
Worm.Autorun and Trojan.Agent infection


  • This topic is locked
20 replies to this topic

#1 jaf72

jaf72

  • Members
  • 32 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:39 PM

Posted 09 May 2009 - 09:35 AM

My computer shows two major problems involved with this infection:

1) There is a warning in the bottom-right hand corner of the screen (a red shield with a white X on it) telling me that Automatic Updates is turned off. I click on it to open up the security centre and when I try to turn on Automatic Updates, it tells me I have to do it manually in Control Panel. When I look at the system settings in Control Panel, it tells me that Automatic Updates is already turned on.

2) Whenever I try to use the internet, I will sometimes click on a link (e.g. to another video on YouTube) and instead of loading the page I want, a new tab opens, loading up a completely different website. The website it links me to seems to change every time.

Here is my DDS log:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Jason at 15:10:34.07 on Sat 05/09/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.849 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
svchost.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
\\?\globalroot\systemroot\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jason\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
mSearchAssistant = hxxp://www.google.com
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [A00F58EB3B73.exe] c:\docume~1\jason\locals~1\temp\_A00F58EB3B73.exe
uRun: [autochk] rundll32.exe c:\docume~1\jason\protect.dll,_IWMPEvents@16
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [HydraVisionDesktopManager] c:\program files\ati technologies\ati hydravision\HydraDM.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [EPSON Stylus D68 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAAE.EXE /P23 "EPSON Stylus D68 Series" /O16 "Epson Stylus D68" /M "Stylus D68"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [autochk] rundll32.exe c:\windows\system32\config\system~1\protect.dll,_IWMPEvents@16
StartupFolder: c:\docume~1\jason\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229780191703
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\movunafu.dll,c:\windows\system32\hadomoku.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\windows\system32\movunafu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jason\applic~1\mozilla\firefox\profiles\qlywt0hz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [2005-12-6 35328]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2007-5-30 3968]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-9-3 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
S1 c5f45f0b;c5f45f0b;c:\windows\system32\drivers\c5f45f0b.sys --> c:\windows\system32\drivers\c5f45f0b.sys [?]
S2 QeiVoy;QeiVoy;c:\windows\system32\svchost.exe -k netsvcs [2006-2-28 14336]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]

=============== Created Last 30 ================

2009-05-09 11:59 24,064 a--sh--- c:\documents and settings\jason\protect.dll
2009-05-09 11:59 24,064 a--sh--- c:\windows\system32\autochk.dll
2009-05-09 11:58 27,648 a------- c:\windows\system32\lmn_setup.exe
2009-05-05 23:15 1 a------- c:\windows\system32\uniq.tll
2009-05-05 22:51 2 a------- C:\-2010294316
2009-05-05 22:51 7,168 a------- C:\dtmb.exe
2009-04-15 11:38 <DIR> --d----- C:\spoolerlogs
2009-04-15 07:14 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 07:14 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-15 07:14 2,560 -------- c:\windows\system32\xpsp4res.dll

==================== Find3M ====================

2009-05-05 22:51 51,712 a--sh--- c:\windows\system32\rohamuda.exe
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 19:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 13:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 13:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 13:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 13:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 12:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-05-09 15:11 24,064 a--sh--- c:\windows\system32\autochk.dll
2008-09-26 21:44 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092620080927\index.dat

============= FINISH: 15:11:18.87 ===============

#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,805 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:05:39 PM

Posted 23 May 2009 - 09:41 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review your log and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results; click No to the Optional_Scan.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. You can find information on A/V control HERE

Orange Blossom :thumbup2:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 jaf72

jaf72
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:39 PM

Posted 25 May 2009 - 06:03 PM

OK, since my first post, a new problem came up:
A program called "Malware Doctor" popped up and started to tell me that a ridiculous number of files had been infected. I did a scan with SuperAntiSpyware and it seems to have gone, but I'm not holding my breath.
Anyway, here is my new DDS log:

DDS (Ver_09-05-14.01) - NTFSx86
Run by Jason at 23:58:27.21 on Mon 05/25/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.861 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
svchost.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jason\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
mSearchAssistant = hxxp://www.google.com
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [A00F58EB3B73.exe] c:\docume~1\jason\locals~1\temp\_A00F58EB3B73.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [HydraVisionDesktopManager] c:\program files\ati technologies\ati hydravision\HydraDM.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [EPSON Stylus D68 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAAE.EXE /P23 "EPSON Stylus D68 Series" /O16 "Epson Stylus D68" /M "Stylus D68"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
StartupFolder: c:\docume~1\jason\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229780191703
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\movunafu.dll,c:\windows\system32\hadomoku.dll,c:\progra~1\thunmail\testabd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\windows\system32\movunafu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jason\applic~1\mozilla\firefox\profiles\qlywt0hz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [2005-12-6 35328]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2007-5-30 3968]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-9-3 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
S1 c5f45f0b;c5f45f0b;c:\windows\system32\drivers\c5f45f0b.sys --> c:\windows\system32\drivers\c5f45f0b.sys [?]
S2 avast!Antivirus;avast!Antivirus;c:\windows\system32\avast!antivirus.exe -k netsvcs --> c:\windows\system32\avast!Antivirus.exe -k netsvcs [?]
S2 QeiVoy;QeiVoy;c:\windows\system32\svchost.exe -k netsvcs [2006-2-28 14336]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]

=============== Created Last 30 ================

2009-05-25 21:07 28,672 a------- c:\windows\system32\lmn_setup.exe
2009-05-22 12:32 444 a------- c:\windows\system32\win32hlp.cnf
2009-05-22 12:32 55 a------- c:\windows\system32\ahtn.htm
2009-05-22 12:32 104,960 ac------ c:\windows\system32\dllcache\userinit.exe
2009-05-22 12:31 19,968 a------- c:\windows\system32\loader49.exe
2009-05-21 20:16 136 a------- c:\windows\system32\vp_setup.exe.bat
2009-05-21 20:16 61,440 a------- c:\windows\system32\vp_setup.exe
2009-05-21 20:16 <DIR> --dshr-- c:\program files\ThunMail
2009-05-18 08:26 37,376 a------- c:\windows\system32\glsetup.exe
2009-05-05 23:15 1 a------- c:\windows\system32\uniq.tll
2009-05-05 22:51 2 a------- C:\-2010294316
2009-05-05 22:51 7,168 a------- C:\dtmb.exe

==================== Find3M ====================

2009-05-05 22:51 51,712 a--sh--- c:\windows\system32\rohamuda.exe
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\wininet.dll

============= FINISH: 23:59:09.89 ===============


:thumbup2:


#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:39 PM

Posted 26 May 2009 - 02:44 AM

Hi jaf72,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

The PC is still infected: it is set to use a proxy server, the registry tool and the Task Manager are disabled, and an important Windows system file looks to be patched by the malware. You don't have antivirus protection on the system, but we are going to install a good free one in the next round, as it might remove the patched userinit.exe and you might not be able to boot the computer any more.

In the steps described below, please make sure you install the Recovery Console; otherwise ComboFix won't fix the patched system file.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#5 jaf72

jaf72
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:39 PM

Posted 26 May 2009 - 06:09 AM

Awesome!
The ComboFix scan worked without any problems. :thumbup2:
Here's the log (I've attached it as well, just in case):

ComboFix 09-05-25.07 - Jason 05/26/2009 11:43.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.963 [GMT 1:00]
Running from: c:\documents and settings\Jason\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-2010294316
c:\documents and settings\Jason\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Jason\Start Menu\Programs\Startup\ChkDisk.lnk
c:\documents and settings\LocalService\Application Data\1107964398.exe
c:\documents and settings\LocalService\Application Data\912196419.exe
c:\documents and settings\LocalService\Application Data\971313497.exe
c:\program files\ThunMail
c:\program files\ThunMail\testabd.dll
c:\windows\system32\ahtn.htm
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.lnk
c:\windows\system32\drivers\ovfsthipwuhndugrfhrfujqtqaiwxyesmbwfns.sys
c:\windows\system32\glsetup.exe
c:\windows\system32\lmn_setup.exe
c:\windows\system32\loader49.exe
c:\windows\system32\ovfsthfopnkqhtmfeobamtaoyicypdaqurejqs.dll
c:\windows\system32\ovfsthgotdnbggvckdopqnjnvvhsacdxpxxlmd.dat
c:\windows\system32\ovfsthsdpqmtxucxrevosblrjyowiashlffamd.dat
c:\windows\system32\ovfsthvxryiwujlvcaovaoesdppguhwyjffdko.dll
c:\windows\system32\ovfsthwjgqpuikcstvltogebsvsvubpoucnlch.dll
c:\windows\system32\rohamuda.exe
c:\windows\system32\uniq.tll
c:\windows\system32\vp_setup.exe
c:\windows\system32\vp_setup.exe.bat
c:\windows\system32\win32hlp.cnf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthmxwhpyigkkepkxtaavowbvmlygeiemol
-------\Legacy_AVAST!ANTIVIRUS
-------\Service_avast!Antivirus


((((((((((((((((((((((((( Files Created from 2009-04-26 to 2009-05-26 )))))))))))))))))))))))))))))))
.

2009-05-26 09:52 . 2009-05-26 03:18 105 ----a-w C:\tj.vbs
2009-05-26 09:51 . 2009-05-26 09:52 107254 ----a-w c:\windows\system32\vic_setup.exe
2009-05-22 11:47 . 2009-05-22 11:47 -------- d-----w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Mozilla
2009-05-22 11:32 . 2009-05-22 11:32 104960 -c--a-w c:\windows\system32\dllcache\userinit.exe
2009-05-08 10:48 . 2009-05-26 10:17 117760 ----a-w c:\documents and settings\Jason\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-05 21:51 . 2009-05-05 21:51 7168 ----a-w C:\dtmb.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-26 10:58 . 2008-02-21 16:42 -------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2009-05-06 17:52 . 2008-07-19 15:18 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-06 09:30 . 2008-10-06 17:57 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-06 09:26 . 2008-10-06 22:54 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-15 11:07 . 2007-02-15 22:22 -------- d-----w c:\program files\Java
2009-04-15 11:04 . 2009-04-15 11:04 152576 ----a-w c:\documents and settings\Jason\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-06 14:32 . 2008-10-06 17:57 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 14:32 . 2008-10-06 17:57 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-06 14:22 . 2006-02-28 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-02-28 12:00 826368 ----a-w c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-17 68856]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-01-25 1032376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"HydraVisionDesktopManager"="c:\program files\ATI Technologies\ATI HydraVision\HydraDM.exe" [2003-04-01 270336]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-10-30 180269]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-09-14 157592]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"EPSON Stylus D68 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE" [2005-01-25 98304]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2003-03-20 1855488]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2004-12-21 45056]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-04 12:09 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LucasArts\\Force Commander\\Resource\\focom.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"c:\\WINDOWS\\mixer.exe"=
"c:\\Program Files\\Toshiba\\Bluetooth Toshiba Stack\\TosBtHSP.exe"=

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [12/6/2005 16:11 35328]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [9/3/2008 14:07 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 14:07 55024]
S1 c5f45f0b;c5f45f0b;c:\windows\system32\drivers\c5f45f0b.sys --> c:\windows\system32\drivers\c5f45f0b.sys [?]
S2 QeiVoy;QeiVoy;c:\windows\System32\svchost.exe -k netsvcs [2/28/2006 13:00 14336]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 14:07 7408]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
QeiVoy
.
Contents of the 'Scheduled Tasks' folder

2009-05-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-AVG Anti-Spyware Driver
SafeBoot-procexp90.Sys
SafeBoot-AVG Anti-Spyware Guard


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\documents and settings\Jason\Application Data\Mozilla\Firefox\Profiles\qlywt0hz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-26 11:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-299502267-1085031214-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ac,d4,79,06,b0,d3,6c,24,5a,ca,21,ca,5b,7c,a1,16,b5,f9,0e,d4,0c,96,eb,
6a,25,5c,a5,b1,58,82,2c,88,f7,32,7d,2e,df,98,ec,f5,f2,83,53,47,df,74,83,af,\
"??"=hex:d0,fe,e9,75,d6,d8,cd,ad,c3,8d,7d,75,23,88,83,bf

[HKEY_USERS\S-1-5-21-299502267-1085031214-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:ef,dc,5e,bc,fd,63,bf,7b,95,a8,6d,58,e5,05,01,e3,34,29,0e,5b,11,
f4,aa,01,d3,79,2a,99,d0,dc,68,e8,74,82,d2,99,06,72,10,61,7c,37,98,f2,3d,c1,\
"rkeysecu"=hex:19,9c,f0,ca,6e,de,a8,69,79,3e,43,a8,cc,59,f9,b0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1280)
c:\program files\ATI Technologies\ATI HydraVision\HydraDMH.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Kontiki\KService.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
.
**************************************************************************
.
Completion time: 2009-05-26 12:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-26 11:04

Pre-Run: 44,777,816,064 bytes free
Post-Run: 44,719,321,088 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

200 --- E O F --- 2009-04-15 11:12




#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:39 PM

Posted 26 May 2009 - 06:59 AM

Well done. :thumbup2:

Posting the log will do. No need to attach it too.

Open notepad and copy/paste the text in the code box below into it:

http://www.bleepingcomputer.com/forums/t/225638/wormautorun-and-trojanagent-infection/

Collect::
c:\windows\system32\drivers\c5f45f0b.sys
C:\dtmb.exe
Driver::
QeiVoy
c5f45f0b
NetSvc::
QeiVoy
DDS::
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 4
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
FileLook::
userinit.exe

Save this as CFScript.txt


Posted Image


Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Important Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
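The DDS:: section of the script above lists the settings ComboFix is told to reset: an Internet Explorer proxy pointing at localhost:7171, the matching Firefox network.proxy.* prefs, and default-user policies that hide Folder Options and disable Registry Editor and Task Manager. A local proxy of this kind is how a tab can end up on a site the user never clicked, and the policies are there to hinder clean-up. The following is an added example, not Farbar's or the DDS/ComboFix code: it scans DDS-style lines for those indicators. The sample input is constructed to mirror the lines in this thread, and the regular expressions assume the DDS line formats shown on this page (the u/m/d prefixes stand for current user, machine and default user).

```python
import re

# Constructed sample in the shape of a DDS "Supplementary Scan" section;
# values copied from the CFScript in this thread.
SAMPLE_DDS = """\
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 4
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Policies that are commonly flipped to 1 to hinder clean-up (hypothetical
# watch list for this example; extend it to taste).
SUSPECT_POLICIES = {"NoFolderOptions", "DisableRegistryTools",
                    "DisableTaskMgr", "DisableCMD"}

PROXY_RE = re.compile(r"^[umd]Internet Settings,ProxyServer\s*=\s*(.+)$")
FF_PROXY_RE = re.compile(r"^FF - prefs\.js: network\.proxy\.(\w+) - (.+)$")
POLICY_RE = re.compile(r"^([umd])Policies-(explorer|system): (\w+) = (\d+)")


def parse_proxy_server(value):
    """Parse an IE ProxyServer string such as 'http=localhost:7171',
    'proxy.corp:8080' or 'http=a:1;https=b:2' into {scheme: (host, port)}."""
    result = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, hostport = part.split("=", 1) if "=" in part else ("all", part)
        host, _, port = hostport.rpartition(":")
        if not host:                 # no port given at all
            host, port = hostport, ""
        result[scheme.strip().lower()] = (host.strip().lower(), port.strip())
    return result


def find_hijack_indicators(dds_text):
    """Return human-readable findings for loopback proxies and lockout policies."""
    findings = []
    ff_host, ff_type = None, None
    for raw in dds_text.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            for scheme, (host, port) in parse_proxy_server(m.group(1)).items():
                if host in LOOPBACK:
                    findings.append(f"IE proxy for {scheme} points at loopback {host}:{port}")
            continue
        m = FF_PROXY_RE.match(line)
        if m:
            key, val = m.group(1), m.group(2).strip()
            if key == "http":
                ff_host = val.lower()
            elif key == "type":
                ff_type = val
            continue
        m = POLICY_RE.match(line)
        if m:
            scope, hive, name, val = m.groups()
            if name in SUSPECT_POLICIES and val != "0":
                findings.append(f"{scope}Policies-{hive}: {name} = {val}")
    if ff_host in LOOPBACK:
        findings.append(f"Firefox HTTP proxy points at loopback {ff_host} "
                        f"(network.proxy.type={ff_type})")
    return findings


if __name__ == "__main__":
    for finding in find_hijack_indicators(SAMPLE_DDS):
        print(finding)
```

A loopback proxy is a lead, not a verdict: some legitimate web-filtering and antivirus products also insert a local proxy, so the next step is to identify which process listens on that port before deciding it is the redirector.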


#7 jaf72

jaf72
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:39 PM

Posted 26 May 2009 - 07:45 AM

OK, that seemed to go well.
Here's the report:

ComboFix 09-05-25.07 - Jason 05/26/2009 13:24.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.857 [GMT 1:00]
Running from: c:\documents and settings\Jason\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jason\Desktop\CFScript.txt
* Created a new restore point

file zipped: C:\dtmb.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\dtmb.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_QEIVOY
-------\Service_c5f45f0b
-------\Service_QeiVoy


((((((((((((((((((((((((( Files Created from 2009-04-26 to 2009-05-26 )))))))))))))))))))))))))))))))
.

2009-05-26 09:52 . 2009-05-26 03:18 105 ----a-w C:\tj.vbs
2009-05-26 09:51 . 2009-05-26 09:52 107254 ----a-w c:\windows\system32\vic_setup.exe
2009-05-22 11:47 . 2009-05-22 11:47 -------- d-----w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Mozilla
2009-05-22 11:32 . 2009-05-22 11:32 104960 -c--a-w c:\windows\system32\dllcache\userinit.exe
2009-05-08 10:48 . 2009-05-26 10:17 117760 ----a-w c:\documents and settings\Jason\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-26 12:35 . 2008-02-21 16:42 -------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2009-05-06 17:52 . 2008-07-19 15:18 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-06 09:30 . 2008-10-06 17:57 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-06 09:26 . 2008-10-06 22:54 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-15 11:07 . 2007-02-15 22:22 -------- d-----w c:\program files\Java
2009-04-15 11:04 . 2009-04-15 11:04 152576 ----a-w c:\documents and settings\Jason\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-06 14:32 . 2008-10-06 17:57 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 14:32 . 2008-10-06 17:57 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-06 14:22 . 2006-02-28 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-02-28 12:00 826368 ----a-w c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-26_10.56.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-26 12:31 . 2009-05-26 12:31 16384 c:\windows\Temp\Perflib_Perfdata_5e4.dat
- 2009-05-26 10:52 . 2009-05-26 10:52 16384 c:\windows\Temp\Perflib_Perfdata_5e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-17 68856]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-01-25 1032376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"HydraVisionDesktopManager"="c:\program files\ATI Technologies\ATI HydraVision\HydraDM.exe" [2003-04-01 270336]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-10-30 180269]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-09-14 157592]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"EPSON Stylus D68 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE" [2005-01-25 98304]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2003-03-20 1855488]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2004-12-21 45056]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-04 12:09 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LucasArts\\Force Commander\\Resource\\focom.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"c:\\WINDOWS\\mixer.exe"=
"c:\\Program Files\\Toshiba\\Bluetooth Toshiba Stack\\TosBtHSP.exe"=

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [12/6/2005 16:11 35328]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [9/3/2008 14:07 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 14:07 55024]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 14:07 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-05-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\documents and settings\Jason\Application Data\Mozilla\Firefox\Profiles\qlywt0hz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-26 13:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-299502267-1085031214-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ac,d4,79,06,b0,d3,6c,24,5a,ca,21,ca,5b,7c,a1,16,b5,f9,0e,d4,0c,96,eb,
6a,25,5c,a5,b1,58,82,2c,88,f7,32,7d,2e,df,98,ec,f5,f2,83,53,47,df,74,83,af,\
"??"=hex:d0,fe,e9,75,d6,d8,cd,ad,c3,8d,7d,75,23,88,83,bf

[HKEY_USERS\S-1-5-21-299502267-1085031214-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:ef,dc,5e,bc,fd,63,bf,7b,95,a8,6d,58,e5,05,01,e3,34,29,0e,5b,11,
f4,aa,01,d3,79,2a,99,d0,dc,68,e8,74,82,d2,99,06,72,10,61,7c,37,98,f2,3d,c1,\
"rkeysecu"=hex:19,9c,f0,ca,6e,de,a8,69,79,3e,43,a8,cc,59,f9,b0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2716)
c:\program files\ATI Technologies\ATI HydraVision\HydraDMH.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Kontiki\KService.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
.
**************************************************************************
.
Completion time: 2009-05-26 13:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-26 12:40
ComboFix2.txt 2009-05-26 11:04

Pre-Run: 44,720,558,080 bytes free
Post-Run: 44,697,231,360 bytes free

168 --- E O F --- 2009-04-15 11:12

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:39 PM

Posted 26 May 2009 - 09:00 AM

Please go to start => Run
copy and paste the following in the run box and click OK:

cmd /c dir /s "c:\userinit*" >log.txt&log.txt&del log.txt

A command window and then a text file opens. Please post the content of it to your reply.

#9 jaf72

jaf72
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:39 PM

Posted 26 May 2009 - 09:12 AM

OK, this is what it came up with:

Volume in drive C has no label.
Volume Serial Number is 882D-57D4

Directory of c:\WINDOWS\$NtServicePackUninstall$

02/28/2006 13:00 24,576 userinit.exe
1 File(s) 24,576 bytes

Directory of c:\WINDOWS\Prefetch

05/26/2009 13:32 23,630 USERINIT.EXE-30B18140.pf
1 File(s) 23,630 bytes

Directory of c:\WINDOWS\ServicePackFiles\i386

04/14/2008 01:12 26,112 userinit.exe
1 File(s) 26,112 bytes

Directory of c:\WINDOWS\system32

04/14/2008 01:12 26,112 userinit.exe
1 File(s) 26,112 bytes

Directory of c:\WINDOWS\system32\dllcache

05/22/2009 12:32 104,960 userinit.exe
1 File(s) 104,960 bytes

Total Files Listed:
5 File(s) 205,390 bytes
0 Dir(s) 44,718,751,744 bytes free

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:39 PM

Posted 26 May 2009 - 09:57 AM

Thanks. It seems the userinit.exe that is in use is not patched, but the one in dllcache is patched.
  • Please go to start => Run
    Copy and paste the following lines one by one in the run box and click OK after each line:

    cmd /c copy /y C:\WINDOWS\system32\userinit.exe C:\WINDOWS\system32\dllcache
    cmd /c dir /s "userinit*" >log.txt&log.txt&del log.txt


    A command window and then a text file opens. Please post the content of it to your reply.

  • You are missing one important program on that computer: An antivirus.
    This is somewhat suicidal in today's digital world.
    You need to install an antivirus program as soon as you can. I recommend this good free antivirus: Avira
  • Download the installer. Install and update it.
  • In the left pane click Status. In the right pane click Scan system now.
  • After the scan has finished, let it remove what it finds and then click Report.
  • You can get the last report also by clicking on Reports on the left pane.
  • In the right window under Action double-click on the last Scan listed (you see also the corresponding Date/Time).
  • A window opens, click on Report file.
  • Copy and paste the content of the report to your reply.
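The dir /s listing above is read by comparing the copies of userinit.exe that Windows keeps: the in-use copy in system32 and the ServicePackFiles reference are both 26,112 bytes from 2008, while the dllcache copy is 104,960 bytes from May 2009. Because Windows File Protection restores system32 from dllcache, a tampered cache copy would come back after clean-up, which is why the good copy is copied over it first. The following is an added example, not Farbar's command or any tool from the thread: it parses that dir /s output and reports which copies disagree. The sample listing is constructed to match the one posted above; the directory suffixes it looks for are assumptions based on the XP layout shown there.

```python
import re

# Constructed sample in the shape of the `dir /s "c:\userinit*"` output
# posted in this thread (sizes and dates copied from it).
SAMPLE_DIR_OUTPUT = r"""
 Volume in drive C has no label.
 Volume Serial Number is 882D-57D4

 Directory of c:\WINDOWS\$NtServicePackUninstall$

02/28/2006  13:00            24,576 userinit.exe
               1 File(s)         24,576 bytes

 Directory of c:\WINDOWS\Prefetch

05/26/2009  13:32            23,630 USERINIT.EXE-30B18140.pf
               1 File(s)         23,630 bytes

 Directory of c:\WINDOWS\ServicePackFiles\i386

04/14/2008  01:12            26,112 userinit.exe
               1 File(s)         26,112 bytes

 Directory of c:\WINDOWS\system32

04/14/2008  01:12            26,112 userinit.exe
               1 File(s)         26,112 bytes

 Directory of c:\WINDOWS\system32\dllcache

05/22/2009  12:32           104,960 userinit.exe
               1 File(s)        104,960 bytes

     Total Files Listed:
               5 File(s)        205,390 bytes
               0 Dir(s)  44,718,751,744 bytes free
"""

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
FILE_RE = re.compile(r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2})\s+([\d,]+)\s+(\S.*?)\s*$")


def parse_dir_listing(text):
    """Turn `dir /s` output into a list of {dir, name, size, stamp} records."""
    entries, current = [], None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m and current is not None:
            date, clock, size, name = m.groups()
            entries.append({"dir": current, "name": name,
                            "size": int(size.replace(",", "")),
                            "stamp": f"{date} {clock}"})
    return entries


def _copy_in(entries, filename, dir_suffix):
    """First entry named `filename` whose directory ends with `dir_suffix`."""
    for e in entries:
        if (e["name"].lower() == filename.lower()
                and e["dir"].lower().endswith(dir_suffix.lower())):
            return e
    return None


def compare_protected_copies(text, filename="userinit.exe"):
    """Compare the in-use copy with the WFP cache and the service-pack reference.
    Directory suffixes are assumptions based on the XP layout in the thread."""
    entries = parse_dir_listing(text)
    in_use = _copy_in(entries, filename, r"\system32")
    cached = _copy_in(entries, filename, r"\system32\dllcache")
    reference = _copy_in(entries, filename, r"\ServicePackFiles\i386")
    findings = []
    if in_use and cached and in_use["size"] != cached["size"]:
        findings.append(f"dllcache copy ({cached['size']} bytes, {cached['stamp']}) differs "
                        f"from in-use copy ({in_use['size']} bytes, {in_use['stamp']}); "
                        "WFP would restore the cached copy")
    for label, copy in (("in-use", in_use), ("dllcache", cached)):
        if reference and copy and copy["size"] != reference["size"]:
            findings.append(f"{label} copy ({copy['size']} bytes) differs from "
                            f"ServicePackFiles reference ({reference['size']} bytes)")
    return {"in_use": in_use, "dllcache": cached, "reference": reference,
            "findings": findings}


if __name__ == "__main__":
    for finding in compare_protected_copies(SAMPLE_DIR_OUTPUT)["findings"]:
        print(finding)
```

Size and timestamp are only the coarse first check that a dir listing allows; where the files themselves are available, compare cryptographic hashes and the Authenticode signature of each copy against the reference before trusting any of them.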


#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:39 PM

Posted 26 May 2009 - 10:02 AM

When you click on the link you get the option to download the installer from different locations. Please download the installer from softpedia.com as it has a secure download mirror.
If you download it from the other link you have to add .exe to the file in order to run it.

#12 jaf72

jaf72
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:39 PM

Posted 26 May 2009 - 12:54 PM

OK. Both scans have finished.
Here is the first log:

Volume in drive C has no label.
Volume Serial Number is 882D-57D4

Directory of C:\Documents and Settings\Jason

04/14/2008 01:12 26,112 userinit.exe
1 File(s) 26,112 bytes

Total Files Listed:
1 File(s) 26,112 bytes
0 Dir(s) 44,716,728,320 bytes free




and here is the Avira report:

Avira AntiVir Personal
Report file date: 26 May 2009 16:29

Scanning for 1426566 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : JASONFLINTHAM

Version information:
BUILD.DAT : 9.0.0.394 17962 Bytes 4/17/2009 11:20:00
AVSCAN.EXE : 9.0.3.5 466689 Bytes 4/17/2009 08:57:30
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 10:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 11:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 10:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 12:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 20:33:26
ANTIVIR2.VDF : 7.1.4.0 2336768 Bytes 5/20/2009 15:28:02
ANTIVIR3.VDF : 7.1.4.19 199680 Bytes 5/26/2009 15:28:05
Engineversion : 8.2.0.168
AEVDF.DLL : 8.1.1.1 106868 Bytes 5/26/2009 15:28:39
AESCRIPT.DLL : 8.1.2.0 389497 Bytes 5/26/2009 15:28:39
AESCN.DLL : 8.1.2.3 127347 Bytes 5/26/2009 15:28:36
AERDL.DLL : 8.1.1.3 438645 Bytes 10/29/2008 18:24:41
AEPACK.DLL : 8.1.3.16 397686 Bytes 5/26/2009 15:28:35
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/26/2009 20:01:56
AEHEUR.DLL : 8.1.0.129 1761655 Bytes 5/26/2009 15:28:32
AEHELP.DLL : 8.1.2.2 119158 Bytes 2/26/2009 20:01:56
AEGEN.DLL : 8.1.1.44 348532 Bytes 5/26/2009 15:28:10
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 14:32:40
AECORE.DLL : 8.1.6.9 176500 Bytes 5/26/2009 15:28:07
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 14:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 08:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 10:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 14:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 10:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 15:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 10:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 15:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 08:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 10:32:10
RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2/9/2009 11:45:45
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 10:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: 26 May 2009 16:29

Starting search for hidden objects.
'48526' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'CLI.exe' - '1' Module(s) have been scanned
Scan process 'CLI.exe' - '1' Module(s) have been scanned
Scan process 'TosBtHSP.exe' - '1' Module(s) have been scanned
Scan process 'TosA2dp.exe' - '1' Module(s) have been scanned
Scan process 'TosBtMng.exe' - '1' Module(s) have been scanned
Scan process 'KHost.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'CLI.exe' - '1' Module(s) have been scanned
Scan process 'E_FATIAAE.EXE' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'daemon.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'HydraDM.exe' - '1' Module(s) have been scanned
Scan process 'mixer.exe' - '1' Module(s) have been scanned
Scan process 'PDVDServ.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'KService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
41 processes with 41 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '63' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Qoobox\Quarantine\[4]-Submit_2009-05-26_13.24.09.zip
[0] Archive type: ZIP
--> dtmb.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\Qoobox\Quarantine\C\dtmb.exe.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\971313497.exe.vir
[DETECTION] Is the TR/Spy.Ambler.D.27 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\glsetup.exe.vir
[DETECTION] Is the TR/Monder.chce Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\lmn_setup.exe.vir
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\loader49.exe.vir
[DETECTION] Is the TR/Dldr.FraudLoad.vtxj Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthfopnkqhtmfeobamtaoyicypdaqurejqs.dll.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthvxryiwujlvcaovaoesdppguhwyjffdko.dll.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthwjgqpuikcstvltogebsvsvubpoucnlch.dll.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\rohamuda.exe.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\vp_setup.exe.vir
[DETECTION] Is the TR/PSW.Wow.ohg.4 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthipwuhndugrfhrfujqtqaiwxyesmbwfns.sys.vir
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP784\A0129374.exe
[0] Archive type: NSIS
--> ProgramFilesDir/3_sbcg4ap103_pc_music_and_sounds.ttarch
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP814\A0134434.dll
[DETECTION] Is the TR/PSW.Agent.mso Trojan
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP815\A0134772.dll
[DETECTION] Is the TR/Agent.btjt.2 Trojan
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP849\A0137945.sys
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP849\A0137946.dll
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP849\A0137947.dll
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP849\A0137948.dll
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP849\A0137951.dll
[DETECTION] Is the TR/Spy.Agent.argt Trojan
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP849\A0137952.dll
[DETECTION] Is the TR/Spy.Agent.argt Trojan
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP849\A0137953.dll
[DETECTION] Is the TR/Spy.Agent.argt Trojan
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP849\A0137970.exe
[DETECTION] Is the TR/Monder.chce Trojan
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP849\A0137971.exe
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP849\A0137972.exe
[DETECTION] Is the TR/Dldr.FraudLoad.vtxj Trojan
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP849\A0137973.exe
[DETECTION] Is the TR/PSW.Wow.ohg.4 Trojan
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP849\A0137979.exe
[DETECTION] Is the TR/Spy.Ambler.D.27 Trojan
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP849\A0137982.exe
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP850\A0138077.exe
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP850\A0138154.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!

Beginning disinfection:
C:\Qoobox\Quarantine\[4]-Submit_2009-05-26_13.24.09.zip
[NOTE] The file was moved to '4a792be9.qua'!
C:\Qoobox\Quarantine\C\dtmb.exe.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4a892c29.qua'!
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\971313497.exe.vir
[DETECTION] Is the TR/Spy.Ambler.D.27 Trojan
[NOTE] The file was moved to '4a4d2bec.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\glsetup.exe.vir
[DETECTION] Is the TR/Monder.chce Trojan
[NOTE] The file was moved to '4a8f2c21.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\lmn_setup.exe.vir
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
[NOTE] The file was moved to '4a8a2c22.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\loader49.exe.vir
[DETECTION] Is the TR/Dldr.FraudLoad.vtxj Trojan
[NOTE] The file was moved to '4a7d2c24.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthfopnkqhtmfeobamtaoyicypdaqurejqs.dll.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4a822c2b.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthvxryiwujlvcaovaoesdppguhwyjffdko.dll.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '49b3468c.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthwjgqpuikcstvltogebsvsvubpoucnlch.dll.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '49b05e44.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\rohamuda.exe.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a842c24.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\vp_setup.exe.vir
[DETECTION] Is the TR/PSW.Wow.ohg.4 Trojan
[NOTE] The file was moved to '4a7b2c25.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthipwuhndugrfhrfujqtqaiwxyesmbwfns.sys.vir
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4a822c2c.qua'!
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP814\A0134434.dll
[DETECTION] Is the TR/PSW.Agent.mso Trojan
[NOTE] The file was moved to '4a4d2be6.qua'!
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP815\A0134772.dll
[DETECTION] Is the TR/Agent.btjt.2 Trojan
[NOTE] The file was moved to '497d493f.qua'!
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP849\A0137945.sys
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4b301ba7.qua'!
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP849\A0137946.dll
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '49ec9fff.qua'!
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP849\A0137947.dll
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4975b2bf.qua'!
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP849\A0137948.dll
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '49748ac7.qua'!
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP849\A0137951.dll
[DETECTION] Is the TR/Spy.Agent.argt Trojan
[NOTE] The file was moved to '4977830f.qua'!
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP849\A0137952.dll
[DETECTION] Is the TR/Spy.Agent.argt Trojan
[NOTE] The file was moved to '49769b57.qua'!
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP849\A0137953.dll
[DETECTION] Is the TR/Spy.Agent.argt Trojan
[NOTE] The file was moved to '4971939f.qua'!
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP849\A0137970.exe
[DETECTION] Is the TR/Monder.chce Trojan
[NOTE] The file was moved to '4970eba7.qua'!
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP849\A0137971.exe
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
[NOTE] The file was moved to '4973e3ef.qua'!
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP849\A0137972.exe
[DETECTION] Is the TR/Dldr.FraudLoad.vtxj Trojan
[NOTE] The file was moved to '4972e437.qua'!
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP849\A0137973.exe
[DETECTION] Is the TR/PSW.Wow.ohg.4 Trojan
[NOTE] The file was moved to '490dfc7f.qua'!
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP849\A0137979.exe
[DETECTION] Is the TR/Spy.Ambler.D.27 Trojan
[NOTE] The file was moved to '490cf487.qua'!
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP849\A0137982.exe
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '490fcccf.qua'!
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP850\A0138077.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '490ec517.qua'!
C:\System Volume Information\_restore{8D3693DD-0A48-443F-8526-C7B23A19F4A0}\RP850\A0138154.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4978a227.qua'!


End of the scan: 26 May 2009 18:49
Used time: 1:13:22 Hour(s)

The scan has been done completely.

10431 Scanned directories
402277 Files were scanned
29 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
29 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
402246 Files not concerned
1448 Archives were scanned
4 Warnings
30 Notes
48526 Objects were scanned with rootkit scan
0 Hidden objects were found

#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:39 PM

Posted 26 May 2009 - 01:43 PM

Well done :thumbup2:

We are almost there.
  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove the older Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java Runtime Environment (JRE)" JRE 6 Update 13.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name. That would be:

      J2SE Runtime Environment 5.0 Update 11
      Java™ 6 Update 11
      Java™ 6 Update 2
      Java™ 6 Update 3
      Java™ 6 Update 5
      Java™ 6 Update 7
      Java™ SE Runtime Environment 6 Update 1

    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
    -- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
    -- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
    -- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


    Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

  • Open Malwarebytes' Anti-Malware, update it first, run a "Quick Scan", let it reboot if needed and copy/paste the log into your reply.

    Note: The logs are saved by default under the Logs tab. If the log did not automatically open you can obtain the latest log from there.

  • Please post a new DDS log for a final review and tell me how your computer is running.
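The removal steps above boil down to one rule: every installed runtime older than the version being installed (6 Update 13) has to go, whichever of Sun's naming schemes Add/Remove Programs shows it under, because each leftover JRE is still reachable by a malicious page. The Python below is an added example, not part of the post or a BleepingComputer tool; it normalises the display names listed above to a (major, update) pair and returns the entries to remove, putting Java-looking names it cannot version into a separate bucket instead of guessing. The display names are constructed from the post's list; on a live machine they would be the DisplayName values under the Uninstall key in HKLM\Software\Microsoft\Windows\CurrentVersion, which is left out so the example runs anywhere.

```python
"""Which installed Java runtimes to remove (added example, not from the thread).

Add/Remove Programs lists each JRE under one of several historic display
names; this normalises them to (major, update) and keeps only `keep` or newer.
SAMPLE_DISPLAY_NAMES is constructed from the list in the post above.
"""
import re

# Naming schemes seen in the post (assumption: this covers the JRE 5/6 entries):
#   "J2SE Runtime Environment 5.0 Update 11"
#   "Java(TM) 6 Update 11"                        (also written with the ™ glyph)
#   "Java(TM) SE Runtime Environment 6 Update 1"
# An optional " (64-bit)" suffix is accepted so a 64-bit JRE is versioned, not skipped.
JRE_NAME_RE = re.compile(r"""^(?:
      J2SE\ Runtime\ Environment\ (?P<j2se_major>\d+)\.\d+
    | Java(?:\(TM\)|™)?\ (?:SE\ Runtime\ Environment\ )?(?P<major>\d+)
    )
    (?:\ Update\ (?P<update>\d+))?
    (?:\ \(64-bit\))?$""", re.VERBOSE)


def parse_jre_name(display_name):
    """Return (major, update) for a JRE display name, or None if it is not one."""
    m = JRE_NAME_RE.match(display_name.strip())
    if not m:
        return None
    major = int(m.group("j2se_major") or m.group("major"))
    return (major, int(m.group("update") or 0))


def plan_java_cleanup(display_names, keep=(6, 13)):
    """Split Add/Remove Programs entries into (remove, unrecognised).

    remove: JREs older than `keep`.  unrecognised: Java-looking names the
    parser could not version; those need a human look rather than a guess."""
    remove, unrecognised = [], []
    for name in display_names:
        version = parse_jre_name(name)
        if version is None:
            if re.search(r"\bjava\b|\bj2se\b", name, re.IGNORECASE):
                unrecognised.append(name)
        elif version < keep:
            remove.append(name)
    return remove, unrecognised


# Constructed from the post's list, plus the new 6u13 install and two unrelated programs.
SAMPLE_DISPLAY_NAMES = [
    "J2SE Runtime Environment 5.0 Update 11",
    "Java(TM) 6 Update 11",
    "Java(TM) 6 Update 2",
    "Java(TM) 6 Update 3",
    "Java(TM) 6 Update 5",
    "Java(TM) 6 Update 7",
    "Java(TM) SE Runtime Environment 6 Update 1",
    "Java(TM) 6 Update 13",
    "Adobe Reader 7.0",
    "Mozilla Firefox (3.0.10)",
]

if __name__ == "__main__":
    to_remove, needs_look = plan_java_cleanup(SAMPLE_DISPLAY_NAMES)
    print("Remove:", *to_remove, sep="\n  ")
    print("Needs a look:", *needs_look, sep="\n  ")
```

Run as-is it prints the seven entries from the post as candidates for removal and leaves 6 Update 13 alone; comparing tuples rather than display strings is what stops "Update 2" from sorting after "Update 13".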


#14 jaf72

jaf72
  • Topic Starter

  • Members
  • 32 posts
  • Gender:Male
  • Local time:10:39 PM

Posted 26 May 2009 - 06:12 PM

OK, Java has been installed, and both scans are completed.

Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 3

5/26/2009 23:45:01
mbam-log-2009-05-26 (23-45-01).txt

Scan type: Quick Scan
Objects scanned: 101052
Time elapsed: 5 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Jason\userinit.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.



and here is the DDS report:

DDS (Ver_09-05-14.01) - NTFSx86
Run by Jason at 23:55:05.00 on Tue 05/26/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.860 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Jason\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [HydraVisionDesktopManager] c:\program files\ati technologies\ati hydravision\HydraDM.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [EPSON Stylus D68 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAAE.EXE /P23 "EPSON Stylus D68 Series" /O16 "Epson Stylus D68" /M "Stylus D68"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229780191703
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jason\applic~1\mozilla\firefox\profiles\qlywt0hz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [2005-12-6 35328]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2007-5-30 3968]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-26 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-9-3 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-26 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-26 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-26 55640]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]

=============== Created Last 30 ================

2009-05-26 23:26 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-26 16:21 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-05-26 16:21 <DIR> --d----- c:\program files\Avira
2009-05-26 16:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-05-26 11:22 <DIR> a-dshr-- C:\cmdcons
2009-05-26 11:19 161,792 a------- c:\windows\SWREG.exe
2009-05-26 11:19 154,624 a------- c:\windows\PEV.exe
2009-05-26 11:19 98,816 a------- c:\windows\sed.exe
2009-05-26 10:52 105 a------- C:\tj.vbs
2009-05-26 10:51 107,254 a------- c:\windows\system32\vic_setup.exe
2009-05-22 12:32 26,112 ac------ c:\windows\system32\dllcache\userinit.exe

==================== Find3M ====================

2009-05-26 23:26 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\wininet.dll

============= FINISH: 23:55:59.53 ===============


Both of the problems that I started this topic for seem to have been resolved. The little warning telling me that my Automatic Updates is switched off is now gone, and Firefox seems to have stopped redirecting me to random websites instead of opening the links I click on.
My computer is also running a little bit faster than before. :thumbup2:

#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:39 PM

Posted 26 May 2009 - 06:30 PM

Good news. Just this step, and in the next post we will round off.

Open Firefox. Go to Tools -> Options -> Advanced, click the Network tab, then click Settings.
Select the radio button that says "Auto-detect proxy settings for this network". Click OK.

Reboot the computer and post a DDS log.
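Two findings in the logs posted above lend themselves to automated triage: the Firefox proxy prefs left in prefs.js (network.proxy.http pointing at localhost on port 7171, the kind of local listener a browser redirector uses), which the proxy-settings step above clears, and the userinit.exe that Malwarebytes found under the user profile rather than in system32, the only place Windows runs it from. The script below is an added example, not a tool from this thread, from DDS or from BleepingComputer. It reads DDS-style log text, parses the "FF - prefs.js:" lines and flags proxy hosts on the local machine (ACTIVE when Firefox is in manual proxy mode, STALE when the entry merely lingers under another mode), and flags core Windows binary names found outside their expected directory. The sample log text is constructed to resemble the posted logs (its c:\windows\svchost.exe line is invented to show the per-name rule), and the list of reserved names, the backup directories and %SystemRoot% being c:\windows are assumptions.

```python
"""DDS log triage: local-proxy browser prefs and misplaced system binaries.

Added example for the thread above, not a BleepingComputer or DDS tool.
Assumptions are marked; SAMPLE_LOG is constructed to resemble the posted logs.
"""
import re

# "FF - prefs.js: <name> - <value>" is how DDS prints non-default Firefox prefs.
PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.*)$")
PROXY_TYPE = {"0": "direct", "1": "manual", "2": "pac", "4": "auto-detect", "5": "system"}
PROXY_HOST_PREFS = ("network.proxy.http", "network.proxy.ssl",
                    "network.proxy.ftp", "network.proxy.socks")
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Assumption: Windows XP with %SystemRoot% = c:\windows. These names are only
# legitimate in their expected directory or in Windows' own backup copies.
SYSTEM_ROOT = "c:\\windows\\"
SYSTEM32 = SYSTEM_ROOT + "system32\\"
EXPECTED_DIR = {name: SYSTEM32 for name in ("userinit.exe", "winlogon.exe", "svchost.exe",
                                            "lsass.exe", "services.exe", "csrss.exe", "smss.exe")}
EXPECTED_DIR["explorer.exe"] = SYSTEM_ROOT
BACKUP_DIRS = {SYSTEM32 + "dllcache\\",                       # System File Protection cache
               SYSTEM_ROOT + "servicepackfiles\\i386\\",     # service pack sources
               SYSTEM_ROOT + "$ntservicepackuninstall$\\"}   # service pack rollback
# Drive-letter path ending in .exe/.dll/.sys; segments may contain spaces.
PATH_RE = re.compile(r"[a-z]:\\(?:[^\\\n]+\\)*[^\\\n]*?\.(?:exe|dll|sys)\b", re.IGNORECASE)

# Constructed sample resembling the posted DDS/Malwarebytes output (the c:\windows\svchost.exe
# line is invented to show the per-name expected directory; it was not in the thread).
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
================= FIREFOX ===================
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 4
=============== Created Last 30 ================
2009-05-26 10:52 8,192 a------- c:\windows\svchost.exe
2009-05-22 12:32 26,112 ac------ c:\windows\system32\dllcache\userinit.exe
2009-05-22 12:30 26,112 a------- c:\documents and settings\jason\userinit.exe
"""


def parse_firefox_prefs(text):
    """Collect the Firefox prefs DDS reported, keyed by pref name."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def proxy_findings(prefs):
    """Flag proxy hosts on the local machine: ACTIVE if Firefox is in manual
    proxy mode (type 1), STALE if the host entry lingers under another mode."""
    ptype = prefs.get("network.proxy.type")
    mode = PROXY_TYPE.get(ptype, "default/unset")
    findings = []
    for pref in PROXY_HOST_PREFS:
        host = prefs.get(pref)
        if host is None:
            continue
        target = f"{host}:{prefs.get(pref + '_port', '?')}"
        if host.lower() in LOCAL_HOSTS:
            tag = "ACTIVE" if ptype == "1" else "STALE"
            findings.append(f"{tag}: {pref} = {target} (proxy mode: {mode})")
        elif ptype == "1":
            findings.append(f"INFO: manual proxy {pref} = {target}; confirm it is expected")
    return findings


def reserved_name_findings(text):
    """Flag core Windows binary names found outside their expected directory."""
    findings = []
    for line in text.splitlines():
        for path in PATH_RE.findall(line):
            directory, _, name = path.lower().rpartition("\\")
            directory += "\\"
            expected = EXPECTED_DIR.get(name)
            if expected and directory != expected and directory not in BACKUP_DIRS:
                findings.append(f"{name} at {path} (expected in {expected})")
    return findings


def triage(text):
    return {"proxy": proxy_findings(parse_firefox_prefs(text)),
            "reserved_names": reserved_name_findings(text)}


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in items or ["(nothing flagged)"]:
            print("  -", item)
```

On the constructed sample the proxy check reports the localhost:7171 entry as STALE, because the mode is auto-detect rather than manual; it is still worth clearing, since switching the mode back to manual would make it live again. The dllcache copy of userinit.exe is deliberately not flagged, which is the kind of exception that keeps a check like this usable on a real XP box.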



