Windowsclick/uacinit.dll infection


16 replies to this topic

#1 Trant

  • Members
  • 10 posts
  • Local time:07:37 AM

Posted 22 August 2009 - 10:30 AM

I first noticed the infection because my search results were being redirected via windowsclick.com. Followed existing directions on another site to remove a windowsclick.com infection via Malwarebytes Anti-malware. Several items were corrected, however two items remain and appear to resist the attempts at removal via Malwarebytes: uacinit.dll and a registry entry.

Also - my system is occasionally having trouble when booting, which only started after I attempted removal of the uacinit.dll file. As well, my system appears to stop processing whatever it is doing; my mouse can move, but clicks are not recognized. After a few clicks a "beep" sounds and then the mouse pointer won't move any more either, and the only option is a hard reboot via power off. I have attempted via "Safe Mode" to cause a chkdsk /F on reboot, but it never appears to get run. I have no idea if these things are related to the infection at all. I do have a WD EBook external drive which was attached and that I have removed, and I am not currently experiencing the halting issue.



DDS (Ver_09-07-30.01) - NTFSx86
Run by Dad at 11:07:26.25 on Sat 08/22/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1195 [GMT -4:00]

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Security Utilities\Comodo\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Security Utilities\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Security Utilities\Avira\AntiVir PersonalEdition Classic\sched.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Demos\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Utilities\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Google\Google Media Server\GoogleMediaServer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
svchost.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Wireless Desktop\LgWDskTp.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Security Utilities\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Utilities\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Security Utilities\Comodo\COMODO Internet Security\cfp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\Google Media Server\GoogleMediaScanner.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Utilities\Productivity\Launchy\Launchy.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\hott notes 4\hottnotes.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dad\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sony.com/vaiopeople
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aol\aol search enhancement\AOLSearch.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Alcohol Toolbar Helper: {52d06f97-5511-43fa-8fda-c481864fd26e} - c:\program files\alcohol toolbar\v3.2.0.0\Alcohol_Toolbar.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\securi~1\spybot~1\SDHelper.dll
BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aol\aol search enhancement\AOLSearch.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Alcohol Toolbar: {4c4e7cdb-5bfc-4d74-83e2-8ae659b7eda2} - c:\program files\alcohol toolbar\v3.2.0.0\Alcohol_Toolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\dad\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Google Media Scanner] "c:\program files\google\google media server\GoogleMediaScanner.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [LgWDskTp] c:\program files\wireless desktop\LgWDskTp.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
mRun: [PartSeal] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [avgnt] "c:\program files\security utilities\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [GhostStartTrayApp] c:\program files\utilities\symantec\norton ghost 2003\GhostStartTrayApp.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [COMODO Internet Security] "c:\program files\security utilities\comodo\comodo internet security\cfp.exe" -h
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\dad\startm~1\programs\startup\hottno~1.lnk - c:\program files\hott notes 4\hottnotes.exe
StartupFolder: c:\docume~1\dad\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - c:\program files\utilities\productivity\launchy\Launchy.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{a7091e1d-36a4-47f1-a739-173cc341414f}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\securi~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: VESWinlogon - VESWinlogon.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli c:\windows\system32\ronohuza.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dad\applic~1\mozilla\firefox\profiles\afzz64bd.default\
FF - component: c:\documents and settings\dad\application data\mozilla\firefox\profiles\afzz64bd.default\extensions\{e0b8c461-f8fb-49b4-8373-fe32e9252800}\platform\winnt_x86-msvc\components\enbar3.dll
FF - component: c:\documents and settings\dad\application data\mozilla\firefox\profiles\afzz64bd.default\extensions\mimmeo@iterasi.com\platform\winnt_x86-msvc\components\trotter.dll
FF - component: c:\program files\browsers\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\dad\application data\mozilla\firefox\profiles\afzz64bd.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\documents and settings\dad\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\dad\local settings\application data\huludesktop\instances\0.9.7.1\nphdplg.dll
FF - plugin: c:\program files\browsers\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\browsers\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\browsers\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\browsers\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\browsers\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\security utilities\avira\antivir personaledition classic\avgio.sys [2008-12-20 11608]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-12-20 132040]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-12-20 25160]
R1 GhPciScan;GhostPciScanner;c:\program files\utilities\symantec\norton ghost 2003\GhPciScan.sys [2003-12-17 5632]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\security utilities\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\security utilities\avira\antivir personaledition classic\sched.exe [2008-12-20 68865]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\security utilities\comodo\comodo internet security\cmdagent.exe [2008-12-20 707152]
R2 CoLinuxDriver;CoLinuxDriver;c:\temp\pubuntu\portable_ubuntu\linux.sys [2009-4-4 68096]
R2 Google MediaServer;Google MediaServer;c:\program files\google\google media server\GoogleMediaServer.exe [2009-2-7 622080]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2008-12-5 935208]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\postgresql\8.3\bin\pg_ctl.exe [2008-9-19 65536]
S2 gupdate1c99f64dd2e048;Google Update Service (gupdate1c99f64dd2e048);c:\program files\google\update\GoogleUpdate.exe [2009-3-7 133104]
S2 udpf;udpf;c:\windows\system32\drivers\tyab.sys --> c:\windows\system32\drivers\tyab.sys [?]
S3 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\security utilities\avira\antivir personaledition classic\avguard.exe [2008-12-20 151297]
S3 avgntflt;avgntflt;c:\program files\security utilities\avira\antivir personaledition classic\avgntflt.sys [2008-12-20 52056]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-2-7 30192]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-08-22 10:07 <DIR> --d----- c:\program files\Cobian Backup 8
2009-08-22 09:38 <DIR> --d----- c:\program files\Western Digital Technologies
2009-08-21 18:18 <DIR> --d----- c:\docume~1\dad\applic~1\Malwarebytes
2009-08-21 18:11 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-21 18:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-21 18:11 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-21 18:11 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-20 15:53 <DIR> --d----- c:\program files\KingsIsle Entertainment
2009-08-19 22:27 784,630 a------- c:\windows\system32\xa.tmp
2009-07-27 20:49 <DIR> --d----- c:\docume~1\dad\applic~1\Ubisoft
2009-07-27 20:49 281,760 a------- c:\windows\system32\drivers\atksgt.sys
2009-07-27 20:49 25,888 a------- c:\windows\system32\drivers\lirsgt.sys
2009-07-27 20:49 4,178,264 a------- c:\windows\system32\D3DX9_41.dll
2009-07-27 20:49 1,846,632 a------- c:\windows\system32\D3DCompiler_41.dll
2009-07-27 20:49 453,456 a------- c:\windows\system32\d3dx10_41.dll
2009-07-27 20:49 517,448 a------- c:\windows\system32\XAudio2_4.dll
2009-07-27 20:49 235,352 a------- c:\windows\system32\xactengine3_4.dll
2009-07-27 20:49 69,448 a------- c:\windows\system32\XAPOFX1_3.dll
2009-07-27 20:49 22,360 a------- c:\windows\system32\X3DAudio1_6.dll

==================== Find3M ====================

2009-08-21 21:34 98,304 a------- c:\windows\DUMP371d.tmp
2009-08-15 11:53 11,376 a------- c:\windows\system32\drivers\secdrv.sys
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-12 15:49 179,792 a------- c:\windows\system32\guard32.dll
2009-07-12 15:49 132,040 a------- c:\windows\system32\drivers\cmdguard.sys
2009-07-12 15:49 25,160 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-06-14 17:22 34 a------- c:\documents and settings\dad\jagex_runescape_preferences.dat
2009-03-21 22:32 87,608 a------- c:\docume~1\dad\applic~1\inst.exe
2009-03-21 22:32 47,360 a------- c:\docume~1\dad\applic~1\pcouffin.sys

============= FINISH: 11:09:39.43 ===============


#2 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:06:37 AM

Posted 03 September 2009 - 06:51 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 Trant

  • Topic Starter
  • Members
  • 10 posts
  • Local time:07:37 AM

Posted 04 September 2009 - 09:48 AM

Erased everything -- I am a dope. I did experience a shut-down which appeared to hang, but upon restart I clicked the wrong user and logged in as a basically unused user on my PC which caused "weird things" to happen. I will now run DDS on my primary user.

Edited by Trant, 04 September 2009 - 10:57 AM.


#4 Trant

  • Topic Starter
  • Members
  • 10 posts
  • Local time:07:37 AM

Posted 04 September 2009 - 11:02 AM

I have taken some steps under direction of a fellow co-worker and things appear better; specifically, the windowsclick appears to be gone and virus scanners recently have not indicated an infection. However, I did appear to have a rootkit and am still concerned that this is present. My start-up feels like it is slower than it should be, and my Windows updates fail due to some DLL issue.

Here are the logs:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Dad at 11:58:15.59 on Fri 09/04/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1027 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Security Utilities\Comodo\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Security Utilities\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Demos\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Utilities\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
svchost.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Wireless Desktop\LgWDskTp.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Utilities\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Security Utilities\Comodo\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\SUPERAntiSpyware\something.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Utilities\Productivity\Launchy\Launchy.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\hott notes 4\hottnotes.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Browsers\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Dad\Desktop\MSTS Stuff\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sony.com/vaiopeople
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aol\aol search enhancement\AOLSearch.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Alcohol Toolbar Helper: {52d06f97-5511-43fa-8fda-c481864fd26e} - c:\program files\alcohol toolbar\v3.2.0.0\Alcohol_Toolbar.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\securi~1\spybot~1\SDHelper.dll
BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aol\aol search enhancement\AOLSearch.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Alcohol Toolbar: {4c4e7cdb-5bfc-4d74-83e2-8ae659b7eda2} - c:\program files\alcohol toolbar\v3.2.0.0\Alcohol_Toolbar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\dad\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\something.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [LgWDskTp] c:\program files\wireless desktop\LgWDskTp.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
mRun: [PartSeal] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [GhostStartTrayApp] c:\program files\utilities\symantec\norton ghost 2003\GhostStartTrayApp.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [COMODO Internet Security] "c:\program files\security utilities\comodo\comodo internet security\cfp.exe" -h
StartupFolder: c:\docume~1\dad\startm~1\programs\startup\hottno~1.lnk - c:\program files\hott notes 4\hottnotes.exe
StartupFolder: c:\docume~1\dad\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - c:\program files\utilities\productivity\launchy\Launchy.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{a7091e1d-36a4-47f1-a739-173cc341414f}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\securi~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: VESWinlogon - VESWinlogon.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\windows\system32\ronohuza.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dad\applic~1\mozilla\firefox\profiles\afzz64bd.default\
FF - component: c:\documents and settings\dad\application data\mozilla\firefox\profiles\afzz64bd.default\extensions\{e0b8c461-f8fb-49b4-8373-fe32e9252800}\platform\winnt_x86-msvc\components\enbar3.dll
FF - component: c:\documents and settings\dad\application data\mozilla\firefox\profiles\afzz64bd.default\extensions\mimmeo@iterasi.com\platform\winnt_x86-msvc\components\trotter.dll
FF - component: c:\program files\browsers\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\dad\application data\mozilla\firefox\profiles\afzz64bd.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\documents and settings\dad\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\dad\local settings\application data\huludesktop\instances\0.9.7.1\nphdplg.dll
FF - plugin: c:\program files\browsers\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\browsers\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\browsers\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\browsers\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\browsers\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-8-22 11608]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-12-20 132168]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-12-20 25160]
R1 GhPciScan;GhostPciScanner;c:\program files\utilities\symantec\norton ghost 2003\GhPciScan.sys [2003-12-17 5632]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\security utilities\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-8-22 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-8-22 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-8-22 55656]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\security utilities\comodo\comodo internet security\cmdagent.exe [2008-12-20 715392]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2008-12-5 935208]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\postgresql\8.3\bin\pg_ctl.exe [2008-9-19 65536]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]
S2 gupdate1c99f64dd2e048;Google Update Service (gupdate1c99f64dd2e048);c:\program files\google\update\GoogleUpdate.exe [2009-3-7 133104]
S2 udpf;udpf;c:\windows\system32\drivers\tyab.sys --> c:\windows\system32\drivers\tyab.sys [?]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-2-7 30192]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-09-04 11:50 <DIR> --dsh--- c:\documents and settings\dad\IETldCache
2009-09-04 11:30 100,352 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-09-04 11:30 <DIR> --d----- c:\windows\ie8updates
2009-09-04 11:30 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-09-04 11:30 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-09-04 11:29 <DIR> -cd-h--- c:\windows\ie8
2009-09-04 10:21 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-09-04 10:21 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-25 20:52 <DIR> --d----- c:\windows\War in the Pacific Admiral's Edition
2009-08-22 16:31 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-22 16:31 <DIR> --d----- c:\program files\Avira
2009-08-22 16:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-08-22 13:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-08-22 13:41 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-22 13:41 <DIR> --d----- c:\docume~1\dad\applic~1\SUPERAntiSpyware.com
2009-08-22 10:07 <DIR> --d----- c:\program files\Cobian Backup 8
2009-08-22 09:38 <DIR> --d----- c:\program files\Western Digital Technologies
2009-08-21 18:18 <DIR> --d----- c:\docume~1\dad\applic~1\Malwarebytes
2009-08-21 18:11 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-21 18:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-21 18:11 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-21 18:11 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-20 15:53 <DIR> --d----- c:\program files\KingsIsle Entertainment
2009-08-19 22:40 1,110,399 a------- c:\windows\system32\UACqcgmlutdcm.db
2009-08-19 22:27 784,630 a------- c:\windows\system32\xa.tmp

==================== Find3M ====================

2009-09-04 10:01 179,792 a------- c:\windows\system32\guard32.dll
2009-09-04 10:01 25,160 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-09-04 10:00 132,168 a------- c:\windows\system32\drivers\cmdguard.sys
2009-08-22 18:07 163,644 a------- c:\windows\system32\drivers\secdrv.sys
2009-08-21 21:34 98,304 a------- c:\windows\DUMP371d.tmp
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-29 00:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-29 00:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-27 20:49 281,760 a------- c:\windows\system32\drivers\atksgt.sys
2009-07-27 20:49 25,888 a------- c:\windows\system32\drivers\lirsgt.sys
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-25 04:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 04:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 04:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 04:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-14 17:22 34 a------- c:\documents and settings\dad\jagex_runescape_preferences.dat
2009-06-12 08:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-03-21 22:32 87,608 a------- c:\docume~1\dad\applic~1\inst.exe
2009-03-21 22:32 47,360 a------- c:\docume~1\dad\applic~1\pcouffin.sys

============= FINISH: 11:59:02.59 ===============
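A triage helper, added here as an example and not part of the original thread, that parses lines in the DDS log format above and flags the entries a responder would check first: the non-default LSA notification package, each AppInit_DLLs entry, the udpf service whose driver DDS could not resolve, and the UAC-prefixed file this topic is about. The sample log is a constructed subset of the lines above, and the eight-letter name heuristic is an assumption drawn from the names in this thread, not a DDS feature.

```python
import re
from dataclasses import dataclass

# Constructed sample: entries in the DDS log format used in this thread
# (a subset of the lines above, plus one clean Avira driver line for contrast).
SAMPLE_DDS_LOG = r"""
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\windows\system32\guard32.dll
LSA: Notification Packages = scecli c:\windows\system32\ronohuza.dll
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-8-22 11608]
S2 udpf;udpf;c:\windows\system32\drivers\tyab.sys --> c:\windows\system32\drivers\tyab.sys [?]
2009-08-19 22:40 1,110,399 a------- c:\windows\system32\UACqcgmlutdcm.db
2009-08-19 22:27 784,630 a------- c:\windows\system32\xa.tmp
2009-08-22 16:31 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
"""

# A stock Windows XP install lists only scecli here; anything else is loaded
# by LSASS at boot and sees every password change, so it must have a known owner.
DEFAULT_LSA_PACKAGES = {"scecli"}

# File family this topic is about (uacinit.dll, UACqcgmlutdcm.db, ...).
UAC_FAMILY_RE = re.compile(r"\\uac[a-z]{4,}\.(?:dll|db|sys|dat)$", re.I)
# Loose .tmp files directly under system32 are unusual for legitimate software.
TMP_IN_SYSTEM32_RE = re.compile(r"\\windows\\system32\\[^\\]+\.tmp$", re.I)
# DDS service line: "<state> <name>;<description>;<image path> [...]"
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);[^;]*;(?P<rest>.*)$")
# DDS file line: "<date> <time> <size or <DIR>> <attrs> <path>"
FILE_ENTRY_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\S+\s+\S+\s+(?P<path>.+)$")

VOWELS = set("aeiou")


@dataclass
class Finding:
    rule: str
    detail: str


def file_stem(path):
    """'c:\\windows\\system32\\ronohuza.dll' -> 'ronohuza'."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def looks_generated(stem):
    """Heuristic (assumption) for the pronounceable eight-letter names seen in
    this thread (ronohuza, amohayuj, olomiheg): letters only, strictly
    alternating vowel/consonant. Real driver names such as avgntflt do not match."""
    s = stem.lower()
    if len(s) != 8 or not s.isalpha():
        return False
    return all((s[i] in VOWELS) != (s[i + 1] in VOWELS) for i in range(7))


def triage_dds_log(text):
    """Walk a DDS log and return the entries a responder should look at first."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        lower = line.lower()
        if lower.startswith("lsa: notification packages"):
            for pkg in line.partition("=")[2].split():
                if file_stem(pkg).lower() not in DEFAULT_LSA_PACKAGES:
                    findings.append(Finding("lsa-nonstandard-package", pkg))
        elif lower.startswith("appinit_dlls:"):
            # Every DLL listed here is mapped into each process that loads
            # user32.dll; each one needs a known owner (guard32.dll is COMODO's).
            for dll in line.split(":", 1)[1].split():
                findings.append(Finding("appinit-dll", dll))
        else:
            svc = SERVICE_RE.match(line)
            if svc:
                # DDS prints "[?]" when it cannot find or read the service image.
                if svc.group("rest").rstrip().endswith("[?]"):
                    findings.append(Finding("service-missing-file", svc.group("name")))
                continue
            entry = FILE_ENTRY_RE.match(line)
            if entry:
                path = entry.group("path")
                if UAC_FAMILY_RE.search(path):
                    findings.append(Finding("uac-family-file", path))
                elif TMP_IN_SYSTEM32_RE.search(path):
                    findings.append(Finding("tmp-in-system32", path))
                elif looks_generated(file_stem(path)):
                    findings.append(Finding("generated-looking-name", path))
    return findings


if __name__ == "__main__":
    for f in triage_dds_log(SAMPLE_DDS_LOG):
        print(f"{f.rule:26} {f.detail}")
```

Every hit is a lead to verify by hand (file owner, signature, creation time), not a verdict; the "[?]" rule in particular also fires on legitimate services whose image path DDS could not parse.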


#5 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:37 AM

Posted 09 September 2009 - 06:10 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop. If you have already run ComboFix, delete your old copy and download a new one.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#6 Trant

Trant
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:37 AM

Posted 09 September 2009 - 06:21 PM

As it has been 17 days since I originally posted I have made some changes to the system in a guided attempt to correct any issues. In general it appears to work fine now with a couple minor exceptions:

(1) my media center no longer works and I can't seem to fix it via downloading and installing the two packages recommended by Microsoft -- the second step fails and reboots my system
(2) I previously had a problem downloading microsoft security updates -- I am not sure if that is still a problem now however.

Running Combofix and gmer now ...

Update: The GMER was still running late last night; I had to go to work this morning but will post results this evening.

Edited by Trant, 10 September 2009 - 07:43 AM.


#7 Trant

Trant
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:37 AM

Posted 10 September 2009 - 07:33 PM

Here is the ComboFix log. The GMER scan ran overnight and it appears that my system rebooted overnight, so I don't have the GMER log. Is it typically retrievable, or should I run it again?

ComboFix 09-09-09.04 - Dad 09/09/2009 19:36.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1292 [GMT -4:00]
Running from: c:\documents and settings\Dad\Desktop\MSTS Stuff\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Dad\Application Data\inst.exe
c:\recycler\S-1-5-21-1335759700-1249103214-3450035350-500
c:\recycler\S-1-5-21-4168645308-683514227-3957530785-500
c:\recycler\S-1-5-21-583907252-1417001333-725345543-500
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\Installer\6c350.msp
c:\windows\Installer\WinRMSrv.msi
c:\windows\setup.exe
c:\windows\system32\amohayuj.ini
c:\windows\system32\anikejef.ini
c:\windows\system32\ativanuh.ini
c:\windows\system32\olomiheg.ini
c:\windows\system32\UACqcgmlutdcm.db

.
((((((((((((((((((((((((( Files Created from 2009-08-09 to 2009-09-09 )))))))))))))))))))))))))))))))
.

2009-09-09 12:24 . 2009-09-09 12:24 -------- d-----w- c:\windows\system32\wbem\Repository
2009-09-09 04:57 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-06 21:11 . 2009-09-06 21:11 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-04 20:33 . 2009-09-04 20:33 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-09-04 19:34 . 2009-09-04 19:34 -------- d-----w- c:\program files\AutoHotkey
2009-09-04 16:45 . 2009-09-04 16:46 -------- dc-h--w- c:\windows\ie8
2009-09-04 15:50 . 2009-09-04 15:50 -------- d-sh--w- c:\documents and settings\Dad\IETldCache
2009-09-04 15:33 . 2009-09-04 15:33 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-04 15:32 . 2009-09-04 15:32 -------- d-sh--w- c:\documents and settings\Josh\IETldCache
2009-09-04 15:30 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-09-04 15:30 . 2009-09-09 07:00 -------- d-----w- c:\windows\ie8updates
2009-09-04 15:30 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-09-04 15:30 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-04 15:20 . 2009-09-04 15:20 -------- d-----w- c:\documents and settings\Josh\Local Settings\Application Data\Temp
2009-09-04 14:21 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-09-04 14:20 . 2009-09-04 14:20 -------- d-----w- c:\documents and settings\Josh\Local Settings\Application Data\Mozilla
2009-08-26 00:52 . 2009-08-26 00:52 -------- d-----w- c:\windows\War in the Pacific Admiral's Edition
2009-08-22 22:16 . 2009-08-22 22:16 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\Nero
2009-08-22 20:31 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-22 20:31 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-08-22 20:31 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-08-22 20:31 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-08-22 20:31 . 2009-08-22 20:31 -------- d-----w- c:\program files\Avira
2009-08-22 20:31 . 2009-08-22 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-08-22 18:04 . 2009-08-22 18:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-08-22 17:46 . 2009-08-22 17:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-22 17:41 . 2009-08-22 19:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-22 17:41 . 2009-08-22 17:41 -------- d-----w- c:\documents and settings\Dad\Application Data\SUPERAntiSpyware.com
2009-08-22 14:54 . 2009-08-22 14:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM
2009-08-22 14:53 . 2009-08-22 14:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-08-22 14:07 . 2009-08-22 14:07 -------- d-----w- c:\program files\Cobian Backup 8
2009-08-22 13:38 . 2009-08-22 13:38 -------- d-----w- c:\program files\Western Digital Technologies
2009-08-21 23:26 . 2009-08-21 23:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-21 22:18 . 2009-08-21 22:18 -------- d-----w- c:\documents and settings\Dad\Application Data\Malwarebytes
2009-08-21 22:11 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-21 22:11 . 2009-08-21 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-21 22:11 . 2009-08-21 22:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-21 22:11 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-20 19:53 . 2009-08-20 19:53 -------- d-----w- c:\program files\KingsIsle Entertainment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-09 23:46 . 2009-05-02 01:40 -------- d-----w- c:\program files\Steam
2009-09-09 07:12 . 2009-03-01 01:32 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-06 04:00 . 2009-03-28 17:07 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-04 19:37 . 2009-04-25 16:23 -------- d-----w- c:\documents and settings\Dad\Application Data\EditPlus 3
2009-09-04 15:07 . 2008-12-20 01:24 -------- d-----w- c:\program files\Microsoft Works
2009-09-04 14:27 . 2008-12-20 03:43 -------- d-----w- c:\program files\Windows Desktop Search
2009-09-04 14:01 . 2008-12-20 19:18 179792 ----a-w- c:\windows\system32\guard32.dll
2009-09-04 14:01 . 2008-12-20 19:43 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-09-04 14:01 . 2008-12-20 19:43 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-09-04 14:00 . 2008-12-20 19:43 132168 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-08-26 13:02 . 2005-11-25 19:22 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-23 21:01 . 2005-11-26 00:18 -------- d-----w- c:\program files\Google
2009-08-23 20:55 . 2009-01-03 00:01 -------- d-----w- c:\documents and settings\Dad\Application Data\My Games
2009-08-22 22:07 . 2005-11-24 01:49 163644 ----a-w- c:\windows\system32\drivers\secdrv.sys
2009-08-22 20:13 . 2008-12-20 19:02 -------- d-----w- c:\program files\Security Utilities
2009-08-22 17:41 . 2008-12-20 19:37 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-22 02:44 . 2009-05-02 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-08-22 01:34 . 2008-12-20 03:04 98304 ----a-w- c:\windows\DUMP371d.tmp
2009-08-20 02:27 . 2009-08-20 02:27 784630 ----a-w- c:\windows\system32\xa.tmp
2009-08-17 22:25 . 2005-11-25 20:04 -------- d-----w- c:\program files\Java
2009-08-05 13:19 . 2009-02-08 00:41 -------- d-----w- c:\documents and settings\Dad\Application Data\U3
2009-08-05 09:01 . 2005-11-24 01:49 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2005-11-24 01:49 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:37 . 2005-11-24 01:49 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-28 00:49 . 2009-07-28 00:49 281760 ----a-w- c:\windows\system32\drivers\atksgt.sys
2009-07-28 00:49 . 2009-07-28 00:49 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2009-07-25 09:23 . 2008-12-20 20:08 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-20 01:04 . 2009-07-20 01:04 -------- d-----w- c:\program files\Safari
2009-07-20 01:03 . 2009-07-20 01:03 -------- d-----w- c:\program files\iTunes
2009-07-20 01:03 . 2009-07-20 01:03 -------- d-----w- c:\program files\iPod
2009-07-20 01:03 . 2009-01-01 15:15 -------- d-----w- c:\program files\Common Files\Apple
2009-07-17 19:01 . 2005-11-24 01:49 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2005-11-24 01:49 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2005-11-24 01:49 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2005-11-24 01:49 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2005-11-24 01:49 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2005-11-24 01:49 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2005-11-24 01:49 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2005-11-24 01:49 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2005-11-24 01:49 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2005-11-24 01:49 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-14 21:22 . 2009-06-14 19:07 34 ----a-w- c:\documents and settings\Dad\jagex_runescape_preferences.dat
2009-06-12 12:31 . 2005-11-24 01:49 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2005-11-24 01:49 76288 ----a-w- c:\windows\system32\telnet.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\Steam.exe" [2009-06-11 1217784]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\something.exe" [2009-08-05 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"LgWDskTp"="c:\program files\Wireless Desktop\LgWDskTp.exe" [2004-10-27 65536]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"COMODO Internet Security"="c:\program files\Security Utilities\Comodo\COMODO Internet Security\cfp.exe" [2009-09-04 1796368]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\Logi_MwX.Exe [2004-10-18 19968]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-09-18 1657376]

c:\documents and settings\Dad\Start Menu\Programs\Startup\
hott notes 4.lnk - c:\program files\hott notes 4\hottnotes.exe [2007-5-15 1249280]
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - c:\program files\Utilities\Productivity\Launchy\Launchy.exe [2008-12-21 286720]
VPN Client.lnk - c:\windows\Installer\{A7091E1D-36A4-47F1-A739-173CC341414F}\Icon3E5562ED7.ico [2009-4-17 6144]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-21 01:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Games\\Aspyr\\Guitar Hero III\\GH3.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\game.dat"=
"c:\\Games\\Electronic Arts\\The Lord of the Rings, The Rise of the Witch-king\\game.dat"=
"c:\\Program Files\\Sony\\VAIO Event Service\\VESMgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization IV Colonization\\Colonization.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\empire total war\\Empire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [12/20/2008 3:43 PM 132168]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [12/20/2008 3:43 PM 25160]
R1 GhPciScan;GhostPciScanner;c:\program files\Utilities\Symantec\Norton Ghost 2003\GhPciScan.sys [12/17/2003 4:41 PM 5632]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/22/2009 4:31 PM 108289]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [9/19/2008 3:03 AM 65536]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
S2 gupdate1c99f64dd2e048;Google Update Service (gupdate1c99f64dd2e048);c:\program files\Google\Update\GoogleUpdate.exe [3/7/2009 4:34 PM 133104]
S2 udpf;udpf;c:\windows\system32\drivers\tyab.sys --> c:\windows\system32\drivers\tyab.sys [?]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/7/2009 11:25 PM 30192]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-07 20:34]

2009-09-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-07 20:34]

2009-09-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-594924526-3202744468-122155450-1005Core.job
- c:\documents and settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-20 15:49]

2009-09-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-594924526-3202744468-122155450-1005UA.job
- c:\documents and settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-20 15:49]

2009-09-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-594924526-3202744468-122155450-1007Core.job
- c:\documents and settings\Josh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-04 09:38]

2009-09-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-594924526-3202744468-122155450-1007UA.job
- c:\documents and settings\Josh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-04 09:38]

2009-09-09 c:\windows\Tasks\NeroLiveEpgUpdate-DINGO_Dad.job
- c:\program files\Nero\Nero 9\Nero Live\NeroLive.exe [2008-10-27 14:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\afzz64bd.default\
FF - component: c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\afzz64bd.default\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}\platform\WINNT_x86-msvc\components\enbar3.dll
FF - component: c:\program files\Browsers\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\afzz64bd.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\documents and settings\Dad\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\Dad\Local Settings\Application Data\HuluDesktop\instances\0.9.7.1\nphdplg.dll
FF - plugin: c:\program files\Browsers\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-09 19:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1168)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'explorer.exe'(2624)
c:\windows\system32\WININET.dll
c:\program files\Wireless Desktop\LgWndHk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Security Utilities\Comodo\COMODO Internet Security\cmdagent.exe
c:\program files\Security Utilities\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Demos\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Utilities\Symantec\Norton Ghost 2003\GhostStartService.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
c:\program files\Sony\Sony TV Tuner Library\SMceMan.exe
c:\program files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
c:\program files\TVersity\Media Server\MediaServer.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\searchindexer.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Sony\Sony TV Tuner Library\RM_SV.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-09 19:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-09 23:51

Pre-Run: 24,416,083,968 bytes free
Post-Run: 24,404,049,920 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

302 --- E O F --- 2009-09-09 07:06

Attached Files
  • log.txt (22.01KB)

Edited by PropagandaPanda, 11 September 2009 - 05:10 PM.


#8 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 11 September 2009 - 05:12 PM

Hello.

GMER should not take that long. Please try RootRepeal.

Download and Run Scan with RootRepeal
  • Open RootRepeal.exe on your desktop. If you are using Windows Vista, right click RootRepeal.exe and select Run As Administrator.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
With Regards,
The Panda

#9 Trant
  • Topic Starter
  • Members
  • 10 posts

Posted 11 September 2009 - 08:04 PM

When I run RootRepeal I get the following error as it starts: DeviceIoControlError! Error Code = 0x000009a

#10 Trant
  • Topic Starter
  • Members
  • 10 posts

Posted 11 September 2009 - 08:28 PM

Here are the results. I also saved the log of some errors that were reported by RootRepeal as rrlog.txt

Attached Files



#11 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 11 September 2009 - 08:33 PM

Hello.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:

    File::
    c:\windows\system32\xa.tmp

    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-

    Driver::
    udpf

  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Drag CFScript.txt onto ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select Critical Areas.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.

With Regards,
The Panda

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
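The CFScript format used in the post above, as an added worked example that is not part of the thread and not ComboFix's own (closed-source) parser: a small Python script turns a CFScript into the list of actions it requests and then checks each one against the "Other Deletions" and "Drivers/Services" lines ComboFix prints in the log that follows, so a responder can confirm the fix did what the script asked. The section semantics are inferred from this thread and from the REGEDIT4 format ComboFix itself names in its log: File:: deletes a file, Registry:: applies .reg syntax where "name"=- deletes a value (and, assumed from the .reg format, [-key] deletes a whole key), Driver:: removes a service and its Legacy_<NAME> device entry. `LOG_EXCERPT` is constructed from the log lines later in this thread.

```python
"""Parse a ComboFix CFScript into the actions it requests and confirm them
against the log ComboFix prints afterwards.

Added example, not ComboFix's own parser. Semantics are the ones visible in
the thread: File:: deletes a file; Registry:: uses REGEDIT4 syntax, where
"name"=- deletes a value and [-key] deletes a key (assumed from the .reg
format); Driver:: removes a service and its Legacy_<NAME> device entry, which
ComboFix reports as -------\\Service_udpf and -------\\Legacy_UDPF.
"""
from typing import List, Tuple

Action = Tuple[str, str]  # (verb, target)

# The script posted above, verbatim.
CFSCRIPT = """\
File::
c:\\windows\\system32\\xa.tmp

Registry::
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecFirewall]
"DisableMonitoring"=-

Driver::
udpf
"""

# Constructed from the Other Deletions / Drivers/Services lines of the log
# ComboFix produced for this script.
LOG_EXCERPT = """\
c:\\windows\\system32\\xa.tmp
-------\\Legacy_UDPF
-------\\Service_udpf
"""


def parse_cfscript(text: str) -> List[Action]:
    """Turn the section-based script into a flat, ordered action list."""
    actions: List[Action] = []
    section = None
    key = None  # current [HKEY...] inside Registry::
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            section, key = line[:-2].lower(), None
            continue
        if section == "file":
            actions.append(("delete_file", line))
        elif section == "driver":
            actions.append(("delete_service", line))
            actions.append(("delete_legacy_key", f"Legacy_{line.upper()}"))
        elif section == "registry":
            if line.startswith("[") and line.endswith("]"):
                key = line[1:-1]
                if key.startswith("-"):  # [-HKEY\...] deletes the whole key
                    actions.append(("delete_key", key[1:]))
                    key = None
            elif key is None:
                raise ValueError(f"registry value outside any [key]: {line!r}")
            else:
                name, _, value = line.partition("=")
                name = name.strip().strip('"')
                if value.strip() == "-":
                    actions.append(("delete_value", f"{key}\\{name}"))
                else:
                    actions.append(("set_value", f"{key}\\{name}={value.strip()}"))
        else:
            raise ValueError(f"line outside a known section: {line!r}")
    return actions


def unconfirmed(actions: List[Action], log: str) -> List[Action]:
    """Actions the log does not echo back. Registry edits are never echoed in
    those two log sections, so they are skipped here, not reported."""
    log = log.lower()
    missing: List[Action] = []
    for verb, target in actions:
        if verb == "delete_file":
            ok = target.lower() in log
        elif verb == "delete_service":
            ok = f"\\service_{target.lower()}" in log
        elif verb == "delete_legacy_key":
            ok = f"\\{target.lower()}" in log
        else:
            continue
        if not ok:
            missing.append((verb, target))
    return missing


if __name__ == "__main__":
    plan = parse_cfscript(CFSCRIPT)
    for verb, target in plan:
        print(f"{verb:18} {target}")
    print("unconfirmed:", unconfirmed(plan, LOG_EXCERPT) or "none")
```

Run against the script and log from this thread it reports nothing unconfirmed; feed it a log that lacks the Drivers/Services lines and it lists the service and Legacy_ entries still to be checked by hand.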

#12 Trant
  • Topic Starter
  • Members
  • 10 posts

Posted 11 September 2009 - 09:07 PM

Here is the ComboFix log

ComboFix 09-09-11.01 - Dad 09/11/2009 21:47.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1151 [GMT -4:00]
Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dad\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
* Created a new restore point

FILE ::
"c:\windows\system32\xa.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\xa.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UDPF
-------\Service_udpf


((((((((((((((((((((((((( Files Created from 2009-08-12 to 2009-09-12 )))))))))))))))))))))))))))))))
.

2009-09-09 12:24 . 2009-09-09 12:24 -------- d-----w- c:\windows\system32\wbem\Repository
2009-09-09 04:57 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-06 21:11 . 2009-09-06 21:11 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-04 20:33 . 2009-09-04 20:33 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-09-04 19:34 . 2009-09-04 19:34 -------- d-----w- c:\program files\AutoHotkey
2009-09-04 16:45 . 2009-09-04 16:46 -------- dc-h--w- c:\windows\ie8
2009-09-04 15:50 . 2009-09-04 15:50 -------- d-sh--w- c:\documents and settings\Dad\IETldCache
2009-09-04 15:33 . 2009-09-04 15:33 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-04 15:32 . 2009-09-04 15:32 -------- d-sh--w- c:\documents and settings\Josh\IETldCache
2009-09-04 15:30 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-09-04 15:30 . 2009-09-09 07:00 -------- d-----w- c:\windows\ie8updates
2009-09-04 15:30 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-09-04 15:30 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-04 15:20 . 2009-09-04 15:20 -------- d-----w- c:\documents and settings\Josh\Local Settings\Application Data\Temp
2009-09-04 14:21 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-09-04 14:20 . 2009-09-04 14:20 -------- d-----w- c:\documents and settings\Josh\Local Settings\Application Data\Mozilla
2009-08-26 00:52 . 2009-08-26 00:52 -------- d-----w- c:\windows\War in the Pacific Admiral's Edition
2009-08-22 22:16 . 2009-08-22 22:16 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\Nero
2009-08-22 20:31 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-22 20:31 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-08-22 20:31 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-08-22 20:31 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-08-22 20:31 . 2009-08-22 20:31 -------- d-----w- c:\program files\Avira
2009-08-22 20:31 . 2009-08-22 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-08-22 18:04 . 2009-08-22 18:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-08-22 17:46 . 2009-08-22 17:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-22 17:41 . 2009-08-22 19:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-22 17:41 . 2009-08-22 17:41 -------- d-----w- c:\documents and settings\Dad\Application Data\SUPERAntiSpyware.com
2009-08-22 14:54 . 2009-08-22 14:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM
2009-08-22 14:53 . 2009-08-22 14:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-08-22 14:07 . 2009-08-22 14:07 -------- d-----w- c:\program files\Cobian Backup 8
2009-08-22 13:38 . 2009-08-22 13:38 -------- d-----w- c:\program files\Western Digital Technologies
2009-08-21 23:26 . 2009-08-21 23:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-21 22:18 . 2009-08-21 22:18 -------- d-----w- c:\documents and settings\Dad\Application Data\Malwarebytes
2009-08-21 22:11 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-21 22:11 . 2009-08-21 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-21 22:11 . 2009-08-21 22:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-21 22:11 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-20 19:53 . 2009-08-20 19:53 -------- d-----w- c:\program files\KingsIsle Entertainment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-09 23:46 . 2009-05-02 01:40 -------- d-----w- c:\program files\Steam
2009-09-09 07:12 . 2009-03-01 01:32 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-06 04:00 . 2009-03-28 17:07 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-04 19:37 . 2009-04-25 16:23 -------- d-----w- c:\documents and settings\Dad\Application Data\EditPlus 3
2009-09-04 15:07 . 2008-12-20 01:24 -------- d-----w- c:\program files\Microsoft Works
2009-09-04 14:27 . 2008-12-20 03:43 -------- d-----w- c:\program files\Windows Desktop Search
2009-09-04 14:01 . 2008-12-20 19:18 179792 ----a-w- c:\windows\system32\guard32.dll
2009-09-04 14:01 . 2008-12-20 19:43 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-09-04 14:01 . 2008-12-20 19:43 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-09-04 14:00 . 2008-12-20 19:43 132168 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-08-26 13:02 . 2005-11-25 19:22 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-23 21:01 . 2005-11-26 00:18 -------- d-----w- c:\program files\Google
2009-08-23 20:55 . 2009-01-03 00:01 -------- d-----w- c:\documents and settings\Dad\Application Data\My Games
2009-08-22 22:07 . 2005-11-24 01:49 163644 ----a-w- c:\windows\system32\drivers\secdrv.sys
2009-08-22 20:13 . 2008-12-20 19:02 -------- d-----w- c:\program files\Security Utilities
2009-08-22 17:41 . 2008-12-20 19:37 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-22 02:44 . 2009-05-02 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-08-22 01:34 . 2008-12-20 03:04 98304 ----a-w- c:\windows\DUMP371d.tmp
2009-08-17 22:25 . 2005-11-25 20:04 -------- d-----w- c:\program files\Java
2009-08-05 13:19 . 2009-02-08 00:41 -------- d-----w- c:\documents and settings\Dad\Application Data\U3
2009-08-05 09:01 . 2005-11-24 01:49 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2005-11-24 01:49 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:37 . 2005-11-24 01:49 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-28 00:49 . 2009-07-28 00:49 281760 ----a-w- c:\windows\system32\drivers\atksgt.sys
2009-07-28 00:49 . 2009-07-28 00:49 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2009-07-25 09:23 . 2008-12-20 20:08 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-20 01:04 . 2009-07-20 01:04 -------- d-----w- c:\program files\Safari
2009-07-20 01:03 . 2009-07-20 01:03 -------- d-----w- c:\program files\iTunes
2009-07-20 01:03 . 2009-07-20 01:03 -------- d-----w- c:\program files\iPod
2009-07-20 01:03 . 2009-01-01 15:15 -------- d-----w- c:\program files\Common Files\Apple
2009-07-17 19:01 . 2005-11-24 01:49 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2005-11-24 01:49 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2005-11-24 01:49 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2005-11-24 01:49 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2005-11-24 01:49 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2005-11-24 01:49 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2005-11-24 01:49 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2005-11-24 01:49 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2005-11-24 01:49 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2005-11-24 01:49 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-14 21:22 . 2009-06-14 19:07 34 ----a-w- c:\documents and settings\Dad\jagex_runescape_preferences.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-09-09_23.47.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-12 01:59 . 2009-09-12 01:59 16384 c:\windows\Temp\Perflib_Perfdata_758.dat
+ 2009-09-12 02:00 . 2009-09-12 02:00 16384 c:\windows\Temp\Perflib_Perfdata_5ac.dat
+ 2009-09-12 02:00 . 2009-09-12 02:00 16384 c:\windows\Temp\Perflib_Perfdata_510.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\Steam.exe" [2009-06-11 1217784]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\something.exe" [2009-08-05 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"LgWDskTp"="c:\program files\Wireless Desktop\LgWDskTp.exe" [2004-10-27 65536]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"COMODO Internet Security"="c:\program files\Security Utilities\Comodo\COMODO Internet Security\cfp.exe" [2009-09-04 1796368]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\Logi_MwX.Exe [2004-10-18 19968]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-09-18 1657376]

c:\documents and settings\Dad\Start Menu\Programs\Startup\
hott notes 4.lnk - c:\program files\hott notes 4\hottnotes.exe [2007-5-15 1249280]
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - c:\program files\Utilities\Productivity\Launchy\Launchy.exe [2008-12-21 286720]
VPN Client.lnk - c:\windows\Installer\{A7091E1D-36A4-47F1-A739-173CC341414F}\Icon3E5562ED7.ico [2009-4-17 6144]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-21 01:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Games\\Aspyr\\Guitar Hero III\\GH3.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\game.dat"=
"c:\\Games\\Electronic Arts\\The Lord of the Rings, The Rise of the Witch-king\\game.dat"=
"c:\\Program Files\\Sony\\VAIO Event Service\\VESMgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization IV Colonization\\Colonization.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\empire total war\\Empire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [12/20/2008 3:43 PM 132168]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [12/20/2008 3:43 PM 25160]
R1 GhPciScan;GhostPciScanner;c:\program files\Utilities\Symantec\Norton Ghost 2003\GhPciScan.sys [12/17/2003 4:41 PM 5632]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/22/2009 4:31 PM 108289]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [9/19/2008 3:03 AM 65536]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
S2 gupdate1c99f64dd2e048;Google Update Service (gupdate1c99f64dd2e048);c:\program files\Google\Update\GoogleUpdate.exe [3/7/2009 4:34 PM 133104]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/7/2009 11:25 PM 30192]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-07 20:34]

2009-09-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-07 20:34]

2009-09-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-594924526-3202744468-122155450-1005Core.job
- c:\documents and settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-20 15:49]

2009-09-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-594924526-3202744468-122155450-1005UA.job
- c:\documents and settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-20 15:49]

2009-09-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-594924526-3202744468-122155450-1007Core.job
- c:\documents and settings\Josh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-04 09:38]

2009-09-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-594924526-3202744468-122155450-1007UA.job
- c:\documents and settings\Josh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-04 09:38]

2009-09-11 c:\windows\Tasks\NeroLiveEpgUpdate-DINGO_Dad.job
- c:\program files\Nero\Nero 9\Nero Live\NeroLive.exe [2008-10-27 14:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\afzz64bd.default\
FF - component: c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\afzz64bd.default\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}\platform\WINNT_x86-msvc\components\enbar3.dll
FF - component: c:\program files\Browsers\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\afzz64bd.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\documents and settings\Dad\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\Dad\Local Settings\Application Data\HuluDesktop\instances\0.9.7.1\nphdplg.dll
FF - plugin: c:\program files\Browsers\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-11 22:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1168)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'explorer.exe'(3140)
c:\windows\system32\WININET.dll
c:\program files\Wireless Desktop\LgWndHk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Security Utilities\Comodo\COMODO Internet Security\cmdagent.exe
c:\program files\Security Utilities\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Demos\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Utilities\Symantec\Norton Ghost 2003\GhostStartService.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Sony\Sony TV Tuner Library\SMceMan.exe
c:\program files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\searchindexer.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\windows\system32\rundll32.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Sony\Sony TV Tuner Library\RM_SV.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-12 22:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-12 02:05
ComboFix2.txt 2009-09-09 23:51

Pre-Run: 24,341,540,864 bytes free
Post-Run: 24,304,992,256 bytes free

290 --- E O F --- 2009-09-09 07:06

Attached Files


Edited by PropagandaPanda, 12 September 2009 - 08:04 AM.
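Both ComboFix logs in this thread come back clean, which makes it hard to see what a responder is actually reading in the "Reg Loading Points" section. The Python below is an added example, not ComboFix's or BleepingComputer's code: it parses the log format as printed in the post above and emits review prompts for four persistence points (Winlogon Notify DLLs, BootExecute entries beyond the stock `autocheck autochk *`, the Windows Firewall switched off, and services ComboFix marks `[?]` because it could not read the binary's timestamp and size). Every hit on this machine has a benign explanation: SUPERAntiSpyware's SASWINLO.dll and Sony's VESWinlogon.dll, Ad-Aware's lsdelete boot-time cleaner, COMODO being the active firewall (per the FW: line at the top of the log), and the VAIO SQL Server instance. That is the point of the exercise; these are triage prompts, not verdicts. `SAMPLE_LOG` is constructed from lines of the log above.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example, not ComboFix's or BleepingComputer's code. It reads the text
format printed in the thread and returns review prompts for the persistence
points a responder checks first. Every prompt below has a benign explanation
on this particular machine; the function flags locations, not malware.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (category, detail)

# Constructed from lines of the second ComboFix log in this thread.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\\program files\\SUPERAntiSpyware\\SASWINLO.dll

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\VESWinlogon]
2005-05-21 01:42 73728 ----a-w- c:\\windows\\system32\\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\\0autocheck lsdelete

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\\windows\\system32\\drivers\\cmdguard.sys [12/20/2008 3:43 PM 132168]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\\program files\\Microsoft SQL Server\\MSSQL$VAIO_VEDB\\Binn\\sqlservr.exe -sVAIO_VEDB --> c:\\program files\\Microsoft SQL Server\\MSSQL$VAIO_VEDB\\Binn\\sqlservr.exe -sVAIO_VEDB [?]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\\program files\\Microsoft SQL Server\\MSSQL$VAIO_VEDB\\Binn\\sqlagent.EXE -i VAIO_VEDB --> c:\\program files\\Microsoft SQL Server\\MSSQL$VAIO_VEDB\\Binn\\sqlagent.EXE -i VAIO_VEDB [?]
"""

# The only BootExecute entry a stock Windows XP install carries.
STOCK_BOOTEXECUTE = {"autocheck autochk *"}
# ComboFix service lines: "R1 name;display name;path [date size]" or "... [?]".
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")


def triage(log: str) -> List[Finding]:
    """Return review prompts for the persistence points in a ComboFix log."""
    findings: List[Finding] = []
    key = ""  # most recent [registry key] header, lower-cased
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            # [?] means ComboFix could not stat the binary, so the path
            # (and whether it exists at all) has to be verified by hand.
            if svc.group(4).endswith("[?]"):
                findings.append(("service_unverified", svc.group(2)))
            continue
        if "\\winlogon\\notify\\" in key:
            # Winlogon notification DLLs load into winlogon.exe as SYSTEM
            # and also run in Safe Mode, which is why rootkits favour them.
            findings.append(("winlogon_notify_dll", line.split(None, 4)[-1]))
        elif key.endswith("\\session manager") and line.startswith("BootExecute"):
            # BootExecute entries run from smss.exe before any security
            # product starts; the multi-string is printed with literal \0.
            entries = line.split("REG_MULTI_SZ", 1)[1].strip().split("\\0")
            for entry in entries:
                if entry not in STOCK_BOOTEXECUTE:
                    findings.append(("bootexecute_extra", entry))
        elif "firewallpolicy" in key and line.startswith('"EnableFirewall"='):
            value = line.split("=", 1)[1].split()[0]
            if value == "0":
                findings.append(("windows_firewall_off", key))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:22} {detail}")
```

On the sample it prints six prompts: two Winlogon Notify DLLs, the `autocheck lsdelete` BootExecute entry, the disabled Windows Firewall profile, and the two SQL Server services marked `[?]`. The responder then works through each one against what they know is installed, which is exactly the pass the Malware Response Team member made before declaring the log clean.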


#13 Trant
  • Topic Starter
  • Members
  • 10 posts

Posted 11 September 2009 - 11:02 PM

Kaspersky log

Attached Files



#14 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 12 September 2009 - 08:06 AM

Hello.

That looks good. Unless there are any issues at the moment, we can wrap up.

Uninstall ComboFix
Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type the following into the runbox and click OK. Notice the space between the "x" and "/".
    ComboFix /u

Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Resets clock settings to standard format.
  • Hides file extensions and hidden/system files.
  • Clears System Restore cache and creates new restore point.
Please re-enable any antimalware programs that were disabled during the fix.

Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any questions or concerns?

With Regards,
The Panda

#15 Trant
  • Topic Starter
  • Members
  • 10 posts

Posted 12 September 2009 - 09:15 AM

Panda,

Thanks for your assistance. So at this point you believe my system is clear of any root kits?