Trojan Agent, Stolen.data & others plus XP blue screen


  • This topic is locked
26 replies to this topic

#1 GeraldUK

  • Members

Posted 16 June 2009 - 10:44 AM

On 23 May in the Am I Infected forum Quietman7 suggested I post a HJT log here. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/228654/backdoorbot-infections/ ~ OB From this posting date you can see that business took me away for some weeks, and I left my Desktop computer off, running Windows XP Home SP3.

I ran Spybot Search & Destroy and it found:
Win32.Agent.pz
Win32.Zbot.
These 2 problems were fixed and I then ran Malwarebytes which found:
Backdoor.bot
Trojan.Agent
Stolen.data
Malware.Trace
Worm.Koobface
These were all quarantined and deleted successfully.

Using the software programs some weeks ago, I thought I had cleared these, but, it seems, not.
I have run both programs again, and both report all clear.

However, to compound the annoyance I now get the “Blue Screen of Death” with XP
which shuts down XP and leaves the screen which says that it has closed down Windows XP to prevent harm and says it is BAD POOL CALLER. The technical details are:
STOP: 0X000000C2 (0X00000007, 0X00000CD4, 0X02060006, 0X8922C5A0)

Having thought I had got rid of the Malware, I am somewhat worried by the appearance of this screen and XP closing down. The reboots all appear to be normal.

Anyway, as suggested by Quietman, I attach the DDS log. I do have HijackThis and can post the log if requested.

Obviously, any help or guidance would be appreciated.

DDS (Ver_09-05-14.01) - NTFSx86
Run by Gerald at 15:36:50.81 on 16/06/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2046.1357 [GMT 1:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
E:\Program Files\ZoneAlarm\zlclient.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Eraser\eraser.exe
E:\Program Files\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\SuperAntiSpyware\SUPERAntiSpyware.exe
svchost.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\DriveCrypt\DcrServ.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\TalkTalk\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
E:\Program Files\Corel\programs\wpwin9.exe
E:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Gerald\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://uk.reuters.com/?WT.mc_id=ext_SEM_Google_reuters&WT.srch=1
mWindow Title = Tiscali Internet Access
TB: ZoneAlarm Spy Blocker Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Eraser] e:\program files\eraser\eraser.exe -hide
uRun: [PowerBar]
uRun: [SpybotSD TeaTimer] e:\program files\spybot - search & destroy\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] e:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] "c:\program files\cyberlink\powerbackup\PBKScheduler.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [TalkTalk] "c:\program files\talktalk\bin\sprtcmd.exe" /P TalkTalk
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ZoneAlarm Client] "e:\program files\zonealarm\zlclient.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: &ICQ Toolbar Search - e:\program files\icqtoolbar\toolbaru.dll/SEARCH.HTML
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171571248894
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - e:\program files\superantispyware\SASWINLO.dll
Notify: klogon - c:\windows\system32\klogon.dll
Notify: saifx - saifx.dll
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: c:\progra~1\kasper~2\kasper~1\mzvkbd.dll,c:\progra~1\kasper~2\kasper~1\mzvkbd3.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\progra~1\qualcomm\eudora\EuShlExt.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - e:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 DCR;DCR;c:\windows\system32\drivers\DCR.sys [2006-9-7 233472]
R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-23 64160]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2008-10-7 213520]
R1 SASDIFSV;SASDIFSV;e:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;e:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-5-20 353672]
R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-5-20 464264]
R2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe [2008-7-29 206088]
R2 DriveCryptService;DriveCrypt Service;c:\program files\drivecrypt\DcrServ.exe [2006-9-7 98875]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1005904]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\talktalk\bin\sprtsvc.exe [2007-10-12 202016]
R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\common files\supportsoft\bin\tgsrvc.exe [2007-8-2 148768]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 Bonifay;Bonifay;c:\windows\system32\drivers\Bonifay.sys [2006-8-31 12160]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
R3 SASENUM;SASENUM;e:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
R3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2009-4-16 11520]
S1 HCW88AUD;Hauppauge WinTV 88x Audio Capture;c:\windows\system32\drivers\hcw88aud.sys [2006-7-13 11970]
S1 sorrd;Digital Sound S-B;c:\windows\system32\sorrd.sys [2009-5-20 0]
S3 Gonzales;Gonzales;c:\windows\system32\drivers\Gonzales.sys [2006-8-31 7040]
S3 HCW88BDA;Hauppauge WinTV 88x DVB Tuner/Demod;c:\windows\system32\drivers\hcw88bda.sys [2006-7-13 206912]
S3 HCW88TSE;Hauppauge WinTV 88x MPEG/TS Capture;c:\windows\system32\drivers\hcw88tse.sys [2006-7-13 299715]
S3 HCW88TUNE;Hauppauge WinTV 88x Tuner;c:\windows\system32\drivers\hcw88tun.sys [2006-7-13 147009]
S3 hcw88vid;Hauppauge WinTV 88x Video;c:\windows\system32\drivers\hcw88vid.sys [2006-7-13 497216]
S3 HCW88XBAR;Hauppauge WinTV 88x Crossbar;c:\windows\system32\drivers\hcw88bar.sys [2006-7-13 23104]
S4 m5287;m5287;c:\windows\system32\drivers\m5287.sys [2005-11-25 85888]
S4 m5289;m5289;c:\windows\system32\drivers\m5289.sys [2005-11-25 51840]

=============== Created Last 30 ================

2009-06-15 12:45 166 a------- C:\x345.bat
2009-05-23 18:13 116,224 ac------ c:\windows\system32\dllcache\xrxwiadr.dll
2009-05-23 18:13 18,944 ac------ c:\windows\system32\dllcache\xrxscnui.dll
2009-05-23 18:12 8,192 ac------ c:\windows\system32\dllcache\wshirda.dll
2009-05-23 18:12 8,832 ac------ c:\windows\system32\dllcache\wmiacpi.sys
2009-05-23 18:11 31,744 ac------ c:\windows\system32\dllcache\wceusbsh.sys
2009-05-23 18:10 20,608 ac------ c:\windows\system32\dllcache\usbuhci.sys
2009-05-23 18:10 26,112 ac------ c:\windows\system32\dllcache\usbser.sys
2009-05-23 18:09 82,944 ac------ c:\windows\system32\dllcache\tp4mon.exe
2009-05-23 18:08 149,376 ac------ c:\windows\system32\dllcache\tffsport.sys
2009-05-23 18:07 7,552 ac------ c:\windows\system32\dllcache\sonyait.sys
2009-05-23 18:06 6,912 ac------ c:\windows\system32\dllcache\smbclass.sys
2009-05-23 18:06 16,000 ac------ c:\windows\system32\dllcache\smbbatt.sys
2009-05-23 18:05 43,904 ac------ c:\windows\system32\dllcache\sbp2port.sys
2009-05-23 18:04 29,696 ac------ c:\windows\system32\dllcache\rw450ext.dll
2009-05-23 18:04 27,648 ac------ c:\windows\system32\dllcache\rw430ext.dll
2009-05-23 18:04 79,104 ac------ c:\windows\system32\dllcache\rocket.sys
2009-05-23 18:03 6,016 ac------ c:\windows\system32\dllcache\qic157.sys
2009-05-23 18:03 159,232 ac------ c:\windows\system32\dllcache\ptpusd.dll
2009-05-23 18:03 17,664 ac------ c:\windows\system32\dllcache\ppa3.sys
2009-05-23 18:03 8,832 ac------ c:\windows\system32\dllcache\powerfil.sys
2009-05-23 18:02 259,328 ac------ c:\windows\system32\dllcache\perm3dd.dll
2009-05-23 18:02 28,032 ac------ c:\windows\system32\dllcache\perm3.sys
2009-05-23 18:02 211,584 ac------ c:\windows\system32\dllcache\perm2dll.dll
2009-05-23 18:02 27,904 ac------ c:\windows\system32\dllcache\perm2.sys
2009-05-23 18:01 61,696 ac------ c:\windows\system32\dllcache\ohci1394.sys
2009-05-23 18:01 28,672 ac------ c:\windows\system32\dllcache\nscirda.sys
2009-05-23 17:59 49,024 ac------ c:\windows\system32\dllcache\mstape.sys
2009-05-23 17:59 22,016 ac------ c:\windows\system32\dllcache\msircomm.sys
2009-05-23 17:59 51,200 ac------ c:\windows\system32\dllcache\msdv.sys
2009-05-23 17:59 26,112 ac------ c:\windows\system32\dllcache\memstpci.sys
2009-05-23 17:58 7,040 ac------ c:\windows\system32\dllcache\ltotape.sys
2009-05-23 17:58 34,688 ac------ c:\windows\system32\dllcache\lbrtfdc.sys
2009-05-23 17:58 253,952 ac------ c:\windows\system32\dllcache\kdsusd.dll
2009-05-23 17:58 48,640 ac------ c:\windows\system32\dllcache\kdsui.dll
2009-05-23 17:57 6,144 ac------ c:\windows\system32\dllcache\kbd106.dll
2009-05-23 17:57 28,160 ac------ c:\windows\system32\dllcache\irmon.dll
2009-05-23 17:57 151,552 ac------ c:\windows\system32\dllcache\irftp.exe
2009-05-23 17:57 88,192 ac------ c:\windows\system32\dllcache\irda.sys
2009-05-23 17:56 702,845 ac------ c:\windows\system32\dllcache\i81xdnt5.dll
2009-05-23 17:54 20,352 ac------ c:\windows\system32\dllcache\hidbatt.sys
2009-05-23 17:54 28,288 ac------ c:\windows\system32\dllcache\grserial.sys
2009-05-23 17:54 59,136 ac------ c:\windows\system32\dllcache\gckernel.sys
2009-05-23 17:54 10,624 ac------ c:\windows\system32\dllcache\gameenum.sys
2009-05-23 17:52 20,992 ac------ c:\windows\system32\dllcache\dshowext.ax
2009-05-23 17:52 206,976 ac------ c:\windows\system32\dllcache\dot4.sys
2009-05-23 17:52 8,320 ac------ c:\windows\system32\dllcache\dlttape.sys
2009-05-23 17:51 249,856 ac------ c:\windows\system32\dllcache\ctmasetp.dll
2009-05-23 17:51 10,240 ac------ c:\windows\system32\dllcache\compbatt.sys
2009-05-23 17:51 13,952 ac------ c:\windows\system32\dllcache\cmbatt.sys
2009-05-23 17:51 8,192 ac------ c:\windows\system32\dllcache\changer.sys
2009-05-23 17:50 121,856 ac------ c:\windows\system32\dllcache\camext30.dll
2009-05-23 17:50 14,208 ac------ c:\windows\system32\dllcache\battc.sys
2009-05-23 17:50 13,696 ac------ c:\windows\system32\dllcache\avcstrm.sys
2009-05-23 17:49 38,912 ac------ c:\windows\system32\dllcache\avc.sys
2009-05-23 17:48 48,128 ac------ c:\windows\system32\dllcache\61883.sys
2009-05-23 17:48 12,288 ac------ c:\windows\system32\dllcache\4mmdat.sys
2009-05-23 17:47 53,376 ac------ c:\windows\system32\dllcache\1394bus.sys
2009-05-23 15:10 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-23 14:52 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-05-23 14:49 -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-23 14:49 --d----- c:\program files\Lavasoft
2009-05-21 12:47 --d----- c:\program files\2BrightSparks
2009-05-20 20:52 0 a------- c:\windows\system32\sorrd.sys
2009-05-20 16:49 --d----- c:\program files\AskBarDis
2009-05-20 16:49 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-05-20 16:49 --d----- c:\windows\system32\ZoneLabs
2009-05-20 16:49 350,192 a------- c:\windows\system32\vsconfig.xml
2009-05-20 16:39 --d----- c:\program files\Zone Labs
2009-05-20 11:34 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-20 11:34 --d----- c:\docume~1\gerald\applic~1\SUPERAntiSpyware.com
2009-05-18 17:59 --d----- c:\docume~1\gerald\applic~1\Malwarebytes
2009-05-18 17:59 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-18 17:59 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-18 17:59 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-18 16:54 -cd-h--- c:\docume~1\alluse~1\applic~1\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}

==================== Find3M ====================

2009-06-16 14:57 3,103,776 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-06-16 14:57 852,000 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-06-16 14:57 28,472 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-06-16 14:57 6,088 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-05-20 16:49 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-05-20 16:11 105,395 a------- c:\windows\system32\drivers\klin.dat
2009-05-20 16:11 94,643 a------- c:\windows\system32\drivers\klick.dat
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-05 12:24 59,392 a------- c:\windows\system32\inform.dat
2009-04-29 05:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 05:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2008-10-29 16:54 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102920081030\index.dat

============= FINISH: 15:37:31.54 ========

Edited by Orange Blossom, 16 June 2009 - 01:58 PM.
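The SERVICES / DRIVERS section of the DDS log above is the part a responder reads first when a BAD_POOL_CALLER stop points at a kernel driver. As an added example (not part of the thread, and not code from DDS or BleepingComputer), here is a small Python parser for that section's `R0 name;display;path [date size]` line format, run over lines copied from the log above, that flags entries whose image file DDS could not read or whose image is zero bytes. The triage rules are the editor's own heuristics, not anything DDS reports.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One DDS "SERVICES / DRIVERS" line, as printed in the log above:
#   <start> <service name>;<display name>;<image path> [<yyyy-m-d> <size in bytes>]
# DDS prints "[?]" instead of date and size when it could not read the image file.
DDS_SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]*);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)

# Sample input: lines copied verbatim from the DDS log posted above.
SAMPLE_LOG = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-23 64160]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-5-20 353672]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S1 sorrd;Digital Sound S-B;c:\windows\system32\sorrd.sys [2009-5-20 0]
S3 Gonzales;Gonzales;c:\windows\system32\drivers\Gonzales.sys [2006-8-31 7040]
"""


@dataclass
class ServiceEntry:
    start: str            # R = running, S = stopped; the digit is the start type (0 = boot, 1 = system)
    name: str
    display: str
    path: str
    date: Optional[str]   # None when DDS printed "[?]"
    size: Optional[int]   # None when DDS printed "[?]"


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one SERVICES / DRIVERS line; return None for lines in another format."""
    m = DDS_SERVICE_RE.match(line.strip())
    if not m:
        return None
    meta = m.group("meta").split()
    date: Optional[str] = None
    size: Optional[int] = None
    if len(meta) == 2 and meta[1].isdigit():
        date, size = meta[0], int(meta[1])
    return ServiceEntry(m.group("start"), m.group("name"), m.group("display"),
                        m.group("path"), date, size)


def parse_services(text: str) -> List[ServiceEntry]:
    """Parse every SERVICES / DRIVERS line in a block of DDS output."""
    return [e for e in (parse_service_line(l) for l in text.splitlines()) if e]


def triage(entries: List[ServiceEntry]) -> List[Tuple[str, str]]:
    """Return (service name, reason) pairs for entries that deserve a closer look.

    Heuristics (editor's, not DDS's):
      * "[?]"  -> DDS could not stat the image; confirm the file exists and is signed.
      * size 0 -> a zero-byte driver image cannot be a working driver.
      * boot/system-start .sys outside system32\\drivers -> unusual location, review
        (legitimate security products such as firewalls do this too, so it is a
        prompt to check the vendor, not a verdict).
    """
    findings: List[Tuple[str, str]] = []
    for e in entries:
        if e.size is None:
            findings.append((e.name, "DDS could not read the image file ([?])"))
        elif e.size == 0:
            findings.append((e.name, "zero-byte image file"))
        low = e.path.lower()
        if e.start[1] in "01" and low.endswith(".sys") and "\\drivers\\" not in low:
            findings.append((e.name, "boot/system-start driver outside system32\\drivers (review)"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(parse_services(SAMPLE_LOG)):
        print(f"{name:12s} {reason}")
```

Run against the sample, the parser picks out sorrd (zero-byte image in system32 rather than system32\drivers) and vsmon (image not readable), while Lbd and Gonzales pass; vsdatant is listed for location review only, which an analyst would clear as the ZoneAlarm driver.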


#2 GeraldUK

  • Topic Starter
  • Members

Posted 17 June 2009 - 04:18 AM

Just noticed reading the DDS log that it says I have Comodo Firewall "enabled."

I am sure I had deleted this program as it clashed very badly with Kaspersky Anti Virus. Obviously there may be bits, or a Registry entry which remains?

The firewall I am using is ZoneAlarm (free).

#3 etavares

  • Bleepin' Remover
  • Malware Response Team

Posted 22 June 2009 - 08:10 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.



#4 GeraldUK

  • Topic Starter
  • Members

Posted 23 June 2009 - 05:58 AM

Thanks for the reply, etavares

I enclose the most recent DDS log.

Since my original post here I have run Malwarebytes (and others like Kaspersky) and my Trojan/virus problem seems to have been overcome. However, the XP blue screen of Windows being turned off continues, and I notice that these events are logged in the event viewer, so I am enclosing the attachment unzipped. (can't zip it up).

Of course the DDS log might show things that are not right, as loading Windows XP Home still takes an age.

Attached Files:
  • DDS.txt (11.18KB)


#5 GeraldUK

  • Topic Starter
  • Members

Posted 23 June 2009 - 05:59 AM

Sorry, here is the Attach.txt log


#6 PropagandaPanda

  • Malware Response Team

Posted 24 June 2009 - 08:20 AM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#7 GeraldUK

  • Topic Starter
  • Members

Posted 25 June 2009 - 04:41 AM

Panda

Thanks for the instructions, which I will follow shortly, and add the logs requested.

As I am working to GMT and you are on one of the US time zones (?) there might be a delay in my replies.

#8 GeraldUK

  • Topic Starter
  • Members

Posted 25 June 2009 - 06:07 AM

Panda - here is the GMER log
Gerald


GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-25 11:53:38
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateKey [0xB41F3940]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateValueKey [0xB41F39A8]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) IoIsOperationSynchronous
Code \??\C:\DOCUME~1\Gerald\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- EOF - GMER 1.0.15 ----

#9 GeraldUK

  • Topic Starter
  • Members

Posted 25 June 2009 - 06:14 AM

Panda
Here is the Combofix log. I thought I had deleted entirely the Comodo firewall - but obviously not 100%. As it ran I saw 8 or so txt and/or poc files being deleted.
Apart from the odd update to anti-virus programs there have been no changes to my system, with the exception of IE8 replacing IE7 the other day.
Gerald



ComboFix 09-06-24.05 - Gerald 25/06/2009 11:31.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2046.1548 [GMT 1:00]
Running from: c:\documents and settings\Gerald\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-3232878904-2446211435-2299508953-1003
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\Downloaded Program Files\ODCTOOLS\ef6b26db-344d-4ad3-ba24-aca0bdaa999a.cab
c:\windows\Downloaded Program Files\ODCTOOLS\f04d289f-c60a-422b-8396-6c372047042e.cab
c:\windows\system32\bookls
c:\recycler\S-1-5-21-3232878904-2446211435-2299508953-1003\desktop.ini
c:\windows\system32\al.txt
c:\windows\system32\bookls\dooi.poc
c:\windows\system32\bookls\orde.poc
c:\windows\system32\cds.txt
c:\windows\system32\dz1.txt
c:\windows\system32\inform.dat
c:\windows\system32\p1.txt
c:\windows\system32\r24.txt

c:\windows\system32\grpconv.exe was missing
Restored copy from - c:\windows\system32\dllcache\grpconv.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\system32\dllcache\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-06-25 )))))))))))))))))))))))))))))))
.

2009-06-25 10:33 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-06-25 10:33 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-06-25 10:33 . 2008-04-14 00:12 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2009-06-25 10:33 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-06-23 12:55 . 2009-06-23 12:55 -------- d-sh--w- c:\documents and settings\Gerald\PrivacIE
2009-06-23 12:54 . 2009-06-23 12:54 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-23 12:53 . 2009-06-23 12:53 -------- d-sh--w- c:\documents and settings\Gerald\IETldCache
2009-06-23 12:49 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-23 12:49 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-23 12:49 . 2009-06-23 12:50 -------- d-----w- c:\windows\ie8updates
2009-06-23 12:49 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-06-23 12:46 . 2009-06-23 12:49 -------- dc-h--w- c:\windows\ie8
2009-05-29 16:12 . 2009-06-17 20:31 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-26 15:43 . 2009-05-26 15:43 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-05-26 15:43 . 2009-05-26 15:43 83808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-05-26 15:43 . 2009-05-26 15:43 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-05-26 15:43 . 2009-05-26 15:43 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-25 10:39 . 2008-10-04 10:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-06-25 10:39 . 2009-05-20 10:34 117760 ----a-w- c:\documents and settings\Gerald\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-25 10:38 . 2006-09-15 08:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-06-25 10:34 . 2008-10-07 11:18 852000 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-06-25 10:34 . 2008-10-07 11:18 6088 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-25 10:34 . 2008-10-07 11:18 3110944 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-25 10:34 . 2008-10-07 11:18 28528 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-24 10:38 . 2006-09-27 16:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-22 07:45 . 2009-06-22 07:48 273408 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2009-06-17 10:27 . 2009-05-18 16:59 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 10:27 . 2009-05-18 16:59 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-15 18:57 . 2007-08-28 14:54 -------- d-----w- c:\documents and settings\Gerald\Application Data\ZoomBrowser EX
2009-06-15 18:24 . 2007-08-28 16:16 -------- d-----w- c:\documents and settings\Gerald\Application Data\CameraWindowDC
2009-05-30 08:20 . 2009-05-22 19:20 3438110 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-05-30 07:42 . 2009-05-30 08:20 1466368 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2009-05-26 19:26 . 2009-05-26 19:28 411136 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-05-26 19:26 . 2009-05-26 19:28 1436672 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-05-26 16:37 . 2009-05-26 16:39 1434624 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-05-26 15:43 . 2009-05-23 14:10 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-23 13:51 . 2009-05-23 13:52 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-05-23 13:51 . 2009-05-23 13:51 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-05-23 13:49 . 2009-05-23 13:49 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-23 13:49 . 2009-05-23 13:49 -------- d-----w- c:\program files\Lavasoft
2009-05-23 13:49 . 2008-11-18 13:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-05-23 13:49 . 2008-09-22 18:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-22 19:19 . 2009-05-22 19:20 1401856 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2009-05-21 11:47 . 2009-05-21 11:47 -------- d-----w- c:\program files\2BrightSparks
2009-05-21 10:30 . 2009-01-04 17:28 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-20 19:52 . 2009-05-20 19:52 0 ----a-w- c:\windows\system32\sorrd.sys
2009-05-20 15:50 . 2009-05-20 15:49 -------- d-----w- c:\program files\AskBarDis
2009-05-20 15:49 . 2006-10-04 10:38 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-05-20 15:39 . 2009-05-20 15:39 -------- d-----w- c:\program files\Zone Labs
2009-05-20 15:11 . 2008-10-07 11:18 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-05-20 15:11 . 2008-10-07 11:18 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-05-20 10:34 . 2009-05-20 10:34 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-20 10:34 . 2009-05-20 10:34 -------- d-----w- c:\documents and settings\Gerald\Application Data\SUPERAntiSpyware.com
2009-05-18 16:59 . 2009-05-18 16:59 -------- d-----w- c:\documents and settings\Gerald\Application Data\Malwarebytes
2009-05-18 16:59 . 2009-05-18 16:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-18 15:54 . 2009-05-18 15:54 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2009-05-13 05:15 . 2005-09-09 22:03 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-08 15:07 . 2006-08-31 14:59 -------- d-----w- c:\documents and settings\Gerald\Application Data\AdobeUM
2009-05-07 15:32 . 2005-09-09 22:03 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2005-09-09 22:03 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2005-09-09 22:03 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-02 20:36 . 2009-04-02 20:36 152576 ----a-w- c:\documents and settings\Gerald\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2007-10-03 17:15 . 2006-09-17 16:14 66408 ------w- c:\program files\mozilla firefox\components\jar50.dll
2007-10-03 17:15 . 2006-09-17 16:14 54112 ------w- c:\program files\mozilla firefox\components\jsd3250.dll
2007-10-03 17:15 . 2007-07-05 14:27 34688 ------w- c:\program files\mozilla firefox\components\myspell.dll
2007-10-03 17:15 . 2007-07-05 14:27 46456 ------w- c:\program files\mozilla firefox\components\spellchk.dll
2007-10-03 17:15 . 2006-09-17 16:14 171880 ------w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Eraser"="e:\program files\Eraser\eraser.exe" [2008-10-09 634880]
"SUPERAntiSpyware"="e:\program files\SuperAntiSpyware\SUPERAntiSpyware.exe" [2009-06-25 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"{1290A33C-85F5-4164-A1BE-7DD299D4986A}"="c:\program files\CyberLink\PowerBackup\PBKScheduler.exe" [2004-06-08 69721]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-25 151597]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-11-25 98304]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-12-09 225280]
"TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" [2007-10-12 202016]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-02-09 206088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"ZoneAlarm Client"="e:\program files\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-20 518488]
"Ptipbmf"="ptipbmf.dll" - c:\windows\system32\ptipbmf.dll [2003-06-20 118784]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-06-01 1519616]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2006-06-01 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-9-11 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\progra~1\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "e:\program files\SuperAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- e:\program files\SuperAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sorrd.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BT Modem Lock"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"e:\\Program Files\\ICQLite\\ICQLite.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\TalkTalk\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\tgsrvc.exe"=
"c:\\Program Files\\TalkTalk\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 DCR;DCR;c:\windows\system32\drivers\DCR.sys [07/09/2006 11:15 233472]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [29/01/2008 18:29 33808]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [23/05/2009 14:52 64160]
R1 SASDIFSV;SASDIFSV;e:\program files\SuperAntiSpyware\sasdifsv.sys [23/03/2009 14:07 9968]
R1 SASKUTIL;SASKUTIL;e:\program files\SuperAntiSpyware\SASKUTIL.SYS [23/03/2009 14:07 72944]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [20/05/2009 16:49 464264]
R2 DriveCryptService;DriveCrypt Service;c:\program files\DriveCrypt\DcrServ.exe [07/09/2006 11:15 98875]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\TalkTalk\bin\sprtsvc.exe [12/10/2007 08:33 202016]
R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\Common Files\SupportSoft\bin\tgsrvc.exe [02/08/2007 13:42 148768]
R3 Bonifay;Bonifay;c:\windows\system32\drivers\Bonifay.sys [31/08/2006 16:51 12160]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [30/04/2008 18:06 24592]
R3 SASENUM;SASENUM;e:\program files\SuperAntiSpyware\SASENUM.SYS [23/03/2009 14:07 7408]
R3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [16/04/2009 18:13 11520]
S1 HCW88AUD;Hauppauge WinTV 88x Audio Capture;c:\windows\system32\drivers\hcw88aud.sys [13/07/2006 20:25 11970]
S1 sorrd;Digital Sound S-B;c:\windows\system32\sorrd.sys [20/05/2009 20:52 0]
S3 Gonzales;Gonzales;c:\windows\system32\drivers\Gonzales.sys [31/08/2006 16:51 7040]
S3 HCW88BDA;Hauppauge WinTV 88x DVB Tuner/Demod;c:\windows\system32\drivers\hcw88bda.sys [13/07/2006 20:25 206912]
S3 HCW88TSE;Hauppauge WinTV 88x MPEG/TS Capture;c:\windows\system32\drivers\hcw88tse.sys [13/07/2006 20:25 299715]
S3 HCW88TUNE;Hauppauge WinTV 88x Tuner;c:\windows\system32\drivers\hcw88tun.sys [13/07/2006 20:25 147009]
S3 hcw88vid;Hauppauge WinTV 88x Video;c:\windows\system32\drivers\hcw88vid.sys [13/07/2006 20:25 497216]
S3 HCW88XBAR;Hauppauge WinTV 88x Crossbar;c:\windows\system32\drivers\hcw88bar.sys [13/07/2006 20:25 23104]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 1003344]
S4 m5287;m5287;c:\windows\system32\drivers\m5287.sys [25/11/2005 17:44 85888]
S4 m5289;m5289;c:\windows\system32\drivers\m5289.sys [25/11/2005 17:44 51840]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SASDIFSV

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-22 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 13:52]

2007-12-05 c:\windows\Tasks\Backup_051207_all.job
- c:\windows\system32\ntbackup.exe [2001-08-17 22:36]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-PowerBar - (no file)
Notify-saifx - saifx.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.reuters.com/?WT.mc_id=ext_SEM_Google_reuters&WT.srch=1
mWindow Title = Tiscali Internet Access
IE: &ICQ Toolbar Search - e:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-25 11:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2731112901-4037366769-1438209861-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(992)
e:\program files\SuperAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(7388)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll
c:\windows\system32\nview.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
c:\program files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
c:\program files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-06-25 11:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-25 10:42

Pre-Run: 11,286,020,096 bytes free
Post-Run: 11,157,553,152 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=10 Default=10 Failed=9 LastKnownGood=11 Sets=1,2,3,4,5,6,7,8,9,10,11
280 --- E O F --- 2009-06-23 12:50
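The ComboFix service/driver lines above (`R0 klbg;...`, `S1 sorrd;...`) and the `SafeBoot\Minimal` registry keys are the parts of such a log a responder reads first. The following is an added triage helper written for this thread; it is not ComboFix's own code and not from either poster. It assumes the line format exactly as it appears in the log above and the usual ComboFix convention that `R` means running, `S` stopped, and the digit is the service start type (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled); the sample lines are a constructed subset of the log. It flags zero-byte binaries, early-start drivers living outside `system32\drivers`, and services that are also registered to load in Safe Mode. The flags are review prompts, not verdicts: legitimate security products (the SuperAntiSpyware drivers here, for instance) will trip the location check too.

```python
"""Triage helper for the service/driver section of a ComboFix log.

Added example for this thread; it is not ComboFix's own code. It parses the
"R0 name;description;path [dd/mm/yyyy hh:mm size]" lines and the
SafeBoot\\Minimal registry keys ComboFix prints, then flags entries a
responder would want to look at by hand.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the same format as the log above (a subset of its lines).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sorrd.sys]
@="Driver"

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [29/01/2008 18:29 33808]
R1 SASDIFSV;SASDIFSV;e:\program files\SuperAntiSpyware\sasdifsv.sys [23/03/2009 14:07 9968]
S1 sorrd;Digital Sound S-B;c:\windows\system32\sorrd.sys [20/05/2009 20:52 0]
S3 Gonzales;Gonzales;c:\windows\system32\drivers\Gonzales.sys [31/08/2006 16:51 7040]
S4 m5287;m5287;c:\windows\system32\drivers\m5287.sys [25/11/2005 17:44 85888]
""".strip()

# Assumed ComboFix convention: the digit after R/S is the Windows start type.
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)\s+"
    r"\[(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}) (?P<size>\d+)\]$"
)
SAFEBOOT_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\(?P<name>[^\]]+)\]$",
    re.IGNORECASE,
)


@dataclass
class Service:
    name: str
    desc: str
    path: str
    running: bool
    start: str
    size: int
    flags: list = field(default_factory=list)


def parse_log(text):
    """Return (services, safeboot_names) parsed from a ComboFix log body."""
    services, safeboot = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            services.append(Service(
                name=m["name"], desc=m["desc"], path=m["path"],
                running=m["state"] == "R",
                start=START_TYPES[int(m["start"])],
                size=int(m["size"]),
            ))
            continue
        m = SAFEBOOT_RE.match(line)
        if m:
            # SafeBoot key names are either the service name or the driver file name.
            safeboot.add(m["name"].lower())
    return services, safeboot


def triage(services, safeboot):
    """Attach review flags to each service; return only those that got one."""
    for s in services:
        s.flags = []  # idempotent: recompute from scratch on every call
        lowpath = s.path.lower()
        fname = lowpath.rsplit("\\", 1)[-1]
        if s.size == 0:
            s.flags.append("zero-byte binary")
        if s.start in ("boot", "system") and "\\drivers\\" not in lowpath:
            s.flags.append("early-start driver outside system32\\drivers")
        if s.name.lower() in safeboot or fname in safeboot:
            s.flags.append("also loads in Safe Mode (SafeBoot\\Minimal)")
    return [s for s in services if s.flags]


if __name__ == "__main__":
    for s in triage(*parse_log(SAMPLE_LOG)):
        state = "running" if s.running else "stopped"
        print(f"{s.name:10} {s.start:8} {state:8} {s.size:>7}  {s.path}")
        print("    -> " + ", ".join(s.flags))
```

Run stand-alone it prints the two entries from the sample that earn a flag; on the full log pasted above, feed the whole text to `parse_log` and the same checks apply to every `R`/`S` line.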

#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:45 PM

Posted 25 June 2009 - 07:39 AM

Hello.

Looks like the active infection was disabled even before ComboFix ran.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.
  • Double-click ATF-Cleaner.exe to run the program. If you are using Windows Vista, right click the icon and select Run As Administrator.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

With Regards,
The Panda

#11 GeraldUK

GeraldUK
  • Topic Starter

  • Members
  • 88 posts
  • OFFLINE
  • Local time:08:45 PM

Posted 25 June 2009 - 10:09 AM

Panda

Thanks - are you saying that ComboFix did not find anything wrong?
Would a HijackThis log help??

Will run the programmes you suggest. One, I have run, and it seems to be similar to CCleaner in cleaning out the IE cache?

Regards

Gerald

#12 GeraldUK

GeraldUK
  • Topic Starter

  • Members
  • 88 posts
  • OFFLINE
  • Local time:08:45 PM

Posted 25 June 2009 - 10:54 AM

Panda

I am having no joy with running F-Secure, which conflicts with either ZoneAlarm or Kaspersky and I have had 3 BSODs blaming klif.sys each time as a driver unloading without cancelling pending operations.

I have run Malwarebytes, Spybot Search & Destroy, Ad-Aware and SUPERAntiSpyware which, recently, have not found any trojan or virus. Do we HAVE to go down the F-Secure route?

Obviously, I am intrigued to know what caused the BSODs as originally reported, and I take it from your comment that there do not appear to be any viruses on my system at the moment.

As I am intrigued by what the logs show, would a HijackThis log be of any use to us?

Thanks

Gerald

#13 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:45 PM

Posted 25 June 2009 - 11:37 AM

Hello Gerald.

There were only inactive leftover components of an infection that ComboFix removed.

Sorry. I neglected the fact that Kaspersky doesn't like online scans. You can skip that.

DDS shows what HijackThis does and more. HijackThis has not been updated in quite a while.

I don't see anything that would be causing the BSOD. Neither do the Error Logs reveal anything useful. Are they still occurring now?

That error is more likely to be caused by hardware issues.

With Regards,
The Panda

#14 GeraldUK

GeraldUK
  • Topic Starter

  • Members
  • 88 posts
  • OFFLINE
  •  
  • Local time:08:45 PM

Posted 25 June 2009 - 12:18 PM

Hello Panda

Thanks for the reply.

I think we can take it that my computer is clean, and the BSOD is, at the moment, an irritation, and, as you say, could well be caused by a hardware problem.

If the BSODs continue (BAD POOL CALLER) or get worse, I will post that as a new single topic.

Thank you very much for your help.

Gerald

#15 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:45 PM

Posted 25 June 2009 - 01:05 PM

Hello.

Yes, for BSODs, it's best to post in the Operating System Forum.

Let's uninstall ComboFix.

Uninstall ComboFix
Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type the following into the runbox and click OK. Notice the space between the "x" and "/".
    ComboFix /u

Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Resets clock settings to standard format.
  • Hides file extensions and hidden/system files.
  • Clears System Restore cache and creates new restore point.

Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any questions or concerns?

With Regards,
The Panda



