Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rootkit/StolenData/and others


  • This topic is locked This topic is locked
17 replies to this topic

#1 rellsaii

rellsaii

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:36 AM

Posted 18 July 2009 - 12:00 AM

I've tried scanning with online scanners, malware, etc to get rid of these but they seem to keep popping up. I am getting BSOD on load occassionally but I'm not sure of the exact message because it restarts immediately. My google searches are being hijacked and redirected sometimes as well. Here are my latest logs.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Administrator at 23:48:57.01 on Fri 07/17/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1526 [GMT -5:00]

FW: Trend Micro OfficeScan Enterprise Client Firewall *disabled* {108AFF64-5F7D-432D-8A60-7D2FE2846F7A}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Lexmark 2500 Series\lxddmon.exe
C:\Program Files\Lexmark 2500 Series\lxddamon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\TEMP\GEA10.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
mSearch Bar = hxxp://www.google.com/
mSearchMigratedDefaultURL = hxxp://www.google.com/
mSearchURL = hxxp://www.google.com/
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
uRun: [SpeedswitchXP] c:\program files\speedswitchxp\SpeedswitchXP.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [lxddmon.exe] "c:\program files\lexmark 2500 series\lxddmon.exe"
mRun: [lxddamon] "c:\program files\lexmark 2500 series\lxddamon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\7y7kpu0z.default\
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin2.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin3.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin4.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin5.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin6.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-4 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 55024]
R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
R2 OfcPfwSvc;OfficeScanNT Personal Firewall;c:\program files\trend micro\officescan client\OfcPfwSvc.exe [2006-2-7 233552]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2005-11-9 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2005-11-9 36368]
RUnknown ebcaq;ebcaq; [x]
S0 yllsbskk;yllsbskk;c:\windows\system32\drivers\tduhio.sys --> c:\windows\system32\drivers\tduhIo.sys [?]
S2 ithswte;ithswte;c:\windows\system32\drivers\bhecofs.sys --> c:\windows\system32\drivers\bhecofs.sys [?]
S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2006-9-17 3712]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [2009-7-17 99248]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-3-12 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-3-12 3072]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\admini~1\locals~1\temp\dku2.tmp --> c:\docume~1\admini~1\locals~1\temp\DKU2.tmp [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [2008-12-16 36928]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S3 XDva020;XDva020;\??\c:\windows\system32\xdva020.sys --> c:\windows\system32\XDva020.sys [?]
SUnknown bhtatrqm;bhtatrqm; [x]

=============== Created Last 30 ================

2009-07-17 23:28 213,024 a------- c:\windows\system32\drivers\str.sys
2009-07-17 14:51 <DIR> --d----- c:\program files\JRE
2009-07-17 14:51 <DIR> --d----- c:\windows\SxsCaPendDel
2009-07-17 08:12 <DIR> --d----- c:\docume~1\admini~1\applic~1\Lexmark Productivity Studio
2009-07-17 08:09 <DIR> --d----- c:\program files\Lx_cats
2009-07-17 08:09 <DIR> -cd----- C:\logs
2009-07-17 08:08 40,960 a------- c:\windows\system32\lxddvs.dll
2009-07-17 08:08 344,064 a------- c:\windows\system32\lxddcoin.dll
2009-07-17 08:08 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-07-17 08:08 87,040 a------- c:\windows\system32\wiafbdrv.dll
2009-07-17 08:08 692,224 a------- c:\windows\system32\lxdddrs.dll
2009-07-17 08:08 69,632 a------- c:\windows\system32\lxddcnv4.dll
2009-07-17 08:08 65,536 a------- c:\windows\system32\lxddcaps.dll
2009-07-17 08:08 44 a------- c:\windows\system32\lxddrwrd.ini
2009-07-17 08:08 <DIR> --d----- c:\program files\Lexmark Toolbar
2009-07-17 08:08 <DIR> --d----- c:\program files\Lexmark 2500 Series
2009-07-05 16:34 <DIR> --d----- c:\program files\ESET
2009-07-04 19:29 74,752 a------- c:\windows\system32\drivers\tgiovtd.sys
2009-06-26 22:10 52 ac------ C:\z40a8lmmo.bat

==================== Find3M ====================

2009-07-17 14:49 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-13 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-25 15:30 409,600 a------- c:\windows\system32\wrap_oal.dll
2009-05-25 15:30 114,688 a------- c:\windows\system32\OpenAL32.dll
2009-04-07 14:46 22,328 a------- c:\docume~1\admini~1\applic~1\PnkBstrK.sys
2007-12-15 20:00 13,195 a------- c:\documents and settings\administrator\zguicfgw.dat

============= FINISH: 23:52:10.45 ===============


Malwarebytes' Anti-Malware 1.39
Database version: 2453
Windows 5.1.2600 Service Pack 2

7/17/2009 11:25:57 PM
mbam-log-2009-07-17 (23-25-57).txt

Scan type: Full Scan (C:\|)
Objects scanned: 273191
Time elapsed: 43 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
c:\windows\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
c:\windows\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Delete on reboot.


I see that malwares is noting something as stolen.data. Obviously I should be concerned but to what extent from this message?
Thank you for your time and consideration.

Attached Files



BC AdBot (Login to Remove)

 


#2 rellsaii

rellsaii
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:36 AM

Posted 18 July 2009 - 09:47 PM

BUMP, plz thx :thumbup2:

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 18 July 2009 - 11:57 PM.


#3 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:12:36 AM

Posted 27 July 2009 - 07:37 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.  

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine.  Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool.  No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet.  

Information on A/V control HERE

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#4 rellsaii

rellsaii
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:36 AM

Posted 27 July 2009 - 03:54 PM

Here's my updated DDS log. Let me know what else is needed.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Administrator at 15:50:12.09 on Mon 07/27/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1238 [GMT -5:00]

FW: Trend Micro OfficeScan Enterprise Client Firewall *disabled* {108AFF64-5F7D-432D-8A60-7D2FE2846F7A}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\TEMP\BBD2F7.EXE
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
mSearch Bar = hxxp://www.google.com/
mSearchMigratedDefaultURL = hxxp://www.google.com/
mSearchURL = hxxp://www.google.com/
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
uRun: [SpeedswitchXP] c:\program files\speedswitchxp\SpeedswitchXP.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [lxddmon.exe] "c:\program files\lexmark 2500 series\lxddmon.exe"
mRun: [lxddamon] "c:\program files\lexmark 2500 series\lxddamon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\7y7kpu0z.default\
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin2.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin3.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin4.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin5.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin6.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-4 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 55024]
R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
R2 OfcPfwSvc;OfficeScanNT Personal Firewall;c:\program files\trend micro\officescan client\OfcPfwSvc.exe [2006-2-7 233552]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2005-11-9 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2005-11-9 36368]
S0 yllsbskk;yllsbskk;c:\windows\system32\drivers\tduhio.sys --> c:\windows\system32\drivers\tduhIo.sys [?]
S2 ithswte;ithswte;c:\windows\system32\drivers\bhecofs.sys --> c:\windows\system32\drivers\bhecofs.sys [?]
S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2006-9-17 3712]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [2009-7-17 99248]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-3-12 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-3-12 3072]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\admini~1\locals~1\temp\dku2.tmp --> c:\docume~1\admini~1\locals~1\temp\DKU2.tmp [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [2008-12-16 36928]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S3 XDva020;XDva020;\??\c:\windows\system32\xdva020.sys --> c:\windows\system32\XDva020.sys [?]
SUnknown bhtatrqm;bhtatrqm; [x]

=============== Created Last 30 ================

2009-07-18 00:08 2,036,576 a------- c:\windows\system32\D3DCompiler_40.dll
2009-07-18 00:08 452,440 a------- c:\windows\system32\d3dx10_40.dll
2009-07-18 00:08 4,379,984 a------- c:\windows\system32\D3DX9_40.dll
2009-07-18 00:08 <DIR> --d----- c:\windows\Logs
2009-07-18 00:08 <DIR> --d----- c:\program files\Heroes of Newerth
2009-07-17 23:28 213,024 a------- c:\windows\system32\drivers\str.sys
2009-07-17 14:51 <DIR> --d----- c:\program files\JRE
2009-07-17 14:51 <DIR> --d----- c:\windows\SxsCaPendDel
2009-07-17 08:12 <DIR> --d----- c:\docume~1\admini~1\applic~1\Lexmark Productivity Studio
2009-07-17 08:09 <DIR> --d----- c:\program files\Lx_cats
2009-07-17 08:09 <DIR> -cd----- C:\logs
2009-07-17 08:08 40,960 a------- c:\windows\system32\lxddvs.dll
2009-07-17 08:08 344,064 a------- c:\windows\system32\lxddcoin.dll
2009-07-17 08:08 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-07-17 08:08 87,040 a------- c:\windows\system32\wiafbdrv.dll
2009-07-17 08:08 692,224 a------- c:\windows\system32\lxdddrs.dll
2009-07-17 08:08 69,632 a------- c:\windows\system32\lxddcnv4.dll
2009-07-17 08:08 65,536 a------- c:\windows\system32\lxddcaps.dll
2009-07-17 08:08 44 a------- c:\windows\system32\lxddrwrd.ini
2009-07-17 08:08 <DIR> --d----- c:\program files\Lexmark Toolbar
2009-07-17 08:08 <DIR> --d----- c:\program files\Lexmark 2500 Series
2009-07-05 16:34 <DIR> --d----- c:\program files\ESET
2009-07-04 19:29 74,752 a------- c:\windows\system32\drivers\tgiovtd.sys

==================== Find3M ====================

2009-07-17 14:49 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-13 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-26 22:10 52 ac------ C:\z40a8lmmo.bat
2009-05-25 15:30 409,600 a------- c:\windows\system32\wrap_oal.dll
2009-05-25 15:30 114,688 a------- c:\windows\system32\OpenAL32.dll
2009-04-07 14:46 22,328 a------- c:\docume~1\admini~1\applic~1\PnkBstrK.sys
2007-12-15 20:00 13,195 a------- c:\documents and settings\administrator\zguicfgw.dat

============= FINISH: 15:52:57.84 ===============

#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:36 PM

Posted 28 July 2009 - 07:09 PM

Hi rellsaii,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

There is more than one bad driver running on the PC so we need to go in straight away.

First though

I don't see an Anti Virus Program running on your machine
  • Download and install an antivirus program, and make sure that you keep it updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Two good antivirus programs free for non-commercial home use are Avast! and Antivir
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
Next we need to remove the drivers and associated files

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Then

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

That should remove the main elements of the infection. :thumbup2:
Posted Image
m0le is a proud member of UNITE

#6 rellsaii

rellsaii
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:36 AM

Posted 28 July 2009 - 09:14 PM

Thank you m0le, I have done the scans you requested. I have also downloaded and installed Avast. Here are the logs, let me know if any further action is required.

ComboFix 09-07-28.01 - Administrator 07/28/2009 19:32.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1666 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled* {108AFF64-5F7D-432D-8A60-7D2FE2846F7A}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\17473124
c:\documents and settings\All Users\Application Data\17473124\17473124
c:\documents and settings\All Users\Application Data\17473124\17473124.exe
c:\windows\Installer\2d110c.msp
c:\windows\Installer\5136855.msp
c:\windows\Installer\513685e.msp
c:\windows\system32\drivers\hjgruitmmojnbo.sys
c:\windows\system32\drivers\str.sys
c:\windows\system32\drivers\tgiovtd.sys
c:\windows\system32\hjgruijkqninmy.dat
c:\windows\system32\hjgruipevrcimq.dll
c:\windows\system32\hjgruisaptdjne.dll
c:\windows\system32\hjgruixopbhcvh.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruiaikovabb
-------\Legacy_BHTATRQM
-------\Legacy_MSUPDATE


((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-29 )))))))))))))))))))))))))))))))
.

2009-07-27 18:26 . 2009-07-27 18:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-07-27 05:37 . 2008-12-04 06:25 120832 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7y7kpu0z.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
2009-07-18 05:08 . 2008-10-10 09:52 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2009-07-18 05:08 . 2008-10-10 09:52 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2009-07-18 05:08 . 2008-10-10 09:52 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2009-07-18 05:08 . 2009-07-18 05:08 -------- d-----w- c:\windows\Logs
2009-07-18 05:08 . 2009-07-18 05:10 -------- d-----w- c:\program files\Heroes of Newerth
2009-07-17 19:51 . 2009-07-17 19:51 -------- d-----w- c:\program files\JRE
2009-07-17 19:51 . 2009-07-18 05:08 -------- d-----w- c:\windows\SxsCaPendDel
2009-07-17 13:12 . 2009-07-17 13:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Lexmark Productivity Studio
2009-07-17 13:09 . 2009-07-27 16:19 -------- d-----w- c:\program files\Lx_cats
2009-07-17 13:09 . 2009-07-17 13:09 -------- dc----w- C:\logs
2009-07-17 13:08 . 2006-05-18 07:47 40960 ----a-w- c:\windows\system32\lxddvs.dll
2009-07-17 13:08 . 2007-03-28 19:16 344064 ----a-w- c:\windows\system32\lxddcoin.dll
2009-07-17 13:08 . 2004-08-04 03:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-07-17 13:08 . 2001-08-18 03:36 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2009-07-17 13:08 . 2007-01-24 00:40 65536 ----a-w- c:\windows\system32\lxddcaps.dll
2009-07-17 13:08 . 2007-01-09 22:13 692224 ----a-w- c:\windows\system32\lxdddrs.dll
2009-07-17 13:08 . 2006-10-06 22:08 69632 ----a-w- c:\windows\system32\lxddcnv4.dll
2009-07-17 13:08 . 2009-07-17 13:08 -------- d-----w- c:\program files\Lexmark Toolbar
2009-07-17 13:08 . 2009-07-17 13:08 -------- d-----w- c:\program files\Lexmark 2500 Series
2009-07-05 21:34 . 2009-07-05 21:34 -------- d-----w- c:\program files\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-27 14:44 . 2009-05-06 18:27 1 ----a-w- c:\documents and settings\Administrator\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-07-26 22:05 . 2008-05-26 07:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-25 04:59 . 2006-02-20 03:21 -------- d-----w- c:\program files\Trillian
2009-07-18 03:33 . 2006-02-18 20:25 80280 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-17 19:51 . 2009-05-06 18:08 -------- d-----w- c:\program files\OpenOffice.org 3
2009-07-17 19:49 . 2009-03-28 21:04 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:49 . 2006-02-18 20:02 -------- d-----w- c:\program files\Java
2009-07-17 03:23 . 2009-05-13 00:11 -------- d-----w- c:\program files\World of Warcraft
2009-07-15 04:47 . 2008-11-17 21:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-15 04:40 . 2008-12-23 20:50 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-13 18:36 . 2008-11-17 21:50 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 18:36 . 2008-11-17 21:50 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-07 19:47 . 2006-12-04 07:50 16 -c--a-w- c:\windows\popcinfot.dat
2009-07-07 18:57 . 2008-01-20 20:45 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-27 03:10 . 2009-06-27 03:10 52 -c--a-w- C:\z40a8lmmo.bat
2009-06-19 00:33 . 2009-01-13 04:37 -------- d-----w- c:\program files\Crayon Physics Deluxe
2009-06-06 17:54 . 2009-05-19 15:32 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-05-25 20:30 . 2009-05-25 20:30 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2009-05-25 20:30 . 2009-05-25 20:30 114688 ----a-w- c:\windows\system32\OpenAL32.dll
2009-07-28 19:30 . 2008-11-09 03:58 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedswitchXP"="c:\program files\SpeedswitchXP\SpeedswitchXP.exe" [2006-07-14 626688]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2002-12-31 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2006-02-07 356352]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-12 13582336]
"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-06-12 291760]
"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-04-30 20480]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-17 148888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-9-17 593920]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
"AresChatServer"=3 (0x3)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"TuneUp.Defrag"=3 (0x3)
"ZuneNetworkSvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"rpcapd"=3 (0x3)
"MDM"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\WINDOWS\\system32\\lxddcoms.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddtime.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6113:TCP"= 6113:TCP:WC3

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/4/2008 1:50 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/4/2008 1:50 PM 55024]
R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [11/9/2005 8:34 PM 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [11/9/2005 8:34 PM 36368]
S0 yllsbskk;yllsbskk;c:\windows\system32\drivers\tduhIo.sys --> c:\windows\system32\drivers\tduhIo.sys [?]
S2 bhtatrqm;bhtatrqm;\??\c:\windows\system32\drivers\tgiovtd.sys --> c:\windows\system32\drivers\tgiovtd.sys [?]
S2 ithswte;ithswte;c:\windows\system32\drivers\bhecofs.sys --> c:\windows\system32\drivers\bhecofs.sys [?]
S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [9/17/2006 8:22 PM 3712]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [7/17/2009 8:08 AM 99248]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [3/12/2009 3:56 PM 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [3/12/2009 3:56 PM 3072]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\DKU2.tmp --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\DKU2.tmp [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [11/17/2008 4:50 PM 38160]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 4:10 PM 32512]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [12/16/2008 4:41 PM 36928]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/4/2008 1:50 PM 7408]
S3 XDva020;XDva020;\??\c:\windows\system32\XDva020.sys --> c:\windows\system32\XDva020.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-07-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2009-07-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-26 04:23]

2009-07-21 c:\windows\Tasks\O&O Defrag.job
- c:\documents and settings\All Users\Start Menu\Programs\O&O Software\O&O Defrag\O&O Defrag.lnk [2006-02-18 09:37]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-17473124 - c:\documents and settings\All Users\Application Data\17473124\17473124.exe


.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
mSearch Bar = hxxp://www.google.com/
mSearchMigratedDefaultURL = hxxp://www.google.com/
mSearchURL = hxxp://www.google.com/
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7y7kpu0z.default\
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin6.dll
.

**************************************************************************

driver loading error catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-28 19:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\DKU2.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C3E67C84-FF81-4ACD-401BD333BA56E9EA}\{F4E9985F-0D7B-FE76-62CD8C76B0126B78}\{BB457FA5-4647-F88E-4919FBC3754B9322}*]
"RA4KGUJC6T6LBNJRIDQ63C2L6C1"=hex:01,00,01,00,00,00,00,00,f7,8a,3d,85,55,45,07,
82,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]
@DACL=(02 0000)
@="c:\\windows\\system32\\sowebore.dll"
"ThreadingModel"="Both"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2920)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxddcoms.exe
c:\program files\Trend Micro\OfficeScan Client\NTRtScan.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Trend Micro\OfficeScan Client\TmListen.exe
c:\program files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
c:\windows\temp\LH690B.EXE
c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.exe
c:\windows\system32\wscntfy.exe
c:\program files\Trend Micro\OfficeScan Client\PccNTUpd.exe
.
**************************************************************************
.
Completion time: 2009-07-29 19:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-29 00:52
ComboFix2.txt 2009-03-12 04:15

Pre-Run: 158,127,210,496 bytes free
Post-Run: 158,062,260,224 bytes free

243



Malwarebytes' Anti-Malware 1.39
Database version: 2524
Windows 5.1.2600 Service Pack 2

7/28/2009 9:03:39 PM
mbam-log-2009-07-28 (21-03-39).txt

Scan type: Full Scan (C:\|)
Objects scanned: 271505
Time elapsed: 1 hour(s), 3 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\WINDOWS\system32\hjgruipevrcimq.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{32a4c9fd-e632-479e-9950-a4b9f3b72022}\RP584\A0281022.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

Edited by rellsaii, 28 July 2009 - 09:17 PM.


#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:36 PM

Posted 29 July 2009 - 03:48 PM

That's quite a collection of malware, rellsaii. :thumbup2:

We need to run Combofix again but slightly differently.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Driver::
ithswte
epmntdrv

File::
c:\windows\popcinfot.dat
c:\windows\system32\drivers\bhecofs.sys
c:\windows\system32\epmntdrv.sys
c:\windows\\system32\sowebore.dll


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Thanks :)
Posted Image
m0le is a proud member of UNITE

#8 rellsaii

rellsaii
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:36 AM

Posted 29 July 2009 - 08:47 PM

Alright. I've done as you've asked, here is the log. Please let me know if further action is required.

[b][/bComboFix 09-07-29.03 - Administrator 07/29/2009 20:25.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1629 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\cfscript.txt
AV: avast! antivirus 4.8.1335 [VPS 090729-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Trend Micro OfficeScan Enterprise Client Firewall *disabled* {108AFF64-5F7D-432D-8A60-7D2FE2846F7A}

FILE ::
"c:\windows\\system32\sowebore.dll"
"c:\windows\popcinfot.dat"
"c:\windows\system32\drivers\bhecofs.sys"
"c:\windows\system32\epmntdrv.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\popcinfot.dat
c:\windows\system32\epmntdrv.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EPMNTDRV
-------\Legacy_ITHSWTE
-------\Service_epmntdrv
-------\Service_ithswte


((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-30 )))))))))))))))))))))))))))))))
.

2009-07-29 02:25 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-07-29 02:25 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-07-29 02:25 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-07-29 02:25 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-07-29 02:25 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-07-29 02:25 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-07-29 02:25 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-07-29 02:25 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-07-29 02:25 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-07-29 02:25 . 2009-07-29 02:25 -------- d-----w- c:\program files\Alwil Software
2009-07-27 18:26 . 2009-07-27 18:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-07-27 05:37 . 2008-12-04 06:25 120832 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7y7kpu0z.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
2009-07-18 05:08 . 2008-10-10 09:52 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2009-07-18 05:08 . 2008-10-10 09:52 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2009-07-18 05:08 . 2008-10-10 09:52 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2009-07-18 05:08 . 2009-07-18 05:08 -------- d-----w- c:\windows\Logs
2009-07-18 05:08 . 2009-07-30 01:20 -------- d-----w- c:\program files\Heroes of Newerth
2009-07-17 19:51 . 2009-07-17 19:51 -------- d-----w- c:\program files\JRE
2009-07-17 19:51 . 2009-07-18 05:08 -------- d-----w- c:\windows\SxsCaPendDel
2009-07-17 13:12 . 2009-07-17 13:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Lexmark Productivity Studio
2009-07-17 13:09 . 2009-07-27 16:19 -------- d-----w- c:\program files\Lx_cats
2009-07-17 13:09 . 2009-07-17 13:09 -------- dc----w- C:\logs
2009-07-17 13:08 . 2006-05-18 07:47 40960 ----a-w- c:\windows\system32\lxddvs.dll
2009-07-17 13:08 . 2007-03-28 19:16 344064 ----a-w- c:\windows\system32\lxddcoin.dll
2009-07-17 13:08 . 2004-08-04 03:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-07-17 13:08 . 2001-08-18 03:36 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2009-07-17 13:08 . 2007-01-24 00:40 65536 ----a-w- c:\windows\system32\lxddcaps.dll
2009-07-17 13:08 . 2007-01-09 22:13 692224 ----a-w- c:\windows\system32\lxdddrs.dll
2009-07-17 13:08 . 2006-10-06 22:08 69632 ----a-w- c:\windows\system32\lxddcnv4.dll
2009-07-17 13:08 . 2009-07-17 13:08 -------- d-----w- c:\program files\Lexmark Toolbar
2009-07-17 13:08 . 2009-07-17 13:08 -------- d-----w- c:\program files\Lexmark 2500 Series
2009-07-05 21:34 . 2009-07-05 21:34 -------- d-----w- c:\program files\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-30 01:14 . 2008-05-26 07:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-27 14:44 . 2009-05-06 18:27 1 ----a-w- c:\documents and settings\Administrator\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-07-25 04:59 . 2006-02-20 03:21 -------- d-----w- c:\program files\Trillian
2009-07-18 03:33 . 2006-02-18 20:25 80280 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-17 19:51 . 2009-05-06 18:08 -------- d-----w- c:\program files\OpenOffice.org 3
2009-07-17 19:49 . 2009-03-28 21:04 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:49 . 2006-02-18 20:02 -------- d-----w- c:\program files\Java
2009-07-17 03:23 . 2009-05-13 00:11 -------- d-----w- c:\program files\World of Warcraft
2009-07-15 04:47 . 2008-11-17 21:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-15 04:40 . 2008-12-23 20:50 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-13 18:36 . 2008-11-17 21:50 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 18:36 . 2008-11-17 21:50 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-07 18:57 . 2008-01-20 20:45 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-27 03:10 . 2009-06-27 03:10 52 -c--a-w- C:\z40a8lmmo.bat
2009-06-19 00:33 . 2009-01-13 04:37 -------- d-----w- c:\program files\Crayon Physics Deluxe
2009-06-06 17:54 . 2009-05-19 15:32 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-05-25 20:30 . 2009-05-25 20:30 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2009-05-25 20:30 . 2009-05-25 20:30 114688 ----a-w- c:\windows\system32\OpenAL32.dll
2009-07-28 19:30 . 2008-11-09 03:58 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-29_00.45.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-30 01:36 . 2009-07-30 01:36 16384 c:\windows\temp\Perflib_Perfdata_750.dat
+ 2009-07-29 02:37 . 2009-07-29 02:37 16384 c:\windows\temp\Perflib_Perfdata_460.dat
+ 2009-07-30 01:36 . 2009-07-30 01:36 16384 c:\windows\temp\Perflib_Perfdata_214.dat
+ 2009-07-30 01:37 . 2006-02-07 21:10 172099 c:\windows\temp\FG2E7E.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedswitchXP"="c:\program files\SpeedswitchXP\SpeedswitchXP.exe" [2006-07-14 626688]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2002-12-31 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2006-02-07 356352]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-12 13582336]
"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-06-12 291760]
"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-04-30 20480]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-17 148888]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-9-17 593920]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
"AresChatServer"=3 (0x3)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"TuneUp.Defrag"=3 (0x3)
"ZuneNetworkSvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"rpcapd"=3 (0x3)
"MDM"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\WINDOWS\\system32\\lxddcoms.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddtime.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6113:TCP"= 6113:TCP:WC3

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/28/2009 9:25 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/4/2008 1:50 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/4/2008 1:50 PM 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/28/2009 9:25 PM 20560]
R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [11/9/2005 8:34 PM 36368]
S0 yllsbskk;yllsbskk;c:\windows\system32\drivers\tduhIo.sys --> c:\windows\system32\drivers\tduhIo.sys [?]
S2 bhtatrqm;bhtatrqm;\??\c:\windows\system32\drivers\tgiovtd.sys --> c:\windows\system32\drivers\tgiovtd.sys [?]
S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [9/17/2006 8:22 PM 3712]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [7/17/2009 8:08 AM 99248]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [11/9/2005 8:34 PM 225296]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [3/12/2009 3:56 PM 3072]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\DKU2.tmp --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\DKU2.tmp [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 4:10 PM 32512]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [12/16/2008 4:41 PM 36928]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/4/2008 1:50 PM 7408]
S3 XDva020;XDva020;\??\c:\windows\system32\XDva020.sys --> c:\windows\system32\XDva020.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-07-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2009-07-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-26 04:23]

2009-07-21 c:\windows\Tasks\O&O Defrag.job
- c:\documents and settings\All Users\Start Menu\Programs\O&O Software\O&O Defrag\O&O Defrag.lnk [2006-02-18 09:37]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
mSearch Bar = hxxp://www.google.com/
mSearchMigratedDefaultURL = hxxp://www.google.com/
mSearchURL = hxxp://www.google.com/
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7y7kpu0z.default\
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin6.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-29 20:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\DKU2.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C3E67C84-FF81-4ACD-401BD333BA56E9EA}\{F4E9985F-0D7B-FE76-62CD8C76B0126B78}\{BB457FA5-4647-F88E-4919FBC3754B9322}*]
"RA4KGUJC6T6LBNJRIDQ63C2L6C1"=hex:01,00,01,00,00,00,00,00,f7,8a,3d,85,55,45,07,
82,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]
@DACL=(02 0000)
@="c:\\windows\\system32\\sowebore.dll"
"ThreadingModel"="Both"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(996)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxddcoms.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.exe
c:\windows\system32\wscntfy.exe
c:\program files\Trend Micro\OfficeScan Client\Misc\xpupg.exe
c:\program files\Trend Micro\OfficeScan Client\PccNTUpd.exe
.
**************************************************************************
.
Completion time: 2009-07-30 20:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-30 01:45
ComboFix2.txt 2009-07-29 00:52
ComboFix3.txt 2009-03-12 04:15

Pre-Run: 157,942,906,880 bytes free
Post-Run: 157,946,245,120 bytes free

254

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:36 PM

Posted 30 July 2009 - 05:12 PM

This infection is persistent.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Driver::
yllsbskk
bhtatrqm

File::
c:\windows\system32\drivers\tduhIo.sys
c:\windows\system32\drivers\tgiovtd.sys
c:\\windows\\system32\\sowebore.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Posted Image
m0le is a proud member of UNITE

#10 rellsaii

rellsaii
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:36 AM

Posted 31 July 2009 - 08:37 PM

My latest log:

ComboFix 09-07-31.02 - Administrator 07/31/2009 18:16.4.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1555 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFscript.txt
AV: avast! antivirus 4.8.1335 [VPS 090731-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled* {108AFF64-5F7D-432D-8A60-7D2FE2846F7A}
* Created a new restore point

FILE ::
"c:\\windows\\system32\\sowebore.dll"
"c:\windows\system32\drivers\tduhIo.sys"
"c:\windows\system32\drivers\tgiovtd.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_bhtatrqm
-------\Service_yllsbskk


((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-31 )))))))))))))))))))))))))))))))
.

2009-07-29 02:25 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-07-29 02:25 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-07-29 02:25 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-07-29 02:25 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-07-29 02:25 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-07-29 02:25 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-07-29 02:25 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-07-29 02:25 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-07-29 02:25 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-07-29 02:25 . 2009-07-29 02:25 -------- d-----w- c:\program files\Alwil Software
2009-07-27 18:26 . 2009-07-27 18:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-07-27 05:37 . 2008-12-04 06:25 120832 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7y7kpu0z.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
2009-07-18 05:08 . 2008-10-10 09:52 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2009-07-18 05:08 . 2008-10-10 09:52 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2009-07-18 05:08 . 2008-10-10 09:52 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2009-07-18 05:08 . 2009-07-18 05:08 -------- d-----w- c:\windows\Logs
2009-07-18 05:08 . 2009-07-30 01:57 -------- d-----w- c:\program files\Heroes of Newerth
2009-07-17 19:51 . 2009-07-17 19:51 -------- d-----w- c:\program files\JRE
2009-07-17 19:51 . 2009-07-18 05:08 -------- d-----w- c:\windows\SxsCaPendDel
2009-07-17 13:12 . 2009-07-17 13:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Lexmark Productivity Studio
2009-07-17 13:09 . 2009-07-27 16:19 -------- d-----w- c:\program files\Lx_cats
2009-07-17 13:09 . 2009-07-17 13:09 -------- dc----w- C:\logs
2009-07-17 13:08 . 2006-05-18 07:47 40960 ----a-w- c:\windows\system32\lxddvs.dll
2009-07-17 13:08 . 2007-03-28 19:16 344064 ----a-w- c:\windows\system32\lxddcoin.dll
2009-07-17 13:08 . 2004-08-04 03:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-07-17 13:08 . 2001-08-18 03:36 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2009-07-17 13:08 . 2007-01-24 00:40 65536 ----a-w- c:\windows\system32\lxddcaps.dll
2009-07-17 13:08 . 2007-01-09 22:13 692224 ----a-w- c:\windows\system32\lxdddrs.dll
2009-07-17 13:08 . 2006-10-06 22:08 69632 ----a-w- c:\windows\system32\lxddcnv4.dll
2009-07-17 13:08 . 2009-07-17 13:08 -------- d-----w- c:\program files\Lexmark Toolbar
2009-07-17 13:08 . 2009-07-17 13:08 -------- d-----w- c:\program files\Lexmark 2500 Series
2009-07-05 21:34 . 2009-07-05 21:34 -------- d-----w- c:\program files\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-31 05:41 . 2008-05-26 07:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-27 14:44 . 2009-05-06 18:27 1 ----a-w- c:\documents and settings\Administrator\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-07-25 04:59 . 2006-02-20 03:21 -------- d-----w- c:\program files\Trillian
2009-07-18 03:33 . 2006-02-18 20:25 80280 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-17 19:51 . 2009-05-06 18:08 -------- d-----w- c:\program files\OpenOffice.org 3
2009-07-17 19:49 . 2009-03-28 21:04 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:49 . 2006-02-18 20:02 -------- d-----w- c:\program files\Java
2009-07-17 03:23 . 2009-05-13 00:11 -------- d-----w- c:\program files\World of Warcraft
2009-07-15 04:47 . 2008-11-17 21:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-15 04:40 . 2008-12-23 20:50 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-13 18:36 . 2008-11-17 21:50 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 18:36 . 2008-11-17 21:50 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-07 18:57 . 2008-01-20 20:45 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-27 03:10 . 2009-06-27 03:10 52 -c--a-w- C:\z40a8lmmo.bat
2009-06-19 00:33 . 2009-01-13 04:37 -------- d-----w- c:\program files\Crayon Physics Deluxe
2009-06-06 17:54 . 2009-05-19 15:32 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-05-25 20:30 . 2009-05-25 20:30 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2009-05-25 20:30 . 2009-05-25 20:30 114688 ----a-w- c:\windows\system32\OpenAL32.dll
2009-07-28 19:30 . 2008-11-09 03:58 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-29_00.45.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-31 22:24 . 2009-07-31 22:24 16384 c:\windows\temp\Perflib_Perfdata_210.dat
+ 2009-07-31 23:28 . 2009-07-31 23:28 16384 c:\windows\temp\Perflib_Perfdata_1d8.dat
+ 2009-07-31 23:28 . 2009-07-31 23:28 16384 c:\windows\temp\Perflib_Perfdata_140.dat
+ 2009-07-31 23:29 . 2006-02-07 21:10 172099 c:\windows\temp\TO7BD4.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedswitchXP"="c:\program files\SpeedswitchXP\SpeedswitchXP.exe" [2006-07-14 626688]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2002-12-31 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2006-02-07 356352]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-12 13582336]
"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-06-12 291760]
"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-04-30 20480]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-17 148888]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-9-17 593920]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
"AresChatServer"=3 (0x3)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"TuneUp.Defrag"=3 (0x3)
"ZuneNetworkSvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"rpcapd"=3 (0x3)
"MDM"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\WINDOWS\\system32\\lxddcoms.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddtime.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6113:TCP"= 6113:TCP:WC3

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/28/2009 9:25 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/4/2008 1:50 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/4/2008 1:50 PM 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/28/2009 9:25 PM 20560]
R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [11/9/2005 8:34 PM 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [11/9/2005 8:34 PM 36368]
S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [9/17/2006 8:22 PM 3712]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [7/17/2009 8:08 AM 99248]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [3/12/2009 3:56 PM 3072]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\DKU2.tmp --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\DKU2.tmp [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 4:10 PM 32512]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [12/16/2008 4:41 PM 36928]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/4/2008 1:50 PM 7408]
S3 XDva020;XDva020;\??\c:\windows\system32\XDva020.sys --> c:\windows\system32\XDva020.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-07-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2009-07-31 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-26 04:23]

2009-07-21 c:\windows\Tasks\O&O Defrag.job
- c:\documents and settings\All Users\Start Menu\Programs\O&O Software\O&O Defrag\O&O Defrag.lnk [2006-02-18 09:37]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
mSearch Bar = hxxp://www.google.com/
mSearchMigratedDefaultURL = hxxp://www.google.com/
mSearchURL = hxxp://www.google.com/
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7y7kpu0z.default\
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin6.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-31 18:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\DKU2.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C3E67C84-FF81-4ACD-401BD333BA56E9EA}\{F4E9985F-0D7B-FE76-62CD8C76B0126B78}\{BB457FA5-4647-F88E-4919FBC3754B9322}*]
"RA4KGUJC6T6LBNJRIDQ63C2L6C1"=hex:01,00,01,00,00,00,00,00,f7,8a,3d,85,55,45,07,
82,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]
@DACL=(02 0000)
@="c:\\windows\\system32\\sowebore.dll"
"ThreadingModel"="Both"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3324)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\msi.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxddcoms.exe
c:\program files\Trend Micro\OfficeScan Client\NTRtScan.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Trend Micro\OfficeScan Client\TmListen.exe
c:\program files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.exe
c:\windows\temp\TO7BD4.EXE
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\wscntfy.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-07-31 18:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-31 23:37
ComboFix2.txt 2009-07-30 01:45
ComboFix3.txt 2009-07-29 00:52
ComboFix4.txt 2009-03-12 04:15

Pre-Run: 157,825,667,072 bytes free
Post-Run: 157,836,787,712 bytes free

254

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:36 PM

Posted 01 August 2009 - 04:47 AM

One more go with Combofix. :thumbup2:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\XDva020.sys
c:\\windows\\system32\\sowebore.dll

Reglockdel:
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]

Driver::
XDva020


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

This should remove the rest of the components.

Then

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
Thanks :)
Posted Image
m0le is a proud member of UNITE

#12 rellsaii

rellsaii
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:36 AM

Posted 01 August 2009 - 11:58 PM

Is the latest combofix log required? I have it but don't see it requested. I accidentally deleted the incurables rather than moving them, hopefully this doesn't cause problems, here is my Dr. Web log:

17473124.exe.vir;C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\17473124;Trojan.Fakealert.4494;Deleted.;
A0251082.EXE;C:\System Volume Information\_restore{32A4C9FD-E632-479E-9950-A4B9F3B72022}\RP518;Probably Trojan.Packed.197;Incurable.Deleted.;
A0251083.exe;C:\System Volume Information\_restore{32A4C9FD-E632-479E-9950-A4B9F3B72022}\RP518;Probably Trojan.Packed.197;Incurable.Deleted.;
A0251084.exe;C:\System Volume Information\_restore{32A4C9FD-E632-479E-9950-A4B9F3B72022}\RP518;Probably Trojan.Packed.197;Incurable.Deleted.;
A0253885.exe;C:\System Volume Information\_restore{32A4C9FD-E632-479E-9950-A4B9F3B72022}\RP545;Probably DLOADER.Trojan;Incurable.Deleted.;
A0281047.exe;C:\System Volume Information\_restore{32A4C9FD-E632-479E-9950-A4B9F3B72022}\RP584;Trojan.Fakealert.4494;Deleted.;
A0281124.dll;C:\System Volume Information\_restore{32A4C9FD-E632-479E-9950-A4B9F3B72022}\RP584;Trojan.Virtumod.based.25;Incurable.Moved.;
A0281125.dll;C:\System Volume Information\_restore{32A4C9FD-E632-479E-9950-A4B9F3B72022}\RP584;Trojan.Virtumod.based.25;Incurable.Moved.;
A0281126.dll;C:\System Volume Information\_restore{32A4C9FD-E632-479E-9950-A4B9F3B72022}\RP584;Trojan.Virtumod.based.25;Incurable.Moved.;

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:36 PM

Posted 02 August 2009 - 03:48 AM

Is the latest combofix log required?


When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Yes please, rellsaii. :thumbup2:
Posted Image
m0le is a proud member of UNITE

#14 rellsaii

rellsaii
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:36 AM

Posted 02 August 2009 - 06:37 PM

Must have missed it, sorry here it is:

ComboFix 09-07-31.04 - Administrator 08/01/2009 14:05.5.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1534 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090801-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled* {108AFF64-5F7D-432D-8A60-7D2FE2846F7A}

FILE ::
"c:\\windows\\system32\\sowebore.dll"
"c:\windows\system32\XDva020.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ADMINI~1\LOCALS~1\Temp\catchme.dll
c:\documents and settings\Administrator\Local Settings\temp\catchme.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XDVA020
-------\Service_XDva020


((((((((((((((((((((((((( Files Created from 2009-07-01 to 2009-08-01 )))))))))))))))))))))))))))))))
.

2009-07-29 02:25 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-07-29 02:25 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-07-29 02:25 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-07-29 02:25 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-07-29 02:25 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-07-29 02:25 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-07-29 02:25 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-07-29 02:25 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-07-29 02:25 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-07-29 02:25 . 2009-07-29 02:25 -------- d-----w- c:\program files\Alwil Software
2009-07-27 18:26 . 2009-07-27 18:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-07-27 05:37 . 2008-12-04 06:25 120832 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7y7kpu0z.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
2009-07-18 05:08 . 2008-10-10 09:52 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2009-07-18 05:08 . 2008-10-10 09:52 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2009-07-18 05:08 . 2008-10-10 09:52 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2009-07-18 05:08 . 2009-07-18 05:08 -------- d-----w- c:\windows\Logs
2009-07-18 05:08 . 2009-07-30 01:57 -------- d-----w- c:\program files\Heroes of Newerth
2009-07-17 19:51 . 2009-07-17 19:51 -------- d-----w- c:\program files\JRE
2009-07-17 19:51 . 2009-07-18 05:08 -------- d-----w- c:\windows\SxsCaPendDel
2009-07-17 13:12 . 2009-07-17 13:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Lexmark Productivity Studio
2009-07-17 13:09 . 2009-07-27 16:19 -------- d-----w- c:\program files\Lx_cats
2009-07-17 13:09 . 2009-07-17 13:09 -------- dc----w- C:\logs
2009-07-17 13:08 . 2006-05-18 07:47 40960 ----a-w- c:\windows\system32\lxddvs.dll
2009-07-17 13:08 . 2007-03-28 19:16 344064 ----a-w- c:\windows\system32\lxddcoin.dll
2009-07-17 13:08 . 2004-08-04 03:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-07-17 13:08 . 2001-08-18 03:36 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2009-07-17 13:08 . 2007-01-24 00:40 65536 ----a-w- c:\windows\system32\lxddcaps.dll
2009-07-17 13:08 . 2007-01-09 22:13 692224 ----a-w- c:\windows\system32\lxdddrs.dll
2009-07-17 13:08 . 2006-10-06 22:08 69632 ----a-w- c:\windows\system32\lxddcnv4.dll
2009-07-17 13:08 . 2009-07-17 13:08 -------- d-----w- c:\program files\Lexmark Toolbar
2009-07-17 13:08 . 2009-07-17 13:08 -------- d-----w- c:\program files\Lexmark 2500 Series
2009-07-05 21:34 . 2009-07-05 21:34 -------- d-----w- c:\program files\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-01 06:42 . 2008-05-26 07:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-27 14:44 . 2009-05-06 18:27 1 ----a-w- c:\documents and settings\Administrator\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-07-25 04:59 . 2006-02-20 03:21 -------- d-----w- c:\program files\Trillian
2009-07-18 03:33 . 2006-02-18 20:25 80280 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-17 19:51 . 2009-05-06 18:08 -------- d-----w- c:\program files\OpenOffice.org 3
2009-07-17 19:49 . 2009-03-28 21:04 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:49 . 2006-02-18 20:02 -------- d-----w- c:\program files\Java
2009-07-17 03:23 . 2009-05-13 00:11 -------- d-----w- c:\program files\World of Warcraft
2009-07-15 04:47 . 2008-11-17 21:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-15 04:40 . 2008-12-23 20:50 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-13 18:36 . 2008-11-17 21:50 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 18:36 . 2008-11-17 21:50 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-07 18:57 . 2008-01-20 20:45 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-27 03:10 . 2009-06-27 03:10 52 -c--a-w- C:\z40a8lmmo.bat
2009-06-19 00:33 . 2009-01-13 04:37 -------- d-----w- c:\program files\Crayon Physics Deluxe
2009-06-06 17:54 . 2009-05-19 15:32 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-05-25 20:30 . 2009-05-25 20:30 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2009-05-25 20:30 . 2009-05-25 20:30 114688 ----a-w- c:\windows\system32\OpenAL32.dll
2009-07-28 19:30 . 2008-11-09 03:58 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-29_00.45.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-01 19:18 . 2009-08-01 19:18 16384 c:\windows\temp\Perflib_Perfdata_3f0.dat
+ 2009-08-01 02:19 . 2009-08-01 02:19 16384 c:\windows\temp\Perflib_Perfdata_200.dat
+ 2009-08-01 19:18 . 2006-02-07 21:10 172099 c:\windows\temp\YT38B7.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedswitchXP"="c:\program files\SpeedswitchXP\SpeedswitchXP.exe" [2006-07-14 626688]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2002-12-31 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2006-02-07 356352]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-12 13582336]
"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-06-12 291760]
"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-04-30 20480]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-17 148888]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-9-17 593920]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
"AresChatServer"=3 (0x3)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"TuneUp.Defrag"=3 (0x3)
"ZuneNetworkSvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"rpcapd"=3 (0x3)
"MDM"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\WINDOWS\\system32\\lxddcoms.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddtime.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6113:TCP"= 6113:TCP:WC3

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/28/2009 9:25 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/4/2008 1:50 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/4/2008 1:50 PM 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/28/2009 9:25 PM 20560]
R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [11/9/2005 8:34 PM 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [11/9/2005 8:34 PM 36368]
S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [9/17/2006 8:22 PM 3712]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [7/17/2009 8:08 AM 99248]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [3/12/2009 3:56 PM 3072]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\DKU2.tmp --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\DKU2.tmp [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 4:10 PM 32512]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [12/16/2008 4:41 PM 36928]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/4/2008 1:50 PM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-07-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2009-08-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-26 04:23]

2009-07-21 c:\windows\Tasks\O&O Defrag.job
- c:\documents and settings\All Users\Start Menu\Programs\O&O Software\O&O Defrag\O&O Defrag.lnk [2006-02-18 09:37]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
mSearch Bar = hxxp://www.google.com/
mSearchMigratedDefaultURL = hxxp://www.google.com/
mSearchURL = hxxp://www.google.com/
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7y7kpu0z.default\
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin6.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-01 14:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\DKU2.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C3E67C84-FF81-4ACD-401BD333BA56E9EA}\{F4E9985F-0D7B-FE76-62CD8C76B0126B78}\{BB457FA5-4647-F88E-4919FBC3754B9322}*]
"RA4KGUJC6T6LBNJRIDQ63C2L6C1"=hex:01,00,01,00,00,00,00,00,f7,8a,3d,85,55,45,07,
82,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]
@DACL=(02 0000)
@="c:\\windows\\system32\\sowebore.dll"
"ThreadingModel"="Both"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3400)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\msi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxddcoms.exe
c:\program files\Trend Micro\OfficeScan Client\NTRtScan.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Trend Micro\OfficeScan Client\TmListen.exe
c:\program files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
c:\windows\temp\YT38B7.EXE
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\wscntfy.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-08-01 14:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-01 19:27
ComboFix2.txt 2009-07-31 23:38
ComboFix3.txt 2009-07-30 01:45
ComboFix4.txt 2009-07-29 00:52
ComboFix5.txt 2009-08-01 19:04

Pre-Run: 157,804,068,864 bytes free
Post-Run: 157,795,487,744 bytes free

254

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:36 PM

Posted 02 August 2009 - 07:18 PM

No more bad drivers but I need a final run as the registry entry is still there thanks to a typo. My bad :)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Reglockdel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Then

Please download Posted Image Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Thanks, and apologies for the rerunning of Combofix, some infections are harder to remove than others. :thumbup2:
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users