uacd infection


This topic is locked
17 replies to this topic

#1 adaniel

adaniel

  • Members
  • 203 posts
  • OFFLINE
  • Local time:12:31 PM

Posted 30 May 2009 - 02:36 PM

I have gotten a uacd infection on a laptop I use for software development. It has much software loaded, so I would prefer very much not to have to reload. Running XP SP2. Have researched several posts here and elsewhere and tried several scans, but, as with others whose posts I have reviewed, it returns upon reboot. I can run mbam if I rename it and download updates if I do it quickly after reboot. Once PC has been online for any length of time, google links get redirected to windoowsclick. Am posting from another machine to minimize exposure on infected machine.

Thanks for any assistance you can offer.

adaniel

My apologies for jumping the gun. I will download DDS Tool and post logs per instructions.


DDS (Ver_09-05-14.01) - NTFSx86
Run by Administrator at 15:56:59.51 on Sat 05/30/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.427 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\UBL\bin\UBLServ.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\system32\inetsrv\DavCData.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\fdhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator.ADASBSW2K\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [CARPService] carpserv.exe
mRun: [Display Settings] c:\program files\hpq\notebook utilities\hptasks.exe /s
mRun: [QT4HPOT] c:\program files\hpq\one-touch\OneTouch.EXE
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [WinVNC] "c:\program files\tightvnc\WinVNC.exe" -servicehelper
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\linksys\wireless-g notebook adapter\Gcc.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} - hxxp://www.daviencrod.org/controls/LTOCX14N.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://help.bellsouth.net/sdccommon/download/tgctlcm.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} - hxxps://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} - hxxp://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210787405424
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://zone.msn.com/bingame/luxr/default/mjolauncher.cab
DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} - hxxp://www.daviencrod.org/controls/prntpro2.CAB
DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://w1.webex.com/client/T26L10NSP49/webex/ieatgpc.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: {237BBED6-6359-47F4-98E9-8990EE67E7E2} = 208.216.228.253,205.152.37.23
TCP: {70B5FB41-8C88-4273-8DCD-936E0154093A} = 10.0.100.4,10.0.100.225
TCP: {85B98F4F-034D-42C5-B177-273EAA6CF856} = 208.216.228.253,208.216.228.221
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1.ada\applic~1\mozilla\firefox\profiles\rvgrkxe7.default\

============= SERVICES / DRIVERS ===============

R0 crpf;crpf;c:\windows\system32\drivers\crpf.sys [2009-4-14 36624]
R0 csdf;cdsf;c:\windows\system32\drivers\csdf.sys [2009-4-14 39440]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-5-29 28544]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-5-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-28 55024]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-2-13 47640]
R2 Maxtor Sync Service;Maxtor Service;c:\program files\maxtor\sync\SyncServices.exe [2008-7-21 193888]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2005-11-14 106586]
R2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2003-9-29 237657]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2003-9-29 69706]
R2 UBLService5;U/BL Server;c:\ubl\bin\UBLServ.exe [2007-7-19 16384]
R3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\aliirda.sys [2005-11-14 26112]
R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;c:\windows\system32\drivers\caliaud.sys [2005-11-14 291328]
R3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [2005-11-14 244608]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\DP83815.sys [2003-10-17 16512]
R3 MSSQLFDLauncher$SQLEXPRESS;SQL Full-text Filter Daemon Launcher (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\fdlauncher.exe [2008-7-10 31256]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2003-9-29 83008]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-28 7408]
S2 nqrhbsdbiwas;nqrhbsdbiwas;\??\c:\windows\system32\drivers\bdvsbufimzbs.sys --> c:\windows\system32\drivers\bdvsbufimzbs.sys [?]
S2 ReportServer$SQLEXPRESS;SQL Server Reporting Services (SQLEXPRESS);c:\program files\microsoft sql server\msrs10.sqlexpress\reporting services\reportserver\bin\ReportingServicesService.exe [2008-7-10 1106968]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2009-5-30 20160]
S3 fa410;NETGEAR FA410TX Fast Ethernet PC Card Driver;c:\windows\system32\drivers\fa410nd5.sys [2006-11-16 24618]
S3 IOWEBLP;IOWEBLP;c:\docume~1\admini~1.ada\locals~1\temp\ioweblp.exe --> c:\docume~1\admini~1.ada\locals~1\temp\IOWEBLP.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-4-16 40160]
S3 sshvnic;SSH Virtual Network Adapter (sshvnic);c:\windows\system32\drivers\sshvnic5.sys --> c:\windows\system32\drivers\sshvnic5.sys [?]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-8-11 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-8-11 369688]

=============== Created Last 30 ================

2009-05-30 15:49 20,160 ac------ c:\windows\system32\dllcache\adm8511.sys
2009-05-30 15:49 20,160 a------- c:\windows\system32\drivers\ADM8511.SYS
2009-05-29 16:46 161,792 a------- c:\windows\SWREG.exe
2009-05-29 16:46 154,624 a------- c:\windows\PEV.exe
2009-05-29 16:46 98,816 a------- c:\windows\sed.exe
2009-05-29 14:30 0 a------- C:\backup.reg
2009-05-29 12:54 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-05-29 12:08 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-05-29 08:12 <DIR> --d----- c:\documents and settings\administrator.adasbsw2k\.housecall6.6
2009-05-28 23:26 127 a------- c:\windows\system32\MRT.INI
2009-05-28 21:05 1,193,414 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-05-28 21:05 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-05-01 11:30 1,325 a------- C:\3000.UB320D.090501

==================== Find3M ====================

2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-04-02 14:38 51,304 -------- c:\windows\system32\drivers\atnt40k.sys
2009-04-02 14:37 202,314 -------- c:\windows\system32\atasnt40.dll
2009-03-19 09:38 7,928 a------- c:\windows\system32\cnat.exe
2009-03-09 05:19 410,984 -------- c:\windows\system32\deploytk.dll
2009-03-06 10:44 283,648 a------- c:\windows\system32\pdh.dll

============= FINISH: 15:58:37.19 ===============


Edited by adaniel, 30 May 2009 - 03:07 PM.
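The two entries in that DDS log that a malware analyst would look at first are the `S2 nqrhbsdbiwas` driver, whose image `bdvsbufimzbs.sys` is still registered but reported as not found (`[?]`, which on a rootkit-infected box can mean the file is hidden rather than gone), and the `S3 IOWEBLP` service whose image lives in the user's Temp directory. As an added example that is not part of the original post or of the DDS or ComboFix tools, the Python below parses `SERVICES / DRIVERS` lines in their format and scores each entry with three simple heuristics: image not found at scan time, image under a Temp directory, and a service name plus image name that both look machine-generated. The sample lines are copied from the log above; the weights, the consonant-run heuristic and the `triage_log` / `flag_suspicious` function names are this example's own choices, not anything the tools do.

```python
import re
from os.path import splitext

# Constructed sample: six SERVICES / DRIVERS lines copied from the DDS log in this thread.
SAMPLE_LOG = "\n".join([
    r"R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-2-13 47640]",
    r"R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-4-16 40160]",
    r"S2 nqrhbsdbiwas;nqrhbsdbiwas;\??\c:\windows\system32\drivers\bdvsbufimzbs.sys --> c:\windows\system32\drivers\bdvsbufimzbs.sys [?]",
    r"S3 IOWEBLP;IOWEBLP;c:\docume~1\admini~1.ada\locals~1\temp\ioweblp.exe --> c:\docume~1\admini~1.ada\locals~1\temp\IOWEBLP.exe [?]",
    r"S3 sshvnic;SSH Virtual Network Adapter (sshvnic);c:\windows\system32\drivers\sshvnic5.sys --> c:\windows\system32\drivers\sshvnic5.sys [?]",
    r"S4 LMIRfsClientNP;LMIRfsClientNP; [x]",
])

# DDS/ComboFix line: <R|S><start type> <service name>;<display name>;<image path> [<date size> | ? | x]
# R = running, S = stopped; start type 0 boot, 1 system, 2 auto, 3 demand, 4 disabled.
LINE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
STATUS_RE = re.compile(r"^(?P<path>.*?)\s*\[(?P<status>[^\]]*)\]$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
CONSONANT_RUN_RE = re.compile(r"[b-df-hj-np-tv-z]+")

# Example weights (this example's own choice): one weight-3 finding is enough to flag an entry.
WEIGHTS = {"missing": 1, "temp": 3, "random": 3}
FLAG_THRESHOLD = 3


def looks_random(name: str) -> bool:
    """Heuristic for machine-generated names such as 'nqrhbsdbiwas': long, all lowercase,
    with a run of five or more consonants. Human-chosen names are usually mixed case or
    pronounceable, so treat a hit as a triage hint, not proof."""
    if len(name) < 10 or not name.islower():
        return False
    return max((len(r) for r in CONSONANT_RUN_RE.findall(name)), default=0) >= 5


def parse_line(line: str):
    """Return a dict for one service/driver line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    s = STATUS_RE.match(rest)
    path, status = (s.group("path"), s.group("status")) if s else (rest, "")
    # '\??\x --> y' means the registry ImagePath (NT object form) was resolved to y.
    if " --> " in path:
        path = path.split(" --> ")[-1]
    filename = path.replace("\\", "/").rsplit("/", 1)[-1]
    return {
        "state": "running" if m.group("state") == "R" else "stopped",
        "start": int(m.group("start")),
        "name": m.group("name"),
        "display": m.group("display"),
        "path": path,
        "status": status,           # '?' = file not found at scan time, 'x' = no path recorded
        "image": splitext(filename)[0],
    }


def triage_entry(entry: dict) -> dict:
    """Attach the list of findings and a numeric score to a parsed entry."""
    findings = []
    if entry["status"] == "?":
        findings.append("missing")   # registered, but the image was not found (or is hidden)
    if TEMP_RE.search(entry["path"]):
        findings.append("temp")      # services have no business running from a Temp directory
    if looks_random(entry["name"]) and looks_random(entry["image"]):
        findings.append("random")    # both names look generated, as droppers tend to do
    entry["findings"] = findings
    entry["score"] = sum(WEIGHTS[f] for f in findings)
    return entry


def triage_log(text: str) -> list:
    """Parse and score every service/driver line in a DDS or ComboFix log."""
    entries = (parse_line(l) for l in text.splitlines())
    return [triage_entry(e) for e in entries if e]


def flag_suspicious(text: str) -> list:
    """Names of entries whose score reaches FLAG_THRESHOLD, highest score first."""
    hits = [e for e in triage_log(text) if e["score"] >= FLAG_THRESHOLD]
    return [e["name"] for e in sorted(hits, key=lambda e: -e["score"])]


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f'{e["score"]:>2} {e["state"]:<7} {e["name"]:<16} {e["path"] or "-"}  {",".join(e["findings"]) or "-"}')
```

Run as a script it prints one scored row per entry; `sshvnic` and `vsdatant`-style leftovers score only 1 (missing file, nothing else), while `nqrhbsdbiwas` and `IOWEBLP` both reach 4. Feed it the `R0`..`S4` block of any DDS or ComboFix log and review the flagged names against the rest of the log, because a random-looking name alone can still belong to legitimate software.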



#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:31 AM

Posted 31 May 2009 - 10:13 AM

Hello! :thumbup2:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 adaniel

adaniel
  • Topic Starter

  • Members
  • 203 posts
  • OFFLINE
  • Local time:12:31 PM

Posted 31 May 2009 - 01:05 PM

Hi Sam. Thank you for your help. Will do my best to get ComboFix downloaded and run. Seems every time I connect to the Internet, I get hammered again.

adaniel

#4 adaniel

adaniel
  • Topic Starter

  • Members
  • 203 posts
  • OFFLINE
  • Local time:12:31 PM

Posted 31 May 2009 - 04:12 PM

Sam,

Here is the ComboFix log. Thank you again for your help.

adaniel


As I pasted the log, I notice that it says resident AV is active. I checked again and it looks like I have disabled both my McAfee and all the Antispyware. I am running McAfee Enterprise. Is there more I need to do and re-run ComboFix, or are we OK? Also noticed name is OAD3. Before I posted here, I had researched the UACDsys.dll and saw instructions for running ComboFix. That was before I saw the warning here to run it only with supervision. At that point, it would not run without renaming it. When I ran it this time, it said there was an updated version, so I installed that but I originally launched it from the renamed version.

Thanks


ComboFix 09-05-31.02 - Administrator 05/31/2009 16:07.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.500 [GMT -4:00]
Running from: c:\documents and settings\Administrator.ADASBSW2K\Desktop\oad3.exe
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-31 )))))))))))))))))))))))))))))))
.

2009-05-30 19:49 . 2001-08-17 16:11 20160 -c--a-w- c:\windows\system32\dllcache\adm8511.sys
2009-05-30 19:49 . 2001-08-17 16:11 20160 ----a-w- c:\windows\system32\drivers\ADM8511.SYS
2009-05-29 18:30 . 2009-05-29 18:30 0 ----a-w- C:\backup.reg
2009-05-29 16:54 . 2008-06-19 21:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-05-29 16:08 . 2007-08-02 02:47 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-05-29 13:40 . 2009-05-29 13:40 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-05-29 12:59 . 2009-05-29 18:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-05-29 12:59 . 2009-05-29 18:36 -------- d-----w- c:\program files\NOS
2009-05-29 12:12 . 2009-05-29 16:32 -------- d-----w- c:\documents and settings\Administrator.ADASBSW2K\.housecall6.6
2009-05-29 01:09 . 2009-03-06 14:44 283648 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-05-29 01:09 . 2009-02-06 16:54 35328 -c----w- c:\windows\system32\dllcache\sc.exe
2009-05-29 01:09 . 2005-07-26 04:39 60416 -c----w- c:\windows\system32\dllcache\colbact.dll
2009-05-29 01:09 . 2009-02-09 10:20 399360 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-05-29 01:09 . 2009-02-06 17:14 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-05-29 01:09 . 2009-02-09 10:20 473088 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-05-29 01:09 . 2009-02-09 10:20 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-29 01:09 . 2009-02-06 16:39 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-05-29 01:09 . 2009-02-09 10:20 723456 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-05-29 01:09 . 2009-02-09 10:20 616960 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-05-29 01:09 . 2009-02-09 10:20 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-05-29 01:05 . 2008-04-21 10:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-31 18:01 . 2009-04-17 17:23 117760 ----a-w- c:\documents and settings\Administrator.ADASBSW2K\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-31 04:05 . 2009-02-13 14:31 -------- d-----w- c:\program files\LogMeIn
2009-05-29 19:12 . 2008-05-09 22:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-29 13:36 . 2005-11-23 14:29 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-29 11:25 . 2008-07-24 13:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-05-29 04:00 . 2008-05-07 03:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-29 04:00 . 2008-05-07 03:49 -------- d-----w- c:\program files\SpywareBlaster
2009-05-28 20:49 . 2009-04-16 13:32 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-26 17:20 . 2009-04-16 13:32 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 17:19 . 2008-05-09 22:09 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-04-17 16:52 . 2009-04-17 16:52 22528 ----a-w- c:\documents and settings\Administrator.ADASBSW2K\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10000.dll
2009-04-17 16:52 . 2009-04-17 16:52 6144 ----a-w- c:\documents and settings\Administrator.ADASBSW2K\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10001.dll
2009-04-15 20:58 . 2008-05-16 01:37 -------- d-----w- c:\program files\Max Registry Cleaner
2009-04-15 14:38 . 2005-11-15 16:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-04-15 13:05 . 2005-11-15 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-14 15:57 . 2009-04-14 15:57 -------- d-----w- c:\program files\COMODO
2009-04-03 16:19 . 2008-11-18 18:52 -------- d-----w- c:\program files\Java
2009-04-03 16:16 . 2009-04-03 16:16 152576 ------w- c:\documents and settings\Administrator.ADASBSW2K\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-02 18:38 . 2008-07-02 15:24 -------- d-----w- c:\documents and settings\Administrator.ADASBSW2K\Application Data\webex
2009-04-02 18:38 . 2009-04-02 18:38 51304 ------w- c:\windows\system32\drivers\atnt40k.sys
2009-04-02 18:37 . 2009-04-02 18:37 202314 ------w- c:\windows\system32\atasnt40.dll
2009-03-19 13:38 . 2009-04-14 15:57 7928 ----a-w- c:\windows\system32\cnat.exe
2009-03-18 13:54 . 2009-04-14 15:57 39440 ----a-w- c:\windows\system32\drivers\csdf.sys
2009-03-18 13:53 . 2009-04-14 15:57 36624 ----a-w- c:\windows\system32\drivers\crpf.sys
2009-03-09 09:19 . 2008-11-18 18:53 410984 ------w- c:\windows\system32\deploytk.dll
2009-03-06 14:44 . 2002-08-29 20:00 283648 ----a-w- c:\windows\system32\pdh.dll
2005-09-15 23:26 . 2005-11-14 19:13 44153 ------w- c:\program files\mozilla firefox\components\inspector.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-29_21.42.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-31 17:56 . 2009-05-31 17:56 16384 c:\windows\Temp\Perflib_Perfdata_4ec.dat
+ 2008-12-02 03:02 . 2009-05-31 18:00 225173 c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-29 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-08-14 290816]
"Display Settings"="c:\program files\HPQ\Notebook Utilities\hptasks.exe" [2002-08-15 45056]
"QT4HPOT"="c:\program files\HPQ\One-Touch\OneTouch.EXE" [2003-01-31 106496]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-04-19 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-04-19 610304]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-26 90112]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2003-02-26 180316]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 81990]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2003-09-10 135251]
"WinVNC"="c:\program files\TightVNC\WinVNC.exe" [2007-05-08 589824]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"CARPService"="carpserv.exe" - c:\windows\system32\carpserv.exe [2003-05-21 4608]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2002-08-15 28672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless-G Notebook Adapter.lnk - c:\program files\Linksys\Wireless-G Notebook Adapter\Gcc.exe [2006-5-21 36864]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-04-16 13:28 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 01:35 87352 ------w- c:\windows\system32\LMIinit.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TightVNC\\vncviewer.exe"=
"c:\\Program Files\\Maxtor\\OneTouch Status\\MaxMenuMgr.exe"=

R0 crpf;crpf;c:\windows\system32\drivers\crpf.sys [4/14/2009 11:57 AM 36624]
R0 csdf;cdsf;c:\windows\system32\drivers\csdf.sys [4/14/2009 11:57 AM 39440]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [5/29/2009 12:54 PM 28544]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/28/2008 10:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/28/2008 10:33 AM 55024]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 7:46 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2/13/2009 10:32 AM 47640]
R2 UBLService5;U/BL Server;c:\ubl\bin\UBLServ.exe [7/19/2007 6:55 AM 16384]
R3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\aliirda.sys [11/14/2005 12:43 PM 26112]
R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;c:\windows\system32\drivers\caliaud.sys [11/14/2005 12:27 PM 291328]
R3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [11/14/2005 12:27 PM 244608]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\DP83815.sys [10/17/2003 1:38 PM 16512]
R3 MSSQLFDLauncher$SQLEXPRESS;SQL Full-text Filter Daemon Launcher (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\fdlauncher.exe [7/10/2008 2:15 AM 31256]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/28/2008 10:33 AM 7408]
S2 nqrhbsdbiwas;nqrhbsdbiwas;\??\c:\windows\system32\drivers\bdvsbufimzbs.sys --> c:\windows\system32\drivers\bdvsbufimzbs.sys [?]
S2 ReportServer$SQLEXPRESS;SQL Server Reporting Services (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSRS10.SQLEXPRESS\Reporting Services\ReportServer\bin\ReportingServicesService.exe [7/10/2008 3:22 AM 1106968]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [5/30/2009 3:49 PM 20160]
S3 fa410;NETGEAR FA410TX Fast Ethernet PC Card Driver;c:\windows\system32\drivers\fa410nd5.sys [11/16/2006 10:58 PM 24618]
S3 IOWEBLP;IOWEBLP;c:\docume~1\ADMINI~1.ADA\LOCALS~1\Temp\IOWEBLP.exe --> c:\docume~1\ADMINI~1.ADA\LOCALS~1\Temp\IOWEBLP.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [4/16/2009 9:32 AM 40160]
S3 sshvnic;SSH Virtual Network Adapter (sshvnic);c:\windows\system32\DRIVERS\sshvnic5.sys --> c:\windows\system32\DRIVERS\sshvnic5.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [8/11/2008 3:31 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 3:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [8/11/2008 3:31 PM 369688]

--- Other Services/Drivers In Memory ---

*Deregistered* - NaiAvFilter101
.
Contents of the 'Scheduled Tasks' folder

2009-04-30 c:\windows\Tasks\Rescue Reminder for 2HAS4SHW.job
- c:\program files\Maxtor\ManagerApp\MaxUtilities.exe [2008-07-21 21:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {237BBED6-6359-47F4-98E9-8990EE67E7E2} = 208.216.228.253,205.152.37.23
TCP: {70B5FB41-8C88-4273-8DCD-936E0154093A} = 10.0.100.4,10.0.100.225
TCP: {85B98F4F-034D-42C5-B177-273EAA6CF856} = 208.216.228.253,208.216.228.221
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} - hxxp://www.daviencrod.org/controls/LTOCX14N.cab
DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} - hxxp://www.daviencrod.org/controls/prntpro2.CAB
FF - ProfilePath - c:\documents and settings\Administrator.ADASBSW2K\Application Data\Mozilla\Firefox\Profiles\rvgrkxe7.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-31 16:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MMTray = c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe?w???g`x??V??g`x??SOFTWARE\MusicMatch\MusicMatch Jukebox\4.0\TrayApp??????? ?w?????????????\?wp ?w???????w???g ??????????g?????DY????????gbx??2???????????<?????@???X???X????????????????? ?Y???????Q?????
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????7?5?0?1??????? ??3B?????????????T?B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1308)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(236)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2009-05-31 16:38
ComboFix-quarantined-files.txt 2009-05-31 20:38
ComboFix2.txt 2009-05-29 21:51

Pre-Run: 16,514,433,024 bytes free
Post-Run: 16,552,386,560 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

190 --- E O F --- 2009-03-13 04:19

#5 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 01 June 2009 - 03:15 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, to your desktop.

    Driver::
    nqrhbsdbiwas

    File::
    c:\windows\system32\drivers\bdvsbufimzbs.sys

Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.



==================



Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
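The CFScript above removes a service with a random-looking name (nqrhbsdbiwas) whose driver file carries an unrelated, equally random name (bdvsbufimzbs.sys); the Malwarebytes log later in the thread shows the matching UAC*.dll and UAC*.sys files. As an added example, not code from this thread, from ComboFix or from Malwarebytes, here is a small Python reviewer for ComboFix "Drivers/Services" lines that flags those traits; the sample lines are constructed from identifiers in this thread, and a hit means "look at this entry", not a verdict.

```python
"""Heuristic review of ComboFix 'Drivers/Services' lines (added example).

Not code from the BleepingComputer thread, from ComboFix or from Malwarebytes.
Line shape as posted in the thread (the bracket holds a date and size, or a
marker such as [x] / [?] when ComboFix gives no file details):

    <start> <service>;<display name>;<image path> [<meta>]

The rules encode the traits the helper acted on in this thread: a service
with a random-looking lowercase name (nqrhbsdbiwas) whose driver file has an
unrelated, equally random name (bdvsbufimzbs.sys), plus the UAC<random>.dll
and UAC<random>.sys files Malwarebytes later reported as Trojan.TDSS.
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)"
    r"(?:\s+-->\s+\S.*?)?\s*\[(?P<meta>[^\]]*)\]\s*$"
)
RANDOM_NAME_RE = re.compile(r"^[a-z]{10,}$")   # long, letters only, no digits, no case mix
UAC_FILE_RE = re.compile(r"^uac[a-z]{8,}\.(?:dll|sys)$", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)


@dataclass
class Finding:
    service: str
    path: str
    reasons: list


def parse_line(line):
    """Split one ComboFix service line into its fields; None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def review_entry(name, display, path):
    """Return the list of rule descriptions this service entry trips (empty if none)."""
    reasons = []
    base = path.rsplit("\\", 1)[-1]
    stem = base.rsplit(".", 1)[0].lower() if "." in base else base.lower()
    # Rule 1: random-looking service name, no descriptive display name, and a
    # driver file whose name is also random-looking but unrelated to the service.
    if (RANDOM_NAME_RE.match(name) and display == name
            and RANDOM_NAME_RE.match(stem) and stem != name):
        reasons.append("random-looking service name with an unrelated random-looking driver file")
    # Rule 2: the UAC<random>.dll / UAC<random>.sys naming seen in this thread's TDSS files.
    if UAC_FILE_RE.match(base):
        reasons.append("UAC<random> file name, the pattern of this thread's Trojan.TDSS files")
    # Rule 3: a driver or service image living in a Temp directory deserves a look.
    if TEMP_DIR_RE.search(path):
        reasons.append("image loads from a Temp directory")
    return reasons


def review_log(text):
    """Return Findings, in log order, for every service line that trips a rule."""
    findings = []
    for line in text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        reasons = review_entry(fields["name"], fields["display"], fields["path"])
        if reasons:
            findings.append(Finding(fields["name"], fields["path"], reasons))
    return findings


# Constructed sample modelled on this thread's logs: the nqrhbsdbiwas and UACd
# lines are assembled from names the thread mentions (service name UACd is a
# constructed guess from the thread title), the others copy shapes from the logs.
SAMPLE_LOG = r"""
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-05-26 40160]
R3 IOWEBLP;IOWEBLP;c:\docume~1\ADMINI~1.ADA\LOCALS~1\Temp\IOWEBLP.exe [x]
R4 LMIRfsClientNP;LMIRfsClientNP; [x]
S0 crpf;crpf;c:\windows\System32\drivers\crpf.sys [2009-03-18 36624]
S3 nqrhbsdbiwas;nqrhbsdbiwas;c:\windows\system32\drivers\bdvsbufimzbs.sys [x]
S3 UACd;UACd;c:\windows\system32\drivers\UACprfxaysywbdxcuq.sys [x]
"""

if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f.service}: {f.path or '(no path)'}")
        for r in f.reasons:
            print(f"    - {r}")
```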

#6 adaniel
  • Topic Starter
  • Members
  • 203 posts

Posted 01 June 2009 - 09:35 PM

Sam,

I am running Combo Fix now (posting from another PC). I just wanted to make certain that it is normal for ComboFix to query about updating to a newer version. Both times I have started it in the past two days it has updated and restarted. It occurred to me that my malware may be doing that. Also, I can find no way to further disable my McAfee Enterprise AV; I have both On Demand and On Access disabled.

Shall I post both ComboFix and GMER logs in one post, or post ComboFix, then run GMER?

Thank you again for your help.

adaniel

#7 adaniel
  • Topic Starter
  • Members
  • 203 posts

Posted 01 June 2009 - 10:02 PM

Sam,

Here is the ComboFix log. I'll now download and run GMER and post that ASAP.

Thank you,
adaniel

ComboFix 09-05-31.06 - Administrator 06/01/2009 22:31.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.540 [GMT -4:00]
Running from: c:\documents and settings\Administrator.ADASBSW2K\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator.ADASBSW2K\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\drivers\bdvsbufimzbs.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NQRHBSDBIWAS
-------\Service_nqrhbsdbiwas


((((((((((((((((((((((((( Files Created from 2009-05-02 to 2009-06-02 )))))))))))))))))))))))))))))))
.

2009-05-30 19:49 . 2001-08-17 16:11 20160 -c--a-w- c:\windows\system32\dllcache\adm8511.sys
2009-05-30 19:49 . 2001-08-17 16:11 20160 ----a-w- c:\windows\system32\drivers\ADM8511.SYS
2009-05-29 18:30 . 2009-05-29 18:30 0 ----a-w- C:\backup.reg
2009-05-29 16:54 . 2008-06-19 21:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-05-29 16:08 . 2007-08-02 02:47 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-05-29 13:40 . 2009-05-29 13:40 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-05-29 12:59 . 2009-05-29 18:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-05-29 12:59 . 2009-05-29 18:36 -------- d-----w- c:\program files\NOS
2009-05-29 12:12 . 2009-05-29 16:32 -------- d-----w- c:\documents and settings\Administrator.ADASBSW2K\.housecall6.6
2009-05-29 01:09 . 2009-03-06 14:44 283648 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-05-29 01:09 . 2009-02-06 16:54 35328 -c----w- c:\windows\system32\dllcache\sc.exe
2009-05-29 01:09 . 2005-07-26 04:39 60416 -c----w- c:\windows\system32\dllcache\colbact.dll
2009-05-29 01:09 . 2009-02-09 10:20 399360 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-05-29 01:09 . 2009-02-06 17:14 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-05-29 01:09 . 2009-02-09 10:20 473088 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-05-29 01:09 . 2009-02-09 10:20 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-29 01:09 . 2009-02-06 16:39 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-05-29 01:09 . 2009-02-09 10:20 723456 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-05-29 01:09 . 2009-02-09 10:20 616960 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-05-29 01:09 . 2009-02-09 10:20 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-05-29 01:05 . 2008-04-21 10:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-02 02:45 . 2009-04-17 17:23 117760 ----a-w- c:\documents and settings\Administrator.ADASBSW2K\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-01 04:04 . 2009-02-13 14:31 -------- d-----w- c:\program files\LogMeIn
2009-05-29 19:12 . 2008-05-09 22:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-29 13:36 . 2005-11-23 14:29 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-29 11:25 . 2008-07-24 13:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-05-29 04:00 . 2008-05-07 03:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-29 04:00 . 2008-05-07 03:49 -------- d-----w- c:\program files\SpywareBlaster
2009-05-28 20:49 . 2009-04-16 13:32 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-26 17:20 . 2009-04-16 13:32 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 17:19 . 2008-05-09 22:09 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-04-17 16:52 . 2009-04-17 16:52 22528 ----a-w- c:\documents and settings\Administrator.ADASBSW2K\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10000.dll
2009-04-17 16:52 . 2009-04-17 16:52 6144 ----a-w- c:\documents and settings\Administrator.ADASBSW2K\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10001.dll
2009-04-15 20:58 . 2008-05-16 01:37 -------- d-----w- c:\program files\Max Registry Cleaner
2009-04-15 14:38 . 2005-11-15 16:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-04-15 13:05 . 2005-11-15 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-14 15:57 . 2009-04-14 15:57 -------- d-----w- c:\program files\COMODO
2009-04-03 16:19 . 2008-11-18 18:52 -------- d-----w- c:\program files\Java
2009-04-03 16:16 . 2009-04-03 16:16 152576 ------w- c:\documents and settings\Administrator.ADASBSW2K\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-02 18:38 . 2009-04-02 18:38 51304 ------w- c:\windows\system32\drivers\atnt40k.sys
2009-04-02 18:37 . 2009-04-02 18:37 202314 ------w- c:\windows\system32\atasnt40.dll
2009-03-19 13:38 . 2009-04-14 15:57 7928 ----a-w- c:\windows\system32\cnat.exe
2009-03-18 13:54 . 2009-04-14 15:57 39440 ----a-w- c:\windows\system32\drivers\csdf.sys
2009-03-18 13:53 . 2009-04-14 15:57 36624 ----a-w- c:\windows\system32\drivers\crpf.sys
2009-03-09 09:19 . 2008-11-18 18:53 410984 ------w- c:\windows\system32\deploytk.dll
2009-03-06 14:44 . 2002-08-29 20:00 283648 ----a-w- c:\windows\system32\pdh.dll
2005-09-15 23:26 . 2005-11-14 19:13 44153 ------w- c:\program files\mozilla firefox\components\inspector.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-29_21.42.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-02 03:02 . 2009-06-02 02:45 225179 c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-29 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-08-14 290816]
"Display Settings"="c:\program files\HPQ\Notebook Utilities\hptasks.exe" [2002-08-15 45056]
"QT4HPOT"="c:\program files\HPQ\One-Touch\OneTouch.EXE" [2003-01-31 106496]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-04-19 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-04-19 610304]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-26 90112]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2003-02-26 180316]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 81990]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2003-09-10 135251]
"WinVNC"="c:\program files\TightVNC\WinVNC.exe" [2007-05-08 589824]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"CARPService"="carpserv.exe" - c:\windows\system32\carpserv.exe [2003-05-21 4608]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2002-08-15 28672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless-G Notebook Adapter.lnk - c:\program files\Linksys\Wireless-G Notebook Adapter\Gcc.exe [2006-5-21 36864]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-04-16 13:28 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 01:35 87352 ------w- c:\windows\system32\LMIinit.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TightVNC\\vncviewer.exe"=
"c:\\Program Files\\Maxtor\\OneTouch Status\\MaxMenuMgr.exe"=

R2 ReportServer$SQLEXPRESS;SQL Server Reporting Services (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSRS10.SQLEXPRESS\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2008-07-10 1106968]
R3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\DRIVERS\ADM8511.SYS [2001-08-17 20160]
R3 fa410;NETGEAR FA410TX Fast Ethernet PC Card Driver;c:\windows\system32\DRIVERS\fa410nd5.sys [2001-08-17 24618]
R3 IOWEBLP;IOWEBLP;c:\docume~1\ADMINI~1.ADA\LOCALS~1\Temp\IOWEBLP.exe [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-05-26 40160]
R3 sshvnic;SSH Virtual Network Adapter (sshvnic);c:\windows\system32\DRIVERS\sshvnic5.sys [x]
R4 LMIRfsClientNP;LMIRfsClientNP; [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2008-08-11 47128]
R4 RsFx0102;RsFx0102 Driver;c:\windows\system32\DRIVERS\RsFx0102.sys [2008-07-10 242712]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-08-11 369688]
S0 crpf;crpf;c:\windows\System32\drivers\crpf.sys [2009-03-18 36624]
S0 csdf;cdsf;c:\windows\System32\drivers\csdf.sys [2009-03-18 39440]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-04-16 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-05-28 55024]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-07-24 12856]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-07-24 47640]
S2 UBLService5;U/BL Server;c:\ubl\bin\UBLServ.exe [2006-05-09 16384]
S3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\DRIVERS\aliirda.sys [2001-12-18 26112]
S3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;c:\windows\system32\drivers\caliaud.sys [2002-11-05 291328]
S3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [2002-11-05 244608]
S3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\DRIVERS\DP83815.SYS [2003-10-17 16512]
S3 MSSQLFDLauncher$SQLEXPRESS;SQL Full-text Filter Daemon Launcher (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\fdlauncher.exe [2008-07-10 31256]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-05-28 7408]


--- Other Services/Drivers In Memory ---

*Deregistered* - aawservice
*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - Arp1394
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - BackupExecAgentAccelerator
*Deregistered* - Beep
*Deregistered* - Browser
*Deregistered* - BrPar
*Deregistered* - CBTNDIS5
*Deregistered* - Cdfs
*Deregistered* - Compbatt
*Deregistered* - COMSysApp
*Deregistered* - crpf
*Deregistered* - CryptSvc
*Deregistered* - csdf
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - Fastfat
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HTTP
*Deregistered* - IISADMIN
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - irda
*Deregistered* - Irmon
*Deregistered* - JavaQuickStarterService
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - LMIInfo
*Deregistered* - LMIMaint
*Deregistered* - lmimirr
*Deregistered* - LMIRfsDriver
*Deregistered* - LogMeIn
*Deregistered* - Maxtor Sync Service
*Deregistered* - McAfeeFramework
*Deregistered* - McShield
*Deregistered* - McTaskManager
*Deregistered* - mdmxsdk
*Deregistered* - mmc_2K
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - MSSQL$SQLEXPRESS
*Deregistered* - MSSQLFDLauncher$SQLEXPRESS
*Deregistered* - Mup
*Deregistered* - NaiAvFilter1
*Deregistered* - NaiAvFilter101
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netlogon
*Deregistered* - Netman
*Deregistered* - NICSer_WPC54G
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - NtmsSvc
*Deregistered* - Null
*Deregistered* - odysseyIM4
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - pavboot
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasirda
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - SASDIFSV
*Deregistered* - SASENUM
*Deregistered* - SASKUTIL
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - SMTPSVC
*Deregistered* - Spooler
*Deregistered* - SQLWriter
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - StreamDispatcher
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - tmcomm
*Deregistered* - TrkWks
*Deregistered* - UBLService5
*Deregistered* - UdfReadr_xp
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - W3SVC
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - winvnc
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
.
Contents of the 'Scheduled Tasks' folder

2009-04-30 c:\windows\Tasks\Rescue Reminder for 2HAS4SHW.job
- c:\program files\Maxtor\ManagerApp\MaxUtilities.exe [2008-07-21 21:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {237BBED6-6359-47F4-98E9-8990EE67E7E2} = 208.216.228.253,205.152.37.23
TCP: {70B5FB41-8C88-4273-8DCD-936E0154093A} = 10.0.100.4,10.0.100.225
TCP: {85B98F4F-034D-42C5-B177-273EAA6CF856} = 208.216.228.253,208.216.228.221
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} - hxxp://www.daviencrod.org/controls/LTOCX14N.cab
DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} - hxxp://www.daviencrod.org/controls/prntpro2.CAB
FF - ProfilePath - c:\documents and settings\Administrator.ADASBSW2K\Application Data\Mozilla\Firefox\Profiles\rvgrkxe7.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-01 22:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MMTray = c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe?w???g`x??V??g`x??SOFTWARE\MusicMatch\MusicMatch Jukebox\4.0\TrayApp??????? ?w?????????????\?wp ?w???????w???g ??????????g?????DY????????gbx??2???????????<?????@???X???X????????????????? ?Y???????Q?????
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????7?5?0?1??????? ??3B?????????????T?B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1660)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\LMIinit.dll
c:\windows\system32\COMRes.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(3368)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\VsTskMgr.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\program files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\VERITAS\Backup Exec\RANT\beremote.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\fdhost.exe
c:\program files\Network Associates\VirusScan\Mcshield.exe
.
**************************************************************************
.
Completion time: 2009-06-02 22:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-02 02:59
ComboFix2.txt 2009-05-31 20:39
ComboFix3.txt 2009-05-29 21:51

Pre-Run: 18,250,727,424 bytes free
Post-Run: 18,187,853,824 bytes free

348 --- E O F --- 2009-03-13 04:19

#8 adaniel
  • Topic Starter
  • Members
  • 203 posts

Posted 01 June 2009 - 11:52 PM

Sam,

The GMER scan threw an error which triggered the Visual Basic debugger. When I clicked No on the debugger, GMER exited. I have restarted GMER scan. Any suggestions? Should I click Yes on the debugger?

Thank you again for your assistance,
adaniel

#9 adaniel
  • Topic Starter
  • Members
  • 203 posts

Posted 02 June 2009 - 11:21 AM

Sam,

The GMER scan ran successfully, but when I clicked OK, the screen cleared. Am I to post what is on the screen at the end of the scan? Should I save it to a file; if so where?

Thank you very much for your help. This is my first experience with GMER, so please pardon my ignorance.

adaniel

#10 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 02 June 2009 - 12:23 PM

Gmer should have created a log when it completed its scan. Odd that you didn't get it.

It's not unusual for Combofix to be updated daily, so that's nothing to be concerned about.


Are you still being redirected in your searches?


Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.

#11 adaniel
  • Topic Starter
  • Members
  • 203 posts

Posted 02 June 2009 - 04:05 PM

Thanks, Sam. I restarted GMER this afternoon after my post; it is still running. To get the log you need, do I just click Copy and paste it to this thread? As soon as it finishes, I'll download and run GooredFix per instructions.

I have not been doing anything on that laptop while trying to clean it up. In fact, when I know it's ok to do so, I have been disconnecting from the internet to avoid reinfection. After I run the GooredFix, I'll try to Google something and let you know the results in my next post.

Thank you again for your help.

adaniel

#12 adaniel
  • Topic Starter
  • Members
  • 203 posts

Posted 02 June 2009 - 08:42 PM

Sam,

OK, here are the logs you requested. Just before posting, I tried a couple of Google searches and the correct sites were loaded - no redirection.

Thank you again for all your help.

adaniel


GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-02 21:32:12
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xABE9CF20]

Code \??\C:\DOCUME~1\ADMINI~1.ADA\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\DOCUME~1\ADMINI~1.ADA\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? \Device\NaiAvFilter101.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs crpf.sys (COMODO Safe Delete Filter/COMODO Security Solutions Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs naiavf5x.sys (Anti-Virus File System Filter Driver/Network Associates, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat crpf.sys (COMODO Safe Delete Filter/COMODO Security Solutions Inc.)
AttachedDevice \FileSystem\Fastfat \Fat naiavf5x.sys (Anti-Virus File System Filter Driver/Network Associates, Inc.)

---- EOF - GMER 1.0.15 ----

===================================================================

GooredFix v1.92 by jpshortstuff
Log created at 21:35 on 02/06/2009 running Option #1 (administrator)
Firefox version 3.0.10 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"

#13 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 03 June 2009 - 03:02 PM

Looking much better!


Please update Malwarebytes and run a full scan.
  • Open Malwarebytes and select the Update tab.
  • Click on the Check for Updates button and allow the program to download the latest updates.
  • Once you have the latest updates, select the Scanner tab.
  • Select "Perform full scan" and click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

#14 adaniel
  • Topic Starter
  • Members
  • 203 posts

Posted 03 June 2009 - 07:17 PM

Sam,

Here are the results of the MBAM scan.

Google searches continue to perform correctly. Also, I was getting an error on my Maxtor OneTouch every time I rebooted saying it had no partition and asking if I wanted to reformat. Windows could access it, but the backup would fail. That problem is now resolved as well.

Thank you so much for all your help.

adaniel

Malwarebytes' Anti-Malware 1.37
Database version: 2225
Windows 5.1.2600 Service Pack 2

6/3/2009 8:13:26 PM
mbam-log-2009-06-03 (20-13-26).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 223211
Time elapsed: 2 hour(s), 57 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\qoobox\quarantine\c\windows\system32\UACbvyfthdfjgccouk.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\qoobox\quarantine\c\windows\system32\UACiiikebxboupssep.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\qoobox\quarantine\c\windows\system32\UACrrkqlcjuhnkuusx.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\qoobox\quarantine\c\windows\system32\UACwnkftjmyvrxoccl.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\drivers\UACprfxaysywbdxcuq.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.

Edited by adaniel, 03 June 2009 - 07:23 PM.
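Reading a log like the one above by hand is fine for five entries, but when triaging many of them a practitioner wants the summary counts cross-checked against the listed entries and any hit that still needs action picked out. The Python below is an added example, not code from the thread or from Malwarebytes. It parses the MBAM 1.37 log layout shown above, flags entries whose action is anything other than a successful quarantine, and separates hits under ComboFix's C:\Qoobox\Quarantine folder (renamed, inert .vir copies, which is why the five hits above are good news rather than a live infection) from hits elsewhere on disk. The sample log is constructed from the format above; its third entry uses a hypothetical file name and action.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt in the format of the MBAM 1.37 log posted above. The two
# Qoobox entries reproduce file names from the thread; the third entry is invented
# (hypothetical name, "Delete on reboot" action) to show an unresolved detection.
SAMPLE_LOG = """Malwarebytes' Anti-Malware 1.37
Database version: 2225
Windows 5.1.2600 Service Pack 2

Scan type: Full Scan (C:\\|E:\\|)
Objects scanned: 223211
Time elapsed: 2 hour(s), 57 minute(s), 46 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Files Infected:
c:\\qoobox\\quarantine\\c\\windows\\system32\\UACbvyfthdfjgccouk.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\\Qoobox\\quarantine\\C\\WINDOWS\\system32\\drivers\\UACprfxaysywbdxcuq.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\\windows\\system32\\drivers\\UACconstructedexample.sys (Trojan.TDSS) -> Delete on reboot.
"""

# "<section> Infected: <n>" summary lines versus "<section> Infected:" detail headers
SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
DETAIL_HDR_RE = re.compile(r"^(?P<section>.+ Infected):$")
# "<path> (<family>) -> <action>." detail entries
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Detection:
    section: str
    path: str
    family: str
    action: str

    @property
    def in_combofix_quarantine(self) -> bool:
        # ComboFix stores what it removes as *.vir under C:\Qoobox\Quarantine,
        # so a hit there is an already-neutralised copy, not a live component.
        return "\\qoobox\\quarantine\\" in self.path.lower()

    @property
    def resolved(self) -> bool:
        return self.action.lower().startswith("quarantined and deleted successfully")


def parse_mbam_log(text: str) -> dict:
    """Return {'counts': {section: n}, 'detections': [Detection, ...]}."""
    counts, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:               # blank line ends the current detail section
            section = None
            continue
        m = SUMMARY_RE.match(line)
        if m:
            counts[m.group("section")] = int(m.group("count"))
            continue
        m = DETAIL_HDR_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            detections.append(Detection(section, m.group("path"),
                                        m.group("family"), m.group("action")))
    return {"counts": counts, "detections": detections}


def check_consistency(report: dict) -> list:
    """(section, summary_count, listed_count) wherever the two disagree."""
    problems = []
    for section, count in report["counts"].items():
        listed = sum(1 for d in report["detections"] if d.section == section)
        if listed != count:
            problems.append((section, count, listed))
    return problems


def unresolved(report: dict) -> list:
    """Detections whose action is anything other than a successful quarantine."""
    return [d for d in report["detections"] if not d.resolved]


def live_hits(report: dict) -> list:
    """Detections outside ComboFix's quarantine, i.e. components found in place."""
    return [d for d in report["detections"] if not d.in_combofix_quarantine]


def families(report: dict) -> Counter:
    return Counter(d.family for d in report["detections"])


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print("summary/detail mismatches:", check_consistency(rep))
    print("families:", dict(families(rep)))
    for d in unresolved(rep):
        print("needs follow-up:", d.path, "->", d.action)
    for d in live_hits(rep):
        print("found outside quarantine:", d.path)
```

Run against a real log, the two lists at the end are what decide whether a follow-up scan or reboot is needed: an empty `unresolved` list and only Qoobox paths in `live_hits` is the "Looks good!" outcome of this thread.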


#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:31 AM

Posted 04 June 2009 - 10:08 AM

Looks good! :)


We need to remove Combofix now that we're done with it.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK




==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would with an antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbup2: :)
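The Custom Level settings in the list above correspond to numbered values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (the Internet zone), where the DWORD data 0 means Enable, 1 means Prompt and 3 means Disable. The Python below is an added example, not from the thread or from any tool mentioned in it; it audits a zone's values against the posture the post recommends, accepts a setting that is stricter than recommended, reports a missing value as a finding, and includes a reader that pulls the live values through the standard `winreg` module when run on Windows (elsewhere the constructed dicts in `__main__` stand in for it). The value-name-to-label mapping for these six settings is Microsoft's documented one.

```python
import sys

# DWORD data used by Internet Explorer zone settings, ordered by strictness
ENABLE, PROMPT, DISABLE = 0, 1, 3
STRICTNESS = {ENABLE: 0, PROMPT: 1, DISABLE: 2}
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Registry value names under ...\Internet Settings\Zones\3 (Internet zone),
# mapped to the Custom Level dialog labels used in the post above.
ZONE_LABELS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1607": "Navigate sub-frames across different domains",
    "1800": "Installation of desktop items",
    "1804": "Launching programs and files in an IFRAME",
}

# The posture recommended in the post above.
RECOMMENDED = {
    "1001": PROMPT,
    "1004": DISABLE,
    "1201": DISABLE,
    "1607": PROMPT,
    "1800": PROMPT,
    "1804": PROMPT,
}


def audit_internet_zone(current: dict) -> list:
    """Return one finding per value that is missing or looser than recommended.

    `current` maps value name -> DWORD data, as read from the registry.
    A value that is stricter than recommended (e.g. Disable where Prompt
    would do) is not reported.
    """
    findings = []
    for name, wanted in RECOMMENDED.items():
        actual = current.get(name)
        if actual not in STRICTNESS or STRICTNESS[actual] < STRICTNESS[wanted]:
            findings.append({
                "value": name,
                "setting": ZONE_LABELS[name],
                "current": LABEL.get(actual, "not set"),
                "recommended": LABEL[wanted],
            })
    return findings


def read_internet_zone() -> dict:
    """Read the six values from the current user's Internet zone (Windows only)."""
    import winreg  # standard library, but only available on Windows
    path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        for name in RECOMMENDED:
            try:
                values[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # absent value is reported by audit_internet_zone
    return values


if __name__ == "__main__":
    if sys.platform == "win32":
        zone = read_internet_zone()
    else:
        # Constructed sample: everything still at Enable, the loosest setting.
        zone = {name: ENABLE for name in RECOMMENDED}
    for f in audit_internet_zone(zone):
        print(f"{f['value']} {f['setting']}: {f['current']} -> set to {f['recommended']}")
```

Note that a per-user audit is only half the picture: if the `Security_HKLM_only` policy is in force, Internet Explorer ignores the HKCU zone values and the same check should be pointed at the matching key under HKLM.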


========================================================



