
Crazy unknown Windows XP Infection Issue


This topic is locked
3 replies to this topic

#1 sh4rkbyt3

  • Members
  • 398 posts
  • Gender:Male
Posted 28 September 2009 - 08:42 PM

Working on a customer's computer, I've scanned this thing several times with everything I normally rely on but am still having issues.
Firstly, I can't seem to be able to install ANY AV programs (AVG, Avira, or WinClam). I did manage to install HJT, Malwarebytes, Spybot S&D, SuperAntiSpyware, CCleaner and Auslogics Disk Defrag.

I've cleaned out the registry as best and as safely as possible, but I am continuing to have some issues, such as being unable to remove Avira from HKLM/Software/Avira.
I know some AV programs are difficult to remove from regedit to purposely limit hacker removal, etc. But I've never had one that couldn't be eradicated through file shredding.
I'm also not sure that the previously mentioned programs are operating cleanly.

I've made the following logs: DDS (ATTACH), DDS (MAIN), ark.txt and would like to know where and how to post them here. I didn't want to inadvertently post a file that may cause an issue, so I'll await instructions.

Thank you sincerely for your help!


#2 sh4rkbyt3
  • Topic Starter

  • Members
  • 398 posts
  • Gender:Male

Posted 28 September 2009 - 08:58 PM

Here is my DDS main report:

DDS (Ver_09-09-29.01) - NTFSx86
Run by Owner at 22:03:01.60 on Mon 09/28/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.1022.690 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [F5D9050] c:\program files\belkin\f5d9050\Belkinwcui.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {F07C9E4F-AC95-43B8-B8EE-690E4BEEBEC1} = 208.67.222.222,208.67.220.222
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\9bv6kktb.default\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [2009-9-28 22360]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [2009-9-28 45416]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
R3 BKNDIS5;BKNDIS5 NDIS Protocol Driver;c:\progra~1\belkin\f5d9050\BKNDIS5.SYS [2009-9-15 15872]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]
R3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\drivers\ss.sys [2009-9-15 19968]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;"c:\program files\avira\antivir desktop\sched.exe" --> c:\program files\avira\antivir desktop\sched.exe [?]
S2 AntiVirService;Avira AntiVir Guard;"c:\program files\avira\antivir desktop\avguard.exe" --> c:\program files\avira\antivir desktop\avguard.exe [?]

=============== Created Last 30 ================

2009-09-28 20:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-09-28 20:13 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-09-28 20:13 <DIR> --d----- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-09-28 20:12 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-09-28 19:46 <DIR> --ds---- c:\documents and settings\owner\UserData
2009-09-28 18:30 <DIR> --d----- c:\program files\Trend Micro
2009-09-28 17:46 <DIR> --d----- c:\docume~1\owner\applic~1\GlarySoft
2009-09-28 16:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-09-28 16:45 <DIR> --d----- c:\docume~1\owner\applic~1\Auslogics
2009-09-28 16:45 <DIR> --d----- c:\program files\Auslogics
2009-09-28 16:10 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-09-28 16:10 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-28 16:10 18,520 a------- c:\windows\system32\drivers\mbam.sys
2009-09-28 16:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-28 16:10 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-28 16:02 <DIR> --d----- c:\program files\CCleaner
2009-09-15 11:47 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-09-15 11:35 21,760 ac------ c:\windows\system32\dllcache\usbstor.sys
2009-09-15 10:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-09-15 10:15 991,232 a------- c:\windows\system32\esent.dll
2009-09-15 10:10 <DIR> --d----- c:\windows\system32\bits
2009-09-15 10:09 <DIR> --d----- c:\windows\system32\PreInstall
2009-09-15 10:09 22,752 a------- c:\windows\system32\spupdsvc.exe
2009-09-15 10:09 <DIR> --d-h--- c:\windows\$hf_mig$
2009-09-15 09:56 17,408 ac------ c:\windows\system32\dllcache\qmgrprxy.dll
2009-09-15 09:56 17,408 a------- c:\windows\system32\qmgrprxy.dll
2009-09-15 09:56 7,680 -c------ c:\windows\system32\dllcache\bitsprx2.dll
2009-09-15 09:56 7,168 -c------ c:\windows\system32\dllcache\bitsprx3.dll
2009-09-15 09:56 7,680 -------- c:\windows\system32\bitsprx2.dll
2009-09-15 09:56 7,168 -------- c:\windows\system32\bitsprx3.dll
2009-09-15 09:56 361,984 ac------ c:\windows\system32\dllcache\qmgr.dll
2009-09-15 09:56 331,776 ac------ c:\windows\system32\dllcache\winhttp.dll
2009-09-15 09:56 331,776 a------- c:\windows\system32\winhttp.dll
2009-09-15 09:53 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-09-15 09:50 213,528 a------- c:\windows\system32\wuaucpl.cpl
2009-09-15 09:50 186,136 a------- c:\windows\system32\wuaueng1.dll
2009-09-15 09:50 167,704 a------- c:\windows\system32\wuauclt1.exe
2009-09-15 09:36 20,747 a------- c:\windows\system32\drivers\AegisP.sys
2009-09-15 09:36 245,248 a------- c:\windows\system32\drivers\rt73.sys
2009-09-15 09:36 40,960 a------- c:\windows\system32\F5D9050.dll
2009-09-15 09:36 36,864 a------- c:\windows\system32\ss.dll
2009-09-15 09:36 19,968 a------- c:\windows\system32\drivers\ss.sys
2009-09-15 09:36 <DIR> --d----- c:\program files\Belkin
2009-09-15 09:34 43,136 a----r-- c:\windows\system32\drivers\bcm4sbxp.sys
2009-09-15 09:34 <DIR> --d----- c:\program files\Broadcom
2009-09-15 09:21 151,552 a------- c:\windows\system32\igfxres.dll
2009-09-15 09:20 266,240 -------- c:\windows\system32\shpshftr.dll
2009-09-15 09:17 23,680 ac------ c:\windows\system32\dllcache\pciidex.sys
2009-09-15 09:14 5,888 ac------ c:\windows\system32\dllcache\splitter.sys
2009-09-15 09:14 <DIR> --d----- c:\program files\Analog Devices
2009-09-15 09:12 446,464 a----r-- c:\windows\system32\hhactivex.dll
2009-09-15 09:12 1,064,456 a------- c:\windows\system32\MSCOMCTL.OCX
2009-09-15 09:12 645,616 a------- c:\windows\system32\MSCOMCT2.OCX
2009-09-15 09:12 414,944 a------- c:\windows\system32\COMCT332.OCX
2009-09-15 09:12 176,128 a------- c:\windows\system32\RcdScan.dll
2009-09-15 09:12 328,480 a------- c:\windows\system32\ssa3d30.ocx
2009-09-15 09:12 171,967 a------- c:\windows\system32\Odbcjet.hlp
2009-09-15 09:12 7,348 a------- c:\windows\system32\Odbcjet.cnt
2009-09-15 09:12 89,360 a------- c:\windows\system32\VB5DB.DLL
2009-09-15 09:12 13,632 -------- c:\windows\system32\drivers\omci.sys
2009-09-15 00:34 <DIR> --ds---- c:\windows\system32\Microsoft
2009-09-15 00:33 <DIR> --dsh--- c:\windows\Installer
2009-09-15 00:32 <DIR> --d----- c:\documents and settings\Owner
2009-09-15 00:30 150,016 ac------ c:\windows\system32\dllcache\winzm.ime
2009-09-15 00:30 150,016 ac------ c:\windows\system32\dllcache\winsp.ime
2009-09-15 00:30 150,016 ac------ c:\windows\system32\dllcache\winpy.ime
2009-09-15 00:30 61,952 ac------ c:\windows\system32\dllcache\winime.ime
2009-09-15 00:30 69,120 ac------ c:\windows\system32\dllcache\wingb.ime
2009-09-15 00:30 74,752 ac------ c:\windows\system32\dllcache\winar30.ime
2009-09-15 00:30 31,232 ac------ c:\windows\system32\dllcache\weitekp9.sys
2009-09-15 00:30 41,600 ac------ c:\windows\system32\dllcache\weitekp9.dll
2009-09-15 00:30 48,256 ac------ c:\windows\system32\dllcache\w32.dll
2009-09-15 00:30 426,042 ac------ c:\windows\system32\dllcache\voicepad.dll
2009-09-15 00:30 86,074 ac------ c:\windows\system32\dllcache\voicesub.dll
2009-09-15 00:28 131,584 ac------ c:\windows\system32\dllcache\pmxviceo.dll
2009-09-15 00:27 9,216 ac------ c:\windows\system32\dllcache\kbdnecat.dll
2009-09-15 00:26 13,463,552 ac------ c:\windows\system32\dllcache\hwxjpn.dll
2009-09-15 00:25 74,752 ac------ c:\windows\system32\dllcache\dayi.ime
2009-09-15 00:24 208,896 ac------ c:\windows\system32\dllcache\fpmmcsat.dll
2009-09-15 00:22 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-09-15 00:20 <DIR> --d----- c:\program files\common files\MSSoap
2009-09-15 00:18 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-09-15 00:18 <DIR> --d----- c:\program files\Online Services
2009-09-15 00:18 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-09-15 00:17 <DIR> --d----- c:\program files\Windows NT
2009-09-14 19:42 <DIR> --d----- c:\program files\common files\ODBC
2009-09-14 19:42 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-09-14 19:42 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-09-15 00:23 2,678 a------- c:\windows\java\packages\data\CGW2CPVH.DAT
2009-09-15 00:23 558,142 a------- c:\windows\java\packages\WRR7L7XR.ZIP
2009-09-15 00:23 155,995 a------- c:\windows\java\packages\Q57R9ZNN.ZIP
2009-09-15 00:23 2,678 a------- c:\windows\java\packages\data\ZZL3LBR7.DAT
2009-09-15 00:23 2,678 a------- c:\windows\java\packages\data\ZRLF1VB5.DAT
2009-09-15 00:23 2,678 a------- c:\windows\java\packages\data\O9JV5NHV.DAT
2009-09-15 00:23 2,678 a------- c:\windows\java\packages\data\8ESQ5VZ7.DAT
2009-09-15 00:23 70,691 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-09-15 00:19 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 22:03:30.21 ===============

#3 sh4rkbyt3
  • Topic Starter

  • Members
  • 398 posts
  • Gender:Male

Posted 02 October 2009 - 12:46 AM

Resolved! Found two well-hidden trojans as well as a rogue worm file. Removed them, and I am continuing to TRY to do Windows Updates. Apparently something has been left over, but I'll find it.

#4 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 05 October 2009 - 07:44 AM

Thanks for letting us know :(

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
