Windows antivirus pro and pc_antivirus2010 mess


  • This topic is locked
24 replies to this topic

#1 Auger
  • Members
  • 83 posts
  • Gender:Male
  • Location:Jackson, GA

Posted 31 August 2009 - 05:15 PM

Hello all,

Just to set the background here, I have been hearing my neighbor talk about an infection she was fighting on her PC that was sounding kind of vicious. She finally gave up and brought it over to me and MAN, what a mess!

It appears to have been infected with both the above mentioned programs. I say appears because when I got my hands on the system there were only empty directories where the program files had been. She downloaded some instructions and manually deleted the program files.

We are now at a state where the system comes up with a blank screen and you can then get into task manager and run cmd to get a command prompt. Sometimes when you run from the prompt you get the "run as" screen.

Malwarebytes, SUPERAntiSpyware and RootRepeal will start running but will just exit with no message. When this happens, the file that was run before will no longer be viable, as it says "access is denied". If I never run the main exe and constantly copy it to a different file, I can run it once.

I did get an instance of OTL and SmitFraudFix to run and have attached the OTL log (I pushed the scan dates to 60 days as she had been working on this for over a month). HijackThis will not run because of the "run as" problem, even if I rename it.

Another interesting twist is that the My Computer icon is missing, and if I try to enter System Properties I get "rundll32.exe application not found" even though it is happily sitting there in system32. Explorer gets the same "access denied" message, but I copied an explorer from another system and am constantly renaming it to explorer1, explorer2... because it will eventually catch on that I am using it and render it to the "access denied" state.

This has just about got me wanting to mow the lawn on the HD platter and start over, but it seems you all work miracles. Any help would be much appreciated!

Art

Attached Files

  • OTL.zip (12.52KB)



#2 Auger
  • Topic Starter
  • Members
  • 83 posts
  • Gender:Male
  • Location:Jackson, GA

Posted 01 September 2009 - 08:43 AM

For anybody who is interested, I captured a procmon log of whatever this is killing Mbam and then going out and disabling the file to "access denied". The log is huge (100 meg unzipped); I do not know how well it will compress. I can only see what it is doing, not HOW it is doing it.

Art

#3 Auger
  • Topic Starter
  • Members
  • 83 posts
  • Gender:Male
  • Location:Jackson, GA

Posted 01 September 2009 - 09:38 PM

OK, finally got it to run HijackThis.

Scanned the system with Dr. Web standalone scanner and it discovered 2 major issues:

A file with csid of uncountable length - trojan.fakealert.4747

eventlog.dll with trojan.crot

Once Dr. Web cleaned the files I was able to run Mbam. Since the system was in safe mode with no networking support I could not update, but it found numerous infections (27, I believe). I then rebooted and updated and ran it again, where it found only 5, and then rebooted, ran again, and ran a full scan with no errors.

I am still in the mode where it boots up to a blank screen, but I can enter Task Manager and run most anything without the "run as" screen popping up. The My Computer icon is still missing, yet I can right-click and enter Properties. My explorer.exe is still "access denied". Internet Explorer cannot run as yet.

<From a post edit: I have attached the RootRepeal log as I forgot to do it the first time. I have attached 2 RR logs; the first is from before the scans. I could run RootRepeal if I did the scans one at a time and left out the "files" scan. Only 3 items had data in them, so I copied and pasted them into one text file. The regular arc.txt is from after the scans. I am now turning this 'puter off and will patiently wait for guidance...>

Here are my logs (posted correctly this time)



DDS (Ver_09-07-30.01) - NTFSx86
Run by Karen Horton at 22:19:34.78 on Tue 09/01/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.333 [GMT -4:00]

AV: AT&T Internet Security Suite AT&T Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer12.exe
F:\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uWindows: load=D:\CDSETUP.EXE
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Network Ready Production Manager] RUNDLL32.EXE, TweakMeUp
mRun: [LXBXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXBXtime.dll,_RunDLLEntry@16
mRun: [lxbxmon.exe] "c:\program files\lexmark 7100 series\lxbxmon.exe"
mRun: [FaxCenterServer4_in_1] "c:\program files\lexmark 7100 series\fm3032.exe" /s
mRun: [<NO NAME>]
mRun: [EzPrint] "c:\program files\lexmark 7100 series\ezprint.exe"
mRun: [QuickFinder Scheduler] "c:\program files\wordperfect office x3\programs\QFSCHD130.EXE"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [ISW.exe] "c:\program files\at&t\internet security wizard\ISW.exe" /AUTORUN
mRun: [AT&T Internet Security Suite] "c:\program files\at&t\at&t internet security suite\Rps.exe"
mRun: [-FreedomNeedsReboot] "c:\program files\at&t\at&t internet security suite\ZkRunOnceR.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\mm\mbam.exe" /runcleanupscript
mRunOnce: [AOLRebootNeeded] regsvr32.exe /s
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\documents and settings\karen horton\my documents\my pictures\kodak photos\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\wordperfect office x3\programs\WPLauncher.hta
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171130318593
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: text/html - {61203230-ab2d-49ec-963e-ce4eff95e450} -
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: cru629.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
S2 Par1284;Par1284;\??\c:\program files\flexisign\program\par1284.sys --> c:\program files\flexisign\program\Par1284.sys [?]
S3 Radialpoint Security Services;AT&T Internet Security Suite;c:\windows\system32\DLLHOST.EXE [2004-8-4 5120]
S3 rootrepeal;rootrepeal;c:\windows\system32\drivers\rootrepeal.sys [2009-9-1 34816]
S3 rr.pif;rr.pif;\??\c:\windows\system32\drivers\rr.pif.sys --> c:\windows\system32\drivers\rr.pif.sys [?]
S3 rr1.pif;rr1.pif;\??\c:\windows\system32\drivers\rr1.pif.sys --> c:\windows\system32\drivers\rr1.pif.sys [?]
S3 rr2.pif;rr2.pif;\??\c:\windows\system32\drivers\rr2.pif.sys --> c:\windows\system32\drivers\rr2.pif.sys [?]
S3 rr3.pif;rr3.pif;\??\c:\windows\system32\drivers\rr3.pif.sys --> c:\windows\system32\drivers\rr3.pif.sys [?]
S3 SaiH0461;SaiH0461;c:\windows\system32\drivers\SaiH0461.sys [2006-12-25 182528]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2005-8-21 10880]

=============== Created Last 30 ================

2009-09-01 22:10 155,648 a------- c:\windows\system32\igfxtray.exe
2009-09-01 21:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-09-01 21:00 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-09-01 21:00 <DIR> --d----- c:\docume~1\karenh~1\applic~1\SUPERAntiSpyware.com
2009-09-01 20:22 2 a------- c:\windows\msoffice.ini
2009-09-01 17:36 55,808 a------- c:\windows\system32\EVENTLOG.DLL
2009-09-01 14:00 <DIR> --dshr-- C:\cmdcons
2009-09-01 13:59 <DIR> --d----- c:\windows\setupupd
2009-09-01 13:57 <DIR> --d----- c:\windows\setup.pss
2009-09-01 13:35 2,855 a------- c:\windows\explorer.PIF
2009-09-01 11:44 46,080 a------- c:\windows\w32kdiag.pif
2009-09-01 10:00 34,816 a------- c:\windows\system32\drivers\rootrepeal.sys
2009-08-31 21:37 47,466,131 a------- C:\Logfile.CSV
2009-08-31 19:48 1,033,728 a------- c:\windows\explorer21.exe
2009-08-31 17:37 1,033,728 a------- c:\windows\explorer12.exe
2009-08-31 16:22 <DIR> --d----- c:\program files\mm
2009-08-31 11:07 0 a------- c:\windows\TempFile
2009-08-30 22:05 288,417 a------- c:\windows\system32\SrchSTS.exe
2009-08-30 22:05 82,944 a------- c:\windows\system32\IEDFix.C.exe
2009-08-30 22:05 80,384 a------- c:\windows\system32\o4Patch.exe
2009-08-30 22:05 78,336 a------- c:\windows\system32\Agent.OMZ.Fix.exe
2009-08-30 22:05 53,248 a------- c:\windows\system32\Process.exe
2009-08-30 22:03 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-08-30 19:34 2,977,128 a------- C:\Procmon.exe
2009-08-30 19:34 60,652 a------- C:\procmon.chm
2009-08-30 17:39 <DIR> --d----- c:\program files\m
2009-08-30 17:08 3,942,048 a------- C:\mbam-setup.exe
2009-08-30 14:27 <DIR> --d----- c:\docume~1\karenh~1\applic~1\Malwarebytes
2009-08-30 14:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-30 14:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-30 14:27 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-30 14:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-24 20:49 <DIR> a-d----- c:\windows\system32\images
2009-08-24 20:22 46 a------- C:\p2hhr.bat
2009-08-24 20:21 2 a--sh--- C:\-925222893
2009-08-19 21:25 <DIR> --d----- c:\program files\Shared
2009-08-11 21:37 <DIR> --d----- c:\windows\ServicePackFiles
2009-08-11 21:13 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-08-11 21:09 <DIR> --d----- c:\windows\system32\LogFiles
2009-08-04 12:04 <DIR> --d----- c:\docume~1\karenh~1\applic~1\VTExtra

==================== Find3M ====================

2009-08-05 05:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 05:11 204,800 a------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 09:33 3,597,824 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-19 09:32 6,067,200 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-17 14:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 14:55 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 10,841,088 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-10 09:42 1,315,328 a------- c:\windows\system32\dllcache\msoe.dll
2009-06-29 07:07 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-06-29 07:07 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-29 04:35 634,632 -------- c:\windows\system32\dllcache\iexplore.exe
2009-06-29 04:33 2,452,872 -------- c:\windows\system32\dllcache\ieapfltr.dat
2009-06-29 04:33 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-06-25 04:44 724,480 a------- c:\windows\system32\lsasrv.dll
2009-06-25 04:44 298,496 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:44 168,448 a------- c:\windows\system32\schannel.dll
2009-06-25 04:44 133,632 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:44 59,392 a------- c:\windows\system32\wdigest.dll
2009-06-25 04:44 56,320 a------- c:\windows\system32\secur32.dll
2009-06-25 04:44 724,480 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-06-25 04:44 298,496 -------- c:\windows\system32\dllcache\kerberos.dll
2009-06-25 04:44 168,448 -------- c:\windows\system32\dllcache\schannel.dll
2009-06-25 04:44 133,632 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-06-25 04:44 59,392 -------- c:\windows\system32\dllcache\wdigest.dll
2009-06-25 04:44 56,320 -------- c:\windows\system32\dllcache\secur32.dll
2009-06-22 07:34 92,544 a------- c:\windows\system32\dllcache\ksecdd.sys
2009-06-16 10:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:55 119,808 a------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:55 82,432 a------- c:\windows\system32\dllcache\fontsub.dll
2009-06-12 07:50 76,288 a------- c:\windows\system32\telnet.exe
2009-06-12 07:50 76,288 a------- c:\windows\system32\dllcache\telnet.exe
2009-06-10 10:21 84,992 a------- c:\windows\system32\dllcache\avifil32.dll
2009-06-10 10:21 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 02:32 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-10 02:32 132,096 -------- c:\windows\system32\dllcache\wkssvc.dll
2009-06-05 03:42 655,872 a------- c:\windows\system32\mstscax.dll
2009-06-05 03:42 655,872 a------- c:\windows\system32\dllcache\mstscax.dll
2004-10-01 16:00 40,960 ac------ c:\program files\Uninstall_CDS.exe

============= FINISH: 22:19:54.51 ===============


Edited by Art Guffin, 02 September 2009 - 08:04 AM.


#4 Blade
  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 15 September 2009 - 03:00 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



#5 Auger
  • Topic Starter
  • Members
  • 83 posts
  • Gender:Male
  • Location:Jackson, GA

Posted 16 September 2009 - 08:04 AM

Thank you for replying! I do realize your group is very busy... Right now I am enjoying the beautiful beaches in St. Lucia and will get the logs after I return next Saturday evening. I should have them posted on Sunday if that is OK. I appreciate what you guys do and thanks again!

Art

#6 Auger
  • Topic Starter
  • Members
  • 83 posts
  • Gender:Male
  • Location:Jackson, GA

Posted 20 September 2009 - 09:38 AM

OK, have returned and have the logs:


DDS (Ver_09-07-30.01) - NTFSx86
Run by Karen Horton at 10:23:29.70 on Sun 09/20/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.332 [GMT -4:00]

AV: AT&T Internet Security Suite AT&T Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer12.exe
C:\Documents and Settings\Karen Horton\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uWindows: load=D:\CDSETUP.EXE
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Network Ready Production Manager] RUNDLL32.EXE, TweakMeUp
mRun: [LXBXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXBXtime.dll,_RunDLLEntry@16
mRun: [lxbxmon.exe] "c:\program files\lexmark 7100 series\lxbxmon.exe"
mRun: [FaxCenterServer4_in_1] "c:\program files\lexmark 7100 series\fm3032.exe" /s
mRun: [<NO NAME>]
mRun: [EzPrint] "c:\program files\lexmark 7100 series\ezprint.exe"
mRun: [QuickFinder Scheduler] "c:\program files\wordperfect office x3\programs\QFSCHD130.EXE"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [ISW.exe] "c:\program files\at&t\internet security wizard\ISW.exe" /AUTORUN
mRun: [AT&T Internet Security Suite] "c:\program files\at&t\at&t internet security suite\Rps.exe"
mRun: [-FreedomNeedsReboot] "c:\program files\at&t\at&t internet security suite\ZkRunOnceR.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\mm\mbam.exe" /runcleanupscript
mRunOnce: [AOLRebootNeeded] regsvr32.exe /s
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\documents and settings\karen horton\my documents\my pictures\kodak photos\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\wordperfect office x3\programs\WPLauncher.hta
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171130318593
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: text/html - {61203230-ab2d-49ec-963e-ce4eff95e450} -
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: cru629.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
S2 Par1284;Par1284;\??\c:\program files\flexisign\program\par1284.sys --> c:\program files\flexisign\program\Par1284.sys [?]
S3 Radialpoint Security Services;AT&T Internet Security Suite;c:\windows\system32\DLLHOST.EXE [2004-8-4 5120]
S3 rr.pif;rr.pif;\??\c:\windows\system32\drivers\rr.pif.sys --> c:\windows\system32\drivers\rr.pif.sys [?]
S3 rr1.pif;rr1.pif;\??\c:\windows\system32\drivers\rr1.pif.sys --> c:\windows\system32\drivers\rr1.pif.sys [?]
S3 rr2.pif;rr2.pif;\??\c:\windows\system32\drivers\rr2.pif.sys --> c:\windows\system32\drivers\rr2.pif.sys [?]
S3 rr3.pif;rr3.pif;\??\c:\windows\system32\drivers\rr3.pif.sys --> c:\windows\system32\drivers\rr3.pif.sys [?]
S3 SaiH0461;SaiH0461;c:\windows\system32\drivers\SaiH0461.sys [2006-12-25 182528]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2005-8-21 10880]

=============== Created Last 30 ================

2009-09-01 22:10 155,648 a------- c:\windows\system32\igfxtray.exe
2009-09-01 21:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-09-01 21:00 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-09-01 21:00 <DIR> --d----- c:\docume~1\karenh~1\applic~1\SUPERAntiSpyware.com
2009-09-01 20:22 2 a------- c:\windows\msoffice.ini
2009-09-01 17:36 55,808 a------- c:\windows\system32\EVENTLOG.DLL
2009-09-01 14:00 <DIR> --dshr-- C:\cmdcons
2009-09-01 13:59 <DIR> --d----- c:\windows\setupupd
2009-09-01 13:57 <DIR> --d----- c:\windows\setup.pss
2009-09-01 13:35 2,855 a------- c:\windows\explorer.PIF
2009-09-01 11:44 46,080 a------- c:\windows\w32kdiag.pif
2009-08-31 21:37 47,466,131 a------- C:\Logfile.CSV
2009-08-31 19:48 1,033,728 a------- c:\windows\explorer21.exe
2009-08-31 17:37 1,033,728 a------- c:\windows\explorer12.exe
2009-08-31 16:22 <DIR> --d----- c:\program files\mm
2009-08-31 11:07 0 a------- c:\windows\TempFile
2009-08-30 22:05 288,417 a------- c:\windows\system32\SrchSTS.exe
2009-08-30 22:05 82,944 a------- c:\windows\system32\IEDFix.C.exe
2009-08-30 22:05 80,384 a------- c:\windows\system32\o4Patch.exe
2009-08-30 22:05 78,336 a------- c:\windows\system32\Agent.OMZ.Fix.exe
2009-08-30 22:05 53,248 a------- c:\windows\system32\Process.exe
2009-08-30 22:03 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-08-30 19:34 2,977,128 a------- C:\Procmon.exe
2009-08-30 19:34 60,652 a------- C:\procmon.chm
2009-08-30 17:39 <DIR> --d----- c:\program files\m
2009-08-30 17:08 3,942,048 a------- C:\mbam-setup.exe
2009-08-30 14:27 <DIR> --d----- c:\docume~1\karenh~1\applic~1\Malwarebytes
2009-08-30 14:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-30 14:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-30 14:27 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-30 14:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-24 20:49 <DIR> a-d----- c:\windows\system32\images
2009-08-24 20:22 46 a------- C:\p2hhr.bat
2009-08-24 20:21 2 a--sh--- C:\-925222893

==================== Find3M ====================

2009-08-05 05:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 05:11 204,800 a------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 09:33 3,597,824 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-19 09:32 6,067,200 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-17 14:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 14:55 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 10,841,088 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-10 09:42 1,315,328 a------- c:\windows\system32\dllcache\msoe.dll
2009-06-29 07:07 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-06-29 07:07 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-29 04:35 634,632 -------- c:\windows\system32\dllcache\iexplore.exe
2009-06-29 04:33 2,452,872 -------- c:\windows\system32\dllcache\ieapfltr.dat
2009-06-29 04:33 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-06-25 04:44 724,480 a------- c:\windows\system32\lsasrv.dll
2009-06-25 04:44 298,496 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:44 168,448 a------- c:\windows\system32\schannel.dll
2009-06-25 04:44 133,632 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:44 59,392 a------- c:\windows\system32\wdigest.dll
2009-06-25 04:44 56,320 a------- c:\windows\system32\secur32.dll
2009-06-25 04:44 724,480 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-06-25 04:44 298,496 -------- c:\windows\system32\dllcache\kerberos.dll
2009-06-25 04:44 168,448 -------- c:\windows\system32\dllcache\schannel.dll
2009-06-25 04:44 133,632 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-06-25 04:44 59,392 -------- c:\windows\system32\dllcache\wdigest.dll
2009-06-25 04:44 56,320 -------- c:\windows\system32\dllcache\secur32.dll
2004-10-01 16:00 40,960 ac------ c:\program files\Uninstall_CDS.exe

============= FINISH: 10:23:49.72 ===============




Most of the issues are as described above but I will hit the highlights of where the system stands now.

Upon bootup the system appears normal, the user login screen (it has fast user switching) appears and the login seems to work fine.

After login the screen is nothing but a blank screen with a cursor.

In order to run anything I have to go to Task Manager and do the run task. I had copied explorer.exe over from an uninfected system, but earlier, before the Dr. Web scans, it would render it unusable with the "access denied" message, so I kept copying explorer as explorer1, explorer2, ... I am currently successfully using explorer12.

The "my computer" icon is the Internet Explorer (Big E) icon.

A quick edit here: I see the rr1, rr2 and rr3 pif files in the log; that was when the infection would render RootRepeal unusable as well...

Let me know what else you need and again THANK YOU for your help!

Art


Edited by Art Guffin, 20 September 2009 - 10:04 AM.


#7 m0le
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 21 September 2009 - 05:24 PM

Hi Art,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

This sounds like a new rootkit which very helpfully terminates any program that searches for it and removes privileges.

Firstly we must check that this is indeed what we are dealing with.

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
m0le is a proud member of UNITE

#8 Auger

Auger
  • Topic Starter

  • Members
  • 83 posts
  • Gender:Male
  • Location:Jackson, GA

Posted 21 September 2009 - 05:56 PM

Thanks m0le,

Here is the log:

Running from: C:\Documents and Settings\Karen Horton\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Karen Horton\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\ASSEMBLY\TEMP\TEMP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ASSEMBLY\TEMP\TEMP

Found mount point : C:\WINDOWS\ASSEMBLY\TMP\TMP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ASSEMBLY\TMP\TMP

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode

Found mount point : C:\WINDOWS\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Desktop\Desktop

Cannot access: C:\WINDOWS\explorer.exe

Attempting to restore permissions of : C:\WINDOWS\explorer.exe

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Found mount point : C:\WINDOWS\IME\CHSIME\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\CHSIME\APPLETS\APPLETS

Found mount point : C:\WINDOWS\IME\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\IME\IMEJP\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMEJP\APPLETS\APPLETS

Found mount point : C:\WINDOWS\IME\IMEJP98\IMEJP98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMEJP98\IMEJP98

Found mount point : C:\WINDOWS\IME\IMJP8_1\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMJP8_1\APPLETS\APPLETS

Found mount point : C:\WINDOWS\IME\IMKR6_1\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMKR6_1\APPLETS\APPLETS

Found mount point : C:\WINDOWS\IME\IMKR6_1\DICTS\DICTS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMKR6_1\DICTS\DICTS

Found mount point : C:\WINDOWS\IME\SHARED\RES\RES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\SHARED\RES\RES

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D9F3ECA14ADC93F4695033C43FA75197\4.94.4\4.94.4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D9F3ECA14ADC93F4695033C43FA75197\4.94.4\4.94.4

Found mount point : C:\WINDOWS\JAVA\CLASSES\CLASSES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\JAVA\CLASSES\CLASSES

Found mount point : C:\WINDOWS\JAVA\TRUSTLIB\TRUSTLIB

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\JAVA\TRUSTLIB\TRUSTLIB

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\MSAPPS\MSINFO\MSINFO

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\MSAPPS\MSINFO\MSINFO

Found mount point : C:\WINDOWS\MUI\MUI

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\MUI\MUI

Found mount point : C:\WINDOWS\PCHEALTH\ErrorRep\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\ErrorRep\UserDumps\UserDumps

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Cannot access: C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\HelpSvc.exe

Attempting to restore permissions of : C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\HelpSvc.exe

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\News\News

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Prefetch\Prefetch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Prefetch\Prefetch

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\10

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\10

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SYSTEM32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\1025\1025

Found mount point : C:\WINDOWS\SYSTEM32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\1028\1028

Found mount point : C:\WINDOWS\SYSTEM32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\1031\1031

Found mount point : C:\WINDOWS\SYSTEM32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\1037\1037

Found mount point : C:\WINDOWS\SYSTEM32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\1041\1041

Found mount point : C:\WINDOWS\SYSTEM32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\1042\1042

Found mount point : C:\WINDOWS\SYSTEM32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\1054\1054

Found mount point : C:\WINDOWS\SYSTEM32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\2052\2052

Found mount point : C:\WINDOWS\SYSTEM32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\3076\3076

Found mount point : C:\WINDOWS\SYSTEM32\3COM_DMI\3COM_DMI

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\3COM_DMI\3COM_DMI

Found mount point : C:\WINDOWS\SYSTEM32\CatRoot_bak\CatRoot_bak

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CatRoot_bak\CatRoot_bak

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\{DFF16927-88E6-4EAA-A097-460B7E65289B}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\{DFF16927-88E6-4EAA-A097-460B7E65289B}

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Jasc Software Inc\Paint Shop Pro Studio\Paint Shop Pro Studio

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Jasc Software Inc\Paint Shop Pro Studio\Paint Shop Pro Studio

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-2881193888-4136277973-715489735-1003\S-1-5-21-2881193888-4136277973-715489735-1003

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-2881193888-4136277973-715489735-1003\S-1-5-21-2881193888-4136277973-715489735-1003

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2881193888-4136277973-715489735-1003\S-1-5-21-2881193888-4136277973-715489735-1003

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2881193888-4136277973-715489735-1003\S-1-5-21-2881193888-4136277973-715489735-1003

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Media Player\Media Player

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Symantec\Symantec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Symantec\Symantec

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Desktop\Desktop

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\BVRP Software\NetWaiting\NetWaiting

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\BVRP Software\NetWaiting\NetWaiting

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-2881193888-4136277973-715489735-1003\S-1-5-21-2881193888-4136277973-715489735-1003

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-2881193888-4136277973-715489735-1003\S-1-5-21-2881193888-4136277973-715489735-1003

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temp\Temp

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\CCWin\Address Book\Address Book

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\CCWin\Address Book\Address Book

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\SYSTEM32\DHCP\DHCP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\DHCP\DHCP

Found mount point : C:\WINDOWS\SYSTEM32\DRIVERS\DISDN\DISDN

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\DRIVERS\DISDN\DISDN

Found mount point : C:\WINDOWS\SYSTEM32\EXPORT\EXPORT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\EXPORT\EXPORT

Found mount point : C:\WINDOWS\SYSTEM32\FxsTmp\FxsTmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\FxsTmp\FxsTmp

Cannot access: C:\WINDOWS\SYSTEM32\hkcmd.exe

Attempting to restore permissions of : C:\WINDOWS\SYSTEM32\hkcmd.exe

Found mount point : C:\WINDOWS\SYSTEM32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\IME\CINTLGNT\CINTLGNT

Found mount point : C:\WINDOWS\SYSTEM32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\IME\PINTLGNT\PINTLGNT

Found mount point : C:\WINDOWS\SYSTEM32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\IME\TINTLGNT\TINTLGNT

Found mount point : C:\WINDOWS\SYSTEM32\INETSRV\INETSRV

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\INETSRV\INETSRV

Found mount point : C:\WINDOWS\SYSTEM32\LogFiles\WUDF\WUDF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\LogFiles\WUDF\WUDF

Cannot access: C:\WINDOWS\SYSTEM32\MRT.exe

Attempting to restore permissions of : C:\WINDOWS\SYSTEM32\MRT.exe

Found mount point : C:\WINDOWS\SYSTEM32\MUI\DISPSPEC\DISPSPEC

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\MUI\DISPSPEC\DISPSPEC

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\ISPSGNUP\ISPSGNUP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\ISPSGNUP\ISPSGNUP

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMCUST\OEMCUST

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMCUST\OEMCUST

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMHW\OEMHW

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMHW\OEMHW

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMREG\OEMREG

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMREG\OEMREG

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\SAMPLE\SAMPLE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\OOBE\SAMPLE\SAMPLE

Found mount point : C:\WINDOWS\SYSTEM32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\SYSTEM32\WBEM\MOF\BAD\BAD

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\WBEM\MOF\BAD\BAD

Found mount point : C:\WINDOWS\SYSTEM32\WBEM\MOF\GOOD\GOOD

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\WBEM\MOF\GOOD\GOOD

Found mount point : C:\WINDOWS\SYSTEM32\WBEM\SNMP\SNMP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\WBEM\SNMP\SNMP

Found mount point : C:\WINDOWS\SYSTEM32\WINS\WINS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\WINS\WINS

Found mount point : C:\WINDOWS\SYSTEM32\XIRCOM\XIRCOM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\XIRCOM\XIRCOM

Found mount point : C:\WINDOWS\Temp\Adobe\Acrobat\6.0\6.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\Adobe\Acrobat\6.0\6.0

Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Found mount point : C:\WINDOWS\Temp\minreq\minreq

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\minreq\minreq

Found mount point : C:\WINDOWS\Temp\SiteAdvisor\SiteAdvisor

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\SiteAdvisor\SiteAdvisor

Found mount point : C:\WINDOWS\Temp\vtid501524\vtid501524

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\vtid501524\vtid501524

Found mount point : C:\WINDOWS\TWAIN_32\ScanWiz\data\data

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TWAIN_32\ScanWiz\data\data

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp



Finished!

One thing to remember is that right now I do not have a desktop, so I just copied this file to the desktop folder using my explorer12 and used Task Manager to execute the command. I do not know if this makes a difference...

Thanks again,

Art
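What the Win32kDiag log above records, as an added triage example that is not part of the thread or of the Win32kDiag tool: a small Python parser for that log format, run here on a constructed excerpt. The `\Device\__max++>\^` destination and the doubled last path component (`...\Prefetch\Prefetch`) are the patterns visible in the posted log; the `\Device\HarddiskVolume2\` entry is a constructed benign junction added for contrast. The "unusual target" rule and the self-named-directory check are heuristics assumed for this example, not something the tool itself reports.

```python
"""Triage parser for Win32kDiag-style logs (added example; not part of the
original thread or of the Win32kDiag tool).  It pulls the "Found mount
point" / "Mount point destination" pairs and the "Cannot access" entries
out of the log and summarises them, so a responder can see at a glance how
many junctions point at the same unusual device object and which
executables had their permissions stripped."""

import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: a trimmed excerpt in the same format as the log posted
# in the thread.  The last junction (HarddiskVolume2) is a constructed benign
# volume mount point so the heuristics have something to leave alone.
SAMPLE_LOG = """\
Running from: C:\\Documents and Settings\\user\\desktop\\win32kdiag.exe
Log file at : C:\\Documents and Settings\\user\\Desktop\\Win32kDiag.txt
Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!
Searching 'C:\\WINDOWS'...

Found mount point : C:\\WINDOWS\\ASSEMBLY\\TEMP\\TEMP
Mount point destination : \\Device\\__max++>\\^
Removing mount point : C:\\WINDOWS\\ASSEMBLY\\TEMP\\TEMP
Found mount point : C:\\WINDOWS\\Prefetch\\Prefetch
Mount point destination : \\Device\\__max++>\\^
Removing mount point : C:\\WINDOWS\\Prefetch\\Prefetch
Cannot access: C:\\WINDOWS\\explorer.exe
Attempting to restore permissions of : C:\\WINDOWS\\explorer.exe
Found mount point : C:\\WINDOWS\\SYSTEM32\\FxsTmp\\FxsTmp
Mount point destination : \\Device\\__max++>\\^
Removing mount point : C:\\WINDOWS\\SYSTEM32\\FxsTmp\\FxsTmp
Cannot access: C:\\WINDOWS\\SYSTEM32\\MRT.exe
Attempting to restore permissions of : C:\\WINDOWS\\SYSTEM32\\MRT.exe
Found mount point : C:\\MountedDisk
Mount point destination : \\Device\\HarddiskVolume2\\
Removing mount point : C:\\MountedDisk
Finished!
"""


@dataclass
class DiagReport:
    mount_points: list = field(default_factory=list)  # (path, destination) pairs
    inaccessible: list = field(default_factory=list)  # files the tool could not open
    warnings: list = field(default_factory=list)      # WARNING: lines verbatim


def parse_win32kdiag(text):
    """Walk the log line by line, pairing each 'Found mount point' with the
    'Mount point destination' line that follows it."""
    report = DiagReport()
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Found mount point : "):
            pending = line[len("Found mount point : "):]
        elif line.startswith("Mount point destination : "):
            dest = line[len("Mount point destination : "):]
            if pending is not None:
                report.mount_points.append((pending, dest))
                pending = None
        elif line.startswith("Cannot access: "):
            report.inaccessible.append(line[len("Cannot access: "):])
        elif line.startswith("WARNING:"):
            report.warnings.append(line)
    return report


# Heuristic (assumption for this example): a legitimate volume mount point or
# junction resolves to a \??\ path or to a real volume device.  Anything else,
# such as the made-up device name in the posted log, deserves a closer look.
NORMAL_TARGET = re.compile(r"^(\\\?\?\\|\\Device\\HarddiskVolume\d+)", re.IGNORECASE)


def is_unusual_target(dest):
    return NORMAL_TARGET.match(dest) is None


def is_self_named(path):
    """True when the junction is a subdirectory named after its own parent
    (e.g. ...\\Prefetch\\Prefetch), the pattern seen throughout the log."""
    parts = [p for p in path.split("\\") if p]
    return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()


def summarize(report):
    by_dest = Counter(dest for _, dest in report.mount_points)
    suspicious = [(p, d) for p, d in report.mount_points
                  if is_unusual_target(d) or is_self_named(p)]
    return {
        "total_mount_points": len(report.mount_points),
        "by_destination": dict(by_dest),
        "suspicious": suspicious,
        "inaccessible_files": list(report.inaccessible),
        "backup_privilege_missing": any("backup privileges" in w for w in report.warnings),
    }


def main():
    summary = summarize(parse_win32kdiag(SAMPLE_LOG))
    print(f"mount points found: {summary['total_mount_points']}")
    for dest, n in summary["by_destination"].items():
        print(f"  {n:3d} -> {dest}")
    print("flagged junctions:")
    for path, dest in summary["suspicious"]:
        print(f"  {path}  =>  {dest}")
    print("files the tool could not access:")
    for path in summary["inaccessible_files"]:
        print(f"  {path}")
    if summary["backup_privilege_missing"]:
        print("note: tool ran without backup privilege; permission repair may be incomplete")


if __name__ == "__main__":
    main()
```

On a full log like the one posted, the "by destination" count is the quickest tell: dozens of junctions in unrelated system directories all resolving to the same non-volume device object is not something Windows or an installer produces. The "Cannot access" list doubles as the set of executables whose ACLs need re-checking after cleanup, which is what the "access denied" errors earlier in the thread were about.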

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 21 September 2009 - 06:24 PM

Okay, we're going to run a removal tool now. I think that the real issues in this PC are system problems but let's see what else there may be.

NB: For desktop read desktop folder :(

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Edited by m0le, 21 September 2009 - 06:25 PM.

m0le is a proud member of UNITE

#10 Auger

Auger
  • Topic Starter

  • Members
  • 83 posts
  • Gender:Male
  • Location:Jackson, GA

Posted 22 September 2009 - 08:00 AM

m0le,

Booted up system this morning to run combofix and lo and behold I had a desktop!!!!

I had not rebooted or anything after last step I had just shut down to await further steps.

There was an error message on the desktop that probably means nothing, but here it is:

"Cannot run D:\CDSetup.exe as specified in registry" (maybe not exact wording)

Then a "Freedom activation" box popped up, but it was blank. I do know Freedom is related to the AT&T Security Suite software that is no longer on the system. When I got the system it had Symantec, McAfee, and ATT directories on it. Right now I do not believe there is a single working antivirus program on it.

Anyway, here is the combofix log:


ComboFix 09-09-21.01 - Karen Horton 09/22/2009 8:29.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.190 [GMT -4:00]
Running from: c:\documents and settings\Karen Horton\Desktop\Combo-Fix.exe
AV: AT&T Internet Security Suite AT&T Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\p2hhr.bat
c:\program files\Shared
c:\windows\desktop
c:\windows\Installer\22a375.msp
c:\windows\Installer\22a37e.msp
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\drivers\fad.sys
c:\windows\system32\eventmgr.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FAD
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-08-22 to 2009-09-22 )))))))))))))))))))))))))))))))
.

2009-09-02 02:10 . 2005-01-23 15:36 155648 ----a-w- c:\windows\system32\igfxtray.exe
2009-09-02 01:00 . 2009-09-02 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-02 01:00 . 2009-09-02 01:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-02 01:00 . 2009-09-02 01:00 -------- d-----w- c:\documents and settings\Karen Horton\Application Data\SUPERAntiSpyware.com
2009-09-01 21:36 . 2004-08-04 10:00 55808 ----a-w- c:\windows\system32\EVENTLOG.DLL
2009-09-01 17:56 . 2009-09-01 17:56 -------- d-----w- c:\documents and settings\Administrator.D92YSZ71\Local Settings\Application Data\Help
2009-09-01 17:35 . 2009-09-01 17:35 2855 ----a-w- c:\windows\explorer.PIF
2009-09-01 15:44 . 2009-09-01 15:41 46080 ----a-w- c:\windows\w32kdiag.pif
2009-08-31 23:48 . 2008-04-14 00:12 1033728 ----a-w- c:\windows\explorer21.exe
2009-08-31 21:37 . 2008-04-14 00:12 1033728 ----a-w- c:\windows\explorer12.exe
2009-08-31 20:22 . 2009-09-01 21:51 -------- d-----w- c:\program files\mm
2009-08-31 02:03 . 2009-08-31 02:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-30 23:34 . 2009-08-12 13:28 2977128 ----a-w- C:\Procmon.exe
2009-08-30 21:39 . 2009-08-30 21:39 -------- d-----w- c:\documents and settings\Administrator.D92YSZ71\Application Data\Malwarebytes
2009-08-30 21:39 . 2009-09-01 22:21 -------- d-----w- c:\program files\m
2009-08-30 21:08 . 2009-08-30 16:09 3942048 ----a-w- C:\mbam-setup.exe
2009-08-30 18:27 . 2009-08-30 18:27 -------- d-----w- c:\documents and settings\Karen Horton\Application Data\Malwarebytes
2009-08-30 18:27 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-30 18:27 . 2009-08-30 18:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-30 18:27 . 2009-08-30 18:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-30 18:27 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-22 12:23 . 2008-05-05 23:32 -------- d-----w- c:\documents and settings\All Users\Application Data\temp
2009-09-02 00:32 . 2008-05-07 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-02 00:31 . 2005-07-26 01:18 -------- d-----w- c:\program files\Common Files\AOL
2009-09-02 00:27 . 2005-07-26 01:11 -------- d-----w- c:\program files\Java
2009-09-02 00:25 . 2005-07-26 01:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-09-02 00:24 . 2005-07-26 01:24 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-02 00:24 . 2005-07-26 01:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-02 00:23 . 2005-07-26 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-09-02 00:23 . 2006-05-12 01:47 -------- d-----w- c:\documents and settings\Karen Horton\Application Data\AOL
2009-09-02 00:20 . 2006-08-14 23:38 -------- d-----w- c:\program files\Yahoo!
2009-09-02 00:19 . 2005-07-26 01:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-09-02 00:16 . 2008-08-06 00:10 -------- d-----w- c:\program files\Google
2009-08-31 16:11 . 2005-08-29 01:54 -------- d-----w- c:\program files\Common Files\Motive
2009-08-25 00:58 . 2008-07-31 23:45 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-08-21 03:03 . 2006-07-04 02:28 -------- d-----w- c:\program files\Lx_cats
2009-08-12 01:13 . 2009-08-12 01:13 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-05 09:11 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 16:05 . 2009-08-04 16:04 -------- d-----w- c:\documents and settings\Karen Horton\Application Data\VTExtra
2009-07-24 17:59 . 2005-08-23 01:30 -------- d-----w- c:\documents and settings\Karen Horton\Application Data\AdobeUM
2009-07-17 18:55 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 10:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2004-08-04 10:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-04 10:00 17408 ------w- c:\windows\system32\corpol.dll
2009-06-25 08:44 . 2004-08-04 10:00 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2004-08-04 10:00 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2004-08-04 10:00 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2004-08-04 10:00 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:44 . 2004-08-04 10:00 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2004-08-04 10:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2004-10-01 20:00 . 2006-12-26 21:21 40960 -c--a-w- c:\program files\Uninstall_CDS.exe
2006-11-09 03:59 . 2005-08-23 02:24 56 -csh--r- c:\windows\SYSTEM32\C927442292.sys
2006-11-11 15:17 . 2005-08-23 02:24 3350 -csha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-07-26 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"LXBXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll" [2004-11-02 69632]
"lxbxmon.exe"="c:\program files\Lexmark 7100 Series\lxbxmon.exe" [2005-01-18 196608]
"FaxCenterServer4_in_1"="c:\program files\Lexmark 7100 Series\fm3032.exe" [2004-12-06 286720]
"EzPrint"="c:\program files\Lexmark 7100 Series\ezprint.exe" [2004-09-17 61440]
"QuickFinder Scheduler"="c:\program files\WordPerfect Office X3\Programs\QFSCHD130.EXE" [2005-12-01 77892]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-24 155648]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ISW.exe"="c:\program files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]
"AT&T Internet Security Suite"="c:\program files\AT&T\AT&T Internet Security Suite\Rps.exe" [2007-06-28 310000]
"-FreedomNeedsReboot"="c:\program files\AT&T\AT&T Internet Security Suite\ZkRunOnceR.exe" [2007-06-28 13552]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Network Ready Production Manager"="RUNDLL32.EXE" - c:\windows\SYSTEM32\RUNDLL32.EXE [2004-08-04 33280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\documents and settings\Karen Horton\My Documents\My Pictures\Kodak Photos\Kodak EasyShare software\bin\EasyShare.exe [2006-6-2 180224]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-9-4 118784]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\windows\system32\onhelp.htm
FriendlyName= tets

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rr1.pif.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rr2.pif.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rr3.pif.sys]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\att-nap\\McciBrowser.exe"=
"c:\\Documents and Settings\\Karen Horton\\My Documents\\My Pictures\\Kodak Photos\\Kodak EasyShare software\\bin\\EasyShare.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundRouterRequest"= 0 (0x0)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
S3 Radialpoint Security Services;AT&T Internet Security Suite;c:\windows\SYSTEM32\DLLHOST.EXE [8/4/2004 6:00 AM 5120]
S3 rr.pif;rr.pif;\??\c:\windows\system32\drivers\rr.pif.sys --> c:\windows\system32\drivers\rr.pif.sys [?]
S3 rr1.pif;rr1.pif;\??\c:\windows\system32\drivers\rr1.pif.sys --> c:\windows\system32\drivers\rr1.pif.sys [?]
S3 rr2.pif;rr2.pif;\??\c:\windows\system32\drivers\rr2.pif.sys --> c:\windows\system32\drivers\rr2.pif.sys [?]
S3 rr3.pif;rr3.pif;\??\c:\windows\system32\drivers\rr3.pif.sys --> c:\windows\system32\drivers\rr3.pif.sys [?]
S3 SaiH0461;SaiH0461;c:\windows\SYSTEM32\DRIVERS\SaiH0461.sys [12/25/2006 1:43 PM 182528]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
S3 scsiscan;SCSI Scanner Driver;c:\windows\SYSTEM32\DRIVERS\scsiscan.sys [8/21/2005 3:13 PM 10880]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-AOLDialer - c:\program files\Common Files\AOL\ACS\AOLDial.exe
AddRemove-FlexiLETTER Uninstall - c:\fl55\DeIsL1.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-22 08:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXBXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2881193888-4136277973-715489735-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2068)
c:\windows\system32\WININET.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\WSCNTFY.EXE
c:\windows\SYSTEM32\lxbxcoms.exe
c:\program files\AT&T\AT&T Internet Security Suite\NetCnMnR.exe
.
**************************************************************************
.
Completion time: 2009-09-22 8:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-22 12:45

Pre-Run: 24,959,012,864 bytes free
Post-Run: 24,915,476,480 bytes free

249 --- E O F --- 2009-08-26 22:48




Thanks again,

Art

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 22 September 2009 - 04:24 PM

Okay, we need to rerun ComboFix to remove the rest. We can also shift out the AT&T security suite (or what's left of it).

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\explorer21.exe
c:\windows\explorer12.exe
c:\windows\system32\drivers\rr.pif.sys
c:\windows\system32\drivers\rr1.pif.sys
c:\windows\system32\drivers\rr2.pif.sys
c:\windows\system32\drivers\rr3.pif.sys

Folder::
c:\program files\AT&T

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AT&T Internet Security Suite"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"-FreedomNeedsReboot"=-

Driver::
rr.pif
rr1.pif
rr2.pif
rr3.pif


Save this as CFScript.txt, in the same location as ComboFix.exe


[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Thanks :(
m0le is a proud member of UNITE

#12 Auger

Auger
  • Topic Starter

  • Members
  • 83 posts
  • Gender:Male
  • Location:Jackson, GA

Posted 22 September 2009 - 05:43 PM

Thanks m0le,

Here is the log:

ComboFix 09-09-21.01 - Karen Horton 09/22/2009 18:26.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.265 [GMT -4:00]
Running from: c:\documents and settings\Karen Horton\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Karen Horton\Desktop\cfscript.txt
AV: AT&T Internet Security Suite AT&T Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}

FILE ::
"c:\windows\explorer12.exe"
"c:\windows\explorer21.exe"
"c:\windows\system32\drivers\rr.pif.sys"
"c:\windows\system32\drivers\rr1.pif.sys"
"c:\windows\system32\drivers\rr2.pif.sys"
"c:\windows\system32\drivers\rr3.pif.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AT&T
c:\program files\AT&T\AT&T Internet Security Suite\ActDtcR.dll
c:\program files\AT&T\AT&T Internet Security Suite\AdblockR.dll
c:\program files\AT&T\AT&T Internet Security Suite\AntiFR.dll
c:\program files\AT&T\AT&T Internet Security Suite\AppR.exe
c:\program files\AT&T\AT&T Internet Security Suite\AVCntxtR.dll
c:\program files\AT&T\AT&T Internet Security Suite\BckUpR.dll
c:\program files\AT&T\AT&T Internet Security Suite\BsLR.dll
c:\program files\AT&T\AT&T Internet Security Suite\BsnsLgcR.dll
c:\program files\AT&T\AT&T Internet Security Suite\BsR.dll
c:\program files\AT&T\AT&T Internet Security Suite\clbr.dll
c:\program files\AT&T\AT&T Internet Security Suite\CleanerR.dll
c:\program files\AT&T\AT&T Internet Security Suite\ClntpR.dll
c:\program files\AT&T\AT&T Internet Security Suite\CookieR.dll
c:\program files\AT&T\AT&T Internet Security Suite\CstmUIR.dll
c:\program files\AT&T\AT&T Internet Security Suite\dbghelp.dll
c:\program files\AT&T\AT&T Internet Security Suite\DgR.exe
c:\program files\AT&T\AT&T Internet Security Suite\DInetR.dll
c:\program files\AT&T\AT&T Internet Security Suite\dlgr.dll
c:\program files\AT&T\AT&T Internet Security Suite\FileScannerR.dll
c:\program files\AT&T\AT&T Internet Security Suite\FireR.dll
c:\program files\AT&T\AT&T Internet Security Suite\FreeSCR.dll
c:\program files\AT&T\AT&T Internet Security Suite\Fws.exe
c:\program files\AT&T\AT&T Internet Security Suite\gdiplus.dll
c:\program files\AT&T\AT&T Internet Security Suite\GUIR.dll
c:\program files\AT&T\AT&T Internet Security Suite\IdxClnR.exe
c:\program files\AT&T\AT&T Internet Security Suite\inhR.dll
c:\program files\AT&T\AT&T Internet Security Suite\LbZkTstR.dll
c:\program files\AT&T\AT&T Internet Security Suite\libbz2R.dll
c:\program files\AT&T\AT&T Internet Security Suite\LibZkR.dll
c:\program files\AT&T\AT&T Internet Security Suite\NetCnMnR.exe
c:\program files\AT&T\AT&T Internet Security Suite\OemLibR.dll
c:\program files\AT&T\AT&T Internet Security Suite\OemRepair.exe
c:\program files\AT&T\AT&T Internet Security Suite\PacketR.dll
c:\program files\AT&T\AT&T Internet Security Suite\ParntalR.dll
c:\program files\AT&T\AT&T Internet Security Suite\patch15729MfcUI.exe
c:\program files\AT&T\AT&T Internet Security Suite\PersistR.dll
c:\program files\AT&T\AT&T Internet Security Suite\pkR.dll
c:\program files\AT&T\AT&T Internet Security Suite\PktShimR.dll
c:\program files\AT&T\AT&T Internet Security Suite\Product.ico
c:\program files\AT&T\AT&T Internet Security Suite\ProxiesR.dll
c:\program files\AT&T\AT&T Internet Security Suite\PrtlAgt.exe
c:\program files\AT&T\AT&T Internet Security Suite\QuaranR.dll
c:\program files\AT&T\AT&T Internet Security Suite\ReportR.dll
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\App_Rsrc.dll
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\ATl_Rsrc.dll
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\BsL_Rsrc.dll
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\BTl_Rsrc.dll
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\Ckit\ProductUi\Backup.ico
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\Ckit\ProductUi\Diagnostics.ico
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\Ckit\ProductUi\EmailScanFrame1.ico
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\Ckit\ProductUi\EmailScanFrame2.ico
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\Ckit\ProductUi\EmailScanFrame3.ico
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\Ckit\ProductUi\EmailScanFrame4.ico
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\Ckit\ProductUi\parental.ico
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\Ckit\ProductUi\parental_biz.ico
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\Ckit\ProductUi\Parental_buddy.ico
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\Ckit\ProductUi\Parental_buddy_config.ico
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\Ckit\ProductUi\Parental_buddy_info.ico
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\Ckit\ProductUi\parental_warning.ico
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\Ckit\ProductUi\Parental_Warning_BIZ.ico
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\Ckit\ProductUi\Performance.ico
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\Ckit\ProductUi\product.ico
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\Ckit\ProductUi\Setup.ico
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\Ckit\ProductUi\spyware.ico
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\Ckit\ProductUi\Virus.ico
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\ClB_Rsrc.dll
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\Dg_Rsrc.dll
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\Dlg_Rsrc.dll
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\FTl_Rsrc.dll
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\Fws_Rsrc.dll
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\GUI_Rsrc.dll
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\htl_Rsrc.dll
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\inh_Rsrc.dll
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\Perftl_Rsrc.dll
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\Ptl_Rsrc.dll
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\RPS_Rsrc.dll
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\ScnClean_Rsrc.dll
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\sm.ico
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\Stl_Rsrc.dll
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\TCg_Rsrc.dll
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\TGN_Rsrc.dll
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\virus.ico
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\Vtl_Rsrc.dll
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\warning.ico
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\Wtl_Rsrc.dll
c:\program files\AT&T\AT&T Internet Security Suite\resources\zk_en_US\ZKU_Rsrc.dll
c:\program files\AT&T\AT&T Internet Security Suite\RPS.exe
c:\program files\AT&T\AT&T Internet Security Suite\rpsupdaterr.exe
c:\program files\AT&T\AT&T Internet Security Suite\SchedR.dll
c:\program files\AT&T\AT&T Internet Security Suite\ScnClean.exe
c:\program files\AT&T\AT&T Internet Security Suite\SecurityAwareCOM.dll
c:\program files\AT&T\AT&T Internet Security Suite\SecurityAwareCOMInstaller.exe
c:\program files\AT&T\AT&T Internet Security Suite\SecurityAwareCOMPS.dll
c:\program files\AT&T\AT&T Internet Security Suite\SecurityAwareLIBR.dll
c:\program files\AT&T\AT&T Internet Security Suite\ServiceR.dll
c:\program files\AT&T\AT&T Internet Security Suite\Setup.cfg
c:\program files\AT&T\AT&T Internet Security Suite\SktShimR.dll
c:\program files\AT&T\AT&T Internet Security Suite\spywareR.dll
c:\program files\AT&T\AT&T Internet Security Suite\SrvcModR.dll
c:\program files\AT&T\AT&T Internet Security Suite\StarBurn.dll
c:\program files\AT&T\AT&T Internet Security Suite\SwchMonR.exe
c:\program files\AT&T\AT&T Internet Security Suite\TCgR.dll
c:\program files\AT&T\AT&T Internet Security Suite\TGNR.dll
c:\program files\AT&T\AT&T Internet Security Suite\Tool\ATlR.dll
c:\program files\AT&T\AT&T Internet Security Suite\Tool\BTlR.dll
c:\program files\AT&T\AT&T Internet Security Suite\Tool\FTlR.dll
c:\program files\AT&T\AT&T Internet Security Suite\Tool\HTlR.dll
c:\program files\AT&T\AT&T Internet Security Suite\Tool\PerfTlR.dll
c:\program files\AT&T\AT&T Internet Security Suite\Tool\PTlR.dll
c:\program files\AT&T\AT&T Internet Security Suite\Tool\STlR.dll
c:\program files\AT&T\AT&T Internet Security Suite\Tool\VTlR.dll
c:\program files\AT&T\AT&T Internet Security Suite\Tool\WTlR.dll
c:\program files\AT&T\AT&T Internet Security Suite\TTInfoR.dll
c:\program files\AT&T\AT&T Internet Security Suite\UpdMgrR.dll
c:\program files\AT&T\AT&T Internet Security Suite\VirusR.dll
c:\program files\AT&T\AT&T Internet Security Suite\WordScnR.dll
c:\program files\AT&T\AT&T Internet Security Suite\XceedZip.dll
c:\program files\AT&T\AT&T Internet Security Suite\zkrunoncer.exe
c:\program files\AT&T\AT&T Internet Security Suite\ZKUR.dll
c:\program files\AT&T\Internet Security Wizard\ISW.exe
c:\program files\AT&T\Internet Security Wizard\ISWComHandler.exe
c:\program files\AT&T\Internet Security Wizard\log4cplus.properties
c:\program files\AT&T\Internet Security Wizard\resources\application.ico
c:\program files\AT&T\Internet Security Wizard\RpSpaWshComAgent.dll
c:\program files\AT&T\Internet Security Wizard\StopATTInternetSecurityWizard.exe
c:\program files\AT&T\Internet Security Wizard\unins000.exe
c:\windows\explorer12.exe
c:\windows\explorer21.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RR.PIF
-------\Legacy_RR1.PIF
-------\Legacy_RR2.PIF
-------\Legacy_RR3.PIF
-------\Service_rr.pif
-------\Service_rr1.pif
-------\Service_rr2.pif
-------\Service_rr3.pif
-------\Legacy_RP_FWS
-------\Legacy_RPSUpdaterR
-------\Service_RP_FWS
-------\Service_RPSUpdaterR


((((((((((((((((((((((((( Files Created from 2009-08-22 to 2009-09-22 )))))))))))))))))))))))))))))))
.

2009-09-02 02:10 . 2005-01-23 15:36 155648 ----a-w- c:\windows\system32\igfxtray.exe
2009-09-02 01:00 . 2009-09-02 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-02 01:00 . 2009-09-02 01:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-02 01:00 . 2009-09-02 01:00 -------- d-----w- c:\documents and settings\Karen Horton\Application Data\SUPERAntiSpyware.com
2009-09-01 21:36 . 2004-08-04 10:00 55808 ------w- c:\windows\system32\EVENTLOG.DLL
2009-09-01 17:56 . 2009-09-01 17:56 -------- d-----w- c:\documents and settings\Administrator.D92YSZ71\Local Settings\Application Data\Help
2009-09-01 17:35 . 2009-09-01 17:35 2855 ----a-w- c:\windows\explorer.PIF
2009-09-01 15:44 . 2009-09-01 15:41 46080 ----a-w- c:\windows\w32kdiag.pif
2009-08-31 20:22 . 2009-09-01 21:51 -------- d-----w- c:\program files\mm
2009-08-31 02:03 . 2009-08-31 02:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-30 23:34 . 2009-08-12 13:28 2977128 ----a-w- C:\Procmon.exe
2009-08-30 21:39 . 2009-08-30 21:39 -------- d-----w- c:\documents and settings\Administrator.D92YSZ71\Application Data\Malwarebytes
2009-08-30 21:39 . 2009-09-01 22:21 -------- d-----w- c:\program files\m
2009-08-30 21:08 . 2009-08-30 16:09 3942048 ----a-w- C:\mbam-setup.exe
2009-08-30 18:27 . 2009-08-30 18:27 -------- d-----w- c:\documents and settings\Karen Horton\Application Data\Malwarebytes
2009-08-30 18:27 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-30 18:27 . 2009-08-30 18:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-30 18:27 . 2009-08-30 18:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-30 18:27 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-22 22:21 . 2008-05-05 23:32 -------- d-----w- c:\documents and settings\All Users\Application Data\temp
2009-09-02 00:32 . 2008-05-07 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-02 00:31 . 2005-07-26 01:18 -------- d-----w- c:\program files\Common Files\AOL
2009-09-02 00:27 . 2005-07-26 01:11 -------- d-----w- c:\program files\Java
2009-09-02 00:25 . 2005-07-26 01:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-09-02 00:24 . 2005-07-26 01:24 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-02 00:24 . 2005-07-26 01:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-02 00:23 . 2005-07-26 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-09-02 00:23 . 2006-05-12 01:47 -------- d-----w- c:\documents and settings\Karen Horton\Application Data\AOL
2009-09-02 00:20 . 2006-08-14 23:38 -------- d-----w- c:\program files\Yahoo!
2009-09-02 00:19 . 2005-07-26 01:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-09-02 00:16 . 2008-08-06 00:10 -------- d-----w- c:\program files\Google
2009-08-31 16:11 . 2005-08-29 01:54 -------- d-----w- c:\program files\Common Files\Motive
2009-08-25 00:58 . 2008-07-31 23:45 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-08-21 03:03 . 2006-07-04 02:28 -------- d-----w- c:\program files\Lx_cats
2009-08-12 01:13 . 2009-08-12 01:13 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-05 09:11 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 16:05 . 2009-08-04 16:04 -------- d-----w- c:\documents and settings\Karen Horton\Application Data\VTExtra
2009-07-17 18:55 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 10:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2004-08-04 10:00 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-04 10:00 17408 ------w- c:\windows\system32\corpol.dll
2009-06-25 08:44 . 2004-08-04 10:00 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2004-08-04 10:00 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2004-08-04 10:00 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2004-08-04 10:00 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:44 . 2004-08-04 10:00 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2004-08-04 10:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2004-10-01 20:00 . 2006-12-26 21:21 40960 -c--a-w- c:\program files\Uninstall_CDS.exe
2006-11-09 03:59 . 2005-08-23 02:24 56 -csh--r- c:\windows\SYSTEM32\C927442292.sys
2006-11-11 15:17 . 2005-08-23 02:24 3350 -csha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-07-26 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"LXBXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll" [2004-11-02 69632]
"lxbxmon.exe"="c:\program files\Lexmark 7100 Series\lxbxmon.exe" [2005-01-18 196608]
"FaxCenterServer4_in_1"="c:\program files\Lexmark 7100 Series\fm3032.exe" [2004-12-06 286720]
"EzPrint"="c:\program files\Lexmark 7100 Series\ezprint.exe" [2004-09-17 61440]
"QuickFinder Scheduler"="c:\program files\WordPerfect Office X3\Programs\QFSCHD130.EXE" [2005-12-01 77892]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-24 155648]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Network Ready Production Manager"="RUNDLL32.EXE" - c:\windows\SYSTEM32\RUNDLL32.EXE [2004-08-04 33280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\documents and settings\Karen Horton\My Documents\My Pictures\Kodak Photos\Kodak EasyShare software\bin\EasyShare.exe [2006-6-2 180224]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-9-4 118784]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\windows\system32\onhelp.htm
FriendlyName= tets

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rr1.pif.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rr2.pif.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rr3.pif.sys]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\att-nap\\McciBrowser.exe"=
"c:\\Documents and Settings\\Karen Horton\\My Documents\\My Pictures\\Kodak Photos\\Kodak EasyShare software\\bin\\EasyShare.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundRouterRequest"= 0 (0x0)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
S3 Radialpoint Security Services;AT&T Internet Security Suite;c:\windows\SYSTEM32\DLLHOST.EXE [8/4/2004 6:00 AM 5120]
S3 SaiH0461;SaiH0461;c:\windows\SYSTEM32\DRIVERS\SaiH0461.sys [12/25/2006 1:43 PM 182528]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
S3 scsiscan;SCSI Scanner Driver;c:\windows\SYSTEM32\DRIVERS\scsiscan.sys [8/21/2005 3:13 PM 10880]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ISW.exe - c:\program files\AT&T\Internet Security Wizard\ISW.exe
AddRemove-RadialpointClientGateway_is1 - c:\program files\AT&T\Internet Security Wizard\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-22 18:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXBXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2881193888-4136277973-715489735-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1400)
c:\windows\system32\WININET.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\WSCNTFY.EXE
c:\windows\SYSTEM32\lxbxcoms.exe
.
**************************************************************************
.
Completion time: 2009-09-22 18:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-22 22:39
ComboFix2.txt 2009-09-22 12:45

Pre-Run: 24,917,278,720 bytes free
Post-Run: 24,844,451,840 bytes free

346 --- E O F --- 2009-08-26 22:48


Art

#13 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 22 September 2009 - 06:13 PM

Okay, that's good so far. :(

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad. Save it to your desktop (click File, Save As) as fixit.reg. In the same Save As window, at the bottom, select: (filetype = any).

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rr1.pif.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rr2.pif.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rr3.pif.sys]

NOTICE: This file was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Locate fixit.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

Please reply back letting me know if it merged correctly.


Now let's run MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Thanks :(
m0le is a proud member of UNITE
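As an added check that is not part of m0le's instructions and not the output of any tool named in this thread: the fixit.reg above deletes three entries under SafeBoot\Minimal, the key that lists which drivers and services Windows is allowed to load in Safe Mode. A stray entry there is one way a malicious driver keeps loading even when the machine is booted into Safe Mode for cleaning, and the three names in the ComboFix log (rr1.pif.sys, rr2.pif.sys, rr3.pif.sys) had an empty default value and no matching service, which no legitimate entry has. The PowerShell below confirms the merge removed them and lists any other entry with that pattern for manual review. The key path and the three names are from the log; the function names are this example's own, and it assumes PowerShell 2.0 or later run from an elevated console.

```powershell
# Added example (not from the thread or any tool named in it): verify the SafeBoot\Minimal
# clean-up from fixit.reg.  Assumes PowerShell 2.0+ in an elevated console.
# Key path and the three suspect names are taken from the ComboFix log in this thread.
$SafeBootMinimal = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'
$ServicesKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$SuspectEntries  = @('rr1.pif.sys', 'rr2.pif.sys', 'rr3.pif.sys')

function Get-SafeBootEntry {
    # One object per subkey: the entry name, its (default) value, and whether a
    # service or driver of the same name is registered under ...\Services.
    Get-ChildItem -Path $SafeBootMinimal | ForEach-Object {
        $name  = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath
        New-Object -TypeName PSObject -Property @{
            Name          = $name
            Default       = [string]$props.'(default)'
            HasServiceKey = Test-Path -Path (Join-Path $ServicesKey $name)
        }
    }
}

function Test-SafeBootCleanup {
    # Returns the suspect names still present; no output means the .reg merge removed them.
    $present = Get-SafeBootEntry | ForEach-Object { $_.Name }
    $SuspectEntries | Where-Object { $present -contains $_ }
}

function Find-UnusualSafeBootEntry {
    # Legitimate entries are device class GUIDs, load-order groups ("Driver Group"), or
    # "Driver"/"Service" entries that have a matching Services key.  Anything else matches
    # the pattern of the rr*.pif.sys entries.  Output is for review, not automatic deletion.
    Get-SafeBootEntry | Where-Object {
        $_.Name -notmatch '^\{[0-9A-Fa-f-]+\}$' -and
        $_.Default -ne 'Driver Group' -and
        ((@('Driver', 'Service') -notcontains $_.Default) -or -not $_.HasServiceKey)
    }
}

$left = @(Test-SafeBootCleanup)
if ($left.Count -eq 0) {
    Write-Output 'rr1/rr2/rr3 .pif.sys entries are no longer under SafeBoot\Minimal.'
} else {
    Write-Output ('Still present under SafeBoot\Minimal: ' + ($left -join ', '))
}
Write-Output 'Other SafeBoot\Minimal entries worth a manual look:'
Find-UnusualSafeBootEntry | Format-Table Name, Default, HasServiceKey -AutoSize
```

Back the registry up first (ERUNT, as the post says); the script only reads the registry, but the review list it prints is input for a human decision, not something to feed back into a .reg file unchecked.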

#14 Auger
  • Topic Starter
  • Members
  • 83 posts
  • Gender:Male
  • Location:Jackson, GA

Posted 22 September 2009 - 08:05 PM

OK m0le,

Registry backed up successfully

Registry keys merged

Malwarebytes ran and found 1 trojan downloader, reboot required to remove.

Mwb log:

Malwarebytes' Anti-Malware 1.41
Database version: 2845
Windows 5.1.2600 Service Pack 2

9/22/2009 8:46:22 PM
mbam-log-2009-09-22 (20-46-22).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 144151
Time elapsed: 35 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{8DFCCBD8-C59E-4FBB-B6D9-1D8356D0FBFA}\RP1012\A0090289.nfo (Trojan.Downloader) -> Quarantined and deleted successfully.


I might be getting ahead of ourselves here but I did notice that there were a few directories that still had "locked" files in there. They were the directories that I was using to remove the original infection and used to run dds, rootrepeal and malwarebytes. I noticed it when I tried to run Malwarebytes and it is installed in 3 directories, disabled in 2 of them.

The directories are:

C:\program files\malwarebytes' anti-malware (access denied)
C:\program files\m (access denied)
C:\program files\mm (malwarebytes runs but other locked files in there)

Anyway, not doing anything on my own here, just thought I'd bring that up...

Thanks again!

Art

#15 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 23 September 2009 - 05:07 PM

The directories are:

C:\program files\malwarebytes' anti-malware (access denied)
C:\program files\m (access denied)
C:\program files\mm (malwarebytes runs but other locked files in there)


Are the "m" or "mm" folders known to you? Might be worth checking what's there.


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :Dir
    C:\program files\m 
    C:\program files\mm
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


In the meantime let's continue with the clean-up

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]
Thanks :(
m0le is a proud member of UNITE
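The SystemLook :Dir request above produces a plain listing of the two folders. As an added example that is not SystemLook's output and not part of m0le's instructions, the PowerShell below does the equivalent listing for all three folders Art reported, and adds the two things that explain an "access denied" on a folder under Program Files: the folder owner and any explicit Deny entries in its ACL. The folder paths are the ones from the thread; the function name is this example's own, and it assumes PowerShell 2.0 or later run as an administrator.

```powershell
# Added example (not SystemLook output, not part of the thread's instructions): inventory the
# three Program Files folders named in the thread and show why access may be denied.
# Assumes PowerShell 2.0+ run as an administrator; folder paths come from the thread.
$Folders = @(
    "C:\Program Files\Malwarebytes' Anti-Malware",
    'C:\Program Files\m',
    'C:\Program Files\mm'
)

function Get-FolderInventory {
    param([string]$Path)
    $result = New-Object -TypeName PSObject -Property @{
        Path = $Path; Exists = (Test-Path -LiteralPath $Path)
        Owner = $null; Entries = @(); DenyAces = @(); Error = $null
    }
    if (-not $result.Exists) { return $result }

    # Listing: -Force includes hidden and system files, which is where locked leftovers sit.
    try {
        $result.Entries = @(Get-ChildItem -LiteralPath $Path -Force -ErrorAction Stop |
            ForEach-Object {
                New-Object -TypeName PSObject -Property @{
                    Name       = $_.Name
                    IsFolder   = $_.PSIsContainer
                    Length     = $(if ($_.PSIsContainer) { $null } else { $_.Length })
                    LastWrite  = $_.LastWriteTime
                    Attributes = $_.Attributes.ToString()
                }
            })
    } catch {
        $result.Error = $_.Exception.Message   # e.g. "Access to the path '...' is denied."
    }

    # ACL: an explicit Deny for Everyone/Users, or an owner that is not Administrators or
    # SYSTEM, explains "access denied" better than the directory listing alone.
    try {
        $acl = Get-Acl -Path $Path
        $result.Owner    = $acl.Owner
        $result.DenyAces = @($acl.Access |
            Where-Object { $_.AccessControlType -eq 'Deny' } |
            ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" })
    } catch {
        if (-not $result.Error) { $result.Error = $_.Exception.Message }
    }
    return $result
}

foreach ($folder in $Folders) {
    $inv = Get-FolderInventory -Path $folder
    Write-Output ('== {0} (exists: {1}, owner: {2})' -f $inv.Path, $inv.Exists, $inv.Owner)
    if ($inv.Error)          { Write-Output ('   error: ' + $inv.Error) }
    if ($inv.DenyAces.Count) { Write-Output ('   explicit Deny ACEs: ' + ($inv.DenyAces -join '; ')) }
    $inv.Entries | Format-Table Name, IsFolder, Length, LastWrite, Attributes -AutoSize
}
```

The script only reads; it does not change permissions or delete anything. If a folder shows a Deny entry or an unexpected owner, that is the information to post alongside the SystemLook log rather than something to fix by hand mid-cleanup.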
