Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Sygate Personal Firewall disabled and sent to spurious sites via search engine


  • This topic is locked This topic is locked
16 replies to this topic

#1 spree

spree

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:37 PM

Posted 28 August 2009 - 09:57 AM

Hi there, title says it all really. Upon startup recieve the standard Windows message that the Sygate program encountered a problem etc.

When using Google, and clicking on hyperlinks, I am sent to hxxp://cliccker.cn/ and sites of that ilk, I've removed a lot of extra code from that link, suffice to say the site never works.

Also I have been recieving messages that my virtual memory is nearing capacity.

In a more immediate development, I cannot post the dds.scr results as the tool did not work for me, rather than the black screen described in the "how to" topic I was presented with a notepad filled with random symbols and letters.

The ark.txt should be included.

Thanks in advance

Dan

Attached Files

  • Attached File  ark.txt   4.12KB   12 downloads

Edited by Orange Blossom, 28 August 2009 - 12:17 PM.
Deactivate link. ~ OB


BC AdBot (Login to Remove)

 


#2 spree

spree
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:37 PM

Posted 04 September 2009 - 04:43 AM

further information

After running Malwarebytes' Anti Malware, I've found that it constantly picks up Trojan.Agent and Rootkit.TDSS

Please help!

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 04 September 2009 - 12:33 PM.


#3 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:37 AM

Posted 12 September 2009 - 02:12 AM

Hello and :( to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here
.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.


Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay
.

-----------------------------------------------------------

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Kind regards
Net_Surfer

:(

#4 spree

spree
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:37 PM

Posted 12 September 2009 - 08:57 AM

Thanks Net Surfer

The DDS.txt is attached

Is the Attach.txt also required?

Attached Files

  • Attached File  DDS.txt   10.28KB   18 downloads


#5 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:37 PM

Posted 14 September 2009 - 12:57 PM

Hi spree,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

This time we want to run ComboFix. This is a major step. Please be precise and make sure rename and save it on your desktop and let it download install the Recovery Console.


Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

Posted Image


Posted Image
--------------------------------------------------------------------
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)

Double click on Combo-Fix.exe & follow the prompts. If ComboFix needed to reboot please allow it.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


#6 spree

spree
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:37 PM

Posted 14 September 2009 - 03:32 PM

Thanks Farbar

.txt attached

Attached Files



#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:37 PM

Posted 14 September 2009 - 04:19 PM

Hi spree,

Well done.

Please copy and paste the logs instead of attaching them. Thanks.
  • Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    http://www.bleepingcomputer.com/forums/t/253140/sygate-personal-firewall-disabled-and-sent-to-spurious-sites-via-search-engine/
    
    Collect::
    c:\windows\system32\drivers\fteixvvrtfpmttbv.sys
    e:\ezinstall\EzInstall.sys
    Driver::
    EzInstall
    File::
    c:\windows\system32\drivers\gexylqibcrtsppet.sys
    c:\windows\system32\drivers\ncyexxnqvtapshee.sys
    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    "BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,\
    00,00

    Save this as CFScript.txt


    Posted Image


    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you. Post that log in your next reply.

    **Important Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.
  • Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.


  • Please go to start => Run => Copy and paste the bold line in the run-box and click OK:

    "C:\Qoobox\Add-Remove Programs.txt"

    A text file opens up, copy and paste the content to your reply.


#8 spree

spree
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:37 PM

Posted 16 September 2009 - 05:23 PM

Combofix Log

ComboFix 09-09-16.01 - Dan Stevenson 16/09/2009 23:11.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3583.3041 [GMT 1:00]
Running from: c:\documents and settings\Dan Stevenson\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Dan Stevenson\Desktop\CFScript.txt
FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
* Created a new restore point

FILE ::
"c:\windows\system32\drivers\gexylqibcrtsppet.sys"
"c:\windows\system32\drivers\ncyexxnqvtapshee.sys"

file zipped: c:\windows\system32\drivers\fteixvvrtfpmttbv.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\fteixvvrtfpmttbv.sys
c:\windows\system32\drivers\gexylqibcrtsppet.sys
c:\windows\system32\drivers\ncyexxnqvtapshee.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EZINSTALL
-------\Service_EzInstall


((((((((((((((((((((((((( Files Created from 2009-08-16 to 2009-09-16 )))))))))))))))))))))))))))))))
.

2009-09-09 15:38 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-05 22:39 . 2009-09-05 22:39 -------- d-----w- c:\program files\Microsoft Works
2009-08-28 00:01 . 2009-08-28 00:01 -------- d-----w- c:\documents and settings\Dan Stevenson\Application Data\Windows Search
2009-08-28 00:00 . 2009-08-28 00:00 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-08-27 23:59 . 2009-09-02 14:50 -------- d-----w- c:\program files\Windows Desktop Search
2009-08-27 23:59 . 2009-08-27 23:59 -------- d-----w- c:\windows\system32\GroupPolicy
2009-08-27 23:58 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2009-08-27 23:58 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2009-08-27 23:58 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2009-08-27 19:38 . 2009-08-27 19:38 -------- d-----w- c:\documents and settings\Dan Stevenson\Application Data\Malwarebytes
2009-08-27 19:38 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-27 19:38 . 2009-09-12 13:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-27 19:38 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-27 19:38 . 2009-08-27 19:38 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-08-26 15:38 . 2009-06-25 08:25 54272 -c----w- c:\windows\system32\dllcache\wdigest.dll
2009-08-26 15:38 . 2009-06-25 08:25 301568 -c----w- c:\windows\system32\dllcache\kerberos.dll
2009-08-26 15:38 . 2009-06-25 08:25 136192 -c----w- c:\windows\system32\dllcache\msv1_0.dll
2009-08-26 15:38 . 2009-06-24 11:18 92928 -c----w- c:\windows\system32\dllcache\ksecdd.sys
2009-08-26 10:20 . 2009-08-26 10:20 -------- dc----w- C:\spoolerlogs
2009-08-24 14:26 . 2009-08-24 14:26 -------- d-----w- c:\documents and settings\Dan Stevenson\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-08-24 14:19 . 2009-08-24 14:37 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-04 15:22 . 2008-07-03 19:36 -------- d-----w- c:\documents and settings\Dan Stevenson\Application Data\Canon
2009-08-28 13:13 . 2007-09-02 13:33 -------- d-----w- c:\documents and settings\Dan Stevenson\Application Data\U3
2009-08-26 14:59 . 2005-01-09 15:52 63592 -c--a-w- c:\documents and settings\Dan Stevenson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-24 14:24 . 2004-10-02 17:20 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-09 09:52 . 2009-08-09 09:52 -------- d-----w- c:\program files\MSBuild
2009-08-09 09:52 . 2009-08-09 09:52 -------- d-----w- c:\program files\Reference Assemblies
2009-08-05 09:01 . 2001-08-23 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2001-08-23 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 09:08 . 2005-01-09 15:38 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2002-08-29 06:14 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2005-01-09 15:38 78336 ------w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2001-08-23 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-25 08:25 . 2001-08-23 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2001-08-23 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2001-08-23 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2001-08-23 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2001-08-23 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2001-08-23 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2001-08-23 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-09-14_20.23.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-08-23 12:00 . 2008-04-14 00:12 18944 c:\windows\system32\dllcache\version.dll
+ 2001-08-23 12:00 . 2008-04-14 00:12 250368 c:\windows\system32\dllcache\sptip.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FRYMXINS"="c:\program files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-07 344064]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 77824]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"iTunesHelper"="G:\iTunesHelper.exe" [2009-03-12 342312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-11-17 577536]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="h:\device manager\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-5 11000]
Microsoft Office.lnk - d:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "D:\SASSEH.DLL" [2008-11-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-07 16:02 548352 ----a-w- D:\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"ServiceLayer"=3 (0x3)
"Pctspk"=2 (0x2)
"MDM"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"stisvc"=2 (0x2)
"RemoteRegistry"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"h:\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"d:\\Program Files\\realplay.exe"=
"d:\\Program Files\\SolidWorks\\SLDWORKS.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"g:\\iTunes.exe"=
"%windir%\\system32\\lsass.exe"=

R1 SASDIFSV;SASDIFSV;D:\SASDIFSV.SYS [10/10/2006 13:53 9968]
R1 SASKUTIL;SASKUTIL;D:\SASKUTIL.SYS [27/02/2007 12:39 74480]
S3 OpenDrv;OpenDrv;\??\c:\program files\AOpen\SilentTek\OpenDrv.sys --> c:\program files\AOpen\SilentTek\OpenDrv.sys [?]
S3 PRODIGY;PRODIGY;c:\windows\system32\drivers\prodigy.sys [21/08/2007 14:56 32377]
S3 SASENUM;SASENUM;D:\SASENUM.SYS [16/02/2006 17:51 4096]
.
Contents of the 'Scheduled Tasks' folder

2009-08-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 12:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ouk&tab=web&p=_adr&q={searchTerms}
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-16 23:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FRYMXINS"="\"c:\\Program Files\\ATI Technologies\\Fire GL 3D Studio Max\\atiimxgl\""
"ATIPTA"="c:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"SoundMan"="SOUNDMAN.EXE"
"vptray"="c:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"SmcService"="c:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"QuickTime Task"="\"d:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AppleSyncNotifier"="c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleSyncNotifier.exe"
"iTunesHelper"="\"g:\\iTunesHelper.exe\""
"Adobe Reader Speed Launcher"="\"c:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\\P*]
"DisplayName"="?\13?\13"
"DeviceDesc"="?\13?\13"
"ProviderName"=""
"MFG"="???\\"
"ReinstallString"="c:\\WINDOWS\\System32\\ReinstallBackups\\?\13\\DriverFiles\\.INF"
"DeviceInstanceIds"=multi:"f\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
D:\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(344)
c:\windows\system32\WININET.dll
c:\windows\system32\SSSensor.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\savedump.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Sygate\SPF\Smc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
c:\program files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wdfmgr.exe
g:\ipod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-16 23:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-16 22:21
ComboFix2.txt 2009-09-14 20:26

Pre-Run: 4,312,043,520 bytes free
Post-Run: 4,303,151,104 bytes free

214 --- E O F --- 2009-09-09 15:46

#9 spree

spree
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:37 PM

Posted 16 September 2009 - 05:31 PM

MBAM Log

Malwarebytes' Anti-Malware 1.41
Database version: 2813
Windows 5.1.2600 Service Pack 3

16/09/2009 23:31:08
mbam-log-2009-09-16 (23-31-08).txt

Scan type: Quick Scan
Objects scanned: 106064
Time elapsed: 3 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 spree

spree
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:37 PM

Posted 16 September 2009 - 05:33 PM

Hope I've added these correctly Farbar

When I did step 3. there was nothing in the text box?

#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:37 PM

Posted 16 September 2009 - 05:43 PM

You did well. How is the computer running?

#12 spree

spree
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:37 PM

Posted 18 September 2009 - 03:16 PM

Running OK, less spoolsrv being caught by Sygate

MBAM still finding rootkits though and Symantec is picking up tidserv!exe

MBAM log

Malwarebytes' Anti-Malware 1.41
Database version: 2821
Windows 5.1.2600 Service Pack 3

18/09/2009 21:11:55
mbam-log-2009-09-18 (21-11-55).txt

Scan type: Full Scan (C:\|D:\|G:\|H:\|)
Objects scanned: 197811
Time elapsed: 43 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\DOCUME~1\DANSTE~1\LOCALS~1\Temp\gasfkyxbyduktqxo.tmp.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gexylqibcrtsppet.sys.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ncyexxnqvtapshee.sys.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D972DFB0-F4B7-4780-ADFE-DDD450E005FA}\RP248\A0078551.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D972DFB0-F4B7-4780-ADFE-DDD450E005FA}\RP248\A0078552.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.

#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:37 PM

Posted 18 September 2009 - 05:07 PM

The files MBAM is detecting are in two folders, some are are are already removed and quarantined by ComboFix and are located in ComboFix quarantine Folder (C:\Qoobox\Quarantine) and some of them are in System Volume Information folder where the restore points are kept. When we uninstall Combofix both folders will be emptied. Symantec might detect the same harmless files.
  • Go to Start => Run => copy and paste next command in the field then hit enter:

    ComboFix /u

    This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

  • Click here to download HijackThis Installer.
  • Save HJTInstall.exe to your Desktop.
  • Double click on the HJTInstall.exe icon to start the installation.
  • When a window pops up asking you the directory to install the program please accept the proposed default directory.
  • The program will automatically place a shortcut on your desktop and if further use of the program is required, you can click on the shortcut to run the program.
  • Please run Hijackthis. Click Do a system scan and save a logfile then copy and paste the content of the log to your reply.

Edited by farbar, 18 September 2009 - 05:09 PM.


#14 spree

spree
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:37 PM

Posted 19 September 2009 - 12:24 PM

Thanks Farbar

Ran MBAM again after uninstalling Combofix and it was all clear

HijackThis log below

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:23:01, on 19/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\rundll32.exe
G:\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
G:\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll (file missing)
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O4 - HKLM\..\Run: [FRYMXINS] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "G:\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] H:\Device Manager\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/vwhpro/EN/install/gtdownlr.cab
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://aqa.webex.com/client/T23L/webex/ieatgpc.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: !SASWinLogon - D:\SASWINLO.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - G:\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 7633 bytes

#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:37 PM

Posted 19 September 2009 - 01:41 PM

Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll (file missing)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k


Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

Everything looks good and you are good to go now.

Happy Surfing. :(




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users