Infected - not sure with what - Possibly Spywareprotect 2009


This topic is locked.
22 replies to this topic

#1 acatlin

Posted 02 July 2009 - 09:17 AM

My Sunbelt Vipre gave me an active alert of an attempt from Spywareprotect 2009 to run. I think it still put something on my system.

WHAT I HAVE TRIED ALREADY:
1. Run Sunbelt Vipre quick, and full in regular boot and quick and full in safe mode.
2. Run Malwarebytes quick and full in regular boot and quick and full in safe mode.
3. Run SpyBot Search & Destroy in regular boot mode.

REMAINING PROBLEMS
1. My computer drives have had their letters reassigned to different ones. My Computer > Manage > Disk Management shows NO DRIVES despite rescanning disks.

2. Internet explorer searches with Google will redirect when you click the results. Examples of sites that I am redirected to:
a. Search Google > Skytron > Click products result: [http://78.41.205.57/go.php?data=sVYsVFD%2BbiSiH3rRtApOF7BRXS8yJroPPzq7VwAZEF4q6vFlFyVQt%2B53htA59gW8nDg83GnqPyk%2BYyv5eu58rTePofTsGk38ea9dhbxcC2G9Zpijr%2BYEcJD%2ByZ%2BA7AWMTIYsThnD0HqBY57IHjcOV6AX2IdisYsIuMQzGMiGswyLeA8WLiY1a%2BtHxnRCoc1JmaII%2Bo%2BZYlJS9aJCSUssOw26tIZa16WcrvVfkOaCT9Pq%2BT3GXMHz7oo0GqAGIGDzkv8hr03bzd9uc5Z1wyviOQbTToNZfgyD9mWa25SFBHJcl9Bgf9l2XmUQCeqTOqdJIlXd2A7ZSPv%2F9PNpg%2BKvHzV3PeOnEQiJEAoC2v7vR3ThhXharDpsFw%3D%3D]

b. Search Google > Bleepingcomputer.com search > Click main result: [http://nbaok.net/in.cgi?16&parameter=bleepingcomputer.com&ur=1&HTTP_REFERER=30633]

c. Other random redirect: [http://overclick.…]

DDS.TXT CONTENTS
DDS (Ver_09-06-26.01) - NTFSx86
Run by acatlin at 9:03:49.66 on Thu 07/02/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3323.2232 [GMT -4:00]

AV: Sunbelt VIPRE *On-access scanning enabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\svchost.exe -k drv
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\SAAZOD\SAAZDPMACTL.EXE
C:\PROGRA~1\SAAZOD\SAAZRemoteSupport.exe
C:\PROGRA~1\SAAZOD\SAAZScheduler.exe
C:\PROGRA~1\SAAZOD\SAAZServerPlus.exe
C:\PROGRA~1\SAAZOD\SAAZWatchDog.exe
C:\Program Files\Sunbelt Software\SBEAgent\SBAMSvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\sttray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe
C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Microsoft LifeChat\LifeChat.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Sunbelt Software\SBEAgent\SBAMTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\X1\X1FileMonitor.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\AeroSnap\AeroSnap.exe
C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
C:\Program Files\My Folders\MyFolders.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Nortel\CallPilot\cpnotifier.exe
C:\Program Files\CD-Indexer v1.1\CD-Indexer Monitor.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\X1\X1Systray.exe
C:\Program Files\X1\X1.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\PROGRA~1\X1\X1SERV~1.EXE
svchost
C:\PROGRA~1\X1\textExtractor.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\PROGRA~1\SAAZOD\RMHLPDSK.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Documents and Settings\acatlin\Desktop\dds.bat

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/ig
uWindow Title = Microsoft Internet Explorer provided by Skytron
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [LogitechSetup] "c:\docume~1\acatlin\locals~1\temp\quickcam_11.1.0\setup.exe" /skip_all_checks /p /start /restart /l:enu
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [X1FileMonitor.exe] c:\progra~1\x1\X1FileMonitor.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [AeroSnap] c:\program files\aerosnap\AeroSnap.exe
uRun: [Taskbar Shuffle] c:\program files\taskbar shuffle\taskbarshuffle.exe
uRun: [My Folders] c:\program files\my folders\MyFolders.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "nwiz.exe" /install
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [DiskeeperSystray] "c:\program files\executive software\diskeeper\DkIcon.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [pdfFactory Pro Dispatcher v3] "c:\windows\system32\spool\drivers\w32x86\3\fppdis3a.exe" /source=HKLM
mRun: [TrueImageMonitor.exe] "c:\program files\acronis\trueimageworkstation\TrueImageMonitor.exe"
mRun: [AcronisTimounterMonitor] "c:\program files\acronis\trueimageworkstation\TimounterMonitor.exe"
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [OrderReminder] "c:\program files\hewlett-packard\orderreminder\OrderReminder.exe"
mRun: [LifeChat] "c:\program files\microsoft lifechat\LifeChat.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [SBAMTray] c:\program files\sunbelt software\sbeagent\SBAMTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
StartupFolder: c:\docume~1\acatlin\startm~1\programs\startup\x1syst~1.lnk - c:\program files\x1\X1Systray.exe
StartupFolder: c:\docume~1\acatlin\startm~1\programs\startup\x1.lnk - c:\program files\x1\X1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\callpi~1.lnk - c:\program files\nortel\callpilot\cpnotifier.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cd-ind~1.lnk - c:\program files\cd-indexer v1.1\CD-Indexer Monitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\snagit~1.lnk - c:\program files\techsmith\snagit 8\SnagIt32.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Open Selected URL - c:\windows\openselectedurl.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {FAB24596-1193-44D4-818D-C81A65DAB0B8}\Lang040c
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_12.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {FAB24596-1193-44D4-818D-C81A65DAB0B8} - {E0129168-78FA-49E8-BEC5-258FC94A767A} - c:\program files\colligo reader 3.2\CGOIEExtension.dll
Trusted Zone: attainia.com
Trusted Zone: attainia.com\flex
Trusted Zone: attainia.com\reports
Trusted Zone: attainia.com\www
Trusted Zone: itsupport247.net
Trusted Zone: skycrm
Trusted Zone: skytron.us\skytron
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
DPF: {3591A50E-18FD-42BC-8D10-6C93BDAF2DA0} - hxxps://itsupport247.net/components/SG20o.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqaio2/downloads/sysinfo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187214079781
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} - hxxps://www.gotomeeting.com/default/applets/g2mdlax.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://attainia.webex.com/client/T26L/webex/ieatgpc.cab
DPF: {E3089160-E8AD-4C5B-B47C-ADDF3DF660DD} - hxxp://skytest2/pwa/_layouts/pwa/objects/pjclient.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://plugin.driveragent.com/files/driveragent.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap
LSA: Notification Packages = scecli scecli

============= SERVICES / DRIVERS ===============

R?2 drv;drv;c:\windows\system32\svchost.exe -k drv [2006-9-27 14336]
R1 drvdrv;drvdrv;c:\program files\drv\drv.sys [2009-7-1 9344]
R1 NmPar;MosChip PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [2007-9-27 76416]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2009-6-15 13360]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2009-6-5 202928]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-8-3 12856]
R2 SAAZDPMACTL;SAAZDPMACTL;c:\progra~1\saazod\SAAZDPMACTL.EXE [2009-3-12 81920]
R2 SAAZRemoteSupport;SAAZRemoteSupport;c:\progra~1\saazod\SAAZRemoteSupport.exe [2009-3-12 73728]
R2 SAAZScheduler;SAAZScheduler;c:\progra~1\saazod\SAAZScheduler.exe [2009-3-12 77824]
R2 SAAZServerPlus;SAAZServerPlus;c:\progra~1\saazod\SAAZServerPlus.exe [2006-11-21 77824]
R2 SAAZWatchDog;SAAZWatchDog;c:\progra~1\saazod\\saazwatchdog --> c:\progra~1\saazod\\SAAZWatchDog [?]
R2 SBAMSvc;VIPRE Enterprise Agent;c:\program files\sunbelt software\sbeagent\SBAMSvc.exe [2009-4-22 894248]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2009-6-15 69936]
S2 WTAMSVC_Analysis Series 7.0;WebTrends Alerting and Monitoring for Analysis Series 7.0;c:\program files\webtrends analysis series\WTAM_Service.exe [2001-12-14 241664]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-22 92464]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-07-01 12:22 <DIR> --d----- c:\windows\system32\NtmsData
2009-07-01 10:57 <DIR> --d----- c:\program files\drv
2009-06-26 10:53 1,409 a------- c:\windows\QTFont.for
2009-06-18 13:37 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-18 13:37 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-18 13:37 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-17 11:19 <DIR> --d----- c:\program files\RoboGen
2009-06-15 10:27 69,936 a------- c:\windows\system32\drivers\sbapifs.sys
2009-06-15 10:27 13,360 a------- c:\windows\system32\drivers\sbaphd.sys
2009-06-12 14:35 54,156 a---h--- c:\windows\QTFont.qfn
2009-06-05 13:52 <DIR> --d----- c:\docume~1\acatlin\applic~1\Sunbelt
2009-06-05 13:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sunbelt
2009-06-05 13:52 202,928 a------- c:\windows\system32\drivers\sbtis.sys
2009-06-05 13:52 <DIR> --d----- c:\program files\Sunbelt Software
2009-06-05 13:52 <DIR> --d----- C:\SunbeltSoftwareInstall

==================== Find3M ====================

2009-04-22 06:01 65,320 a------- c:\windows\system32\sbbd.exe
2008-08-05 10:25 60,744 a------- c:\documents and settings\acatlin\g2mdlhlpx.exe
2007-12-05 11:34 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
1764-11-19 03:53 4,252 ---sh--- c:\windows\win320.sys

============= FINISH: 9:05:14.40 ===============

Edited by Orange Blossom, 02 July 2009 - 10:44 PM.
Deactivate links. ~ OB
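Read the way a malware analyst reads it, the DDS log in this post already points at three entries before any removal tool runs: a service named drv hosted by svchost.exe under a service group Windows never shipped (`svchost.exe -k drv`), a kernel driver drv.sys loading from C:\Program Files\drv, and a hidden+system win320.sys sitting in C:\Windows with a 1764 timestamp. The script below is an added example, not part of the original post and not anything DDS itself does: it parses the SERVICES / DRIVERS and Find3M sections in the layout DDS prints and flags exactly those patterns. The allowlist of stock svchost groups, the 1985 cut-off for a plausible file date and the name-equals-description heuristic are my assumptions; the sample lines are copied from the log above.

```python
"""Triage a DDS log for rootkit-style indicators (added example; DDS itself
does no such scoring). Parses the SERVICES / DRIVERS, Created Last 30 and
Find3M sections in the layout DDS prints and flags entries an analyst would
pull first. Every hit still needs a human: legitimate agents trip some of these."""
import re
from datetime import datetime

# svchost.exe service groups that ship with Windows XP SP3. Assumption: a
# practical allowlist rather than an exhaustive one; extend it per host.
KNOWN_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "localservice", "networkservice",
    "imgsvc", "termsvcs", "httpfilter", "wudfservicegroup",
}
# Assumption: nothing genuine on an XP box predates 1985 (NTFS can store
# dates back to 1601, so an absurd year means a forged or damaged timestamp).
OLDEST_PLAUSIBLE_YEAR = 1985

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# e.g. "R?2 drv;drv;c:\windows\system32\svchost.exe -k drv [2006-9-27 14336]"
SERVICE_RE = re.compile(
    r"^(?P<status>[RS]\??\d)\s+(?P<name>[^;]*);(?P<desc>[^;]*);(?P<path>.*?)"
    r"(?:\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\])?\s*$"
)
# e.g. "1764-11-19 03:53 4,252 ---sh--- c:\windows\win320.sys"
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+\d{2}:\d{2}\s+(?P<size>[\d,]+|<DIR>)\s+"
    r"(?P<attrs>[a-z-]{8})\s+(?P<path>.+?)\s*$"
)

# Lines copied from the DDS log in the post above; the rest of that log is omitted.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R?2 drv;drv;c:\windows\system32\svchost.exe -k drv [2006-9-27 14336]
R1 drvdrv;drvdrv;c:\program files\drv\drv.sys [2009-7-1 9344]
R1 NmPar;MosChip PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [2007-9-27 76416]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2009-6-15 13360]
R2 SBAMSvc;VIPRE Enterprise Agent;c:\program files\sunbelt software\sbeagent\SBAMSvc.exe [2009-4-22 894248]

==================== Find3M ====================

2009-04-22 06:01 65,320 a------- c:\windows\system32\sbbd.exe
1764-11-19 03:53 4,252 ---sh--- c:\windows\win320.sys
"""

def check_service(m):
    """Reasons a SERVICES / DRIVERS entry deserves a look (empty list if none)."""
    reasons = []
    name, desc, path = m["name"].lower(), m["desc"].lower(), m["path"].lower()
    hosted = re.search(r"svchost(?:\.exe)?\s+-k\s+(\S+)", path)
    if hosted and hosted.group(1) not in KNOWN_SVCHOST_GROUPS:
        reasons.append(f"svchost group '{hosted.group(1)}' is not a stock XP group")
    if path.endswith(".sys") and not path.startswith("c:\\windows\\"):
        reasons.append("kernel driver loading from outside %windir%")
    # Vendors give services a display name; malware reuses the short internal
    # name. Stock drivers in system32\drivers do too, so also require an odd path.
    if name == desc and not path.startswith("c:\\windows\\system32\\drivers\\"):
        reasons.append("display name equals service name outside the stock driver directory")
    return reasons

def check_file(m):
    """Reasons a Created Last 30 / Find3M entry deserves a look."""
    reasons = []
    year = int(m["date"][:4])
    if year < OLDEST_PLAUSIBLE_YEAR or year > datetime.now().year:
        reasons.append(f"impossible timestamp {m['date']}")
    attrs, path = m["attrs"], m["path"].lower()
    # DDS prints one letter per set attribute: 's' system, 'h' hidden, 'd' directory.
    if "s" in attrs and "h" in attrs and path.endswith(".sys") and "\\drivers\\" not in path:
        reasons.append("hidden+system driver file outside system32\\drivers")
    return reasons

def triage(log_text):
    """Walk a DDS log; return a list of {section, entry, reasons} findings."""
    findings, section = [], None
    for line in log_text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section == "SERVICES / DRIVERS":
            m, check = SERVICE_RE.match(line), check_service
        elif section in ("Created Last 30", "Find3M"):
            m, check = FILE_RE.match(line), check_file
        else:
            continue
        if m and (reasons := check(m)):
            findings.append({"section": section, "entry": m["path"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['entry']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run against the sample it reports the svchost-hosted drv service, drv.sys and win320.sys and stays quiet on NmPar.sys, sbaphd.sys and the VIPRE agent. Pasting a full DDS log in place of SAMPLE_LOG works the same way; the ComboFix log later in this thread shows the same drv service and hjgrui* files being removed, which is the kind of confirmation a hit from this script should be checked against.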



#2 SifuMike (malware expert)

Posted 04 July 2009 - 01:57 PM

Hello acatlin,

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

***************

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Sunbelt VIPRE Antivirus before running ComboFix, as it will prevent it from running.

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 acatlin (Topic Starter)

Posted 04 July 2009 - 04:09 PM

Hi SifuMike,

Thanks very much for your reply. I am not in my office right now but can access my computer using LogMeIn. I was able to run SecurityCheck and the contents of checkup.txt are below

Results of screen317's Security Check version 0.98.4
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Enabled!
AdobeAfterEffectsCS3Presets
WebTrendsAnalysisSeries7.0b
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

Spybot - Search & Destroy
Malwarebytes' Anti-Malware
Java™ 6 Update 12
Out of date Java installed!
Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

Spybot SDHelper is disabled!
Spybot - Search & Destroy TeaTimer.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````

POOR! (NOT RANDOM-- Consider OPENDNS)

Scan took 47 seconds.
`````````End of Log```````````


Unfortunately I am unable to run Combofix.exe. I disabled my Vipre services and closed SpyBot (recently added as a duplicate for this problem only). However I am getting this error when I try Combofix:

Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
I have even renamed the combofix.exe to bob.exe but no luck.

I don't think I can run in safe mode due to being remote at the moment. The logmein service probably wouldn't start and I would not be able to access my computer. That being said, is there anything else I should try right now or should I wait until I can get back in the office on Monday?

Thank you.

#4 SifuMike (malware expert)

Posted 04 July 2009 - 05:42 PM

Hi acatlin,


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 14.
  • Click the "Download" button to the right.
  • At the Select Platform and Language for your download drop down box
    Select Windows and Multi-Language
  • Check the box that says: "Accept License Agreement" then press Continue ( Selecting Windows will give you the 32 bit version. )
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u13-windows-i586-p.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java™ 6 Update 12
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586.exe to install the newest version.
Is this a business, work or corporate computer?

Edited by SifuMike, 04 July 2009 - 05:57 PM.


#5 acatlin (Topic Starter)

Posted 06 July 2009 - 07:19 AM

I have removed my old version of Java and have updated to Java 6 Update 14. jre-6u14-windows-i586-s.exe. I tried running combofix.exe after reboot and it still would not run. Tried in safe mode too with no luck. Yes this is one of my work computers. Any suggestions?

Thank you.

#6 SifuMike (malware expert)

Posted 06 July 2009 - 09:45 AM

Hi acatlin,

You said this is a work computer. Do you have an IT department? If so, this is a job for them.

In most work environments, the IT staff implement specific policies and procedures for the use of computer equipment and related resources.

In fact, most companies will require you to read those policies and sign a statement of understanding.

Further, they usually have procedures in place to deal with infections on the network and do not approve of employees seeking help at an online forum or outside the business office. If their typical solution is to re-image, then have your supervisor speak to them about taking another approach.

Further, the malware you are dealing with may have already infected the network. The IT Department needs to be advised right away so they can take the appropriate measures.

Let me know.

#7 acatlin (Topic Starter)

Posted 06 July 2009 - 10:28 AM

I am a competent computer trouble-shooter but not formally trained in IT. We have one IT person and he recommended Bleepingcomputer as he was stumped on this problem as well.

My remaining options are:
1. Obtain a possible fix from a generous Bleepingcomputer volunteer.
2. Search bleepingcomputer.com for any and all fixes/tools that may have been used on other peoples infections. Not recommended, but an option nonetheless.
3. Reformat computer and reload. Pros and cons to this. It's nice to have a clean computer every so often, but the process is time consuming.

I realize this is a volunteer site and I actually can't believe it's a free offering for the value it provides. I will respect whatever recommendation you have for this issue including closing this topic if it is deemed an abuse of service.

Thanks for your time.

#8 SifuMike (malware expert)

Posted 06 July 2009 - 01:47 PM

Hi acatlin,

We have one IT person and he recommended Bleepingcomputer as he was stumped on this problem as well.


Since your IT dept has approved you contacting Bleeping Computer we shall continue.
It surprises me he did not want to reformat and reload, which is the normal and safest road for a business computer.

Since this computer is heavily infected, we will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Sunbelt VIPRE Antivirus and Spybot Teatimer before running ComboFix, as they will prevent it from running.

To disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts


Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

#9 acatlin (Topic Starter)

Posted 06 July 2009 - 04:05 PM

Thanks for your help. We are not a big shop and don't have images for every computer. My system is highly specialized and customized so reimaging would be a lot of work. Not out of the question but a fix would be great. Things seem to be better after the combofix run (which I did in safe mode due to not being able to get Vipre to end even after killing both processes).

Here is the contents of the combofix log:
ComboFix 09-07-05.04 - acatlin 07/06/2009 16:26.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3323.2982 [GMT -4:00]
Running from: c:\documents and settings\acatlin\Desktop\combofix.exe
AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\13462964
c:\documents and settings\All Users\Application Data\13462964\13462964
c:\documents and settings\All Users\Application Data\13462964\13462964.exe
c:\recycler\S-1-5-21-4218423214-999704715-2563452465-500
c:\windows\2417.EXE
c:\windows\Downloaded Program Files\x64
c:\windows\Downloaded Program Files\x64\racodec.ax
c:\windows\Downloaded Program Files\x86
c:\windows\Downloaded Program Files\x86\racodec.ax
c:\windows\Installer\10d22a2.msi
c:\windows\Installer\dd9ddf6.msi
c:\windows\Installer\e1971c2.msi
c:\windows\system32\_005022_.tmp.dll
c:\windows\system32\_005023_.tmp.dll
c:\windows\system32\_005024_.tmp.dll
c:\windows\system32\_005025_.tmp.dll
c:\windows\system32\_005032_.tmp.dll
c:\windows\system32\_005033_.tmp.dll
c:\windows\system32\_005034_.tmp.dll
c:\windows\system32\_005035_.tmp.dll
c:\windows\system32\_005037_.tmp.dll
c:\windows\system32\_005038_.tmp.dll
c:\windows\system32\_005041_.tmp.dll
c:\windows\system32\_005042_.tmp.dll
c:\windows\system32\_005044_.tmp.dll
c:\windows\system32\_005045_.tmp.dll
c:\windows\system32\_005046_.tmp.dll
c:\windows\system32\_005048_.tmp.dll
c:\windows\system32\_005049_.tmp.dll
c:\windows\system32\_005051_.tmp.dll
c:\windows\system32\_005052_.tmp.dll
c:\windows\system32\_005054_.tmp.dll
c:\windows\system32\_005056_.tmp.dll
c:\windows\system32\_005057_.tmp.dll
c:\windows\system32\_005059_.tmp.dll
c:\windows\system32\_005060_.tmp.dll
c:\windows\system32\_005062_.tmp.dll
c:\windows\system32\_005064_.tmp.dll
c:\windows\system32\_005065_.tmp.dll
c:\windows\system32\_005066_.tmp.dll
c:\windows\system32\_005067_.tmp.dll
c:\windows\system32\_005068_.tmp.dll
c:\windows\system32\_005071_.tmp.dll
c:\windows\system32\_005072_.tmp.dll
c:\windows\system32\_005073_.tmp.dll
c:\windows\system32\_005074_.tmp.dll
c:\windows\system32\_005075_.tmp.dll
c:\windows\system32\_005080_.tmp.dll
c:\windows\system32\_005082_.tmp.dll
c:\windows\system32\Cache
c:\windows\system32\drivers\hjgruihudnsbth.sys
c:\windows\system32\hjgruibfsixynd.dat
c:\windows\system32\hjgruidieafbsy.dll
c:\windows\system32\hjgruiiwhdeetv.dat
c:\windows\system32\hjgruisqptjegg.dll
c:\windows\system32\wbem\proquota.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruiaaeyrjxo
-------\Legacy_DRV
-------\Service_drv


((((((((((((((((((((((((( Files Created from 2009-06-06 to 2009-07-06 )))))))))))))))))))))))))))))))
.

2009-07-06 17:12 . 2009-07-06 17:12 -------- d-----w- c:\windows\LastGood
2009-07-06 11:51 . 2009-07-06 11:51 -------- d-----w- c:\program files\Java
2009-07-06 11:51 . 2009-07-06 11:51 152576 ----a-w- c:\documents and settings\acatlin\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-01 17:55 . 2009-07-01 17:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-01 16:22 . 2009-07-01 17:49 -------- d-----w- c:\windows\system32\NtmsData
2009-07-01 14:57 . 2009-07-01 14:57 -------- d-----w- c:\program files\drv
2009-06-18 17:37 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-18 17:37 . 2009-06-18 17:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-18 17:37 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-17 15:19 . 2009-06-17 15:19 6144 ----a-r- c:\documents and settings\acatlin\Application Data\Microsoft\Installer\{B4B07251-0CBD-4D19-B183-F2C0D0766FA3}\IconB4B07251.exe
2009-06-17 15:19 . 2009-06-17 15:19 5120 ----a-r- c:\documents and settings\acatlin\Application Data\Microsoft\Installer\{B4B07251-0CBD-4D19-B183-F2C0D0766FA3}\IconB4B072513.exe
2009-06-17 15:19 . 2009-06-17 15:24 -------- d-----w- c:\program files\RoboGen
2009-06-15 14:27 . 2009-04-10 02:32 69936 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2009-06-15 14:27 . 2009-04-10 02:32 13360 ----a-w- c:\windows\system32\drivers\sbaphd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-06 20:11 . 2009-03-11 19:50 -------- d-----w- c:\program files\SAAZOD
2009-07-06 17:36 . 2008-08-07 18:26 -------- d-----w- c:\documents and settings\acatlin\Application Data\LogMeIn Rescue
2009-07-06 14:59 . 2009-04-20 16:36 -------- d-----w- c:\program files\Taskbar Shuffle
2009-07-06 11:51 . 2009-02-18 15:26 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-06 11:45 . 2009-03-11 20:11 -------- d-----w- c:\program files\LogMeIn
2009-07-02 17:16 . 2008-08-12 14:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-01 16:48 . 2008-06-30 16:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-01 16:34 . 2008-06-30 16:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-01 14:52 . 2007-09-24 14:13 -------- d-----w- c:\program files\FlashGet
2009-06-30 14:43 . 2007-09-21 13:58 -------- d-----w- c:\documents and settings\acatlin\Application Data\uTorrent
2009-06-07 04:53 . 2008-04-09 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-07 03:42 . 2007-09-14 20:19 103728 ----a-w- c:\documents and settings\acatlin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-07 03:25 . 2008-04-09 15:28 -------- d-----w- c:\program files\Microsoft Works
2009-06-05 17:53 . 2007-09-14 17:18 -------- d-----w- c:\program files\CA
2009-06-05 17:52 . 2009-06-05 17:52 -------- d-----w- c:\documents and settings\acatlin\Application Data\Sunbelt
2009-06-05 17:52 . 2009-06-05 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2009-06-05 17:52 . 2009-06-05 17:52 -------- d-----w- c:\program files\Sunbelt Software
2009-06-05 14:11 . 2009-06-05 14:11 278528 ----a-w- c:\documents and settings\acatlin\Application Data\Microsoft\SharePoint Designer\ProxyAssemblyCache\12.0.0.6219\Microsoft.Office.Server.Proxy.dll
2009-05-22 17:41 . 2007-09-18 14:13 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-14 14:57 . 2009-05-14 14:57 -------- d-----w- c:\documents and settings\Administrator.SKYTRON1\Application Data\VMware
2009-05-14 14:52 . 2009-05-14 14:52 103728 ----a-w- c:\documents and settings\Administrator.SKYTRON1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-14 14:52 . 2009-05-14 14:52 -------- d-----w- c:\documents and settings\Administrator.SKYTRON1\Application Data\Launchy
2009-05-14 14:52 . 2009-05-14 14:52 -------- d-----w- c:\documents and settings\Administrator.SKYTRON1\Application Data\Nortel
2009-04-22 10:01 . 2009-04-22 10:01 65320 ----a-w- c:\windows\system32\sbbd.exe
1764-11-19 07:53 . 1764-11-19 07:53 4252 --sh--w- c:\windows\win320.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"X1FileMonitor.exe"="c:\progra~1\X1\X1FileMonitor.exe" [2007-05-14 428544]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"AeroSnap"="c:\program files\AeroSnap\AeroSnap.exe" [2008-12-06 886784]
"Taskbar Shuffle"="c:\program files\Taskbar Shuffle\taskbarshuffle.exe" [2008-04-17 818176]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"My Folders"="c:\program files\My Folders\MyFolders.exe" [2004-03-28 454656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"DiskeeperSystray"="c:\program files\Executive Software\Diskeeper\DkIcon.exe" [2005-03-07 184408]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"pdfFactory Pro Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2006-09-14 503808]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe" [2007-01-31 1129232]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageWorkstation\TimounterMonitor.exe" [2007-01-31 1862112]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-01-31 140832]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-07-30 98304]
"LifeChat"="c:\program files\Microsoft LifeChat\LifeChat.exe" [2008-08-21 267296]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"SBAMTray"="c:\program files\Sunbelt Software\SBEAgent\SBAMTray.exe" [2009-04-22 664872]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-06 148888]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\STTRAY.EXE [2006-11-06 303104]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

c:\documents and settings\acatlin\Start Menu\Programs\Startup\
X1 System Tray.lnk - c:\program files\X1\X1Systray.exe [2007-5-14 345088]
X1.lnk - c:\program files\X1\X1.exe [2007-5-14 4965888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-9-17 82026]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-9-17 110592]
CallPilot MWI Icon.lnk - c:\program files\Nortel\CallPilot\cpnotifier.exe [2007-5-9 978944]
CD-Indexer.lnk - c:\program files\CD-Indexer v1.1\CD-Indexer Monitor.exe [2001-7-8 40448]
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2008-6-2 274432]
SnagIt 8.lnk - c:\program files\TechSmith\SnagIt 8\SnagIt32.exe [2007-5-1 6395464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-03-11 20:13 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-796845957-1637723038-682003330-1930\Scripts\Logoff\0\0]
"Script"=logoff.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [6/5/2009 1:52 PM 202928]
R2 SBAMSvc;VIPRE Enterprise Agent;c:\program files\Sunbelt Software\SBEAgent\SBAMSvc.exe [4/22/2009 6:01 AM 894248]
S1 drvdrv;drvdrv;c:\program files\drv\drv.sys [7/1/2009 10:57 AM 9344]
S1 NmPar;MosChip PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [9/27/2007 1:02 PM 76416]
S1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [6/15/2009 10:27 AM 13360]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/3/2007 3:09 PM 12856]
S2 SAAZDPMACTL;SAAZDPMACTL;c:\progra~1\SAAZOD\SAAZDPMACTL.EXE [3/12/2009 2:36 AM 81920]
S2 SAAZRemoteSupport;SAAZRemoteSupport;c:\progra~1\SAAZOD\SAAZRemoteSupport.exe [3/12/2009 2:36 AM 73728]
S2 SAAZScheduler;SAAZScheduler;c:\progra~1\SAAZOD\SAAZScheduler.exe [3/12/2009 2:36 AM 77824]
S2 SAAZServerPlus;SAAZServerPlus;c:\progra~1\SAAZOD\SAAZServerPlus.exe [11/21/2006 2:18 PM 77824]
S2 SAAZWatchDog;SAAZWatchDog;c:\progra~1\SAAZOD\\SAAZWatchDog --> c:\progra~1\SAAZOD\\SAAZWatchDog [?]
S2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [6/15/2009 10:27 AM 69936]
S2 WTAMSVC_Analysis Series 7.0;WebTrends Alerting and Monitoring for Analysis Series 7.0;c:\program files\WebTrends Analysis Series\WTAM_Service.exe [12/14/2001 1:51 PM 241664]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/22/2008 5:08 PM 92464]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
drv REG_MULTI_SZ drv
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-13462964 - c:\documents and settings\All Users\Application Data\13462964\13462964.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/ig
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Open Selected URL - c:\windows\openselectedurl.htm
IE: {{FAB24596-1193-44D4-818D-C81A65DAB0B8}\Lang040c
IE: {{FAB24596-1193-44D4-818D-C81A65DAB0B8} - {E0129168-78FA-49E8-BEC5-258FC94A767A} - c:\program files\Colligo Reader 3.2\CGOIEExtension.dll
Trusted Zone: attainia.com
Trusted Zone: attainia.com\flex
Trusted Zone: attainia.com\reports
Trusted Zone: attainia.com\www
Trusted Zone: itsupport247.net
Trusted Zone: skycrm
Trusted Zone: skytron.us\skytron
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
DPF: {3591A50E-18FD-42BC-8D10-6C93BDAF2DA0} - hxxps://itsupport247.net/components/SG20o.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
DPF: {E3089160-E8AD-4C5B-B47C-ADDF3DF660DD} - hxxp://skytest2/pwa/_layouts/pwa/objects/pjclient.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-06 16:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAAZWatchDog]
"ImagePath"="c:\progra~1\SAAZOD\\SAAZWatchDog"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-796845957-1637723038-682003330-1115\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C843485F-0324-8E97-1D5F-B65C10D96FE6}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'lsass.exe'(740)
c:\windows\system32\relog_ap.dll
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(1392)
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2009-07-06 16:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-06 20:44

Pre-Run: 279,624,859,648 bytes free
Post-Run: 280,053,694,464 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /safeboot:network

271 --- E O F --- 2007-09-16 07:00

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:58 PM

Posted 06 July 2009 - 08:22 PM

Hi acatlin,

You're very welcome. :thumbup2:

Please show hidden files and folders
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste each of the following file paths into the "Suspicious files to scan" box at the top of the page:
    • c:\program files\drv\drv.sys
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
  • If Copy to Clipboard does not work, then just copy and paste the output in your next reply.
If the VirSCAN.org server is too busy, please submit the file to VirusTotal instead.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 acatlin

acatlin
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:58 PM

Posted 07 July 2009 - 07:01 AM

Here is the result from virscan:

VirSCAN.org Scanned Report :
Scanned time : 2009/07/07 07:52:34 (EDT)
Scanner results: 47% Scanner(18/38) found malware!
File Name : drv.sys
File Size : 9344 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : ef68e3c5136fe4432eb9ea88f7e7764e
SHA1 : 52c9b8405ba34081e64482cdc843bc4c86201e03
Online report : http://virscan.org/report/42b14d4769bfb92a...9d510a7e84.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.1 20090707013107 2009-07-07 0.62 -
AhnLab V3 2009.07.07.02 2009.07.07 2009-07-07 1.74 -
AntiVir 8.2.0.204 7.1.4.192 2009-07-07 0.09 TR/Agent.clsj.B
Antiy 2.0.18 20090705.2596636 2009-07-05 0.13 -
Arcavir 2009 200907062115 2009-07-06 0.22 -
Authentium 5.1.1 200907070054 2009-07-07 2.08 -
AVAST! 4.7.4 090706-0 2009-07-06 0.00 Win32:Rootkit-gen [Rtk]
AVG 8.5.286 270.13.7/2222 2009-07-07 8.07 Rootkit-Agent.EA
BitDefender 7.81008.3654575 7.26421 2009-07-07 4.65 -
CA (VET) 9.0.0.143 31.6.6598 2009-07-07 12.95 -
ClamAV 0.95.2 9539 2009-07-07 0.01 -
Comodo 3.9 1538 2009-07-02 0.92 -
CP Secure 1.1.0.715 2009.07.07 2009-07-07 10.99 -
Dr.Web 4.44.0.9170 2009.07.07 2009-07-07 5.66 Trojan.NtRootKit.3021
F-Prot 4.4.4.56 20090706 2009-07-06 1.69 -
F-Secure 5.51.6100 2009.07.07.05 2009-07-07 0.10 -
Fortinet 2.81-3.120 10.578 2009-07-07 0.27 -
GData 19.6321/19.388 20090707 2009-07-07 5.34 Rootkit.Win32.Small.adn [Engine:A]
ViRobot 20090706 2009.07.06 2009-07-06 1.15 -
Ikarus T3.1.01.64 2009.07.07.72992 2009-07-07 2.99 Virtool.Winnt
JiangMin 11.0.800 2009.07.07 2009-07-07 9.13 Trojan/Agent.cqyz
Kaspersky 5.5.10 2009.07.07 2009-07-07 0.05 Rootkit.Win32.Small.adn
KingSoft 2009.2.5.15 2009.7.7.14 2009-07-07 0.47 Win32.Hack.Rootkit.9344
McAfee 5.3.00 5668 2009-07-06 3.00 Generic Rootkit.d
Microsoft 1.4803 2009.07.07 2009-07-07 5.65 VirTool:WinNT/Koobface.gen!B
mks_vir 2.01 2009.07.06 2009-07-06 3.36 -
Norman 6.01.09 6.01.00 2009-07-06 4.01 -
Panda 9.05.01 2009.07.06 2009-07-06 8.93 W32/Koobface.DO.worm
Trend Micro 8.700-1004 6.254.01 2009-07-06 0.02 RTKT_KOOBFACE.MJ
Quick Heal 10.00 2009.07.07 2009-07-07 3.39 Rootkit.Agent.lvq
Rising 20.0 21.37.13.00 2009-07-07 2.07 RootKit.Win32.Agent.fig
Sophos 2.88.0 4.43 2009-07-07 2.70 Mal/Generic-A
Sunbelt 5231 5231 2009-07-06 1.01 Bulk Trojan
Symantec 1.3.0.24 20090706.016 2009-07-06 0.24 -
nProtect 20090707.02 4658524 2009-07-07 6.06 Trojan/W32.Rootkit.9344.D
The Hacker 6.3.4.3 v00364 2009-07-06 0.76 -
VBA32 3.12.10.7 20090706.1452 2009-07-06 2.50 -
VirusBuster 4.5.11.10 10.107.38/1763041 2009-07-06 2.15 -
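The engine table above can be triaged programmatically rather than read row by row. What follows is an added example, not part of the thread and not VirSCAN.org's own tooling: it parses the report rows exactly as posted, recomputes the 18/38 detection ratio, and tallies which family keywords the detecting engines agree on. The row regular expression and the keyword list are my own assumptions about the report layout; the sample input is the table from this post.

```python
"""Parse a VirSCAN.org multi-engine report and summarise the verdicts."""
import re
from collections import Counter

# Report table as posted in this thread (acatlin, post #11).
VIRSCAN_REPORT = """\
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.1 20090707013107 2009-07-07 0.62 -
AhnLab V3 2009.07.07.02 2009.07.07 2009-07-07 1.74 -
AntiVir 8.2.0.204 7.1.4.192 2009-07-07 0.09 TR/Agent.clsj.B
Antiy 2.0.18 20090705.2596636 2009-07-05 0.13 -
Arcavir 2009 200907062115 2009-07-06 0.22 -
Authentium 5.1.1 200907070054 2009-07-07 2.08 -
AVAST! 4.7.4 090706-0 2009-07-06 0.00 Win32:Rootkit-gen [Rtk]
AVG 8.5.286 270.13.7/2222 2009-07-07 8.07 Rootkit-Agent.EA
BitDefender 7.81008.3654575 7.26421 2009-07-07 4.65 -
CA (VET) 9.0.0.143 31.6.6598 2009-07-07 12.95 -
ClamAV 0.95.2 9539 2009-07-07 0.01 -
Comodo 3.9 1538 2009-07-02 0.92 -
CP Secure 1.1.0.715 2009.07.07 2009-07-07 10.99 -
Dr.Web 4.44.0.9170 2009.07.07 2009-07-07 5.66 Trojan.NtRootKit.3021
F-Prot 4.4.4.56 20090706 2009-07-06 1.69 -
F-Secure 5.51.6100 2009.07.07.05 2009-07-07 0.10 -
Fortinet 2.81-3.120 10.578 2009-07-07 0.27 -
GData 19.6321/19.388 20090707 2009-07-07 5.34 Rootkit.Win32.Small.adn [Engine:A]
ViRobot 20090706 2009.07.06 2009-07-06 1.15 -
Ikarus T3.1.01.64 2009.07.07.72992 2009-07-07 2.99 Virtool.Winnt
JiangMin 11.0.800 2009.07.07 2009-07-07 9.13 Trojan/Agent.cqyz
Kaspersky 5.5.10 2009.07.07 2009-07-07 0.05 Rootkit.Win32.Small.adn
KingSoft 2009.2.5.15 2009.7.7.14 2009-07-07 0.47 Win32.Hack.Rootkit.9344
McAfee 5.3.00 5668 2009-07-06 3.00 Generic Rootkit.d
Microsoft 1.4803 2009.07.07 2009-07-07 5.65 VirTool:WinNT/Koobface.gen!B
mks_vir 2.01 2009.07.06 2009-07-06 3.36 -
Norman 6.01.09 6.01.00 2009-07-06 4.01 -
Panda 9.05.01 2009.07.06 2009-07-06 8.93 W32/Koobface.DO.worm
Trend Micro 8.700-1004 6.254.01 2009-07-06 0.02 RTKT_KOOBFACE.MJ
Quick Heal 10.00 2009.07.07 2009-07-07 3.39 Rootkit.Agent.lvq
Rising 20.0 21.37.13.00 2009-07-07 2.07 RootKit.Win32.Agent.fig
Sophos 2.88.0 4.43 2009-07-07 2.70 Mal/Generic-A
Sunbelt 5231 5231 2009-07-06 1.01 Bulk Trojan
Symantec 1.3.0.24 20090706.016 2009-07-06 0.24 -
nProtect 20090707.02 4658524 2009-07-07 6.06 Trojan/W32.Rootkit.9344.D
The Hacker 6.3.4.3 v00364 2009-07-06 0.76 -
VBA32 3.12.10.7 20090706.1452 2009-07-06 2.50 -
VirusBuster 4.5.11.10 10.107.38/1763041 2009-07-06 2.15 -
"""

# Assumed row layout: scanner name (may contain spaces), engine version,
# signature version, ISO date, scan time in seconds, then the verdict
# (may contain spaces; "-" means the engine found nothing). Anchoring on
# the date token is what lets multi-word scanner names parse correctly.
ROW_RE = re.compile(
    r"^(?P<scanner>.+?)\s+(?P<engine>\S+)\s+(?P<sigver>\S+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<secs>\d+\.\d+)\s+(?P<result>.+)$"
)


def parse_report(text):
    """Return a list of (scanner, verdict) tuples; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m.group("scanner"), m.group("result").strip()))
    return rows


def summarize(rows):
    """Detection count, percentage and the per-engine verdicts that fired."""
    verdicts = {scanner: result for scanner, result in rows if result != "-"}
    total = len(rows)
    return {
        "engines": total,
        "detected": len(verdicts),
        "percent": round(100 * len(verdicts) / total) if total else 0,
        "verdicts": verdicts,
    }


def family_hints(verdicts, keywords=("rootkit", "koobface", "agent", "generic")):
    """Count how many firing engines mention each family keyword (case-insensitive)."""
    counts = Counter()
    for verdict in verdicts.values():
        low = verdict.lower()
        for kw in keywords:
            if kw in low:
                counts[kw] += 1
    return dict(counts)


if __name__ == "__main__":
    summary = summarize(parse_report(VIRSCAN_REPORT))
    print(f"{summary['detected']}/{summary['engines']} engines ({summary['percent']}%)")
    print("family hints:", family_hints(summary["verdicts"]))
```

Agreement across independent engines on "rootkit" (and several on Koobface) is what makes the verdict on drv.sys credible even though half the engines missed it; a single generic hit from one engine would deserve far less weight.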

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:58 PM

Posted 07 July 2009 - 09:46 AM

Hi acatlin,

You need to disable your Sunbelt VIPRE Antivirus and Spybot Teatimer before running ComboFix, as they will prevent it from running.

To disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

Rootkit:: 
c:\program files\drv\drv.sys
Driver::
drvdrv


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging CFScript.txt onto ComboFix.exe]


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 acatlin

acatlin
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:58 PM

Posted 07 July 2009 - 10:29 AM

Thank you for the custom script.

Here are the contents of the latest ComboFix log:

ComboFix 09-07-06.07 - acatlin 07/07/2009 10:58.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3323.2980 [GMT -4:00]
Running from: c:\documents and settings\acatlin\Desktop\combofix.exe
Command switches used :: c:\documents and settings\acatlin\Desktop\CFScript.txt
AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DRVDRV
-------\Service_drvdrv


((((((((((((((((((((((((( Files Created from 2009-06-07 to 2009-07-07 )))))))))))))))))))))))))))))))
.

2009-07-06 20:34 . 2008-04-14 09:42 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-06 11:51 . 2009-07-06 11:51 -------- d-----w- c:\program files\Java
2009-07-01 16:22 . 2009-07-01 17:49 -------- d-----w- c:\windows\system32\NtmsData
2009-07-01 14:57 . 2009-07-07 15:06 -------- d-----w- c:\program files\drv
2009-06-18 17:37 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-18 17:37 . 2009-06-18 17:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-18 17:37 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-17 15:19 . 2009-06-17 15:24 -------- d-----w- c:\program files\RoboGen
2009-06-15 14:27 . 2009-04-10 02:32 69936 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2009-06-15 14:27 . 2009-04-10 02:32 13360 ----a-w- c:\windows\system32\drivers\sbaphd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-07 14:50 . 2008-08-12 14:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-07 12:08 . 2009-03-11 19:50 -------- d-----w- c:\program files\SAAZOD
2009-07-07 12:03 . 2009-04-20 16:36 -------- d-----w- c:\program files\Taskbar Shuffle
2009-07-07 11:36 . 2009-03-11 20:11 -------- d-----w- c:\program files\LogMeIn
2009-07-06 11:51 . 2009-02-18 15:26 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-01 16:48 . 2008-06-30 16:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-01 16:34 . 2008-06-30 16:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-01 14:52 . 2007-09-24 14:13 -------- d-----w- c:\program files\FlashGet
2009-06-07 04:53 . 2008-04-09 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-07 03:25 . 2008-04-09 15:28 -------- d-----w- c:\program files\Microsoft Works
2009-06-05 17:53 . 2007-09-14 17:18 -------- d-----w- c:\program files\CA
2009-06-05 17:52 . 2009-06-05 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2009-06-05 17:52 . 2009-06-05 17:52 -------- d-----w- c:\program files\Sunbelt Software
2009-05-22 17:41 . 2007-09-18 14:13 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-04-22 10:01 . 2009-04-22 10:01 65320 ----a-w- c:\windows\system32\sbbd.exe
1764-11-19 07:53 . 1764-11-19 07:53 4252 --sh--w- c:\windows\win320.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-07-06_20.37.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-09-24 14:18 . 2009-07-07 14:52 221284 c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"X1FileMonitor.exe"="c:\progra~1\X1\X1FileMonitor.exe" [2007-05-14 428544]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"AeroSnap"="c:\program files\AeroSnap\AeroSnap.exe" [2008-12-06 886784]
"Taskbar Shuffle"="c:\program files\Taskbar Shuffle\taskbarshuffle.exe" [2008-04-17 818176]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"My Folders"="c:\program files\My Folders\MyFolders.exe" [2004-03-28 454656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"DiskeeperSystray"="c:\program files\Executive Software\Diskeeper\DkIcon.exe" [2005-03-07 184408]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"pdfFactory Pro Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2006-09-14 503808]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe" [2007-01-31 1129232]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageWorkstation\TimounterMonitor.exe" [2007-01-31 1862112]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-01-31 140832]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-07-30 98304]
"LifeChat"="c:\program files\Microsoft LifeChat\LifeChat.exe" [2008-08-21 267296]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"SBAMTray"="c:\program files\Sunbelt Software\SBEAgent\SBAMTray.exe" [2009-04-22 664872]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-06 148888]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\STTRAY.EXE [2006-11-06 303104]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-9-17 82026]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-9-17 110592]
CallPilot MWI Icon.lnk - c:\program files\Nortel\CallPilot\cpnotifier.exe [2007-5-9 978944]
CD-Indexer.lnk - c:\program files\CD-Indexer v1.1\CD-Indexer Monitor.exe [2001-7-8 40448]
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2008-6-2 274432]
SnagIt 8.lnk - c:\program files\TechSmith\SnagIt 8\SnagIt32.exe [2007-5-1 6395464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-03-11 20:13 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-796845957-1637723038-682003330-1930\Scripts\Logoff\0\0]
"Script"=logoff.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [6/5/2009 1:52 PM 202928]
R2 SBAMSvc;VIPRE Enterprise Agent;c:\program files\Sunbelt Software\SBEAgent\SBAMSvc.exe [4/22/2009 6:01 AM 894248]
S1 NmPar;MosChip PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [9/27/2007 1:02 PM 76416]
S1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [6/15/2009 10:27 AM 13360]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/3/2007 3:09 PM 12856]
S2 SAAZDPMACTL;SAAZDPMACTL;c:\progra~1\SAAZOD\SAAZDPMACTL.EXE [3/12/2009 2:36 AM 81920]
S2 SAAZRemoteSupport;SAAZRemoteSupport;c:\progra~1\SAAZOD\SAAZRemoteSupport.exe [3/12/2009 2:36 AM 73728]
S2 SAAZScheduler;SAAZScheduler;c:\progra~1\SAAZOD\SAAZScheduler.exe [3/12/2009 2:36 AM 77824]
S2 SAAZServerPlus;SAAZServerPlus;c:\progra~1\SAAZOD\SAAZServerPlus.exe [11/21/2006 2:18 PM 77824]
S2 SAAZWatchDog;SAAZWatchDog;c:\progra~1\SAAZOD\\SAAZWatchDog --> c:\progra~1\SAAZOD\\SAAZWatchDog [?]
S2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [6/15/2009 10:27 AM 69936]
S2 WTAMSVC_Analysis Series 7.0;WebTrends Alerting and Monitoring for Analysis Series 7.0;c:\program files\WebTrends Analysis Series\WTAM_Service.exe [12/14/2001 1:51 PM 241664]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/22/2008 5:08 PM 92464]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
drv REG_MULTI_SZ drv
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/ig
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Open Selected URL - c:\windows\openselectedurl.htm
IE: {{FAB24596-1193-44D4-818D-C81A65DAB0B8}\Lang040c
IE: {{FAB24596-1193-44D4-818D-C81A65DAB0B8} - {E0129168-78FA-49E8-BEC5-258FC94A767A} - c:\program files\Colligo Reader 3.2\CGOIEExtension.dll
Trusted Zone: attainia.com
Trusted Zone: attainia.com\flex
Trusted Zone: attainia.com\reports
Trusted Zone: attainia.com\www
Trusted Zone: itsupport247.net
Trusted Zone: skycrm
Trusted Zone: skytron.us\skytron
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
DPF: {3591A50E-18FD-42BC-8D10-6C93BDAF2DA0} - hxxps://itsupport247.net/components/SG20o.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
DPF: {E3089160-E8AD-4C5B-B47C-ADDF3DF660DD} - hxxp://skytest2/pwa/_layouts/pwa/objects/pjclient.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-07 11:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAAZWatchDog]
"ImagePath"="c:\progra~1\SAAZOD\\SAAZWatchDog"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-796845957-1637723038-682003330-1115\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C843485F-0324-8E97-1D5F-B65C10D96FE6}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'lsass.exe'(736)
c:\windows\system32\relog_ap.dll
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(796)
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2009-07-07 11:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-07 15:15
ComboFix2.txt 2009-07-06 20:44

Pre-Run: 279,747,633,152 bytes free
Post-Run: 279,934,533,632 bytes free

191 --- E O F --- 2007-09-16 07:00

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:58 PM

Posted 07 July 2009 - 02:20 PM

  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste each of the following file paths into the "Suspicious files to scan" box at the top of the page:
    c:\windows\win320.sys
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
  • If Copy to Clipboard does not work, then just copy and paste the output in your next reply.
If the VirSCAN.org server is too busy, please submit the file to VirusTotal instead.

Edited by SifuMike, 07 July 2009 - 02:23 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 acatlin

acatlin
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:58 PM

Posted 07 July 2009 - 02:24 PM

Here is the latest virscan log:
VirSCAN.org Scanned Report :
Scanned time : 2009/07/07 15:19:11 (EDT)
Scanner results: All Scanners reported not find malware!
File Name : win320.sys
File Size : 4252 byte
File Type : Non-ISO extended-ASCII text, with very long lines, with CRLF
MD5 : c2861f9da660dd4b41e7e04b8e23b30e
SHA1 : 4f8f4a6902616f23ce97722744e3dd206b52f9ac
Online report : http://virscan.org/report/2c3a987f009327f3...bc888bb300.html

Scanner      Engine Ver       Sig Ver            Sig Date    Time   Scan result
a-squared   4.5.0.1         20090707230323    2009-07-07 0.42  -
AhnLab V3   2009.07.08.01   2009.07.08        2009-07-08 1.34  -
AntiVir     8.2.0.204       7.1.4.197         2009-07-07 0.25  -
Antiy       2.0.18          20090705.2596636  2009-07-05 0.12  -
Arcavir     2009            200907071345      2009-07-07 0.02  -
Authentium  5.1.1           200907070054      2009-07-07 1.13  -
AVAST!      4.7.4           090706-0          2009-07-06 0.00  -
AVG         8.5.286         270.13.7/2222     2009-07-07 3.37  -
BitDefender 7.81008.3654845 7.26428           2009-07-08 3.17  -
CA (VET)    9.0.0.143       31.6.6598         2009-07-07 5.12  -
ClamAV      0.95.2          9540              2009-07-07 0.00  -
Comodo      3.9             1538              2009-07-02 1.53  -
CP Secure   1.1.0.715       2009.07.08        2009-07-08 10.89 -
Dr.Web      4.44.0.9170     2009.07.07        2009-07-07 4.84  -
F-Prot      4.4.4.56        20090707          2009-07-07 1.11  -
F-Secure    5.51.6100       2009.07.07.13     2009-07-07 0.06  -
Fortinet    2.81-3.120      10.580            2009-07-07 0.41  -
GData       19.6331/19.388  20090707          2009-07-07 5.85  -
ViRobot     20090707        2009.07.07        2009-07-07 0.43  -
Ikarus      T3.1.01.64      2009.07.07.72994  2009-07-07 2.98  -
JiangMin    11.0.800        2009.07.07        2009-07-07 3.39  -
Kaspersky   5.5.10          2009.07.07        2009-07-07 0.03  -
KingSoft    2009.2.5.15     2009.7.7.18       2009-07-07 0.44  -
McAfee      5.3.00          5669              2009-07-07 2.92  -
Microsoft   1.4803          2009.07.07        2009-07-07 4.97  -
mks_vir     2.01            2009.07.06        2009-07-06 3.17  -
Norman      6.01.09         6.01.00           2009-07-06 4.00  -
Panda       9.05.01         2009.07.07        2009-07-07 1.49  -
Trend Micro 8.700-1004      6.256.02          2009-07-07 0.02  -
Quick Heal  10.00           2009.07.07        2009-07-07 1.86  -
Rising      20.0            21.37.14.00       2009-07-07 0.32  -
Sophos      2.88.0          4.43              2009-07-08 2.69  -
Sunbelt     5231            5231              2009-07-06 0.81  -
Symantec    1.3.0.24        20090707.003      2009-07-07 0.26  -
nProtect    20090707.02     4658524           2009-07-07 5.96  -
The Hacker  6.3.4.3         v00364            2009-07-06 0.60  -
VBA32       3.12.10.7       20090706.1452     2009-07-06 2.04  -
VirusBuster 4.5.11.10       10.107.38/1763041 2009-07-06 2.13  -
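The two posts above ask for a file to be uploaded to a multi-engine scanner and the resulting report pasted back. Before trusting such a report, a responder wants two checks that the report text itself allows: that the MD5/SHA1 in the report match the file actually sitting on the disk (otherwise the verdict describes some other file), and how many engines returned a verdict other than the clean marker "-". The script below is an added example written for this thread; it is not code from VirSCAN.org, BleepingComputer or either poster. The report it parses is constructed inline in the 2009 VirSCAN.org text layout shown in the post, with a placeholder report URL and a sample file whose hashes are computed at runtime, and it assumes that layout (one "Key : value" line per header field, then a "Scanner Engine Ver ..." table whose date column is YYYY-MM-DD). A zero-detection result is evidence, not proof: a 4 KB file that the scanner classifies as text but that carries a driver-style .sys name, as in the post, is still worth keeping for later review.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed stand-in for the uploaded file (NOT any file from the thread).
# Its hashes are computed below so the sample report is internally consistent.
SAMPLE_FILE = b"constructed sample bytes standing in for the uploaded file\r\n"

# One table row: scanner name may contain spaces ("CA (VET)", "Trend Micro"),
# so anchor on the YYYY-MM-DD signature-date column and the two fields before it.
ROW_RE = re.compile(
    r"^(?P<scanner>.+?)\s+(?P<engine>\S+)\s+(?P<sig>\S+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<secs>\S+)\s+(?P<result>.+)$"
)


@dataclass
class Report:
    file_name: str = ""
    md5: str = ""
    sha1: str = ""
    results: dict = field(default_factory=dict)  # scanner name -> verdict text


def build_sample_report() -> str:
    """Constructed report in the 2009 VirSCAN.org text layout (not a real scan)."""
    md5 = hashlib.md5(SAMPLE_FILE).hexdigest()
    sha1 = hashlib.sha1(SAMPLE_FILE).hexdigest()
    return "\n".join([
        "VirSCAN.org Scanned Report :",
        "Scanned time : 2009/07/07 15:19:11 (EDT)",
        "File Name : sample.sys",
        f"File Size : {len(SAMPLE_FILE)} byte",
        "File Type : ASCII text, with CRLF",
        f"MD5 : {md5}",
        f"SHA1 : {sha1}",
        "Online report : http://example.invalid/report/placeholder.html",  # placeholder
        "",
        "Scanner Engine Ver Sig Ver Sig Date Time Scan result",
        "a-squared 4.5.0.1 20090707230323 2009-07-07 0.42 -",
        "CA (VET) 9.0.0.143 31.6.6598 2009-07-07 5.12 -",
        "Trend Micro 8.700-1004 6.256.02 2009-07-07 0.02 Trojan.Constructed.Sample",
        "ClamAV 0.95.2 9540 2009-07-07 0.00 -",
    ])


def parse_report(text: str) -> Report:
    """Extract file name, hashes and the per-scanner verdict table."""
    rep = Report()
    in_table = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if in_table:
            m = ROW_RE.match(line)
            if m:
                rep.results[m["scanner"]] = m["result"].strip()
            continue
        if line.startswith("Scanner ") and "Scan result" in line:
            in_table = True          # everything after the header is the table
        elif ":" in line:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key == "File Name":
                rep.file_name = value
            elif key == "MD5":
                rep.md5 = value.lower()
            elif key == "SHA1":
                rep.sha1 = value.lower()
    return rep


def verify_hashes(rep: Report, data: bytes) -> bool:
    """True only if the local file's MD5 and SHA1 both match the report."""
    return (hashlib.md5(data).hexdigest() == rep.md5
            and hashlib.sha1(data).hexdigest() == rep.sha1)


def detections(rep: Report) -> dict:
    """Scanners that returned anything other than the clean marker '-'."""
    return {s: v for s, v in rep.results.items() if v != "-"}


def summarize(rep: Report, data: bytes) -> str:
    """Refuse to summarise a report whose hashes do not match the local file."""
    if not verify_hashes(rep, data):
        return "hash mismatch: report does not describe this file"
    hits = detections(rep)
    return f"{len(hits)}/{len(rep.results)} engines flagged {rep.file_name}"


if __name__ == "__main__":
    report = parse_report(build_sample_report())
    print(summarize(report, SAMPLE_FILE))   # 1/4 engines flagged sample.sys
    print(detections(report))
```

To use it on a real report, read the pasted text into `parse_report` and pass the bytes of the local copy of the file to `summarize`; a "hash mismatch" result means the wrong file was uploaded (or the file changed since), and the verdict count should be ignored until that is resolved.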



