Sys32dll.exe - Aimdes worm?


  • This topic is locked
13 replies to this topic

#1 romymichelle21

  • Members
  • 10 posts

Posted 11 May 2009 - 03:29 AM

First, several days ago I was on a site and became infected with... something. CounterSpy, I believe, cleaned it, and I think Spybot also found something and cleaned it. That's fine and dandy, except I noticed something running that shouldn't have been, and looked it up. The file is sys32dll.exe, and was created the very same night I became infected. When I do a search through XP, the description when I hover over it is complete gibberish. (Which means, I know it's not legit). AVG, Malwarebytes, and CounterSpy cannot detect anything wrong with this file - I told each one to scan it directly.

I decided to download & install something else - but that's where I ran into my second problem. McAfee and Avast will not even install. Both give various messages about not being able to connect. Ad-Aware won't run - it opens to the load screen, but then disappears. Avira installed, but does the same - nothing happens when I try to open it. HijackThis did the same, but I tried renaming it like another site suggested, and it worked then.

So I have 2 issues:

1) sys32dll.exe, whatever it is, is on my computer and won't be detected by anything.
2) I cannot open, or install, antivirus or antispyware programs.

Also, possibly unrelated to the "unable to connect" messages from the installations, my Internet Explorer won't load any websites. I use Firefox exclusively, but I checked IE today and it doesn't work. No idea how long that's been going on. It says "www.yahoo.com" is the homepage - but just doesn't load.

My system info is in the log, but I do NOT have a firewall currently. (The Windows one is not active). Also, I notice in the log file that Avira was/is running... which is odd, since it won't start up. AVG is shown, even though I uninstalled it just prior. I forgot to cancel SuperAntispyware's scan when I ran DDS.

Any help would be appreciated! I will post any other requested logs. Here is the one from DDS:


DDS (Ver_09-03-16.01) - NTFSx86
Run by HP_Owner at 22:33:01.56 on Sun 05/10/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.116 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe "C:\WINDOWS\system32\1025v.exe"
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\HP_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
mWinlogon: Userinit=c:\windows\system32\userinit.exe,fggqnux.exe,
mWinlogon: SFCDisable=-99 (0xffffff9d)
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Gadwin PrintScreen] c:\program files\gadwin systems\printscreen\PrintScreen.exe /nosplash
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [OnScreenDisplay] c:\program files\hewlett-packard\hp quicktouch\HPKBDAPP.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
uPolicies-explorer: nosimplestartmenu = 0 (0x0)
uPolicies-explorer: norecentdochistory = 0 (0x0)
uPolicies-explorer: maxrecentdocs = 0 (0x0)
mPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
DPF: {00000161-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaud.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_owner\applic~1\mozilla\firefox\profiles\lfdrtt3s.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\hp_owner\application data\mozilla\firefox\profiles\lfdrtt3s.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\windows\system32\npmirage.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-2 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-2 27784]
R3 C0100Afx;Provides a software interface to control audio effects of VC0100 camera.;c:\windows\system32\drivers\C0100Afx.sys [2008-5-21 143104]
R3 C0100Aud;Provides a software interface to control noise cancellation of VC0100 camera.;c:\windows\system32\drivers\C0100Aud.sys [2008-5-21 93440]
R3 C0100Dev;Creative Camera VC0100 Driver;c:\windows\system32\drivers\C0100Dev.sys [2008-5-21 239968]
R3 C0100Vfx;Creative Camera VC0100 Video VFX Driver;c:\windows\system32\drivers\C0100Vfx.sys [2008-5-21 7168]
S3 AsAudioDevice_351;AsAudioDevice_351;c:\windows\system32\drivers\AsAudioDevice_351.sys [2009-3-14 16640]

=============== Created Last 30 ================

2009-05-10 22:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-10 22:19 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-10 22:19 <DIR> --d----- c:\docume~1\hp_owner\applic~1\SUPERAntiSpyware.com
2009-05-10 22:19 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-10 22:10 <DIR> --d----- C:\Combo-Fix
2009-05-10 22:10 388,608 a------- c:\windows\system32\CF18082.exe
2009-05-10 22:09 388,608 a------- c:\windows\system32\cmd.execf
2009-05-10 22:02 161,792 a------- c:\windows\SWREG.exe
2009-05-10 22:02 98,816 a------- c:\windows\sed.exe
2009-05-10 22:02 388,608 a------- c:\windows\system32\CF16321.exe
2009-05-10 17:39 <DIR> --d----- c:\documents and settings\hp_owner\.housecall6.6
2009-05-10 17:31 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-05-10 17:30 <DIR> --d----- c:\program files\Avira
2009-05-10 17:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-05-10 11:56 <DIR> --d----- c:\program files\Ripdev
2009-05-07 18:52 <DIR> --d----- c:\docume~1\hp_owner\applic~1\Ripdev
2009-05-07 11:17 <DIR> --d----- c:\windows\system32\XPSViewer
2009-05-07 11:06 14,048 -------- c:\windows\system32\spmsg2.dll
2009-05-07 10:57 <DIR> --d----- c:\program files\MSXML 6.0
2009-05-06 21:56 <DIR> --d----- c:\docume~1\hp_owner\applic~1\HouseCall 6.6
2009-05-05 20:36 <DIR> --d----- c:\program files\Trend Micro
2009-05-05 11:39 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-05-05 11:33 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-05 11:32 <DIR> --d----- c:\program files\Lavasoft
2009-05-04 21:54 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-04 21:54 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-04 21:54 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-04 21:02 32 a--s---- c:\windows\system32\2247266038.dat
2009-05-04 21:01 29,696 a------- c:\windows\system32\SYS32DLL.exe
2009-05-04 21:01 51,200 ---shr-- c:\windows\system32\1025v.exe

==================== Find3M ====================

2009-05-09 08:58 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-09 08:58 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-07 19:04 249,856 a------- c:\windows\system32\pdfmona.dll
2009-04-07 19:04 51,716 a------- c:\windows\system32\pdf995mon.dll
2007-04-25 19:38 24 a------- c:\documents and settings\hp_owner\mylist.dat
2007-01-26 14:13 25 a------- c:\documents and settings\hp_owner\snkHiScore.dat
2006-04-23 21:12 262 a------- c:\documents and settings\hp_owner\n.bat
2008-11-25 22:03 1,004 a--sh--- c:\windows\system32\sys_drv.dat

============= FINISH: 22:34:36.39 ===============
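Added example, not part of the original thread and not a BleepingComputer or DDS tool: a small Python checker that reads the "Pseudo HJT Report" section of a DDS log like the one above and flags the entries a malware responder looks at first. The sample lines are copied from the posted log; the "clean" baselines for Userinit and SecurityProviders are an assumption (stock Windows XP values), so anything beyond them is reported for review rather than declared malicious. It generalizes slightly beyond this log by accepting any loopback proxy host and any extra Userinit or SecurityProviders entry.

```python
import re
from typing import Dict, List

# Lines taken from the DDS "Pseudo HJT Report" posted above.
SAMPLE_LOG = """\
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
mWinlogon: Userinit=c:\\windows\\system32\\userinit.exe,fggqnux.exe,
mWinlogon: SFCDisable=-99 (0xffffff9d)
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll
"""

# Baselines for a clean system (assumption: stock Windows XP SP2 values).
BASELINE_USERINIT = {"c:\\windows\\system32\\userinit.exe"}
BASELINE_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
# A proxy pointing at the local machine means something on the box is
# relaying (and can inspect or block) browser traffic.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

USERINIT_RE = re.compile(r"^mWinlogon:\s*Userinit=(.*)$", re.I)
SFC_RE = re.compile(r"^mWinlogon:\s*SFCDisable=(-?\d+)", re.I)
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.*)$", re.I)
PROVIDERS_RE = re.compile(r"^SecurityProviders:\s*(.*)$", re.I)


def _csv(value: str) -> List[str]:
    """Split a comma-separated registry value, dropping blanks (Userinit
    normally ends with a trailing comma) and normalising case."""
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def _proxy_hosts(value: str) -> List[str]:
    """'http=localhost:7171;https=proxy:8080' -> ['localhost', 'proxy']."""
    hosts = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        hostport = entry.split("=", 1)[1] if "=" in entry else entry
        hosts.append(hostport.rsplit(":", 1)[0].strip().lower())
    return hosts


def analyze_dds(text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious Pseudo-HJT line, in log order."""
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := USERINIT_RE.match(line):
            # Every extra entry is launched at logon alongside userinit.exe.
            extras = [e for e in _csv(m.group(1)) if e not in BASELINE_USERINIT]
            if extras:
                findings.append({"check": "userinit", "detail": ",".join(extras)})
        elif m := SFC_RE.match(line):
            # 0 is the default; any other value means Windows File
            # Protection has been tampered with.
            if int(m.group(1)) != 0:
                findings.append({"check": "sfcdisable", "detail": m.group(1)})
        elif m := PROXY_RE.match(line):
            if any(h in LOOPBACK_HOSTS for h in _proxy_hosts(m.group(1))):
                findings.append({"check": "proxy", "detail": m.group(1)})
        elif m := PROVIDERS_RE.match(line):
            # SecurityProviders DLLs load into LSASS-level security code;
            # an unknown name here deserves a direct look at the file.
            extras = [p for p in _csv(m.group(1)) if p not in BASELINE_SECURITY_PROVIDERS]
            if extras:
                findings.append({"check": "securityproviders", "detail": ",".join(extras)})
    return findings


if __name__ == "__main__":
    for f in analyze_dds(SAMPLE_LOG):
        print(f"[{f['check']}] {f['detail']}")
```

Run against the posted log it reports the localhost:7171 proxy (which also accounts for Internet Explorer not loading pages), the extra fggqnux.exe launcher in Userinit, the non-zero SFCDisable value, and digiwet.dll as an unexpected SecurityProviders entry; these are the same items the responder's ComboFix script later in the thread targets.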


#2 Maurice Naggar

    Eradicator de malware

  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 24 May 2009 - 02:54 PM

Hello romymichelle21,

If you have resolved your issues, or if you are getting help elsewhere, please let me know.

Otherwise, if the same issues are present and you want help here, then do the following:
You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for this member only. If you are a casual observer, do NOT try this on your system!


If at any point, if you have a question or problem, STOP & make a post to the forum.
Also, do not run or start any other programs while these utilities and tools are in use!

Please do NOT run any other tools on your own or do any fixes other than what is listed here.

=

Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select Tools, then Folder Options, and then select the VIEW tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

=

Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}.

=
After that, also do this:
1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

=

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from
>>> here <<<
  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.
=

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now!
We must get the latest version, and you have an old version on this system. Delete it.

Next, Download and SAVE this file -- to your Desktop -- (Do NOT run the file straight away from download) from any one of these sources:
Link 1
Link 2
Link 3

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines:
KILLALL::

DDS::
mWinlogon: Userinit=c:\windows\system32\userinit.exe,fggqnux.exe,
mWinlogon: SFCDisable=-99 (0xffffff9d)
uRun: [SUPERAntiSpyware]

File::
c:\windows\system32\digiwet.dll
c:\windows\system32\SYS32DLL.exe
c:\windows\system32\1025v.exe

Folder::
C:\recycler
D:\recycler
e:\recycler
f:\recycler
g:\recycler
h:\recycler

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown:
  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Do not run ComboFix more than once.

=

Start your MBAM.
Click the Settings Tab. Make sure all option lines have a checkmark.
Click the Update tab. Press the "Check for Updates" button.
At this time, the current definitions are # 2171 or later. The latest program version is 1.36 (released April 6)

When done, click the Scanner tab.
Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

=

Next:

If you have a prior copy of SmitFraudFix, delete it now!
Please download SmitfraudFix (by S!Ri). Don't download SmitfraudFix until you're ready to run/use it. It's very important that you be using the most recent version (v2.417 as of this post).
Extract the contents of the exe file (a folder named SmitfraudFix) to your Desktop.

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual user account.
1. Once in Safe Mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd

2. Select option #2 - Clean by typing 2 and pressing Enter to delete infected files.

3. You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer "Yes" by typing Y and pressing Enter in order to remove the desktop background and clean registry keys associated with the infection.

4. The tool will then check if wininet.dll is infected. If prompted to replace the infected file (if found), answer "Yes" by typing Y and pressing Enter.

5. The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

6. A text file will appear onscreen with results from the cleaning process. Please copy/paste the content of that report into your next reply.

The report also may be found at the root of the system drive, usually at C:\rapport.txt

Notes:
  • process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. More on this at http://www.beyondlogic.org/consulting/proc...processutil.htm
  • Running option #2 on a non-infected computer will remove your Desktop background. No need to worry, you're infected.
=

Once complete, reboot!

After following the above, post back with:
1. Contents of C:\Combofix.txt
2. The MBAM log
3. C:\rapport.txt
4. Tell me, how is your system now?
Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You'll likely have to do more than 1 reply.
Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#3 romymichelle21

  • Topic Starter
  • Members
  • 10 posts

Posted 24 May 2009 - 03:17 PM

Thanks for replying! Fortunately, *some* of the issues have been taken care of. Unfortunately, some have not.

I still cannot open AdAware, but managed to install both Vipre Antivirus and Sunbelt Firewall from the same company. None of the others would work.

Shortly after posting this, we got a message from our ISP when we opened Firefox:

"Dear Customer,

You are seeing this message because Time Warner Cable Regional Internet Abuse Department
has received a report of unwanted Internet activity being transmitted from a computer
connected to the cable modem on your Road Runner Internet connection.

We are aware that the majority of such activity is caused by an infected or compromised
computer and may not be intentional.

At this time, this violates the Road Runner Acceptable Use Policy for your residential
account and we ask that you take immediate action to resolve this issue to avoid further
interruptions of your service."


This showed up on both of our computers - on the same network. (The other has the modem, mine has the wireless router). Vipre ran, found some things, and took care of them - but a few days ago we got that same message again from our ISP. It's not very specific, unfortunately, so I don't know exactly what they're detecting.

Currently, I cannot open AdAware or regedit. Task Manager opens fine - I managed to open the registry (I had to delete an AVG string, even though I ran the AVG uninstaller) using 'EmergencyUtils'. I can't remember if that was what it was called, but that's the name of the folder the 'copy' of regedit is in.

The file - sys32dll.exe - is gone. Vipre didn't mention it specifically, but now when I do a search through XP, it doesn't find it.

Some things that require connecting to the internet in order to install still won't connect. This was the same issue that prevented the antivirus programs from working. Yesterday, it was a Microsoft DirectX update. (Which I downloaded the manual version of).

Here is a fresh log from DDS - please let me know if any of the advice you posted still applies!



DDS (Ver_09-05-14.01) - NTFSx86
Run by HP_Owner at 13:11:24.95 on Sun 05/24/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.62 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Sunbelt Personal Firewall *disabled* {82B1150E-9B37-49FC-83EB-D52197D900D0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\svchost -k DComLaunch
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
mWinlogon: Userinit=c:\windows\system32\userinit.exe,fggqnux.exe,
mWinlogon: SFCDisable=-99 (0xffffff9d)
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Gadwin PrintScreen] c:\program files\gadwin systems\printscreen\PrintScreen.exe /nosplash
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [OnScreenDisplay] c:\program files\hewlett-packard\hp quicktouch\HPKBDAPP.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [SBAMTray] c:\program files\sunbelt software\counterspy\SBAMTray.exe
uPolicies-explorer: nosimplestartmenu = 0 (0x0)
uPolicies-explorer: norecentdochistory = 0 (0x0)
uPolicies-explorer: maxrecentdocs = 0 (0x0)
mPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
DPF: {00000161-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaud.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {cafeefac-0016-0000-0013-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {cafeefac-ffff-ffff-ffff-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {d27cdb6e-ae6d-11cf-96b8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_owner\applic~1\mozilla\firefox\profiles\lfdrtt3s.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\hp_owner\application data\mozilla\firefox\profiles\lfdrtt3s.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\progra~1\sony online entertainment\npsoe.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\windows\system32\npmirage.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-5 64160]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2009-5-20 13360]
R1 sbfw;SbFw;c:\windows\system32\drivers\SbFw.sys [2009-5-20 270888]
R1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [2008-6-21 66600]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2009-5-18 202928]
R2 sbamsvc;VIPRE Antivirus + Antispyware;c:\program files\sunbelt software\counterspy\SBAMSvc.exe [2009-3-17 894248]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2009-5-20 69936]
R2 sbpf.launcher;SbPF.Launcher;c:\program files\sunbelt software\personal firewall\SbPFLnch.exe [2008-10-31 95528]
R2 spf4;Sunbelt Personal Firewall 4;c:\program files\sunbelt software\personal firewall\SbPFSvc.exe [2008-10-31 1365288]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;c:\program files\linksys wireless-g usb wireless network monitor\WLService.exe [2008-5-17 53307]
R3 C0100Afx;Provides a software interface to control audio effects of VC0100 camera.;c:\windows\system32\drivers\C0100Afx.sys [2008-5-21 143104]
R3 C0100Aud;Provides a software interface to control noise cancellation of VC0100 camera.;c:\windows\system32\drivers\C0100Aud.sys [2008-5-21 93440]
R3 C0100Dev;Creative Camera VC0100 Driver;c:\windows\system32\drivers\C0100Dev.sys [2008-5-21 239968]
R3 C0100Vfx;Creative Camera VC0100 Video VFX Driver;c:\windows\system32\drivers\C0100Vfx.sys [2008-5-21 7168]
R3 sbfwimcl;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2009-5-20 65576]
S2 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe --> c:\progra~1\mcafee.com\vso\mcshield.exe [?]
S3 AsAudioDevice_351;AsAudioDevice_351;c:\windows\system32\drivers\AsAudioDevice_351.sys [2009-3-14 16640]
S3 dfsdks;Defragmentation-Service;c:\program files\ashampoo\ashampoo winoptimizer 6\DfSdkS.exe [2009-5-22 410976]
S3 ppctlpriv;PPCtlPriv;"c:\program files\ca\ca internet security suite\ca anti-spyware\ppctlpriv.exe" --> c:\program files\ca\ca internet security suite\ca anti-spyware\PPCtlPriv.exe [?]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-22 92464]
S3 XIRLINK;Mickey Web Camera;c:\windows\system32\drivers\ucdnt.sys [2005-11-10 1001404]

=============== Created Last 30 ================

2009-05-23 16:32 <DIR> --d----- c:\program files\Sony Online Entertainment
2009-05-22 18:35 39,776 a------- c:\windows\system32\DfSdkBt64.exe
2009-05-22 18:35 33,632 a------- c:\windows\system32\DfSdkBt.exe
2009-05-20 20:39 270,888 a----r-- c:\windows\system32\drivers\SbFw.sys
2009-05-20 20:39 65,576 a------- c:\windows\system32\drivers\SbFwIm.sys
2009-05-20 11:29 69,936 a------- c:\windows\system32\drivers\sbapifs.sys
2009-05-20 11:29 13,360 a------- c:\windows\system32\drivers\sbaphd.sys
2009-05-18 19:35 202,928 a------- c:\windows\system32\drivers\sbtis.sys
2009-05-18 18:47 <DIR> --d----- C:\EmergencyUtils
2009-05-16 11:43 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-15 22:05 <DIR> --d----- c:\program files\ESET
2009-05-15 21:15 <DIR> --d----- C:\KAV
2009-05-15 20:24 <DIR> --d----- c:\program files\BitDefender
2009-05-15 20:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BitDefender
2009-05-15 20:19 <DIR> --d----- c:\program files\common files\BitDefender
2009-05-15 19:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-05-15 19:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-05-14 08:17 91,584 a------- c:\windows\system32\drivers\4b55aa60.sys
2009-05-10 22:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-10 22:10 388,608 a------- c:\windows\system32\CF18082.exe
2009-05-10 22:09 388,608 a------- c:\windows\system32\cmd.execf
2009-05-10 22:02 161,792 a------- c:\windows\SWREG.exe
2009-05-10 22:02 98,816 a------- c:\windows\sed.exe
2009-05-10 22:02 388,608 a------- c:\windows\system32\CF16321.exe
2009-05-10 17:39 <DIR> --d----- c:\documents and settings\hp_owner\.housecall6.6
2009-05-10 17:31 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-05-10 11:56 <DIR> --d----- c:\program files\Ripdev
2009-05-07 18:52 <DIR> --d----- c:\docume~1\hp_owner\applic~1\Ripdev
2009-05-07 11:17 <DIR> --d----- c:\windows\system32\XPSViewer
2009-05-07 11:06 14,048 -------- c:\windows\system32\spmsg2.dll
2009-05-07 10:57 <DIR> --d----- c:\program files\MSXML 6.0
2009-05-05 20:36 <DIR> --d----- c:\program files\Trend Micro
2009-05-05 11:39 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-05-05 11:33 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-05 11:32 <DIR> --d----- c:\program files\Lavasoft
2009-05-04 21:54 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-04 21:54 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-04 21:54 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-04 21:02 100 a--s---- c:\windows\system32\2247266038.dat

==================== Find3M ====================

2009-04-07 19:04 249,856 a------- c:\windows\system32\pdfmona.dll
2009-04-07 19:04 51,716 a------- c:\windows\system32\pdf995mon.dll
2009-03-17 13:26 65,320 a------- c:\windows\system32\sbbd.exe
2009-03-16 14:18 517,448 a------- c:\windows\system32\XAudio2_4.dll
2009-03-16 14:18 235,352 a------- c:\windows\system32\xactengine3_4.dll
2009-03-16 14:18 69,448 a------- c:\windows\system32\XAPOFX1_3.dll
2009-03-16 14:18 22,360 a------- c:\windows\system32\X3DAudio1_6.dll
2009-03-09 15:27 4,178,264 a------- c:\windows\system32\D3DX9_41.dll
2009-03-09 15:27 1,846,632 a------- c:\windows\system32\D3DCompiler_41.dll
2009-03-09 15:27 453,456 a------- c:\windows\system32\d3dx10_41.dll
2007-04-25 19:38 24 a------- c:\documents and settings\hp_owner\mylist.dat
2007-01-26 14:13 25 a------- c:\documents and settings\hp_owner\snkHiScore.dat
2006-04-23 21:12 262 a------- c:\documents and settings\hp_owner\n.bat
2008-11-25 22:03 1,004 a--sh--- c:\windows\system32\sys_drv.dat

============= FINISH: 13:13:34.43 ===============


#4 Maurice Naggar

    Eradicator de malware

  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 24 May 2009 - 03:34 PM

On a minor point, things like Microsoft DirectX update are not of concern until all malwares that are found are removed.
Also, you should contact your ISP and write or email customer technical support that you are actively working on this.
Your infection(s) may be sending out spam emails.

Most important for now: Have you done all the steps I outlined in my prior reply? I need for you to do that and reply back with copies of those reports. Yes, the advice I posted still applies.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#5 romymichelle21
  • Topic Starter
  • Members
  • 10 posts

Posted 25 May 2009 - 10:18 PM

Ok, ran everything as instructed. When running ComboFix, it started up, and then prompted me with this message:

"There is no disk in the drive. Please insert a disk into drive \Device\Harddisk1\DR3"

With the options "cancel", "try again", and "continue". It did allow me to continue.

Regedit now OPENS! AdAware, however, still does not. Maybe that's unrelated to any infection, I'm not sure. It shows up in Task Manager for about 30 seconds (during the load screen) as it did before, but then disappears from the list. It's the most recent one available from the website.

I'm not sure what I was infected with, how it was fixed, or which one did it, but from what I can tell (regedit), it helped! The rest only you would know for sure, as I can't interpret these logs. Please let me know if I'm "clean" or need to try something else. (And, if anything shown on these logs might be responsible for my ISP sending me that message).

Also, ComboFix said that AVG is "active" on my system - when, as far as I know, it has been uninstalled properly using both Revo and the AVG tool, and the registry keys deleted manually. What is causing it to still show up? I want to be RID of it.

Here is the ComboFix log:

ComboFix 09-05-24.05 - HP_Owner 05/25/2009 11:50.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.250 [GMT -7:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Sunbelt Personal Firewall *disabled* {82B1150E-9B37-49FC-83EB-D52197D900D0}

FILE ::
c:\windows\system32\1025v.exe
c:\windows\system32\digiwet.dll
c:\windows\system32\SYS32DLL.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Owner\Application Data\.#
C:\recycler
c:\recycler\S-1-5-18\Dc48.gif
c:\recycler\S-1-5-18\Dc49.html
c:\recycler\S-1-5-18\Dc50.gif
c:\recycler\S-1-5-18\Dc51.ini
c:\recycler\S-1-5-18\Dc52.gif
c:\recycler\S-1-5-18\Dc53.gif
c:\recycler\S-1-5-18\Dc54.gif
c:\recycler\S-1-5-18\Dc55.dll
c:\recycler\S-1-5-18\desktop.ini
c:\recycler\S-1-5-18\INFO2
c:\recycler\S-1-5-21-2447577657-3186217117-3792966884-1009\desktop.ini
c:\recycler\S-1-5-21-2447577657-3186217117-3792966884-1009\INFO2
c:\recycler\S-1-5-21-3342506433-3627549531-1178864722-1003\desktop.ini
c:\recycler\S-1-5-21-3342506433-3627549531-1178864722-1003\INFO2
c:\windows\deca5f07-5a00-4716-8465-3efaca97303b.ocx
c:\windows\IA
c:\windows\system32\b21672ec-5b1b-40a6-91a9-92cddcd30ac3.dll
c:\windows\system32\zip32.dll
D:\Autorun.inf
D:\Desktop.ini

.
((((((((((((((((((((((((( Files Created from 2009-04-25 to 2009-05-25 )))))))))))))))))))))))))))))))
.

2009-05-25 19:15 . 2009-05-25 19:15 -------- d-----w c:\program files\microsoft frontpage
2009-05-25 18:36 . 2009-05-25 18:36 -------- d-----w c:\program files\ERUNT
2009-05-23 23:32 . 2009-05-23 23:59 -------- d-----w c:\program files\Sony Online Entertainment
2009-05-23 01:35 . 2009-01-09 19:46 39776 ----a-w c:\windows\system32\DfSdkBt64.exe
2009-05-23 01:35 . 2009-01-09 19:46 33632 ----a-w c:\windows\system32\DfSdkBt.exe
2009-05-21 03:39 . 2008-10-31 14:09 270888 ----a-r c:\windows\system32\drivers\SbFw.sys
2009-05-21 03:39 . 2008-06-21 11:54 65576 ----a-w c:\windows\system32\drivers\SbFwIm.sys
2009-05-20 18:29 . 2009-03-05 06:30 69936 ----a-w c:\windows\system32\drivers\sbapifs.sys
2009-05-20 18:29 . 2008-09-12 16:38 13360 ----a-w c:\windows\system32\drivers\sbaphd.sys
2009-05-19 02:35 . 2008-10-09 16:48 202928 ----a-w c:\windows\system32\drivers\sbtis.sys
2009-05-19 01:47 . 2009-05-19 01:47 -------- d-----w C:\EmergencyUtils
2009-05-16 18:43 . 2009-05-16 18:42 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-16 05:05 . 2009-05-16 05:05 -------- d-----w c:\program files\ESET
2009-05-16 04:15 . 2009-05-16 04:15 -------- d-----w C:\KAV
2009-05-16 03:24 . 2009-05-16 03:52 -------- d-----w c:\program files\BitDefender
2009-05-16 03:24 . 2009-05-16 03:28 -------- d-----w c:\documents and settings\All Users\Application Data\BitDefender
2009-05-16 03:19 . 2009-05-16 03:47 -------- d-----w c:\program files\Common Files\BitDefender
2009-05-16 02:37 . 2009-05-16 02:37 -------- d-----w c:\documents and settings\HP_Owner\Local Settings\Application Data\Symantec
2009-05-16 02:35 . 2009-05-19 02:29 -------- d-----w c:\documents and settings\All Users\Application Data\Norton
2009-05-16 02:35 . 2009-05-19 02:12 -------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-05-14 15:17 . 2009-05-25 19:19 91584 ----a-w c:\windows\system32\drivers\4b55aa60.sys
2009-05-11 05:20 . 2009-05-11 05:20 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-11 00:39 . 2009-05-11 04:39 -------- d-----w c:\documents and settings\HP_Owner\.housecall6.6
2009-05-11 00:31 . 2009-03-24 23:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-10 23:45 . 2009-05-11 00:00 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-05-10 18:56 . 2009-05-10 18:56 -------- d-----w c:\program files\Ripdev
2009-05-08 17:36 . 2009-05-08 17:36 -------- d-----w c:\documents and settings\HP_Owner\Local Settings\Application Data\Ripdev
2009-05-08 01:52 . 2009-05-08 01:52 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Ripdev
2009-05-07 18:19 . 2009-05-07 18:19 197536 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-05-07 18:17 . 2009-05-07 18:17 -------- d-----w c:\program files\MSBuild
2009-05-07 18:17 . 2009-05-07 18:17 -------- d-----w c:\windows\system32\XPSViewer
2009-05-07 18:17 . 2009-05-07 18:17 -------- d-----w c:\program files\Reference Assemblies
2009-05-07 18:06 . 2006-06-29 20:07 14048 ------w c:\windows\system32\spmsg2.dll
2009-05-07 17:57 . 2009-05-07 17:57 -------- d-----w c:\program files\MSXML 6.0
2009-05-06 03:36 . 2009-05-06 03:36 -------- d-----w c:\program files\Trend Micro
2009-05-05 18:39 . 2009-05-05 18:37 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-05-05 18:38 . 2009-05-05 18:38 299352 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\threatwork.exe
2009-05-05 18:38 . 2009-05-05 18:38 25440 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\savapibridge.dll
2009-05-05 18:38 . 2009-05-05 18:38 165728 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavamessage.dll
2009-05-05 18:38 . 2009-05-05 18:38 15688 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lsdelete.exe
2009-05-05 18:38 . 2009-05-05 18:38 343888 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavalicense.dll
2009-05-05 18:38 . 2009-05-05 18:38 289632 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\UpdateManager.dll
2009-05-05 18:38 . 2009-05-05 18:38 82784 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\ShellExt.dll
2009-05-05 18:38 . 2009-05-05 18:38 1629024 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Resources.dll
2009-05-05 18:38 . 2009-05-05 18:38 212848 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\RPAPI.dll
2009-05-05 18:37 . 2009-05-05 18:37 64160 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\32\lbd.sys
2009-05-05 18:37 . 2009-05-05 18:37 40288 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\PrivacyClean.dll
2009-05-05 18:37 . 2009-05-05 18:37 632680 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\CEAPI.dll
2009-05-05 18:37 . 2009-05-05 18:37 539512 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareCommand.exe
2009-05-05 18:37 . 2009-05-05 18:37 552808 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareAdmin.exe
2009-05-05 18:37 . 2009-05-05 18:37 2324808 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-Aware.exe
2009-05-05 18:37 . 2009-05-05 18:37 626000 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWWSC.exe
2009-05-05 18:37 . 2009-05-05 18:37 516440 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWTray.exe
2009-05-05 18:37 . 2009-05-05 18:37 953168 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWService.exe
2009-05-05 18:33 . 2009-05-05 18:33 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-05 18:33 . 2009-03-12 08:17 2902048 -c--a-w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-05-05 18:32 . 2009-05-05 18:32 -------- d-----w c:\program files\Lavasoft
2009-05-05 04:54 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-05 04:54 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-05 04:54 . 2009-05-05 04:55 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-05 04:02 . 2009-05-14 15:17 100 --s-a-w c:\windows\system32\2247266038.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-25 04:58 . 2007-03-17 07:40 -------- d-----w c:\program files\PeerGuardian2
2009-05-25 04:58 . 2007-03-17 00:20 -------- d-----w c:\documents and settings\HP_Owner\Application Data\uTorrent
2009-05-25 04:26 . 2008-02-20 21:57 -------- d-----w c:\documents and settings\HP_Owner\Application Data\FrostWire
2009-05-23 20:20 . 2008-10-29 05:34 1 ----a-w c:\documents and settings\HP_Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-05-23 01:34 . 2008-06-22 22:45 -------- d-----w c:\program files\Ashampoo
2009-05-21 03:39 . 2008-11-09 22:11 -------- d-----w c:\program files\Sunbelt Software
2009-05-19 17:58 . 2008-02-20 21:57 -------- d-----w c:\program files\FrostWire
2009-05-19 02:13 . 2005-06-14 18:07 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-16 18:41 . 2005-06-14 17:07 -------- d-----w c:\program files\Java
2009-05-16 18:11 . 2007-04-26 03:56 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-16 07:57 . 2006-04-24 02:21 -------- d-----w c:\program files\PopCap Games
2009-05-16 04:30 . 2006-03-03 02:27 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-16 02:37 . 2005-06-14 18:07 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-05-11 05:04 . 2008-11-02 19:36 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-09 01:55 . 2005-09-26 05:22 85488 ----a-w c:\documents and settings\HP_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-05 17:37 . 2006-03-03 02:27 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-08 02:19 . 2009-04-08 02:04 -------- d-----w c:\documents and settings\All Users\Application Data\pdf995
2009-04-08 02:04 . 2009-04-08 02:04 25 ----a-w c:\windows\wpd99.drv
2009-04-08 02:04 . 2009-04-08 02:04 51716 ----a-w c:\windows\system32\pdf995mon.dll
2009-04-08 02:04 . 2009-04-08 02:04 249856 ----a-w c:\windows\system32\pdfmona.dll
2009-04-07 04:52 . 2009-03-21 05:46 -------- d-----w c:\program files\Windows Installer Clean Up
2009-03-21 05:46 . 2009-03-21 05:46 3584 ----a-r c:\documents and settings\HP_Owner\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-03-17 20:26 . 2009-03-17 20:26 65320 ----a-w c:\windows\system32\sbbd.exe
2009-03-16 21:18 . 2009-05-23 23:57 69448 ----a-w c:\windows\system32\XAPOFX1_3.dll
2009-03-16 21:18 . 2009-05-23 23:57 517448 ----a-w c:\windows\system32\XAudio2_4.dll
2009-03-16 21:18 . 2009-05-23 23:57 235352 ----a-w c:\windows\system32\xactengine3_4.dll
2009-03-16 21:18 . 2009-05-23 23:57 22360 ----a-w c:\windows\system32\X3DAudio1_6.dll
2009-03-14 19:11 . 2009-03-14 19:10 466944 ----a-w c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\MusicLoad.dll
2009-03-14 19:09 . 2009-03-14 19:09 419096 ----a-w c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\SevenLoad.dll
2009-03-14 19:09 . 2009-03-14 19:09 439576 ----a-w c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\MyVideo.dll
2009-03-14 19:09 . 2009-03-14 19:09 423192 ----a-w c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\MetaCafe.dll
2009-03-14 19:09 . 2009-03-14 19:09 409600 ----a-w c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\BlipTV.dll
2009-03-14 19:09 . 2009-03-14 19:09 421888 ----a-w c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\MySpace.dll
2009-03-14 19:09 . 2009-03-14 19:09 409600 ----a-w c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\DailyMotion.dll
2009-03-14 19:09 . 2009-03-14 19:09 413696 ----a-w c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\YouTube.dll
2009-03-09 22:27 . 2009-05-23 23:57 453456 ----a-w c:\windows\system32\d3dx10_41.dll
2009-03-09 22:27 . 2009-05-23 23:57 4178264 ----a-w c:\windows\system32\D3DX9_41.dll
2009-03-09 22:27 . 2009-05-23 23:57 1846632 ----a-w c:\windows\system32\D3DCompiler_41.dll
2008-11-26 05:03 . 2008-11-26 05:00 1004 --sha-w c:\windows\system32\sys_drv.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2007-07-02 495616]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"SBAMTray"="c:\program files\Sunbelt Software\CounterSpy\SBAMTray.exe" [2009-03-17 955688]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"nosimplestartmenu"= 0 (0x0)
"norecentdochistory"= 0 (0x0)
"maxrecentdocs"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sbamsvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Documents and Settings\\HP_Owner\\My Documents\\utorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58557:TCP"= 58557:TCP:test

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/5/2009 11:39 AM 64160]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [5/20/2009 11:29 AM 13360]
R1 sbfw;SbFw;c:\windows\system32\drivers\SbFw.sys [5/20/2009 8:39 PM 270888]
R1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [6/21/2008 4:54 AM 66600]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [5/18/2009 7:35 PM 202928]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [5/20/2009 11:29 AM 69936]
R2 sbpf.launcher;SbPF.Launcher;c:\program files\Sunbelt Software\Personal Firewall\SbPFLnch.exe [10/31/2008 7:24 AM 95528]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe [5/17/2008 4:28 PM 53307]
R3 C0100Afx;Provides a software interface to control audio effects of VC0100 camera.;c:\windows\system32\drivers\C0100Afx.sys [5/21/2008 6:49 PM 143104]
R3 C0100Aud;Provides a software interface to control noise cancellation of VC0100 camera.;c:\windows\system32\drivers\C0100Aud.sys [5/21/2008 6:49 PM 93440]
R3 C0100Dev;Creative Camera VC0100 Driver;c:\windows\system32\drivers\C0100Dev.sys [5/21/2008 6:49 PM 239968]
R3 C0100Vfx;Creative Camera VC0100 Video VFX Driver;c:\windows\system32\drivers\C0100Vfx.sys [5/21/2008 6:49 PM 7168]
R3 sbfwimcl;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [5/20/2009 8:39 PM 65576]
S2 sbamsvc;VIPRE Antivirus + Antispyware;c:\program files\Sunbelt Software\CounterSpy\SBAMSvc.exe [3/17/2009 1:26 PM 894248]
S2 spf4;Sunbelt Personal Firewall 4;c:\program files\Sunbelt Software\Personal Firewall\SbPFSvc.exe [10/31/2008 7:24 AM 1365288]
S3 AsAudioDevice_351;AsAudioDevice_351;c:\windows\system32\drivers\AsAudioDevice_351.sys [3/14/2009 1:51 AM 16640]
S3 dfsdks;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\DfSdkS.exe [5/22/2009 6:35 PM 410976]
S3 ppctlpriv;PPCtlPriv;"c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" --> c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [?]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/22/2008 5:08 PM 92464]
S3 XIRLINK;Mickey Web Camera;c:\windows\system32\drivers\ucdnt.sys [11/10/2005 3:31 AM 1001404]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2009-05-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
- - - - ORPHANS REMOVED - - - -

Notify-avgrsstarter - avgrsstx.dll
SafeBoot-procexp90.Sys
SafeBoot-Lavasoft Ad-Aware Service


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lfdrtt3s.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lfdrtt3s.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\progra~1\Sony Online Entertainment\npsoe.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\windows\system32\npmirage.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-25 12:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4b55aa60]
"ImagePath"="\SystemRoot\System32\drivers\4b55aa60.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\s-1-5-21-2447577657-3186217117-3792966884-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3300)
c:\program files\RocketDock\RocketDock.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-25 12:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-25 19:25

Pre-Run: 65,823,772,672 bytes free
Post-Run: 65,812,406,272 bytes free

276
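The ComboFix log above contains several entries a responder flags on sight: the two Security Center DisableNotify values (the same ones MBAM later reports as Disabled.SecurityCenter), EnableFirewall set to 0 for the standard profile, a port opened to everyone under the name "test", a browser proxy pointing at localhost:7171, and a driver service with a random-looking hex name. As an added example, not code from the thread or from ComboFix, here is a small Python triage script that parses the log's "Reg Loading Points" layout and flags exactly those patterns; the sample it runs on is constructed from the posted entries, and the line shapes it assumes are only those visible in the log.

```python
"""Triage the registry section of a ComboFix-style log for posture tampering.

Added example, not part of the thread and not ComboFix's own code.  It relies
only on line shapes visible in the posted log: "[key]" headers, "name"=value
lines, and the "uInternet Settings,ProxyServer = ..." line.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the posted log's entries, same layout.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58557:TCP"= 58557:TCP:test

uInternet Settings,ProxyServer = http=localhost:7171

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4b55aa60]
"ImagePath"="\SystemRoot\System32\drivers\4b55aa60.sys"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*?)\s*$')
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<value>\S+)")
# Service keys named like 8 hex digits (the log's 4b55aa60) deserve a look.
HEX_SERVICE_RE = re.compile(r"\\services\\([0-9a-f]{8})$", re.IGNORECASE)


@dataclass
class Finding:
    location: str  # registry key, or the log section, the line came from
    name: str
    value: str
    reason: str


def normalise(raw: str) -> str:
    """Collapse the log's value spellings: 'dword:00000001' -> '1',
    '0 (0x0)' -> '0', '"text"' -> 'text'."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return str(int(raw[6:], 16))
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return m.group(1)
    return raw.strip('"')


def classify(key: str, name: str, value: str) -> Optional[str]:
    """Return why an entry is suspicious, or None if no rule applies."""
    k, n = key.lower(), name.lower()
    if k.endswith("security center") and n.endswith("disablenotify") and value == "1":
        return "Security Center alerting suppressed (MBAM: Disabled.SecurityCenter)"
    if "firewallpolicy" in k and n == "enablefirewall" and value == "0":
        return "Windows Firewall disabled for this profile"
    if "globallyopenports" in k:
        return "port opened to all remote hosts: " + value
    if n == "proxyserver" and re.search(r"(localhost|127\.0\.0\.1):\d+", value):
        return "browser proxy points at a local listener (traffic interception)"
    m = HEX_SERVICE_RE.search(key)
    if m and n == "imagepath" and value.lower().endswith(".sys"):
        return "driver service with a random-looking hex name: " + m.group(1)
    return None


def scan(log_text: str) -> List[Finding]:
    """Walk the log, remembering the current [key], and collect findings."""
    findings: List[Finding] = []
    key = "<no key>"
    for line in log_text.splitlines():
        line = line.rstrip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        pm = PROXY_RE.match(line)
        if pm:  # the proxy line lives outside any [key] block
            loc, name, value = "Supplementary Scan", "ProxyServer", pm.group("value")
        else:
            vm = VALUE_RE.match(line)
            if not vm:
                continue
            loc, name, value = key, vm.group("name"), normalise(vm.group("value"))
        reason = classify(loc, name, value)
        if reason:
            findings.append(Finding(loc, name, value, reason))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.name} = {f.value}  [{f.location}]\n    -> {f.reason}")
```

Entries the rules do not know about (the AuthorizedApplications list, ordinary Run keys) pass through silently, so the output is a short list of things to look at rather than a verdict.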

#6 romymichelle21
  • Topic Starter
  • Members
  • 10 posts

Posted 25 May 2009 - 10:21 PM

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.36
Database version: 2178
Windows 5.1.2600 Service Pack 2

5/25/2009 12:36:04 PM
mbam-log-2009-05-25 (12-36-04).txt

Scan type: Quick Scan
Objects scanned: 79588
Time elapsed: 4 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

And the SmitFraud log:

SmitFraudFix v2.417

Scan done at 19:52:53.32, Mon 05/25/2009
Run from C:\Documents and Settings\HP_Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

127.0.0.1 localhost

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.
Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


RK


DNS

HKLM\SYSTEM\CS3\Services\Tcpip\..\{8B560461-CB8C-4065-9FAC-6D2CDB97967F}: DhcpNameServer=66.75.160.63 66.75.160.64
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=66.75.160.63 66.75.160.64


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

"System"=""


RK.2



Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

#7 Maurice Naggar

    Eradicator de malware

  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 26 May 2009 - 06:00 PM

Make sure your Sunbelt Firewall is re-enabled.
You will likely have to de-install Ad-Aware and later on {after we are all done}, download & install {assuming you want to have it}.
I cannot tell why Combofix is reporting AVG presence. That needs research and may be addressed later.

This system had a W32/Aimdes-C WORM infection and autorun infection.

For now, do the following:

Download this utility by MS-MVP Miekiemoes: http://users.telenet.be/bluepatchy/miekiem...orepolicies.zip
Unzip the download. Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install.

Delete the download, the unzipped folder and all contents.

=

Place your USB flash drives in-place so that some of these programs will be able to find them.

I'm going to have you get and run two utilities.
The first stops automatic use of the AutoRun feature of XP. The second will write to any connected devices a Read-only, System protected Autorun.inf file on all of your hard drives, and all connected removable storage devices.

Download and Install Microsoft's TweakUI:
http://www.microsoft.com/windowsxp/downloa...ppowertoys.mspx
Obtain and install TweakUI (part of the PowerToys for Windows XP package), and then start TweakUI.
Expand the My Computer branch, then the AutoPlay branch, and then select Drives.
Turn off the checkbox next to every drive letter to disable AutoPlay -- except your CD/DVD drive letters.

Download and run "Flash Drive Disinfector" by sUBs. It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
http://download.bleepingcomputer.com/sUBs/...Disinfector.exe
There is no GUI interface or log file produced.
=

Go here and download RootRepeal to your Desktop. Double-click to extract the compressed file to its own folder and then right-click on RootRepeal.exe and choose "Run as Administrator". Click on the Report tab and then click on Scan. A window will open asking what to include in the scan. Check all of the below and then click Ok.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

You will then be asked which drive to scan. Check C: (or the drive your operating system is installed on if not C) and click Ok again. The scan will start. It will take a little while so please be patient. When the scan has finished, click on Save Report. Name the log RootRepeal.txt and save it to your Documents folder (it should default there). When you have done this, please copy and paste it in this thread.

=

Next, Scan the system with the Kaspersky Online Scanner
http://www.kaspersky.com/virusscanner

Attention: Kaspersky Online Scanner 7.0 may not run successfully while another antivirus program is running. If you have Anti-Virus software installed, please temporarily disable your AV protection before running the Kaspersky Online Scanner. Re-enable it after the scan is finished.

During this run, make sure your browser does not block popup windows. Have patience while some screens populate.

1) Click the Kaspersky Online Scanner button. You'll see a popup window.
2) Accept the agreement
3) Accept the installation of the required ActiveX object (XP SP2-SP3 will show this in the Information Bar)
4) For XP SP2-SP3, click the Install button when prompted
5) The necessary files will be downloaded and installed. Please have plenty of patience.
6) After Kaspersky AntiVirus Database is updated, look at the Scan box.
7) Click the My Computer line
8) Be infinitely patient; the scan is comprehensive and, unlike other online antivirus scanners, will detect all malware

9) When the scan is completed there will be an option to Save report as a .txt file. Click that button. Copy and paste the report into your reply.

(To see an animated how-to tutorial on the scan, see >>this link<<)

Re-enable your antivirus program after Kaspersky has finished.
Kaspersky Online Scanner can be uninstalled later on from Add or Remove Programs in the Control Panel, if desired.

Do not be alarmed if Kaspersky tags items that are already in quarantine by MBAM, or SmitFraudFix items, or ComboFix's Qoobox & quarantine.
Kaspersky is a report only and does not remove files.

Post back with copies of the Kaspersky.txt report.
How is your system now?
Also, tell me if your Vipre app is active again, and whether you can manage to use its Update function.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#8 romymichelle21

  • Topic Starter

Posted 27 May 2009 - 01:01 PM

Ok, downloaded and installed the VArestorepolicies.

Used TweakUI as suggested, however AutoPlay was already unchecked on all the boxes. (I have no USB drives).

Ran Flash Drive Disinfector, which did... nothing. Visually, anyway. But I'm assuming it did its job silently.

Ran RootRepeal, which shut down the first time (I walked away and came back, and it was just gone), but then ran successfully on the second attempt.

Kaspersky online turned up nothing. Nada. (Yay!)

Here is the RootRepeal log: (Down at the bottom, those symbols just show up as boxes on my PC).



ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/05/26 20:50
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEDF87000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A73000 Size: 8192 File Visible: No
Status: -

Name: PCI_NTPNP7208
Image Path: \Driver\PCI_NTPNP7208
Address: 0x00000000 Size: 0 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xECB3B000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\4b55aa60.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\temp\etilqs_sTIcoGAhvJJ2ZOJZZwiu
Status: Allocation size mismatch (API: 65536, Raw: 32768)

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\drivers\SbFw.sys" at address 0xee2e9160

#: 035 Function Name: NtCreateEvent
Status: Hooked by "C:\WINDOWS\System32\drivers\4b55aa60.sys" at address 0xf8747e2d

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\SbFw.sys" at address 0xee2e8868

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\drivers\4b55aa60.sys" at address 0xf8745f05

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\SbFw.sys" at address 0xee2e7e90

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\SbFw.sys" at address 0xee2e7d9c

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\SbFw.sys" at address 0xee2e83fc

#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\system32\drivers\SbFw.sys" at address 0xee2e9210

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\drivers\SbFw.sys" at address 0xee2e5786

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\SbFw.sys" at address 0xee2e5846

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xf843cfb2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sptd.sys" at address 0xf843d340

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\sbhips.sys" at address 0xf86e301c

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "C:\WINDOWS\system32\drivers\sbhips.sys" at address 0xf86e3168

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\drivers\SbFw.sys" at address 0xee2e8b54

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\drivers\4b55aa60.sys" at address 0xf8745fc5

#: 160 Function Name: NtQueryKey
Status: Hooked by "sptd.sys" at address 0xf843d418

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "sptd.sys" at address 0xf843d298

#: 206 Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\drivers\SbFw.sys" at address 0xee2e84ec

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\system32\drivers\SbFw.sys" at address 0xee2e8e8c

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\sbaphd.sys" at address 0xf8a6b520

#: 274 Function Name: NtWriteFile
Status: Hooked by "C:\WINDOWS\system32\drivers\SbFw.sys" at address 0xee2e8de0

Stealth Objects
-------------------
Object: Hidden Module [Name: S2PCISE.exe]
Process: Explorer.EXE (PID: 416) Address: 0x027c0000 Size: 36864

Object: Hidden Module [Name: System.Drawing.dll]
Process: Explorer.EXE (PID: 416) Address: 0x02df0000 Size: 643072

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x823571e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x823571e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x823571e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x823571e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x823571e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x823571e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x823571e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x823571e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x823571e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x823571e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x823571e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x823571e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x823571e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x823571e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x823571e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x823571e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x823571e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x823571e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x823571e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x823571e8 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x823571e8 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x821962f8 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x821962f8 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x821962f8 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x821962f8 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x821962f8 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x821962f8 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x821962f8 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x821962f8 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x821962f8 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x821962f8 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x821962f8 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x821962f8 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x821962f8 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x821962f8 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x821962f8 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x821962f8 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x821962f8 Size: -

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x821962f8 Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x823c61e8 Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x823c61e8 Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x823c61e8 Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x823c61e8 Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x823c61e8 Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x823c61e8 Size: -

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x823c61e8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x821ce648 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x821ce648 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x821ce648 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x821ce648 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x821ce648 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x821ce648 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x821ce648 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x821ce648 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x821ce648 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x821ce648 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x821ce648 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
Process: System Address: 0x820aa1e8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]
Process: System Address: 0x820aa1e8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]
Process: System Address: 0x820aa1e8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]
Process: System Address: 0x820aa1e8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x820aa1e8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x820aa1e8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]
Process: System Address: 0x820aa1e8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x820aa1e8 Size: -

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]
Process: System Address: 0x820aa1e8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x8213b1e8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x8213b1e8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8213b1e8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8213b1e8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x8213b1e8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8213b1e8 Size: -

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x8213b1e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x823591e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x823591e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x823591e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x823591e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x823591e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x823591e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x823591e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x823591e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x823591e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x823591e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x823591e8 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x819c7790 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x819c7790 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x819c7790 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x819c7790 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x819c7790 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x819c7790 Size: -

Object: Hidden Code [Driver: fasttx2k, IRP_MJ_CREATE]
Process: System Address: 0x823581e8 Size: -

Object: Hidden Code [Driver: fasttx2k, IRP_MJ_CLOSE]
Process: System Address: 0x823581e8 Size: -

Object: Hidden Code [Driver: fasttx2k, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x823581e8 Size: -

Object: Hidden Code [Driver: fasttx2k, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x823581e8 Size: -

Object: Hidden Code [Driver: fasttx2k, IRP_MJ_POWER]
Process: System Address: 0x823581e8 Size: -

Object: Hidden Code [Driver: fasttx2k, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x823581e8 Size: -

Object: Hidden Code [Driver: fasttx2k, IRP_MJ_PNP]
Process: System Address: 0x823581e8 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x821de1e8 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x821de1e8 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x821de1e8 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x821de1e8 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x821de1e8 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x821de1e8 Size: -

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x821de1e8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x818781e8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x818781e8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x818781e8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x818781e8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x818781e8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x818781e8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x818781e8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x818781e8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x818781e8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x818781e8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x818781e8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x818781e8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x818781e8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x818781e8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x818781e8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x818781e8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x818781e8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x818781e8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x818781e8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x818781e8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x818781e8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x818781e8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x818781e8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x818781e8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x818781e8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x818781e8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x818781e8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x818781e8 Size: -

Object: Hidden Code [Driver: Cdfsȅఅ瑎獆鍸䜠, IRP_MJ_CREATE]
Process: System Address: 0x820b51e8 Size: -

Object: Hidden Code [Driver: Cdfsȅఅ瑎獆鍸䜠, IRP_MJ_CLOSE]
Process: System Address: 0x820b51e8 Size: -

Object: Hidden Code [Driver: Cdfsȅఅ瑎獆鍸䜠, IRP_MJ_READ]
Process: System Address: 0x820b51e8 Size: -

Object: Hidden Code [Driver: Cdfsȅఅ瑎獆鍸䜠, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x820b51e8 Size: -

Object: Hidden Code [Driver: Cdfsȅఅ瑎獆鍸䜠, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x820b51e8 Size: -

Object: Hidden Code [Driver: Cdfsȅఅ瑎獆鍸䜠, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x820b51e8 Size: -

Object: Hidden Code [Driver: Cdfsȅఅ瑎獆鍸䜠, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x820b51e8 Size: -

Object: Hidden Code [Driver: Cdfsȅఅ瑎獆鍸䜠, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x820b51e8 Size: -

Object: Hidden Code [Driver: Cdfsȅఅ瑎獆鍸䜠, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x820b51e8 Size: -

Object: Hidden Code [Driver: Cdfsȅఅ瑎獆鍸䜠, IRP_MJ_SHUTDOWN]
Process: System Address: 0x820b51e8 Size: -

Object: Hidden Code [Driver: Cdfsȅఅ瑎獆鍸䜠, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x820b51e8 Size: -

Object: Hidden Code [Driver: Cdfsȅఅ瑎獆鍸䜠, IRP_MJ_CLEANUP]
Process: System Address: 0x820b51e8 Size: -

Object: Hidden Code [Driver: Cdfsȅఅ瑎獆鍸䜠, IRP_MJ_PNP]
Process: System Address: 0x820b51e8 Size: -
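
The RootRepeal report above is long, and the questions an analyst asks of it are mechanical: which modules hook the SSDT, whether any of those modules is itself hidden or locked on disk, and which "Hidden Module" objects were found mapped into user processes. The Python script below is an added example for this thread, not RootRepeal's own code and not part of any poster's reply; it parses the report format as shown above and produces exactly that worklist. The embedded sample report is constructed from entries copied out of the log above and trimmed, and the function names (`parse_report`, `ssdt_hooks_by_module`, `hidden_hooking_modules`, `injected_modules`) are my own. It makes no judgement about any entry: the SbFw.sys and sbhips.sys hooks, for instance, line up with the Sunbelt Personal Firewall that the Security Check later in the thread shows installed, and a locked-file entry can be a driver that simply refuses reads while loaded. The output is a list of things to check for digital signatures and file origin, not a verdict.

```python
"""Triage helper for a RootRepeal text report (added example; not RootRepeal's
own code and not part of any reply in this thread). It parses the report
format shown above and lists the items an analyst looks at first."""
import re
from collections import defaultdict

# Constructed sample in the thread's report layout; the entries are copied
# from the log above and trimmed to a few per section.
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2008

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\drivers\4b55aa60.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\drivers\SbFw.sys" at address 0xee2e9160

#: 035 Function Name: NtCreateEvent
Status: Hooked by "C:\WINDOWS\System32\drivers\4b55aa60.sys" at address 0xf8747e2d

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\drivers\4b55aa60.sys" at address 0xf8745f05

Stealth Objects
-------------------
Object: Hidden Module [Name: S2PCISE.exe]
Process: Explorer.EXE (PID: 416) Address: 0x027c0000 Size: 36864
"""

# RootRepeal packs several fields on one line; these split the composite forms
# (the Address/Size/File Visible form appears in the Drivers section).
COMPOSITE = [
    (re.compile(r"^#: (\d+) Function Name: (\w+)$"), ("index", "function")),
    (re.compile(r'^Status: Hooked by "([^"]+)" at address (0x[0-9A-Fa-f]+)$'),
     ("hooked_by", "hook_address")),
    (re.compile(r"^Address: (\S+) Size: (\S+) File Visible: (\S+)$"), ("address", "size", "file_visible")),
    (re.compile(r"^Process: (.+?) Address: (\S+) Size: (\S+)$"), ("process", "address", "size")),
]
SECTION_RE = re.compile(r"^(.+)\n-{5,}\n", re.M)  # a section header is a line underlined with dashes

def _parse_line(line, record):
    """Store one 'Key: value' line in record, normalising keys to snake_case."""
    for pattern, keys in COMPOSITE:
        m = pattern.match(line)
        if m:
            record.update(zip(keys, m.groups()))
            return
    key, sep, value = line.partition(": ")
    if sep:
        record[key.lower().replace(" ", "_")] = value

def parse_report(text):
    """Return {section: [record, ...]}; records are blank-line separated groups."""
    parts = SECTION_RE.split(text)            # [banner, name1, body1, name2, body2, ...]
    sections = {}
    for name, body in zip(parts[1::2], parts[2::2]):
        records = []
        for chunk in re.split(r"\n\s*\n", body.strip()):
            record = {}
            for line in chunk.splitlines():
                _parse_line(line.rstrip(), record)
            if record:
                records.append(record)
        sections[name] = records
    return sections

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def ssdt_hooks_by_module(report):
    """Map each hooking module (file name, lower-cased) to the Nt* services it hooks."""
    hooks = defaultdict(list)
    for rec in report.get("SSDT", []):
        if "hooked_by" in rec:
            hooks[_basename(rec["hooked_by"])].append(rec["function"])
    return {mod: sorted(fns) for mod, fns in hooks.items()}

def hidden_hooking_modules(report):
    """SSDT hookers whose own file is also hidden/locked; a legitimate security driver is normally visible."""
    locked = {_basename(r["path"]) for r in report.get("Hidden/Locked Files", []) if "path" in r}
    return sorted(mod for mod in ssdt_hooks_by_module(report) if mod in locked)

def injected_modules(report):
    """(module, process) for each 'Hidden Module' stealth object, i.e. an image absent from the process's module list."""
    hidden = re.compile(r"^Hidden Module \[Name: (.+)\]$")
    found = []
    for rec in report.get("Stealth Objects", []):
        if m := hidden.match(rec.get("object", "")):
            found.append((m.group(1), rec.get("process", "?")))
    return found

if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print("SSDT hooks by module:", ssdt_hooks_by_module(rep))
    print("Hooking modules that are hidden/locked:", hidden_hooking_modules(rep))
    print("Hidden modules in processes:", injected_modules(rep))
```

Run it as-is to see the summary for the embedded sample, or replace SAMPLE_REPORT with the contents of a saved RootRepeal.txt. The section parser keys on the dashed underline rather than on a fixed list of section names, so it also handles the Drivers, Processes and Hidden Services sections the scan options above can add.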

#9 romymichelle21

  • Topic Starter

Posted 27 May 2009 - 01:05 PM

Here is the Kaspersky log, just in case:


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, May 27, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, May 27, 2009 05:00:58
Records in database: 2256160
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 141106
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 05:10:42

No malware has been detected. The scan area is clean.

The selected area was scanned.

#10 Maurice Naggar

  • Eradicator de malware
  • Malware Response Team

Posted 30 May 2009 - 06:26 AM

The main problem this had (the sys32dll.exe) is gone and the Kaspersky scan is very very good.
We are almost ready for tools cleanup and wrapping this up.

Download Security Check by screen317 and save it to your Desktop: here or here
  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; copy all of its contents for posting here
  • If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.
Reply with a copy of the contents of checkup.txt
and let me know of any outstanding malware-related issues!
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#11 romymichelle21

  • Topic Starter

Posted 30 May 2009 - 01:41 PM

Here is the Security Check log:


Results of screen317's Security Check version 0.98.3
Windows XP Service Pack 2
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Disabled!
VIPREAntivirus+Antispyware
SunbeltPersonalFirewall
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

Out of date Spybot installed!
Ad-Aware
Spybot - Search & Destroy 1.4
VIPRE Antivirus + Antispyware
Spybot - Search & Destroy
Malwarebytes' Anti-Malware
Advanced WindowsCare Personal
Abexo Free Registry Cleaner
CCleaner (remove only)
Java™ 6 Update 13
Java™ 6 Update 7
Out of date Java installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
Spybot SDHelper is disabled!
Sunbelt Software Personal Firewall SbPFLnch.exe
Sunbelt Software Personal Firewall SbPFSvc.exe
Sunbelt Software Personal Firewall SbPFCl.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````


Scan took 60 seconds.
`````````End of Log```````````


Though I'm not sure why it says something about Java outdated, I just updated it the other day. And two Spybot entries... that's weird. I updated that the last time I ran it, too. Well, anyway.

No other issues so far! AdAware still isn't running, but that must be its own problem. If I uninstall it, no big deal I guess.

#12 Maurice Naggar

  • Eradicator de malware
  • Malware Response Team

Posted 30 May 2009 - 02:49 PM

Hello romymichelle21.
We are ready to wrap this up.

The Security Check did properly note that Java runtime is out-of-date. Update 14 was just recently released.
Uninstall jre1.6 (or any earlier) + any other (JRE Runtime Environment ) Sun Java package via Add/Remove Programs.
If you see any other Java versions there,
such as
J2SE Runtime Environment 5.0
Java SE Runtime Environment
Java 6


uninstall all of them. After uninstalling, reboot if directed to do so.

In Windows Explorer, navigate to and delete C:\Program Files\Java <= this folder, if found. Do NOT delete C:\Program Files\JavaVM <= this folder, if found!
Open an IE window and go to http://java.sun.com/javase/downloads/index.jsp
> In top of the page (second in the list), click on the Download button to the right of Java Runtime Environment (JRE) 6 Update 14
> If the Information Bar pops up, right-click on it and say it's OK to display the blocked content; you do not have to install the Java Web Start ActiveX Control
> Accept the license agreement
> Click on Windows Offline Installation, Multi-language and Save the file to your desktop; do not Run it.

When the download is complete, close all browser windows and double-click on the saved file to install the update.
  • Tip: Choose Custom install to select only the part(s) you need/want.
Delete the downloaded installation file after completing the above procedure and reboot if prompted to do so.

If you were /not/ prompted to reboot, please do so now.

To test your Java Run-time, you may go to this page http://www.javatester.org/version.html
When all is well, you should see Java Version: 1.6.0_14 from Sun Microsystems Inc.
=

RE: Abexo Free Registry Cleaner ---- I have no knowledge of it; just to say, most people do not need a registry cleaner.

If you like to use Spybot Search and Destroy, the version you have is outdated. The current version is 1.6.2


Unless you have purchased Malwarebytes' Anti Malware {MBAM}, you need to un-install it. Go to Control Panel and Add-or-Remove programs.
Look for it and click the line for it. Select Change/Remove to de-install it.
Do the same for Kaspersky online scan.
OK & Exit out of Control Panel

You may revert the My Computer {Windows Explorer} Folder options/View settings back to where they were before.

I see that you are clear of your original issues.
If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders. By whichever name you named it (you had named it combofix), put that name in the RUN box stated just below.
The "/u" in the Run line below is to start Combofix for its cleanup & removal function.
Note the space after x and before the slash mark.
The utility must be removed to prevent any unintentional or accidental usage, PLUS, to free up much space on your hard disk.
  • Click Start, then click Run.

    In the command box that opens, type or copy/paste combofix /u and then click OK.
  • Download OTListIt by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTListIt2.exe
  • Please double-click OTListIt2.exe to run it.
  • Click on the CleanUp! button. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTListIt2 attempting to contact the internet you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.
We are finished here. Best regards.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#13 romymichelle21

  • Topic Starter

Posted 31 May 2009 - 12:03 AM

Great! Thank you for all your help!

#14 Maurice Naggar

  • Eradicator de malware
  • Malware Response Team

Posted 31 May 2009 - 11:25 AM

You are welcome. All the best to you.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)



