NTOSKRNL-HOOK root trojan infection


16 replies to this topic

#1 adrianshelley


Posted 13 August 2009 - 08:05 AM

My laptop has acquired this trojan and I have read other posts on this site and tried all the basic suggestions, but I am unable to remove it. I hope someone can give me a hand?

Symptoms:
The infection followed multiple pop-ups from a spurious anonymous AV scan programme (i.e. not one installed on the PC).

When I tried to resolve it, I discovered that all restore points had been deleted.

Up-to-date McAfee was installed (and still is) - it detects the trojan in normal mode and deletes it, but the trojan is still there if the scan is repeated. It is not detected if McAfee is run in safe mode.

SpybotSD was installed on the system but the trojan seems to prevent it running (the Spybot exe file cannot be seen and so does not run - interestingly, when Spybot is installed on a USB flash drive from a 'good' PC and the exe file is clearly present, it 'disappears' when the flash drive is connected to the infected machine - it is not simply a 'hidden' file).

Following other posts on here I tried to install Malwarebytes, but the installation is blocked (it hangs when either the installation is initiated or an exe file from another machine is copied and run). I have tried renaming it but the execution/installation is still blocked.

dds.scr is also not running properly - on running it, the PC does not recognise it and asks for information on which programme created it. As a result I have run HijackThis as a standalone in order to produce the log below.
As dds did not run I am unsure where to locate the 'attach' file requested - I only have the log, so I will paste that as an attachment.

Thank you in advance for any help during the holiday season, as I have run out of ideas.
Adrian
............................................................................

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:56:55, on 13/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe
C:\Program Files\SRS Labs\WOWXT and TSXT Driver\SRS_PostInstaller.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\MARTIN~1\LOCALS~1\Temp\a.exe
C:\WINDOWS\msa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Samsung\DisplayManager\DisplayManager.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\CYBERL~1\INSTAN~1\Win2K\IBurn.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\system32\igfxext.exe
C:\temp\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\martin bradshaw\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\temp\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BatteryManager] C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
O4 - HKLM\..\Run: [MagicKeyboard] C:\Program Files\SAMSUNG\MagicKBD\PreMKBD.exe
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies Ltd\RecoverPro_XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [DisplayManager] C:\Program Files\Samsung\DisplayManager\DMLoader.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\CYBERL~1\INSTAN~1\Win2K\IBurn.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [Monopod] C:\DOCUME~1\MARTIN~1\LOCALS~1\Temp\a.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\temp\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\temp\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\temp\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://staff.ts.shu.ac.uk/tsweb/msrdp.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbdesktop/...tivePreQual.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: QoS RSVP RSVPsrservice (RSVPsrservice) - Unknown owner - C:\WINDOWS\TEMP\2.tmp.exe (file missing)
O23 - Service: Samsung Update Plus - Unknown owner - C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SNM WLAN Service - Unknown owner - C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe
O23 - Service: SRS PostInstaller Service (SRS_PostInstaller) - SRS Labs, Inc. - C:\Program Files\SRS Labs\WOWXT and TSXT Driver\SRS_PostInstaller.exe
O23 - Service: WebClient WebClientSchedule (WebClientSchedule) - Unknown owner - C:\WINDOWS\TEMP\2.tmp.exe (file missing)

--
End of file - 12932 bytes

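A triage pass over the kinds of HijackThis (O4/O23) and DDS (uRun/mRun, S2) entries posted in this thread, added here as an example that is not part of the original posts or of either tool: it parses those line shapes and flags autostarts that run from a Temp directory, carry an unusual extension, or point at a binary that is no longer on disk, so an analyst can review them first. The sample lines are constructed from the logs above; the regexes and the three heuristics are my own assumptions about the formats, and a flag is a reason to look, not a verdict.

```python
import re
from typing import Dict, List

# Constructed sample lines, modelled on the HijackThis (O4/O23) and DDS
# (uRun/mRun, S2) entries that stand out in the logs posted in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [igfxtray] C:\\WINDOWS\\system32\\igfxtray.exe
O4 - HKLM\\..\\Run: [net] "C:\\WINDOWS\\system32\\net.net"
O4 - HKCU\\..\\Run: [Monopod] C:\\DOCUME~1\\MARTIN~1\\LOCALS~1\\Temp\\a.exe
O4 - HKCU\\..\\Run: [updateMgr] C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_9
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\\Program Files\\McAfee\\VirusScan Enterprise\\Mcshield.exe
O23 - Service: QoS RSVP RSVPsrservice (RSVPsrservice) - Unknown owner - C:\\WINDOWS\\TEMP\\2.tmp.exe (file missing)
mRun: [net] "c:\\windows\\system32\\net.net"
uRun: [Monopod] c:\\docume~1\\martin~1\\locals~1\\temp\\a.exe
S2 WebClientSchedule;WebClient WebClientSchedule;c:\\windows\\temp\\2.tmp srv --> c:\\windows\\temp\\2.tmp srv [?]
"""

# One regex per line shape we understand (assumed from the logs); anything else is ignored.
HJT_RUN = re.compile(r"^O4 - .*?Run: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
HJT_SVC = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<cmd>.*)$")
DDS_RUN = re.compile(r"^[umd]Run: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
DDS_SVC = re.compile(r"^[RSP]\d (?P<name>[^;]+);(?P<desc>[^;]*);(?P<cmd>.*)$")

# First token that looks like a file name with an extension; tolerates quoting
# and trailing arguments such as "/background" or "(file missing)".
PATH_RE = re.compile(r'^"?(?P<path>.*?\.[A-Za-z0-9]{1,4})"?(?=\s|$)')

# Extensions we expect on a Run-key or service binary.
NORMAL_EXT = {".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".pif"}


def extract_path(cmd: str) -> str:
    """Pull the binary path out of a command string, dropping quotes and arguments."""
    m = PATH_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def review_reasons(path: str, cmd: str) -> List[str]:
    """Heuristics only: each reason says why an analyst should look, not a verdict."""
    p = path.lower()
    reasons: List[str] = []
    if "\\temp\\" in p:                       # C:\temp, %windir%\TEMP, LOCALS~1\Temp
        reasons.append("runs from a Temp directory")
    filename = p.rsplit("\\", 1)[-1]
    ext = p[p.rfind("."):] if "." in filename else ""
    if "\\" in p and ext and ext not in NORMAL_EXT:
        reasons.append(f"unusual extension {ext} for an autostart binary")
    if "(file missing)" in cmd.lower() or cmd.rstrip().endswith("[?]"):
        reasons.append("registered binary not found on disk")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per autostart/service entry that trips a heuristic."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        for kind, rx in (("run", HJT_RUN), ("service", HJT_SVC),
                         ("run", DDS_RUN), ("service", DDS_SVC)):
            m = rx.match(line)
            if not m:
                continue
            path = extract_path(m.group("cmd"))
            reasons = review_reasons(path, m.group("cmd"))
            if reasons:
                findings.append({"kind": kind, "name": m.group("name").strip(),
                                 "path": path, "reasons": reasons})
            break  # a line has exactly one shape
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['name']}: {f['path']} -> {'; '.join(f['reasons'])}")
```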

 


#2 Shannon2012


Posted 24 August 2009 - 02:07 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Shannon

#3 adrianshelley


Posted 24 August 2009 - 05:04 PM

Dear Shannon

Thanks for getting in touch - I still have the problem.

I can see some things that don't look right when reading the log, but I don't have the expertise to figure out a solution.

An extra piece of information is that I get errors with IE on start-up (IE has encountered a problem and has to close) even though I have not opened/clicked on it - I also recall, when the problem started, a similar error report for Acrobat.

As per my original post, dds.scr still will not run (the computer doesn't recognise it and asks for the programme that created it), but the dds.pif version did the trick - thanks.

DDS log follows, and the attach file is attached in both file and zipped format.

Thanks in advance for help from you and the BleepingComputer team - I have access to an alternative PC but not 24/7, so please bear with me if I do not respond instantly to your replies.

Adrian


DDS (Ver_09-07-30.01) - NTFSx86
Run by martin bradshaw at 22:40:29.40 on 24/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1270.694 [GMT 1:00]

AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe
C:\Program Files\SRS Labs\WOWXT and TSXT Driver\SRS_PostInstaller.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\MARTIN~1\LOCALS~1\Temp\a.exe
C:\WINDOWS\msa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Samsung\DisplayManager\DisplayManager.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\PROGRA~1\CYBERL~1\INSTAN~1\Win2K\IBurn.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcconsol.exe
C:\Documents and Settings\martin bradshaw\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\temp\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_9
uRun: [PowerBar]
uRun: [Power2GoExpress] NA
uRun: [Monopod] c:\docume~1\martin~1\locals~1\temp\a.exe
uRun: [SpybotSD TeaTimer] c:\temp\spybot - search & destroy\TeaTimer.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [BatteryManager] c:\program files\samsung\samsung battery manager\BatteryManager.exe
mRun: [MagicKeyboard] c:\program files\samsung\magickbd\PreMKBD.exe
mRun: [farstone]
mRun: [RestoreIT!] "c:\program files\phoenix technologies ltd\recoverpro_xp\VBPTASK.EXE" VBStart
mRun: [DisplayManager] c:\program files\samsung\displaymanager\DMLoader.exe
mRun: [SM1BG] c:\windows\SM1BG.EXE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [OdTray.exe] "c:\program files\funk software\odyssey client\OdTray.exe"
mRun: [<NO NAME>]
mRun: [StatusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [EEventManager] c:\program files\epson\creativity suite\event manager\EEventManager.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [B'sCLiP] c:\progra~1\cyberl~1\instan~1\win2k\IBurn.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [net] "c:\windows\system32\net.net"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoo!\messen~1\YPager.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\temp\spybot - search & destroy\SDHelper.dll
Trusted Zone: shu.ac.uk\exchange
Trusted Zone: shu.ac.uk\staff
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxp://staff.ts.shu.ac.uk/tsweb/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} - hxxp://help.broadbandassist.com/bbdesktop/PreQual/files/MotivePreQual.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
Notify: OdysseyClient - odyEvent.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\martin~1\applic~1\mozilla\firefox\profiles\vl7mnym1.default\
FF - prefs.js: browser.search.selectedEngine - Google.co.uk
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 144960]
R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [2008-1-27 10112]
R0 odFips;odFips;c:\windows\system32\drivers\odFIPS.sys [2006-5-24 254208]
R0 RITCPT;RITCPT;c:\windows\system32\drivers\RITCPT.SYS [2006-3-29 43512]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R2 BsUDF;B.H.A UDF Filesystem;c:\windows\system32\drivers\BsUDF.sys [2008-1-27 165376]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2006-3-29 4300]
R2 FBAPI;FBAPI;c:\windows\system32\drivers\FBAPI.sys [2006-3-29 5088]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2006-7-4 104000]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]
R2 SNM WLAN Service;SNM WLAN Service;c:\program files\samsung\samsung network manager\SNMWLANService.exe [2005-5-28 36864]
R2 SRS_PostInstaller;SRS PostInstaller Service;c:\program files\srs labs\wowxt and tsxt driver\SRS_PostInstaller.exe [2005-11-28 31744]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-3-11 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-3-11 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-3-11 168776]
R3 wowfilter;WOW XT Filter Driver;c:\windows\system32\drivers\WOWFilter.sys [2005-11-28 19456]
S2 RSVPsrservice;QoS RSVP RSVPsrservice;c:\windows\temp\2.tmp srv --> c:\windows\temp\2.tmp srv [?]
S2 WebClientSchedule;WebClient WebClientSchedule;c:\windows\temp\2.tmp srv --> c:\windows\temp\2.tmp srv [?]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-1-14 41864]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-1-14 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-1-14 81288]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-1-14 747912]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-1-14 946568]
S3 USA19H;USA19H;c:\windows\system32\drivers\USA19H2k.sys [2008-3-6 727908]
S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\drivers\USA19H2kp.sys [2008-3-6 44928]

=============== Created Last 30 ================

2009-08-13 01:36 <DIR> --d----- c:\windows\system32\scripting
2009-08-13 01:36 <DIR> --d----- c:\windows\l2schemas
2009-08-13 01:36 <DIR> --d----- c:\windows\system32\en
2009-08-13 01:36 <DIR> --d----- c:\windows\system32\bits
2009-08-13 01:31 <DIR> --d----- c:\windows\network diagnostic
2009-08-13 01:07 197 a------- c:\windows\system32\MRT.INI
2009-08-13 01:04 <DIR> --d----- c:\windows\ServicePackFiles
2009-08-13 01:02 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-13 00:15 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-13 00:15 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-13 00:15 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-13 00:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-12 09:50 16,409,960 a------- c:\temp\killtrojan.exe
2009-08-12 01:41 <DIR> --d----- c:\temp\Spybot - Search & Destroy
2009-08-12 01:33 16,409,960 a------- c:\temp\spybotsd162.exe
2009-08-12 00:04 <DIR> --d----- c:\docume~1\martin~1\applic~1\Logs
2009-08-11 23:59 147,456 a------- c:\windows\msa.exe
2009-08-11 23:57 164,623 a------- c:\windows\system32\net.net
2009-08-06 23:26 18,015,723 a------- c:\temp\vlc-1.0.1-win32.exe
2009-08-05 10:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll
2009-08-03 19:33 <DIR> --dsh--- c:\documents and settings\martin bradshaw\IECompatCache
2009-08-03 19:30 <DIR> --dsh--- c:\documents and settings\martin bradshaw\PrivacIE
2009-08-03 19:28 <DIR> --dsh--- c:\documents and settings\martin bradshaw\IETldCache
2009-08-03 19:01 1,985,536 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-08-03 19:01 594,432 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-08-03 19:01 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-08-03 19:01 55,296 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-03 19:01 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-08-03 19:01 11,067,392 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-08-03 19:01 <DIR> --d----- c:\windows\ie8updates
2009-08-03 19:00 101,376 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-08-03 18:58 <DIR> -cd-h--- c:\windows\ie8

==================== Find3M ====================

2009-08-13 01:39 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 20:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-09 12:16 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-07-09 12:16 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-07-03 18:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 08:19 69,120 a------- c:\windows\system32\27.tmp
2009-06-25 19:36 661,504 a------- c:\windows\system32\mqqm.dll
2009-06-25 19:36 517,120 a------- c:\windows\system32\mqsnap.dll
2009-06-25 19:36 471,552 a------- c:\windows\system32\mqutil.dll
2009-06-25 19:36 225,280 a------- c:\windows\system32\mqoa.dll
2009-06-25 19:36 186,880 a------- c:\windows\system32\mqtrig.dll
2009-06-25 19:36 177,152 a------- c:\windows\system32\mqrt.dll
2009-06-25 19:36 138,240 a------- c:\windows\system32\mqad.dll
2009-06-25 19:36 123,392 a------- c:\windows\system32\mqrtdep.dll
2009-06-25 19:36 95,744 a------- c:\windows\system32\mqsec.dll
2009-06-25 19:36 48,640 a------- c:\windows\system32\mqupgrd.dll
2009-06-25 19:36 47,104 a------- c:\windows\system32\mqdscli.dll
2009-06-25 19:36 16,896 a------- c:\windows\system32\mqise.dll
2009-06-22 12:49 117,248 a------- c:\windows\system32\mqtgsvc.exe
2009-06-22 12:49 19,968 a------- c:\windows\system32\mqbkup.exe
2009-06-22 12:49 4,608 a------- c:\windows\system32\mqsvc.exe
2009-06-16 15:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 13:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 13:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 15:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 07:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 20:09 1,291,264 a------- c:\windows\system32\quartz.dll
2008-10-14 20:39 1,024 a------- c:\docume~1\alluse~1\applic~1\imgpdf2.dll
2003-08-27 14:19 36,963 a----r-- c:\program files\common files\SM1updtr.dll

============= FINISH: 22:42:03.51 ===============

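The two S2 entries above whose image path is c:\windows\temp\2.tmp srv [?] are exactly what a triage pass over a DDS service list should pull out: a service binary living in a temp directory, with a .tmp name, that the tool could not even stat. The Python below is an added example, not part of the thread and not code from DDS or ComboFix. It parses lines of the form `R2 name;display;path [date size]`, follows the `-->` resolved path when DDS prints one, and flags temp-directory paths, .tmp binaries and unreadable files; the heuristics, the class and the function names are this example's own, and the sample lines are copied from the log above.

```python
"""Triage DDS-style service lines for suspicious image paths (added example).

DDS prints one service per line:
    <State> <ServiceName>;<DisplayName>;<ImagePath> [<date> <size>]
State is R0-R4 (running) or S0-S4 (stopped). The bracket holds the binary's
date and size, or "?" when DDS could not read the file. When the registered
path had to be resolved, DDS prints "<as registered> --> <resolved>".
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

LINE_RE = re.compile(
    r"^(?P<state>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)

# Lines copied from the DDS log above: three benign entries and the two temp-dir services.
SAMPLE_LOG = r"""
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2006-7-4 104000]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-3-11 168776]
S2 RSVPsrservice;QoS RSVP RSVPsrservice;c:\windows\temp\2.tmp srv --> c:\windows\temp\2.tmp srv [?]
S2 WebClientSchedule;WebClient WebClientSchedule;c:\windows\temp\2.tmp srv --> c:\windows\temp\2.tmp srv [?]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-1-14 41864]
"""


@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    path: str            # resolved image path (text after "-->" when present)
    meta: str            # contents of the trailing brackets
    findings: List[str] = field(default_factory=list)


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one DDS service line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    raw_path = m.group("path").strip()
    # The resolved form (after "-->") is what DDS actually looked for on disk.
    path = raw_path.rsplit("-->", 1)[-1].strip()
    return ServiceEntry(m.group("state"), m.group("name").strip(),
                        m.group("display").strip(), path, m.group("meta").strip())


def triage(entry: ServiceEntry) -> ServiceEntry:
    """Attach findings for the indicators a reviewer would raise on a service line."""
    parts = entry.path.lower().split("\\")
    dirs, filename = parts[:-1], parts[-1]
    if entry.meta == "?":
        entry.findings.append("DDS could not read the binary ([?]): missing, hidden or locked")
    if any(d in ("temp", "tmp") for d in dirs):
        entry.findings.append("image path is under a temp directory")
    if re.search(r"\.tmp\b", filename):
        entry.findings.append("service binary carries a .tmp extension")
    return entry


def triage_log(text: str) -> List[ServiceEntry]:
    """Return the suspicious service entries found in a DDS log excerpt."""
    flagged = []
    for line in text.splitlines():
        entry = parse_service_line(line)
        if entry is not None and triage(entry).findings:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.state} {e.name}: {e.path}")
        for f in e.findings:
            print("   -", f)
```

Run against the excerpt it reports only RSVPsrservice and WebClientSchedule, each with all three findings; the McAfee and IK entries parse but produce none. The same parser can be pointed at a whole pasted DDS log, since non-service lines (the file listings, headers) simply fail the regex and are skipped.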

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 31 August 2009 - 05:34 PM

Hi adrianshelley,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Let's deal with this nasty hooking trojan fast.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks :thumbup2:
m0le is a proud member of UNITE

#5 adrianshelley

adrianshelley
  • Topic Starter

  • Members
  • 8 posts

Posted 31 August 2009 - 07:41 PM

Dear m0le

Thanks for taking the time to help me.

Before I post the ComboFix log I should say I couldn't get access to the Security Centre to check/switch off the firewall as requested, or turn off virus protection; maybe an effect of the infection, as it previously prevented me running malware progs.
- For the virus scanner (McAfee VSE 8.5.0) I disabled each component including on-access scanning, then deselected 'prevent McAfee services from being stopped'. I hope this was sufficient to avoid problems, though I noticed it tried to run on the final reboot whilst ComboFix was preparing the log report.

Seven files in the rootkit were found on the first pass:

c:\windows\system32\drivers\UACfeemafrtaw.sys
c:\windows\system32\UACotstxieots.dll
c:\windows\system32\UACqivukeulvg.dll
c:\windows\system32\UACrdqapedxdy.dat
c:\windows\system32\UAChoarifraae.db
c:\windows\system32\UACboijbifyko.dll
c:\windows\system32\UACwpqsejbpli.dll

many thanks

Adrian



ComboFix 09-08-31.03 - martin bradshaw 01/09/2009 1:12.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1270.737 [GMT 1:00]
Running from: c:\documents and settings\martin bradshaw\Desktop\Combo-Fix.exe
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Microsoft Common
c:\recycler\S-1-5-21-1482476501-1547161642-839522115-500
c:\windows\Fonts\ZWAdobeF.TTF
c:\windows\Installer\d22b7c.msi
c:\windows\msa.exe
c:\windows\system32\_id.dat
c:\windows\system32\1009421875.dat
c:\windows\system32\2435038701.dat
c:\windows\system32\drivers\UACfeemafrtaw.sys
c:\windows\system32\net.net
c:\windows\system32\twain_32
c:\windows\system32\UACboijbifyko.dll
c:\windows\system32\UAChoarifraae.db
c:\windows\system32\uacinit.dll
c:\windows\system32\UACotstxieots.dll
c:\windows\system32\UACqivukeulvg.dll
c:\windows\system32\UACrdqapedxdy.dat
c:\windows\system32\UACwpqsejbpli.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_RSVPSRSERVICE
-------\Legacy_WEBCLIENTSCHEDULE
-------\Service_RSVPsrservice
-------\Service_WebClientSchedule


((((((((((((((((((((((((( Files Created from 2009-08-01 to 2009-09-01 )))))))))))))))))))))))))))))))
.

2009-08-13 00:36 . 2009-08-13 00:36 -------- d-----w- c:\windows\system32\scripting
2009-08-13 00:36 . 2009-08-13 00:36 -------- d-----w- c:\windows\l2schemas
2009-08-13 00:36 . 2009-08-13 00:36 -------- d-----w- c:\windows\system32\en
2009-08-13 00:36 . 2009-08-13 00:36 -------- d-----w- c:\windows\system32\bits
2009-08-13 00:04 . 2009-08-13 00:33 -------- d-----w- c:\windows\ServicePackFiles
2009-08-13 00:02 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-12 23:15 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-12 23:15 . 2009-08-13 20:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-12 23:15 . 2009-08-12 23:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-12 23:15 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-12 08:50 . 2009-08-12 00:33 16409960 ----a-w- c:\temp\killtrojan.exe
2009-08-12 00:41 . 2009-08-12 00:41 -------- d-----w- c:\temp\Spybot - Search & Destroy
2009-08-12 00:33 . 2009-08-12 00:33 16409960 ----a-w- c:\temp\spybotsd162.exe
2009-08-12 00:17 . 2009-08-12 00:17 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-08-12 00:16 . 2009-08-12 00:16 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-08-11 23:04 . 2009-08-11 23:04 -------- d-----w- c:\documents and settings\martin bradshaw\Application Data\Logs
2009-08-11 22:58 . 2009-08-11 22:58 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-07 21:22 . 2009-08-07 21:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-06 22:43 . 2009-08-11 21:30 -------- d-----w- c:\documents and settings\martin bradshaw\Application Data\vlc
2009-08-06 22:26 . 2009-08-06 22:29 18015723 ----a-w- c:\temp\vlc-1.0.1-win32.exe
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 12:26 . 2009-08-04 12:27 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-08-04 12:25 . 2009-08-04 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-04 12:25 . 2009-08-04 16:00 -------- d-----w- c:\program files\NOS
2009-08-03 18:33 . 2009-08-03 18:33 -------- d-sh--w- c:\documents and settings\martin bradshaw\IECompatCache
2009-08-03 18:30 . 2009-08-03 18:30 -------- d-sh--w- c:\documents and settings\martin bradshaw\PrivacIE
2009-08-03 18:28 . 2009-08-03 18:28 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-03 18:28 . 2009-08-03 18:28 -------- d-sh--w- c:\documents and settings\martin bradshaw\IETldCache
2009-08-03 18:01 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-08-03 18:01 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-08-03 18:01 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-03 18:01 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-08-03 18:01 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-03 18:01 . 2009-07-19 17:48 11067392 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-08-03 18:01 . 2009-08-03 18:01 -------- d-----w- c:\windows\ie8updates
2009-08-03 18:00 . 2009-07-01 07:08 101376 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-08-03 17:58 . 2009-08-03 18:00 -------- dc-h--w- c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-01 00:31 . 2009-02-01 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-08-24 21:37 . 2006-07-07 20:04 79664 ----a-w- c:\documents and settings\martin bradshaw\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-13 00:55 . 2006-07-10 21:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-13 00:39 . 2006-03-29 07:01 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-08-12 23:47 . 2009-03-02 21:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2009-08-12 00:47 . 2006-07-10 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-11 23:48 . 2006-03-29 07:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-11 23:48 . 2006-03-29 07:15 -------- d-----w- c:\program files\Samsung
2009-08-05 09:01 . 2006-03-29 04:38 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-20 20:08 . 2009-07-20 20:08 -------- d-----w- c:\program files\iTunes
2009-07-20 20:08 . 2009-07-20 20:08 -------- d-----w- c:\program files\iPod
2009-07-20 20:08 . 2007-12-16 17:36 -------- d-----w- c:\program files\Common Files\Apple
2009-07-20 19:58 . 2009-07-20 19:58 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-20 19:51 . 2009-07-20 19:50 -------- d-----w- c:\program files\QuickTime
2009-07-20 19:48 . 2009-07-20 19:48 -------- d-----w- c:\program files\Apple Software Update
2009-07-19 15:30 . 2006-03-29 07:18 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-17 19:01 . 2006-03-29 04:37 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2006-03-29 04:38 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 11:16 . 2009-03-12 19:27 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-07-09 11:16 . 2008-07-25 20:53 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-07-03 17:09 . 2006-03-29 04:38 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-03 07:19 . 2009-07-03 07:19 69120 ----a-w- c:\windows\system32\27.tmp
2009-06-25 18:36 . 2006-03-29 04:38 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2006-03-29 04:38 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2006-03-29 04:38 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2006-03-29 04:38 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2006-03-29 04:38 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2006-03-29 04:38 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2006-03-29 04:38 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-25 18:36 . 2006-03-29 04:38 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2006-03-29 04:38 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2006-03-29 04:38 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2006-03-29 04:38 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2006-03-29 04:38 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-22 11:49 . 2006-03-29 04:38 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2006-03-29 04:38 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2006-03-29 04:38 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2006-03-29 04:38 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-16 14:36 . 2006-03-29 04:38 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2006-03-29 04:37 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2006-03-29 04:38 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2006-03-29 04:38 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2006-03-29 04:37 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2006-03-29 04:38 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-08 22:26 . 2009-06-08 22:26 126976 ----a-w- C:\~WRD0002.tmp
2009-06-03 19:09 . 2006-03-29 04:38 1291264 ----a-w- c:\windows\system32\quartz.dll
2003-08-27 13:19 . 2006-07-03 23:55 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 4662776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-13 136600]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-14 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-14 118784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-12-01 925696]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2006-06-20 2764800]
"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2005-04-11 151552]
"RestoreIT!"="c:\program files\Phoenix Technologies Ltd\RecoverPro_XP\VBPTASK.EXE" [2004-09-23 114688]
"DisplayManager"="c:\program files\Samsung\DisplayManager\DMLoader.exe" [2005-11-16 356352]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"OdTray.exe"="c:\program files\Funk Software\Odyssey Client\OdTray.exe" [2006-05-24 1052735]
"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]
"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 155648]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-03-17 102400]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"B'sCLiP"="c:\progra~1\CYBERL~1\INSTAN~1\Win2K\IBurn.exe" [2006-06-23 700416]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-13 177472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-08 61952]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-12-12 88204]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-9-19 581693]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2007-12-07 12:18 106496 ----a-w- c:\windows\system32\odyEvent.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\cygwin\\usr\\X11R6\\bin\\XWin.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [1/27/2008 4:00 PM 10112]
R0 odFips;odFips;c:\windows\system32\drivers\odFIPS.sys [5/24/2006 1:58 PM 254208]
R0 RITCPT;RITCPT;c:\windows\system32\drivers\RITCPT.SYS [3/29/2006 8:17 AM 43512]
R2 BsUDF;B.H.A UDF Filesystem;c:\windows\system32\drivers\BsUDF.sys [1/27/2008 4:00 PM 165376]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [3/29/2006 8:15 AM 4300]
R2 FBAPI;FBAPI;c:\windows\system32\drivers\FBAPI.sys [3/29/2006 8:17 AM 5088]
R2 SNM WLAN Service;SNM WLAN Service;c:\program files\Samsung\Samsung Network Manager\SNMWLANService.exe [5/28/2005 5:35 PM 36864]
R2 SRS_PostInstaller;SRS PostInstaller Service;c:\program files\SRS Labs\WOWXT and TSXT Driver\SRS_PostInstaller.exe [11/28/2005 9:06 PM 31744]
R3 wowfilter;WOW XT Filter Driver;c:\windows\system32\drivers\WOWFilter.sys [11/28/2005 9:06 PM 19456]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [1/14/2008 12:57 AM 747912]
S3 USA19H;USA19H;c:\windows\system32\drivers\USA19H2k.sys [3/6/2008 9:35 PM 727908]
S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\drivers\USA19H2kp.sys [3/6/2008 9:35 PM 44928]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-PowerBar - (no file)
HKLM-Run-net - c:\windows\system32\net.net
HKLM-Run-farstone - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: shu.ac.uk\exchange
Trusted Zone: shu.ac.uk\staff
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
FF - ProfilePath - c:\documents and settings\martin bradshaw\Application Data\Mozilla\Firefox\Profiles\vl7mnym1.default\
FF - prefs.js: browser.search.selectedEngine - Google.co.uk
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-01 01:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RichVideo]
"ImagePath"="\"c:\program files\CyberLink\Shared Files\RichVideo.exe\"\00:\00:\00\00\00\00\00\00\00\00\00\12\00*\00ZF<\00Z\01\00\00\00\00\00\00\00|l||\00\00"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1348)
c:\windows\system32\odyEvent.dll

- - - - - - - > 'explorer.exe'(1556)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Funk Software\Odyssey Client\odClientService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Network Associates\Common Framework\Mctray.exe
c:\program files\Samsung\MagicKBD\MagicKBD.exe
c:\program files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-09-01 1:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-01 00:34

Pre-Run: 16,609,218,560 bytes free
Post-Run: 16,747,786,240 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
311 --- E O F --- 2009-08-13 07:10


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 01 September 2009 - 02:02 PM

UAC is a rootkit so that's a good start.

A few things for you to do.

c:\temp\killtrojan.exe

killtrojan.exe is very often HijackThis which has been renamed at the request of the source of the download. Is this known to you?

If not, please do the following - along with Fbapi.sys, a driver that can be a problem.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Go to Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\temp\killtrojan.exe
c:\windows\system32\drivers\FBAPI.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at VirusTotal


Please also run MBAM


Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Thanks :thumbup2:
m0le is a proud member of UNITE

#7 adrianshelley (Topic Starter)

Posted 01 September 2009 - 06:00 PM

Dear m0le

I believe that killtrojan.exe is a renamed Spybot SD programme - I'm not 100% sure, because it's now 3 weeks since I started trying to solve this - but its details (date/time/size) are all exactly the same as the SpybotSD version 1.6.2 that I downloaded for use but couldn't install. I'm pretty sure that I followed advice on renaming it to see if that worked, but it didn't. I haven't therefore got a Jotti report for it.

Jotti report for FBAPI.sys

Jotti's malware scan
This file has been scanned before. The results for this previous scan are listed below.
--------------------------------------------------------------------------------
Filename: FBAPI.sys
Status: Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Wed 20 May 2009 06:23:13 (CET) Permalink
--------------------------------------------------------------------------------
Additional info
File size: 5088 bytes
Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5: 47c5ac0b87567b0876081183de9a4704
SHA1: 60ec4c8f6def3fbc85fc2624c877631ae6382ade


I downloaded Malwarebytes as I have done before (see my first post) - this time it ran through to installation, but with the following error reports:
runtime error '0' is reported during the extraction phase at the point 'vbAccelerator SGrid II Control', followed by
runtime error '440' automation error
which I'm hoping are not significant.


The scan for Malwarebytes produced

Malwarebytes' Anti-Malware 1.40
Database version: 2727
Windows 5.1.2600 Service Pack 3

01/09/2009 23:39:12
mbam-log-2009-09-01 (23-39-12).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 460793
Time elapsed: 1 hour(s), 47 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6f74-2d53-2644-206d7942484f} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{53707962-6f74-2d53-2644-206d7942484f} (Trojan.BHO.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\11145004 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\temp\Spybot - Search & Destroy\SDHelper.dll (Trojan.BHO.H) -> Delete on reboot.
C:\Qoobox\Quarantine\C\WINDOWS\msa.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\net.net.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACboijbifyko.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACotstxieots.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACqivukeulvg.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACwpqsejbpli.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACfeemafrtaw.sys.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F8EACC9D-5980-4B1D-841A-59DF771F94FB}\RP0\A0000001.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F8EACC9D-5980-4B1D-841A-59DF771F94FB}\RP0\A0000002.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F8EACC9D-5980-4B1D-841A-59DF771F94FB}\RP0\A0000003.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F8EACC9D-5980-4B1D-841A-59DF771F94FB}\RP0\A0000004.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F8EACC9D-5980-4B1D-841A-59DF771F94FB}\RP0\A0000005.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F8EACC9D-5980-4B1D-841A-59DF771F94FB}\RP1\A0000034.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\27.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\11145004\11145004.glu (Rogue.Multiple) -> Quarantined and deleted successfully.


Thanks in advance for any further advice - I wondered whether it would be a good idea to run Malwarebytes again to check?
Adrian
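
The log above mixes three very different kinds of hit: files still on a live path, copies that ComboFix had already moved into C:\Qoobox\Quarantine (the .vir extension), and copies sitting in System Restore snapshots. Telling those apart is the first thing to do when reading an MBAM log, and the random "UAC" + ten-letter names are the fingerprint of the TDSS variant seen here. The following script is an added example, not part of this thread and not MBAM's own code: it parses the posted log format, classifies each detection by where it lived, and picks out TDSS-style names and anything still pending a reboot. The excerpt embedded below is a constructed subset of the posted log; the location classes and the filename pattern are this example's own heuristics.

```python
"""Triage an MBAM (Malwarebytes' Anti-Malware) log: live hits versus leftover copies.

Added example, not from the thread or from MBAM. SAMPLE_LOG is a constructed
subset of the log posted above; the location classes and TDSS_NAME pattern are
heuristics written for this example.
"""
import re
from collections import Counter

# Constructed excerpt modelled on the posted log (not the full log).
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6f74-2d53-2644-206d7942484f} (Trojan.BHO.H) -> Quarantined and deleted successfully.

Files Infected:
C:\temp\Spybot - Search & Destroy\SDHelper.dll (Trojan.BHO.H) -> Delete on reboot.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACotstxieots.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACfeemafrtaw.sys.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F8EACC9D-5980-4B1D-841A-59DF771F94FB}\RP0\A0000002.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\27.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# "<item> (<family>) -> <action>."  The family is the last parenthesised token before the arrow.
DETECTION = re.compile(r"^(?P<item>.*) \((?P<family>[^()]+)\) -> (?P<action>.*?)\.?$")
# The TDSS variant in this thread named its files "UAC" plus ten random lowercase letters
# (pattern taken from the posted log).
TDSS_NAME = re.compile(r"^UAC[a-z]{10}\.(?:dll|sys)$")


def classify_location(item: str) -> str:
    """Where the detected object lived: registry, a tool's quarantine, a restore point, or a live path."""
    low = item.lower()
    if low.startswith("hkey_"):
        return "registry"
    if "\\qoobox\\quarantine\\" in low or low.endswith(".vir"):
        return "combofix_quarantine"   # already neutralised by ComboFix; MBAM is deleting the copies
    if "\\system volume information\\_restore" in low:
        return "restore_point"         # System Restore snapshot of a file that was removed
    return "live"


def parse_mbam_log(text: str) -> list:
    """Return one dict per detection line; section headers, counts and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = DETECTION.match(line.strip())
        if not m:
            continue
        entries.append({**m.groupdict(), "location": classify_location(m["item"])})
    return entries


def triage(entries: list) -> dict:
    """Summarise by location and family; list TDSS-style names and items waiting on a reboot."""
    by_location = Counter(e["location"] for e in entries)
    families = Counter(e["family"] for e in entries)
    tdss_named, pending_reboot = [], []
    for e in entries:
        base = e["item"].rsplit("\\", 1)[-1]
        if base.endswith(".vir"):          # strip ComboFix's quarantine suffix before matching
            base = base[:-4]
        if TDSS_NAME.match(base):
            tdss_named.append(base)
        if e["action"].lower().startswith("delete on reboot"):
            pending_reboot.append(e["item"])   # in-use file: nothing is gone until the reboot happens
    return {"by_location": dict(by_location), "families": dict(families),
            "tdss_named": tdss_named, "pending_reboot": pending_reboot}


if __name__ == "__main__":
    for key, value in triage(parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Anything in "pending_reboot" is the reason the MBAM instructions insist on a normal reboot: the file was in use and has only been scheduled for deletion. Only the "live" bucket tells you whether an infection is still active; quarantine and restore-point copies are housekeeping.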

#8 m0le (Malware Response Team)

Posted 01 September 2009 - 06:48 PM

Hey adrianshelley,

That driver is legit then. It sounds like killtrojan.exe is a renamed Spybot file - they like to rename them with those kinds of names even if they then start to look like malicious files...

I would imagine that the PC is working better now.

MBAM has found the remnants of trojans which were at one time running and active on your PC. It has also deleted ComboFix's quarantined files and the System Restore points, which often house copies of the malware.

It's all looking very good now.


We don't need to run MBAM again, instead please run this online scanner.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]
Let's see if there's any other remnants hanging around. :thumbup2:
m0le is a proud member of UNITE

#9 adrianshelley (Topic Starter)

Posted 02 September 2009 - 02:43 PM

Hi m0le

The ESET scan found 2 items which were deleted/quarantined
I didn't initiate any further deletions but it looked like I could delete the quarantined items

I've attached the text file output

Hoping that I'm close now

thanks

Adrian

Attached Files: eset.txt (275 bytes)


#10 m0le (Malware Response Team)

Posted 02 September 2009 - 02:48 PM

That shows the Bagle worm was present on your PC.

I'd like to see another MBAM log now please and then a new DDS log

Yep, nearly there :thumbup2:
m0le is a proud member of UNITE

#11 adrianshelley (Topic Starter)

Posted 02 September 2009 - 06:54 PM

Dear m0le

here is Malwarebytes output


Malwarebytes' Anti-Malware 1.40
Database version: 2732
Windows 5.1.2600 Service Pack 3

03/09/2009 00:40:29
mbam-log-2009-09-03 (00-40-29).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 461059
Time elapsed: 2 hour(s), 30 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


DDS output

DDS (Ver_09-07-30.01) - NTFSx86
Run by martin bradshaw at 0:44:02.57 on 03/09/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1270.687 [GMT 1:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Samsung\DisplayManager\DisplayManager.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\CYBERL~1\INSTAN~1\Win2K\IBurn.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe
C:\Program Files\SRS Labs\WOWXT and TSXT Driver\SRS_PostInstaller.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\martin bradshaw\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Power2GoExpress] NA
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [BatteryManager] c:\program files\samsung\samsung battery manager\BatteryManager.exe
mRun: [MagicKeyboard] c:\program files\samsung\magickbd\PreMKBD.exe
mRun: [RestoreIT!] "c:\program files\phoenix technologies ltd\recoverpro_xp\VBPTASK.EXE" VBStart
mRun: [DisplayManager] c:\program files\samsung\displaymanager\DMLoader.exe
mRun: [SM1BG] c:\windows\SM1BG.EXE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [OdTray.exe] "c:\program files\funk software\odyssey client\OdTray.exe"
mRun: [StatusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [EEventManager] c:\program files\epson\creativity suite\event manager\EEventManager.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [B'sCLiP] c:\progra~1\cyberl~1\instan~1\win2k\IBurn.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoo!\messen~1\YPager.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
Trusted Zone: shu.ac.uk\exchange
Trusted Zone: shu.ac.uk\staff
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxp://staff.ts.shu.ac.uk/tsweb/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} - hxxp://help.broadbandassist.com/bbdesktop/PreQual/files/MotivePreQual.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
Notify: OdysseyClient - odyEvent.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\martin~1\applic~1\mozilla\firefox\profiles\vl7mnym1.default\
FF - prefs.js: browser.search.selectedEngine - Google.co.uk
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 144960]
R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [2008-1-27 10112]
R0 odFips;odFips;c:\windows\system32\drivers\odFIPS.sys [2006-5-24 254208]
R0 RITCPT;RITCPT;c:\windows\system32\drivers\RITCPT.SYS [2006-3-29 43512]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R2 BsUDF;B.H.A UDF Filesystem;c:\windows\system32\drivers\BsUDF.sys [2008-1-27 165376]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2006-3-29 4300]
R2 FBAPI;FBAPI;c:\windows\system32\drivers\FBAPI.sys [2006-3-29 5088]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2006-7-4 104000]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]
R2 SNM WLAN Service;SNM WLAN Service;c:\program files\samsung\samsung network manager\SNMWLANService.exe [2005-5-28 36864]
R2 SRS_PostInstaller;SRS PostInstaller Service;c:\program files\srs labs\wowxt and tsxt driver\SRS_PostInstaller.exe [2005-11-28 31744]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-3-11 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-3-11 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-3-11 168776]
R3 wowfilter;WOW XT Filter Driver;c:\windows\system32\drivers\WOWFilter.sys [2005-11-28 19456]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-1-14 41864]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-1-14 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-1-14 81288]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-1-14 747912]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-1-14 946568]
S3 USA19H;USA19H;c:\windows\system32\drivers\USA19H2k.sys [2008-3-6 727908]
S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\drivers\USA19H2kp.sys [2008-3-6 44928]

=============== Created Last 30 ================

2009-09-02 17:48 <DIR> --d----- c:\program files\ESET
2009-09-01 21:47 <DIR> --d----- c:\docume~1\martin~1\applic~1\Malwarebytes
2009-09-01 01:33 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-09-01 00:54 <DIR> a-dshr-- C:\cmdcons
2009-09-01 00:49 229,376 a------- c:\windows\PEV.exe
2009-09-01 00:49 161,792 a------- c:\windows\SWREG.exe
2009-09-01 00:49 98,816 a------- c:\windows\sed.exe
2009-08-13 01:36 <DIR> --d----- c:\windows\system32\scripting
2009-08-13 01:36 <DIR> --d----- c:\windows\l2schemas
2009-08-13 01:36 <DIR> --d----- c:\windows\system32\en
2009-08-13 01:36 <DIR> --d----- c:\windows\system32\bits
2009-08-13 01:31 <DIR> --d----- c:\windows\network diagnostic
2009-08-13 01:07 197 a------- c:\windows\system32\MRT.INI
2009-08-13 01:04 <DIR> --d----- c:\windows\ServicePackFiles
2009-08-13 01:02 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-13 00:15 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-13 00:15 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-13 00:15 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-13 00:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-12 09:50 16,409,960 a------- c:\temp\killtrojan.exe
2009-08-12 01:41 <DIR> --d----- c:\temp\Spybot - Search & Destroy
2009-08-12 01:33 16,409,960 a------- c:\temp\spybotsd162.exe
2009-08-12 00:04 <DIR> --d----- c:\docume~1\martin~1\applic~1\Logs
2009-08-06 23:26 18,015,723 a------- c:\temp\vlc-1.0.1-win32.exe
2009-08-05 10:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M ====================

2009-08-13 01:39 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 20:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-09 12:16 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-07-09 12:16 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-07-03 18:09 915,456 -------- c:\windows\system32\wininet.dll
2009-06-25 19:36 661,504 a------- c:\windows\system32\mqqm.dll
2009-06-25 19:36 517,120 a------- c:\windows\system32\mqsnap.dll
2009-06-25 19:36 471,552 a------- c:\windows\system32\mqutil.dll
2009-06-25 19:36 225,280 a------- c:\windows\system32\mqoa.dll
2009-06-25 19:36 186,880 a------- c:\windows\system32\mqtrig.dll
2009-06-25 19:36 177,152 a------- c:\windows\system32\mqrt.dll
2009-06-25 19:36 138,240 a------- c:\windows\system32\mqad.dll
2009-06-25 19:36 123,392 a------- c:\windows\system32\mqrtdep.dll
2009-06-25 19:36 95,744 a------- c:\windows\system32\mqsec.dll
2009-06-25 19:36 48,640 a------- c:\windows\system32\mqupgrd.dll
2009-06-25 19:36 47,104 a------- c:\windows\system32\mqdscli.dll
2009-06-25 19:36 16,896 a------- c:\windows\system32\mqise.dll
2009-06-22 12:49 117,248 a------- c:\windows\system32\mqtgsvc.exe
2009-06-22 12:49 19,968 a------- c:\windows\system32\mqbkup.exe
2009-06-22 12:49 4,608 a------- c:\windows\system32\mqsvc.exe
2009-06-16 15:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 13:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 13:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 15:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 07:14 132,096 a------- c:\windows\system32\wkssvc.dll
2008-10-14 20:39 1,024 a------- c:\docume~1\alluse~1\applic~1\imgpdf2.dll
2003-08-27 14:19 36,963 a----r-- c:\program files\common files\SM1updtr.dll

============= FINISH: 0:44:36.70 ===============


hope this is OK

Adrian
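
The SERVICES / DRIVERS section of a DDS log is where a kernel-mode rootkit such as TDSS would have to show up if it were still loading, and it is also the place to cross-check a driver you had scanned elsewhere: the Jotti report earlier in this thread gives FBAPI.sys a size of 5088 bytes and an MD5/SHA1, and the DDS line for that driver reports the same size. The script below is an added example, not part of the thread and not DDS's code. It assumes the DDS entry layout "<R|S><start> <service>;<display name>;<path> [<yyyy-m-d> <size>]" with R meaning running, S stopped, and the digit the service's Start value (0 boot, 1 system, 2 auto, 3 manual, 4 disabled); that reading of the log, the UAC-name pattern and the one hypothetical driver line in the sample (name taken from the MBAM quarantine entry, date and size invented) are this example's own.

```python
"""Parse the SERVICES / DRIVERS section of a DDS log and cross-check a driver against a Jotti report.

Added example, not from the thread or from DDS. Assumed entry layout:
"<R|S><start> <service>;<display>;<path> [<yyyy-m-d> <size>]" (R running,
S stopped, digit = Start value). The hypothetical "UACd" line is constructed.
"""
import hashlib
import re

# Constructed sample: four lines from the posted DDS log plus one hypothetical
# TDSS-style entry (name from the MBAM quarantine list, date/size invented).
SAMPLE_DDS = r"""
R0 odFips;odFips;c:\windows\system32\drivers\odFIPS.sys [2006-5-24 254208]
R2 FBAPI;FBAPI;c:\windows\system32\drivers\FBAPI.sys [2006-3-29 5088]
R2 SNM WLAN Service;SNM WLAN Service;c:\program files\samsung\samsung network manager\SNMWLANService.exe [2005-5-28 36864]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-1-14 41864]
R1 UACd;UACd;c:\windows\system32\drivers\UACfeemafrtaw.sys [2009-8-12 22016]
"""

# Reference values copied from the Jotti report for FBAPI.sys posted in this thread.
REFERENCE = {
    "fbapi.sys": {"size": 5088,
                  "md5": "47c5ac0b87567b0876081183de9a4704",
                  "sha1": "60ec4c8f6def3fbc85fc2624c877631ae6382ade"},
}

ENTRY = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<service>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)(?: \[(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<size>\d+)\])?$")
# Same TDSS naming fingerprint as the MBAM log: "UAC" + ten random letters.
TDSS_NAME = re.compile(r"^UAC[a-z]{10}\.(?:sys|dll)$", re.IGNORECASE)


def parse_dds_services(text: str) -> list:
    """One dict per entry: running flag, Start value, service, display, path, file, date, size."""
    records = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["running"] = d.pop("state") == "R"
        d["start"] = int(d["start"])
        d["size"] = int(d["size"]) if d["size"] else None   # None: DDS printed no [date size]
        d["file"] = d["path"].rsplit("\\", 1)[-1].lower()
        records.append(d)
    return records


def flag_suspicious(records: list) -> list:
    """Service names worth a second look: TDSS-style file names, or a running driver with no on-disk stat."""
    return [r["service"] for r in records
            if TDSS_NAME.match(r["file"]) or (r["running"] and r["size"] is None)]


def cross_check_sizes(records: list, reference: dict = REFERENCE) -> dict:
    """True where the size DDS saw on disk equals the size of the sample scanned at Jotti."""
    return {r["file"]: r["size"] == reference[r["file"]]["size"]
            for r in records if r["file"] in reference}


def hashes_of(data: bytes) -> dict:
    """MD5 and SHA-1 of a file's bytes, in the form Jotti reports them."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def matches_reference(data: bytes, name: str, reference: dict = REFERENCE) -> bool:
    """A size match is weak evidence; only matching hashes show the on-disk file is the scanned sample."""
    ref = reference[name.lower()]
    h = hashes_of(data)
    return len(data) == ref["size"] and h["md5"] == ref["md5"] and h["sha1"] == ref["sha1"]


if __name__ == "__main__":
    recs = parse_dds_services(SAMPLE_DDS)
    print("suspicious:", flag_suspicious(recs))
    print("size cross-check:", cross_check_sizes(recs))
```

To finish the FBAPI.sys check on the real machine, read c:\windows\system32\drivers\FBAPI.sys as bytes and pass it to matches_reference; the size agreement visible in the logs is only a hint, the hashes are the evidence.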


#12 m0le (Malware Response Team)

Posted 02 September 2009 - 07:05 PM

Yes, that's okay. MBAM is clean and the DDS log is good too.

Your logs are clean.

Good stuff! :thumbup2:

Let's do some housekeeping


Delete ComboFix and Clean Up
Click Start > Run, type combofix /u and click OK (note the space between combofix and /u).
Please advise if this step is missed for any reason as it performs some important actions.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the [image] icon to start the program. If you are using Vista, please right-click and choose Run as administrator.
  • Then click the big [image] button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Old Java versions are gateways for malware. JavaRa will clear up your old files and let you download the latest release.

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

I recommend that you download HostsMan. It safeguards you with a regularly updated Hosts file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
  • Double-click the downloaded installer and install the tool to a location of your choice
  • Via the Start menu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu
    • Click "Manage Updates" in the submenu
    • Select at least one of the three sources (I have MVPS Hosts as my main one)
    • Click "Add Update." After that you will only need to click on the following button to retrieve updates:
      [image]
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Here's some advice on how you can keep your PC clean

Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Use a Firewall

I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.

Tutorials on using these programs can be found below:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer


That's it adrianshelley, happy surfing!

Cheers,


m0le
m0le is a proud member of UNITE
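
The HostsMan note above ("if you were using a custom Hosts file you will need to replace any of those entries yourself") is the part of a hosts-file blocklist that bites people: a blindly overwritten hosts file loses the entries you added by hand, and a blindly appended one ends up with duplicates and with the blocklist redefining names you map elsewhere. The script below is an added example, not the thread's or HostsMan's code, of doing the merge offline the careful way: it keeps everything outside a marked managed section, lets an existing mapping win over the downloaded list, refuses to let the list touch loopback names, and is idempotent so it can be re-run on every update. The two hosts files embedded in it are constructed samples; the marker lines and the "custom entry wins" rule are this example's own choices.

```python
"""Merge a hosts-file blocklist into an existing hosts file without losing custom entries.

Added example, not from the thread or from HostsMan. EXISTING and BLOCKLIST are
constructed samples; the managed-section markers and the precedence rules are
this example's own.
"""

BEGIN = "# BEGIN managed blocklist (regenerated on every update; edit above this line)"
END = "# END managed blocklist"
# Names a downloaded list must never be allowed to redefine.
RESERVED = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost", "ip6-loopback"}

# Constructed sample of a user's hosts file with hand-made entries.
EXISTING = """\
127.0.0.1 localhost
# my custom entries
192.168.1.10 intranet.example.test
0.0.0.0 ads.example.test   # already blocked by hand
"""

# Constructed blocklist in the MVPS-style "0.0.0.0 host" format.
BLOCKLIST = """\
# constructed blocklist sample
0.0.0.0 ads.example.test
0.0.0.0 tracker.example.test
0.0.0.0 intranet.example.test
127.0.0.1 localhost
"""


def parse_hosts(text: str):
    """Yield (ip, hostname) for every mapping; comments and blank lines are skipped."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            for host in fields[1:]:          # "ip host1 host2" lines map several names
                yield fields[0], host.lower()


def strip_managed(text: str) -> list:
    """Return the file's lines with any earlier managed section removed."""
    kept, inside = [], False
    for line in text.splitlines():
        if line == BEGIN:
            inside = True
        elif line == END:
            inside = False
        elif not inside:
            kept.append(line)
    return kept


def merge_hosts(existing: str, blocklist: str, block_ip: str = "0.0.0.0"):
    """Return (merged text, hostnames skipped because the user maps them to a real address)."""
    base = strip_managed(existing)
    custom = {}
    for ip, host in parse_hosts("\n".join(base)):
        custom.setdefault(host, ip)          # first mapping wins, as the resolver reads the file
    managed, skipped, seen = [], [], set()
    for _ip, host in parse_hosts(blocklist):
        if host in RESERVED or host in seen:
            continue
        seen.add(host)
        if host in custom:
            if custom[host] not in ("0.0.0.0", "127.0.0.1"):
                skipped.append(host)         # conflict: the user's own mapping stays authoritative
            continue                         # already blocked by hand: no duplicate needed
        managed.append(f"{block_ip} {host}")
    merged = "\n".join(base + [BEGIN] + managed + [END]) + "\n"
    return merged, skipped


if __name__ == "__main__":
    text, conflicts = merge_hosts(EXISTING, BLOCKLIST)
    print(text)
    print("conflicts:", conflicts)
```

Running the merge a second time with the same blocklist reproduces the file byte for byte, which is what makes it safe to schedule; the returned conflict list is the one thing that still needs a human, because it means the blocklist wants to sinkhole a name you deliberately point somewhere else.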

#13 adrianshelley (Topic Starter)

Posted 03 September 2009 - 04:16 PM

Dear m0le

Sorry for the delay in replying, but the scans below took several hours in total - and as a result I'm not sure if everything has gone.

I followed through the instructions in the last posting, though I had some problems getting HostsMan to install, but I guess that can wait.

I haven't used the PC online except to download the various programmes you've specified or to update the virus checker and SpybotSD.

After finishing I ran the latest version of SpybotSD in normal mode - it found some items
Win32.TDSS.reg 7 entries
Win32.ZBot 2 entries
which I 'fixed'

I then ran a full virus scan in normal mode with Mcafee - nothing detected

So ran spybotSD a second time and it found
Win32.TDSS.reg just 1 entry this time
'fixed' it

rebooted and ran spybotsd again
this time no threats found

Do you have any suggestions? - perhaps it was just cleaning out the remnants

Thanks
Adrian

#14 m0le (Malware Response Team)

Posted 03 September 2009 - 04:39 PM

TDSS is detected by both Combofix and MBAM so I think that Spybot is flagging false positives.

However, if removing what it asked you to remove hasn't caused you any problems then that's okay. Your logs were definitely clean before that run. I suggest you take a look at a better antispyware product such as SuperAntiSpyware from the antispyware list in my last post.
m0le is a proud member of UNITE

#15 adrianshelley (Topic Starter)

Posted 03 September 2009 - 05:19 PM

OK will do

Thanks for all your help, which was very easy to follow and got me out of a tight corner - I've never been unable to get out of a problem before this one came along.
Just hope I don't need your help in the future!

best wishes

Adrian



