Pervasive Root Kit Infection


16 replies to this topic

#1 JohnK2374

Posted 15 September 2009 - 11:11 PM

Was told by a BP moderator that I have a root kit and I would need to post the DDS and RootRepeal Logs in this forum to get help removing this malware.

I ran the DDS logs, which are attached below, but RootRepeal would start to run, then simply disappear. Here are the DDS Log and attachment file:


DDS (Ver_09-07-30.01) - NTFSx86
Run by John at 23:28:38.51 on Tue 09/15/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uWindow Title = Microsoft Internet Explorer provided by Comcast
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://search.msn.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = www.yahoo.com
mDefault_Page_URL = hxxp://www.yahoo.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: H - No File
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: c:\windows\system32\ygsuhdf83id.dll: {ba603215-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\ygsuhdf83id.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - c:\program files\comcasttb\comcastdx.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ComcastAntispyClient] "c:\program files\comcasttb\comcastspywarescan\ComcastAntispy.exe" /hide
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [<NO NAME>]
mRun: [VAIO Recovery] "c:\windows\sonysys\vaio recovery\PartSeal.exe"
mRun: [QuickFinder Scheduler] "c:\program files\corel\wordperfect office 2002\programs\QFSCHD100.EXE"
mRun: [BJCFD] "c:\program files\broadjump\client foundation\CFD.exe"
mRun: [ROVATray] "c:\program files\rova\rovatray.exe"
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [Microsoft Works Update Detection] "c:\program files\common files\microsoft shared\works shared\WkUFind.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [braviax] c:\windows\system32\braviax.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
dRun: [PopRock] c:\windows\temp\b.exe
dRun: [braviax] c:\windows\system32\braviax.exe
dRun: [Login Software 2009] c:\windows\temp\hx0fl2q2x.exe
dRun: [Windows System Recover!] c:\windows\temp\win.exe
uPolicies-explorer: SpecifyDefaultButtons = 0 (0x0)
uPolicies-explorer: NoActiveDesktop = 1 (0x1)
uPolicies-system: EnableProfileQuota = 1 (0x1)
mPolicies-explorer: <NO NAME> =
dPolicies-explorer: EditLevel = 0 (0x0)
dPolicies-explorer: NoCommonGroups = 0 (0x0)
dPolicies-explorer: NoActiveDesktop = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &Viewpoint Search - c:\program files\viewpoint\viewpoint toolbar\ViewBar.dll/CXTSEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C}
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {33363249-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/i263_32.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,73/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} - hxxps://qds1.qdsremote.com/cabs/ActiveXViewer.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: cbXNFywv - cbXNFywv.dll
Notify: igfxcui - igfxsrvc.dll
Notify: qoMfgDtU - qoMfgDtU.dll
Notify: qomnmll - qomnmll.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\ygsuhdf83id.dll: {ba603215-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\ygsuhdf83id.dll
{e23136a1-1ac4-4d1b-926f-5d537cfff359}
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll, mcenspc.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-09-15 10:16 15,000 a------- c:\windows\system32\ygsuhdf83id.dll
2009-09-15 10:11 224,772 a------- c:\windows\system32\msxml71.dll
2009-09-13 00:24 389,120 a------- c:\windows\system32\cmd.execf
2009-09-11 00:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Drivers HeadQuarters
2009-09-11 00:56 <DIR> --d----- c:\program files\PC Drivers HeadQuarters
2009-09-08 18:17 25,088 a------- c:\windows\system32\tapi.nfo
2009-09-08 18:16 0 a------- c:\windows\system32\drivers\724c29a6.sys
2009-09-08 18:16 46 ac------ C:\p2hhr.bat
2009-09-08 18:15 <DIR> --dsh--- c:\windows\system32\lowsec
2009-09-08 18:15 15,000 a------- c:\windows\system32\tajf83ikdmf.dll
2009-09-08 18:15 22,016 ac------ C:\udtcnn.exe
2009-09-08 18:15 17,920 ac------ C:\fjmpqp.exe
2009-09-08 18:15 68,608 ac------ C:\scmhux.exe
2009-09-08 18:15 9,728 ac------ C:\kqbvc.exe
2009-09-08 18:15 182,896 a------- c:\windows\system32\wisdstr.exe
2009-09-08 18:15 4,224 ac------ c:\windows\system32\dllcache\beep.sys
2009-09-08 18:15 4,224 a------- c:\windows\system32\drivers\beep.sys
2009-09-08 18:15 11,776 a------- c:\windows\system32\braviax.exe
2009-09-08 18:15 76,288 a------- c:\windows\system32\~.exe
2009-09-08 17:55 4 a------- c:\windows\system32\bincd32.dat
2009-09-08 17:37 1,382 a------- c:\windows\system32\onhelp.htm
2009-09-08 17:23 4 a------- c:\windows\ppp3.dat
2009-09-08 17:23 87 a------- c:\windows\system32\sonhelp.htm

==================== Find3M ====================

2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-08-12 21:11 389,120 a------- c:\windows\system32\CF16640.exe
2009-08-11 23:49 389,120 a------- c:\windows\system32\CF27573.exe
2009-08-09 23:18 56 ac-sh--- C:\redir.sys
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-30 00:23 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-06-29 12:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 12:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 12:12 17,408 a------- c:\windows\system32\corpol.dll
2009-05-26 23:20 120,104 ac------ c:\docume~1\john\applic~1\GDIPFONTCACHEV1.DAT
2008-10-21 01:06 18,342 a------- c:\program files\common files\gusuh.pif
2008-10-21 01:06 13,161 a------- c:\program files\common files\wocim.dl
2008-10-21 01:06 11,894 a------- c:\program files\common files\woba.com
2008-10-21 01:06 11,422 a------- c:\docume~1\john\applic~1\ajemopuzy.dat
2008-10-21 01:06 10,177 a------- c:\program files\common files\tihupoc._dl
2008-10-21 00:52 18,311 a------- c:\docume~1\alluse~1\applic~1\ijyqaw.com
2008-10-21 00:52 17,152 a------- c:\program files\common files\ibucacy.dll
2008-10-21 00:52 14,701 a------- c:\docume~1\john\applic~1\ovyko.sys
2008-10-21 00:52 11,768 a------- c:\docume~1\john\applic~1\dolymyhab.bat
2008-10-21 00:52 11,750 a------- c:\program files\common files\ofaf.sys
2008-10-21 00:52 11,738 a------- c:\program files\common files\ezuvuhot.vbs
2008-10-21 00:52 10,541 a------- c:\docume~1\john\applic~1\topame.vbs
2008-10-19 22:17 19,835 a------- c:\docume~1\alluse~1\applic~1\vizejy.reg
2008-10-19 22:17 19,833 a------- c:\docume~1\alluse~1\applic~1\ugywuwyg.scr
2008-10-19 22:17 19,794 a------- c:\program files\common files\idurova.scr
2008-10-19 22:17 17,154 a------- c:\docume~1\john\applic~1\ylikoxi.vbs
2008-10-19 22:17 16,159 a------- c:\docume~1\john\applic~1\emofyba.dat
2008-10-19 22:17 15,819 a------- c:\docume~1\alluse~1\applic~1\bisogu.sys
2008-10-19 22:17 12,908 a------- c:\docume~1\alluse~1\applic~1\qiqyxed.sys
2008-10-19 22:17 11,018 a------- c:\docume~1\alluse~1\applic~1\awypu.com
2008-10-19 22:17 10,855 a------- c:\docume~1\john\applic~1\sabafices.scr
2008-03-13 00:01 87,608 ac------ c:\docume~1\john\applic~1\inst.exe
2008-03-13 00:01 47,360 ac------ c:\docume~1\john\applic~1\pcouffin.sys
2007-04-05 18:41 87,608 ac------ c:\docume~1\john\applic~1\ezpinst.exe
2005-09-20 18:05 9,516,504 a------- c:\documents and settings\john\DesktopDoctor1.0.exe
2001-06-23 08:29 11,776 ac------ c:\program files\OfficeXP30daysTrialActivatorV10.exe

============= FINISH: 23:36:05.48 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 4/19/2003 11:08:18 AM
System Uptime: 9/14/2009 6:05:32 PM (29 hours ago)

Motherboard: ASUSTeK Computer INC. | | KIRIN-V
Processor: Intel® Pentium® 4 CPU 2.53GHz | PGA 478 | 2545/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 15 GiB total, 2.199 GiB free.
D: is FIXED (NTFS) - 92 GiB total, 17.933 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable
H: is CDROM (CDFS)
J: is FIXED (FAT32) - 233 GiB total, 137.138 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\16C27FB8004603
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\16C27FB8004603
Service: NIC1394

==== Installed Programs ======================


Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.9
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
Apple Mobile Device Support
Apple Software Update
AVG Free 8.0
Azureus
Bonjour
BroadJump Client Foundation
CA Pest Patrol Realtime Protection
Camera Support Core Library
Camera Window
Canon Camera Support Core Library
Canon Camera Window for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon PIXMA iP4000
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Easy-PhotoPrint
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
CCleaner (remove only)
Citrix XenApp Web Plugin
Comcast Toolbar 3.0
ComcastSUPPORT
DAO
Desktop Doctor
Driver Detective
DVD Decrypter (Remove Only)
DVD Identifier
DVDFab Platinum 4.1.1.6 Beta
DVgate
Easy-WebPrint
EasyRecovery Professional
Experience VAIO
Help and Support
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB970653-v3)
Image Station Demo
ImagXpress
Installer Service
Intel® Extreme Graphics Driver
iPod for Windows 2006-01-10
iTunes
Java™ 6 Update 13
Java™ 6 Update 5
Java™ 6 Update 7
Juniper Networks Network Connect 5.2.0
Kazaa Media Desktop 2.1.1
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft Picture It! Photo Premium 9
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MovieEdit Task
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Music Visualizer Library 1.4.00
Nero ControlCenter
Nero Vision
neroxml
OpenMG Secure Module 3.1
PhotoStitch
QuickTime
RAW Image Task 1.1
RealPlayer
Recover My Files
RemoteCapture Task 1.0.3
ROVA
ROVA Update
RSA ACE/Agent for Windows
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Shockwave
Sonic RecordNow!
Sonic Update Manager
SonicStage 1.5.00
Sony Certificate PCH
Sony DV Shared Library
SoundTrax
SUPERAntiSpyware Free Edition
TurboTax 2008
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wpaiper
TurboTax 2008 wrapper
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VAIO Media 2.0
VAIO Media Installer 2.0
VAIO Media Music Server 2.0
VAIO Media Photo Server 2.0
VAIO Media Platform 2.0
VAIO Registration
VAIO Serenus Wallpaper
VAIO Survey Standalone
VAIO System Information
Viewpoint Media Player
WebFldrs XP
WebIQ Client Software
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
WinZip
WordPerfect Office 2002

==== End Of File ===========================
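The first block of the log above is DDS's "Pseudo HJT Report": one autostart or browser-configuration item per line, prefixed by its scope (u = current user, m = machine, d = default user). The following Python scanner is an added example, not part of the original post or of the DDS tool; it runs three defender-side checks over lines in that format: extra executables appended to the Winlogon Userinit value, Run entries that launch from a temp directory, and lockdown policies (DisableRegistryTools, NoFolderOptions) set to a non-zero value. The sample input embeds lines copied from the posted log plus a few clean lines for contrast. The temp-directory pattern, the Userinit allowlist and the policy watchlist are assumptions of this example, not DDS features, and the checks are deliberately narrow (braviax.exe in system32, for instance, is not caught by them).

```python
import re
from typing import Dict, List

# Constructed sample: lines copied from the DDS report above, plus clean lines for contrast.
SAMPLE_DDS = r"""mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: c:\windows\system32\ygsuhdf83id.dll: {ba603215-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\ygsuhdf83id.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
dRun: [PopRock] c:\windows\temp\b.exe
dRun: [Windows System Recover!] c:\windows\temp\win.exe
mRun: [braviax] c:\windows\system32\braviax.exe
Notify: igfxcui - igfxsrvc.dll
dPolicies-explorer: NoCommonGroups = 0 (0x0)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
"""

# Assumed allowlist: on a stock Windows XP system Userinit holds exactly this one entry.
EXPECTED_USERINIT = {r"c:\windows\system32\userinit.exe"}

# Assumed heuristic: a legitimate autostart entry essentially never runs from a temp directory.
TEMP_DIR_PATTERN = re.compile(r"\\(?:windows\\temp|temp|local settings\\temp)\\", re.I)

# Assumed watchlist: policies commonly set by malware to hinder cleanup (both appear in the log above).
LOCKDOWN_POLICIES = {"DisableRegistryTools", "NoFolderOptions"}

RUN_LINE = re.compile(r"^([umd])Run: \[(.*?)\] ?(.*)$")
USERINIT_LINE = re.compile(r"^mWinlogon: Userinit=(.*)$", re.I)
POLICY_LINE = re.compile(r"^([umd])Policies-(\w+): (\w+) = (\d+)")


def strip_quotes_and_args(cmd: str) -> str:
    """Reduce a Run value such as '"c:\\x\\y.exe" /hide' to the bare executable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ")[0]


def scan_dds(text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line; each carries the check name, the value and the raw line."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = USERINIT_LINE.match(line)
        if m:
            # The value is comma-separated with a trailing comma; anything beyond userinit.exe is a finding.
            for entry in m.group(1).split(","):
                entry = entry.strip().lower()
                if entry and entry not in EXPECTED_USERINIT:
                    findings.append({"check": "userinit-extra", "value": entry, "line": line})
            continue
        m = RUN_LINE.match(line)
        if m:
            exe = strip_quotes_and_args(m.group(3))
            if TEMP_DIR_PATTERN.search(exe):
                findings.append({"check": "run-from-temp", "value": exe, "line": line})
            continue
        m = POLICY_LINE.match(line)
        if m and m.group(3) in LOCKDOWN_POLICIES and m.group(4) != "0":
            findings.append({"check": "lockdown-policy", "value": m.group(3), "line": line})
    return findings


if __name__ == "__main__":
    for f in scan_dds(SAMPLE_DDS):
        print(f"[{f['check']}] {f['value']}\n    {f['line']}")
```

Run the file directly to list the findings for the embedded sample, or pass the text of a saved DDS log to `scan_dds` to apply the same three checks to it. The point of splitting the Userinit value on commas is that the tampered entry in the posted log is appended after the legitimate one, so a check that only looks at the start of the value would miss it.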

#2 quietman7 (Global Moderator)

Posted 16 September 2009 - 06:50 AM

I actually wanted you to post the Win32kDiag.txt and Log.txt reports from your original topic here. But that's ok since I have time to continue assisting you.

Please print out and follow these instructions: A guide and tutorial on using ComboFix.
If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!

Download Combofix from one of the mirrors below and save to your desktop. Important: Some types of malware will disable ComboFix and other security tools so you must rename the file before downloading and saving.

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive.
  • Double-click on Combo-Fix.exe and follow the prompts and the instructions you printed out earlier.
  • If using Windows Vista and you receive a UAC prompt asking if you want to continue running the program, you should press the Continue button.
  • When finished, please copy and paste the contents of C:\ComboFix.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs after the scan is complete.
  • If you no longer have access to your Internet connection after running ComboFix, please reboot to restore it. If that does not restore the connection, then follow the instructions for Manually restoring the Internet connection provided in the "How to Guide" you printed out earlier.
-- Do not touch your mouse/keyboard until the Combofix scan has completed, as this may cause the process to stall or the computer to lock.
-- Combofix will temporarily disable your desktop, and if interrupted may leave it disabled. If this occurs, please reboot to restore it.
-- Combofix disables autorun of all CD, floppy and USB devices to assist with malware removal and increase security.


Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to serious problems with your operating system such as preventing it from ever starting again. This site, sUBs and myself will not be responsible for any damage caused to your machine by misusing or running ComboFix on your own. Please read Combofix's Disclaimer.


-- If ComboFix did not run successfully stop here and advise me so I can modify the fix strategy. If it did, then continue as follows.

We need to run Win32kDiag.exe again but this time with a specific command to fix some malware related changes.
  • Make sure Win32kDiag.exe is still on the Desktop. <- Important!
  • Go to Start > Run..., then copy and paste this command into the open box:
"%userprofile%\desktop\win32kdiag.exe" -f -r
  • Click OK.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the contents in your next reply.
Please download Malwarebytes Anti-Malware (v1.40) and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Reports/logs to post in your next reply:
* ComboFix.txt
* Win32kDiag.txt
* MBAM report log
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 JohnK2374 (Topic Starter)

Posted 16 September 2009 - 06:23 PM

I started ComboFix, but it's telling me that AVG Anti-Virus Free is still running and I need to disable the scanner before proceeding.

How do I disable the AVG scanner if I can't open any programs, nor have access to the start menu, toolbar, etc.?

#4 quietman7 (Global Moderator)

Posted 17 September 2009 - 06:19 AM

Can you use Task Manager to end all your anti-virus related processes? There are several ways to access it.
  • Use your mouse to right click an open area in the task bar.
  • Press Ctrl+Alt+Delete keys simultaneously.
  • Go to Start > Run... and in the open box, type: taskmgr
Another option is to download and use AnVir Task Manager Free Portable which shows all running processes and enables you to terminate those related to your anti-virus. This tool also includes a built in start-up manager which will allow you to temporarily disable the anti-virus from starting up by unchecking the box next to the start-up entry. Afterwards, just recheck to resume normal startup.

#5 JohnK2374 (Topic Starter)

Posted 22 September 2009 - 10:38 PM

Thanks for sticking with me Quietman.

I ran ComboFix and it first listed a report of the Rootkits it found. I was instructed to write them all down, which I did. Here are the file names:

C: Windows\System 32\drivers\Skynetvog.xcr (I think...can't read the last three letters)
Windows\System 32\Skynetexujwoye.dll
Windows\System 32\Skynetdvjmdxvu.dll
Windows\System 32\Skynetcdcqapsa.dll
Windows\System 32\Skynetivcrewax.dat
Windows\System 32\Skynetxmbpmaon.dll
Windows\System 32\drivers\tdssmalt.sys
C: Windows\System 32\TDSSoiqh.dll
Windows\System 32\TDSSosud.dat
Windows\System 32\TDSSbrsr.dll
Windows\System 32\TDSSriqp.dll
Windows\System 32\TDSSxfum.dll
Windows\System 32\TDSSlxwp.dll
Windows\System 32\TDSSnmxh.log
Windows\System 32\TDSSsihc.dll
Windows\System 32\TDSSrhym.dll
Windows\System 32\TDSSpaxt.log
Windows\System 32\TDSSoexh.log
C: Windows\System 32\Drivers\TDSSpxqt.sys
Windows\System 32\TDSSosun.dll
Windows\System 32\TDSSmqlt.dat
Windows\System 32\TDSSosvd.dll
Windows\System 32\TDSSnmxh.dll
Windows\System 32\TDSStkdu.dll
Windows\System 32\TDSSbubx.log
Windows\System 32\TDSSvvbj.dll
Windows\System 32\TDSSdivk.dll
Windows\System 32\TDSSkpjp.log
Windows\System 32\TDSSvyfh.log

After I wrote these down and hit OK, my system automatically rebooted. Once my profile was loaded, only my wallpaper appeared (again). So, I re-ran ComboFix and it scanned the system, but then automatically rebooted and started autochk, which went through successfully.

When my profile was loaded again, the only thing there was my wallpaper....still. Also, I have no idea where the ComboFix logs are being saved....they aren't on my desktop.

Does this help at all?

#6 quietman7 (Global Moderator)

Posted 23 September 2009 - 07:46 AM

The CF log is located at C:\ComboFix.txt. Open Windows Explorer, navigate there and double-click on that .txt file to open it in notepad. Copy and paste the contents in your next reply.

You need to run Win32kDiag.exe with the switch as instructed in Post #2 followed by a scan with Malwarebytes Anti-Malware. Post both of those logs along with the CF log.

#7 JohnK2374 (Topic Starter)

Posted 23 September 2009 - 10:39 PM

Looks like we're almost there. I have my icons back along with the start menu and everything. Here are the logs. For some reason, I can't seem to find the Win32kDiag.txt file though. Let me know if I should re-run.

Also, what protection software would you recommend so I don't run into this issue again? I do A LOT of file sharing.

ComboFix Log:

ComboFix 09-09-22.02 - John 09/22/2009 21:40.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.504.110 [GMT -4:00]
Running from: G:\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\icudace.inf
c:\documents and settings\All Users\Application Data\vizejy.reg
c:\documents and settings\All Users\Documents\jezaz.bat
c:\documents and settings\All Users\Documents\nufune.bat
c:\documents and settings\John\Application Data\agagoleqem.inf
c:\documents and settings\John\Application Data\dolymyhab.bat
c:\documents and settings\John\Application Data\inst.exe
c:\documents and settings\John\Application Data\topame.vbs
c:\documents and settings\John\Application Data\ylikoxi.vbs
c:\documents and settings\John\Local Settings\Application Data\tawise.inf
c:\documents and settings\John\Local Settings\Application Data\ytaz.bat
C:\p2hhr.bat
c:\program files\Common Files\ezuvuhot.vbs
C:\scmhux.exe
C:\udtcnn.exe
c:\windows\76ccfa25.ocx
c:\windows\Installer\1592a3.msi
c:\windows\Installer\98d6f7.msi
c:\windows\Installer\WMEncoder.msi
c:\windows\jalelehiwe.bat
c:\windows\kesadizuv.bat
c:\windows\ONSPCLCK.exe
c:\windows\system\SYSRegC.dll
c:\windows\system32\~.exe
c:\windows\system32\20f85f92.ocx
c:\windows\system32\axoqelexy.inf
c:\windows\system32\b0b1819b.ocx
c:\windows\system32\bvfnvcgm.dll
c:\windows\system32\bxowpuym.ini
c:\windows\system32\cmxepoan.ini
c:\windows\system32\cpkqhhuw.ini
c:\windows\system32\drivers\SKYNETvocyxcba.sys
c:\windows\system32\drivers\TDSSmqlt.sys
c:\windows\system32\drivers\TDSSpqxt.sys
c:\windows\system32\evsxvtqx.dll
c:\windows\system32\fkiloawb.ini
c:\windows\system32\hakqgvdy.ini
c:\windows\system32\kkhpsvhk.ini
c:\windows\system32\krklggmj.dll
c:\windows\system32\lglvvfpo.ini
c:\windows\system32\nfbypkye.ini
c:\windows\system32\nGpxx16
c:\windows\system32\nhakevnd.ini
c:\windows\system32\NqtsBcfe.ini
c:\windows\system32\ofhpmuhi.ini
c:\windows\system32\pokasu.reg
c:\windows\system32\pydyhuwe.inf
c:\windows\system32\qaioqyyo.ini
c:\windows\system32\qhqjvwrh.dll
c:\windows\system32\quvelcbr.dll
c:\windows\system32\SKYNETcdcqapsa.dll
c:\windows\system32\SKYNETcxujwoye.dll
c:\windows\system32\SKYNETdvjmdxvu.dat
c:\windows\system32\SKYNETivcrewax.dat
c:\windows\system32\SKYNETxmbpmaon.dll
c:\windows\system32\spvakuvn.dll
c:\windows\system32\tajf83ikdmf.dll
c:\windows\system32\TDSSbivk.dll
c:\windows\system32\TDSSbrsr.dll
c:\windows\system32\TDSSbubx.log
c:\windows\system32\TDSSkpjp.log
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSmqlt.dat
c:\windows\system32\TDSSnmxh.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoexh.log
c:\windows\system32\TDSSoiqh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSosvd.dll
c:\windows\system32\TDSSosvn.dll
c:\windows\system32\TDSSpaxt.log
c:\windows\system32\TDSSrhym.dll
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsihc.dll
c:\windows\system32\TDSStkdv.dll
c:\windows\system32\TDSSuyfh.log
c:\windows\system32\TDSSvvbj.dll
c:\windows\system32\TDSSxfum.dll
c:\windows\system32\tdsyqfrn.dll
c:\windows\system32\teuofiyf.ini
c:\windows\system32\tmp0_111858471153.bk
c:\windows\system32\tmp0_120665595682.bk
c:\windows\system32\tmp0_238660462131.bk
c:\windows\system32\tmp0_442801345882.bk
c:\windows\system32\tmp1_311182764886.bk
c:\windows\system32\tmp1_69090537610.bk
c:\windows\system32\tmp1_738653738067.bk
c:\windows\system32\tmp2_108654707694.bk
c:\windows\system32\tmp2_338931777706.bk
c:\windows\system32\tmp3_523379790449.bk
c:\windows\system32\tmp3_540060302370.bk
c:\windows\system32\tmp4_48281491775.bk
c:\windows\system32\tmp4_642872833166.bk
c:\windows\system32\tqlqjoed.ini
c:\windows\system32\tqvsowut.ini
c:\windows\system32\vklwmoau.ini
c:\windows\system32\wxsevbgx.ini
c:\windows\system32\ygsuhdf83id.dll
c:\windows\wemaky.dll
C:\WRT10.tmp
C:\WRT11F.tmp
C:\WRT120.tmp
C:\WRT121.tmp
C:\WRT122.tmp
C:\WRT125.tmp
C:\WRT126.tmp
C:\WRT132.tmp
C:\WRT133.tmp
C:\WRT134.tmp
C:\WRT135.tmp
C:\WRT138.tmp
C:\WRT139.tmp
C:\WRT4.tmp
C:\WRT7.tmp
C:\WRTD.tmp
C:\WRTE.tmp
C:\WRTF.tmp
.
---- Previous Run -------
.
c:\recycler\S-1-5-21-1390774377-2385200199-1500318138-1003
c:\recycler\S-1-5-21-1390774377-2385200199-1500318138-1003\desktop.ini
c:\recycler\S-1-5-21-1390774377-2385200199-1500318138-1003\INFO2
c:\recycler\S-1-5-21-1801674531-764733703-725345543-1003
c:\recycler\S-1-5-21-1801674531-764733703-725345543-1003\desktop.ini
c:\recycler\S-1-5-21-1801674531-764733703-725345543-1003\INFO2
c:\recycler\S-1-5-21-2558430661-1340648803-2597014688-1003
c:\recycler\S-1-5-21-2558430661-1340648803-2597014688-1003\desktop.ini
c:\recycler\S-1-5-21-2558430661-1340648803-2597014688-1003\INFO2
c:\recycler\S-1-5-21-3728447159-2152579179-162068669-1003
c:\recycler\S-1-5-21-3728447159-2152579179-162068669-1003\desktop.ini
c:\recycler\S-1-5-21-3728447159-2152579179-162068669-1003\INFO2
c:\recycler\S-1-5-21-3818769647-1456451836-867213556-1003
c:\recycler\S-1-5-21-3818769647-1456451836-867213556-1003\desktop.ini
c:\recycler\S-1-5-21-3818769647-1456451836-867213556-1003\INFO2
c:\recycler\S-1-5-21-81932072-2099459701-3103979217-1003
c:\recycler\S-1-5-21-81932072-2099459701-3103979217-1003\desktop.ini
c:\recycler\S-1-5-21-81932072-2099459701-3103979217-1003\INFO2
c:\recycler\S-1-5-21-823864489-1945211297-4234179203-1003
c:\recycler\S-1-5-21-823864489-1945211297-4234179203-1003\desktop.ini
c:\recycler\S-1-5-21-823864489-1945211297-4234179203-1003\INFO2
c:\windows\DRIVERS\beep.sys
c:\windows\Install.txt
c:\windows\ppp3.dat
c:\windows\Readme.txt
c:\windows\system32\bincd32.dat
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\logs
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\msxml71.dll
c:\windows\system32\onhelp.htm
c:\windows\system32\sdra64.exe
c:\windows\system32\sonhelp.htm
c:\windows\system32\tapi.nfo
c:\windows\system32\uninstall.exe
c:\windows\system32\wisdstr.exe

-- Previous Run --

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\system32\dllcache\proquota.exe

--------

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFISICX
-------\Legacy_ANTIPPRO2009_100
-------\Legacy_MABIDWE
-------\Legacy_MACIDWE
-------\Legacy_NOXTCYR
-------\Legacy_NOYTCYR
-------\Legacy_PERFMONS
-------\Legacy_PERFS
-------\Legacy_ROXTCTM
-------\Legacy_ROYTCTM
-------\Legacy_SKYNETnhtpaiyl
-------\Legacy_SOTPECA
-------\Legacy_SOXPECA
-------\Legacy_TDSSSERV
-------\Legacy_TDSSserv.sys)
-------\Legacy_TDYDOWKC
-------\Legacy_WSERVING
-------\Legacy_WSLDOEKD
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_SKYNETnhtpaiyl
-------\Service_TDSSserv
-------\Service_TDSSserv.sys)


((((((((((((((((((((((((( Files Created from 2009-08-24 to 2009-09-24 )))))))))))))))))))))))))))))))
.

2009-09-22 04:01 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-22 03:20 . 2009-09-23 01:08 -------- dc----w- C:\Combo-Fix2211C
2009-09-17 03:12 . 2009-09-17 03:14 -------- dc----w- C:\Combo-Fix
2009-09-11 04:57 . 2009-09-11 04:57 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\PC_Drivers_Headquarters
2009-09-11 04:56 . 2009-09-11 04:56 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-09-11 04:56 . 2009-09-11 04:56 -------- d-----w- c:\program files\PC Drivers HeadQuarters
2009-09-08 22:16 . 2009-09-12 23:32 0 ----a-w- c:\windows\system32\drivers\724c29a6.sys
2009-09-08 22:15 . 2002-08-29 12:00 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys
2009-09-08 22:15 . 2002-08-29 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-24 02:59 . 2009-08-13 01:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-22 02:38 . 2008-05-24 03:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-11 05:05 . 2005-05-03 03:25 -------- d-----w- c:\documents and settings\John\Application Data\Azureus
2009-09-11 05:01 . 2009-05-04 03:52 -------- d-----w- c:\documents and settings\John\Application Data\CallingID
2009-09-10 18:54 . 2009-08-13 01:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-08-13 01:19 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-03 21:24 . 2009-05-04 03:50 -------- d-----w- c:\documents and settings\John\Application Data\comcasttb
2009-08-24 04:34 . 2007-04-05 22:41 -------- d-----w- c:\documents and settings\John\Application Data\Vso
2009-08-22 18:20 . 2009-08-12 03:35 -------- d-----w- c:\documents and settings\John\Application Data\GetRightToGo
2009-08-20 03:49 . 2009-08-02 20:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-20 03:49 . 2009-08-02 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-14 15:41 . 2009-08-14 11:53 -------- d-----w- c:\documents and settings\John\Application Data\ICAClient
2009-08-13 02:20 . 2009-08-13 02:20 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-13 02:20 . 2009-08-13 02:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-13 02:20 . 2009-08-13 02:20 -------- d-----w- c:\documents and settings\John\Application Data\SUPERAntiSpyware.com
2009-08-13 02:19 . 2008-10-25 15:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-10 03:18 . 2009-08-10 03:13 -------- d-----w- c:\documents and settings\John\Application Data\Sonic
2009-08-10 03:18 . 2009-08-10 03:18 56 -csha-w- C:\redir.sys
2009-08-10 03:18 . 2009-08-10 03:18 -------- d-----w- c:\program files\Common Files\PACE Anti-Piracy
2009-08-10 03:18 . 2009-08-10 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\PACE Anti-Piracy
2009-08-10 03:13 . 2009-08-10 03:13 -------- d-----w- c:\program files\Common Files\Sonic
2009-08-10 03:12 . 2009-08-10 03:12 -------- d-----w- c:\program files\Common Files\SureThing Shared
2009-08-10 03:12 . 2009-08-10 03:12 -------- d-----w- c:\program files\Sonic
2009-08-08 19:16 . 2009-07-25 01:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-08-06 03:49 . 2009-07-25 01:41 -------- d-----w- c:\program files\Windows Sidebar
2009-08-06 02:52 . 2003-01-16 18:55 -------- d-----w- c:\program files\Yahoo!
2009-08-05 09:01 . 2003-01-15 22:43 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-02 22:10 . 2003-12-18 02:27 120104 -c--a-w- c:\documents and settings\John\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-02 20:33 . 2009-08-02 20:33 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-08-02 20:33 . 2009-08-02 20:33 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-08-02 18:49 . 2009-08-02 18:49 -------- d-----w- c:\program files\MSBuild
2009-08-02 18:49 . 2009-08-02 18:49 -------- d-----w- c:\program files\Reference Assemblies
2009-07-30 04:31 . 2009-07-30 04:31 -------- d-----w- c:\program files\Alcohol Soft
2009-07-30 04:23 . 2009-07-30 04:23 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-07-28 03:57 . 2005-05-04 03:36 -------- d-----w- c:\program files\Azureus
2009-07-17 19:01 . 2003-01-15 22:43 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-05-12 02:23 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2004-02-06 22:05 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2003-01-15 22:43 17408 ----a-w- c:\windows\system32\corpol.dll
2008-10-21 05:06 . 2008-10-21 05:06 18342 ----a-w- c:\program files\Common Files\gusuh.pif
2008-10-21 05:06 . 2008-10-21 05:06 13161 ----a-w- c:\program files\Common Files\wocim.dl
2008-10-21 05:06 . 2008-10-21 05:06 11894 ----a-w- c:\program files\Common Files\woba.com
2008-10-21 05:06 . 2008-10-21 05:06 10177 ----a-w- c:\program files\Common Files\tihupoc._dl
2008-10-21 04:52 . 2008-10-21 04:52 17152 ----a-w- c:\program files\Common Files\ibucacy.dll
2008-10-21 04:52 . 2008-10-21 04:52 11750 ----a-w- c:\program files\Common Files\ofaf.sys
2008-10-20 02:17 . 2008-10-20 02:17 19794 ----a-w- c:\program files\Common Files\idurova.scr
2001-06-23 12:29 . 2003-08-20 02:47 11776 -c--a-w- c:\program files\OfficeXP30daysTrialActivatorV10.exe
2008-05-20 03:17 . 2008-05-20 03:17 0 --sh--w- c:\windows\S363DDCF6.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ComcastAntispyClient"="c:\program files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" [2009-06-17 1587672]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-08-05 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2002-11-15 28672]
"QuickFinder Scheduler"="c:\program files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE" [2002-08-15 77887]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2001-12-17 483394]
"ROVATray"="c:\program files\ROVA\rovatray.exe" [2007-02-09 143360]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2007-12-23 50688]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-31 1601304]
"ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-07-04 40960]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"WD Button Manager"="WDBtnMgr.exe" - c:\windows\system32\WDBtnMgr.exe [2007-02-18 335872]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-31 23:52 10520 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"tdxdowkc"=2 (0x2)
"sobicyt"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Blubster\\Blubster.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6889:UDP"= 6889:UDP:BitTorrent
"6887:UDP"= 6887:UDP:Bittorrent
"6886:UDP"= 6886:UDP:BitTorrent
"6885:UDP"= 6885:UDP:BitTorrent
"6884:UDP"= 6884:UDP:BitTorrent
"6883:UDP"= 6883:UDP:BitTorrent
"6882:UDP"= 6882:UDP:BitTorrent
"6881:UDP"= 6881:UDP:BitTorrent
"6888:UDP"= 6888:UDP:BitTorrent

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/24/2008 10:15 PM 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/24/2008 10:15 PM 107272]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [3/3/2008 1:00 AM 218504]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R2 TTDec;ATI WDM Teletext Decoder;c:\windows\system32\drivers\atinttxx.sys [5/25/2003 12:23 PM 13824]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
S1 724c29a6;724c29a6;c:\windows\system32\drivers\724c29a6.sys [9/8/2009 6:16 PM 0]
S3 GearAspiWDM_BackUp;GEARAspiWDM;c:\windows\system32\drivers\GEARAspiWDM.sys [1/29/2008 12:01 PM 23400]
.
Contents of the 'Scheduled Tasks' folder

2009-09-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2003-04-19 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-01-15 00:12]

2003-04-30 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-01-15 00:12]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://search.msn.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = www.yahoo.com
mStart Page = hxxp://www.google.com
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &Viewpoint Search - c:\program files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} - hxxps://qds1.qdsremote.com/cabs/ActiveXViewer.cab
.
- - - - ORPHANS REMOVED - - - -

Notify-cbXNFywv - cbXNFywv.dll
Notify-qoMfgDtU - qoMfgDtU.dll
Notify-qomnmll - qomnmll.dll
SafeBoot-TDSSmqlt.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-23 23:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2111998232-1178579903-1736132178-1005\Software\Zepter Software\RegLib*94db84a8\AnyDVD/1]
"1"=dword:445009f8
"2"=dword:445151eb
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(604)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(660)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll

- - - - - - - > 'explorer.exe'(3108)
c:\windows\system32\WININET.dll
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\AVG\AVG8\avgwdsvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\CA\PPRT\bin\ITMRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Neoteris\Installer Service\NeoterisSetupService.exe
c:\program files\Quintech\ROVAUpdate\rovasrvc.exe
c:\program files\Sony\VAIO Media Music Server\SSSvr.exe
c:\program files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
c:\progra~1\AVG\AVG8\avgemc.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
c:\program files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
c:\program files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
c:\program files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-09-24 23:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-24 03:28

Pre-Run: 2,285,211,648 bytes free
Post-Run: 1,986,052,096 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=2,3,4,5
468 --- E O F --- 2009-09-23 04:13


MBAM Log:

Malwarebytes' Anti-Malware 1.41
Database version: 2854
Windows 5.1.2600 Service Pack 3

9/23/2009 11:08:30 PM
mbam-log-2009-09-23 (23-08-30).txt

Scan type: Quick Scan
Objects scanned: 115728
Time elapsed: 7 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.

#8 JohnK2374 (Topic Starter)

Posted 23 September 2009 - 10:42 PM

FOUND THE Win32kDiag Log:

Running from: C:\Documents and Settings\John\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\John\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx

Cannot access: C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll

Cannot access: C:\WINDOWS\explorer.exe

Attempting to restore permissions of : C:\WINDOWS\explorer.exe



Finished!

#9 quietman7 (Global Moderator)

Posted 24 September 2009 - 09:52 AM

Also, what protection software would you recommend so I don't run into the issue again? I do A LOT of file sharing.

I will provide prevention tips when we are done. Using any peer-to-peer (P2P) or file sharing program (i.e. Limewire, eMule, Kontiki, BitTorrent, uTorrent) is a security risk which can make your system susceptible to a smörgåsbord of malware infections, remote attacks, and exposure of personal information.

The reason for this is that file sharing relies on its members giving and gaining unfettered access to computers across the P2P network. This practice can make you vulnerable to data and identity theft, system infection and remote access exploit by attackers who can take control of your computer without your knowledge. Even if you change the risky default settings to a safer configuration, downloading files from an anonymous source increases your exposure to infection because the files you are downloading may actually contain a disguised threat. Many malicious worms and Trojans, such as the Storm Worm, target and spread across P2P file sharing networks because of their known vulnerabilities. In some instances the infection may cause so much damage to your system that recovery is not possible and a Repair Install will NOT help! In those cases, the only option is to wipe your drive, reformat and reinstall the OS.

Even the safest P2P file sharing programs that do not contain bundled spyware still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The best way to eliminate these risks is to avoid using P2P applications.

Now rescan again with Malwarebytes Anti-Malware, but this time perform a Full Scan in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Please perform an online scan with Kaspersky Online Virus Scanner.
(Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.)
  • Click on the [image] button.
  • The program will launch and fill in the Information section ... on the left.
  • Read the "Requirements and Limitations" then press the [image] button.
  • The program will begin downloading the latest program and definition files.
    It takes a while... please be patient and let it finish.
  • Once the files have been downloaded, click on the [image] button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the [image] button, if you made any changes.
  • Now under the Scan section on the left: Select My Computer
  • The program will start and scan your system. This will run for a while, be patient... let it run.
    Once the scan is complete, it will display if your system has been infected.
  • Save the scan results as a Text file ... save it to your desktop.
  • Copy and paste the saved scan results file in your next reply.
IMPORTANT NOTE: One or more of the identified infections was related to a nasty variant of the TDSSSERV rootkit component also known as Backdoor.Tidserv. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should stay disconnected from the Internet until your system is fully cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the rootkit was identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
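As an added example (not part of the original post, and not code from ComboFix or any other tool named in this thread), the script below triages ComboFix-style log lines for the indicators the moderator's note calls out: Legacy_/Service_ entries named after the TDSS and SKYNET rootkit family, a kernel driver registered with a size of 0 bytes, and a disabled Windows Firewall with globally open inbound P2P ports. The sample lines are constructed in the format of the log quoted earlier; the field layout the regexes expect and the rootkit name prefixes are assumptions drawn from that log.

```python
"""Triage helper for ComboFix-style log excerpts.

Added example; not ComboFix's own code and not part of the original post.
It flags the indicators the moderator's note above calls out: service or
driver entries named after the TDSS/SKYNET rootkit family, a zero-byte
kernel driver, and a disabled Windows Firewall with open inbound P2P ports.
The regexes assume the field layout seen in the log quoted in this thread.
"""
import re

# Name prefixes seen in this thread's log (assumption); extend for other families.
ROOTKIT_PREFIXES = ("TDSS", "SKYNET")

# "-------\Legacy_TDSSSERV" / "-------\Service_TDSSserv" lines
LEGACY_RE = re.compile(r"^-+\\(?:Legacy|Service)_(?P<name>\S+)\s*$")
# "S1 name;description;path [date time size]" driver/service lines
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)
# "[HKLM\...]" registry key headers and '"Name"= value' lines
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*?)\s*$')

FIREWALL_KEY = "firewallpolicy\\standardprofile"
OPEN_PORTS_KEY = "globallyopenports\\list"


def triage(log_text):
    """Return a dict of findings for one ComboFix-style log."""
    report = {
        "rootkit_entries": [],    # Legacy_/Service_ names with a rootkit prefix
        "zero_byte_drivers": [],  # driver paths whose recorded size is 0
        "firewall_enabled": None, # None if the log has no EnableFirewall line
        "open_ports": [],         # GloballyOpenPorts entries, e.g. "6881:UDP"
    }
    current_key = ""
    for line in log_text.splitlines():
        line = line.rstrip()
        m = LEGACY_RE.match(line)
        if m:
            name = m.group("name")
            if name.upper().startswith(ROOTKIT_PREFIXES):
                report["rootkit_entries"].append(name)
            continue
        m = SERVICE_RE.match(line)
        if m:
            # The last bracketed field is the file size recorded by ComboFix.
            size = m.group("meta").split()[-1]
            if size.isdigit() and int(size) == 0:
                report["zero_byte_drivers"].append(m.group("path"))
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        if current_key.endswith(FIREWALL_KEY) and m.group("name") == "EnableFirewall":
            report["firewall_enabled"] = not m.group("value").startswith("0")
        elif current_key.endswith(OPEN_PORTS_KEY):
            report["open_ports"].append(m.group("name"))
    return report


def findings(report):
    """Turn a triage report into human-readable lines (empty list = nothing flagged)."""
    out = []
    for name in report["rootkit_entries"]:
        out.append("rootkit-family service entry: " + name)
    for path in report["zero_byte_drivers"]:
        out.append("zero-byte kernel driver registered: " + path)
    if report["firewall_enabled"] is False:
        out.append("Windows Firewall disabled (EnableFirewall=0)")
    if report["open_ports"]:
        out.append("globally open inbound ports: " + ", ".join(report["open_ports"]))
    return out


# Constructed sample, written in the format of the log quoted above.
SAMPLE_LOG = r"""
-------\Legacy_AFISICX
-------\Legacy_SKYNETnhtpaiyl
-------\Legacy_TDSSSERV
-------\Service_TDSSserv
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:UDP"= 6881:UDP:BitTorrent
"6882:UDP"= 6882:UDP:BitTorrent
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/24/2008 10:15 PM 325128]
S1 724c29a6;724c29a6;c:\windows\system32\drivers\724c29a6.sys [9/8/2009 6:16 PM 0]
"""

if __name__ == "__main__":
    for item in findings(triage(SAMPLE_LOG)):
        print(item)
```

Run it against a full ComboFix.txt by reading the file into `triage()`; an empty `findings()` list means none of these three indicator types was present, not that the machine is clean.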

#10 JohnK2374 (Topic Starter)

Posted 25 September 2009 - 07:37 AM

OK. Here are the two logs:

MBAM:

Malwarebytes' Anti-Malware 1.41
Database version: 2854
Windows 5.1.2600 Service Pack 3

9/24/2009 9:39:37 PM
mbam-log-2009-09-24 (21-39-36).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|H:\|J:\|)
Objects scanned: 248443
Time elapsed: 2 hour(s), 43 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{0768B94C-A9C5-4980-AAC7-F2FA66E33BB8}\RP1\A0000238.dll (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\sdra64.exe.vir (Trojan.Buzus) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef) -> Quarantined and deleted successfully.


Kaspersky:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, September 25, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, September 25, 2009 02:55:45
Records in database: 2916599
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\
J:\

Scan statistics:
Objects scanned: 116101
Threats found: 5
Infected objects found: 5
Suspicious objects found: 0
Scan duration: 05:38:27


File name / Threat / Threats count
C:\Program Files\Support.com\backup\ho\hosts\3233_5efd1a223_ Infected: Trojan.Win32.Qhost.ahq 1
C:\WINDOWS\system32\asck.exe Infected: not-a-virus:AdWare.Win32.AlexaBar.ay 1
C:\WINDOWS\system32\fduvfct.sys Infected: Trojan-Clicker.Win32.VB.bzm 1
C:\WINDOWS\system32\stsycod.sys Infected: Trojan.Win32.Delf.dlw 1
J:\Music\Alt. Rock\Beck - Modern Guilt 2008\06 - Walls.mp3 Infected: Trojan-Downloader.WMA.GetCodec.i 1

Selected area has been scanned.
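A note on the last Kaspersky hit, the .mp3 flagged as Trojan-Downloader.WMA.GetCodec.i: detections in that family are typically not MP3 audio at all but a WMA/ASF container renamed to .mp3, carrying a URL in its header that Windows Media Player will offer to open as a "codec" or "licence" download when the track is played. The check below is an added example, not part of this thread and not Kaspersky's or anyone else's scanner logic. It identifies the real container behind the extension, walks the ASF Header Object for the Script Command and Content Encryption objects (GUIDs taken from the ASF specification) and pulls any http(s) URL out of the header text. The sample bytes are constructed here and are not the contents of the file in the log; a genuinely DRM-protected .wma can legitimately carry a licence URL, so a hit is a lead to inspect, not a verdict.

```python
import re
import struct
from dataclasses import dataclass, field

# ASF object GUIDs in on-disk byte order (first three GUID fields little-endian).
ASF_HEADER_GUID = bytes.fromhex("3026B2758E66CF11A6D900AA0062CE6C")        # 75B22630-668E-11CF-A6D9-00AA0062CE6C
SCRIPT_COMMAND_GUID = bytes.fromhex("301AFB1E620BD011A39B00A0C90348F6")    # 1EFB1A30-0B62-11D0-A39B-00A0C90348F6
CONTENT_ENCRYPTION_GUID = bytes.fromhex("FBB3112223BDD211B4B700A0C955FC6E")  # 2211B3FB-BD23-11D2-B4B7-00A0C955FC6E
KNOWN_OBJECTS = {SCRIPT_COMMAND_GUID: "Script Command Object",
                 CONTENT_ENCRYPTION_GUID: "Content Encryption Object"}
URL_RE = re.compile(r"https?://[\w.\-]+(?::\d+)?(?:/[^\s\"'<>\x00]*)?", re.IGNORECASE)


@dataclass
class MediaReport:
    container: str                 # "asf", "mp3" or "unknown"
    extension_mismatch: bool       # ASF payload behind a .mp3 name
    objects: list = field(default_factory=list)
    urls: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A URL in the header is what drives the player's "download codec"/"acquire licence" prompt.
        return bool(self.urls)


def _find_urls(buf: bytes) -> list:
    """Collect http(s) URLs from ASCII text and from UTF-16LE text at both byte alignments
    (ASF strings are UTF-16LE, so a plain ASCII search would miss them)."""
    texts = [buf.decode("latin-1")]
    texts += [buf[off:].decode("utf-16-le", errors="ignore") for off in (0, 1)]
    return sorted({m.group(0) for t in texts for m in URL_RE.finditer(t)})


def inspect_media(filename: str, data: bytes) -> MediaReport:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data.startswith(ASF_HEADER_GUID):
        container = "asf"
    elif data.startswith(b"ID3") or (len(data) > 1 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0):
        container = "mp3"          # ID3v2 tag or an MPEG audio frame sync
    else:
        container = "unknown"
    report = MediaReport(container, extension_mismatch=(container == "asf" and ext == "mp3"))
    if container != "asf" or len(data) < 30:
        return report
    # Header Object: GUID(16) + size(8) + object count(4) + 2 reserved bytes, then child objects,
    # each of which is again GUID(16) + size(8) + body.
    header_size = struct.unpack_from("<Q", data, 16)[0]
    header = data[: min(header_size, len(data), 1 << 20)]
    pos = 30
    while pos + 24 <= len(header):
        guid = header[pos:pos + 16]
        size = struct.unpack_from("<Q", header, pos + 16)[0]
        if size < 24:
            break                  # malformed object: stop rather than loop forever
        if guid in KNOWN_OBJECTS:
            report.objects.append(KNOWN_OBJECTS[guid])
        pos += size
    report.urls = _find_urls(header)
    return report


def build_sample_asf(url: str) -> bytes:
    """Constructed test input, not bytes from the flagged file: a minimal ASF header holding one
    Script Command Object whose text is URLANDEXIT followed by the URL."""
    cmd = ("URLANDEXIT" + url).encode("utf-16-le") + b"\x00\x00"
    script_obj = SCRIPT_COMMAND_GUID + struct.pack("<Q", 24 + len(cmd)) + cmd
    return (ASF_HEADER_GUID + struct.pack("<Q", 30 + len(script_obj))
            + struct.pack("<IBB", 1, 1, 2) + script_obj)


SAMPLE_ASF_AS_MP3 = build_sample_asf("http://example.invalid/codec")          # constructed
SAMPLE_REAL_MP3 = b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00" * 4  # constructed

if __name__ == "__main__":
    for name, blob in (("06 - Walls.mp3", SAMPLE_ASF_AS_MP3), ("track.mp3", SAMPLE_REAL_MP3)):
        r = inspect_media(name, blob)
        print(name, r.container, "mismatch" if r.extension_mismatch else "", r.objects, r.urls)
```

Run it against a directory of downloads with `inspect_media(path, open(path, "rb").read())` and look first at anything where `extension_mismatch` and `suspicious` are both set; the URL it prints is the thing to block and to search the other machines for.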

#11 quietman7
Bleepin' Janitor, Global Moderator (Virginia, USA)

Posted 25 September 2009 - 08:33 AM

Do you recognize the Support.com folder in Program Files? I'm not finding much information on it except for complaints that it takes up a lot of space.

Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before continuing. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click this link to see a list of such programs and how to disable them.

Open Notepad by clicking Start > Run... and in the open box type: Notepad.exe
Press Ok, then copy and paste everything in the code box below into it.

KILLALL::

File::
C:\Program Files\Support.com\backup\ho\hosts\3233_5efd1a223_
C:\WINDOWS\system32\asck.exe 
C:\WINDOWS\system32\fduvfct.sys
C:\WINDOWS\system32\stsycod.sys
J:\Music\Alt. Rock\Beck - Modern Guilt 2008\06 - Walls.mp3

Reboot::
  • Save the file as CFScript.txt by choosing Save As... in the File Menu, and save it to your Desktop where the ComboFix icon is also located.
  • Close your browser and disconnect from the Internet.
  • Now use your mouse to drag, then drop the CFScript.txt file on top of ComboFix.exe as seen in the image below.
[image: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix and launch the script.
  • ComboFix may reboot your system when it finishes. This is normal.
  • A log will automatically be created and saved to C:\ComboFix.txt. Please copy and paste the contents of ComboFix.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs after the scan is complete.
-- Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
-- Combofix will temporarily disable your desktop, and if interrupted may leave it disabled. If this occurs, please reboot to restore it.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#12 JohnK2374
Topic Starter, Member

Posted 25 September 2009 - 10:01 PM

Ok. Here is the latest ComboFix Log:

ComboFix 09-09-22.02 - John 09/25/2009 21:03.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.504.247 [GMT -4:00]
Running from: c:\documents and settings\John\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\John\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\program files\Support.com\backup\ho\hosts\3233_5efd1a223_"
"c:\windows\system32\asck.exe"
"c:\windows\system32\fduvfct.sys"
"c:\windows\system32\stsycod.sys"
"j:\music\Alt. Rock\Beck - Modern Guilt 2008\06 - Walls.mp3"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Support.com\backup\ho\hosts\3233_5efd1a223_
c:\windows\system32\asck.exe
c:\windows\system32\fduvfct.sys
c:\windows\system32\stsycod.sys

.
((((((((((((((((((((((((( Files Created from 2009-08-26 to 2009-09-26 )))))))))))))))))))))))))))))))
.

2009-09-22 04:01 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-22 03:20 . 2009-09-23 01:08 -------- dc----w- C:\Combo-Fix2211C
2009-09-17 03:12 . 2009-09-25 06:03 -------- dc----w- C:\Combo-Fix
2009-09-11 04:56 . 2009-09-11 04:56 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-09-08 22:16 . 2009-09-12 23:32 0 ----a-w- c:\windows\system32\drivers\724c29a6.sys
2009-09-08 22:15 . 2002-08-29 12:00 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys
2009-09-08 22:15 . 2002-08-29 12:00 4224 ------w- c:\windows\system32\drivers\beep.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-25 02:42 . 2009-05-04 03:52 -------- d-----w- c:\documents and settings\John\Application Data\CallingID
2009-09-25 02:35 . 2005-05-03 03:05 -------- d-----w- c:\program files\Java
2009-09-24 02:59 . 2009-08-13 01:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-22 02:38 . 2008-05-24 03:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-11 05:05 . 2005-05-03 03:25 -------- d-----w- c:\documents and settings\John\Application Data\Azureus
2009-09-10 18:54 . 2009-08-13 01:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-08-13 01:19 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-03 21:24 . 2009-05-04 03:50 -------- d-----w- c:\documents and settings\John\Application Data\comcasttb
2009-08-24 04:34 . 2007-04-05 22:41 -------- d-----w- c:\documents and settings\John\Application Data\Vso
2009-08-22 18:20 . 2009-08-12 03:35 -------- d-----w- c:\documents and settings\John\Application Data\GetRightToGo
2009-08-20 03:49 . 2009-08-02 20:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-20 03:49 . 2009-08-02 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-14 15:41 . 2009-08-14 11:53 -------- d-----w- c:\documents and settings\John\Application Data\ICAClient
2009-08-13 02:20 . 2009-08-13 02:20 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-13 02:20 . 2009-08-13 02:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-13 02:20 . 2009-08-13 02:20 -------- d-----w- c:\documents and settings\John\Application Data\SUPERAntiSpyware.com
2009-08-13 02:19 . 2008-10-25 15:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-10 03:18 . 2009-08-10 03:13 -------- d-----w- c:\documents and settings\John\Application Data\Sonic
2009-08-10 03:18 . 2009-08-10 03:18 56 -csha-w- C:\redir.sys
2009-08-10 03:18 . 2009-08-10 03:18 -------- d-----w- c:\program files\Common Files\PACE Anti-Piracy
2009-08-10 03:18 . 2009-08-10 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\PACE Anti-Piracy
2009-08-10 03:13 . 2009-08-10 03:13 -------- d-----w- c:\program files\Common Files\Sonic
2009-08-10 03:12 . 2009-08-10 03:12 -------- d-----w- c:\program files\Common Files\SureThing Shared
2009-08-10 03:12 . 2009-08-10 03:12 -------- d-----w- c:\program files\Sonic
2009-08-08 19:16 . 2009-07-25 01:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-08-06 03:49 . 2009-07-25 01:41 -------- d-----w- c:\program files\Windows Sidebar
2009-08-06 02:52 . 2003-01-16 18:55 -------- d-----w- c:\program files\Yahoo!
2009-08-05 09:01 . 2003-01-15 22:43 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-02 22:10 . 2003-12-18 02:27 120104 -c--a-w- c:\documents and settings\John\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-02 20:33 . 2009-08-02 20:33 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-08-02 20:33 . 2009-08-02 20:33 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-08-02 18:49 . 2009-08-02 18:49 -------- d-----w- c:\program files\MSBuild
2009-08-02 18:49 . 2009-08-02 18:49 -------- d-----w- c:\program files\Reference Assemblies
2009-07-31 19:23 . 2009-03-02 03:31 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-30 04:31 . 2009-07-30 04:31 -------- d-----w- c:\program files\Alcohol Soft
2009-07-30 04:23 . 2009-07-30 04:23 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-07-28 03:57 . 2005-05-04 03:36 -------- d-----w- c:\program files\Azureus
2009-07-17 19:01 . 2003-01-15 22:43 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-05-12 02:23 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2004-02-06 22:05 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2003-01-15 22:43 17408 ----a-w- c:\windows\system32\corpol.dll
2008-10-21 05:06 . 2008-10-21 05:06 18342 ----a-w- c:\program files\Common Files\gusuh.pif
2008-10-21 05:06 . 2008-10-21 05:06 13161 ----a-w- c:\program files\Common Files\wocim.dl
2008-10-21 05:06 . 2008-10-21 05:06 11894 ----a-w- c:\program files\Common Files\woba.com
2008-10-21 05:06 . 2008-10-21 05:06 10177 ----a-w- c:\program files\Common Files\tihupoc._dl
2008-10-21 04:52 . 2008-10-21 04:52 17152 ----a-w- c:\program files\Common Files\ibucacy.dll
2008-10-21 04:52 . 2008-10-21 04:52 11750 ----a-w- c:\program files\Common Files\ofaf.sys
2008-10-20 02:17 . 2008-10-20 02:17 19794 ----a-w- c:\program files\Common Files\idurova.scr
2001-06-23 12:29 . 2003-08-20 02:47 11776 -c--a-w- c:\program files\OfficeXP30daysTrialActivatorV10.exe
2008-05-20 03:17 . 2008-05-20 03:17 0 --sh--w- c:\windows\S363DDCF6.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-09-24_03.13.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-26 01:19 . 2009-09-26 01:19 16384 c:\windows\temp\Perflib_Perfdata_490.dat
+ 2009-09-25 02:35 . 2009-07-31 19:23 149280 c:\windows\system32\javaws.exe
+ 2009-09-25 02:35 . 2009-07-31 19:23 145184 c:\windows\system32\javaw.exe
+ 2009-09-25 02:35 . 2009-07-31 19:23 145184 c:\windows\system32\java.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ComcastAntispyClient"="c:\program files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" [2009-06-17 1587672]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-08-05 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2002-11-15 28672]
"QuickFinder Scheduler"="c:\program files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE" [2002-08-15 77887]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2001-12-17 483394]
"ROVATray"="c:\program files\ROVA\rovatray.exe" [2007-02-09 143360]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2007-12-23 50688]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-31 1601304]
"ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-07-04 40960]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"WD Button Manager"="WDBtnMgr.exe" - c:\windows\system32\WDBtnMgr.exe [2007-02-18 335872]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-31 23:52 10520 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"tdxdowkc"=2 (0x2)
"sobicyt"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Blubster\\Blubster.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6889:UDP"= 6889:UDP:BitTorrent
"6887:UDP"= 6887:UDP:Bittorrent
"6886:UDP"= 6886:UDP:BitTorrent
"6885:UDP"= 6885:UDP:BitTorrent
"6884:UDP"= 6884:UDP:BitTorrent
"6883:UDP"= 6883:UDP:BitTorrent
"6882:UDP"= 6882:UDP:BitTorrent
"6881:UDP"= 6881:UDP:BitTorrent
"6888:UDP"= 6888:UDP:BitTorrent

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/24/2008 10:15 PM 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/24/2008 10:15 PM 107272]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [3/3/2008 1:00 AM 218504]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [6/17/2009 1:49 PM 616408]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [3/31/2009 7:52 PM 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/31/2009 7:52 PM 298264]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
R2 TTDec;ATI WDM Teletext Decoder;c:\windows\system32\drivers\atinttxx.sys [5/25/2003 12:23 PM 13824]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
S1 724c29a6;724c29a6;c:\windows\system32\drivers\724c29a6.sys [9/8/2009 6:16 PM 0]
S2 GEARSecurity_BackUp;GEARSecurity_BackUp;system32\gearsec.exe --> system32\gearsec.exe [?]
S3 GearAspiWDM_BackUp;GEARAspiWDM;c:\windows\system32\drivers\GEARAspiWDM.sys [1/29/2008 12:01 PM 23400]
S4 Age9la;Age9la; [x]
.
Contents of the 'Scheduled Tasks' folder

2009-09-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2003-04-19 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-01-15 00:12]

2003-04-30 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-01-15 00:12]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://search.msn.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = www.yahoo.com
mStart Page = hxxp://www.google.com
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &Viewpoint Search - c:\program files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} - hxxps://qds1.qdsremote.com/cabs/ActiveXViewer.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-25 21:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2111998232-1178579903-1736132178-1005\Software\Zepter Software\RegLib*94db84a8\AnyDVD/1]
"1"=dword:445009f8
"2"=dword:445151eb
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(608)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(664)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll

- - - - - - - > 'explorer.exe'(3700)
c:\windows\system32\WININET.dll
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\CA\PPRT\bin\ITMRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Neoteris\Installer Service\NeoterisSetupService.exe
c:\program files\Quintech\ROVAUpdate\rovasrvc.exe
c:\program files\Sony\VAIO Media Music Server\SSSvr.exe
c:\program files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
c:\program files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
c:\program files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
c:\program files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
c:\program files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-26 21:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-26 01:36
ComboFix2.txt 2009-09-24 03:29

Pre-Run: 1,706,082,304 bytes free
Post-Run: 1,869,946,880 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=2,3,4,5
270 --- E O F --- 2009-09-23 04:13
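What a helper picks out of a ComboFix listing like the one above by eye can be mechanised: an empty driver file (724c29a6.sys is 0 bytes and still has an S1 service pointing at it), files with the hidden and system attributes set in odd places (C:\redir.sys, c:\windows\S363DDCF6.tmp), loose executables with odd extensions dumped straight into Common Files instead of a vendor subfolder (the .pif/.com/.scr/._dl/.sys cluster dated 2008-10-21), and a service with no image on disk (Age9la, [x]). The script below is an added example, not part of this thread and not a ComboFix feature. The sample lines are copied from the log above; the reading of ComboFix's eight-character attribute column as d,c,s,h,a,r,w is my assumption about the format; and every hit is a lead for a human to check against a known-good install, not a verdict.

```python
import ntpath
import re
from dataclasses import dataclass

# Lines copied from the ComboFix log above (Find3M / Files Created and the service list).
SAMPLE_LOG = r"""
2009-09-08 22:16 . 2009-09-12 23:32 0 ----a-w- c:\windows\system32\drivers\724c29a6.sys
2009-07-30 04:23 . 2009-07-30 04:23 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-10 03:18 . 2009-08-10 03:18 56 -csha-w- C:\redir.sys
2009-08-13 02:19 . 2008-10-25 15:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2008-10-21 05:06 . 2008-10-21 05:06 18342 ----a-w- c:\program files\Common Files\gusuh.pif
2008-10-21 05:06 . 2008-10-21 05:06 10177 ----a-w- c:\program files\Common Files\tihupoc._dl
2008-10-21 04:52 . 2008-10-21 04:52 11750 ----a-w- c:\program files\Common Files\ofaf.sys
2008-05-20 03:17 . 2008-05-20 03:17 0 --sh--w- c:\windows\S363DDCF6.tmp
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/24/2008 10:15 PM 325128]
S1 724c29a6;724c29a6;c:\windows\system32\drivers\724c29a6.sys [9/8/2009 6:16 PM 0]
S4 Age9la;Age9la; [x]
"""

# "<created> . <modified> <size|--------> <attrs> <path>"; attrs assumed to be d,c,s,h,a,r,w,? in that order.
FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) (\S+) ([-a-z]{8}) (.+?)\s*$", re.M)
# "<R|S><start> <name>;<display>;<image path> [<date> <size>]"  or  "[x]" when the image is missing.
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*?) \[(.*?)\]\s*$", re.M)
EXEC_EXT = {".exe", ".dll", ".sys", ".com", ".pif", ".scr", ".dl", "._dl"}


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def triage(log_text: str) -> list:
    findings = []
    for m in FILE_RE.finditer(log_text):
        size, attrs, path = m.group(3), m.group(4), m.group(5)
        if attrs[0] == "d":
            continue                                  # directories carry no payload by themselves
        name = ntpath.basename(path)
        ext = ntpath.splitext(name)[1].lower()
        parent = ntpath.basename(ntpath.dirname(path)).lower()
        if size == "0" and ext == ".sys":
            findings.append(Finding(path, "zero-byte .sys: cannot be a working driver, remove with its service"))
        if attrs[2] == "s" and attrs[3] == "h":
            findings.append(Finding(path, "hidden+system attributes set: compare against a known-good install"))
        if parent == "common files" and ext in EXEC_EXT:
            findings.append(Finding(path, f"loose {ext} directly under Common Files: vendors use subfolders"))
    for m in SERVICE_RE.finditer(log_text):
        name, path, info = m.group(2), m.group(4), m.group(5)
        if info == "x" or not path:
            findings.append(Finding(f"service {name}", "service with no image on disk ([x])"))
        elif info.rsplit(" ", 1)[-1] == "0":
            findings.append(Finding(f"service {name} -> {path}", "service points at a zero-byte image"))
    return findings


def flagged_paths(log_text: str) -> list:
    return sorted({f.path for f in triage(log_text)})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.path}\n    {f.reason}")
```

Feed it the whole ComboFix.txt rather than the excerpt and the output is a short list to reconcile with what the scanners already quarantined; what survives that reconciliation is what goes into the next File:: block.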

#13 quietman7
Bleepin' Janitor, Global Moderator (Virginia, USA)

Posted 25 September 2009 - 11:01 PM

Open Notepad by clicking Start > Run... and in the open box type: Notepad.exe
Press Ok, then copy and paste everything in the code box below into it.

KILLALL::

File::
c:\program files\Common Files\gusuh.pif
c:\program files\Common Files\wocim.dl
c:\program files\Common Files\woba.com
c:\program files\Common Files\tihupoc._dl
c:\program files\Common Files\ibucacy.dll
c:\program files\Common Files\ofaf.sys
c:\program files\Common Files\idurova.scr

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"tdxdowkc"=-
"sobicyt"=-

Reboot::
  • Save the file as CFScript.txt by choosing Save As... in the File Menu, and save it to your Desktop where the ComboFix icon is also located.
  • Close your browser and disconnect from the Internet.
  • Now use your mouse to drag, then drop the CFScript.txt file on top of ComboFix.exe as seen in the image below.
[image: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix and launch the script.
  • ComboFix may reboot your system when it finishes. This is normal.
  • A log will automatically be created and saved to C:\ComboFix.txt. Please copy and paste the contents of ComboFix.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs after the scan is complete.
Also let me know how your computer is running and if there are any more reports/signs of infection.

#14 JohnK2374
Topic Starter, Member

Posted 26 September 2009 - 07:17 PM

OK. Here's the ComboFix Log from today:

ComboFix 09-09-22.02 - John 09/26/2009 18:37.4.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.504.177 [GMT -4:00]
Running from: c:\documents and settings\John\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\John\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\program files\Common Files\gusuh.pif"
"c:\program files\Common Files\ibucacy.dll"
"c:\program files\Common Files\idurova.scr"
"c:\program files\Common Files\ofaf.sys"
"c:\program files\Common Files\tihupoc._dl"
"c:\program files\Common Files\woba.com"
"c:\program files\Common Files\wocim.dl"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\gusuh.pif
c:\program files\Common Files\ibucacy.dll
c:\program files\Common Files\idurova.scr
c:\program files\Common Files\ofaf.sys
c:\program files\Common Files\tihupoc._dl
c:\program files\Common Files\woba.com
c:\program files\Common Files\wocim.dl

.
((((((((((((((((((((((((( Files Created from 2009-08-26 to 2009-09-26 )))))))))))))))))))))))))))))))
.

2009-09-26 22:52 . 2009-09-26 22:52 -------- d-----w- c:\windows\LastGood
2009-09-22 04:01 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-22 03:20 . 2009-09-23 01:08 -------- dc----w- C:\Combo-Fix2211C
2009-09-17 03:12 . 2009-09-25 06:03 -------- dc----w- C:\Combo-Fix
2009-09-11 04:56 . 2009-09-11 04:56 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-09-08 22:16 . 2009-09-12 23:32 0 ----a-w- c:\windows\system32\drivers\724c29a6.sys
2009-09-08 22:15 . 2002-08-29 12:00 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys
2009-09-08 22:15 . 2002-08-29 12:00 4224 ------w- c:\windows\system32\drivers\beep.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-26 20:58 . 2009-05-04 03:52 -------- d-----w- c:\documents and settings\John\Application Data\CallingID
2009-09-25 02:35 . 2005-05-03 03:05 -------- d-----w- c:\program files\Java
2009-09-24 02:59 . 2009-08-13 01:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-22 02:38 . 2008-05-24 03:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-11 05:05 . 2005-05-03 03:25 -------- d-----w- c:\documents and settings\John\Application Data\Azureus
2009-09-10 18:54 . 2009-08-13 01:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-08-13 01:19 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-03 21:24 . 2009-05-04 03:50 -------- d-----w- c:\documents and settings\John\Application Data\comcasttb
2009-08-24 04:34 . 2007-04-05 22:41 -------- d-----w- c:\documents and settings\John\Application Data\Vso
2009-08-22 18:20 . 2009-08-12 03:35 -------- d-----w- c:\documents and settings\John\Application Data\GetRightToGo
2009-08-20 03:49 . 2009-08-02 20:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-20 03:49 . 2009-08-02 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-14 15:41 . 2009-08-14 11:53 -------- d-----w- c:\documents and settings\John\Application Data\ICAClient
2009-08-13 02:20 . 2009-08-13 02:20 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-13 02:20 . 2009-08-13 02:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-13 02:20 . 2009-08-13 02:20 -------- d-----w- c:\documents and settings\John\Application Data\SUPERAntiSpyware.com
2009-08-13 02:19 . 2008-10-25 15:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-10 03:18 . 2009-08-10 03:13 -------- d-----w- c:\documents and settings\John\Application Data\Sonic
2009-08-10 03:18 . 2009-08-10 03:18 56 -csha-w- C:\redir.sys
2009-08-10 03:18 . 2009-08-10 03:18 -------- d-----w- c:\program files\Common Files\PACE Anti-Piracy
2009-08-10 03:18 . 2009-08-10 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\PACE Anti-Piracy
2009-08-10 03:13 . 2009-08-10 03:13 -------- d-----w- c:\program files\Common Files\Sonic
2009-08-10 03:12 . 2009-08-10 03:12 -------- d-----w- c:\program files\Common Files\SureThing Shared
2009-08-10 03:12 . 2009-08-10 03:12 -------- d-----w- c:\program files\Sonic
2009-08-08 19:16 . 2009-07-25 01:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-08-06 03:49 . 2009-07-25 01:41 -------- d-----w- c:\program files\Windows Sidebar
2009-08-06 02:52 . 2003-01-16 18:55 -------- d-----w- c:\program files\Yahoo!
2009-08-05 09:01 . 2003-01-15 22:43 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-02 22:10 . 2003-12-18 02:27 120104 -c--a-w- c:\documents and settings\John\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-02 20:33 . 2009-08-02 20:33 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-08-02 20:33 . 2009-08-02 20:33 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-08-02 18:49 . 2009-08-02 18:49 -------- d-----w- c:\program files\MSBuild
2009-08-02 18:49 . 2009-08-02 18:49 -------- d-----w- c:\program files\Reference Assemblies
2009-07-31 19:23 . 2009-03-02 03:31 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-30 04:31 . 2009-07-30 04:31 -------- d-----w- c:\program files\Alcohol Soft
2009-07-30 04:23 . 2009-07-30 04:23 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-07-17 19:01 . 2003-01-15 22:43 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-05-12 02:23 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2004-02-06 22:05 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2003-01-15 22:43 17408 ----a-w- c:\windows\system32\corpol.dll
2001-06-23 12:29 . 2003-08-20 02:47 11776 -c--a-w- c:\program files\OfficeXP30daysTrialActivatorV10.exe
2008-05-20 03:17 . 2008-05-20 03:17 0 --sh--w- c:\windows\S363DDCF6.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-09-24_03.13.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-26 22:50 . 2009-09-26 22:50 16384 c:\windows\temp\Perflib_Perfdata_4a0.dat
+ 2009-09-25 02:35 . 2009-07-31 19:23 149280 c:\windows\system32\javaws.exe
+ 2009-09-25 02:35 . 2009-07-31 19:23 145184 c:\windows\system32\javaw.exe
+ 2009-09-25 02:35 . 2009-07-31 19:23 145184 c:\windows\system32\java.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ComcastAntispyClient"="c:\program files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" [2009-06-17 1587672]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-08-05 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2002-11-15 28672]
"QuickFinder Scheduler"="c:\program files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE" [2002-08-15 77887]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2001-12-17 483394]
"ROVATray"="c:\program files\ROVA\rovatray.exe" [2007-02-09 143360]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2007-12-23 50688]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-31 1601304]
"ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-07-04 40960]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"WD Button Manager"="WDBtnMgr.exe" - c:\windows\system32\WDBtnMgr.exe [2007-02-18 335872]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-31 23:52 10520 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Blubster\\Blubster.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6889:UDP"= 6889:UDP:BitTorrent
"6887:UDP"= 6887:UDP:Bittorrent
"6886:UDP"= 6886:UDP:BitTorrent
"6885:UDP"= 6885:UDP:BitTorrent
"6884:UDP"= 6884:UDP:BitTorrent
"6883:UDP"= 6883:UDP:BitTorrent
"6882:UDP"= 6882:UDP:BitTorrent
"6881:UDP"= 6881:UDP:BitTorrent
"6888:UDP"= 6888:UDP:BitTorrent

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/24/2008 10:15 PM 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/24/2008 10:15 PM 107272]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [3/3/2008 1:00 AM 218504]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R2 TTDec;ATI WDM Teletext Decoder;c:\windows\system32\drivers\atinttxx.sys [5/25/2003 12:23 PM 13824]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
S1 724c29a6;724c29a6;c:\windows\system32\drivers\724c29a6.sys [9/8/2009 6:16 PM 0]
S3 GearAspiWDM_BackUp;GEARAspiWDM;c:\windows\system32\drivers\GEARAspiWDM.sys [1/29/2008 12:01 PM 23400]
.
Contents of the 'Scheduled Tasks' folder

2009-09-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2003-04-19 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-01-15 00:12]

2003-04-30 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-01-15 00:12]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://search.msn.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = www.yahoo.com
mStart Page = hxxp://www.google.com
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &Viewpoint Search - c:\program files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} - hxxps://qds1.qdsremote.com/cabs/ActiveXViewer.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-26 19:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2111998232-1178579903-1736132178-1005\Software\Zepter Software\RegLib*94db84a8\AnyDVD/1]
"1"=dword:445009f8
"2"=dword:445151eb
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(608)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(664)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll

- - - - - - - > 'explorer.exe'(2372)
c:\windows\system32\WININET.dll
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\AVG\AVG8\avgwdsvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\CA\PPRT\bin\ITMRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Neoteris\Installer Service\NeoterisSetupService.exe
c:\program files\Quintech\ROVAUpdate\rovasrvc.exe
c:\program files\Sony\VAIO Media Music Server\SSSvr.exe
c:\program files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
c:\progra~1\AVG\AVG8\avgemc.exe
c:\program files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
c:\program files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
c:\program files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
c:\program files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-26 19:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-26 23:55
ComboFix2.txt 2009-09-26 01:37
ComboFix3.txt 2009-09-24 03:29

Pre-Run: 1,849,311,232 bytes free
Post-Run: 1,827,303,424 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=2,3,4,5
263 --- E O F --- 2009-09-23 04:13

#15 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,394 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 26 September 2009 - 10:52 PM

Go to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, click the "browse" button and locate the following file:
C:\redir.sys <- this file
Click "Open", then click the "Submit" button.
-- Post back with the results of the file analysis in your next reply.

Also let me know how your computer is running.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
