
Tdss nasty rootkit


This topic is locked
26 replies to this topic

#1 devilspride2k1

  • Members
  • 48 posts
  • Gender:Female
  • Location:London UK

Posted 12 May 2009 - 08:04 AM

Have had help in other forums on BC, on scanning with MBAM, ATF Cleaner and SAS; it showed I had Vundo, Alureon WD and the dreaded TDSS, which is why I have been referred here. I had TDSS before and am wondering if we didn't get it all before (removed manually using Ubuntu/Linux with a Sophos tech) or I'm just plain unlucky and have it again.
All scans come back that everything has been quarantined and deleted successfully, although the MBAM-found files are still in its quarantine folder. I also ran a Sophos Linux TDSS detect-and-fix disc and that also came back clear.
I have now run the DDS scan as it says at the top of this forum I should do, and have included the DDS.txt below. I would now be OOOOBER grateful for any help in trying to kick this out the back door it came in!!!

Many thanks in advance



DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 13:43:03.81 on 12/05/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.511.135 [GMT 1:00]

AV: Sophos Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ps2.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.virginmedia.com/
uSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;localhost
mCustomizeSearch =
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIEW] "rundll32.exe" nview.dll,nViewLoadHook
uRun: [<NO NAME>]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [DeviceDiscovery] "c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe"
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe
mRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - hxxp://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1088590265218
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab
DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} - hxxp://www.cult3d.com/download/cult.cab
DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} - hxxp://zone.msn.com/bingame/pacz/default/pandaonline.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {3FC76754-41A5-11D2-9370-00A0C9B1E042} - hxxp://www.kiddonet.com/lapware/actmenu/coloring/Coloring.ocx
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.truprint.co.uk/TruprintActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://emmajay91.spaces.live.com//PhotoUpload/MsnPUpld.cab
DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} - hxxp://www.gamehouse.com/ghdlctl.cab
DPF: {55027008-315F-4F45-BBC3-8BE119764741} - hxxp://www.slide.com/uploader/SlideImageUploader.cab
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://207.188.7.150/1847c55011bf2462ac18/netzip/RdxIE601.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} - hxxp://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://real.gamehouse.com/games/chainz2/mjolauncher.cab
DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} - hxxp://zone.msn.com/bingame/zpagames/zpa_dmno.cab42341.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} - hxxp://cdn2.zone.msn.com/binframework/v10/ZAxRcMgr.cab31267.cab
DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - hxxp://install.wildtangent.com/bgn/partners/shockwave/cannonballs/install.cab
DPF: {AB676D96-BE22-4133-A45F-9FD6376366DA} - hxxp://www.freefunmp3.com/contenido/IconoMail.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
DPF: {B90CD242-E0CB-4BAD-A1CE-44F2AE29A01E} - hxxp://www.internet-time.com/contenido/InternetTime.cab
DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} - hxxp://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} - hxxps://www.tescophoto.com/wpp/tesco/app/opcuploader.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game05.zylom.com/activex/zylomgamesplayer.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://real.gamehouse.com/real/games/SproutLauncher.cab
DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} - hxxp://zone.msn.com/bingame/gold/default/gf.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab41227.cab
DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} - hxxp://messenger.zone.msn.com/binary/WoF.cab31267.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://antu.popcap.com/games/popcaploader_v5.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} - hxxp://messenger.zone.msn.com/binary/Chess.cab31267.cab
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - hxxp://lw14fd.law14.hotmail.msn.com/activex/HMAtchmt.ocx
DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-4-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 72944]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2008-5-11 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2008-5-11 38528]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-3-28 55152]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2008-9-22 69632]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-8-21 98304]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-1-14 226656]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2008-12-23 172032]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S3 AEAY;AEAY;c:\docume~1\owner\locals~1\temp\aeay.exe --> c:\docume~1\owner\locals~1\temp\AEAY.exe [?]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-7-31 31592]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-4-28 7408]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-11-30 14976]

=============== Created Last 30 ================

2009-05-11 09:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-11 09:36 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-08 22:54 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-05-08 21:53 <DIR> --d----- c:\windows\system32\XPSViewer
2009-05-08 21:51 117,760 -------- c:\windows\system32\prntvpt.dll
2009-05-08 21:51 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-05-08 21:51 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-05-08 21:51 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-05-08 21:51 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-05-08 21:51 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-05-08 21:51 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-05-08 21:51 <DIR> --d----- C:\f624ec035489692ac3da558aafc2fc
2009-05-08 21:40 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-05-08 21:40 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-05-08 21:40 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-05-08 21:40 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-08 21:40 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-05-08 21:40 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-05-08 21:40 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-05-08 21:40 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-05-08 21:40 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-05-08 21:39 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-05-08 21:39 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-05-08 21:39 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-05-08 20:45 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-05-08 20:45 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-08 20:45 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-08 20:45 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-08 20:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-08 16:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CA
2009-05-07 14:17 130,104 a------- c:\windows\system32\sdccoinstaller.dll
2009-05-07 14:17 23,552 a------- c:\windows\system32\SophosBootTasks.exe
2009-05-07 14:16 <DIR> --d----- c:\program files\Sophos
2009-05-07 13:09 <DIR> --d----- c:\program files\Sophos(3)

==================== Find3M ====================

2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 19:09 78,336 a------- c:\windows\system32\ieencode.dll
2008-11-13 17:18 60,968 a------- c:\documents and settings\owner\GoToAssistDownloadHelper.exe
2008-03-29 18:26 0 ac------ c:\program files\temp01
2007-03-23 22:30 92,064 a------- c:\documents and settings\owner\mqdmmdm.sys
2007-03-23 22:30 79,328 a------- c:\documents and settings\owner\mqdmserd.sys
2007-03-23 22:30 66,656 a------- c:\documents and settings\owner\mqdmbus.sys
2007-03-23 22:30 25,600 a------- c:\documents and settings\owner\usbsermptxp.sys
2007-03-23 22:30 9,232 a------- c:\documents and settings\owner\mqdmmdfl.sys
2007-03-23 22:30 6,208 a------- c:\documents and settings\owner\mqdmcmnt.sys
2007-03-23 22:30 5,936 a------- c:\documents and settings\owner\mqdmwhnt.sys
2007-03-23 22:30 4,048 a------- c:\documents and settings\owner\mqdmcr.sys
2007-03-23 22:30 22,768 a------- c:\documents and settings\owner\usbsermpt.sys
2006-09-06 18:53 124,968 ac------ c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2005-05-14 13:59 80 -c-shr-- c:\windows\system32\A44FCD5D80.dll

============= FINISH: 13:44:03.79 ===============
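The SERVICES / DRIVERS block of a DDS log is where a reviewer looks first, and the log above contains the kind of entry that matters: the `S3 AEAY` service points at an executable under the user's temp folder that DDS marked `[?]`, and `rkhdrv40` has no image path at all (`[x]`). The following Python script is an added example written for this page; it is not part of DDS, ComboFix or the original post. It parses lines in the DDS services/drivers format and applies a few defender-side triage heuristics: an image path under a temp directory, the `[?]` and `[x]` status markers, and a short all-caps name identical to its display name. The meanings attached to `[?]` (file could not be read) and `[x]` (no path recorded) are the editor's reading of the log above, not documented DDS semantics, and the sample lines are copied from that log.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: service/driver lines copied from the
# "SERVICES / DRIVERS" section of the DDS log above (two benign entries,
# three that deserve a look), so the script runs without the full log.
SAMPLE_LINES = [
    r"R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-4-28 9968]",
    r"R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-8-21 98304]",
    r"S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]",
    r"S3 AEAY;AEAY;c:\docume~1\owner\locals~1\temp\aeay.exe --> c:\docume~1\owner\locals~1\temp\AEAY.exe [?]",
    r"S3 rkhdrv40;Rootkit Unhooker Driver; [x]",
    r"S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-11-30 14976]",
]

# DDS line shape, as seen in the log above:
#   "<R|S><start type> <service name>;<display name>;<image path> [<date size> | ? | x]"
LINE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]*);(?P<display>[^;]*);(?P<path>.*?)\s*\[(?P<tag>[^\]]*)\]\s*$"
)

# Directories from which a legitimate service or driver should not be loaded.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


@dataclass
class ServiceEntry:
    start: str       # R = running, S = stopped; the digit is the start type
    name: str
    display: str
    path: str        # resolved image path ("" when DDS recorded none)
    tag: str         # "date size" when DDS read the file, "?" or "x" otherwise
    findings: list = field(default_factory=list)


def parse_line(line):
    """Parse one DDS services/drivers line; return None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path").strip()
    # DDS prints "registry path --> resolved path"; keep the resolved one.
    if "-->" in path:
        path = path.split("-->")[-1].strip()
    return ServiceEntry(m.group("start"), m.group("name").strip(),
                        m.group("display").strip(), path, m.group("tag").strip())


def triage(entry):
    """Attach review findings to an entry. These are heuristics for a human to check,
    not verdicts: a legitimate but broken uninstall can also leave an orphaned entry."""
    low = entry.path.lower()
    if any(marker in low for marker in TEMP_MARKERS):
        entry.findings.append("image path is under a temp directory")
    if entry.tag == "?":
        entry.findings.append("DDS could not read the listed file (missing or hidden)")
    if entry.tag == "x" or not entry.path:
        entry.findings.append("no image path recorded (orphaned service entry)")
    if (entry.name == entry.display and entry.name.isalpha()
            and entry.name.isupper() and len(entry.name) <= 5):
        entry.findings.append("short all-caps name identical to display name (random-name heuristic)")
    return entry


def triage_log(lines):
    """Return only the entries that picked up at least one finding, in log order."""
    flagged = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        triage(entry)
        if entry.findings:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LINES):
        print(f"{e.start} {e.name}: {e.path or '<no path>'}")
        for finding in e.findings:
            print("   -", finding)
```

Run it as-is to see the three flagged entries; to triage a real log, read the lines between the `SERVICES / DRIVERS` header and the next `====` header and pass them to `triage_log`. A hit is a prompt to look at the file (hashes, signer, creation time in the "Created Last 30" block), not a removal instruction.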


#2 devilspride2k1
  • Topic Starter

  • Members
  • 48 posts
  • Gender:Female
  • Location:London UK

Posted 13 May 2009 - 12:45 PM

:thumbup2: Please, please, please can someone advise me what to do next? My daughter has her final A2 IT exam in a couple of weeks and needs to take the work on our PC into school, which I can't allow until I'm clean. Since my last post I ran Dr.Web in safe mode and it deleted 2 killapp. TERRIFIC. Thanks in advance
===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this, or do not respond to your requests, is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work on may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 13 May 2009 - 08:01 PM.


#3 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 16 May 2009 - 01:54 PM

Hello.

Information on backdoors.

Backdoor Threat

Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

IF YOU WISH TO CONTINUE FOLLOW THE STEPS BELOW, OTHERWISE LET ME KNOW

Install Recovery Console and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Please download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#4 devilspride2k1
  • Topic Starter

  • Members
  • 48 posts
  • Gender:Female
  • Location:London UK

Posted 16 May 2009 - 02:23 PM

Thanks for your help. I am having trouble: I don't know how to disable Sophos, every link I try for ComboFix alerts Sophos as being adware, and on double-clicking the ComboFix icon I get the following message: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." Sorry, but where do I go from here?

Also, I did have TDSS a while ago. Could it be remnant parts left from before (in case this helps)?

OK extremeboy, I could not completely disable Sophos, but managed to disable on-access scanning and ran ComboFix. I hope this is OK; if not, I await your further instruction.
Many thanks

Carla

ComboFix 09-05-16.01 - Owner 16/05/2009 21:40:19.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.511.221 [GMT 1:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\c.cgm
C:\RECYCLER\S-1-5-21-1097021601-189710942-1697597423-500\INFO2
C:\WINDOWS\cdmxtras
C:\WINDOWS\Readme.txt
C:\WINDOWS\system32\ATHPRXY(2).DLL
C:\WINDOWS\system32\iAlmcoin.dll
D:\resycled

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SVCPROC


((((((((((((((((((((((((( Files Created from 2009-04-16 to 2009-05-16 )))))))))))))))))))))))))))))))
.

2009-05-12 17:44:26 . 2009-05-12 17:44:26 0 d-----w C:\Documents and Settings\Owner\DoctorWeb
2009-05-12 17:30:30 . 2009-05-12 17:34:09 0 d-----w C:\Documents and Settings\All Users\Application Data\PrevxCSI
2009-05-11 08:57:49 . 2009-05-11 08:57:49 0 d-----w C:\Documents and Settings\Administrator.YOUR-3HCEF8Q6J0\Application Data\SUPERAntiSpyware.com
2009-05-11 08:37:40 . 2009-05-11 08:37:40 0 d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-11 08:36:58 . 2009-05-11 08:36:58 0 d-----w C:\Program Files\Common Files\Wise Installation Wizard
2009-05-08 20:53:25 . 2009-05-08 20:53:25 0 d-----w C:\WINDOWS\system32\XPSViewer
2009-05-08 20:53:20 . 2009-05-08 20:53:20 0 d-----w C:\Program Files\MSBuild
2009-05-08 20:53:06 . 2009-05-08 20:53:06 0 d-----w C:\Program Files\Reference Assemblies
2009-05-08 20:51:55 . 2008-07-06 12:06:10 117760 ------w C:\WINDOWS\system32\prntvpt.dll
2009-05-08 20:51:54 . 2008-07-06 12:06:10 89088 -c----w C:\WINDOWS\system32\dllcache\filterpipelineprintproc.dll
2009-05-08 20:51:54 . 2008-07-06 10:50:03 597504 -c----w C:\WINDOWS\system32\dllcache\printfilterpipelinesvc.exe
2009-05-08 20:51:54 . 2008-07-06 12:06:10 575488 -c----w C:\WINDOWS\system32\dllcache\xpsshhdr.dll
2009-05-08 20:51:54 . 2008-07-06 12:06:10 575488 ------w C:\WINDOWS\system32\xpsshhdr.dll
2009-05-08 20:51:54 . 2008-07-06 12:06:10 1676288 -c----w C:\WINDOWS\system32\dllcache\xpssvcs.dll
2009-05-08 20:51:54 . 2008-07-06 12:06:10 1676288 ------w C:\WINDOWS\system32\xpssvcs.dll
2009-05-08 20:51:53 . 2009-05-08 20:52:46 0 d-----w C:\f624ec035489692ac3da558aafc2fc
2009-05-08 20:40:18 . 2009-03-06 14:22:18 284160 -c----w C:\WINDOWS\system32\dllcache\pdh.dll
2009-05-08 20:40:18 . 2009-02-09 12:10:48 401408 -c----w C:\WINDOWS\system32\dllcache\rpcss.dll
2009-05-08 20:40:17 . 2009-02-06 11:11:05 110592 -c----w C:\WINDOWS\system32\dllcache\services.exe
2009-05-08 20:40:17 . 2009-02-09 12:10:48 473600 -c----w C:\WINDOWS\system32\dllcache\fastprox.dll
2009-05-08 20:40:17 . 2009-02-06 10:10:02 227840 -c----w C:\WINDOWS\system32\dllcache\wmiprvse.exe
2009-05-08 20:40:17 . 2009-02-09 12:10:48 453120 -c----w C:\WINDOWS\system32\dllcache\wmiprvsd.dll
2009-05-08 20:40:16 . 2009-02-09 12:10:49 729088 -c----w C:\WINDOWS\system32\dllcache\lsasrv.dll
2009-05-08 20:40:16 . 2009-02-09 12:10:48 617472 -c----w C:\WINDOWS\system32\dllcache\advapi32.dll
2009-05-08 20:40:15 . 2009-02-09 12:10:48 714752 -c----w C:\WINDOWS\system32\dllcache\ntdll.dll
2009-05-08 20:39:07 . 2008-05-03 11:55:36 2560 ------w C:\WINDOWS\system32\xpsp4res.dll
2009-05-08 20:39:06 . 2008-04-21 12:08:15 215552 -c----w C:\WINDOWS\system32\dllcache\wordpad.exe
2009-05-08 19:45:52 . 2009-05-08 19:45:52 0 d-----w C:\Documents and Settings\Owner\Application Data\Malwarebytes
2009-05-08 19:45:43 . 2009-04-06 14:32:46 15504 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2009-05-08 19:45:39 . 2009-04-06 14:32:54 38496 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2009-05-08 19:45:38 . 2009-05-08 19:45:38 0 d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-05-08 19:45:38 . 2009-05-08 19:45:50 0 d-----w C:\Program Files\Malwarebytes' Anti-Malware
2009-05-08 15:46:20 . 2009-05-08 15:46:20 0 d-----w C:\Documents and Settings\All Users\Application Data\CA
2009-05-08 15:45:04 . 2009-05-08 15:45:25 0 d-----w C:\WINDOWS\BDOSCAN8
2009-05-07 13:17:47 . 2008-05-19 15:35:34 130104 ----a-w C:\WINDOWS\system32\sdccoinstaller.dll
2009-05-07 13:17:03 . 2008-08-21 12:22:59 23552 ----a-w C:\WINDOWS\system32\SophosBootTasks.exe
2009-05-07 13:16:51 . 2009-05-07 13:19:25 0 d-----w C:\Program Files\Sophos
2009-05-07 12:09:16 . 2009-05-07 12:17:36 0 d-----w C:\Program Files\Sophos(3)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-15 18:16:10 . 2004-09-15 08:34:24 0 d-----w C:\Program Files\Microsoft Home Publishing 2000
2009-05-11 08:37:26 . 2007-10-25 11:46:28 0 d-----w C:\Program Files\SUPERAntiSpyware
2009-05-11 08:37:23 . 2007-10-25 11:46:28 0 d-----w C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2009-05-07 13:01:21 . 2005-05-22 15:37:43 0 d-----w C:\Program Files\Google
2009-05-07 13:00:37 . 2008-08-03 19:05:53 0 d-----w C:\Program Files\Ahead
2009-04-09 13:54:37 . 2005-12-14 15:14:43 0 d-----w C:\Program Files\Java
2009-03-29 20:52:26 . 2009-03-28 19:28:33 0 d-----w C:\Program Files\Microsoft Silverlight
2009-03-28 19:28:55 . 2003-10-04 19:40:32 133448 -c--a-w C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-28 19:28:24 . 2009-03-28 19:20:02 0 d-----w C:\Program Files\Microsoft
2009-03-28 19:28:17 . 2009-03-28 19:28:17 0 d-----w C:\Program Files\Microsoft Office Outlook Connector
2009-03-28 19:26:51 . 2008-02-29 16:03:50 0 d-----w C:\Program Files\Windows Live
2009-03-28 19:26:12 . 2009-03-28 19:26:12 0 d-----w C:\Program Files\Microsoft Sync Framework
2009-03-28 19:19:42 . 2009-03-28 19:19:42 0 d-----w C:\Program Files\Windows Live SkyDrive
2009-03-09 04:19:08 . 2008-12-25 13:02:48 410984 ----a-w C:\WINDOWS\system32\deploytk.dll
2009-03-06 14:22:18 . 2003-01-02 19:10:53 284160 ----a-w C:\WINDOWS\system32\pdh.dll
2009-03-03 00:18:25 . 2004-02-06 17:05:06 826368 ----a-w C:\WINDOWS\system32\wininet.dll
2009-02-20 18:09:38 . 2004-08-04 07:56:42 78336 ----a-w C:\WINDOWS\system32\ieencode.dll
2008-03-29 17:26:23 . 2008-03-29 17:26:23 0 -c--a-w C:\Program Files\temp01
2005-05-14 12:59:08 . 2005-05-14 12:27:06 80 -csh--r C:\WINDOWS\system32\A44FCD5D80.dll
.

Edited by devilspride2k1, 16 May 2009 - 04:02 PM.


#5 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:11:27 AM

Posted 16 May 2009 - 04:24 PM

Hello.

The ComboFix log doesn't look complete. Are you sure that's the full log?

If it is, then please re-run Combofix and post the new log. If not, I would like to see the full log please.

After that, please run this tool:

Download and Run FlashDisinfector
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#6 devilspride2k1

  • Topic Starter
  • Members
  • 48 posts
  • Gender:Female
  • Location:London UK
  • Local time:03:27 PM

Posted 17 May 2009 - 02:27 AM

Sorry about the last log, not sure what happened, but I ran it again and here it is. I have also run the Flash Disinfector now as well. Thanks.

ComboFix 09-05-16.05 - Owner 17/05/2009 8:04.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.511.225 [GMT 1:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\c.cgm
c:\recycler\S-1-5-21-1097021601-189710942-1697597423-500\INFO2
c:\windows\cdmxtras
c:\windows\Readme.txt
c:\windows\system32\ATHPRXY(2).DLL
c:\windows\system32\iAlmcoin.dll
D:\resycled

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SVCPROC


((((((((((((((((((((((((( Files Created from 2009-04-17 to 2009-05-17 )))))))))))))))))))))))))))))))
.

2009-05-12 17:44 . 2009-05-12 17:44 -------- d-----w c:\documents and settings\Owner\DoctorWeb
2009-05-12 17:30 . 2009-05-12 17:34 -------- d-----w c:\documents and settings\All Users\Application Data\PrevxCSI
2009-05-11 08:57 . 2009-05-11 08:57 -------- d-----w c:\documents and settings\Administrator.YOUR-3HCEF8Q6J0\Application Data\SUPERAntiSpyware.com
2009-05-11 08:37 . 2009-05-11 08:37 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-11 08:36 . 2009-05-11 08:36 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-08 20:53 . 2009-05-08 20:53 -------- d-----w c:\windows\system32\XPSViewer
2009-05-08 20:53 . 2009-05-08 20:53 -------- d-----w c:\program files\MSBuild
2009-05-08 20:53 . 2009-05-08 20:53 -------- d-----w c:\program files\Reference Assemblies
2009-05-08 20:51 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-05-08 20:51 . 2008-07-06 12:06 89088 -c----w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-05-08 20:51 . 2008-07-06 10:50 597504 -c----w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-05-08 20:51 . 2008-07-06 12:06 575488 -c----w c:\windows\system32\dllcache\xpsshhdr.dll
2009-05-08 20:51 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-05-08 20:51 . 2008-07-06 12:06 1676288 -c----w c:\windows\system32\dllcache\xpssvcs.dll
2009-05-08 20:51 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-05-08 20:51 . 2009-05-08 20:52 -------- d-----w C:\f624ec035489692ac3da558aafc2fc
2009-05-08 20:40 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-05-08 20:40 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-05-08 20:40 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-05-08 20:40 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-05-08 20:40 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-05-08 20:40 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-08 20:40 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-05-08 20:40 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-05-08 20:40 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-05-08 20:39 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-05-08 20:39 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-05-08 19:45 . 2009-05-08 19:45 -------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2009-05-08 19:45 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-08 19:45 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-08 19:45 . 2009-05-08 19:45 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-08 19:45 . 2009-05-08 19:45 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-08 15:46 . 2009-05-08 15:46 -------- d-----w c:\documents and settings\All Users\Application Data\CA
2009-05-08 15:45 . 2009-05-08 15:45 -------- d-----w c:\windows\BDOSCAN8
2009-05-07 13:17 . 2008-05-19 15:35 130104 ----a-w c:\windows\system32\sdccoinstaller.dll
2009-05-07 13:17 . 2008-08-21 12:22 23552 ----a-w c:\windows\system32\SophosBootTasks.exe
2009-05-07 13:16 . 2009-05-07 13:19 -------- d-----w c:\program files\Sophos
2009-05-07 12:09 . 2009-05-07 12:17 -------- d-----w c:\program files\Sophos(3)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-15 18:16 . 2004-09-15 08:34 -------- d-----w c:\program files\Microsoft Home Publishing 2000
2009-05-11 08:37 . 2007-10-25 11:46 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-11 08:37 . 2007-10-25 11:46 -------- d-----w c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-05-07 13:01 . 2005-05-22 15:37 -------- d-----w c:\program files\Google
2009-05-07 13:00 . 2008-08-03 19:05 -------- d-----w c:\program files\Ahead
2009-04-09 13:54 . 2005-12-14 15:14 -------- d-----w c:\program files\Java
2009-03-29 20:52 . 2009-03-28 19:28 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-28 19:28 . 2003-10-04 19:40 133448 -c--a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-28 19:28 . 2009-03-28 19:20 -------- d-----w c:\program files\Microsoft
2009-03-28 19:28 . 2009-03-28 19:28 -------- d-----w c:\program files\Microsoft Office Outlook Connector
2009-03-28 19:26 . 2008-02-29 16:03 -------- d-----w c:\program files\Windows Live
2009-03-28 19:26 . 2009-03-28 19:26 -------- d-----w c:\program files\Microsoft Sync Framework
2009-03-28 19:19 . 2009-03-28 19:19 -------- d-----w c:\program files\Windows Live SkyDrive
2009-03-09 04:19 . 2008-12-25 13:02 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2003-01-02 19:10 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-02-06 17:05 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
2008-03-29 17:26 . 2008-03-29 17:26 0 -c--a-w c:\program files\temp01
2005-05-14 12:59 . 2005-05-14 12:27 80 -csh--r c:\windows\system32\A44FCD5D80.dll
.

------- Sigcheck -------

[-] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
[-] 2008-11-02 20:15 361600 CBEEBEB899E31EF52B962CB31FC8CA5C c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"NVIEW"="nview.dll" - c:\windows\system32\nview.dll [2003-03-04 831557]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 40960]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"PS2"="c:\windows\system32\ps2.exe" [2002-08-01 81920]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 172032]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-26 267064]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2003-04-04 50176]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2008-12-23 245760]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk
backup=c:\windows\pss\Forget Me Not.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=c:\windows\pss\GStartup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\CIMSVR.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [28/04/2009 11:33 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [28/04/2009 11:33 72944]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [11/05/2008 22:09 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [11/05/2008 22:09 38528]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [28/03/2009 20:26 55152]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [22/09/2008 12:18 69632]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [21/08/2008 13:04 98304]
R2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [14/01/2009 18:53 226656]
S3 AEAY;AEAY;c:\docume~1\Owner\LOCALS~1\Temp\AEAY.exe --> c:\docume~1\Owner\LOCALS~1\Temp\AEAY.exe [?]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 19:08 533360]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [31/07/2008 18:08 31592]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [28/04/2009 11:33 7408]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [30/11/2008 18:31 14976]
.
Contents of the 'Scheduled Tasks' folder

2009-05-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2009-05-17 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-01-01 23:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.virginmedia.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;localhost
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {AB676D96-BE22-4133-A45F-9FD6376366DA} - hxxp://www.freefunmp3.com/contenido/IconoMail.cab
DPF: {B90CD242-E0CB-4BAD-A1CE-44F2AE29A01E} - hxxp://www.internet-time.com/contenido/InternetTime.cab
DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} - hxxp://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game05.zylom.com/activex/zylomgamesplayer.cab
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-17 08:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1097021601-189710942-1697597423-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1596)
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-17 8:11
ComboFix-quarantined-files.txt 2009-05-17 07:10

Pre-Run: 80,438,906,880 bytes free
Post-Run: 80,425,254,912 bytes free

240 --- E O F --- 2009-05-13 08:43
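The Sigcheck block in the log above lists every copy of tcpip.sys on the disk with its MD5. The check a responder would want here is whether the copy actually loaded from system32\drivers matches the protected copy in dllcache: in this log it does not, even though both are the same size. The Python below is an added example, not part of this thread or of ComboFix; it parses the Sigcheck lines quoted above (the leading [flag] column is carried through exactly as ComboFix printed it) and reports any live copy whose hash differs from its dllcache copy.

```python
import re
from collections import defaultdict

# Sigcheck lines copied from the ComboFix log posted above (tcpip.sys only).
SIGCHECK_SAMPLE = r"""
[-] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
[-] 2008-11-02 20:15 361600 CBEEBEB899E31EF52B962CB31FC8CA5C c:\windows\system32\drivers\tcpip.sys
"""

MD5_RE = re.compile(r"^[0-9A-F]{32}$")


def classify_path(path):
    """Role of a copy: the dllcache reference, the live copy under system32,
    or a backup left behind by hotfix/service-pack installs."""
    p = path.lower()
    if "\\system32\\dllcache\\" in p:
        return "dllcache"
    if "\\system32\\" in p:
        return "live"
    return "backup"


def parse_sigcheck(text):
    """Parse ComboFix Sigcheck lines: [flag] date time size md5 path.
    The path is the last field and may contain spaces, hence maxsplit=5."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("["):
            continue
        parts = line.split(None, 5)
        if len(parts) != 6 or not MD5_RE.match(parts[4].upper()):
            continue
        flag, date, time, size, md5, path = parts
        entries.append({
            "flag": flag.strip("[]"),   # ComboFix's own marker, passed through unchanged
            "date": date,
            "time": time,
            "size": int(size),
            "md5": md5.upper(),
            "path": path,
            "name": path.rsplit("\\", 1)[-1].lower(),
            "role": classify_path(path),
        })
    return entries


def find_live_mismatches(entries):
    """For each file name, compare every live copy against the dllcache copy
    and note whether the live hash matches any other copy on the disk."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)
    findings = []
    for name, group in by_name.items():
        live = [e for e in group if e["role"] == "live"]
        cache = [e for e in group if e["role"] == "dllcache"]
        if not live or not cache:
            continue
        ref = cache[0]
        known_hashes = {e["md5"] for e in group if e["role"] != "live"}
        for e in live:
            if e["md5"] == ref["md5"]:
                continue
            findings.append({
                "name": name,
                "live_path": e["path"],
                "live_md5": e["md5"],
                "live_flag": e["flag"],
                "live_date": e["date"],
                "dllcache_md5": ref["md5"],
                "same_size_as_dllcache": e["size"] == ref["size"],
                "matches_any_known_copy": e["md5"] in known_hashes,
            })
    return findings


def report(findings):
    lines = []
    for f in findings:
        lines.append(
            f"{f['name']}: live copy {f['live_path']} (flag [{f['live_flag']}], "
            f"dated {f['live_date']}) md5 {f['live_md5']} differs from dllcache "
            f"{f['dllcache_md5']}; same size={f['same_size_as_dllcache']}, "
            f"matches a known copy={f['matches_any_known_copy']}"
        )
    return lines


if __name__ == "__main__":
    for line in report(find_live_mismatches(parse_sigcheck(SIGCHECK_SAMPLE))):
        print(line)
```

A live copy that is the same size as the dllcache copy but hashes differently, and matches none of the hotfix backups, is worth comparing byte-for-byte against a known-good copy before the machine is declared clean.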

#7 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:11:27 AM

Posted 17 May 2009 - 04:11 PM

Hello.

Please do the following.

Delete Combofix and re-download it on your desktop.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    File::
    c:\windows\system32\A44FCD5D80.dll
    c:\program files\temp01
    Driver::
    rkhdrv40
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    [image: CFScript.txt being dragged onto ComboFix.exe]
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

With Regards,
Extremeboy

#8 devilspride2k1

  • Topic Starter
  • Members
  • 48 posts
  • Gender:Female
  • Location:London UK
  • Local time:03:27 PM

Posted 18 May 2009 - 08:19 AM

Hi there. Below are the logs of ComboFix with CFScript and MBAM as requested. I will await your reply.
Thanks
Carla


ComboFix 09-05-17.04 - Owner 18/05/2009 13:39.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.511.186 [GMT 1:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

FILE ::
c:\program files\temp01
c:\windows\system32\A44FCD5D80.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\temp01
c:\windows\system32\A44FCD5D80.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RKHDRV40
-------\Service_rkhdrv40


((((((((((((((((((((((((( Files Created from 2009-04-18 to 2009-05-18 )))))))))))))))))))))))))))))))
.

2009-05-12 17:44 . 2009-05-12 17:44 -------- d-----w c:\documents and settings\Owner\DoctorWeb
2009-05-12 17:30 . 2009-05-12 17:34 -------- d-----w c:\documents and settings\All Users\Application Data\PrevxCSI
2009-05-11 08:57 . 2009-05-11 08:57 -------- d-----w c:\documents and settings\Administrator.YOUR-3HCEF8Q6J0\Application Data\SUPERAntiSpyware.com
2009-05-11 08:37 . 2009-05-11 08:37 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-11 08:36 . 2009-05-11 08:36 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-08 20:53 . 2009-05-08 20:53 -------- d-----w c:\windows\system32\XPSViewer
2009-05-08 20:53 . 2009-05-08 20:53 -------- d-----w c:\program files\MSBuild
2009-05-08 20:53 . 2009-05-08 20:53 -------- d-----w c:\program files\Reference Assemblies
2009-05-08 20:51 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-05-08 20:51 . 2008-07-06 12:06 89088 -c----w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-05-08 20:51 . 2008-07-06 10:50 597504 -c----w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-05-08 20:51 . 2008-07-06 12:06 575488 -c----w c:\windows\system32\dllcache\xpsshhdr.dll
2009-05-08 20:51 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-05-08 20:51 . 2008-07-06 12:06 1676288 -c----w c:\windows\system32\dllcache\xpssvcs.dll
2009-05-08 20:51 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-05-08 20:51 . 2009-05-08 20:52 -------- d-----w C:\f624ec035489692ac3da558aafc2fc
2009-05-08 20:40 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-05-08 20:40 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-05-08 20:40 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-05-08 20:40 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-05-08 20:40 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-05-08 20:40 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-08 20:40 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-05-08 20:40 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-05-08 20:40 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-05-08 20:39 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-05-08 20:39 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-05-08 19:45 . 2009-05-08 19:45 -------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2009-05-08 19:45 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-08 19:45 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-08 19:45 . 2009-05-08 19:45 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-08 19:45 . 2009-05-08 19:45 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-08 15:46 . 2009-05-08 15:46 -------- d-----w c:\documents and settings\All Users\Application Data\CA
2009-05-08 15:45 . 2009-05-08 15:45 -------- d-----w c:\windows\BDOSCAN8
2009-05-07 13:17 . 2008-05-19 15:35 130104 ----a-w c:\windows\system32\sdccoinstaller.dll
2009-05-07 13:17 . 2008-08-21 12:22 23552 ----a-w c:\windows\system32\SophosBootTasks.exe
2009-05-07 13:16 . 2009-05-07 13:19 -------- d-----w c:\program files\Sophos
2009-05-07 12:09 . 2009-05-07 12:17 -------- d-----w c:\program files\Sophos(3)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-17 07:17 . 2003-10-04 19:40 133448 -c--a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-15 18:16 . 2004-09-15 08:34 -------- d-----w c:\program files\Microsoft Home Publishing 2000
2009-05-11 08:37 . 2007-10-25 11:46 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-11 08:37 . 2007-10-25 11:46 -------- d-----w c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-05-07 13:01 . 2005-05-22 15:37 -------- d-----w c:\program files\Google
2009-05-07 13:00 . 2008-08-03 19:05 -------- d-----w c:\program files\Ahead
2009-04-09 13:54 . 2005-12-14 15:14 -------- d-----w c:\program files\Java
2009-03-29 20:52 . 2009-03-28 19:28 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-28 19:28 . 2009-03-28 19:20 -------- d-----w c:\program files\Microsoft
2009-03-28 19:28 . 2009-03-28 19:28 -------- d-----w c:\program files\Microsoft Office Outlook Connector
2009-03-28 19:26 . 2008-02-29 16:03 -------- d-----w c:\program files\Windows Live
2009-03-28 19:26 . 2009-03-28 19:26 -------- d-----w c:\program files\Microsoft Sync Framework
2009-03-28 19:19 . 2009-03-28 19:19 -------- d-----w c:\program files\Windows Live SkyDrive
2009-03-09 04:19 . 2008-12-25 13:02 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2003-01-02 19:10 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-02-06 17:05 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
.

------- Sigcheck -------

[-] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
[-] 2008-11-02 20:15 361600 CBEEBEB899E31EF52B962CB31FC8CA5C c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-05-17_07.08.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-18 12:45 . 2007-03-30 16:04 73728 c:\windows\Temp\sophos_autoupdate1.dir\xmltok.dll
+ 2009-05-18 12:45 . 2007-03-30 16:05 57344 c:\windows\Temp\sophos_autoupdate1.dir\xmlparse.dll
+ 2009-05-18 12:45 . 2007-04-03 08:17 14336 c:\windows\Temp\sophos_autoupdate1.dir\xmlcpp.dll
+ 2009-05-18 12:45 . 2008-02-13 15:49 18432 c:\windows\Temp\sophos_autoupdate1.dir\SharedRes.dll
+ 2009-05-18 12:45 . 2007-04-03 08:17 20480 c:\windows\Temp\sophos_autoupdate1.dir\crypto.dll
+ 2009-05-18 12:45 . 2007-04-02 10:07 45056 c:\windows\Temp\sophos_autoupdate1.dir\boost_date_time-vc71-mt-1_32.dll
+ 2009-05-18 12:44 . 2009-05-18 12:44 16384 c:\windows\Temp\Perflib_Perfdata_544.dat
+ 2009-05-18 12:45 . 2008-12-24 11:35 2970 c:\windows\Temp\sophos_autoupdate1.dir\scf.dat
+ 2009-05-18 12:45 . 2008-12-24 11:33 208896 c:\windows\Temp\sophos_autoupdate1.dir\retailer.dll
+ 2009-05-18 12:45 . 2004-03-17 18:06 348160 c:\windows\Temp\sophos_autoupdate1.dir\MSVCR71.DLL
+ 2009-05-18 12:45 . 2004-03-17 18:06 499712 c:\windows\Temp\sophos_autoupdate1.dir\MSVCP71.DLL
+ 2009-05-18 12:45 . 2007-03-30 16:12 745472 c:\windows\Temp\sophos_autoupdate1.dir\libeay32.dll
+ 2009-05-18 12:45 . 2008-12-23 19:47 159744 c:\windows\Temp\sophos_autoupdate1.dir\libcurl.dll
+ 2009-05-18 12:45 . 2008-12-24 11:34 176128 c:\windows\Temp\sophos_autoupdate1.dir\CidSync.dll
+ 2009-05-18 12:45 . 2008-12-24 11:34 172032 c:\windows\Temp\sophos_autoupdate1.dir\ChannelUpdater.dll
+ 2009-05-18 12:45 . 2008-12-24 11:34 659456 c:\windows\Temp\sophos_autoupdate1.dir\ALUpdate.exe
+ 2009-05-18 12:44 . 2008-12-16 21:59 109080 c:\windows\Temp\logishrd\LVPrcInj01.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"NVIEW"="nview.dll" - c:\windows\system32\nview.dll [2003-03-04 831557]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 40960]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"PS2"="c:\windows\system32\ps2.exe" [2002-08-01 81920]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 172032]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-26 267064]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2003-04-04 50176]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2008-12-23 245760]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk
backup=c:\windows\pss\Forget Me Not.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=c:\windows\pss\GStartup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\CIMSVR.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [28/04/2009 11:33 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [28/04/2009 11:33 72944]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [11/05/2008 22:09 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [11/05/2008 22:09 38528]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [28/03/2009 20:26 55152]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [22/09/2008 12:18 69632]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [21/08/2008 13:04 98304]
R2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [14/01/2009 18:53 226656]
S3 AEAY;AEAY;c:\docume~1\Owner\LOCALS~1\Temp\AEAY.exe --> c:\docume~1\Owner\LOCALS~1\Temp\AEAY.exe [?]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 19:08 533360]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [31/07/2008 18:08 31592]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [28/04/2009 11:33 7408]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [30/11/2008 18:31 14976]
.
Contents of the 'Scheduled Tasks' folder

2009-05-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2009-05-18 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-01-01 23:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.virginmedia.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;localhost
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {AB676D96-BE22-4133-A45F-9FD6376366DA} - hxxp://www.freefunmp3.com/contenido/IconoMail.cab
DPF: {B90CD242-E0CB-4BAD-A1CE-44F2AE29A01E} - hxxp://www.internet-time.com/contenido/InternetTime.cab
DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} - hxxp://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game05.zylom.com/activex/zylomgamesplayer.cab
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-18 13:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1097021601-189710942-1697597423-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1344)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
SystemRoot\System32\smss.exe [684]
??\c:\windows\system32\csrss.exe [732]
??\c:\windows\system32\winlogon.exe [760]
c:\windows\system32\services.exe [804]
c:\windows\system32\lsass.exe [816]
c:\windows\system32\Ati2evxx.exe [988]
c:\windows\system32\svchost.exe [1004]
c:\windows\system32\svchost.exe [1084]
c:\windows\System32\svchost.exe [1180]
c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [1224]
c:\windows\system32\svchost.exe [1236]
c:\windows\system32\Ati2evxx.exe [1496]
c:\windows\System32\svchost.exe [1964]
c:\windows\system32\svchost.exe [2008]
c:\windows\system32\spoolsv.exe [180]
c:\windows\system32\CF16593.exe [616]
c:\windows\System32\svchost.exe [940]
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [1144]
c:\program files\Java\jre6\bin\jqs.exe [1348]
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [1448]
c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [1780]
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [1824]
c:\program files\Sophos\AutoUpdate\ALsvc.exe [1924]
c:\windows\System32\svchost.exe [1960]
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [2040]
c:\windows\System32\MsPMSPSv.exe [1892]
c:\windows\System32\alg.exe [2132]
c:\windows\system32\wscntfy.exe [2444]
c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe [2864]
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2888]
c:\windows\ALCXMNTR.EXE [2900]
c:\windows\system32\ps2.exe [2964]
c:\windows\system\hpsysdrv.exe [2984]
c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe [3076]
c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe [3092]
c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe [3120]
c:\program files\QuickTime\QTTask.exe [3160]
c:\program files\iTunes\iTunesHelper.exe [3184]
c:\program files\Logitech\QuickCam\Quickcam.exe [3212]
c:\program files\Java\jre6\bin\jusched.exe [3236]
c:\windows\system32\ctfmon.exe [3268]
c:\program files\Sophos\AutoUpdate\ALMon.exe [3408]
c:\program files\Common Files\Teleca Shared\CapabilityManager.exe [3544]
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe [2348]
c:\program files\iPod\bin\iPodService.exe [2840]
c:\program files\Common Files\Teleca Shared\Generic.exe [3524]
c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe [4072]
c:\windows\explorer.exe [1344]
c:\combofix\catchme.cfexe [5156]
.
**************************************************************************
.
Completion time: 2009-05-18 13:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-18 12:51
ComboFix2.txt 2009-05-17 07:11

Pre-Run: 80,015,376,384 bytes free
Post-Run: 79,939,870,720 bytes free

310 --- E O F --- 2009-05-13 08:43




Malwarebytes' Anti-Malware 1.36
Database version: 2147
Windows 5.1.2600 Service Pack 3

18/05/2009 14:09:02
mbam-log-2009-05-18 (14-09-02).txt

Scan type: Quick Scan
Objects scanned: 97704
Time elapsed: 6 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 18 May 2009 - 10:16 AM

Hello.

Please remove ALL older versions of Java except Java 6 update 13.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left: Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

Post back with a fresh DDS log once it's done.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#10 devilspride2k1

devilspride2k1
  • Topic Starter

  • Members
  • 48 posts
  • Gender:Female
  • Location:London UK

Posted 18 May 2009 - 03:05 PM

Hi Extremeboy ...really embarrassed to say I don't know how to remove all versions of java except the one you mentioned..do I do it through add/remove programs???
regards
C

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 18 May 2009 - 03:11 PM

Hello.

Nothing to be embarrassed about. Yes, you do remove them via add/remove.

I should have been a bit more helpful as well. Sorry about that.

Here's how you do it.

Removing Programs using Add/Remove

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please doubleclick the "Add or Remove Programs" icon
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

>>Remove ALL older versions of Java EXCEPT Java 6 Update 13<<

Additional instructions can be found here if needed.

With Regards,
Extremeboy

#12 devilspride2k1

devilspride2k1
  • Topic Starter

  • Members
  • 48 posts
  • Gender:Female
  • Location:London UK

Posted 18 May 2009 - 03:22 PM

(shame) that's ok was having a blond moment...children in bed now...and mind a bit more focused !!!! I have removed all java as requested....do I remove all J2SE as well...I think so but don't want to do the wrong t

#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 18 May 2009 - 07:31 PM

Hello.

I have removed all java as requested....do I remove all J2SE as well...I think so but don't want to do the wrong t

Yes. :thumbup2:

~Extremeboy

#14 devilspride2k1

devilspride2k1
  • Topic Starter

  • Members
  • 48 posts
  • Gender:Female
  • Location:London UK

Posted 19 May 2009 - 09:27 AM

Hi there I finally removed all the java, but am unable to run a kaspersky scan as it updates and then this message appears ...

Update has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program.
You must be online to update the Kaspersky Online Scanner 7.0 database. With the latest database updates, you can find new viruses and other threats. Please go online to use KasperskyOnline Scanner 7.0 [ERROR: Invalid file signature]

I have tried 4 times now and always the same ..I will wait to hear from you

Thanks

#15 devilspride2k1

devilspride2k1
  • Topic Starter

  • Members
  • 48 posts
  • Gender:Female
  • Location:London UK

Posted 19 May 2009 - 02:20 PM

Hi again ...just tried kaspersky again in the hope that it may be a problem their end not mine....and hey ho!! it appears it was as it is scanning now....I will get back to you as soon as I have completed it and I have run a new DDS
Regards

C
