
Search Engine Results Redirect to Ads


This topic is locked
21 replies to this topic

#1 DonaldH


Posted 01 July 2009 - 12:07 AM

Hello,

This computer has had some sort of browser hijack where search engine results get redirected through another site to ads. I don't remember exactly which ones because it has been a few months since we used this computer...it was just too irritating, so we bought another one.

It doesn't seem to be happening now but it has always come back and there are still traces of "something" when I run some scans...every time I think the problem is fixed it resurfaces in a few hours or days. MalwareBytes Anti-Malware shows four registry entries that are never removed even when the computer reboots. They are in HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings, bf, bk, iu and mu if that means anything.

Thanks for your help, DDS logs are below!

-Donald


DDS (Ver_09-06-26.01) - NTFSx86
Run by compaq at 20:25:01.80 on Tue 06/30/2009
Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.239.108 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\compaq\Desktop\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Microsoft Internet Explorer provided by Compaq
uStart Page = hxxp://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
uSearch Bar =
mDefault_Page_URL = hxxp://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
mStart Page =
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = about:blank
BHO: Yahoo! Companion BHO: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\ycomp5_6_2_0.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {0b4b1d06-4768-4a22-b639-9e8b8082ecc4} - c:\windows\system32\atl7.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {9cf8b5e7-292a-25aa-5dc0-01c20be82f92} - c:\windows\system32\xecqq.dll
BHO: {9cf8b5eb-2922-27ac-5dc2-02c27ce12f90} - c:\windows\system32\xecqq.dll
BHO: {9cf8b5ee-2929-54a4-5dc0-77c27ee02f93} - c:\windows\system32\xecqq.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\ycomp5_6_2_0.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [Airlink101 WLAN Monitor] c:\program files\airlink101\airlink101 wlan monitor\WLANmon.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\progra~1.lnk - c:\windows\installer\{e89956f9-5b89-470e-818d-bd46102d0a01}\Icon80951CEC.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\MSMSGS.EXE
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: myspace.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {556DDE35-E955-11D0-A707-000000521957} - hxxp://www.xblock.com/download/xclean_micro.exe
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38092.696400463
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 pnckjrtc;pnckjrtc;c:\windows\system32\drivers\suhwczfq.dat --> c:\windows\system32\drivers\suhwczfq.dat [?]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-11-17 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-11-17 55024]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\Vet-Filt.sys [2005-6-21 21031]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\Vet-Rec.sys [2005-6-21 15478]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\VetEFile.sys [2005-6-21 590190]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\VetFDDNT.sys [2005-6-21 15735]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\VetMonNT.sys [2005-6-21 25703]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 CAISafe;CAISafe;c:\program files\yahoo!\antivirus\iSafe.exe [2005-6-21 259184]
R3 N5SG;Airlink101 SuperG Wireless Network Adapter Service;c:\windows\system32\drivers\N5SG.sys [2006-11-3 467040]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\VetEBoot.sys [2005-6-21 102398]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2003-4-4 30336]
S3 QDFSDRV;QDFSDRV;c:\windows\system32\drivers\qdfsdrv.sys [2005-12-31 13792]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-11-17 7408]
S4 PackethSvc;Virtual NIC Service;c:\windows\system32\PackethSvc.exe [2005-8-6 64512]
S4 VETMSGNT;VET Message Service;c:\program files\yahoo!\antivirus\VetMsg.exe [2005-6-21 201840]

============== File Associations ===============

inffile=blank
inifile=blank

=============== Created Last 30 ================


==================== Find3M ====================

2009-06-28 18:31 2,678 a------- c:\windows\java\packages\data\83JP7PV1.DAT
2009-06-28 18:31 2,678 a------- c:\windows\java\packages\data\VRJ57NTN.DAT
2009-06-28 18:31 2,678 a------- c:\windows\java\packages\data\WBXFHVPF.DAT
2009-06-28 18:31 2,678 a------- c:\windows\java\packages\data\SRXZZ53X.DAT
2009-06-28 18:31 2,678 a------- c:\windows\java\packages\data\8XVZ5NXZ.DAT
2009-06-28 17:12 107,264 a------- c:\windows\system32\bidisp.dll
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 18,456 a------- c:\windows\system32\drivers\mbam.sys
2006-08-04 13:07 28,592 ac------ c:\docume~1\compaq\applic~1\GDIPFONTCACHEV1.DAT
2004-11-13 12:59 313 ac--h--- c:\documents and settings\compaq\hpothb07.dat

============= FINISH: 20:25:37.07 ===============
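What the DDS log above shows, in one place: three BHO entries with no friendly name that all resolve to c:\windows\system32\xecqq.dll under different CLSIDs, two toolbar CLSIDs left behind with "No File", and an R0 (boot-start) driver, pnckjrtc, whose image is a .dat file DDS cannot find. That combination is the Vundo footprint m0le names later in the thread. The script below is an added example written for this page, not DDS, Malwarebytes or ComboFix code; it parses those "Pseudo HJT Report" and "Services / Drivers" lines and flags exactly those patterns so a helper can spot them without reading the whole log. The input is a constructed excerpt of the log above, and the names `triage`, `driver_image`, `HOOK_RE` and `DRIVER_RE` are the example's own.

```python
"""Triage of DDS 'Pseudo HJT Report' / 'Services / Drivers' lines for Vundo-style
persistence.  Added example for this thread; not DDS, MBAM or ComboFix code."""
import re
from collections import defaultdict

# Constructed excerpt of the first DDS log posted above (added example input).
SAMPLE_DDS = r"""
BHO: Yahoo! Companion BHO: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\ycomp5_6_2_0.dll
BHO: {0b4b1d06-4768-4a22-b639-9e8b8082ecc4} - c:\windows\system32\atl7.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {9cf8b5e7-292a-25aa-5dc0-01c20be82f92} - c:\windows\system32\xecqq.dll
BHO: {9cf8b5eb-2922-27ac-5dc2-02c27ce12f90} - c:\windows\system32\xecqq.dll
BHO: {9cf8b5ee-2929-54a4-5dc0-77c27ee02f93} - c:\windows\system32\xecqq.dll
TB: Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\ycomp5_6_2_0.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
R0 pnckjrtc;pnckjrtc;c:\windows\system32\drivers\suhwczfq.dat --> c:\windows\system32\drivers\suhwczfq.dat [?]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-11-17 9968]
R3 N5SG;Airlink101 SuperG Wireless Network Adapter Service;c:\windows\system32\drivers\N5SG.sys [2006-11-3 467040]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2003-4-4 30336]
"""

# BHO/TB line: optional friendly name, a CLSID in braces, then " - " and the DLL path
# (or the literal "No File" when the CLSID is still registered but the DLL is gone).
HOOK_RE = re.compile(
    r"^(?P<kind>BHO|TB): (?:(?P<name>.+?): )?"
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$"
)
# Service/driver line: start type, then name;display;image-path [date size]  or  ... [?]
DRIVER_RE = re.compile(r"^(?P<start>[RS]\d) (?P<svc>[^;]*);(?P<display>[^;]*);(?P<rest>.+)$")


def driver_image(rest):
    """Strip DDS decoration ('--> resolved path' and the trailing '[...]') from a driver entry."""
    image = rest.split(" --> ")[0]
    if " [" in image:
        image = image.rsplit(" [", 1)[0]
    return image


def triage(dds_text):
    """Return (kind, detail) findings worth a second look.  'unnamed-bho' is a hint, not
    a verdict: legitimate BHOs occasionally omit a name.  'shared-dll' (one DLL behind
    several CLSIDs) and an R0/R1 driver loading a non-.sys image are far stronger signals."""
    findings = []
    dll_owners = defaultdict(list)          # dll path -> CLSIDs registered for it
    for raw in dds_text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            kind, name, clsid, target = m.group("kind", "name", "clsid", "target")
            if target == "No File":
                findings.append(("orphan", f"{kind} {clsid} is registered but its DLL is missing"))
            elif kind == "BHO":
                dll_owners[target.lower()].append(clsid.lower())
                if name is None:
                    findings.append(("unnamed-bho", f"{clsid} -> {target}"))
            continue
        m = DRIVER_RE.match(line)
        if m:
            start, svc, rest = m.group("start", "svc", "rest")
            image = driver_image(rest)
            missing = rest.endswith("[?]")
            # Boot-start (R0) and system-start (R1) drivers run before any user-mode AV;
            # a random service name with a .dat image, or one DDS cannot find, is how the
            # kernel component of these infections shows up in a DDS log.
            if start in ("R0", "R1") and (missing or not image.lower().endswith(".sys")):
                note = " (file not found)" if missing else ""
                findings.append(("boot-driver", f"{start} {svc} loads {image}{note}"))
    for dll, clsids in dll_owners.items():
        if len(clsids) > 1:
            findings.append(("shared-dll", f"{dll} registered under {len(clsids)} CLSIDs"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_DDS):
        print(f"[{kind:12}] {detail}")
```

Run as-is it prints eight findings for the excerpt; pass the text of a full DDS log saved from Notepad to `triage()` to get the same view of a whole report. Treat `unnamed-bho` as a prompt to look the CLSID and DLL up, not as a verdict. `shared-dll` and `boot-driver` are the ones that justify the ComboFix and GMER pass requested later in the thread: a boot-start driver loads before any user-mode scanner, which fits the pattern in the first post of registry entries that come back after every clean-up.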


#2 Guest_superbird_*


Posted 04 July 2009 - 08:28 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#3 DonaldH


Posted 04 July 2009 - 02:12 PM

MalwareBytes continues to report a trojan in the registry keys I identified in my first post and occasionally finds new items. Can provide the log file if needed...

Here is a new DDS log with attachment.


DDS (Ver_09-06-26.01) - NTFSx86
Run by compaq at 11:05:33.12 on Sat 07/04/2009
Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.239.114 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\ICA Client\PNAMain.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\compaq\Desktop\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Microsoft Internet Explorer provided by Compaq
uStart Page = hxxp://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
uSearch Bar =
mDefault_Page_URL = hxxp://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
mStart Page =
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = about:blank
BHO: Yahoo! Companion BHO: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\ycomp5_6_2_0.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {0b4b1d06-4768-4a22-b639-9e8b8082ecc4} - c:\windows\system32\atl7.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {9cf8b5e7-292a-25aa-5dc0-01c20be82f92} - c:\windows\system32\xecqq.dll
BHO: {9cf8b5eb-2922-27ac-5dc2-02c27ce12f90} - c:\windows\system32\xecqq.dll
BHO: {9cf8b5ee-2929-54a4-5dc0-77c27ee02f93} - c:\windows\system32\xecqq.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\ycomp5_6_2_0.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [Airlink101 WLAN Monitor] c:\program files\airlink101\airlink101 wlan monitor\WLANmon.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\progra~1.lnk - c:\windows\installer\{e89956f9-5b89-470e-818d-bd46102d0a01}\Icon80951CEC.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\MSMSGS.EXE
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: myspace.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {556DDE35-E955-11D0-A707-000000521957} - hxxp://www.xblock.com/download/xclean_micro.exe
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38092.696400463
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============


============== File Associations ===============

inffile=blank
inifile=blank

=============== Created Last 30 ================


==================== Find3M ====================

2009-06-28 18:31 2,678 a------- c:\windows\java\packages\data\83JP7PV1.DAT
2009-06-28 18:31 2,678 a------- c:\windows\java\packages\data\VRJ57NTN.DAT
2009-06-28 18:31 2,678 a------- c:\windows\java\packages\data\WBXFHVPF.DAT
2009-06-28 18:31 2,678 a------- c:\windows\java\packages\data\SRXZZ53X.DAT
2009-06-28 18:31 2,678 a------- c:\windows\java\packages\data\8XVZ5NXZ.DAT
2009-06-28 17:12 107,264 a------- c:\windows\system32\bidisp.dll
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 18,456 a------- c:\windows\system32\drivers\mbam.sys
2006-08-04 13:07 28,592 ac------ c:\docume~1\compaq\applic~1\GDIPFONTCACHEV1.DAT
2004-11-13 12:59 313 ac--h--- c:\documents and settings\compaq\hpothb07.dat

============= FINISH: 11:06:47.25 ===============


#4 m0le


Posted 07 July 2009 - 07:29 AM

Hi DonaldH

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day then I will close the topic.

Thanks

m0le is a proud member of UNITE

#5 DonaldH


Posted 07 July 2009 - 10:08 AM

Yes, I am still here and checking this topic regularly!

#6 m0le


Posted 07 July 2009 - 06:28 PM

Hi DonaldH,

There are traces of a trojan called Vundo. MBAM finds this but can't always remove it.

Please download ComboFix from one of these locations:

IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Please also run this program

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop, please rename it as gamer.exe.
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click the gamer.exe icon on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

Thanks

#7 DonaldH


Posted 09 July 2009 - 01:00 AM

Sorry, I don't think I got whatever I needed to disable. This is my wife's computer (from before I met her) so I don't know what all she has on it. I think I left TeaTime enabled and maybe some other stuff but could you please let me know if this has messed anything up? If I need to run these again I'll be happy to.

Here is the first log from ComboFix, I'll post the other in a second post:
ComboFix 09-07-08.04 - compaq 07/08/2009 18:42.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.239.106 [GMT -8:00]
Running from: c:\documents and settings\compaq\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\INSTALL.LOG
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
c:\program files\WinPCap\Uninstall.exe
c:\recycler\S-1-5-21-4212676017-3322274812-248915221-1003
c:\recycler\S-1-5-21-4289225659-3018156175-1100138172-1008
c:\windows\desktop
c:\windows\desktop\Compaq Knowledge Center.lnk
c:\windows\Installer\15e964.msi
c:\windows\Installer\6ac90.msi
c:\windows\Installer\79ae6.msi
c:\windows\system32\_003007_.tmp.dll
c:\windows\system32\_003023_.tmp.dll
c:\windows\system32\_003031_.tmp.dll
c:\windows\system32\_003039_.tmp.dll
c:\windows\system32\_003062_.tmp.dll
c:\windows\system32\_003174_.tmp.dll
c:\windows\system32\_003175_.tmp.dll
c:\windows\system32\_003176_.tmp.dll
c:\windows\system32\_003177_.tmp.dll
c:\windows\system32\_003182_.tmp.dll
c:\windows\system32\_003183_.tmp.dll
c:\windows\system32\_003184_.tmp.dll
c:\windows\system32\_003185_.tmp.dll
c:\windows\system32\_003190_.tmp.dll
c:\windows\system32\_003191_.tmp.dll
c:\windows\system32\_003192_.tmp.dll
c:\windows\system32\_003193_.tmp.dll
c:\windows\system32\_003198_.tmp.dll
c:\windows\system32\_003199_.tmp.dll
c:\windows\system32\_003200_.tmp.dll
c:\windows\system32\_003201_.tmp.dll
c:\windows\system32\_003206_.tmp.dll
c:\windows\system32\_003207_.tmp.dll
c:\windows\system32\_003208_.tmp.dll
c:\windows\system32\_003209_.tmp.dll
c:\windows\system32\_003215_.tmp.dll
c:\windows\system32\_003217_.tmp.dll
c:\windows\system32\_003223_.tmp.dll
c:\windows\system32\_003225_.tmp.dll
c:\windows\system32\_003229_.tmp.dll
c:\windows\system32\_003230_.tmp.dll
c:\windows\system32\_003231_.tmp.dll
c:\windows\system32\_003232_.tmp.dll
c:\windows\system32\_003237_.tmp.dll
c:\windows\system32\_003238_.tmp.dll
c:\windows\system32\_003240_.tmp.dll
c:\windows\system32\_003247_.tmp.dll
c:\windows\system32\_003248_.tmp.dll
c:\windows\system32\_003249_.tmp.dll
c:\windows\system32\_003251_.tmp.dll
c:\windows\system32\_003252_.tmp.dll
c:\windows\system32\_003255_.tmp.dll
c:\windows\system32\_003256_.tmp.dll
c:\windows\system32\_003259_.tmp.dll
c:\windows\system32\_003262_.tmp.dll
c:\windows\system32\_003265_.tmp.dll
c:\windows\system32\_003270_.tmp.dll
c:\windows\system32\_003272_.tmp.dll
c:\windows\system32\_003275_.tmp.dll
c:\windows\system32\_003278_.tmp.dll
c:\windows\system32\_003279_.tmp.dll
c:\windows\system32\_003280_.tmp.dll
c:\windows\system32\_003283_.tmp.dll
c:\windows\system32\_003285_.tmp.dll
c:\windows\system32\_003286_.tmp.dll
c:\windows\system32\_003287_.tmp.dll
c:\windows\system32\_003291_.tmp.dll
c:\windows\system32\_004277_.tmp.dll
c:\windows\system32\_004278_.tmp.dll
c:\windows\system32\_004279_.tmp.dll
c:\windows\system32\_004280_.tmp.dll
c:\windows\system32\_004287_.tmp.dll
c:\windows\system32\_004288_.tmp.dll
c:\windows\system32\_004289_.tmp.dll
c:\windows\system32\_004290_.tmp.dll
c:\windows\system32\_004292_.tmp.dll
c:\windows\system32\_004293_.tmp.dll
c:\windows\system32\_004296_.tmp.dll
c:\windows\system32\_004297_.tmp.dll
c:\windows\system32\_004299_.tmp.dll
c:\windows\system32\_004300_.tmp.dll
c:\windows\system32\_004301_.tmp.dll
c:\windows\system32\_004302_.tmp.dll
c:\windows\system32\_004303_.tmp.dll
c:\windows\system32\_004304_.tmp.dll
c:\windows\system32\_004306_.tmp.dll
c:\windows\system32\_004310_.tmp.dll
c:\windows\system32\_004311_.tmp.dll
c:\windows\system32\_004313_.tmp.dll
c:\windows\system32\_004316_.tmp.dll
c:\windows\system32\_004318_.tmp.dll
c:\windows\system32\_004319_.tmp.dll
c:\windows\system32\_004320_.tmp.dll
c:\windows\system32\_004321_.tmp.dll
c:\windows\system32\_004322_.tmp.dll
c:\windows\system32\_004325_.tmp.dll
c:\windows\system32\_004327_.tmp.dll
c:\windows\system32\_004328_.tmp.dll
c:\windows\system32\_004329_.tmp.dll
c:\windows\system32\_004333_.tmp.dll
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\tmp.reg
c:\windows\system32\wpcap.dll
c:\windows\system32\bidisp.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-06-09 to 2009-07-09 )))))))))))))))))))))))))))))))
.

2009-06-30 06:12 . 2009-06-30 06:15 117760 -c--a-w- c:\documents and settings\compaq\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-06 02:15 . 2007-04-16 04:31 -------- dc----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-06 02:13 . 2007-04-16 04:31 -------- dc----w- c:\program files\Spybot - Search & Destroy
2009-07-01 03:09 . 2004-07-08 02:36 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-06-30 06:15 . 2008-11-21 21:45 -------- dc----w- c:\program files\SUPERAntiSpyware
2009-06-29 03:46 . 2008-11-15 20:18 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-29 02:31 . 2009-06-29 02:31 2678 ----a-w- c:\windows\JAVA\Packages\Data\83JP7PV1.DAT
2009-06-29 02:31 . 2009-06-29 02:31 2678 ----a-w- c:\windows\JAVA\Packages\Data\VRJ57NTN.DAT
2009-06-29 02:31 . 2009-06-29 02:31 2678 ----a-w- c:\windows\JAVA\Packages\Data\WBXFHVPF.DAT
2009-06-29 02:31 . 2009-06-29 02:31 2678 ----a-w- c:\windows\JAVA\Packages\Data\SRXZZ53X.DAT
2009-06-29 02:31 . 2009-06-29 02:31 2678 ----a-w- c:\windows\JAVA\Packages\Data\8XVZ5NXZ.DAT
2009-06-29 01:15 . 2005-01-25 01:23 -------- dc--a-w- c:\documents and settings\compaq\Application Data\yahoo!
2009-06-29 01:15 . 2005-01-25 01:21 -------- dc--a-w- c:\documents and settings\All Users\Application Data\yahoo!
2009-06-29 01:12 . 2008-09-01 03:01 107264 ----a-w- c:\windows\system32\bidisp.dll
2009-06-17 19:27 . 2008-11-15 20:18 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 19:27 . 2008-11-15 20:18 18456 ----a-w- c:\windows\system32\drivers\mbam.sys
2007-10-09 05:33 . 2007-10-28 17:00 66408 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll
2007-10-09 05:33 . 2007-10-28 17:00 54112 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2007-10-09 05:33 . 2007-10-28 17:00 34688 -c--a-w- c:\program files\mozilla firefox\components\myspell.dll
2007-10-09 05:33 . 2007-10-28 17:00 46456 -c--a-w- c:\program files\mozilla firefox\components\spellchk.dll
2007-10-09 05:33 . 2007-10-28 17:00 171880 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2007-06-22 02:38 . 2007-06-22 02:38 30280 -c--a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2007-06-22 02:38 . 2007-06-22 02:38 79432 -c--a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2007-06-22 02:38 . 2007-06-22 02:38 71240 -c--a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2007-06-22 02:38 . 2007-06-22 02:38 140872 -c--a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2007-06-22 02:39 . 2007-06-22 02:39 38472 -c--a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2007-06-22 02:39 . 2007-06-22 02:39 46664 -c--a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-06-22 02:39 . 2007-06-22 02:39 34376 -c--a-w- c:\program files\mozilla firefox\plugins\logging.dll
2007-06-22 02:39 . 2007-06-22 02:39 685640 -c--a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2007-06-22 02:40 . 2007-06-22 02:40 30280 -c--a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 1207080]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Airlink101 WLAN Monitor"="c:\program files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe" [2006-10-13 958464]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2006-06-30 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-07-12 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Program Neighborhood Agent.lnk - c:\windows\Installer\{E89956F9-5B89-470E-818D-BD46102D0A01}\Icon80951CEC.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [2007-10-28 38480]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-02-03 03:09 356352 -c--a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 6.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 6.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 6.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=c:\windows\pss\officejet 6100.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YPCService"=3 (0x3)
"VETMSGNT"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"SNDSrvc"=3 (0x3)
"rpcapd"=3 (0x3)
"Pml Driver HPZ12"=3 (0x3)
"PackethSvc"=2 (0x2)
"iPodService"=3 (0x3)
"InCDsrv"=2 (0x2)
"IDriverT"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"Iomega App Services"=2 (0x2)

R0 pnckjrtc;pnckjrtc;c:\windows\System32\drivers\suhwczfq.dat --> c:\windows\System32\drivers\suhwczfq.dat [?]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/17/2008 3:11 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/17/2008 3:11 PM 55024]
R3 N5SG;Airlink101 SuperG Wireless Network Adapter Service;c:\windows\SYSTEM32\DRIVERS\N5SG.sys [11/3/2006 3:30 PM 467040]
S3 QDFSDRV;QDFSDRV;c:\windows\SYSTEM32\DRIVERS\qdfsdrv.sys [12/31/2005 11:05 AM 13792]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/17/2008 3:11 PM 7408]
S4 PackethSvc;Virtual NIC Service;c:\windows\SYSTEM32\PackethSvc.exe [8/6/2005 12:54 PM 64512]
.
Contents of the 'Scheduled Tasks' folder

2004-11-27 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p officejet 6100 series5E771253C1676EBED677BF361FDFC537825E15B8092958820.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 07:52]

2009-07-06 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-08-17 19:24]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0B4B1D06-4768-4A22-B639-9E8B8082ECC4} - c:\windows\System32\atl7.dll
BHO-{9CF8B5E7-292A-25AA-5DC0-01C20BE82F92} - c:\windows\System32\xecqq.dll
BHO-{9CF8B5EB-2922-27AC-5DC2-02C27CE12F90} - c:\windows\System32\xecqq.dll
BHO-{9CF8B5EE-2929-54A4-5DC0-77C27EE02F93} - c:\windows\System32\xecqq.dll
HKLM-Run-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
mStart Page =
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
LSP: c:\windows\System32\VetRedir.dll
Trusted Zone: myspace.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\compaq\Application Data\Mozilla\Firefox\Profiles\1tgdq0gx.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
.
.
------- File Associations -------
.
inffile=blank
inifile=blank
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-08 19:01
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pnckjrtc]
"ImagePath"="system32\drivers\suhwczfq.dat"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\ODBC32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'lsass.exe'(776)
c:\windows\System32\VetRedir.dll
c:\windows\System32\ISafeIf.dll
c:\windows\system32\dssenh.dll

- - - - - - - > 'explorer.exe'(3340)
c:\windows\System32\VetRedir.dll
c:\windows\System32\ISafeIf.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Yahoo!\Antivirus\iSafe.exe
c:\windows\SYSTEM32\fxssvc.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Citrix\ICA Client\pnamain.exe
.
**************************************************************************
.
Completion time: 2009-07-09 19:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-09 03:13

Pre-Run: 3,754,748,416 bytes free
Post-Run: 3,783,730,688 bytes free

winxpsp1_en_hom_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

299 --- E O F --- 2009-07-01 03:17


GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-08 21:58:28
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.15 ----

SSDT FF8A77B0 ZwConnectPort

Code \??\C:\DOCUME~1\compaq\LOCALS~1\Temp\catchme.sys pIofCallDriver
Code suhwczfq.dat ObOpenObjectByName

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ObOpenObjectByName 805556C9 6 Bytes JMP F9AD4076 suhwczfq.dat
? suhwczfq.dat The system cannot find the file specified. !
? Combo-Fix.sys The system cannot find the file specified. !
? C:\DOCUME~1\compaq\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\System32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs VET-FILT.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs VET-REC.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----

#8 m0le (Malware Response Team)

Posted 09 July 2009 - 07:00 PM

Hi DonaldH,

Thanks for the logs. Gmer shows no sign of a rootkit but does pinpoint a bad driver and Combofix has found and deleted a number of items.

There are still traces of malware in the Combofix log so we need to run it again.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\bidisp.dll
c:\windows\System32\drivers\suhwczfq.dat

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pnckjrtc]

Driver::
pnckjrtc


Save this as CFScript.txt, in the same location as ComboFix.exe


[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Thanks :thumbup2:
m0le is a proud member of UNITE

#9 DonaldH (Topic Starter)

Posted 09 July 2009 - 11:20 PM

OK, disabled anti-virus/malware...here is the new log after creating the script:

ComboFix 09-07-09.06 - compaq 07/09/2009 19:35.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.239.137 [GMT -8:00]
Running from: c:\documents and settings\compaq\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\compaq\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\bidisp.dll"
"c:\windows\System32\drivers\suhwczfq.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bidisp.dll
c:\windows\System32\drivers\suhwczfq.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PNCKJRTC
-------\Service_pnckjrtc


((((((((((((((((((((((((( Files Created from 2009-06-10 to 2009-07-10 )))))))))))))))))))))))))))))))
.

2009-06-30 06:12 . 2009-06-30 06:15 117760 -c--a-w- c:\documents and settings\compaq\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-10 01:45 . 2004-05-05 04:00 28164 ----a-w- c:\windows\system32\drivers\MxlW2k.sys
2009-07-06 02:15 . 2007-04-16 04:31 -------- dc----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-06 02:13 . 2007-04-16 04:31 -------- dc----w- c:\program files\Spybot - Search & Destroy
2009-07-01 03:09 . 2004-07-08 02:36 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-06-30 06:15 . 2008-11-21 21:45 -------- dc----w- c:\program files\SUPERAntiSpyware
2009-06-29 03:46 . 2008-11-15 20:18 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-29 02:31 . 2009-06-29 02:31 2678 ----a-w- c:\windows\JAVA\Packages\Data\83JP7PV1.DAT
2009-06-29 02:31 . 2009-06-29 02:31 2678 ----a-w- c:\windows\JAVA\Packages\Data\VRJ57NTN.DAT
2009-06-29 02:31 . 2009-06-29 02:31 2678 ----a-w- c:\windows\JAVA\Packages\Data\WBXFHVPF.DAT
2009-06-29 02:31 . 2009-06-29 02:31 2678 ----a-w- c:\windows\JAVA\Packages\Data\SRXZZ53X.DAT
2009-06-29 02:31 . 2009-06-29 02:31 2678 ----a-w- c:\windows\JAVA\Packages\Data\8XVZ5NXZ.DAT
2009-06-29 01:15 . 2005-01-25 01:23 -------- dc--a-w- c:\documents and settings\compaq\Application Data\yahoo!
2009-06-29 01:15 . 2005-01-25 01:21 -------- dc--a-w- c:\documents and settings\All Users\Application Data\yahoo!
2009-06-17 19:27 . 2008-11-15 20:18 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 19:27 . 2008-11-15 20:18 18456 ----a-w- c:\windows\system32\drivers\mbam.sys
2007-10-09 05:33 . 2007-10-28 17:00 66408 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll
2007-10-09 05:33 . 2007-10-28 17:00 54112 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2007-10-09 05:33 . 2007-10-28 17:00 34688 -c--a-w- c:\program files\mozilla firefox\components\myspell.dll
2007-10-09 05:33 . 2007-10-28 17:00 46456 -c--a-w- c:\program files\mozilla firefox\components\spellchk.dll
2007-10-09 05:33 . 2007-10-28 17:00 171880 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2007-06-22 02:38 . 2007-06-22 02:38 30280 -c--a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2007-06-22 02:38 . 2007-06-22 02:38 79432 -c--a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2007-06-22 02:38 . 2007-06-22 02:38 71240 -c--a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2007-06-22 02:38 . 2007-06-22 02:38 140872 -c--a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2007-06-22 02:39 . 2007-06-22 02:39 38472 -c--a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2007-06-22 02:39 . 2007-06-22 02:39 46664 -c--a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-06-22 02:39 . 2007-06-22 02:39 34376 -c--a-w- c:\program files\mozilla firefox\plugins\logging.dll
2007-06-22 02:39 . 2007-06-22 02:39 685640 -c--a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2007-06-22 02:40 . 2007-06-22 02:40 30280 -c--a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-09_03.05.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-08-25 19:19 . 2009-07-10 03:27 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2001-08-25 19:19 . 2009-07-06 03:27 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2001-08-25 19:19 . 2009-07-10 03:27 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2001-08-25 19:19 . 2009-07-06 03:27 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B4B1D06-4768-4A22-B639-9E8B8082ECC4}]
c:\windows\System32\atl7.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 1207080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Airlink101 WLAN Monitor"="c:\program files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe" [2006-10-13 958464]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2006-06-30 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-07-12 282624]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2002-08-29 145408]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Program Neighborhood Agent.lnk - c:\windows\Installer\{E89956F9-5B89-470E-818D-BD46102D0A01}\Icon80951CEC.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [2007-10-28 38480]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-02-03 03:09 356352 -c--a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 6.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 6.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 6.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=c:\windows\pss\officejet 6100.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YPCService"=3 (0x3)
"VETMSGNT"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"SNDSrvc"=3 (0x3)
"rpcapd"=3 (0x3)
"Pml Driver HPZ12"=3 (0x3)
"PackethSvc"=2 (0x2)
"iPodService"=3 (0x3)
"InCDsrv"=2 (0x2)
"IDriverT"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"Iomega App Services"=2 (0x2)
"CAISafe"=2 (0x2)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/17/2008 3:11 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/17/2008 3:11 PM 55024]
R3 N5SG;Airlink101 SuperG Wireless Network Adapter Service;c:\windows\SYSTEM32\DRIVERS\N5SG.sys [11/3/2006 3:30 PM 467040]
S3 QDFSDRV;QDFSDRV;c:\windows\SYSTEM32\DRIVERS\qdfsdrv.sys [12/31/2005 11:05 AM 13792]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/17/2008 3:11 PM 7408]
S4 PackethSvc;Virtual NIC Service;c:\windows\SYSTEM32\PackethSvc.exe [8/6/2005 12:54 PM 64512]
.
Contents of the 'Scheduled Tasks' folder

2004-11-27 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p officejet 6100 series5E771253C1676EBED677BF361FDFC537825E15B8092958820.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 07:52]

2009-07-10 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-08-17 19:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
mStart Page =
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
LSP: c:\windows\System32\VetRedir.dll
Trusted Zone: myspace.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\compaq\Application Data\Mozilla\Firefox\Profiles\1tgdq0gx.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-09 19:50
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\ODBC32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'lsass.exe'(776)
c:\windows\System32\VetRedir.dll
c:\windows\System32\ISafeIf.dll
c:\windows\system32\dssenh.dll

- - - - - - - > 'explorer.exe'(3212)
c:\windows\System32\VetRedir.dll
c:\windows\System32\ISafeIf.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\SYSTEM32\fxssvc.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Citrix\ICA Client\pnamain.exe
.
**************************************************************************
.
Completion time: 2009-07-10 19:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-10 03:58
ComboFix2.txt 2009-07-09 03:14

Pre-Run: 3,768,150,528 bytes free
Post-Run: 3,774,289,408 bytes free

184 --- E O F --- 2009-07-01 03:17

#10 m0le (Malware Response Team)

Posted 10 July 2009 - 03:39 PM

There's a little bit more work to do but it's looking a lot better DonaldH.

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the OTM icon on your desktop.
  • Paste the following code under the [image] area. Do not include the word "Code".
    :Files
    c:\windows\System32\atl7.dll
    :Reg
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B4B1D06-4768-4A22-B639-9E8B8082ECC4}]
  • Push the large [image] button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the [image] line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Post the OTM log.

That should be the end of the big baddies :thumbup2:

#11 DonaldH (Topic Starter)

Posted 10 July 2009 - 08:57 PM

OK, did not ask for a reboot, here is that log as requested:

========== FILES ==========
File/Folder c:\windows\System32\atl7.dll not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B4B1D06-4768-4A22-B639-9E8B8082ECC4}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B4B1D06-4768-4A22-B639-9E8B8082ECC4}\ deleted successfully.

OTM by OldTimer - Version 3.0.0.4 log created on 07102009_175720

#12 m0le (Malware Response Team)

Posted 11 July 2009 - 03:08 AM

We should be good now. How are the redirects?

Just an online scan left to check out any malware remnants.

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.
Thanks :thumbup2:

#13 DonaldH (Topic Starter)

Posted 11 July 2009 - 06:26 PM

Well, this doesn't look good unless these are false positives, but let me know the next step. I really appreciate all your help!

BitDefender Online Scanner

Scan report generated at: Sat, Jul 11, 2009 - 14:06:00
Scan path: A:\;C:\;

Statistics
  Time: 02:33:15
  Files: 210598
  Folders: 4630
  Boot Sectors: 0
  Archives: 20747
  Packed Files: 13244

Results
  Identified Viruses: 11
  Infected Files: 13
  Suspect Files: 0
  Warnings: 0
  Disinfected: 0
  Deleted Files: 16

Engines Info
  Virus Definitions: 3676369
  Engine build: AVCORE v1.7 (build 8314.19) (i386) (Sep 29 2008 17:19:14)
  Scan plugins: 17
  Archive plugins: 45
  Unpack plugins: 7
  E-mail plugins: 6
  System plugins: 4

Scan Settings
  First Action: Disinfect
  Second Action: Delete
  Heuristics: Yes
  Enable Warnings: Yes
  Scanned Extensions: *;
  Exclude Extensions:
  Scan Emails: Yes
  Scan Archives: Yes
  Scan Packed: Yes
  Scan Files: Yes
  Scan Boot: Yes

Scanned File / Status

C:\Documents and Settings\compaq\.housecall6.6\Quarantine\A0000114.exe.bac_a02636=>(Quarantine-4)
Infected with: Dropped:Trojan.Vundo.Gen.1

C:\Documents and Settings\compaq\.housecall6.6\Quarantine\A0000114.exe.bac_a02636=>(Quarantine-4)
Disinfection failed

C:\Documents and Settings\compaq\.housecall6.6\Quarantine\A0000114.exe.bac_a02636=>(Quarantine-4)
Deleted

C:\Documents and Settings\compaq\.housecall6.6\Quarantine\A0000114.exe.bac_a02636
Deleted

C:\Documents and Settings\compaq\.housecall6.6\Quarantine\A0001229.dll.bac_a02636=>(Quarantine-4)
Infected with: Rootkit.7655

C:\Documents and Settings\compaq\.housecall6.6\Quarantine\A0001229.dll.bac_a02636=>(Quarantine-4)
Deleted

C:\Documents and Settings\compaq\.housecall6.6\Quarantine\A0001229.dll.bac_a02636
Deleted

C:\Documents and Settings\compaq\Local Settings\Application Data\Identities\{2993BD13-4274-45F9-BE34-90FB9C2AE00E}\Microsoft\Outlook Express\Hotmail.dbx=>(message 73): John sent you a greeting card.
Infected with: Generic.Peed.Eml.98F35E7E

C:\Documents and Settings\compaq\Local Settings\Application Data\Identities\{2993BD13-4274-45F9-BE34-90FB9C2AE00E}\Microsoft\Outlook Express\Hotmail.dbx=>(message 73): John sent you a greeting card.
Disinfection failed

C:\Documents and Settings\compaq\Local Settings\Application Data\Identities\{2993BD13-4274-45F9-BE34-90FB9C2AE00E}\Microsoft\Outlook Express\Hotmail.dbx=>(message 73): John sent you a greeting card.
Deleted

C:\Documents and Settings\compaq\Local Settings\Application Data\Identities\{2993BD13-4274-45F9-BE34-90FB9C2AE00E}\Microsoft\Outlook Express\Hotmail.dbx
Updated

C:\Documents and Settings\compaq\Local Settings\Application Data\Identities\{2993BD13-4274-45F9-BE34-90FB9C2AE00E}\Microsoft\Outlook Express\Inbox.dbx=>(message 1417): 2=>[Subject: 2][Date: Fri, 27 Aug 2004 10:20:28 -0600]=>(MIME part)
Infected with: Trojan.Script.86471

C:\Documents and Settings\compaq\Local Settings\Application Data\Identities\{2993BD13-4274-45F9-BE34-90FB9C2AE00E}\Microsoft\Outlook Express\Inbox.dbx=>(message 1417): 2=>[Subject: 2][Date: Fri, 27 Aug 2004 10:20:28 -0600]=>(MIME part)
Disinfection failed

C:\Documents and Settings\compaq\Local Settings\Application Data\Identities\{2993BD13-4274-45F9-BE34-90FB9C2AE00E}\Microsoft\Outlook Express\Inbox.dbx=>(message 1417): 2=>[Subject: 2][Date: Fri, 27 Aug 2004 10:20:28 -0600]=>(MIME part)
Deleted

C:\Documents and Settings\compaq\Local Settings\Application Data\Identities\{2993BD13-4274-45F9-BE34-90FB9C2AE00E}\Microsoft\Outlook Express\Inbox.dbx=>(message 1417): 2
Updated

C:\Documents and Settings\compaq\Local Settings\Application Data\Identities\{2993BD13-4274-45F9-BE34-90FB9C2AE00E}\Microsoft\Outlook Express\Inbox.dbx
Updated

C:\Documents and Settings\compaq\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: John sent you a greeting card.][From: 123Greetings.com Postmaster]=>(body)=>(Compressed Rtf)
Infected with: Generic.Peed.Eml.04D8D097

C:\Documents and Settings\compaq\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: John sent you a greeting card.][From: 123Greetings.com Postmaster]=>(body)=>(Compressed Rtf)
Disinfection failed

C:\Documents and Settings\compaq\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: John sent you a greeting card.][From: 123Greetings.com Postmaster]=>(body)=>(Compressed Rtf)
Deleted

C:\Documents and Settings\compaq\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: John sent you a greeting card.][From: 123Greetings.com Postmaster]=>(body)
Deleted

C:\Documents and Settings\compaq\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst
Updated

C:\Documents and Settings\compaq\My Documents\BSINSTALL.exe=>wise0024
Detected with: Application.Whenu.Weathercast.J

C:\Documents and Settings\compaq\My Documents\BSINSTALL.exe=>wise0024
Disinfection failed

C:\Documents and Settings\compaq\My Documents\BSINSTALL.exe=>wise0024
Deleted

C:\Documents and Settings\compaq\My Documents\BSINSTALL.exe
Update failed

C:\Documents and Settings\compaq\My Documents\BSINSTALL.exe=>wise0028
Infected with: Gen:Adware.Heur.6025DA7878

C:\Documents and Settings\compaq\My Documents\BSINSTALL.exe=>wise0028
Disinfection failed

C:\Documents and Settings\compaq\My Documents\BSINSTALL.exe=>wise0028
Deleted

C:\Documents and Settings\compaq\My Documents\BSINSTALL.exe
Update failed

C:\Documents and Settings\compaq\My Documents\BSINSTALL.exe=>(Embedded EXE r)=>wise0024
Detected with: Application.Whenu.Weathercast.J

C:\Documents and Settings\compaq\My Documents\BSINSTALL.exe=>(Embedded EXE r)=>wise0024
Disinfection failed

C:\Documents and Settings\compaq\My Documents\BSINSTALL.exe=>(Embedded EXE r)=>wise0024
Deleted

C:\Documents and Settings\compaq\My Documents\BSINSTALL.exe=>(Embedded EXE r)
Update failed

C:\Documents and Settings\compaq\My Documents\BSINSTALL.exe=>(Embedded EXE r)=>wise0028
Infected with: Gen:Adware.Heur.6025DA7878

C:\Documents and Settings\compaq\My Documents\BSINSTALL.exe=>(Embedded EXE r)=>wise0028
Disinfection failed

C:\Documents and Settings\compaq\My Documents\BSINSTALL.exe=>(Embedded EXE r)=>wise0028
Deleted

C:\Documents and Settings\compaq\My Documents\BSINSTALL.exe=>(Embedded EXE r)
Update failed

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\_suhwczfq_.dat.zip=>suhwczfq.dat
Infected with: Rootkit.Agent.VJ

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\_suhwczfq_.dat.zip=>suhwczfq.dat
Deleted

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\_suhwczfq_.dat.zip
Updated

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\_bidisp_.dll.zip=>bidisp.dll
Infected with: Gen:Adware.Heur.605E3F4E4E

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\_bidisp_.dll.zip=>bidisp.dll
Disinfection failed

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\_bidisp_.dll.zip=>bidisp.dll
Deleted

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\_bidisp_.dll.zip
Updated

C:\WINDOWS\SYSTEM32\DRIVERS\gkbfmupi.dat
Infected with: Trojan.Spy.Agent.NJP

C:\WINDOWS\SYSTEM32\DRIVERS\gkbfmupi.dat
Deleted

C:\WINDOWS\SYSTEM32\nowhsgu.exe
Detected with: Adware.Callinghome.B

C:\WINDOWS\SYSTEM32\nowhsgu.exe
Deleted

#14 DonaldH (Topic Starter)

Posted 11 July 2009 - 06:28 PM

Forgot to mention...redirects are better, this computer is useful again!

#15 m0le (Malware Response Team)

Posted 11 July 2009 - 06:59 PM

Okay, the log looks ominous, but the majority of the deletions are from quarantine folders, and there are a few Outlook folder items too. Some infected files (including BearShare's own executable file) and a bad driver.

No problems there.

Let's just check that assertion with a different scanner.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]
This should be clean. :thumbup2:
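m0le's reading of the BitDefender report, that most hits sit in quarantine stores and mail databases rather than on the live system, is a path classification that can be automated so the next scan is triaged the same way. The block below is an added example by the editor, not code from this thread or from BitDefender. It parses entries copied from the report above and sorts each by the on-disk container in front of the first "=>". The four categories, and the rule that only live-system and user-file hits still need action after a cleanup, are the editor's assumptions; note that the rule keeps gkbfmupi.dat, a second random-named .dat in the drivers folder, in the live-system group rather than treating it as a remnant.

```python
"""Sort BitDefender online-scan hits by the container they were found in.

Added example by the editor: not code from this thread or from BitDefender.
The entries are copied from the report posted above. The container categories
and the rule that only live-system and user-file hits still need attention
after the cleanup are the editor's assumptions.
"""
import re

PATH_RE = re.compile(r"^[A-Za-z]:\\")
VERDICT_RE = re.compile(r"^(?:Infected|Detected) with: (?P<name>.+)$")

# Entries copied from the BitDefender report in this thread.
SAMPLE_REPORT = r"""
C:\Documents and Settings\compaq\.housecall6.6\Quarantine\A0001229.dll.bac_a02636=>(Quarantine-4)
Infected with: Rootkit.7655

C:\Documents and Settings\compaq\.housecall6.6\Quarantine\A0001229.dll.bac_a02636=>(Quarantine-4)
Deleted

C:\Documents and Settings\compaq\Local Settings\Application Data\Identities\{2993BD13-4274-45F9-BE34-90FB9C2AE00E}\Microsoft\Outlook Express\Hotmail.dbx=>(message 73): John sent you a greeting card.
Infected with: Generic.Peed.Eml.98F35E7E

C:\Documents and Settings\compaq\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=>[Subject: John sent you a greeting card.][From: 123Greetings.com Postmaster]=>(body)=>(Compressed Rtf)
Infected with: Generic.Peed.Eml.04D8D097

C:\Documents and Settings\compaq\My Documents\BSINSTALL.exe=>wise0028
Infected with: Gen:Adware.Heur.6025DA7878

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\_suhwczfq_.dat.zip=>suhwczfq.dat
Infected with: Rootkit.Agent.VJ

C:\WINDOWS\SYSTEM32\DRIVERS\gkbfmupi.dat
Infected with: Trojan.Spy.Agent.NJP

C:\WINDOWS\SYSTEM32\nowhsgu.exe
Detected with: Adware.Callinghome.B
"""


def parse_report(text):
    """One hit per (path, verdict) pair; 'Deleted'/'Updated' status lines are skipped."""
    lines = [l.rstrip() for l in text.splitlines()]
    hits = []
    for path, status in zip(lines, lines[1:]):
        m = VERDICT_RE.match(status)
        if m and PATH_RE.match(path):
            hits.append({"path": path, "name": m.group("name")})
    return hits


def container(path):
    # BitDefender chains nested objects with "=>"; the first piece is the file on disk
    return path.split("=>", 1)[0]


def classify(path):
    disk = container(path).lower()
    if "\\quarantine\\" in disk or disk.startswith("c:\\qoobox\\"):
        return "quarantine"      # already neutralised by an earlier tool
    if disk.endswith((".dbx", ".pst")):
        return "mail-store"      # inert until the message is opened
    if disk.startswith("c:\\windows\\"):
        return "live-system"     # still resident in the system tree
    return "user-file"


def summarize(hits):
    groups = {}
    for h in hits:
        groups.setdefault(classify(h["path"]), []).append(h)
    return groups


def still_needs_action(hits):
    return [h for h in hits if classify(h["path"]) in ("live-system", "user-file")]


if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    for category, group in sorted(summarize(hits).items()):
        print(category)
        for h in group:
            print("  %-28s %s" % (h["name"], container(h["path"])))
    print("\nstill needs action:", [h["name"] for h in still_needs_action(hits)])
```

On the sample, the two quarantine hits and the two mail-store hits drop out, leaving the installer in My Documents and the two files under C:\WINDOWS\SYSTEM32 as the items that were actually live when BitDefender ran, which matches the "some infected files and a bad driver" summary in the post above.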
