
Spyware that has disabled Regedit.exe and restricted internet access


  • This topic is locked
10 replies to this topic

#1 hirec
  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:46 AM

Posted 25 May 2009 - 07:36 AM

Hi,

I'm using WIN XP SP2, and have recently started getting blue-screen hangups, restricted internet access (random changes to proxy server settings although I don't use a proxy), slowdown in IE startup, with no access to regedit.exe (whenever I try to run the editor, the desktop screen just refreshes). Oh, and I also have a lot of svchost.exe processes running whenever I check taskman. I've disabled amvo.exe and Id08.exe which were in my startup tab under the msconfig.exe utility. In short, my computer has been so totally hijacked - where do all these trojans/viruses come from?

Here is my log:


DDS (Ver_09-05-14.01) - NTFSx86 NETWORK
Run by VHS at 17:52:54.98 on Mon 05/25/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1.#QNAN.42 [GMT 5.5:30]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\DAP\DAP.EXE
C:\Documents and Settings\VHS\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://www.fulldotfind.com/pubac/ac.php?aid=166&sid=clean
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: 121973 Class: {31c2a4cc-289d-442a-950c-b33b1b06522b} - c:\windows\system32\121973\121973.dll
BHO: 272329 Class: {437a43d5-e5c3-4959-bbd0-f2bfb1edc6fd} - c:\windows\system32\sysloc\sysloc.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: DAPIELoader Class: {ff6c3cf0-4b15-11d1-abed-709549c10000} - c:\progra~1\dap\DAPIEL~1.DLL
TB: StylerToolBar: {d2f8f919-690b-4ea2-9fa7-a203d1e04f75} - c:\program files\styler\tb\StylerTB.dll
mRun: [VTTimer] VTTimer.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [inetprot] "c:\program files\inet protector\iprotect.exe" tray
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [<NO NAME>] c:\documents and settings\acer\.exe /i
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

============= SERVICES / DRIVERS ===============

S2 InternetProtectorService;Internet Protector System Service;c:\program files\inet protector\IProtectorService.exe [2008-12-17 592384]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2009-5-16 36608]

=============== Created Last 30 ================

2009-05-25 17:22 <DIR> --ds---- c:\documents and settings\vhs\UserData
2009-05-25 17:10 <DIR> --d----- c:\windows\system32\sysloc
2009-05-25 17:08 221,184 a------- c:\windows\system32\wmpns.dll
2009-05-25 17:08 <DIR> --d----- c:\documents and settings\VHS
2009-05-25 10:19 17,408 a------- c:\windows\system32\SYSDLL.exe
2009-05-25 10:19 <DIR> --d----- c:\windows\system32\121973
2009-05-23 13:55 <DIR> --d----- C:\SaveData
2009-05-22 21:22 90,112 a------- c:\windows\unvise32.exe
2009-05-22 21:22 <DIR> --d----- c:\program files\SWiSH Max2
2009-05-21 16:35 <DIR> --d----- c:\program files\Ken Ward's Makeup
2009-05-21 15:45 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-05-21 15:14 <DIR> --d----- c:\windows\pss
2009-05-19 06:11 <DIR> --d----- c:\windows\system32\recover
2009-05-19 06:06 <DIR> --d----- c:\program files\Trend Micro
2009-05-16 17:45 109,704 a------- c:\windows\system32\drivers\ssm_mdm.sys
2009-05-16 17:45 83,592 a------- c:\windows\system32\drivers\ssm_bus.sys
2009-05-16 17:45 15,112 a------- c:\windows\system32\drivers\ssm_mdfl.sys
2009-05-16 17:45 12,424 a------- c:\windows\system32\drivers\ssm_cmnt.sys
2009-05-16 17:45 12,424 a------- c:\windows\system32\drivers\ssm_cm.sys
2009-05-16 17:45 12,424 a------- c:\windows\system32\drivers\ssm_whnt.sys
2009-05-16 17:45 12,424 a------- c:\windows\system32\drivers\ssm_wh.sys
2009-05-16 17:45 <DIR> --d----- c:\windows\system32\Samsung_USB_Drivers
2009-05-16 17:44 110,592 a------- c:\windows\system32\FsUsbExDevice.Dll
2009-05-16 17:44 36,608 a------- c:\windows\system32\FsUsbExDisk.Sys
2009-05-16 17:44 233,472 a------- c:\windows\system32\FsUsbExService.Exe
2009-05-16 17:40 <DIR> --d----- c:\program files\Samsung
2009-05-16 16:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SpeedBit
2009-05-16 16:28 479,298 a------- c:\windows\system32\wbocx.ocx
2009-05-16 16:28 172,032 a------- c:\windows\system32\AniGIF.ocx
2009-05-16 16:28 50,688 a------- c:\windows\system32\wbhelp2.dll
2009-05-16 16:27 <DIR> --d----- c:\program files\DAP
2009-05-16 08:33 <DIR> --d----- c:\program files\Lavasoft
2009-05-12 15:44 <DIR> --d----- c:\program files\AVG
2009-05-03 16:02 <DIR> --d-h--- c:\windows\PIF

==================== Find3M ====================


============= FINISH: 17:54:05.01 ===============


#2 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:05:46 PM

Posted 25 May 2009 - 07:58 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 hirec
  • Topic Starter
  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:46 AM

Posted 25 May 2009 - 08:25 AM

Hi There!

Thanks for your quick reply and help.

Combofix.exe would not run as is - had to rename it. The first scan found an active rootkit and had to restart the computer. Here's the final combofix log:

ComboFix 09-05-24.07 - VHS 05/25/2009 18:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.190.74 [GMT 5.5:30]
Running from: c:\documents and settings\VHS\Desktop\2.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\windows\system32\121973
c:\windows\system32\121973\121973.dll
c:\windows\system32\drivers\UACamrqfvstvvwyfxm.sys
c:\windows\system32\pthread.dll
c:\windows\system32\SYSDLL.exe
c:\windows\system32\UACcgrbcddenkpjimi.log
c:\windows\system32\UACeomtdhbofuytgig.log
c:\windows\system32\UACgxwhkylnbbiuyxm.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACpthmsmjcxikrevg.db
c:\windows\system32\UACpwurriohendjrdu.dll
c:\windows\system32\UACqiesbyclbdwkspe.dll
c:\windows\system32\UACqmybweqcpywgoej.dll
c:\windows\system32\UACtrsfvnrphsxjtbr.log
c:\windows\system32\UACvpnewxlydwumqrs.dll
c:\windows\system32\UACvwqxrylotogjxvj.dat
c:\windows\system32\UACxvgrsktoqvksgev.dll
c:\windows\system32\wordpad.exe
c:\windows\system32\zip32.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_ACPI32
-------\Legacy_ATI64SI
-------\Legacy_FIPS32CUP
-------\Legacy_I386SI
-------\Legacy_KSI32SK
-------\Legacy_NETSIK
-------\Legacy_NICSK32
-------\Legacy_PORT135SIK
-------\Legacy_SECURENTM
-------\Legacy_WS2_32SIK


((((((((((((((((((((((((( Files Created from 2009-04-25 to 2009-05-25 )))))))))))))))))))))))))))))))
.

2009-05-25 13:00 . 2009-04-06 10:02 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-25 13:00 . 2009-04-06 10:02 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-25 13:00 . 2009-05-25 13:01 -------- d-----w c:\program files\1
2009-05-25 13:00 . 2009-05-25 13:00 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-25 11:52 . 2009-05-25 11:52 -------- d-s---w c:\documents and settings\VHS\UserData
2009-05-25 11:47 . 2009-05-25 11:49 -------- d-----w c:\documents and settings\VHS\Local Settings\Application Data\Adobe
2009-05-25 11:40 . 2009-05-25 11:40 -------- d-----w c:\windows\system32\sysloc
2009-05-23 08:25 . 2009-05-23 08:30 -------- d-----w C:\SaveData
2009-05-22 15:52 . 2004-03-29 10:53 90112 ----a-w c:\windows\unvise32.exe
2009-05-22 15:52 . 2009-05-22 15:52 -------- d-----w c:\program files\SWiSH Max2
2009-05-21 11:05 . 2009-05-21 11:27 -------- d-----w c:\program files\Ken Ward's Makeup
2009-05-21 10:15 . 2009-05-21 10:15 -------- d--h--w c:\windows\system32\GroupPolicy
2009-05-20 16:30 . 2009-05-25 10:28 -------- d-----w c:\windows\BDOSCAN8
2009-05-19 00:41 . 2009-05-19 00:41 -------- d-----w c:\windows\system32\recover
2009-05-19 00:36 . 2009-05-19 00:36 -------- d-----w c:\program files\Trend Micro
2009-05-16 12:15 . 2007-05-02 05:42 15112 ----a-w c:\windows\system32\drivers\ssm_mdfl.sys
2009-05-16 12:15 . 2007-05-02 05:42 109704 ----a-w c:\windows\system32\drivers\ssm_mdm.sys
2009-05-16 12:15 . 2007-05-02 05:42 83592 ----a-w c:\windows\system32\drivers\ssm_bus.sys
2009-05-16 12:15 . 2007-05-02 05:42 12424 ----a-w c:\windows\system32\drivers\ssm_cmnt.sys
2009-05-16 12:15 . 2007-05-02 05:42 12424 ----a-w c:\windows\system32\drivers\ssm_cm.sys
2009-05-16 12:15 . 2007-05-02 05:42 12424 ----a-w c:\windows\system32\drivers\ssm_whnt.sys
2009-05-16 12:15 . 2007-05-02 05:42 12424 ----a-w c:\windows\system32\drivers\ssm_wh.sys
2009-05-16 12:15 . 2009-05-16 12:15 -------- d-----w c:\windows\system32\Samsung_USB_Drivers
2009-05-16 12:15 . 2009-05-16 12:15 -------- d-----w c:\program files\DIFX
2009-05-16 12:14 . 2008-12-13 11:45 36608 ----a-w c:\windows\system32\FsUsbExDisk.Sys
2009-05-16 12:14 . 2008-12-13 11:45 110592 ----a-w c:\windows\system32\FsUsbExDevice.Dll
2009-05-16 12:14 . 2008-12-13 11:45 233472 ----a-w c:\windows\system32\FsUsbExService.Exe
2009-05-16 12:10 . 2009-05-19 00:35 -------- d-----w c:\program files\Samsung
2009-05-16 11:30 . 2009-05-16 11:31 83456 ----a-w c:\documents and settings\All Users\Application Data\SpeedBit\DAP\SDCondition.dll
2009-05-16 11:10 . 2009-05-25 11:46 36400 ----a-w c:\documents and settings\All Users\Application Data\SpeedBit\DAP\Updates\Condition.dll
2009-05-16 10:59 . 2009-05-25 13:06 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-16 10:58 . 2009-05-16 10:58 -------- d-----w c:\documents and settings\All Users\Application Data\SpeedBit
2009-05-16 10:58 . 2009-05-16 10:58 50688 ----a-w c:\windows\system32\wbhelp2.dll
2009-05-16 10:57 . 2009-05-16 11:10 -------- d-----w c:\program files\DAP
2009-05-16 03:38 . 2009-05-19 00:31 -------- dc----w c:\windows\system32\DRVSTORE
2009-05-16 03:03 . 2009-05-19 00:31 -------- d-----w c:\program files\Lavasoft
2009-05-16 03:03 . 2009-05-19 00:31 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-05-12 10:14 . 2009-05-12 10:14 -------- d-----w c:\program files\AVG
2009-05-03 10:32 . 2009-05-03 10:32 -------- d--h--w c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-25 09:41 . 2008-12-17 16:09 -------- d-----w c:\program files\AmiBroker
2009-05-20 22:59 . 2008-12-26 09:57 -------- d-----w c:\program files\DNA
2009-05-20 18:13 . 2008-12-17 17:21 -------- d-----w c:\program files\iNet Protector
2009-05-19 00:35 . 2008-12-17 12:35 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-12 10:02 . 2009-01-30 02:58 -------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2009-05-10 15:25 . 2009-02-24 10:39 -------- d-----w c:\program files\Unlocker
2009-04-20 10:55 . 2009-04-20 10:55 -------- d-----w c:\documents and settings\All Users\Application Data\TechSmith
2009-04-20 10:54 . 2009-04-20 10:54 -------- d-----w c:\program files\Common Files\TechSmith Shared
2009-04-20 10:54 . 2009-04-20 10:54 -------- d-----w c:\program files\TechSmith
2009-04-02 18:09 . 2009-04-02 18:09 0 ----a-w c:\windows\nsreg.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{437A43D5-E5C3-4959-BBD0-F2BFB1EDC6FD}]
2009-05-25 11:40 22528 ----a-w c:\windows\system32\sysloc\sysloc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"inetprot"="c:\program files\iNet Protector\iprotect.exe" [2008-02-29 1809920]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2003-05-07 36864]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2003-05-14 55296]

[HKLM\~\startupfolder\C:^Documents and Settings^acer^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\acer\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

R2 InternetProtectorService;Internet Protector System Service;c:\program files\iNet Protector\IProtectorService.exe [12/17/2008 10:51 PM 592384]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [5/16/2009 5:44 PM 36608]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{31C2A4CC-289D-442A-950C-B33B1B06522B} - c:\windows\system32\121973\121973.dll
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.fulldotfind.com/pubac/ac.php?aid=166&sid=clean
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-25 18:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
.
**************************************************************************
.
Completion time: 2009-05-25 18:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-25 13:21

Pre-Run: 1,588,678,656 bytes free
Post-Run: 1,565,224,960 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

162
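The DDS log in the first post and the ComboFix log above carry the same handful of indicators in machine-readable form: a proxy pointing at a port on the local machine, BHOs loading from oddly named subdirectories of system32, an autostart entry with no name whose program is a bare `.exe`, Security Center values set to 1 so the missing-antivirus and missing-updates warnings are silenced, and the randomly named UAC* files ComboFix deleted. The following Python script is an added example, not part of the thread and not DDS or ComboFix code: it runs those checks over constructed log lines shaped like the ones posted here (the sample lines, the category names and the heuristics are assumptions of this example, not DDS or ComboFix rules) and builds the REGEDIT4 fragment that turns the notifications back on, the same shape as the Registry:: block in the CFScript posted further down the thread.

```python
import re

# Constructed sample input: lines in the shape of the DDS "Pseudo HJT Report",
# the ComboFix "Reg Loading Points" section and the ComboFix "Other Deletions"
# list quoted in this thread. It is not a real log file.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: 121973 Class: {31c2a4cc-289d-442a-950c-b33b1b06522b} - c:\windows\system32\121973\121973.dll
BHO: 272329 Class: {437a43d5-e5c3-4959-bbd0-f2bfb1edc6fd} - c:\windows\system32\sysloc\sysloc.dll
mRun: [SoundMan] SOUNDMAN.EXE
dRun: [<NO NAME>] c:\documents and settings\acer\.exe /i
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000
c:\windows\system32\drivers\UACamrqfvstvvwyfxm.sys
c:\windows\system32\UACgxwhkylnbbiuyxm.dll
c:\windows\system32\wordpad.exe
"""

# A proxy aimed at the local machine means a process on the box sits in front of the browser.
LOCAL_PROXY = re.compile(r"ProxyServer\s*=\s*.*?(localhost|127\.0\.0\.1)", re.I)
# BHO line: "BHO: <name>: {CLSID} - <dll path>".
BHO_LINE = re.compile(r"^BHO:\s*(?P<name>.*?):\s*\{[0-9a-f-]{36}\}\s*-\s*(?P<path>.+)$", re.I)
# A DLL living in a subdirectory of system32 (legitimate BHOs rarely do).
SYS32_SUBDIR = re.compile(r"\\system32\\[^\\]+\\", re.I)
# Autostart line: "mRun: [<name>] <command>" (m = machine, u = user, d = default user).
RUN_LINE = re.compile(r"^[mud]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$", re.I)
# A program whose file name is empty before the extension, e.g. "...\acer\.exe".
BARE_EXT = re.compile(r"\\\.[a-z0-9]{1,4}(\s|$)", re.I)
# Security Center value set to 1: the "no antivirus"/"no updates" warnings are switched off.
DISABLE_NOTIFY = re.compile(r'^"(?P<value>\w+DisableNotify)"=dword:0*1$', re.I)
# Randomly named UAC*.{sys,dll,...} under system32, the shape of the files ComboFix deleted above.
UAC_FILE = re.compile(r"\\system32\\(drivers\\)?UAC[a-z]{8,}\.(sys|dll|log|dat|db)$", re.I)


def triage(log_text):
    """Return (category, line) pairs for each log line that matches an indicator."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if LOCAL_PROXY.search(line):
            findings.append(("proxy-to-localhost", line))
            continue
        bho = BHO_LINE.match(line)
        if bho:
            tokens = bho.group("name").split()
            numeric_name = bool(tokens) and tokens[0].isdigit()
            if numeric_name or SYS32_SUBDIR.search(bho.group("path")):
                findings.append(("suspicious-bho", line))
            continue
        run = RUN_LINE.match(line)
        if run:
            if run.group("name") == "<NO NAME>" or BARE_EXT.search(run.group("cmd")):
                findings.append(("suspicious-autostart", line))
            continue
        if DISABLE_NOTIFY.match(line):
            findings.append(("security-center-silenced", line))
            continue
        if UAC_FILE.search(line):
            findings.append(("random-uac-file", line))
    return findings


def reset_fragment(findings):
    """REGEDIT4 lines that turn the flagged Security Center notifications back on,
    the same shape as the Registry:: block of the CFScript posted in this thread."""
    values = [DISABLE_NOTIFY.match(line).group("value")
              for cat, line in findings if cat == "security-center-silenced"]
    if not values:
        return ""
    out = [r"[HKEY_LOCAL_MACHINE\software\microsoft\security center]"]
    out += ['"%s"=dword:00000000' % v for v in values]
    return "\n".join(out)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for category, line in results:
        print("%-26s %s" % (category, line))
    print()
    print(reset_fragment(results))
```

The heuristics are deliberately narrow: a BHO under Program Files or a DisableNotify value of 0 produces no finding, so the output is a short list an analyst reads against the raw log, not a verdict.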

#4 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:05:46 PM

Posted 25 May 2009 - 08:38 AM

Hi,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

Collect::[8]
c:\windows\system32\sysloc\sysloc.dll
Dirlook::
c:\windows\system32\sysloc
DDS::
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{437A43D5-E5C3-4959-BBD0-F2BFB1EDC6FD}]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again.
Then, please visit this site:
http://www.bleepingcomputer.com/submit-malware.php?channel=8
Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
Then click the "Send File" button below in order to upload it.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

By the way, is there any reason why you don't have an Antivirus installed? Or why your Windows is outdated? How are you supposed to prevent malware otherwise?
Not sure if you are aware of how severely infected your computer is and that all your passwords may be known.

#5 hirec
  • Topic Starter
  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:46 AM

Posted 25 May 2009 - 08:59 AM

Here is the new combofix log:

ComboFix 09-05-24.07 - VHS 05/25/2009 19:16.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.190.113 [GMT 5.5:30]
Running from: c:\documents and settings\VHS\Desktop\2.exe
Command switches used :: c:\documents and settings\VHS\Desktop\CFScript.txt

file zipped: c:\windows\system32\sysloc\sysloc.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\sysloc\sysloc.dll

.
((((((((((((((((((((((((( Files Created from 2009-04-25 to 2009-05-25 )))))))))))))))))))))))))))))))
.

2009-05-25 13:35 . 2009-05-25 13:35 -------- d-----w c:\documents and settings\VHS\Application Data\Malwarebytes
2009-05-25 13:00 . 2009-04-06 10:02 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-25 13:00 . 2009-04-06 10:02 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-25 13:00 . 2009-05-25 13:01 -------- d-----w c:\program files\1
2009-05-25 13:00 . 2009-05-25 13:00 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-25 11:52 . 2009-05-25 11:52 -------- d-s---w c:\documents and settings\VHS\UserData
2009-05-25 11:47 . 2009-05-25 11:49 -------- d-----w c:\documents and settings\VHS\Local Settings\Application Data\Adobe
2009-05-25 11:40 . 2009-05-25 13:46 -------- d-----w c:\windows\system32\sysloc
2009-05-23 08:25 . 2009-05-23 08:30 -------- d-----w C:\SaveData
2009-05-22 15:52 . 2004-03-29 10:53 90112 ----a-w c:\windows\unvise32.exe
2009-05-22 15:52 . 2009-05-22 15:52 -------- d-----w c:\program files\SWiSH Max2
2009-05-21 11:05 . 2009-05-21 11:27 -------- d-----w c:\program files\Ken Ward's Makeup
2009-05-21 10:15 . 2009-05-21 10:15 -------- d--h--w c:\windows\system32\GroupPolicy
2009-05-20 16:30 . 2009-05-25 10:28 -------- d-----w c:\windows\BDOSCAN8
2009-05-19 00:41 . 2009-05-19 00:41 -------- d-----w c:\windows\system32\recover
2009-05-19 00:36 . 2009-05-19 00:36 -------- d-----w c:\program files\Trend Micro
2009-05-16 12:15 . 2007-05-02 05:42 15112 ----a-w c:\windows\system32\drivers\ssm_mdfl.sys
2009-05-16 12:15 . 2007-05-02 05:42 109704 ----a-w c:\windows\system32\drivers\ssm_mdm.sys
2009-05-16 12:15 . 2007-05-02 05:42 83592 ----a-w c:\windows\system32\drivers\ssm_bus.sys
2009-05-16 12:15 . 2007-05-02 05:42 12424 ----a-w c:\windows\system32\drivers\ssm_cmnt.sys
2009-05-16 12:15 . 2007-05-02 05:42 12424 ----a-w c:\windows\system32\drivers\ssm_cm.sys
2009-05-16 12:15 . 2007-05-02 05:42 12424 ----a-w c:\windows\system32\drivers\ssm_whnt.sys
2009-05-16 12:15 . 2007-05-02 05:42 12424 ----a-w c:\windows\system32\drivers\ssm_wh.sys
2009-05-16 12:15 . 2009-05-16 12:15 -------- d-----w c:\windows\system32\Samsung_USB_Drivers
2009-05-16 12:15 . 2009-05-16 12:15 -------- d-----w c:\program files\DIFX
2009-05-16 12:14 . 2008-12-13 11:45 36608 ----a-w c:\windows\system32\FsUsbExDisk.Sys
2009-05-16 12:14 . 2008-12-13 11:45 110592 ----a-w c:\windows\system32\FsUsbExDevice.Dll
2009-05-16 12:14 . 2008-12-13 11:45 233472 ----a-w c:\windows\system32\FsUsbExService.Exe
2009-05-16 12:10 . 2009-05-19 00:35 -------- d-----w c:\program files\Samsung
2009-05-16 11:30 . 2009-05-16 11:31 83456 ----a-w c:\documents and settings\All Users\Application Data\SpeedBit\DAP\SDCondition.dll
2009-05-16 11:10 . 2009-05-25 11:46 36400 ----a-w c:\documents and settings\All Users\Application Data\SpeedBit\DAP\Updates\Condition.dll
2009-05-16 10:59 . 2009-05-25 13:06 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-16 10:58 . 2009-05-16 10:58 -------- d-----w c:\documents and settings\All Users\Application Data\SpeedBit
2009-05-16 10:58 . 2009-05-16 10:58 50688 ----a-w c:\windows\system32\wbhelp2.dll
2009-05-16 10:57 . 2009-05-16 11:10 -------- d-----w c:\program files\DAP
2009-05-16 03:38 . 2009-05-19 00:31 -------- dc----w c:\windows\system32\DRVSTORE
2009-05-16 03:03 . 2009-05-19 00:31 -------- d-----w c:\program files\Lavasoft
2009-05-16 03:03 . 2009-05-19 00:31 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-05-12 10:14 . 2009-05-12 10:14 -------- d-----w c:\program files\AVG
2009-05-03 10:32 . 2009-05-03 10:32 -------- d--h--w c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-25 09:41 . 2008-12-17 16:09 -------- d-----w c:\program files\AmiBroker
2009-05-20 22:59 . 2008-12-26 09:57 -------- d-----w c:\program files\DNA
2009-05-20 18:13 . 2008-12-17 17:21 -------- d-----w c:\program files\iNet Protector
2009-05-19 00:35 . 2008-12-17 12:35 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-12 10:02 . 2009-01-30 02:58 -------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2009-05-10 15:25 . 2009-02-24 10:39 -------- d-----w c:\program files\Unlocker
2009-04-20 10:55 . 2009-04-20 10:55 -------- d-----w c:\documents and settings\All Users\Application Data\TechSmith
2009-04-20 10:54 . 2009-04-20 10:54 -------- d-----w c:\program files\Common Files\TechSmith Shared
2009-04-20 10:54 . 2009-04-20 10:54 -------- d-----w c:\program files\TechSmith
2009-04-02 18:09 . 2009-04-02 18:09 0 ----a-w c:\windows\nsreg.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\system32\sysloc ----

2009-05-25 11:40 . 2009-05-25 13:46 22528 ----a-w c:\windows\system32\sysloc\sysloc.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"inetprot"="c:\program files\iNet Protector\iprotect.exe" [2008-02-29 1809920]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2003-05-07 36864]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2003-05-14 55296]

[HKLM\~\startupfolder\C:^Documents and Settings^acer^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\acer\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

R2 InternetProtectorService;Internet Protector System Service;c:\program files\iNet Protector\IProtectorService.exe [12/17/2008 10:51 PM 592384]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [5/16/2009 5:44 PM 36608]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.fulldotfind.com/pubac/ac.php?aid=166&sid=clean
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-25 19:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-05-25 19:19
ComboFix-quarantined-files.txt 2009-05-25 13:48
ComboFix2.txt 2009-05-25 13:21

Pre-Run: 1,571,627,008 bytes free
Post-Run: 1,564,356,608 bytes free

112
Upload was successful


_________________________________

Had Norton AV earlier but it was resource hogging. Then shifted to AVG Antivirus, but it didn't prevent this infection from taking place, neither could it detect anything. So I uninstalled that. Now looking for some other AV - your suggestions would be most helpful.

Will line up for updating XP as soon as this is done. Thanks for the warning. Also arranging to change all passwords from a different computer.

Uploaded the file [8]-Submit_2009-05-25_19.15.53 for your reference and awaiting further instructions.

Thanks!

#6 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:05:46 PM

Posted 25 May 2009 - 09:56 AM

Hi,

Thank you for the samples.
My personal recommendation for a free Antivirus is Avira. http://www.free-av.com/en/products/1/avira..._antivirus.html
You can also have the Premium version which is more powerful than the free version. See comparison on the same page below.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

#7 hirec
  • Topic Starter
  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:46 AM

Posted 25 May 2009 - 10:08 AM

Hello Again,

Combofix uninstalled.

Win XP is currently being updated, Avira downloaded and installed. regedit is working fine. IE is working fine. Startup is normal. Will get back to you if I have any further issues.

Another question - I have two USB pendrives for backing up data - do you think the infection could have crossed over to them? If yes, then how do we clean the pendrives? Also, I have a partition on my HDD - do we need to do anything for the other partition which is used to just store data?

When we say that P2P networks can cause infections, is it only when we try to install keygens/cracks or if we download songs as well? Would zone alarm help me in anyway?

Thanks for all your help and time.

#8 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:05:46 PM

Posted 25 May 2009 - 10:13 AM

Hi,

I see Combofix already deleted leftovers from a potential flashdrive infection, but it's always a good idea to insert it (don't open the DIR yet) and let Avira scan it.

"is it only when we try to install keygens/cracks or if we download songs as well"

It's for everything. Software, music etc, they may all be infected. As a matter of fact 80% of it is infected.

"Would zone alarm help me in anyway?"

Ehm, how would it help you if you already downloaded the file and launched it? 50% of the infected files should be detected by most AV, however, keep in mind that it is IMPOSSIBLE for the AVs to detect them all. That's why the best prevention is to avoid places where you can get infected.

Also,

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#9 hirec
  • Topic Starter
  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:46 AM

Posted 25 May 2009 - 10:17 AM

Words of wisdom indeed. Shall be looking up all the wonderful links that you have given me. Thanks a lot ! You are an angel !

#10 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:05:46 PM

Posted 25 May 2009 - 10:20 AM

You're most welcome

#11 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:05:46 PM

Posted 15 June 2009 - 10:19 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



