Unusual window shows at startup, after a removal of malware


This topic is locked
27 replies to this topic

#1 Anylopectina12

Posted 17 May 2009 - 09:25 PM

I am posting a topic here as suggested by a member of the Am I infected? What do I do? forum.

Here's the link: http://www.bleepingcomputer.com/forums/t/226764/unusual-window-shows-at-startup-moved/

Help me, I am having a problem with my computer. A window shows up every time I open my computer after the removal of a malware. How do I remove this?

I can't understand what it says, so I cannot post the message within it. Kindly visit the link for more details and for the screenshot of the said window.

Every day I update this report, for I run my anti-virus scan (Avira Free) every day and some things might as well have changed. I also run MBAM every day; if you want I can post the logs here.

Pseudo HJT Report:


DDS (Ver_09-05-14.01) - NTFSx86
Run by user at 10:20:32.14 on Mon 05/18/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.479.114 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\8CE26C\EBB9E4.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\8CE26C\V5-D74DF.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uStart Page = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [L08AXLRD_19483312] "c:\program files\microsoft student\microsoft student with encarta premium 2008 dvd\EDICT.EXE" -m
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ChikkaIndiaTimes] c:\progra~1\chikka~1\indiat~1.4\ChikkaLauncher.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
mRun: [FixCamera] c:\windows\FixCamera.exe
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [tsnpstd3] c:\windows\tsnpstd3.exe
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [EBB9E4] c:\windows\system32\8ce26c\EBB9E4.EXE
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\user\startm~1\programs\startup\ebb9e4.lnk - c:\windows\system32\8ce26c\EBB9E4.EXE
StartupFolder: c:\docume~1\user\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\user\startm~1\programs\startup\warkey~1.lnk - c:\program files\warkeys\autowarkey\autohotkey\AutoHotkey.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\4nq09nj8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-17 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-4-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-17 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-17 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-17 55640]
S2 RPCHE;Remote Procedure Call (RPCE);c:\program files\common files\microsoft shared\speech\csvd.exe --> c:\program files\common files\microsoft shared\speech\csvd.exe [?]
S3 asc3360pr;asc3360pr;\??\c:\windows\system32\drivers\tepnpn.sys --> c:\windows\system32\drivers\tepnpn.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-4-28 7408]
S4 cdawdm;CDAWDM;c:\windows\system32\drivers\cdawdm.sys --> c:\windows\system32\drivers\CDAWDM.sys [?]

=============== Created Last 30 ================

2009-05-17 13:36 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-05-17 13:36 --d----- c:\program files\Avira
2009-05-17 13:36 --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-05-17 13:20 --d----- c:\documents and settings\user\DoctorWeb
2009-05-15 19:44 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-15 19:44 --d----- c:\program files\SUPERAntiSpyware
2009-05-15 19:44 --d----- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2009-05-15 18:36 --d----- c:\program files\common files\Wise Installation Wizard
2009-05-14 12:44 695,578 a------- c:\windows\system32\unins000.exe
2009-05-14 12:44 65,536 a------- c:\windows\system32\camcodec.dll
2009-05-14 12:44 1,078 a------- c:\windows\system32\unins000.dat
2009-05-14 12:44 1,078 a------- c:\windows\system32\camcodec.ico
2009-05-14 12:39 --d----- c:\program files\CamStudio
2009-05-14 11:59 --d----- c:\docume~1\user\applic~1\dota-allstars.71E01812711E1682B196CE418CDA466F24682743.1
2009-05-14 11:58 --d----- c:\docume~1\user\applic~1\dota_allstars
2009-05-14 11:58 --d----- C:\Games
2009-05-07 20:55 --d----- c:\program files\Garena
2009-04-29 20:54 --d-h--- c:\windows\PIF
2009-04-25 07:33 --d-h--- c:\windows\system32\FCC5CE
2009-04-25 07:33 --d-h--- c:\windows\system32\231FCC
2009-04-25 07:32 --d-h--- c:\windows\system32\DEBB9E
2009-04-25 07:32 --d-h--- c:\windows\system32\8CE26C
2009-04-19 01:23 --d----- c:\program files\ABC Amber LIT Converter

==================== Find3M ====================

2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-28 00:31 88,970 a------- c:\windows\War3Unin.dat
2009-03-10 23:33 2,829 a------- c:\windows\War3Unin.pif
2009-03-10 23:33 139,264 a------- c:\windows\War3Unin.exe
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 11:09 78,336 a------- c:\windows\system32\ieencode.dll
2008-08-02 22:46 1,126 a------- c:\program files\.lnk
2008-09-20 22:29 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092020080921\index.dat

============= FINISH: 10:21:20.23 ===============

Edited by Anylopectina12, 18 May 2009 - 01:45 PM.



#2 Anylopectina12

Posted 19 May 2009 - 04:37 AM

Sorry, I can't edit my post, so I have to add a reply to this one.
I updated my log above after a scan by my antivirus yesterday.

DDS (Ver_09-05-14.01) - NTFSx86
Run by user at 17:04:08.45 on Tue 05/19/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.479.181 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\user\My Documents\Jan\removevirus files\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uStart Page = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [L08AXLRD_19483312] "c:\program files\microsoft student\microsoft student with encarta premium 2008 dvd\EDICT.EXE" -m
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ChikkaIndiaTimes] c:\progra~1\chikka~1\indiat~1.4\ChikkaLauncher.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
mRun: [FixCamera] c:\windows\FixCamera.exe
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [tsnpstd3] c:\windows\tsnpstd3.exe
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [EBB9E4] c:\windows\system32\8ce26c\EBB9E4.EXE
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\user\startm~1\programs\startup\ebb9e4.lnk - c:\windows\system32\8ce26c\EBB9E4.EXE
StartupFolder: c:\docume~1\user\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\user\startm~1\programs\startup\warkey~1.lnk - c:\program files\warkeys\autowarkey\autohotkey\AutoHotkey.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\4nq09nj8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-17 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-4-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-17 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-17 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-17 55640]
S2 RPCHE;Remote Procedure Call (RPCE);c:\program files\common files\microsoft shared\speech\csvd.exe --> c:\program files\common files\microsoft shared\speech\csvd.exe [?]
S3 asc3360pr;asc3360pr;\??\c:\windows\system32\drivers\tepnpn.sys --> c:\windows\system32\drivers\tepnpn.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-4-28 7408]
S4 cdawdm;CDAWDM;c:\windows\system32\drivers\cdawdm.sys --> c:\windows\system32\drivers\CDAWDM.sys [?]

=============== Created Last 30 ================

2009-05-18 23:26 <DIR> --d----- c:\docume~1\user\applic~1\Camfrog
2009-05-18 21:38 <DIR> --d----- c:\program files\Jmgr.info
2009-05-18 11:53 <DIR> --d----- c:\program files\Garena
2009-05-17 13:36 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-05-17 13:36 <DIR> --d----- c:\program files\Avira
2009-05-17 13:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-05-17 13:20 <DIR> --d----- c:\documents and settings\user\DoctorWeb
2009-05-15 19:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-15 19:44 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-15 19:44 <DIR> --d----- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2009-05-15 18:36 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-14 12:44 695,578 a------- c:\windows\system32\unins000.exe
2009-05-14 12:44 65,536 a------- c:\windows\system32\camcodec.dll
2009-05-14 12:44 1,078 a------- c:\windows\system32\unins000.dat
2009-05-14 12:44 1,078 a------- c:\windows\system32\camcodec.ico
2009-05-14 12:39 <DIR> --d----- c:\program files\CamStudio
2009-05-14 11:59 <DIR> --d----- c:\docume~1\user\applic~1\dota-allstars.71E01812711E1682B196CE418CDA466F24682743.1
2009-05-14 11:58 <DIR> --d----- c:\docume~1\user\applic~1\dota_allstars
2009-05-14 11:58 <DIR> --d----- C:\Games
2009-04-29 20:54 <DIR> --d-h--- c:\windows\PIF
2009-04-25 07:33 <DIR> --d-h--- c:\windows\system32\FCC5CE
2009-04-25 07:33 <DIR> --d-h--- c:\windows\system32\231FCC
2009-04-25 07:32 <DIR> --d-h--- c:\windows\system32\DEBB9E
2009-04-25 07:32 <DIR> --d-h--- c:\windows\system32\8CE26C

==================== Find3M ====================

2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-28 00:31 88,970 a------- c:\windows\War3Unin.dat
2009-03-10 23:33 2,829 a------- c:\windows\War3Unin.pif
2009-03-10 23:33 139,264 a------- c:\windows\War3Unin.exe
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 11:09 78,336 a------- c:\windows\system32\ieencode.dll
2008-08-02 22:46 1,126 a------- c:\program files\.lnk
2008-09-20 22:29 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092020080921\index.dat

============= FINISH: 17:04:56.37 ===============
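The entries a helper reads first in the two DDS logs above are the persistence lines: the mRun and StartupFolder entries both pointing into c:\windows\system32\8ce26c, the "- No File" browser entries, and the services whose file DDS marks with [?]. As an added example, not part of this thread and not the DDS tool's own code, the script below parses a constructed sample of lines in that DDS format and flags those patterns; the severity labels and the six-hex-character-folder heuristic are assumptions of this example, not DDS rules.

```python
"""Triage helper for the 'Pseudo HJT Report' and 'SERVICES / DRIVERS' line formats
produced by DDS, as seen in the logs above. Hypothetical example code."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample, modelled on entries in the thread's logs (not a real capture).
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [EBB9E4] c:\windows\system32\8ce26c\EBB9E4.EXE
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\user\startm~1\programs\startup\ebb9e4.lnk - c:\windows\system32\8ce26c\EBB9E4.EXE
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-17 55640]
S2 RPCHE;Remote Procedure Call (RPCE);c:\program files\common files\microsoft shared\speech\csvd.exe --> c:\program files\common files\microsoft shared\speech\csvd.exe [?]
S3 asc3360pr;asc3360pr;\??\c:\windows\system32\drivers\tepnpn.sys --> c:\windows\system32\drivers\tepnpn.sys [?]
"""

AUTORUN_RE = re.compile(r'^(?P<kind>[um]Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
STARTUP_RE = re.compile(r'^(?P<kind>StartupFolder): (?P<lnk>.+?\.lnk) - (?P<cmd>.*)$')
SERVICE_RE = re.compile(r'^(?P<state>[RS]\d) (?P<svc>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$')
# Heuristic (an assumption of this example): a six-hex-character folder directly under
# system32, like the hidden 8CE26C folder in the 'Created Last 30' section above.
HEX_DIR_RE = re.compile(r'\\system32\\([0-9a-f]{6})\\', re.I)
EXE_RE = re.compile(r'"?(?P<path>[^"]+?\.exe)', re.I)


@dataclass
class Finding:
    severity: str   # 'high', 'medium' or 'low' (labels chosen for this example)
    line: str       # the log line (or target path) that triggered it
    reason: str


def target_of(cmd: str) -> str:
    """Return the executable path from an autorun command line, unquoted and lowercased."""
    m = EXE_RE.match(cmd.strip())
    return (m.group('path') if m else cmd.strip()).lower()


def analyze(report: str) -> list:
    """Walk a DDS report and return the entries a helper would look at first."""
    findings = []
    autorun_kinds = defaultdict(list)   # target path -> mechanisms that start it
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = AUTORUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            target = target_of(m.group('cmd'))
            autorun_kinds[target].append(m.group('kind'))
            hexdir = HEX_DIR_RE.search(target)
            if hexdir:
                findings.append(Finding('high', line,
                    f'autorun target lives in hex-named system32 subfolder {hexdir.group(1)}'))
            continue
        if line.endswith('- No File'):
            # CLSID still registered but the DLL is gone: leftover of a removal or an uninstall
            findings.append(Finding('low', line, 'orphaned browser extension entry (file missing)'))
            continue
        m = SERVICE_RE.match(line)
        if m and m.group('rest').rstrip().endswith('[?]'):
            findings.append(Finding('medium', line,
                f'service {m.group("svc")} points at a file DDS could not verify on disk'))
    # The same binary registered through more than one autorun mechanism is worth a look:
    # legitimate software rarely needs both a Run key and a Startup-folder shortcut.
    for target, kinds in autorun_kinds.items():
        if len(kinds) > 1:
            findings.append(Finding('medium', target,
                'same executable registered by multiple autorun mechanisms: ' + ', '.join(kinds)))
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_LOG):
        print(f'[{f.severity:6}] {f.reason}\n         {f.line}')
```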

#3 KoanYorel

Posted 31 May 2009 - 02:01 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#4 Anylopectina12

Posted 03 June 2009 - 04:15 AM

Sorry for replying late. Well, I was about to forget this thread because of the long response time, but I clearly understand your hard work and I'm very sorry to reply late. I still have this problem on my computer after the removal of the malware (using MBAM). I think this malware redirected my internet browser to a Chinese website or a website with an unknown language. After the removal of it, a window appears at the startup of my computer. Maybe it is an error from failing to run the said virus. I followed every instruction from the What do I do? Am I infected? thread (link in my first post). I have updated and run a full scan from MBAM as well as AntiSpyware.

As you said, I've done the following per your instructions. Don't worry, I have disabled my A/V (Avira) and disconnected from the internet. I am willing to remove this window from showing up even though it does not affect my computer at this time. I'm very sorry for replying late and I promise to look at this always.




DDS (Ver_09-05-14.01) - NTFSx86
Run by user at 17:07:26.82 on Wed 06/03/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.479.227 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uStart Page = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: BHOManager Class: {474264bc-9571-47c1-85b9-780f756dc9ce} - c:\windows\system32\BHOManager.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [L08AXLRD_19483312] "c:\program files\microsoft student\microsoft student with encarta premium 2008 dvd\EDICT.EXE" -m
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
mRun: [FixCamera] c:\windows\FixCamera.exe
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [tsnpstd3] c:\windows\tsnpstd3.exe
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [EBB9E4] c:\windows\system32\8ce26c\EBB9E4.EXE
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SoundMan] SOUNDMAN.EXE
StartupFolder: c:\docume~1\user\startm~1\programs\startup\ebb9e4.lnk - c:\windows\system32\8ce26c\EBB9E4.EXE
StartupFolder: c:\docume~1\user\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\user\startm~1\programs\startup\warkey~1.lnk - c:\program files\warkeys\autowarkey\autohotkey\AutoHotkey.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} -
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: ShHook Class: {a5949e07-8536-4625-a3d0-2dd83f559990} - c:\windows\system32\ShellHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\4nq09nj8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-17 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-4-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-17 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-17 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-17 55640]
R2 paldrv;paldrv;c:\windows\system32\pal_drv.sys [2009-5-30 10951]
S2 RPCHE;Remote Procedure Call (RPCE);c:\program files\common files\microsoft shared\speech\csvd.exe --> c:\program files\common files\microsoft shared\speech\csvd.exe [?]
S3 asc3360pr;asc3360pr;\??\c:\windows\system32\drivers\tepnpn.sys --> c:\windows\system32\drivers\tepnpn.sys [?]
S3 GarenaPEngine;GarenaPEngine;c:\docume~1\user\locals~1\temp\JWL39.tmp [2009-6-3 18704]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-4-28 7408]
S4 cdawdm;CDAWDM;c:\windows\system32\drivers\cdawdm.sys --> c:\windows\system32\drivers\CDAWDM.sys [?]

=============== Created Last 30 ================

2009-06-02 03:37 <DIR> --d----- c:\program files\Garena Hack EXP
2009-06-02 03:28 <DIR> --d----- c:\program files\Garena
2009-06-02 03:24 4,096 a------- c:\windows\system32\detoured.dll
2009-06-01 23:45 49,152 a------- c:\windows\system32\ChCfg.exe
2009-06-01 23:44 4,122,368 a----r-- c:\windows\system32\drivers\alcxwdm.sys
2009-06-01 23:44 <DIR> --d----- c:\program files\Realtek AC97
2009-06-01 23:44 10,528,768 a------- c:\windows\system32\RTLCPL.exe
2009-06-01 23:44 141,016 a------- c:\windows\system32\alsndmgr.wav
2009-06-01 23:44 18,804,736 a------- c:\windows\system32\alsndmgr.cpl
2009-06-01 23:44 577,536 a------- c:\windows\soundman.exe
2009-06-01 23:44 147,456 a------- c:\windows\system32\RtlCPAPI.dll
2009-06-01 23:44 315,392 a------- c:\windows\alcupd.exe
2009-06-01 23:44 217,088 a------- c:\windows\Alcrmv.exe
2009-05-31 00:27 <DIR> --d----- c:\program files\common files\Bcgsoft
2009-05-30 15:41 22 a------- c:\windows\AQTProductInfo.INI
2009-05-30 01:38 1,025 a------- c:\windows\system32\urwx4o1.tgz
2009-05-30 01:36 10,951 a------- c:\windows\system32\pal_drv.sys
2009-05-30 01:32 140 a------- c:\windows\ODBC.INI
2009-05-30 01:31 <DIR> --d----- c:\program files\common files\Mercury Interactive
2009-05-30 01:26 <DIR> --d----- c:\program files\Mercury Interactive
2009-05-30 01:25 <DIR> --d----- c:\program files\Microsoft Script Debugger
2009-05-30 01:25 1,118 a------- c:\windows\mercury.ini
2009-05-30 01:23 <DIR> --d----- c:\windows\system32\URTTEMP
2009-05-30 01:21 102,400 a------- c:\windows\system32\tsccvid.dll
2009-05-29 20:46 721,168 a------- c:\windows\system32\vb40032.dll
2009-05-29 20:10 1,273,856 a------- c:\windows\system32\TTF16.ocx
2009-05-29 20:10 148,480 a------- c:\windows\system32\tlbinf32.dll
2009-05-29 19:59 229,376 a------- c:\windows\system32\duzactx.dll
2009-05-29 19:59 108,792 a------- c:\windows\system32\BHOManager.dll
2009-05-29 19:45 253,952 a------- c:\windows\system32\dzactx.dll
2009-05-29 19:45 73,728 a------- c:\windows\system32\dzocx32.ocx
2009-05-29 19:45 71,680 a------- c:\windows\system32\DUZOCX32.OCX
2009-05-29 19:45 69,632 a------- c:\windows\system32\dzstactx.dll
2009-05-29 19:45 42,496 a------- c:\windows\system32\DZSTAT32.OCX
2009-05-28 22:36 200,704 a------- c:\windows\system32\threed32.ocx
2009-05-28 22:36 81,712 a------- c:\windows\system32\pdx2dzez.ldl
2009-05-28 22:36 45,056 a------- c:\windows\system32\ShellHook.dll
2009-05-28 19:22 1,277,952 a------- c:\windows\system32\ExGrid.dll
2009-05-28 16:12 210,944 a------- c:\windows\system32\graph32.ocx
2009-05-28 16:12 131,072 a------- c:\windows\system32\dzip32.dll
2009-05-28 16:12 110,592 a------- c:\windows\system32\dunzip32.dll
2009-05-28 16:12 89,088 a------- c:\windows\system32\atl71.dll
2009-05-28 16:12 49,152 a------- c:\windows\system32\dz_ez32.dll
2009-05-28 16:12 32,768 a------- c:\windows\system32\dzprog32.exe
2009-05-28 14:35 166,408 a------- c:\windows\system32\msmask32.ocx
2009-05-28 14:35 133,904 a------- c:\windows\system32\MFCANS32.DLL
2009-05-28 13:44 446,464 a------- c:\windows\system32\HHActiveX.dll
2009-05-28 13:37 640,512 a------- c:\windows\system32\OC30.DLL
2009-05-28 13:30 290,816 a------- c:\windows\system32\gsw32.exe
2009-05-28 13:30 279,040 a------- c:\windows\system32\gswag32.dll
2009-05-28 12:52 159,744 a------- c:\windows\system32\ExPrint.dll
2009-05-26 14:15 69,632 a------- c:\windows\system32\gswdll32.dll
2009-05-22 14:25 208,744 a------- c:\windows\system32\muweb.dll
2009-05-22 14:25 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-05-22 14:25 268,648 a------- c:\windows\system32\mucltui.dll
2009-05-21 23:51 <DIR> --d----- c:\program files\common files\Windows Live
2009-05-18 23:26 <DIR> --d----- c:\docume~1\user\applic~1\Camfrog
2009-05-18 21:38 <DIR> --d----- c:\program files\Jmgr.info
2009-05-17 13:36 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-05-17 13:36 <DIR> --d----- c:\program files\Avira
2009-05-17 13:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-05-17 13:20 <DIR> --d----- c:\documents and settings\user\DoctorWeb
2009-05-15 19:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-15 19:44 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-15 19:44 <DIR> --d----- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2009-05-15 18:36 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-14 12:44 695,578 a------- c:\windows\system32\unins000.exe
2009-05-14 12:44 65,536 a------- c:\windows\system32\camcodec.dll
2009-05-14 12:44 1,078 a------- c:\windows\system32\unins000.dat
2009-05-14 12:44 1,078 a------- c:\windows\system32\camcodec.ico
2009-05-14 12:39 <DIR> --d----- c:\program files\CamStudio
2009-05-14 11:59 <DIR> --d----- c:\docume~1\user\applic~1\dota-allstars.71E01812711E1682B196CE418CDA466F24682743.1
2009-05-14 11:58 <DIR> --d----- c:\docume~1\user\applic~1\dota_allstars
2009-05-14 11:58 <DIR> --d----- C:\Games

==================== Find3M ====================

2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-03-28 00:31 88,970 a------- c:\windows\War3Unin.dat
2009-03-10 23:33 2,829 a------- c:\windows\War3Unin.pif
2009-03-10 23:33 139,264 a------- c:\windows\War3Unin.exe
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2008-09-20 22:29 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092020080921\index.dat

============= FINISH: 17:07:56.18 ===============


#5 extremeboy

extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:10:02 AM

Posted 03 June 2009 - 02:57 PM

Hello.

One of the infections is a file infector, Sality.

I recommend you format your computer and start over. These infections are very nasty and even once we try to clean it up it ends up with a very unstable machine.

More information on Sality can be found over here and here

Let me know if you have any questions or problems you may wish to ask.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#6 Anylopectina12

Anylopectina12
  • Topic Starter
  • Members
  • 22 posts
  • Local time:09:02 AM

Posted 04 June 2009 - 12:58 AM

Well, I don't know about the format thing, but my father said that our computer is being reformatted once a year, and he said that our computer was formatted 2 months ago. So is there any other way to remove it, like using removal tools or the HijackThis tool (I used it to remove a window saying "Sowar.vbs cannot be run" last month)? I think the virus you have mentioned has already been removed; my only problem is the window that shows up that cannot run the virus. So if removing it is dangerous, then I would not like to remove it and just wait for 10 months :thumbup2:

Thanks for replying fast.

#7 extremeboy

extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:10:02 AM

Posted 04 June 2009 - 04:21 PM

Hello.

We will start off with Combofix.

It doesn't matter when you formatted. Even if I formatted my computer yesterday and got a nasty infection like this today then a format is still a good option. I understand that you may not want to take the time to do it over again but I wanted to let you know.

Download and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2
Link 3

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.

With Regards,
Extremeboy

#8 Anylopectina12

Anylopectina12
  • Topic Starter
  • Members
  • 22 posts
  • Local time:09:02 AM

Posted 05 June 2009 - 04:19 AM

Sorry for replying late. I recently sent a report about my computer to the Windows Genuine stuff. (Well, I think I'm a victim.)

ComboFix 09-06-04.06 - user 06/05/2009 16:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.479.227 [GMT -7:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section - STAGE 1
'PV' is not recognized as an internal or external command


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\System\Uninstall
c:\recycle\D-0-060-0000000000-1111111-2222222
c:\recycle\D-0-060-0000000000-1111111-2222222\Desktop.ini
c:\recycler\k-1-3542-4232123213-7676767-8888886
c:\recycler\k-1-3542-4232123213-7676767-8888886\Desktop.ini
c:\windows\system32\drirlj9.dll
c:\windows\system32\mdm.exe
c:\windows\system32\prsgrc.dll
c:\windows\system32\rohz3k6.dll
c:\windows\system32\ssprs.dll
c:\windows\system32\toylg98.dll
c:\windows\system32\u9x11ex.dll
c:\windows\system32\uninstall.exe
c:\windows\system32\vfah2pb.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_asc3360pr


((((((((((((((((((((((((( Files Created from 2009-05-05 to 2009-06-05 )))))))))))))))))))))))))))))))
.

2009-06-04 08:54 . 2009-06-04 08:54 77256 ----a-w- c:\documents and settings\Ate\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-04 07:36 . 2009-06-04 07:36 -------- d-----w- c:\documents and settings\Ate\Local Settings\Application Data\Adobe
2009-06-04 04:06 . 2009-06-05 22:16 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\BearShare
2009-06-04 04:06 . 2009-06-04 04:08 -------- d-----w- c:\program files\BearShare Applications
2009-06-03 23:16 . 2009-06-03 23:16 -------- d-----w- c:\documents and settings\Ate\Application Data\skypePM
2009-06-03 23:14 . 2009-06-03 23:29 -------- d-----w- c:\documents and settings\Ate\Application Data\Skype
2009-06-03 21:27 . 2009-06-03 21:27 -------- d-----w- c:\documents and settings\Ate\Local Settings\Application Data\Mozilla
2009-06-02 10:37 . 2009-06-02 10:37 -------- d-----w- c:\program files\Garena Hack EXP
2009-06-02 10:28 . 2009-06-03 07:20 -------- d-----w- c:\program files\Garena
2009-06-02 10:24 . 2009-06-02 10:24 4096 ----a-w- c:\windows\system32\detoured.dll
2009-06-02 06:45 . 2006-08-01 22:02 49152 ----a-w- c:\windows\system32\ChCfg.exe
2009-06-02 06:44 . 2008-09-24 17:40 4122368 ----a-r- c:\windows\system32\drivers\alcxwdm.sys
2009-06-02 06:44 . 2009-06-02 06:44 -------- d-----w- c:\program files\Realtek AC97
2009-06-02 06:44 . 2006-12-08 22:20 10528768 ----a-w- c:\windows\system32\RTLCPL.exe
2009-06-02 06:44 . 2007-04-16 22:28 577536 ----a-w- c:\windows\soundman.exe
2009-06-02 06:44 . 2006-10-18 09:53 147456 ----a-w- c:\windows\system32\RtlCPAPI.dll
2009-06-02 06:44 . 2006-07-31 18:27 217088 ----a-w- c:\windows\Alcrmv.exe
2009-06-02 06:44 . 2006-07-31 18:19 315392 ----a-w- c:\windows\alcupd.exe
2009-05-31 07:27 . 2009-05-31 07:27 -------- d-----w- c:\program files\Common Files\Bcgsoft
2009-05-30 22:40 . 2009-05-30 22:40 127 ----a-w- c:\documents and settings\user\Local Settings\Application Data\fusioncache.dat
2009-05-30 22:40 . 2009-06-05 01:31 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\ApplicationHistory
2009-05-30 08:36 . 2009-05-26 07:13 10951 ----a-w- c:\windows\system32\pal_drv.sys
2009-05-30 08:31 . 2009-05-30 08:32 -------- d-----w- c:\program files\Common Files\Mercury Interactive
2009-05-30 08:26 . 2009-05-30 08:26 -------- d-----w- c:\program files\Mercury Interactive
2009-05-30 08:25 . 2009-05-30 08:26 -------- d-----w- c:\program files\Microsoft Script Debugger
2009-05-30 08:23 . 2009-05-30 08:23 -------- d-----w- c:\windows\system32\URTTEMP
2009-05-30 08:21 . 2005-06-15 10:00 102400 ----a-w- c:\windows\system32\tsccvid.dll
2009-05-30 03:46 . 2009-05-30 03:46 721168 ----a-w- c:\windows\system32\vb40032.dll
2009-05-30 03:10 . 2009-05-30 03:10 148480 ----a-w- c:\windows\system32\tlbinf32.dll
2009-05-30 02:59 . 2009-05-30 02:59 229376 ----a-w- c:\windows\system32\duzactx.dll
2009-05-30 02:59 . 2009-05-30 02:59 108792 ----a-w- c:\windows\system32\BHOManager.dll
2009-05-30 02:45 . 2009-05-30 02:45 69632 ----a-w- c:\windows\system32\dzstactx.dll
2009-05-30 02:45 . 2009-05-30 02:45 253952 ----a-w- c:\windows\system32\dzactx.dll
2009-05-29 05:36 . 2009-05-29 05:36 45056 ----a-w- c:\windows\system32\ShellHook.dll
2009-05-29 02:22 . 2009-05-29 02:22 1277952 ----a-w- c:\windows\system32\ExGrid.dll
2009-05-28 23:12 . 2009-05-28 23:12 89088 ----a-w- c:\windows\system32\atl71.dll
2009-05-28 23:12 . 2009-05-28 23:12 49152 ----a-w- c:\windows\system32\dz_ez32.dll
2009-05-28 23:12 . 2009-05-28 23:12 32768 ----a-w- c:\windows\system32\dzprog32.exe
2009-05-28 23:12 . 2009-05-28 23:12 131072 ----a-w- c:\windows\system32\dzip32.dll
2009-05-28 23:12 . 2009-05-28 23:12 110592 ----a-w- c:\windows\system32\dunzip32.dll
2009-05-28 21:35 . 2009-05-28 21:35 133904 ----a-w- c:\windows\system32\MFCANS32.DLL
2009-05-28 20:44 . 2009-05-28 20:44 446464 ----a-w- c:\windows\system32\HHActiveX.dll
2009-05-28 20:37 . 2009-05-28 20:37 640512 ----a-w- c:\windows\system32\OC30.DLL
2009-05-28 20:30 . 2009-05-28 20:30 290816 ----a-w- c:\windows\system32\gsw32.exe
2009-05-28 20:30 . 2009-05-28 20:30 279040 ----a-w- c:\windows\system32\gswag32.dll
2009-05-28 19:52 . 2009-05-28 19:52 159744 ----a-w- c:\windows\system32\ExPrint.dll
2009-05-26 21:15 . 2009-05-26 21:15 69632 ----a-w- c:\windows\system32\gswdll32.dll
2009-05-22 21:25 . 2008-10-16 21:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-05-22 21:25 . 2008-10-16 21:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-05-22 06:51 . 2009-05-22 06:51 -------- d-----w- c:\program files\Common Files\Windows Live
2009-05-19 06:30 . 2009-05-19 06:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-05-19 06:26 . 2009-05-19 06:26 -------- d-----w- c:\documents and settings\user\Application Data\Camfrog
2009-05-19 04:38 . 2009-05-19 04:38 -------- d-----w- c:\program files\Jmgr.info
2009-05-17 20:36 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-05-17 20:36 . 2009-03-24 23:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-05-17 20:36 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-05-17 20:36 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-05-17 20:36 . 2009-05-17 20:36 -------- d-----w- c:\program files\Avira
2009-05-17 20:36 . 2009-05-17 20:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-05-17 20:20 . 2009-05-17 20:20 -------- d-----w- c:\documents and settings\user\DoctorWeb
2009-05-16 17:25 . 2009-05-16 19:06 117760 ----a-w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-16 02:44 . 2009-05-16 02:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-16 02:44 . 2009-05-16 02:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-05-16 02:44 . 2009-05-16 02:44 -------- d-----w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2009-05-16 01:36 . 2009-05-16 01:36 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-14 19:44 . 2009-05-14 19:44 1078 ----a-w- c:\windows\system32\unins000.dat
2009-05-14 19:44 . 2009-05-14 19:44 695578 ----a-w- c:\windows\system32\unins000.exe
2009-05-14 19:44 . 2008-10-01 02:35 65536 ----a-w- c:\windows\system32\camcodec.dll
2009-05-14 19:39 . 2009-05-14 19:47 -------- d-----w- c:\program files\CamStudio
2009-05-14 18:59 . 2009-05-14 18:59 -------- d-----w- c:\documents and settings\user\Application Data\dota-allstars.71E01812711E1682B196CE418CDA466F24682743.1
2009-05-14 18:58 . 2009-05-15 20:48 -------- d-----w- c:\documents and settings\user\Application Data\dota_allstars
2009-05-14 18:58 . 2009-05-14 18:58 -------- d-----w- C:\Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-05 23:42 . 2009-02-01 03:41 -------- d-----w- c:\program files\DNA
2009-06-05 23:42 . 2009-02-01 03:41 -------- d-----w- c:\documents and settings\user\Application Data\DNA
2009-06-05 04:51 . 2009-03-10 05:02 -------- d-----w- c:\program files\Warcraft III
2009-06-04 04:07 . 2009-01-16 16:23 -------- d-----w- c:\documents and settings\user\Application Data\Skype
2009-06-04 04:07 . 2009-01-16 16:26 -------- d-----w- c:\documents and settings\user\Application Data\skypePM
2009-06-02 06:44 . 2008-08-02 19:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-01 18:06 . 2009-04-19 08:23 -------- d-----w- c:\program files\ABC Amber LIT Converter
2009-05-30 08:38 . 2004-08-03 21:56 1025 ----a-w- c:\windows\system32\urwx4o1.dll
2009-05-30 08:37 . 2004-08-03 21:56 1024 ----a-w- c:\windows\system32\grcauth2.dll
2009-05-30 08:37 . 2004-08-03 21:56 1024 ----a-w- c:\windows\system32\grcauth1.dll
2009-05-30 08:37 . 2004-08-03 21:56 1025 ----a-w- c:\windows\system32\clauth2.dll
2009-05-30 08:37 . 2004-08-03 21:56 1025 ----a-w- c:\windows\system32\clauth1.dll
2009-05-30 08:28 . 2008-08-02 19:03 -------- d-----w- c:\program files\Common Files\InstallShield
2009-05-30 04:39 . 2009-02-01 03:56 -------- d-----w- c:\documents and settings\user\Application Data\BitTorrent
2009-05-29 07:11 . 2008-10-26 01:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-29 07:10 . 2009-02-26 05:09 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-26 20:20 . 2008-10-26 01:50 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 20:19 . 2008-10-26 01:50 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-25 07:25 . 2008-08-02 19:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-19 06:25 . 2008-08-04 07:03 -------- d-----w- c:\program files\Yahoo!
2009-05-08 00:53 . 2008-08-03 18:15 -------- d-----w- c:\documents and settings\user\Application Data\Wildfire
2009-05-06 00:46 . 2009-05-06 00:46 0 ----a-w- c:\windows\nsreg.dat
2009-05-05 07:28 . 2008-08-02 20:09 -------- d-----w- c:\program files\Windows Media Connect 2
2009-04-24 20:32 . 2008-08-25 22:28 40 ----a-w- c:\windows\RSoftInfo.dat
2009-04-17 04:00 . 2009-02-01 03:41 -------- d-----w- c:\program files\BitTorrent
2009-04-13 22:48 . 2009-04-13 20:18 -------- d-----w- c:\program files\Warkeys
2009-04-03 07:41 . 2008-08-02 19:06 77256 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-02 04:06 . 2009-04-02 04:06 152576 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-28 07:31 . 2009-03-11 06:28 88970 ----a-w- c:\windows\War3Unin.dat
2009-03-13 00:43 . 2009-01-16 17:22 785176 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-03-13 00:43 . 2009-01-16 17:22 582936 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgiproxy.exe
2009-03-13 00:43 . 2009-01-16 17:23 591640 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgnsx.exe
2009-03-11 06:33 . 2009-03-11 06:28 2829 ----a-w- c:\windows\War3Unin.pif
2009-03-11 06:33 . 2009-03-11 06:28 139264 ----a-w- c:\windows\War3Unin.exe
2009-03-09 12:19 . 2009-02-27 05:27 410984 ----a-w- c:\windows\system32\deploytk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"L08AXLRD_19483312"="c:\program files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" [2007-05-21 351000]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-06 4347120]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-02-01 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FixCamera"="c:\windows\FixCamera.exe" [2007-07-11 20480]
"snpstd3"="c:\windows\vsnpstd3.exe" [2007-05-10 835584]
"tsnpstd3"="c:\windows\tsnpstd3.exe" [2007-04-21 270336]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-11-02 167936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"EBB9E4"="c:\windows\system32\8CE26C\EBB9E4.EXE" [2009-04-25 114688]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]

c:\documents and settings\user\Start Menu\Programs\Startup\
EBB9E4.lnk - c:\windows\system32\8CE26C\EBB9E4.EXE [2009-4-25 114688]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
Warkeys Update.lnk - c:\program files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe [2008-3-9 240640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
"{A5949E07-8536-4625-A3D0-2DD83F559990}"= "c:\windows\system32\ShellHook.dll" [2009-05-29 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/17/2009 1:36 PM 108289]
R2 paldrv;paldrv;c:\windows\system32\pal_drv.sys [5/30/2009 1:36 AM 10951]
S2 RPCHE;Remote Procedure Call (RPCE);c:\program files\Common Files\Microsoft Shared\Speech\csvd.exe --> c:\program files\Common Files\Microsoft Shared\Speech\csvd.exe [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
S4 cdawdm;CDAWDM;c:\windows\system32\DRIVERS\CDAWDM.sys --> c:\windows\system32\DRIVERS\CDAWDM.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
FastUserSwitchingCompatibility
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
NWCWorkstation
Schedule
Seclogon
SRService
Themes
TrkWks
W32Time
Wmi
WmdmPmSp
winmgmt
wscsvc
xmlprov
BITS
wuauserv
ShellHWDetection
helpsvc
napagent
hkmsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-21CX3C644141}]
c:\config\S-1-5-21-1482476501-1644491937-682003330-1013\Cfg.exe
.
Contents of the 'Scheduled Tasks' folder

2009-06-05 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-10 05:18]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\4nq09nj8.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-05 16:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WgaTray.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-06-05 16:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-05 23:51

Pre-Run: 16,625,582,080 bytes free
Post-Run: 17,441,742,848 bytes free

257 --- E O F --- 2009-06-01 10:40

#9 extremeboy

extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:10:02 AM

Posted 06 June 2009 - 07:12 PM

Hello.

QUOTE
Sorry for replying late. I recently sent a report about my computer to the Windows Genuine stuff. (Well, I think I'm a victim.)

What do you mean exactly? What report and "stuff"?

You had a backdoor infection. Let me know what you wish to do.

Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

With Regards,
Extremeboy

#10 Anylopectina12

Anylopectina12
  • Topic Starter
  • Members
  • 22 posts
  • Local time:09:02 AM

Posted 07 June 2009 - 01:16 AM

Hello.

QUOTE
Sorry for replying late. I recently sent a report about my computer to the Windows Genuine stuff. (Well, I think I'm a victim.)

What do you mean exactly? What report and "stuff"?

I have my Windows genuine now, so disregard this problem.

Don't worry, I'm just 16 years old and I don't have any transactions on the internet (except neobux) for extra money, and I still haven't redeemed it. Well, I think I got this trojan because my older brother downloaded dangerous programs (camfrog and free bearshare). My father won't let me reformat this computer, as I said, every year only.

QUOTE
We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If it is possible then be it. If I need to uninstall some programs that are prone to viruses then tell me. I have no choice but to clean this machine.

#11 extremeboy

extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:10:02 AM

Posted 07 June 2009 - 03:05 PM

Hello.

Uninstalling some programs won't remove this infection. Could you please delete ComboFix, re-download it from one of those links and run it again.

Post the log once it's complete.

With Regards,
Extremeboy

#12 Anylopectina12 (Topic Starter, Members, 22 posts)

Posted 08 June 2009 - 09:55 AM

OK here's the log

ComboFix 09-06-07.07 - user 06/08/2009 22:49.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.479.278 [GMT -7:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\prsgrc.dll
c:\windows\system32\ssprs.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-09 to 2009-06-09 )))))))))))))))))))))))))))))))
.

2009-06-07 20:55 . 2009-06-07 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\2E251
2009-06-07 20:53 . 2009-06-07 20:53 -------- d-----w- c:\documents and settings\Ate\Application Data\Yahoo!
2009-06-07 20:45 . 2009-06-07 20:48 -------- d-----w- c:\documents and settings\Ate\Local Settings\Application Data\BearShare
2009-06-04 08:54 . 2009-06-04 08:54 77256 ----a-w- c:\documents and settings\Ate\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-04 07:36 . 2009-06-04 07:36 -------- d-----w- c:\documents and settings\Ate\Local Settings\Application Data\Adobe
2009-06-04 04:06 . 2009-06-09 03:03 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\BearShare
2009-06-04 04:06 . 2009-06-09 00:18 -------- d-----w- c:\program files\BearShare Applications
2009-06-03 23:16 . 2009-06-03 23:16 -------- d-----w- c:\documents and settings\Ate\Application Data\skypePM
2009-06-03 23:14 . 2009-06-03 23:29 -------- d-----w- c:\documents and settings\Ate\Application Data\Skype
2009-06-03 21:27 . 2009-06-03 21:27 -------- d-----w- c:\documents and settings\Ate\Local Settings\Application Data\Mozilla
2009-06-02 10:28 . 2009-06-08 07:50 -------- d-----w- c:\program files\Garena
2009-06-02 10:24 . 2009-06-02 10:24 4096 ----a-w- c:\windows\system32\detoured.dll
2009-06-02 06:45 . 2006-08-01 22:02 49152 ----a-w- c:\windows\system32\ChCfg.exe
2009-06-02 06:44 . 2008-09-24 17:40 4122368 ----a-r- c:\windows\system32\drivers\alcxwdm.sys
2009-06-02 06:44 . 2009-06-02 06:44 -------- d-----w- c:\program files\Realtek AC97
2009-06-02 06:44 . 2006-12-08 22:20 10528768 ----a-w- c:\windows\system32\RTLCPL.exe
2009-06-02 06:44 . 2007-04-16 22:28 577536 ----a-w- c:\windows\soundman.exe
2009-06-02 06:44 . 2006-10-18 09:53 147456 ----a-w- c:\windows\system32\RtlCPAPI.dll
2009-06-02 06:44 . 2006-07-31 18:27 217088 ----a-w- c:\windows\Alcrmv.exe
2009-06-02 06:44 . 2006-07-31 18:19 315392 ----a-w- c:\windows\alcupd.exe
2009-05-31 07:27 . 2009-05-31 07:27 -------- d-----w- c:\program files\Common Files\Bcgsoft
2009-05-30 22:40 . 2009-05-30 22:40 127 ----a-w- c:\documents and settings\user\Local Settings\Application Data\fusioncache.dat
2009-05-30 22:40 . 2009-06-06 03:26 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\ApplicationHistory
2009-05-30 08:36 . 2009-05-26 07:13 10951 ----a-w- c:\windows\system32\pal_drv.sys
2009-05-30 08:31 . 2009-05-30 08:32 -------- d-----w- c:\program files\Common Files\Mercury Interactive
2009-05-30 08:26 . 2009-05-30 08:26 -------- d-----w- c:\program files\Mercury Interactive
2009-05-30 08:25 . 2009-05-30 08:26 -------- d-----w- c:\program files\Microsoft Script Debugger
2009-05-30 08:23 . 2009-05-30 08:23 -------- d-----w- c:\windows\system32\URTTEMP
2009-05-30 08:21 . 2005-06-15 10:00 102400 ----a-w- c:\windows\system32\tsccvid.dll
2009-05-30 03:46 . 2009-05-30 03:46 721168 ----a-w- c:\windows\system32\vb40032.dll
2009-05-30 03:10 . 2009-05-30 03:10 148480 ----a-w- c:\windows\system32\tlbinf32.dll
2009-05-30 02:59 . 2009-05-30 02:59 229376 ----a-w- c:\windows\system32\duzactx.dll
2009-05-30 02:59 . 2009-05-30 02:59 108792 ----a-w- c:\windows\system32\BHOManager.dll
2009-05-30 02:45 . 2009-05-30 02:45 69632 ----a-w- c:\windows\system32\dzstactx.dll
2009-05-30 02:45 . 2009-05-30 02:45 253952 ----a-w- c:\windows\system32\dzactx.dll
2009-05-29 05:36 . 2009-05-29 05:36 45056 ----a-w- c:\windows\system32\ShellHook.dll
2009-05-29 02:22 . 2009-05-29 02:22 1277952 ----a-w- c:\windows\system32\ExGrid.dll
2009-05-28 23:12 . 2009-05-28 23:12 89088 ----a-w- c:\windows\system32\atl71.dll
2009-05-28 23:12 . 2009-05-28 23:12 49152 ----a-w- c:\windows\system32\dz_ez32.dll
2009-05-28 23:12 . 2009-05-28 23:12 32768 ----a-w- c:\windows\system32\dzprog32.exe
2009-05-28 23:12 . 2009-05-28 23:12 131072 ----a-w- c:\windows\system32\dzip32.dll
2009-05-28 23:12 . 2009-05-28 23:12 110592 ----a-w- c:\windows\system32\dunzip32.dll
2009-05-28 21:35 . 2009-05-28 21:35 133904 ----a-w- c:\windows\system32\MFCANS32.DLL
2009-05-28 20:44 . 2009-05-28 20:44 446464 ----a-w- c:\windows\system32\HHActiveX.dll
2009-05-28 20:37 . 2009-05-28 20:37 640512 ----a-w- c:\windows\system32\OC30.DLL
2009-05-28 20:30 . 2009-05-28 20:30 290816 ----a-w- c:\windows\system32\gsw32.exe
2009-05-28 20:30 . 2009-05-28 20:30 279040 ----a-w- c:\windows\system32\gswag32.dll
2009-05-28 19:52 . 2009-05-28 19:52 159744 ----a-w- c:\windows\system32\ExPrint.dll
2009-05-26 21:15 . 2009-05-26 21:15 69632 ----a-w- c:\windows\system32\gswdll32.dll
2009-05-22 21:25 . 2008-10-16 21:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-05-22 21:25 . 2008-10-16 21:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-05-22 06:51 . 2009-05-22 06:51 -------- d-----w- c:\program files\Common Files\Windows Live
2009-05-19 06:30 . 2009-05-19 06:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-05-19 06:26 . 2009-05-19 06:26 -------- d-----w- c:\documents and settings\user\Application Data\Camfrog
2009-05-17 20:36 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-05-17 20:36 . 2009-03-24 23:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-05-17 20:36 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-05-17 20:36 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-05-17 20:36 . 2009-05-17 20:36 -------- d-----w- c:\program files\Avira
2009-05-17 20:36 . 2009-05-17 20:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-05-17 20:20 . 2009-05-17 20:20 -------- d-----w- c:\documents and settings\user\DoctorWeb
2009-05-16 17:25 . 2009-06-09 00:30 117760 ----a-w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-16 02:44 . 2009-05-16 02:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-16 02:44 . 2009-05-16 02:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-05-16 02:44 . 2009-05-16 02:44 -------- d-----w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2009-05-16 01:36 . 2009-05-16 01:36 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-14 19:44 . 2009-05-14 19:44 1078 ----a-w- c:\windows\system32\unins000.dat
2009-05-14 19:44 . 2009-05-14 19:44 695578 ----a-w- c:\windows\system32\unins000.exe
2009-05-14 19:44 . 2008-10-01 02:35 65536 ----a-w- c:\windows\system32\camcodec.dll
2009-05-14 19:39 . 2009-05-14 19:47 -------- d-----w- c:\program files\CamStudio
2009-05-14 18:59 . 2009-05-14 18:59 -------- d-----w- c:\documents and settings\user\Application Data\dota-allstars.71E01812711E1682B196CE418CDA466F24682743.1
2009-05-14 18:58 . 2009-05-15 20:48 -------- d-----w- c:\documents and settings\user\Application Data\dota_allstars

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-09 05:49 . 2009-02-01 03:41 -------- d-----w- c:\documents and settings\user\Application Data\DNA
2009-06-09 04:40 . 2009-03-10 05:02 -------- d-----w- c:\program files\Warcraft III
2009-06-09 02:18 . 2009-02-01 03:41 -------- d-----w- c:\program files\DNA
2009-06-09 02:05 . 2008-08-25 22:28 40 ----a-w- c:\windows\RSoftInfo.dat
2009-06-08 08:41 . 2009-01-16 16:23 -------- d-----w- c:\documents and settings\user\Application Data\Skype
2009-06-08 07:01 . 2009-01-16 16:26 -------- d-----w- c:\documents and settings\user\Application Data\skypePM
2009-06-02 06:44 . 2008-08-02 19:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-30 08:38 . 2004-08-03 21:56 1025 ----a-w- c:\windows\system32\urwx4o1.dll
2009-05-30 08:37 . 2004-08-03 21:56 1024 ----a-w- c:\windows\system32\grcauth2.dll
2009-05-30 08:37 . 2004-08-03 21:56 1024 ----a-w- c:\windows\system32\grcauth1.dll
2009-05-30 08:37 . 2004-08-03 21:56 1025 ----a-w- c:\windows\system32\clauth2.dll
2009-05-30 08:37 . 2004-08-03 21:56 1025 ----a-w- c:\windows\system32\clauth1.dll
2009-05-30 08:28 . 2008-08-02 19:03 -------- d-----w- c:\program files\Common Files\InstallShield
2009-05-30 04:39 . 2009-02-01 03:56 -------- d-----w- c:\documents and settings\user\Application Data\BitTorrent
2009-05-29 07:11 . 2008-10-26 01:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-29 07:10 . 2009-02-26 05:09 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-26 20:20 . 2008-10-26 01:50 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 20:19 . 2008-10-26 01:50 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-25 07:25 . 2008-08-02 19:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-19 06:25 . 2008-08-04 07:03 -------- d-----w- c:\program files\Yahoo!
2009-05-08 00:53 . 2008-08-03 18:15 -------- d-----w- c:\documents and settings\user\Application Data\Wildfire
2009-05-06 00:46 . 2009-05-06 00:46 0 ----a-w- c:\windows\nsreg.dat
2009-05-05 07:28 . 2008-08-02 20:09 -------- d-----w- c:\program files\Windows Media Connect 2
2009-04-17 04:00 . 2009-02-01 03:41 -------- d-----w- c:\program files\BitTorrent
2009-04-13 22:48 . 2009-04-13 20:18 -------- d-----w- c:\program files\Warkeys
2009-04-03 07:41 . 2008-08-02 19:06 77256 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-02 04:06 . 2009-04-02 04:06 152576 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-28 07:31 . 2009-03-11 06:28 88970 ----a-w- c:\windows\War3Unin.dat
2009-03-13 00:43 . 2009-01-16 17:22 785176 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-03-13 00:43 . 2009-01-16 17:22 582936 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgiproxy.exe
2009-03-13 00:43 . 2009-01-16 17:23 591640 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgnsx.exe
2009-03-11 06:33 . 2009-03-11 06:28 2829 ----a-w- c:\windows\War3Unin.pif
2009-03-11 06:33 . 2009-03-11 06:28 139264 ----a-w- c:\windows\War3Unin.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-06-05_23.42.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-09 02:18 . 2009-06-09 02:18 16384 c:\windows\Temp\Perflib_Perfdata_1a8.dat
+ 2007-04-10 21:02 . 2009-02-06 19:35 1486208 c:\windows\system32\LegitCheckControl.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"L08AXLRD_19483312"="c:\program files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" [2007-05-21 351000]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-06 4347120]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-02-01 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FixCamera"="c:\windows\FixCamera.exe" [2007-07-11 20480]
"snpstd3"="c:\windows\vsnpstd3.exe" [2007-05-10 835584]
"tsnpstd3"="c:\windows\tsnpstd3.exe" [2007-04-21 270336]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-11-02 167936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"EBB9E4"="c:\windows\system32\8CE26C\EBB9E4.EXE" [2009-04-25 114688]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]

c:\documents and settings\user\Start Menu\Programs\Startup\
EBB9E4.lnk - c:\windows\system32\8CE26C\EBB9E4.EXE [2009-4-25 114688]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
Warkeys Update.lnk - c:\program files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe [2008-3-9 240640]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
"{A5949E07-8536-4625-A3D0-2DD83F559990}"= "c:\windows\system32\ShellHook.dll" [2009-05-29 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\GameHouse Games Collection\\Wheel of Fortune\\Wheel of Fortune.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Mercury Interactive\\QuickTest Professional\\bin\\AQTRmtAgent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/17/2009 1:36 PM 108289]
R2 paldrv;paldrv;c:\windows\system32\pal_drv.sys [5/30/2009 1:36 AM 10951]
S2 RPCHE;Remote Procedure Call (RPCE);c:\program files\Common Files\Microsoft Shared\Speech\csvd.exe --> c:\program files\Common Files\Microsoft Shared\Speech\csvd.exe [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
S4 cdawdm;CDAWDM;c:\windows\system32\DRIVERS\CDAWDM.sys --> c:\windows\system32\DRIVERS\CDAWDM.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-21CX3C644141}]
c:\config\S-1-5-21-1482476501-1644491937-682003330-1013\Cfg.exe
.
Contents of the 'Scheduled Tasks' folder

2009-06-09 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-10 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\4nq09nj8.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-08 22:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-06-09 22:57
ComboFix-quarantined-files.txt 2009-06-09 05:57
ComboFix2.txt 2009-06-05 23:51

Pre-Run: 17,285,558,272 bytes free
Post-Run: 17,297,788,928 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

229 --- E O F --- 2009-06-01 10:40

#13 extremeboy (Malware Response Team, 12,975 posts)

Posted 08 June 2009 - 07:28 PM

Hello.

Please do the following.

Run ComboFix with CFScript

We will run ComboFix again. This time it will be slightly different from the initial run.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    http://www.bleepingcomputer.com/forums/t/227691/unusual-window-shows-at-startup-after-a-removal-of-malware/
    Collect::[68]
    c:\windows\system32\8CE26C\EBB9E4.EXE
    DirLook::
    c:\documents and settings\All Users\Application Data\2E251
    c:\windows\system32\8CE26C
    File::
    c:\documents and settings\user\Start Menu\Programs\Startup\EBB9E4.lnk
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000000
    "FirewallOverride"=dword:00000000
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
Upload Samples by ComboFix

When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.
  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue-screen would appear auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was Succesfull".
**NOTE**
=================
  • IF for some reason Combofix fails to upload anything please do the following:
  • Go to Start >> My Computer > C:\
  • Then Navigate to the C:\Qoobox\Quarantine folder.
  • Find the archive zip file called "[68]-Submit_Date_Time.zip"
  • Simply go to This Channel and upload the submit.zip archive file to me.
  • Follow the instructions on that page to copy/paste/send the requested file.

Let me know how it goes and if the upload went successfully or not in your next reply.

Update and Scan with MalwareBytes Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab
  • Select Check for Update and let MBAM download and install any available updates.
  • After the update is complete go to the Scanner tab.
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

With Regards,
Extremeboy
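Added example (not from the thread, and not ComboFix's or BleepingComputer's own tooling): a small Python script that reads the "Reg Loading Points" section of a ComboFix log like the one in post #12 and flags the indicators the CFScript in post #13 acts on. The log excerpt is constructed from the entries posted above; the regexes and the hex-named-folder heuristic are my own assumptions.

```python
import re

# Constructed excerpt: the lines are copied from the "Reg Loading Points"
# section of the ComboFix log posted above, trimmed to a few entries.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-02-01 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"EBB9E4"="c:\windows\system32\8CE26C\EBB9E4.EXE" [2009-04-25 114688]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\user\Start Menu\Programs\Startup\
EBB9E4.lnk - c:\windows\system32\8CE26C\EBB9E4.EXE [2009-4-25 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Line shapes that appear in the log (these regexes are my own assumptions).
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[')
LNK_ENTRY = re.compile(r'^(?P<name>.+?\.lnk) - (?P<path>.+?) \[')
DWORD_ENTRY = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})')
FIREWALL = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')
# Executable inside a hex-named folder directly under system32: the shape of
# the EBB9E4.EXE entry that the CFScript collects and removes.
HEX_DIR = re.compile(r'\\system32\\[0-9a-f]{4,16}\\[0-9a-f]{4,16}\.exe$', re.I)


def parse_loading_points(text):
    """Walk the log line by line, tracking the current [section] or Startup
    folder header. Returns (autostarts, overrides): autostarts is a list of
    {"name", "path", "where"} dicts, overrides maps setting name -> int."""
    autostarts, overrides = [], {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        if line.lower().endswith("\\startup\\"):
            section = "startup folder " + line.lower()
            continue
        if section is None:
            continue
        m = RUN_ENTRY.match(line) or LNK_ENTRY.match(line)
        if m and (section.endswith("\\run") or section.startswith("startup")):
            autostarts.append({"name": m["name"], "path": m["path"], "where": section})
            continue
        m = DWORD_ENTRY.match(line)
        if m and "security center" in section:
            overrides[m["name"]] = int(m["val"], 16)
            continue
        m = FIREWALL.match(line)
        if m and "firewallpolicy" in section:
            overrides["EnableFirewall"] = int(m["val"])
    return autostarts, overrides


def triage(text):
    """Return human-readable findings for the indicators the thread acts on:
    hex-named binaries under system32, one binary registered in several
    autostart locations, and Security Center / firewall settings that hide
    or disable protection."""
    autostarts, overrides = parse_loading_points(text)
    findings = []
    by_path = {}
    for entry in autostarts:
        by_path.setdefault(entry["path"].lower(), []).append(entry["where"])
        if HEX_DIR.search(entry["path"]):
            findings.append(f"hex-named executable under system32: "
                            f"{entry['name']} -> {entry['path']} ({entry['where']})")
    for path, places in by_path.items():
        if len(places) > 1:
            findings.append(f"same binary in {len(places)} autostart locations: {path}")
    for key in ("AntiVirusOverride", "FirewallOverride"):
        if overrides.get(key) == 1:
            findings.append(f"Security Center {key}=1 (missing AV/firewall warnings suppressed)")
    if overrides.get("EnableFirewall") == 0:
        findings.append("Windows Firewall standard profile has EnableFirewall=0")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

On the sample above the script reports the EBB9E4.EXE entry twice (HKLM Run and the Startup folder), the duplicate registration itself, both Security Center overrides and the disabled firewall, which are exactly the items the CFScript collects or resets.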

#14 Anylopectina12 (Topic Starter, Members, 22 posts)

Posted 09 June 2009 - 09:36 AM

The uploading of the samples (ComboFix) went fine.

Here's the MBAM log:

Malwarebytes' Anti-Malware 1.37
Database version: 2253
Windows 5.1.2600 Service Pack 3

6/9/2009 10:29:26 PM
mbam-log-2009-06-09 (22-29-26).txt

Scan type: Quick Scan
Objects scanned: 92514
Time elapsed: 3 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 17
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RPCHE (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#15 extremeboy (Malware Response Team, 12,975 posts)

Posted 09 June 2009 - 04:32 PM

Post the Combofix log please.

With Regards,
Extremeboy