Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

My computer's infected with the Sinowal Trojan


  • This topic is locked This topic is locked
22 replies to this topic

#1 LoRider1

LoRider1

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:15 AM

Posted 18 May 2009 - 05:50 PM

Hi. Can you please help me out? :-(

For the past month (?) I am alerted by my AVG anti-virus program resident shield that it detects a threat. In a pop-up window, AVG provides the following info:
* lists the threat name as Trojan horse PSW.Sinowal.S
* says it is "detected on open"
* States the file name is C:\Documents and Settings\All Users\Start Menu\Programs\Startup\uninstall.exe
(although I have seen at least one other file/location listed)
* Says the process name is c:\Windows\explorer.exe
* Process id (= various numbers listed here that are different each time)

I can't heal it, so I have sent this file to AVG's vault numerous times but I keep seeing the same popup threat detection window almost every time I restart my computer. I have run Superantispyware and Malwarebytes and removed whatever infections they found, but it is still there. I have already downloaded Combofix in preparation in case we need it. I also deleted all previous version of Java and reinstalled Java 6 update 13 today as well.

I have also had fairly routine computer crashes that are cited as "serious errors" my computer has recovered from after I reboot. I'm pretty sure they are related to the trojan.

Here is the contents of the DDS scan:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Home at 15:17:49.62 on 18/05/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.735.383 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\TELUS\TELUS Support Centre\bin\McciTrayApp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Home\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\MSMSGS.EXE" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_9
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [D-Link AirPlus G] c:\program files\d-link\airplus g\AirGCFG.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [VTPreset] VTPreset.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [TELUS_McciTrayApp] c:\program files\telus\telus support centre\bin\McciTrayApp.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\uninstall.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184737022004
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://vpn.integrityconcrete.ca/Remote/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} -
Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - c:\program files\quicktax 2008\ic2008pp.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-11 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-11 27784]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-4-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 72944]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-11 298776]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-3-22 450400]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-4-28 7408]
S3 JL2005C;Dual Mode Camera;c:\windows\system32\drivers\jl2005c.sys [2009-2-3 62794]

=============== Created Last 30 ================

2009-05-18 14:47 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-18 14:40 23,392 a------- c:\windows\system32\nscompat.tlb
2009-05-18 14:40 16,832 a------- c:\windows\system32\amcompat.tlb
2009-05-17 16:22 <DIR> --d----- c:\program files\iPod
2009-05-17 16:22 <DIR> --d----- c:\program files\iTunes
2009-05-17 16:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-15 13:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-15 13:15 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-15 13:15 <DIR> --d----- c:\docume~1\home\applic~1\SUPERAntiSpyware.com
2009-05-15 13:13 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-15 12:06 <DIR> --d----- c:\docume~1\home\applic~1\Malwarebytes
2009-05-15 12:06 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-15 12:06 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-15 12:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-15 12:06 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-15 00:28 127 a------- c:\windows\system32\MRT.INI
2009-05-01 11:30 3,366,912 a------- c:\windows\system32\GPhotos.scr

==================== Find3M ====================

2009-05-18 14:46 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-06 02:38 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-06 02:38 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-24 12:34 90,112 a------- c:\windows\system32\dpl100.dll
2009-02-24 12:34 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-02-24 12:34 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-02-24 12:34 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-02-24 12:34 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-02-24 12:34 684,032 a------- c:\windows\system32\DivX.dll
2009-02-20 11:09 78,336 a------- c:\windows\system32\ieencode.dll
2008-11-01 17:45 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110120081102\index.dat

============= FINISH: 15:19:41.78 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the &quot;Logic Free Zone&quot;, in Md, USA
  • Local time:04:15 AM

Posted 31 May 2009 - 02:21 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 LoRider1

LoRider1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:15 AM

Posted 31 May 2009 - 11:14 PM

Hi, here are the DDS scan results (and zipped attach file):

DDS (Ver_09-05-14.01) - NTFSx86
Run by Home at 21:06:19.26 on 31/05/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.735.238 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TELUS\TELUS Support Centre\bin\McciTrayApp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Home\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\MSMSGS.EXE" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_9
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [D-Link AirPlus G] c:\program files\d-link\airplus g\AirGCFG.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [VTPreset] VTPreset.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [TELUS_McciTrayApp] c:\program files\telus\telus support centre\bin\McciTrayApp.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\uninstall.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184737022004
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://vpn.integrityconcrete.ca/Remote/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} -
Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - c:\program files\quicktax 2008\ic2008pp.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-11 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-11 27784]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-4-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 72944]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-11 298776]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-3-22 450400]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-4-28 7408]
S3 JL2005C;Dual Mode Camera;c:\windows\system32\drivers\jl2005c.sys [2009-2-3 62794]

=============== Created Last 30 ================

2009-05-18 14:47 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-18 14:40 23,392 a------- c:\windows\system32\nscompat.tlb
2009-05-18 14:40 16,832 a------- c:\windows\system32\amcompat.tlb
2009-05-17 16:22 <DIR> --d----- c:\program files\iPod
2009-05-17 16:22 <DIR> --d----- c:\program files\iTunes
2009-05-17 16:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-15 13:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-15 13:15 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-15 13:15 <DIR> --d----- c:\docume~1\home\applic~1\SUPERAntiSpyware.com
2009-05-15 13:13 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-15 12:06 <DIR> --d----- c:\docume~1\home\applic~1\Malwarebytes
2009-05-15 12:06 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-15 12:06 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-15 12:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-15 12:06 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-15 00:28 127 a------- c:\windows\system32\MRT.INI

==================== Find3M ====================

2009-05-18 14:46 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-06 02:38 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-06 02:38 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-01 11:30 3,366,912 a------- c:\windows\system32\GPhotos.scr
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2008-11-01 17:45 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110120081102\index.dat

============= FINISH: 21:07:53.10 ===============

Attached Files



#4 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:15 AM

Posted 01 June 2009 - 09:02 PM

Hello, LoRider1 :thumbup2:
Please download MBR.exe from here ->
http://www2.gmer.net/mbr/mbr.exe

Save the file to your desktop and double click on it.

A new text file will appear on your desktop, created by the tool. Copy and paste that file here, please.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#5 LoRider1

LoRider1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:15 AM

Posted 04 June 2009 - 12:27 AM

Hi Billy,

Here is the MBR log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0x82f2675c
NDIS: VIA Compatable Fast Ethernet Adapter -> SendCompleteHandler -> 0x82f63790
Warning: possible MBR rootkit infection !
MBR rootkit code detected !
malicious code @ sector 0x4c8ed45 size 0x1fd !
copy of MBR has been found in sector 62 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
PE file found in sector at 0x04C8ED45 !

#6 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:15 AM

Posted 06 June 2009 - 03:11 AM

Hello, LoRider1 :thumbup2:
We need to execute a Batch File
  • Go to Start -> Run, and type "notepad" into the box.
  • Press ok.
  • Copy and paste the following code into notepad:
    mbr -f
  • Go to File -> Save
  • To the right of "Save as Type:" in the bottom of the window, change the ComboBox to "All Files"
  • Enter fix.bat into the "File name:" box just above the "Save as Type" box.
  • Double click fix.bat on your desktop.
A new MBR log will be created. Please post this.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#7 LoRider1

LoRider1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:15 AM

Posted 07 June 2009 - 12:02 AM

Here is the new MBR log you requested:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0x82f4875c
NDIS: VIA Compatable Fast Ethernet Adapter -> SendCompleteHandler -> 0x82f85790
Warning: possible MBR rootkit infection !
MBR rootkit code detected !
malicious code @ sector 0x4c8ed45 size 0x1fd !
copy of MBR has been found in sector 62 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
PE file found in sector at 0x04C8ED45 !
original MBR restored successfully !

#8 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:15 AM

Posted 08 June 2009 - 08:23 PM

Hello, LoRider1 :thumbup2:
We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
    Posted Image
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.
We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

If this tool helped you, please consider a donation to it's author: Posted Image

How to run ComboFix:
  • Please download ComboFix from one of the following mirrors, and save it to your desktop.
  • Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  • Double click Posted Image on your desktop.
  • Read and accept (Press Yes) to the disclaimer.
  • For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  • ComboFix will run. Simply wait for it to finish.
  • When it finishes, ComboFix will produce a log. Please post that log in your next reply here :)
NOTE: If ComboFix will not run, please rename it to GlobRemover.exe and try again!

In your next reply, please include the following:
  • GMER's Log
  • ComboFix.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#9 LoRider1

LoRider1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:15 AM

Posted 10 June 2009 - 01:13 PM

Hi Billy. Here is the GMER log:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-10 08:47:57
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF4FA4DF0]

---- Kernel code sections - GMER 1.0.15 ----

PAGE CLASSPNP.SYS!ClassInitialize + F4 F7A1542C 4 Bytes [56, 87, F4, 82]
PAGE CLASSPNP.SYS!ClassInitialize + FF F7A15437 4 Bytes [AC, 41, F4, 82]
PAGE CLASSPNP.SYS!ClassInitialize + 10A F7A15442 4 Bytes [68, 87, F4, 82]
PAGE CLASSPNP.SYS!ClassInitialize + 111 F7A15449 4 Bytes [5C, 87, F4, 82]
PAGE CLASSPNP.SYS!ClassInitialize + 118 F7A15450 4 Bytes [62, 87, F4, 82]
PAGE ...
? C:\DOCUME~1\Home\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[2768] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 408BF341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2768] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 40A51777 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2768] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 40A516F8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2768] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 40A5173C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2768] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 40A51684 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2768] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 40A516BE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2768] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 40A517B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2768] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 408E16B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\Cdrom \Device\CdRom0 82F48756
Device \Driver\Cdrom \Device\CdRom1 82F48756
Device \Driver\Disk \Device\Harddisk0\DR0 82F48756

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:564] 82F878D0
Thread System [4:596] 82F74BE0
Thread System [4:600] 82FBCDF0
Thread System [4:620] 82F55110

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\All Users\Start Menu\Programs\Startup\uninstall.exe (size mismatch) 421888/0 bytes executable

---- EOF - GMER 1.0.15 ----

And here is the ComboFix log:

**I should note that I diabled my AVG resident shield and SuperAntiSpyware but I don't think I disabled my Spybot Search and Destroy Resident Shield before running this. Will that be a problem with the results from Combofix?**

ComboFix 09-06-09.06 - Home 10/06/2009 10:53.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.735.524 [GMT -7:00]
Running from: c:\documents and settings\Home\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-05-10 to 2009-06-10 )))))))))))))))))))))))))))))))
.

2009-05-17 23:22 . 2009-05-17 23:22 -------- d-----w- c:\program files\iPod
2009-05-17 23:22 . 2009-05-17 23:23 -------- d-----w- c:\program files\iTunes
2009-05-17 23:22 . 2009-05-17 23:23 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-17 23:15 . 2009-05-17 23:15 -------- d-----w- c:\program files\Apple Software Update
2009-05-15 20:16 . 2009-06-05 04:28 117760 ----a-w- c:\documents and settings\Home\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-15 20:15 . 2009-05-15 20:15 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-15 20:15 . 2009-05-15 20:15 65024 ----a-r- c:\documents and settings\Home\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
2009-05-15 20:15 . 2009-05-15 20:15 18944 ----a-r- c:\documents and settings\Home\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
2009-05-15 20:15 . 2009-06-04 05:29 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-05-15 20:15 . 2009-05-15 20:15 -------- d-----w- c:\documents and settings\Home\Application Data\SUPERAntiSpyware.com
2009-05-15 20:13 . 2009-05-15 20:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-15 19:06 . 2009-05-15 19:06 -------- d-----w- c:\documents and settings\Home\Application Data\Malwarebytes
2009-05-15 19:06 . 2009-04-06 22:32 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-15 19:06 . 2009-04-06 22:32 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-15 19:06 . 2009-05-15 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-15 19:06 . 2009-05-15 19:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-14 04:46 . 2009-05-14 04:46 -------- d-----w- c:\documents and settings\Home\Application Data\dvdcss

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-18 21:46 . 2008-11-26 18:13 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-18 21:37 . 2007-08-01 17:09 -------- d-----w- c:\documents and settings\Home\Application Data\uTorrent
2009-05-18 21:34 . 2007-11-29 16:58 -------- d-----w- c:\program files\Windows Media Connect 2
2009-05-18 21:31 . 2008-03-07 16:49 -------- d-----w- c:\program files\QuickTax 2007
2009-05-18 21:29 . 2007-09-04 03:58 -------- d-----w- c:\program files\Java
2009-05-17 23:20 . 2007-07-20 20:12 -------- d-----w- c:\program files\QuickTime
2009-05-14 20:48 . 2008-03-19 05:43 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-05-06 09:38 . 2008-07-12 03:12 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-06 09:38 . 2008-07-12 03:11 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-06 09:38 . 2008-07-12 03:11 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr
2009-04-06 20:51 . 2009-04-06 20:51 152576 ----a-w- c:\documents and settings\Home\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-02 23:29 . 2009-04-02 23:29 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-03-19 23:32 . 2009-03-19 23:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 23:32 . 2006-09-19 21:44 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 2097488]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-04 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"D-Link AirPlus G"="c:\program files\D-Link\AirPlus G\AirGCFG.exe" [2005-03-18 1228800]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-17 49152]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"TELUS_McciTrayApp"="c:\program files\TELUS\TELUS Support Centre\bin\McciTrayApp.exe" [2007-10-08 1462272]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-06 1947928]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-18 148888]
"VTPreset"="VTPreset.exe" - c:\windows\system32\VTPreset.exe [2004-02-25 45056]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
uninstall.exe [2009-6-10 421888]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-06 09:38 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/07/2008 8:11 PM 325896]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [28/04/2009 11:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [28/04/2009 11:33 AM 72944]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/07/2008 8:11 PM 298776]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [22/03/2005 7:17 PM 450400]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [28/04/2009 11:33 AM 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AUJASNKJ
*Deregistered* - aujasnkj
.
Contents of the 'Scheduled Tasks' folder

2009-06-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} -
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-10 10:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3488)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-10 11:03
ComboFix-quarantined-files.txt 2009-06-10 18:03

Pre-Run: 15,382,986,752 bytes free
Post-Run: 15,931,965,440 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

Current=4 Default=4 Failed=1 LastKnownGood=5 Sets=1,2,3,4,5
144 --- E O F --- 2009-05-15 07:29

#10 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:15 AM

Posted 10 June 2009 - 08:27 PM

Hello, LoRider1 :thumbup2:
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
In your next reply, please include the following:
  • ESET OnlineScan's Log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#11 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:15 AM

Posted 15 June 2009 - 11:22 PM

Hello, LoRider1 :thumbup2:
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#12 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:15 AM

Posted 17 June 2009 - 11:11 PM

User returned; topic reopened.
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#13 LoRider1

LoRider1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:15 AM

Posted 18 June 2009 - 12:28 PM

Hi again Billy :thumbup2:

Well, I ran the ESET online scanner and I wasn't given the option to export to text file as there were no threats found. The scan results said:

Scanned files: 40,714
Infected files: 0
Cleaned files: 0

I should also tell you that our power was out last night and I again had to reboot my computer. So far I have not seen any alerts from AVG however.

What do we do next?

Cheers,
Andrew

#14 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:15 AM

Posted 18 June 2009 - 12:40 PM

Please rerun MBR.exe.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#15 LoRider1

LoRider1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:15 AM

Posted 19 June 2009 - 12:59 AM

Hi Billy,

Here is the new and improved MBR log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
PE file found in sector at 0x04C8ED45 !




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users