\windows\adaway.lic
2009-04-30 07:18 31,928 a------- d:\windows\system32\rrMon.sys
2009-04-30 07:18 <DIR> --d----- d:\program files\Registrar Registry Manager
2009-04-30 04:20 409 a------- d:\windows\wininit.ini
2009-04-30 03:35 <DIR> --d----- d:\program files\Spybot - Search & Destroy
2009-04-30 03:35 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-30 03:34 15,000 a------- d:\windows\system32\yhs783ijfo3fe.dll
2009-04-30 03:28 <DIR> --d----- d:\docume~1\adrian\applic~1\Twain
2009-04-30 03:17 182,911 a------- d:\windows\system32\prnet.tmp
2009-04-21 02:29 <DIR> --d----- d:\docume~1\adrian\applic~1\Malwarebytes
2009-04-21 02:29 15,504 a------- d:\windows\system32\drivers\mbam.sys
2009-04-21 02:29 38,496 a------- d:\windows\system32\drivers\mbamswissarmy.sys
2009-04-21 02:29 <DIR> --d----- d:\program files\Malwarebytes' Anti-Malware
2009-04-21 02:29 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-20 19:51 <DIR> --d----- d:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-20 19:51 <DIR> --d----- d:\program files\SUPERAntiSpyware
2009-04-20 19:51 <DIR> --d----- d:\docume~1\adrian\applic~1\SUPERAntiSpyware.com
2009-04-20 19:51 <DIR> --d----- d:\program files\common files\Wise Installation Wizard
2009-04-20 19:16 <DIR> --d----- d:\windows\pss
2009-04-20 18:30 47 a------- d:\windows\system32\09wutili.sys
2009-04-20 18:12 <DIR> --d----- d:\program files\Trend Micro
2009-04-20 17:40 95,356 a------- d:\windows\system32\drivers\f67217e1.sys
2009-04-11 05:14 <DIR> --d----- d:\docume~1\adrian\applic~1\ChessBase
2009-04-10 18:53 <DIR> --d----- d:\docume~1\alluse~1\applic~1\ChessBase
2009-04-10 18:48 <DIR> --d----- d:\program files\ChessBase
2009-04-10 11:00 <DIR> --d----- d:\windows\system32\CatRoot_bak
2009-04-10 10:57 272,128 -c------ d:\windows\system32\dllcache\bthport.sys
2009-04-10 10:57 272,128 -------- d:\windows\system32\drivers\bthport.sys
2009-04-10 10:46 459,264 -c------ d:\windows\system32\dllcache\msfeeds.dll
2009-04-10 10:46 268,288 -c------ d:\windows\system32\dllcache\iertutil.dll
2009-04-10 10:46 63,488 -c------ d:\windows\system32\dllcache\icardie.dll
2009-04-10 10:46 52,224 -c------ d:\windows\system32\dllcache\msfeedsbs.dll
2009-04-10 10:46 13,824 -c------ d:\windows\system32\dllcache\ieudinit.exe
2009-04-10 10:46 2,455,488 -c------ d:\windows\system32\dllcache\ieapfltr.dat
2009-04-10 10:46 991,232 -c------ d:\windows\system32\dllcache\ieframe.dll.mui
2009-04-10 10:46 383,488 -c------ d:\windows\system32\dllcache\ieapfltr.dll
2009-04-10 10:46 6,066,176 -c------ d:\windows\system32\dllcache\ieframe.dll
2009-04-10 10:37 31,768 a------- d:\windows\system32\wucltui.dll.mui
2009-04-10 10:37 18,456 a------- d:\windows\system32\wuaueng.dll.mui
2009-04-10 10:37 23,576 a------- d:\windows\system32\wuaucpl.cpl.mui
2009-04-10 10:37 23,576 a------- d:\windows\system32\wuapi.dll.mui

==================== Find3M ====================

2009-05-01 03:48 104,960 a------- d:\windows\system32\userinit.exe
2009-04-30 03:17 51,200 a--sh--- d:\windows\system32\lujegifu.exe
2009-04-20 17:46 182,912 ac------ d:\windows\system32\drivers\ndis.sys
2009-03-07 00:44 283,648 a------- d:\windows\system32\pdh.dll
2009-03-03 10:18 826,368 a------- d:\windows\system32\wininet.dll
2009-02-21 04:09 78,336 a------- d:\windows\system32\ieencode.dll
2009-02-09 20:20 723,456 a------- d:\windows\system32\lsasrv.dll
2009-02-09 20:20 399,360 a------- d:\windows\system32\rpcss.dll
2009-02-09 20:20 714,752 a------- d:\windows\system32\ntdll.dll
2009-02-09 20:20 616,960 a------- d:\windows\system32\advapi32.dll
2009-02-09 20:19 1,846,272 a------- d:\windows\system32\win32k.sys
2009-02-07 03:22 2,136,064 a------- d:\windows\system32\ntoskrnl.exe
2009-02-07 03:14 110,592 a------- d:\windows\system32\services.exe
2009-02-07 02:54 35,328 a------- d:\windows\system32\sc.exe
2009-02-07 02:49 2,015,744 a------- d:\windows\system32\ntkrnlpa.exe
2009-02-04 06:08 55,808 a------- d:\windows\system32\secur32.dll
2006-10-05 00:50 24,112 ac------ d:\docume~1\adrian\applic~1\GDIPFONTCACHEV1.DAT
2004-10-01 15:00 40,960 a------- d:\program files\Uninstall_CDS.exe
2006-05-03 20:06 163,328 ---shr-- d:\windows\system32\flvDX.dll
2007-02-21 21:47 31,232 ---shr-- d:\windows\system32\msfDX.dll
2008-03-16 23:30 216,064 ---shr-- d:\windows\system32\nbDX.dll

============= FINISH: 4:07:10.06 ===============

I'd be really grateful for any help with these problems. Thank you in advance guys!
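The DDS "Pseudo HJT Report" above contains the three lines a helper reads first: the Winsock LSP pointing into d:\windows\temp, the LSA Notification Packages value carrying a second DLL beside scecli, and the DisableTaskMgr policy. The following is an added example, not part of this post, of DDS, or of BleepingComputer's tools, that runs those checks over a constructed copy of the report lines; the heuristics, watch-lists and finding labels are this example's own assumptions:

```python
"""Triage checks over DDS 'Pseudo HJT Report' lines.

Added example, not part of the post or of DDS: the report format is taken
from the log above, the heuristics and finding labels are this example's own.
"""
import re
from pathlib import PureWindowsPath
from typing import List, Tuple

# Constructed sample: a subset of the Pseudo HJT Report lines posted above.
SAMPLE_REPORT = r"""
uRun: [msnmsgr] "d:\program files\msn messenger\msnmsgr.exe" /background
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
LSP: d:\windows\temp\ntdll64.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli d:\windows\system32\yetawila.dll
"""

LSP_RE = re.compile(r"^LSP:\s+(.+)$")
LSA_RE = re.compile(r"^LSA:\s+Notification Packages\s*=\s*(.+)$")
POLICY_RE = re.compile(r"^([umd])Policies-(\w+):\s+(\w+)\s*=\s*(\d+)")

TEMP_DIRS = {"temp", "tmp"}              # a Winsock LSP has no business living here
EXPECTED_LSA_PACKAGES = {"scecli"}       # the only package a stock XP install lists
RESTRICTIVE_POLICIES = {"DisableTaskMgr", "DisableRegistryTools"}  # assumed watch-list


def in_temp_dir(path: str) -> bool:
    """True when any directory component of a Windows path is temp/tmp."""
    parts = [p.lower() for p in PureWindowsPath(path).parts[:-1]]
    return any(p in TEMP_DIRS for p in parts)


def triage(report: str) -> List[Tuple[str, str]]:
    """Return (label, detail) findings in the order the lines appear."""
    findings = []
    for line in report.splitlines():
        line = line.strip()
        m = LSP_RE.match(line)
        if m:
            dll = m.group(1).strip()
            if in_temp_dir(dll):
                findings.append(("lsp-temp-dir", dll))
            continue
        m = LSA_RE.match(line)
        if m:
            # DDS joins the packages with spaces; a path containing spaces would
            # need the raw REG_MULTI_SZ, which this report does not print.
            for pkg in m.group(1).split():
                if pkg.lower() not in EXPECTED_LSA_PACKAGES:
                    findings.append(("lsa-extra-package", pkg))
            continue
        m = POLICY_RE.match(line)
        if m:
            scope, hive_key, name, value = m.groups()
            if name in RESTRICTIVE_POLICIES and value != "0":
                findings.append(("restrictive-policy", f"{scope}:{hive_key}:{name}={value}"))
    return findings


if __name__ == "__main__":
    for label, detail in triage(SAMPLE_REPORT):
        print(f"{label:22} {detail}")
```

The NoSetActiveDesktop policy and the SSODL entry pass through without a finding, which is the point of keeping the watch-lists explicit: the script reports the entries that match a known persistence or lock-out pattern and leaves the rest for a human to read.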

#2 fenzodahl512

  • Members
  • 6,738 posts

Posted 30 April 2009 - 02:59 PM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.
  • Link 1
  • Link 2
  • Link 3
Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asked you to install Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 energiz20

  • Topic Starter
  • Members
  • 9 posts

Posted 01 May 2009 - 02:10 PM

Hello,

thank you for the very quick response.

I did not have a windows xp disc at my disposal (waiting for my cousin to drop that off) but I was still able to follow the rest of your instructions. At first the windows system bar had disappeared but now it is back.

The ComboFix log is as follows:

ComboFix 09-05-01.1 - Adrian 02/05/2009 4:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.763 [GMT 10:00]
Running from: d:\documents and settings\Adrian\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\docume~1\Adrian\LOCALS~1\Temp\mousehook.dll
d:\docume~1\Adrian\LOCALS~1\Temp\ntdll64.dll
d:\documents and settings\Administrator\Local Settings\Temporary Internet Files\Cpvff.stt
d:\documents and settings\Adrian\Local Settings\Temporary Internet Files\bestwiner.stt
d:\documents and settings\Adrian\Local Settings\Temporary Internet Files\CPV.stt
d:\documents and settings\Adrian\Local Settings\Temporary Internet Files\Cpvff.stt
d:\documents and settings\Adrian\Local Settings\Temporary Internet Files\fbk.sts
d:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
d:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
d:\documents and settings\Remy\Local Settings\Temporary Internet Files\Cpvff.stt
d:\windows\adaway.lic
d:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Cpvff.stt
d:\windows\system32\drivers\ovfsthojuhpusahnfmoobhyeiayinomnaqfvtd.sys
d:\windows\system32\lmppcsetup.exe
d:\windows\system32\loader49.exe
d:\windows\system32\lujegifu.exe
d:\windows\system32\ovfsthckymjanlthevmgresewbyodsydsklutw.dll
d:\windows\system32\ovfsthhvtpwxhquswrqpuljanavggqlxquvlwn.dll
d:\windows\system32\ovfsthlyosrpmkktbrfanibknlkjonoribhprx.dat
d:\windows\system32\ovfsthsbjawjtcrqdnhfbcfrsrvrovcdmxrpdt.dll
d:\windows\system32\ovfsthsqtadlahattkdjprdbxlcphbnnjuebiy.dat
d:\windows\system32\prnet.tmp
d:\windows\system32\win32hlp.cnf
d:\windows\system32\yhs783ijfo3fe.dll
d:\windows\TEMP\ntdll64.dll

----- BITS: Possible infected sites -----

hxxp://sunmicro.ht.rd.llnw.net
Infected copy of d:\windows\system32\userinit.exe was found and disinfected
Restored copy from - d:\windows\system32\init32.exe


Infected copy of d:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - The cat ate it :thumbup2:

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthbtwyvrdfqmnatbuevusxbvbsuibiwbmc


((((((((((((((((((((((((( Files Created from 2009-04-01 to 2009-05-01 )))))))))))))))))))))))))))))))
.

2009-04-30 17:52 . 2009-04-30 17:52 -------- d-----w d:\windows\system32\config\systemprofile\Local Settings\Application Data\Mozilla
2009-04-29 23:11 . 2008-08-07 21:04 545 ----a-w d:\windows\LHA.PIF
2009-04-29 23:11 . 2008-08-07 21:04 545 ----a-w d:\windows\NOCLOSE.PIF
2009-04-29 23:11 . 2008-08-07 21:04 545 ----a-w d:\windows\PKUNZIP.PIF
2009-04-29 23:11 . 2008-08-07 21:04 545 ----a-w d:\windows\PKZIP.PIF
2009-04-29 23:11 . 2008-08-07 21:04 545 ----a-w d:\windows\RAR.PIF
2009-04-29 23:11 . 2008-08-07 21:04 545 ----a-w d:\windows\UC.PIF
2009-04-29 23:11 . 2008-08-07 21:04 545 ----a-w d:\windows\ARJ.PIF
2009-04-29 21:57 . 2009-03-13 20:48 5120 ----a-w d:\windows\system32\drivers\Start1Driver.SYS
2009-04-29 21:18 . 2009-01-20 02:52 31928 ----a-w d:\windows\system32\rrMon.sys
2009-04-29 21:18 . 2009-04-29 21:18 -------- d-----w d:\program files\Registrar Registry Manager
2009-04-29 18:21 . 2009-04-29 18:21 -------- d-----w d:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-29 17:35 . 2009-04-29 17:38 -------- d-----w d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-29 17:35 . 2009-04-29 17:38 -------- d-----w d:\program files\Spybot - Search & Destroy
2009-04-29 17:28 . 2009-04-29 17:41 -------- d-----w d:\documents and settings\Adrian\Application Data\Twain
2009-04-20 16:29 . 2009-04-20 16:29 -------- d-----w d:\documents and settings\Adrian\Application Data\Malwarebytes
2009-04-20 16:29 . 2009-04-06 05:32 15504 ----a-w d:\windows\system32\drivers\mbam.sys
2009-04-20 16:29 . 2009-04-06 05:32 38496 ----a-w d:\windows\system32\drivers\mbamswissarmy.sys
2009-04-20 16:29 . 2009-04-20 16:29 -------- d-----w d:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-20 16:29 . 2009-04-20 16:29 -------- d-----w d:\program files\Malwarebytes' Anti-Malware
2009-04-20 10:06 . 2009-04-20 10:06 -------- d-----w d:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-04-20 09:51 . 2009-04-20 09:51 -------- d-----w d:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-20 09:51 . 2009-04-23 04:43 -------- d-----w d:\program files\SUPERAntiSpyware
2009-04-20 09:51 . 2009-04-20 09:51 -------- d-----w d:\documents and settings\Adrian\Application Data\SUPERAntiSpyware.com
2009-04-20 09:51 . 2009-04-20 09:51 -------- d-----w d:\program files\Common Files\Wise Installation Wizard
2009-04-20 08:54 . 2009-04-20 08:54 -------- d-----w d:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-04-20 08:30 . 2009-04-20 08:31 47 ----a-w d:\windows\system32\09wutili.sys
2009-04-20 08:12 . 2009-04-20 08:12 -------- d-----w d:\program files\Trend Micro
2009-04-20 07:40 . 2009-05-01 18:57 95356 ----a-w d:\windows\system32\drivers\f67217e1.sys
2009-04-10 19:14 . 2009-04-10 19:21 -------- d-----w d:\documents and settings\Adrian\Application Data\ChessBase
2009-04-10 19:14 . 2009-04-10 19:14 -------- d-----w d:\documents and settings\Adrian\Local Settings\Application Data\ChessBase
2009-04-10 08:53 . 2009-04-10 08:53 -------- d-----w d:\documents and settings\All Users\Application Data\ChessBase
2009-04-10 08:50 . 2009-04-10 08:50 -------- d-----w d:\documents and settings\Remy\Local Settings\Application Data\ChessBase
2009-04-10 08:48 . 2009-04-17 09:29 -------- d-----w d:\documents and settings\Remy\Application Data\ChessBase
2009-04-10 08:48 . 2009-04-10 08:48 -------- d-----w d:\program files\ChessBase
2009-04-10 01:00 . 2009-04-10 01:20 -------- d-----w d:\windows\system32\CatRoot_bak
2009-04-10 00:57 . 2008-06-13 13:10 272128 -c----w d:\windows\system32\dllcache\bthport.sys
2009-04-10 00:57 . 2008-06-13 13:10 272128 ------w d:\windows\system32\drivers\bthport.sys
2009-04-10 00:46 . 2009-02-20 18:09 459264 -c----w d:\windows\system32\dllcache\msfeeds.dll
2009-04-10 00:46 . 2009-02-20 18:09 52224 -c----w d:\windows\system32\dllcache\msfeedsbs.dll
2009-04-10 00:46 . 2009-02-20 18:09 268288 -c----w d:\windows\system32\dllcache\iertutil.dll
2009-04-10 00:46 . 2009-02-20 18:09 63488 -c----w d:\windows\system32\dllcache\icardie.dll
2009-04-10 00:46 . 2009-02-20 10:20 13824 -c----w d:\windows\system32\dllcache\ieudinit.exe
2009-04-10 00:46 . 2009-02-20 18:09 383488 -c----w d:\windows\system32\dllcache\ieapfltr.dll
2009-04-10 00:46 . 2008-07-09 14:25 2455488 -c----w d:\windows\system32\dllcache\ieapfltr.dat
2009-04-10 00:46 . 2009-02-20 18:09 6066176 -c----w d:\windows\system32\dllcache\ieframe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-01 18:49 . 2004-08-04 12:00 182912 ----a-w d:\windows\system32\drivers\ndis.sys
2009-04-12 06:22 . 2006-08-09 09:43 26648 ----a-w d:\documents and settings\Remy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-10 19:15 . 2006-08-09 09:17 26648 -c--a-w d:\documents and settings\Adrian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-10 08:48 . 2006-08-09 10:48 -------- d--h--w d:\program files\InstallShield Installation Information
2009-04-03 04:26 . 2008-06-09 05:46 -------- d-----w d:\program files\FrostWire
2009-04-03 04:26 . 2007-03-11 08:55 -------- d-----w d:\program files\NetmarbleJP
2009-04-03 04:25 . 2006-08-15 07:56 -------- d-----w d:\program files\Canon
2009-03-24 16:04 . 2009-03-24 16:04 -------- d-----w d:\program files\MediaMonkey
2009-03-23 00:59 . 2009-03-23 00:58 -------- d-----w d:\program files\DVD Decrypter
2009-03-19 01:56 . 2009-03-19 01:56 -------- d-----w d:\program files\eRightSoft
2009-03-16 13:52 . 2009-03-16 13:52 -------- d-----w d:\program files\7-Zip
2009-03-16 03:50 . 2009-03-16 03:48 -------- d-----w d:\program files\SMPlayer
2009-03-06 14:44 . 2004-08-04 12:00 283648 ----a-w d:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w d:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w d:\windows\system32\ieencode.dll
2009-02-09 10:20 . 2004-08-04 12:00 723456 ----a-w d:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2004-08-04 12:00 399360 ----a-w d:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2004-08-04 12:00 714752 ----a-w d:\windows\system32\ntdll.dll
2009-02-09 10:20 . 2004-08-04 12:00 616960 ----a-w d:\windows\system32\advapi32.dll
2009-02-09 10:19 . 2004-08-04 12:00 1846272 ----a-w d:\windows\system32\win32k.sys
2009-02-06 17:22 . 2004-08-04 12:00 2136064 ----a-w d:\windows\system32\ntoskrnl.exe
2009-02-06 17:14 . 2004-08-04 12:00 110592 ----a-w d:\windows\system32\services.exe
2009-02-06 16:54 . 2004-08-04 12:00 35328 ----a-w d:\windows\system32\sc.exe
2009-02-06 16:49 . 2004-08-03 22:59 2015744 ----a-w d:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2004-08-04 12:00 55808 ----a-w d:\windows\system32\secur32.dll
2004-10-01 05:00 . 2006-08-09 10:48 40960 ----a-w d:\program files\Uninstall_CDS.exe
2006-05-06 16:42 . 2006-08-21 05:45 7260160 ----a-w d:\program files\mozilla firefox\plugins\libvlc.dll
2009-04-22 07:12 . 2009-04-22 07:12 90624 ----a-w d:\program files\mozilla firefox\components\WWShow.dll
2006-05-03 10:06 . 2009-03-16 03:59 163328 --sh--r d:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2009-03-19 01:56 31232 --sh--r d:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-03-19 01:56 216064 --sh--r d:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli d:\windows\system32\yetawila.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\StubInstaller.exe"=
"d:\\Program Files\\Azureus\\Azureus.exe"=
"d:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"d:\\Program Files\\MSN Messenger\\livecall.exe"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

R3 ASPI;Advanced SCSI Programming Interface Driver;d:\windows\System32\DRIVERS\ASPI32.sys [2002-07-16 16512]
R3 FilterService2;Canon BJ Hid Usb Filter Service2;d:\windows\system32\DRIVERS\bjhid2.sys [2003-06-17 6528]
R3 sasenum;sasenum;d:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S0 Achernar;Achernar - SCSI Command Filters;d:\windows\System32\Drivers\Achernar.sys [2004-02-11 16855]
S1 sasdifsv;sasdifsv;d:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 saskutil;saskutil;d:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S1 start1driver;start1driver; [x]
S2 zrpacinr;zrpacinr;c:\program files\Common Files\Microsoft Shared\MSInfo\zrpacinr.sys [2009-03-16 7680]
S3 Aldebaran;Aldebaran - SCSI Command Filters;d:\windows\System32\Drivers\Aldebaran.sys [2004-02-11 21808]
S3 AUD;DTV-DVB 3054 Analog Audio Capture;d:\windows\system32\DRIVERS\3054AudCap.sys [2005-12-15 10240]
S3 CXAVSTS;DTV-DVB 3054 Digital TS Capture;d:\windows\system32\drivers\3054BDACap.sys [2005-12-06 18560]
S3 EuMusDesignVirtualAudioCableWdm_s2x;Sound2x Audio Cable (WDM);d:\windows\system32\DRIVERS\vacs2xkd.sys [2007-11-01 42880]
S3 THAVXBar;DTV-DVB 3054 Analog AVStream Crossbar;d:\windows\system32\drivers\3054AVXBar.sys [2005-12-06 10496]
S3 THBDATUNE;DTV-DVB 3054 Digital Tuner/Demod;d:\windows\system32\drivers\3054BDATune.sys [2005-12-06 110592]
S3 THIR;DTV-DVB 3054 IR Decoder;d:\windows\system32\drivers\3054IR.sys [2005-12-06 17408]
S3 THTUNE;DTV-DVB 3054 Analog Tuner;d:\windows\system32\drivers\3054Tune.sys [2005-12-06 33408]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e20214e3-7872-11dd-91d1-000fea4b5d39}]
\Shell\AutoRun\command - G:\InstallTomTomHOME.exe
.
.
------- Supplementary Scan -------
.
LSP: d:\windows\TEMP\ntdll64.dll
FF - ProfilePath - d:\documents and settings\Adrian\Application Data\Mozilla\Firefox\Profiles\onksuo3k.default\
FF - component: d:\program files\Mozilla Firefox\components\WWShow.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npvlc.dll
FF - plugin: d:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-02 04:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4}\inprocserver32]
@DACL=(02 0000)
@="d:\\windows\\system32\\toniluwe.dll"
"ThreadingModel"="Both"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(540)
d:\windows\system32\imjp81.ime
d:\windows\system32\imjp81k.dll
d:\windows\IME\IMJP8_1\Dicts\IMJPCD.DIC

- - - - - - - > 'explorer.exe'(1960)
d:\windows\system32\imjp81.ime
d:\windows\system32\imjp81k.dll
d:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
d:\windows\IME\IMJP8_1\Dicts\IMJPCD.DIC
d:\windows\system32\mshtml.dll
d:\windows\system32\msls31.dll
d:\windows\system32\msimtf.dll
d:\windows\system32\MSCTF.dll
d:\windows\system32\WPDShServiceObj.dll
d:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
d:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
d:\program files\PC Connectivity Solution\ConnAPI.DLL
d:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
d:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
d:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
d:\windows\system32\PortableDeviceTypes.dll
d:\windows\system32\PortableDeviceApi.dll
d:\windows\system32\browselc.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\Ahead\InCD\InCDsrv.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\program files\Canon\CAL\CALMAIN.exe
d:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-01 5:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-01 18:59

Pre-Run: 80,104,902,656 bytes free
Post-Run: 82,410,991,616 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

240 --- E O F --- 2009-04-16 17:01

The HijackThis log is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:08:49 AM, on 2/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Canon\CAL\CALMAIN.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Adrian\Desktop\HiJackThis(2).exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O10 - Broken Internet access because of LSP provider 'd:\windows\temp\ntdll64.dll' missing
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - D:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - D:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 2122 bytes


I hope this helps!

#4 fenzodahl512

  • Members
  • 6,738 posts

Posted 01 May 2009 - 02:41 PM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
start1driver

File::
d:\windows\LHA.PIF
d:\windows\NOCLOSE.PIF
d:\windows\PKUNZIP.PIF
d:\windows\PKZIP.PIF
d:\windows\RAR.PIF
d:\windows\UC.PIF
d:\windows\ARJ.PIF
d:\windows\system32\drivers\Start1Driver.SYS
d:\windows\system32\09wutili.sys
d:\windows\system32\drivers\f67217e1.sys
d:\windows\system32\yetawila.dll
d:\windows\system32\toniluwe.dll

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4}\inprocserver32]

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e20214e3-7872-11dd-91d1-000fea4b5d39}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 energiz20

energiz20
  • Topic Starter
  • Members
  • 9 posts

Posted 01 May 2009 - 03:07 PM

Hi again,

I did as you said. However, after waiting 20 minutes for my system to reboot, I thought there was some kind of problem and pressed the reset button. Despite this, I still have the logs you requested. The system tray and icons are now back on my desktop, so some progress has been made!

The following is the ComboFix log

ComboFix 09-05-01.1 - Adrian 02/05/2009 5:51.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.604 [GMT 10:00]
Running from: d:\documents and settings\Adrian\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Adrian\Desktop\CFscript.txt
* Created a new restore point

FILE ::
d:\windows\ARJ.PIF
d:\windows\LHA.PIF
d:\windows\NOCLOSE.PIF
d:\windows\PKUNZIP.PIF
d:\windows\PKZIP.PIF
d:\windows\RAR.PIF
d:\windows\system32\09wutili.sys
d:\windows\system32\drivers\f67217e1.sys
d:\windows\system32\drivers\Start1Driver.SYS
d:\windows\system32\toniluwe.dll
d:\windows\system32\yetawila.dll
d:\windows\UC.PIF
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\documents and settings\Adrian\Local Settings\Temporary Internet Files\Cpvff.stt
d:\windows\ARJ.PIF
d:\windows\LHA.PIF
d:\windows\NOCLOSE.PIF
d:\windows\PKUNZIP.PIF
d:\windows\PKZIP.PIF
d:\windows\RAR.PIF
d:\windows\system32\09wutili.sys
d:\windows\system32\drivers\f67217e1.sys
d:\windows\system32\drivers\Start1Driver.SYS
d:\windows\UC.PIF

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_START1DRIVER
-------\Service_start1driver
-------\Service_f67217e1


((((((((((((((((((((((((( Files Created from 2009-04-01 to 2009-05-01 )))))))))))))))))))))))))))))))
.

2009-04-30 17:52 . 2009-04-30 17:52 -------- d-----w d:\windows\system32\config\systemprofile\Local Settings\Application Data\Mozilla
2009-04-29 21:18 . 2009-01-20 02:52 31928 ----a-w d:\windows\system32\rrMon.sys
2009-04-29 21:18 . 2009-04-29 21:18 -------- d-----w d:\program files\Registrar Registry Manager
2009-04-29 18:21 . 2009-04-29 18:21 -------- d-----w d:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-29 17:35 . 2009-04-29 17:38 -------- d-----w d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-29 17:35 . 2009-04-29 17:38 -------- d-----w d:\program files\Spybot - Search & Destroy
2009-04-29 17:28 . 2009-04-29 17:41 -------- d-----w d:\documents and settings\Adrian\Application Data\Twain
2009-04-20 16:29 . 2009-04-20 16:29 -------- d-----w d:\documents and settings\Adrian\Application Data\Malwarebytes
2009-04-20 16:29 . 2009-04-06 05:32 15504 ----a-w d:\windows\system32\drivers\mbam.sys
2009-04-20 16:29 . 2009-04-06 05:32 38496 ----a-w d:\windows\system32\drivers\mbamswissarmy.sys
2009-04-20 16:29 . 2009-04-20 16:29 -------- d-----w d:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-20 16:29 . 2009-04-20 16:29 -------- d-----w d:\program files\Malwarebytes' Anti-Malware
2009-04-20 10:06 . 2009-04-20 10:06 -------- d-----w d:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-04-20 09:51 . 2009-04-20 09:51 -------- d-----w d:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-20 09:51 . 2009-04-23 04:43 -------- d-----w d:\program files\SUPERAntiSpyware
2009-04-20 09:51 . 2009-04-20 09:51 -------- d-----w d:\documents and settings\Adrian\Application Data\SUPERAntiSpyware.com
2009-04-20 09:51 . 2009-04-20 09:51 -------- d-----w d:\program files\Common Files\Wise Installation Wizard
2009-04-20 08:54 . 2009-04-20 08:54 -------- d-----w d:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-04-20 08:12 . 2009-04-20 08:12 -------- d-----w d:\program files\Trend Micro
2009-04-10 19:14 . 2009-04-10 19:21 -------- d-----w d:\documents and settings\Adrian\Application Data\ChessBase
2009-04-10 19:14 . 2009-04-10 19:14 -------- d-----w d:\documents and settings\Adrian\Local Settings\Application Data\ChessBase
2009-04-10 08:53 . 2009-04-10 08:53 -------- d-----w d:\documents and settings\All Users\Application Data\ChessBase
2009-04-10 08:50 . 2009-04-10 08:50 -------- d-----w d:\documents and settings\Remy\Local Settings\Application Data\ChessBase
2009-04-10 08:48 . 2009-04-17 09:29 -------- d-----w d:\documents and settings\Remy\Application Data\ChessBase
2009-04-10 08:48 . 2009-04-10 08:48 -------- d-----w d:\program files\ChessBase
2009-04-10 01:00 . 2009-04-10 01:20 -------- d-----w d:\windows\system32\CatRoot_bak
2009-04-10 00:57 . 2008-06-13 13:10 272128 -c----w d:\windows\system32\dllcache\bthport.sys
2009-04-10 00:57 . 2008-06-13 13:10 272128 ------w d:\windows\system32\drivers\bthport.sys
2009-04-10 00:46 . 2009-02-20 18:09 459264 -c----w d:\windows\system32\dllcache\msfeeds.dll
2009-04-10 00:46 . 2009-02-20 18:09 52224 -c----w d:\windows\system32\dllcache\msfeedsbs.dll
2009-04-10 00:46 . 2009-02-20 18:09 268288 -c----w d:\windows\system32\dllcache\iertutil.dll
2009-04-10 00:46 . 2009-02-20 18:09 63488 -c----w d:\windows\system32\dllcache\icardie.dll
2009-04-10 00:46 . 2009-02-20 10:20 13824 -c----w d:\windows\system32\dllcache\ieudinit.exe
2009-04-10 00:46 . 2009-02-20 18:09 383488 -c----w d:\windows\system32\dllcache\ieapfltr.dll
2009-04-10 00:46 . 2008-07-09 14:25 2455488 -c----w d:\windows\system32\dllcache\ieapfltr.dat
2009-04-10 00:46 . 2009-02-20 18:09 6066176 -c----w d:\windows\system32\dllcache\ieframe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-01 18:49 . 2004-08-04 12:00 182912 ----a-w d:\windows\system32\drivers\ndis.sys
2009-04-12 06:22 . 2006-08-09 09:43 26648 ----a-w d:\documents and settings\Remy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-10 19:15 . 2006-08-09 09:17 26648 -c--a-w d:\documents and settings\Adrian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-10 08:48 . 2006-08-09 10:48 -------- d--h--w d:\program files\InstallShield Installation Information
2009-04-03 04:26 . 2008-06-09 05:46 -------- d-----w d:\program files\FrostWire
2009-04-03 04:26 . 2007-03-11 08:55 -------- d-----w d:\program files\NetmarbleJP
2009-04-03 04:25 . 2006-08-15 07:56 -------- d-----w d:\program files\Canon
2009-03-24 16:04 . 2009-03-24 16:04 -------- d-----w d:\program files\MediaMonkey
2009-03-23 00:59 . 2009-03-23 00:58 -------- d-----w d:\program files\DVD Decrypter
2009-03-19 01:56 . 2009-03-19 01:56 -------- d-----w d:\program files\eRightSoft
2009-03-16 13:52 . 2009-03-16 13:52 -------- d-----w d:\program files\7-Zip
2009-03-16 03:50 . 2009-03-16 03:48 -------- d-----w d:\program files\SMPlayer
2009-03-06 14:44 . 2004-08-04 12:00 283648 ----a-w d:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w d:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w d:\windows\system32\ieencode.dll
2009-02-09 10:20 . 2004-08-04 12:00 723456 ----a-w d:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2004-08-04 12:00 399360 ----a-w d:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2004-08-04 12:00 714752 ----a-w d:\windows\system32\ntdll.dll
2009-02-09 10:20 . 2004-08-04 12:00 616960 ----a-w d:\windows\system32\advapi32.dll
2009-02-09 10:19 . 2004-08-04 12:00 1846272 ----a-w d:\windows\system32\win32k.sys
2009-02-06 17:22 . 2004-08-04 12:00 2136064 ----a-w d:\windows\system32\ntoskrnl.exe
2009-02-06 17:14 . 2004-08-04 12:00 110592 ----a-w d:\windows\system32\services.exe
2009-02-06 16:54 . 2004-08-04 12:00 35328 ----a-w d:\windows\system32\sc.exe
2009-02-06 16:49 . 2004-08-03 22:59 2015744 ----a-w d:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2004-08-04 12:00 55808 ----a-w d:\windows\system32\secur32.dll
2004-10-01 05:00 . 2006-08-09 10:48 40960 ----a-w d:\program files\Uninstall_CDS.exe
2006-05-06 16:42 . 2006-08-21 05:45 7260160 ----a-w d:\program files\mozilla firefox\plugins\libvlc.dll
2009-04-22 07:12 . 2009-04-22 07:12 90624 ----a-w d:\program files\mozilla firefox\components\WWShow.dll
2006-05-03 10:06 . 2009-03-16 03:59 163328 --sh--r d:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2009-03-19 01:56 31232 --sh--r d:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-03-19 01:56 216064 --sh--r d:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-01_18.56.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-01 19:59 . 2009-05-01 19:59 16384 d:\windows\temp\Perflib_Perfdata_66c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="d:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\StubInstaller.exe"=
"d:\\Program Files\\Azureus\\Azureus.exe"=
"d:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"d:\\Program Files\\MSN Messenger\\livecall.exe"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

R3 ASPI;Advanced SCSI Programming Interface Driver;d:\windows\System32\DRIVERS\ASPI32.sys [2002-07-16 16512]
S0 Achernar;Achernar - SCSI Command Filters;d:\windows\System32\Drivers\Achernar.sys [2004-02-11 16855]
S3 Aldebaran;Aldebaran - SCSI Command Filters;d:\windows\System32\Drivers\Aldebaran.sys [2004-02-11 21808]
S3 AUD;DTV-DVB 3054 Analog Audio Capture;d:\windows\system32\DRIVERS\3054AudCap.sys [2005-12-15 10240]
S3 CXAVSTS;DTV-DVB 3054 Digital TS Capture;d:\windows\system32\drivers\3054BDACap.sys [2005-12-06 18560]
S3 EuMusDesignVirtualAudioCableWdm_s2x;Sound2x Audio Cable (WDM);d:\windows\system32\DRIVERS\vacs2xkd.sys [2007-11-01 42880]

.
.
------- Supplementary Scan -------
.
FF - ProfilePath - d:\documents and settings\Adrian\Application Data\Mozilla\Firefox\Profiles\onksuo3k.default\
FF - component: d:\program files\Mozilla Firefox\components\WWShow.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npvlc.dll
FF - plugin: d:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-02 06:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(536)
d:\windows\system32\imjp81.ime
d:\windows\system32\imjp81k.dll
d:\windows\IME\IMJP8_1\Dicts\IMJPCD.DIC

- - - - - - - > 'explorer.exe'(2244)
d:\windows\system32\imjp81.ime
d:\windows\system32\imjp81k.dll
d:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
d:\windows\IME\IMJP8_1\Dicts\IMJPCD.DIC
d:\windows\system32\mshtml.dll
d:\windows\system32\msls31.dll
d:\windows\system32\msimtf.dll
d:\windows\system32\MSCTF.dll
d:\windows\system32\WPDShServiceObj.dll
d:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
d:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
d:\program files\PC Connectivity Solution\ConnAPI.DLL
d:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
d:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
d:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
d:\windows\system32\PortableDeviceTypes.dll
d:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\Ahead\InCD\InCDsrv.exe
d:\program files\Bonjour\mDNSResponder.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\program files\Canon\CAL\CALMAIN.exe
d:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-01 6:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-01 20:02
ComboFix2.txt 2009-05-01 19:00

Pre-Run: 82,320,924,672 bytes free
Post-Run: 82,311,626,752 bytes free

205 --- E O F --- 2009-04-16 17:01

The following is the HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:06:44 AM, on 2/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Canon\CAL\CALMAIN.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Adrian\Desktop\HiJackThis(2).exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - D:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - D:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 2160 bytes

Thanks again!
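
One way to see exactly what the CFScript run changed between the two HijackThis logs is to diff them by entry rather than by eye. The script below is an added example for this thread, not code from the thread or from HijackThis itself; the sample lines are taken from the logs quoted in posts #3 and #5 above, and the function names (parse_hjt, diff_hjt, flag_entries) are this example's own. It groups entry lines by their section code (R1, O4, O10, O23 and so on), reports entries present in only one log, and lists the types a helper reads first: O10 Winsock LSP lines and O23 services whose owner HijackThis could not resolve. A flag is a prompt for a manual look, not a verdict; the BITS entry is the same benign Windows service in both logs.

```python
import re
from typing import Dict, List, Tuple

# A HijackThis entry line starts with a section code (R0-R3, F0-F3, N1-N4,
# O1-O24) followed by " - "; headers and the process listing do not match.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")

# Sample logs, constructed from the lines quoted in posts #3 and #5 of this thread.
LOG_BEFORE = "\n".join([
    "Running processes:",
    r"D:\WINDOWS\System32\smss.exe",
    "",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896",
    r"O10 - Broken Internet access because of LSP provider 'd:\windows\temp\ntdll64.dll' missing",
    "O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - D:\\WINDOWS\\",
    r"O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe",
])

LOG_AFTER = "\n".join([
    "Running processes:",
    r"D:\WINDOWS\System32\smss.exe",
    "",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896",
    r'O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background',
    "O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - D:\\WINDOWS\\",
    r"O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe",
])


def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Group entry lines by section code, dropping headers and the process list."""
    entries: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.setdefault(m.group(1), []).append(m.group(2))
    return entries


def diff_hjt(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Return (removed, added): entries present in only one of the two logs."""
    b, a = parse_hjt(before), parse_hjt(after)
    removed = [f"{c} - {e}" for c in sorted(b) for e in b[c] if e not in a.get(c, [])]
    added = [f"{c} - {e}" for c in sorted(a) for e in a[c] if e not in b.get(c, [])]
    return removed, added


def flag_entries(text: str) -> List[str]:
    """Entries to read first: Winsock LSP (O10) lines and O23 services whose
    owner HijackThis could not resolve. A flag means 'look', not 'malicious'."""
    flagged: List[str] = []
    for code, items in parse_hjt(text).items():
        for e in items:
            if code == "O10" or (code == "O23" and "Unknown owner" in e):
                flagged.append(f"{code} - {e}")
    return flagged


if __name__ == "__main__":
    removed, added = diff_hjt(LOG_BEFORE, LOG_AFTER)
    print("Removed since the previous log:", *removed, sep="\n  ")
    print("New since the previous log:", *added, sep="\n  ")
    print("Still worth a manual look:", *flag_entries(LOG_AFTER), sep="\n  ")
```

Run against the two full logs saved from the thread, the diff shows the O10 LSP line for the missing d:\windows\temp\ntdll64.dll gone after the CFScript run and the msnmsgr O4 autostart appearing, which is what a reader would otherwise have to find by comparing the two logs line by line.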

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 02 May 2009 - 05:21 AM

I haven't seen any antivirus in your logs.. Antivirus is extremely crucial, as without it you will get re-infected again! Do you have any? If you don't, please install ONLY ONE of these free and excellent antivirus programs below:


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


How's the computer now?



#7 energiz20

energiz20
  • Topic Starter
  • Members
  • 9 posts

Posted 02 May 2009 - 08:39 AM

Hi again!

I was able to get hold of a copy of Avira antivirus from my cousin. The little umbrella thing seems to be doing its job.
Overall the computer is running normally again (many thanks to you!). At first there were about 52 detections and some warnings, but the second time I used it (I think in safe mode) it went down to no detections and 2 warnings.

I also did the online scan as you requested.

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=4049 (20090501)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=5acf4c213689f949a9425f6a222274ea
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-05-02 01:14:10
# local_time=2009-05-02 11:14:10 (+1000, AUS Eastern Standard Time)
# country="Australia"
# osver=5.1.2600 NT Service Pack 2
# scanned=283095
# found=3
# scan_time=9306
D:\Documents and Settings\Adrian\Desktop\iLove\iLove.exe probably unknown NewHeur_PE virus (unable to clean - deleted) 00000000000000000000000000000000
D:\System Volume Information\_restore{777C72B8-1D0E-4BCF-85B8-4019D0E91065}\RP943\A0106342.exe probably unknown NewHeur_PE virus (unable to clean - deleted) 00000000000000000000000000000000
D:\System Volume Information\_restore{777C72B8-1D0E-4BCF-85B8-4019D0E91065}\RP995\A0114630.exe probably unknown NewHeur_PE virus (unable to clean - deleted) 00000000000000000000000000000000

Hope you're having a good week!

#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 02 May 2009 - 10:04 AM

Looks good to me.. Let's do some cleanup...


Please download OTCleanIt and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes


Please read these excellent articles written by my friends:
Preventing Malware and Safe Computing by Rorschach112
What makes your machine slow? by Artellos


Also, please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware


Read this great info about safe internet surfing..

http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm




Please reply to this thread once more and tell us about the computer behaviour before we can close this thread



Have a safe and happy computing day!


Regards
fenzodahl512



#9 energiz20

energiz20
  • Topic Starter
  • Members
  • 9 posts

Posted 02 May 2009 - 10:20 AM

Hi!

The computer is functioning very well now. It's fast, with none of the errors I initially reported at the start. The only thing is a pop-up (very rare though), which I can live with once in a while.

I'll also make sure to regularly scan for viruses, spyware and malware using Avira. I've also kept Spybot Search and Destroy. Both are running in the system tray (no detections so far!).

Firewall is also back up.

Thank you very much for all your help. I'm going through the articles you have provided me with.

Have a great day



