
Anti-Virus Pro 2010 + Rootkit


  • This topic is locked
14 replies to this topic

#1 DnDer

DnDer

  • Members
  • 646 posts
  • OFFLINE
  • Local time:09:14 AM

Posted 12 October 2009 - 11:55 AM

Win32kDiag

Running from: J:\Win32kDiag.exe

Log file at : C:\Documents and Settings\Len\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\BDATunePIA\BDATunePIA

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehCIR\ehCIR

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\EhCM\EhCM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehcommon\ehcommon

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehepg\ehepg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehepgdat\ehepgdat

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehExtCOM\ehExtCOM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehExtHost\ehExtHost

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiExtCOM\ehiExtCOM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiExtens\ehiExtens

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiMsgr\ehiMsgr

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiPlay\ehiPlay

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiProxy\ehiProxy

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiUserXp\ehiUserXp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiVidCtl\ehiVidCtl

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiwmp\ehiwmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiWUapi\ehiWUapi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehRecObj\ehRecObj

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehshell\ehshell

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.MediaCenter\Microsoft.MediaCenter

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP134.tmp\ZAP134.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1DA.tmp\ZAP1DA.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2BC.tmp\ZAP2BC.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF.tmp\ZAP2DF.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAE.tmp\ZAPAE.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\cache\cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\90A2CC5A3D9ECE9429D33078B4DBC4C2\1.20.0\1.20.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-10 05:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-10 05:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\Temp\CTZAPXX\Drivers\Drivers

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCQTFILE00000\MCQTFILE00000

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\TempRec\TempSBE\TempSBE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{169F8893-C1C5-4847-972C-EA1E008112AC}\{169F8893-C1C5-4847-972C-EA1E008112AC}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{236FADD8-58FD-11D6-A285-00A0CC51B2FE}\{236FADD8-58FD-11D6-A285-00A0CC51B2FE}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\{435E969D-867E-4364-8E74-3DC8A69C5BDB}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{67AEFC4C-69E4-11D7-85F4-00E018013273}\{67AEFC4C-69E4-11D7-85F4-00E018013273}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{7201B853-5833-11D6-A285-00A0CC51B2FE}\{7201B853-5833-11D6-A285-00A0CC51B2FE}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{72A810B1-EE62-455A-A086-E1C9FEDE7F29}\{72A810B1-EE62-455A-A086-E1C9FEDE7F29}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{7A900EAB-DA37-4554-AF19-9C337476D05D}\{7A900EAB-DA37-4554-AF19-9C337476D05D}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{9154ED7C-926E-49CC-B677-0CF3C5267457}\{9154ED7C-926E-49CC-B677-0CF3C5267457}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{9E2514D9-DC24-4634-B348-61F3EF0F1628}\{9E2514D9-DC24-4634-B348-61F3EF0F1628}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{A1185190-514F-11D6-A285-00A0CC51B2FE}\{A1185190-514F-11D6-A285-00A0CC51B2FE}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{AC157741-3285-4D6A-B934-9174587A3493}\{AC157741-3285-4D6A-B934-9174587A3493}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{B3549608-69D3-11D7-AB2D-0090271A23A2}\{B3549608-69D3-11D7-AB2D-0090271A23A2}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{DABD554A-7DA6-4763-BF17-D3CAFB55E5A6}\{DABD554A-7DA6-4763-BF17-D3CAFB55E5A6}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{EE6699B3-E5AD-4E59-8F2B-207DF630670C}\{EE6699B3-E5AD-4E59-8F2B-207DF630670C}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\{FD851F7E-F887-405D-9E1C-488811113EF3}\{FD851F7E-F887-405D-9E1C-488811113EF3}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^



Finished!



#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:14 AM

Posted 12 October 2009 - 12:16 PM

Hello DnDer,
  • Welcome to Bleeping Computer.
  • Sorry for the delayed response. The forums have been really busy.
  • My name is fireman4it and I will be helping you with your Malware problem.
  • As I am still in training I will be helping you under supervision of our expert teachers, so there may be a delay between posts.
Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions after it is approved.

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:14 AM

Posted 13 October 2009 - 09:21 PM

Hello DnDer,

1.
  • Click on Start then Run
  • Type cmd in to the area to the right of Open:
  • Click OK
  • In the Command Prompt window that opens, copy and paste the Bold text below:
    • "%userprofile%\desktop\win32kdiag.exe" -f -r
  • Press the Enter key on your keyboard.
  • When it's finished, there will be a log called Win32kDiag.txt on your desktop.
  • Exit the Command Prompt window.
  • Please copy and paste the contents of this log in a reply to this topic.
2.
Please run the following command from the Command Prompt
  • Click on Start then Run
  • Type cmd in to the area to the right of Open:
  • Click OK
  • In the Command Prompt window that opens, copy and paste the Bold text below:
    • copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\ /y
  • Press the Enter key on your keyboard.
  • If successful, you should receive the following message within the Command Prompt window:
    • 1 file(s) copied
  • Exit the Command Prompt window.
  • Note: If you did not get the above message, then stop and post a reply back here telling me so. Do NOT continue with the instructions for using The Avenger
3.
Please download The Avenger by Swandog46 and save it to your desktop
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits does have a tick in it.
  • Make sure that the box next to Automatically disable any rootkits found does NOT have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.

    Files to move:
    C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll

  • In the avenger window, click the Paste Script from Clipboard, Posted Image button.
  • Click the Execute button
  • You will be asked, "Are you sure you want to execute the current script?"
  • Click Yes
  • You will now be asked "First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?"
  • Click Yes
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, the log: avenger.txt should automatically open.
  • If avenger.txt does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please copy and paste the contents of this log in a reply to this topic.
4.
Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

5.
Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

* When done, DDS will open two (2) logs:

1. DDS.txt
2. Attach.txt

Save both reports to your desktop and post the contents of the DDS.txt log. Save the other report in case I need to look at it later.


Things to include in your next reply:
Win32kDiag.txt
avenger.txt
Combofix.txt
DDS.txt
Attach.txt
How is your machine running now?

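The two indicators these posts turn on, as an added example that is not part of the thread, of Win32kDiag, or of any other tool mentioned in it: the Win32kDiag log in post #1 lists dozens of "mount points" (reparse points) under C:\WINDOWS that all redirect to `\Device\__max++>\^`, a device object rather than a volume path, and reports `C:\WINDOWS\system32\eventlog.dll` as inaccessible, with the on-disk copy carrying no company string and a size that matches neither backup copy; fireman4it's step 2 then restores the `ServicePackFiles\i386` copy. The script below parses a constructed Win32kDiag-style sample (modelled on that log, not a verbatim copy, with one benign `\??\` junction added as a control), flags every reparse point whose destination is not a volume path, and for each inaccessible file compares the on-disk copy with its same-named backups and suggests a restore candidate for a human to confirm. The line formats, the "volume path" test and the restore heuristic (same timestamp, else newest backup) are assumptions of this example.

```python
"""Triage of a Win32kDiag-style log (added example; not part of the thread, of
Win32kDiag, or of any other tool mentioned there). Flags reparse points whose
destination is a device object rather than a volume path, and inaccessible system
files whose on-disk copy disagrees with the backups listed under 'Cannot access'."""
import re
from collections import Counter, namedtuple

# Constructed sample patterned on the log posted in the thread (not a verbatim copy);
# the \??\ junction is a benign control entry added to show the filter at work.
SAMPLE_LOG = r"""
Running from: J:\Win32kDiag.exe

Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Junction\Docs

Mount point destination : \??\C:\Users\Public\Documents

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-10 05:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (?P<src>.+)$")
DEST_RE = re.compile(r"^Mount point destination : (?P<dst>.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (?P<path>.+)$")
# "[n] date time size path (company)"; the bracketed index is captured but not interpreted.
FILE_RE = re.compile(r"^\[(?P<idx>\d+)\] (?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
                     r"(?P<size>\d+) (?P<path>.+?) \((?P<company>.*)\)$")
# Where an ordinary junction/mount point points: a Win32 path behind \??\ or a volume device.
VOLUME_DEST_RE = re.compile(r"^(\\\?\?\\|\\Device\\HarddiskVolume\d+\\)", re.IGNORECASE)

MountFinding = namedtuple("MountFinding", "source destination reasons")
# restore_candidate is a suggestion for a human to confirm, never something to apply blindly.
FileFinding = namedtuple("FileFinding", "path size company reasons restore_candidate")

def parse(text):
    """Pair each mount point with its destination; group the listing under each 'Cannot access'."""
    mounts, inaccessible, pending_src, current = [], [], None, None
    for line in filter(None, map(str.strip, text.splitlines())):   # blank lines are ignored
        if m := MOUNT_RE.match(line):
            pending_src, current = m.group("src"), None
        elif (m := DEST_RE.match(line)) and pending_src is not None:
            mounts.append((pending_src, m.group("dst")))
            pending_src = None
        elif m := CANNOT_RE.match(line):
            current = (m.group("path"), [])
            inaccessible.append(current)
        elif (m := FILE_RE.match(line)) and current is not None:
            current[1].append({**m.groupdict(), "size": int(m.group("size"))})
        else:
            current = None                                          # any other line closes the group
    return mounts, inaccessible

def check_mount(source, destination):
    """Reasons to look at this reparse point, or [] when it points where junctions normally do."""
    if VOLUME_DEST_RE.match(destination):
        return []
    reasons = ["destination is a device object, not a volume path"]
    parts = source.rstrip("\\").split("\\")
    if len(parts) >= 2 and parts[-1].lower() == parts[-2].lower():
        reasons.append("directory name repeats its parent's name (as throughout the posted log)")
    return reasons

def check_file(path, entries):
    """Compare the inaccessible file with same-named copies that still carry a company string."""
    name = path.rsplit("\\", 1)[-1].lower()
    target = next((e for e in entries if e["path"].lower() == path.lower()), None)
    if target is None:
        return FileFinding(path, 0, "", ["inaccessible and no directory entry recovered"], None)
    backups = [e for e in entries if e["company"] and e["path"].lower() != path.lower()
               and e["path"].rsplit("\\", 1)[-1].lower() == name]
    reasons = []
    if not target["company"]:
        reasons.append("no company/version string on the on-disk copy")
    if backups and all(e["size"] != target["size"] for e in backups):
        reasons.append("size %d matches none of %d same-named backup copies" % (target["size"], len(backups)))
    candidate = None
    if backups:  # prefer the backup with the same timestamp (same service-pack build), else the newest
        same_stamp = [e for e in backups if (e["date"], e["time"]) == (target["date"], target["time"])]
        candidate = (same_stamp or [max(backups, key=lambda e: (e["date"], e["time"]))])[0]["path"]
    return FileFinding(path, target["size"], target["company"], reasons, candidate)

def triage(text):
    """Return (mount findings, file findings, number of reparse points per destination)."""
    mounts, inaccessible = parse(text)
    mount_findings = [MountFinding(s, d, r) for s, d in mounts for r in [check_mount(s, d)] if r]
    return mount_findings, [check_file(p, es) for p, es in inaccessible], Counter(d for _, d in mounts)
```

Calling `triage(SAMPLE_LOG)` reports the KB904706 reparse point (device-object destination, repeated directory name), leaves the `\??\` junction alone, and for eventlog.dll returns both reasons plus the ServicePackFiles copy as the restore candidate, which is the copy the helper chose in step 2. The per-destination counter is the cheap way to spot the pattern in post #1, where nearly every entry shares one destination; a finding here is a prompt for the manual verification and restore steps the thread walks through, not an automatic fix.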


#4 DnDer

DnDer
  • Topic Starter

  • Members
  • 646 posts
  • OFFLINE
  • Local time:09:14 AM

Posted 13 October 2009 - 11:50 PM

Thank you. I should have your results by this time tomorrow, or earlier.

#5 DnDer

DnDer
  • Topic Starter

  • Members
  • 646 posts
  • OFFLINE
  • Local time:09:14 AM

Posted 14 October 2009 - 11:41 AM

1. win32kdiag
C:\Documents and Settings\Len>"%userprofile%\desktop\win32kdiag.exe" -f -r
'"C:\Documents and Settings\Len\desktop\win32kdiag.exe"' is not recognized as an
 internal or external command,
operable program or batch file.

C:\Documents and Settings\Len>

2. copy command
Successful.

3. Avenger
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

4. ComboFix
ComboFix 09-10-13.04 - Len 10/14/2009 10:55.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.571 [GMT -5:00]
Running from: c:\documents and settings\Len\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\aset.pif
c:\documents and settings\All Users\Application Data\rukizezav.sys
c:\documents and settings\All Users\Documents\zopytusope.reg
c:\documents and settings\Carrington\Desktop\Security Tool.lnk
c:\documents and settings\Carrington\Start Menu\Programs\Security Tool.lnk
c:\documents and settings\Carrington\Start Menu\Programs\Startup\scandisk.lnk
c:\documents and settings\Len\Application Data\5067167582
c:\documents and settings\Len\Application Data\5067167582\5067167582.bat
c:\documents and settings\Len\Application Data\5067167582\5067167582.cfg
c:\documents and settings\Len\Application Data\5067167582\5067167582.exe
c:\documents and settings\Len\Application Data\egifiga.pif
c:\documents and settings\Len\Application Data\iniasd.txt
c:\documents and settings\Len\Application Data\kuru.dl
c:\documents and settings\Len\Application Data\lizkavd.exe
c:\documents and settings\Len\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\Len\Application Data\seres.exe
c:\documents and settings\Len\Application Data\svcst.exe
c:\documents and settings\Len\Application Data\usixahofos.sys
c:\documents and settings\Len\Application Data\WinAntiSpyware 2006
c:\documents and settings\Len\Application Data\WinAntiSpyware 2006\activator_info.txt
c:\documents and settings\Len\Application Data\WinAntiSpyware 2006\Logs\Activate.log
c:\documents and settings\Len\Application Data\WinAntiSpyware 2006\Logs\update.log
c:\documents and settings\Len\Cookies\axijycy.bat
c:\documents and settings\Len\Cookies\ejuzula.com
c:\documents and settings\Len\Desktop\AntivirusPro_2010.lnk
c:\documents and settings\Len\Desktop\Security Tool.lnk
c:\documents and settings\Len\err.log
c:\documents and settings\Len\Favorites\Online Security Guide.lnk
c:\documents and settings\Len\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\Len\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\Len\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
c:\documents and settings\Len\Start Menu\Programs\Security Tool.lnk
c:\documents and settings\Len\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Len\Start Menu\Programs\Startup\scandisk.lnk
c:\documents and settings\Lisa\Desktop\Security Tool.lnk
c:\documents and settings\Lisa\Start Menu\Programs\Security Tool.lnk
c:\program files\AntivirusPro_2010
c:\program files\AntivirusPro_2010\AntivirusPro_2010.cfg
c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
c:\program files\Common Files\hulu.bat
c:\program files\Common Files\hyfuv.inf
c:\program files\Common Files\qohewaryz.vbs
c:\program files\Common Files\vywydaz.reg
c:\program files\Common Files\WinAntiSpyware 2006
c:\program files\Common Files\WinAntiSpyware 2006\err.log
c:\program files\Common Files\WinAntiSpyware 2006\was6chk.dll
c:\program files\QdrDrive
c:\windows\dera.sys
c:\windows\emowarajys._dl
c:\windows\iryqes.dl
c:\windows\kb913800.exe
c:\windows\system32\AVR09.exe
c:\windows\system32\biserano.exe
c:\windows\system32\bszip.dll
c:\windows\system32\ehkmp.ini
c:\windows\system32\ehkmp.ini2
c:\windows\system32\fhfoxpbz.dllbox
c:\windows\system32\hhhkj.ini
c:\windows\system32\hhhkj.ini2
c:\windows\system32\jvdbcigs.ini
c:\windows\system32\lesohufu.dll
c:\windows\system32\nnnmp.ini
c:\windows\system32\nnnmp.ini2
c:\windows\system32\senekalog.dat
c:\windows\system32\stera.log
c:\windows\system32\ttvwa.bak1
c:\windows\system32\ttvwa.bak2
c:\windows\system32\ttvwa.ini
c:\windows\system32\vvvwa.ini
c:\windows\system32\vvvwa.ini2
c:\windows\system32\winhelper.dll
c:\windows\system32\xyjuvugak.dll
c:\windows\system32\ynydyfydym.scr
c:\windows\system32\zorotahi.exe
c:\windows\system32\zotokohu.exe
c:\windows\telabojig.vbs
c:\windows\towyt.bat
c:\windows\win32k.sys
c:\windows\ypezegelim.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WASFSD
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2009-09-14 to 2009-10-14 )))))))))))))))))))))))))))))))
.

2009-10-11 00:48 . 2009-10-11 00:48 -------- d-----w- c:\documents and settings\Len\Application Data\Malwarebytes
2009-10-11 00:48 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-11 00:48 . 2009-10-11 00:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-11 00:48 . 2009-10-11 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-11 00:48 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-11 00:43 . 2009-10-11 00:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-11 00:30 . 2009-10-11 00:30 -------- d-----w- C:\OEMSettings
2009-10-11 00:29 . 2009-10-11 00:29 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-10-11 00:29 . 2009-10-11 00:29 -------- d-----w- c:\program files\NETGEAR
2009-10-04 01:28 . 2009-10-04 01:28 187376 ----a-w- C:\hufa.exe
2009-10-04 01:28 . 2009-10-04 01:28 43520 ----a-w- C:\vsoq.exe
2009-10-04 01:28 . 2009-10-04 01:28 39936 ----a-w- C:\anlqrvl.exe
2009-10-04 01:28 . 2009-10-04 01:28 5632 ----a-w- C:\efbcmkj.exe
2009-10-04 01:28 . 2009-10-04 01:28 51200 ----a-w- C:\ehrrg.exe
2009-10-04 01:28 . 2009-10-04 01:28 19456 ----a-w- C:\erupquii.exe
2009-10-03 01:30 . 2009-10-01 15:29 195440 ------w- c:\windows\system32\MpSigStub.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-11 00:34 . 2008-03-10 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Grisoft
2009-10-11 00:30 . 2005-10-10 04:30 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-07 16:02 . 2006-12-06 14:22 -------- d-----w- c:\program files\Incomplete
2009-10-07 01:59 . 2008-07-10 03:21 0 ----a-w- c:\documents and settings\Cennedy\Local Settings\Application Data\prvlcl.dat
2009-10-04 16:52 . 2009-07-04 16:52 52736 --sha-w- c:\windows\system32\tipigola.dll
2009-10-04 16:52 . 2009-07-04 16:52 38912 --sha-w- c:\windows\system32\latuwusa.dll
2009-10-04 01:34 . 2009-07-04 01:34 38912 --sha-w- c:\windows\system32\hebedogu.dll
2009-10-04 01:34 . 2009-07-04 01:34 27648 --sha-w- c:\windows\system32\soyabodu.dll
2009-09-30 12:56 . 2008-05-19 21:53 56 --sh--r- c:\windows\system32\1FBD0724DF.sys
2009-09-30 12:56 . 2007-02-04 19:14 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-09-10 15:02 . 2008-03-10 17:18 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-16 03:33 . 2008-03-21 02:05 52064 ----a-w- c:\documents and settings\Lisa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-16 03:29 . 2008-03-20 16:54 52064 ----a-w- c:\documents and settings\Cennedy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-16 03:16 . 2008-03-19 21:14 52064 ----a-w- c:\documents and settings\Carrington\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-15 16:42 . 2006-01-14 02:52 52064 ----a-w- c:\documents and settings\Len\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2004-08-19 20:49 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-19 20:49 58880 ----a-w- c:\windows\system32\atl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-27 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-30 339968]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-07-10 195072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2007-9-12 1527808]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0stera

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpsvc.exe"=

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [4/23/2007 2:11 PM 224896]
S3 w600bus;Sony Ericsson W600 driver (WDM);c:\windows\system32\drivers\w600bus.sys [1/13/2006 9:41 PM 60928]
S3 w600mdfl;Sony Ericsson W600 USB WMC Modem Filter;c:\windows\system32\drivers\w600mdfl.sys [1/13/2006 9:43 PM 8336]
S3 w600mdm;Sony Ericsson W600 USB WMC Modem Drivers;c:\windows\system32\drivers\w600mdm.sys [1/13/2006 9:43 PM 96672]
S3 w600mgmt;Sony Ericsson W600 USB WMC Device Management Drivers;c:\windows\system32\drivers\w600mgmt.sys [1/13/2006 9:45 PM 88080]
S3 w600obex;Sony Ericsson W600 USB WMC OBEX Interface Drivers;c:\windows\system32\drivers\w600obex.sys [1/13/2006 9:45 PM 85952]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-10-12 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2009-10-14 c:\windows\Tasks\User_Feed_Synchronization-{B0ED56F3-D500-40C7-89C2-CEBC39A129F9}.job
- c:\windows\system32\msfeedssync.exe [2006-11-10 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.
- - - - ORPHANS REMOVED - - - -

BHO-{4207BDD9-8543-4CE0-8942-32F81C959C88} - c:\windows\system32\pmkhe.dll
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-josiruyew - c:\windows\system32\lesohufu.dll
HKLM-Run-5067167582 - c:\documents and settings\Len\Application Data\5067167582\5067167582.exe
SharedTaskScheduler-{0df224aa-9416-4ae9-a0cd-e312507bd594} - c:\windows\system32\fetokuze.dll
SharedTaskScheduler-{c40d8968-c562-438b-9e5e-23cb656466d9} - c:\windows\system32\lesohufu.dll
SSODL-kulotiwoj-{0df224aa-9416-4ae9-a0cd-e312507bd594} - c:\windows\system32\fetokuze.dll
SSODL-vutokuzel-{c40d8968-c562-438b-9e5e-23cb656466d9} - c:\windows\system32\lesohufu.dll
Notify-awvtt - c:\windows\system32\awvtt.dll
AddRemove-HijackThis - J:\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-14 11:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2276)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-10-14 11:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-14 16:16

Pre-Run: 130,144,940,032 bytes free
Post-Run: 131,341,885,440 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

254 --- E O F --- 2009-10-03 01:30

5. DDS

DDS (Ver_09-10-12.01) - NTFSx86
Run by Len at 11:19:24.28 on Wed 10/14/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.651 [GMT -5:00]

FW: McAfee Personal Firewall Plus *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Documents and Settings\Len\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: H - No File
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/download/ipixx.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205166936062
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-4-23 224896]
S3 w600bus;Sony Ericsson W600 driver (WDM);c:\windows\system32\drivers\w600bus.sys [2006-1-13 60928]
S3 w600mdfl;Sony Ericsson W600 USB WMC Modem Filter;c:\windows\system32\drivers\w600mdfl.sys [2006-1-13 8336]
S3 w600mdm;Sony Ericsson W600 USB WMC Modem Drivers;c:\windows\system32\drivers\w600mdm.sys [2006-1-13 96672]
S3 w600mgmt;Sony Ericsson W600 USB WMC Device Management Drivers;c:\windows\system32\drivers\w600mgmt.sys [2006-1-13 88080]
S3 w600obex;Sony Ericsson W600 USB WMC OBEX Interface Drivers;c:\windows\system32\drivers\w600obex.sys [2006-1-13 85952]

=============== Created Last 30 ================

2009-10-14 10:51 <DIR> a-dshr-- C:\cmdcons
2009-10-14 10:49 236,544 a------- c:\windows\PEV.exe
2009-10-14 10:49 161,792 a------- c:\windows\SWREG.exe
2009-10-14 10:49 98,816 a------- c:\windows\sed.exe
2009-10-14 10:34 19,643 a------- c:\windows\uwukulupa.db
2009-10-14 10:34 13,032 a------- c:\windows\ihivy.db
2009-10-10 19:48 <DIR> --d----- c:\docume~1\len\applic~1\Malwarebytes
2009-10-10 19:48 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-10 19:48 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-10 19:48 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-10 19:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-10 19:43 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-10-10 19:30 <DIR> --d----- C:\OEMSettings
2009-10-10 19:29 21,035 a------- c:\windows\system32\drivers\AegisP.sys
2009-10-10 19:29 <DIR> --d----- c:\program files\NETGEAR
2009-10-03 20:28 187,376 a------- C:\hufa.exe
2009-10-03 20:28 51,200 a------- C:\ehrrg.exe
2009-10-03 20:28 43,520 a------- C:\vsoq.exe
2009-10-03 20:28 39,936 a------- C:\anlqrvl.exe
2009-10-03 20:28 19,456 a------- C:\erupquii.exe
2009-10-03 20:28 5,632 a------- C:\efbcmkj.exe
2009-10-02 20:30 195,440 -------- c:\windows\system32\MpSigStub.exe

==================== Find3M ====================

2009-10-04 11:52 52,736 a--sh--- c:\windows\system32\tipigola.dll
2009-10-04 11:52 38,912 a--sh--- c:\windows\system32\latuwusa.dll
2009-10-03 20:34 38,912 a--sh--- c:\windows\system32\hebedogu.dll
2009-10-03 20:34 27,648 a--sh--- c:\windows\system32\soyabodu.dll
2009-09-30 07:56 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 04:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 08:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 14:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2007-04-23 14:21 269,824 a------- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-04-23 14:11 224,896 a------- c:\windows\inf\wg111v3\wg111v3.sys
2006-12-15 11:30 315,392 a------- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 11:30 212,992 a------- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 11:30 98,304 a------- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 11:30 66,048 a------- c:\windows\inf\wg111v3\EAPPkt.sys
2006-12-15 11:30 28,672 a------- c:\windows\inf\wg111v3\SetDrv.exe
2006-12-15 11:30 20,480 a------- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 11:30 19,968 a------- c:\windows\inf\wg111v3\RTWREFU.EXE

============= FINISH: 11:19:32.06 ===============

6. How is the computer running?
Better. I'm not getting any errors like I was when selecting a profile to log in to. MBAM is showing as a broken link on the desktop, still. Same for Root Reveal. The initial symptoms have disappeared, and I no longer see anti-virus pro 2010 in the taskbar.

#6 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 16 October 2009 - 06:49 PM

Nice work and thanks for the logs. We have more work to do though. :(

1.
We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

2.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\erupquii.exe
C:\hufa.exe
C:\efbcmkj.exe
c:\windows\uwukulupa.db
c:\windows\ihivy.db
C:\ehrrg.exe
C:\vsoq.exe
C:\anlqrvl.exe
c:\windows\system32\tipigola.dll
c:\windows\system32\latuwusa.dll
c:\windows\system32\hebedogu.dll
c:\windows\system32\soyabodu.dll


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

3.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
4.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Things to include in your next reply:
Combofix.txt
Eset log
Gmer.log

How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


#7 DnDer

  • Topic Starter
  • Members
  • 646 posts

Posted 17 October 2009 - 11:13 PM

ComboFix 09-10-13.04 - Len 10/17/2009 19:32.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.622 [GMT -5:00]
Running from: c:\documents and settings\Len\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Len\Desktop\CFScript.txt
FW: McAfee Personal Firewall Plus *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"C:\anlqrvl.exe"
"C:\efbcmkj.exe"
"C:\ehrrg.exe"
"C:\erupquii.exe"
"C:\hufa.exe"
"C:\vsoq.exe"
"c:\windows\ihivy.db"
"c:\windows\system32\hebedogu.dll"
"c:\windows\system32\latuwusa.dll"
"c:\windows\system32\soyabodu.dll"
"c:\windows\system32\tipigola.dll"
"c:\windows\uwukulupa.db"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\anlqrvl.exe
C:\efbcmkj.exe
C:\ehrrg.exe
C:\erupquii.exe
C:\hufa.exe
C:\vsoq.exe
c:\windows\ihivy.db
c:\windows\system32\hebedogu.dll
c:\windows\system32\latuwusa.dll
c:\windows\system32\soyabodu.dll
c:\windows\system32\tipigola.dll
c:\windows\uwukulupa.db

.
((((((((((((((((((((((((( Files Created from 2009-09-18 to 2009-10-18 )))))))))))))))))))))))))))))))
.

2009-10-18 00:42 . 2009-10-18 00:42 -------- d-----w- c:\documents and settings\Len\Local Settings\Application Data\SupportSoft
2009-10-11 00:48 . 2009-10-11 00:48 -------- d-----w- c:\documents and settings\Len\Application Data\Malwarebytes
2009-10-11 00:48 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-11 00:48 . 2009-10-11 00:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-11 00:48 . 2009-10-11 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-11 00:48 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-11 00:43 . 2009-10-11 00:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-11 00:30 . 2009-10-11 00:30 -------- d-----w- C:\OEMSettings
2009-10-11 00:29 . 2009-10-11 00:29 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-10-11 00:29 . 2009-10-11 00:29 -------- d-----w- c:\program files\NETGEAR
2009-10-03 01:30 . 2009-10-01 15:29 195440 ------w- c:\windows\system32\MpSigStub.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-18 00:19 . 2008-03-19 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
2009-10-11 00:34 . 2008-03-10 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Grisoft
2009-10-11 00:30 . 2005-10-10 04:30 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-07 16:02 . 2006-12-06 14:22 -------- d-----w- c:\program files\Incomplete
2009-10-07 01:59 . 2008-07-10 03:21 0 ----a-w- c:\documents and settings\Cennedy\Local Settings\Application Data\prvlcl.dat
2009-09-30 12:56 . 2008-05-19 21:53 56 --sh--r- c:\windows\system32\1FBD0724DF.sys
2009-09-30 12:56 . 2007-02-04 19:14 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-09-10 15:02 . 2008-03-10 17:18 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-16 03:33 . 2008-03-21 02:05 52064 ----a-w- c:\documents and settings\Lisa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-16 03:29 . 2008-03-20 16:54 52064 ----a-w- c:\documents and settings\Cennedy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-16 03:16 . 2008-03-19 21:14 52064 ----a-w- c:\documents and settings\Carrington\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-15 16:42 . 2006-01-14 02:52 52064 ----a-w- c:\documents and settings\Len\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2004-08-19 20:49 204800 ----a-w- c:\windows\system32\mswebdvd.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-14_16.13.36 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-27 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-30 339968]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-07-10 195072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2007-9-12 1527808]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0stera

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpsvc.exe"=

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [4/23/2007 2:11 PM 224896]
S3 w600bus;Sony Ericsson W600 driver (WDM);c:\windows\system32\drivers\w600bus.sys [1/13/2006 9:41 PM 60928]
S3 w600mdfl;Sony Ericsson W600 USB WMC Modem Filter;c:\windows\system32\drivers\w600mdfl.sys [1/13/2006 9:43 PM 8336]
S3 w600mdm;Sony Ericsson W600 USB WMC Modem Drivers;c:\windows\system32\drivers\w600mdm.sys [1/13/2006 9:43 PM 96672]
S3 w600mgmt;Sony Ericsson W600 USB WMC Device Management Drivers;c:\windows\system32\drivers\w600mgmt.sys [1/13/2006 9:45 PM 88080]
S3 w600obex;Sony Ericsson W600 USB WMC OBEX Interface Drivers;c:\windows\system32\drivers\w600obex.sys [1/13/2006 9:45 PM 85952]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-10-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2009-10-18 c:\windows\Tasks\User_Feed_Synchronization-{B0ED56F3-D500-40C7-89C2-CEBC39A129F9}.job
- c:\windows\system32\msfeedssync.exe [2006-11-10 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-17 19:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\Len\LOCALS~1\Temp\logup.xml 326 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1576)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-10-18 19:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-18 00:46
ComboFix2.txt 2009-10-14 16:16

Pre-Run: 131,193,536,512 bytes free
Post-Run: 131,128,311,808 bytes free

175 --- E O F --- 2009-10-18 00:23




C:\Qoobox\Quarantine\[4]-Submit_2009-10-17_19.32.04.zip multiple threats deleted - quarantined
C:\Qoobox\Quarantine\C\anlqrvl.exe.vir a variant of Win32/Kryptik.AMD trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Len\Application Data\lizkavd.exe.vir a variant of Win32/Kryptik.APO trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Len\Application Data\seres.exe.vir a variant of Win32/Kryptik.ASB trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Len\Application Data\svcst.exe.vir a variant of Win32/Kryptik.ASB trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Len\Application Data\5067167582\5067167582.exe.vir a variant of Win32/Kryptik.ARV trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe.vir a variant of Win32/Kryptik.APO trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\ehkmp.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\ehkmp.ini2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\hhhkj.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\hhhkj.ini2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\jvdbcigs.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\nnnmp.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\nnnmp.ini2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\ttvwa.bak1.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\ttvwa.bak2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\ttvwa.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\vvvwa.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\vvvwa.ini2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\zotokohu.exe.vir a variant of Win32/Kryptik.ARV trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1\A0000110.exe a variant of Win32/Kryptik.ARV trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1\A0000112.exe a variant of Win32/Kryptik.APO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1\A0000114.exe a variant of Win32/Kryptik.ASB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1\A0000115.exe a variant of Win32/Kryptik.ASB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1\A0000127.exe a variant of Win32/Kryptik.APO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1\A0000138.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1\A0000139.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1\A0000140.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1\A0000142.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1\A0000143.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1\A0000144.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1\A0000149.exe a variant of Win32/Kryptik.ARV trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP2\A0000275.exe a variant of Win32/Kryptik.AMD trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP2\A0000276.exe a variant of Win32/Kryptik.APO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP2\A0000277.exe a variant of Win32/Kryptik.ARR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP2\A0000278.exe Win32/TrojanDownloader.Small.NTQ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP2\A0000280.exe Win32/TrojanDownloader.FakeAlert.AED trojan cleaned by deleting - quarantined



GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-17 23:08:15
Windows 5.1.2600 Service Pack 3
Running: hqi6driv.exe; Driver: C:\DOCUME~1\Len\LOCALS~1\Temp\fxtdapog.sys


---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----



I'll let you know how the system's
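Triage of the ESET log above, as an added example in Python that is not part of the original post: it parses each `<path> <detection> <type> <action> - <status>` line, groups hits by malware family, and separates hits that were already sitting in ComboFix's own quarantine (C:\Qoobox) or inside System Restore points (C:\System Volume Information\_restore...) from hits still on the live file system. The six sample lines are copied from the posted log; the regular expressions and field names are an assumption about the log format drawn from those lines, not an official ESET schema.

```python
"""Added example (not from the original post): triage an ESET scan log.

Each detection line has the shape
    <path> <detection name> <type> <action> - <status>
Paths contain spaces, so the detection name (which always contains a '/')
is used as the anchor. The regexes below are an assumption about the log
format drawn from the posted lines, not an official ESET schema.
"""
import re
from collections import Counter

# Six lines copied verbatim from the ESET log posted above.
SAMPLE_LOG = r"""
C:\Qoobox\Quarantine\[4]-Submit_2009-10-17_19.32.04.zip multiple threats deleted - quarantined
C:\Qoobox\Quarantine\C\anlqrvl.exe.vir a variant of Win32/Kryptik.AMD trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Len\Application Data\lizkavd.exe.vir a variant of Win32/Kryptik.APO trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\ehkmp.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1\A0000110.exe a variant of Win32/Kryptik.ARV trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP2\A0000280.exe Win32/TrojanDownloader.FakeAlert.AED trojan cleaned by deleting - quarantined
"""

DETECTION_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<detection>(?:a variant of )?[A-Za-z0-9]+/\S+) "
    r"(?P<kind>trojan|application|worm|virus) "
    r"(?P<action>.+?) - (?P<status>\w+)$"
)
MULTI_RE = re.compile(r"^(?P<path>.+?) multiple threats deleted - (?P<status>\w+)$")
# Restore-point paths: \System Volume Information\_restore{GUID}\RPn\...
RESTORE_RE = re.compile(
    r"\\system volume information\\_restore\{[^}]+\}\\(?P<rp>RP\d+)\\", re.IGNORECASE
)
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"   # ComboFix's quarantine folder


def family_of(detection):
    """'a variant of Win32/Kryptik.AMD' -> 'Win32/Kryptik' (variant suffix dropped)."""
    prefix = "a variant of "
    name = detection[len(prefix):] if detection.startswith(prefix) else detection
    stem, dot, _suffix = name.rpartition(".")
    return stem if dot else name


def parse_line(line):
    """Return a dict for one log line, or None for blank lines."""
    line = line.strip()
    if not line:
        return None
    m = DETECTION_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["family"] = family_of(rec["detection"])
    else:
        m = MULTI_RE.match(line)
        if m is None:
            # Keep unknown shapes visible instead of silently dropping them.
            rec = {"path": line, "detection": None, "kind": None,
                   "action": None, "status": None, "family": "(unparsed)"}
        else:
            rec = m.groupdict()
            rec.update(detection=None, kind=None,
                       action="multiple threats deleted", family="(archive)")
    rp = RESTORE_RE.search(rec["path"])
    rec["restore_point"] = rp.group("rp") if rp else None
    rec["in_quarantine"] = rec["path"].lower().startswith(QUARANTINE_PREFIX)
    return rec


def parse_eset_log(text):
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def summarize(records):
    """Split hits into: already quarantined by ComboFix, inside restore points,
    or still on the live file system (the only ones that need further action)."""
    by_family = Counter(r["family"] for r in records)
    restore_points = sorted({r["restore_point"] for r in records if r["restore_point"]})
    live = [r["path"] for r in records if not r["restore_point"] and not r["in_quarantine"]]
    return {
        "by_family": by_family,
        "restore_points": restore_points,
        "live_hits": live,
        "flush_restore_points": bool(restore_points),
    }


if __name__ == "__main__":
    s = summarize(parse_eset_log(SAMPLE_LOG))
    for fam, n in s["by_family"].most_common():
        print(f"{n:3d}  {fam}")
    print("restore points holding malware:", s["restore_points"])
    print("live-system hits needing action:", s["live_hits"] or "none")
```

On the posted log every hit falls into one of the two "already contained" buckets, which is the useful reading: nothing remains on the live system, and the only open item is that restore points RP1 and RP2 still carry the samples until they are flushed.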

#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:14 AM

Posted 18 October 2009 - 01:42 PM

Hello DnDer,

Very good job with those tools and logs, thanks!

1.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

2.
Congratulations! You now appear clean!

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

Uninstall ComboFix
  • Remove Combofix now that we're done with it.

  • Click on your Start Menu, then Run....
  • Now type combofix /Uninstall in the runbox and click OK. Notice the space between the "x" and "/".
  • You will then receive a message letting you know that Combofix was uninstalled successfully.
This will remove files/folders associated with combofix and uninstall it.


We Need to Clean Up Our Mess
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then click the big CleanUp! button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
Reset System Restore
Windows' "System Restore" feature can cause malware files to be cached and retained by your system. Resetting System Restore will clean these files from your system, and will allow you to use System Restore without fear of reinfection.

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Note: You should only do this once, not on a regular basis!
You will not be able to restore computer to any earlier than today!

Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install and maintain an outbound firewall
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use; the paid versions add a resident component and do not nag.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software Inspector occasionally to help you check for out-of-date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :).
Glad I was able to help, and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!
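The hosts-file recommendation above is worth pairing with a check for the opposite case: a common companion technique of rogue-antivirus infections like the one cleaned in this thread is to plant hosts entries that point security-vendor and update domains at loopback (silently breaking updates) or at an attacker-controlled address. The following is an added example in Python, not part of the original post or of the MVPS project: it parses a hosts file, counts ordinary block entries (names sunk to 0.0.0.0 or 127.0.0.1, which is what the MVPS file does), and flags any entry for a protected update or vendor domain, since such a domain should never appear in a hosts file at all. The protected-domain list and the sample file are constructed for the example.

```python
"""Added example (not from the original post): audit a Windows hosts file.

MVPS-style block lists map unwanted names to 0.0.0.0 (or 127.0.0.1) so the
browser never reaches them. Malware abuses the same file the other way round,
mapping antivirus and update domains to loopback (silently breaking updates)
or to an attacker address. Any entry for a protected domain is therefore a
finding, whatever the target address.
"""
import ipaddress

SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}

# Assumption for the example: domains that must never be overridden locally.
PROTECTED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "avira.com", "malwarebytes.org",
    "superantispyware.com", "eset.com", "bleepingcomputer.com",
)

# Constructed sample, mixing legitimate MVPS-style entries with hijacks.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1   localhost
0.0.0.0     ad.doubleclick.net          # MVPS-style block entry
0.0.0.0     www.avira.com               # hijack: silently blocks AV updates
203.0.113.7 update.microsoft.com windowsupdate.microsoft.com  # hijack: redirect
192.168.1.10 fileserver.lan             # local override, worth a look
"""


def parse_hosts(text):
    """Yield (ip, name) pairs; comments, blanks and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.lower()


def is_protected(name):
    """True for a protected domain or any of its subdomains."""
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Classify every entry: blocked (expected), hijacked (finding), override (review)."""
    report = {"blocked": 0, "hijacked": [], "overrides": []}
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue                      # the one entry every hosts file has
        if is_protected(name):
            report["hijacked"].append((name, ip))
        elif ip in SINKHOLES:
            report["blocked"] += 1
        else:
            report["overrides"].append((name, ip))
    return report


if __name__ == "__main__":
    r = audit_hosts(SAMPLE_HOSTS)
    print(f"{r['blocked']} block-list entries")
    for name, ip in r["hijacked"]:
        print(f"HIJACK  {name} -> {ip}")
    for name, ip in r["overrides"]:
        print(f"REVIEW  {name} -> {ip}")
```

Entries for protected domains are reported regardless of the address they point at: a vendor domain sunk to 0.0.0.0 is just as much a sign of tampering as one redirected elsewhere, because either way the machine can no longer fetch updates from it.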


#9 DnDer (Topic Starter)

Posted 18 October 2009 - 08:32 PM

I put Avira and Comodo on my computer at home. It works well for me, but the people I'm returning the computer to aren't as literate as I am... Is there a "Simpler" firewall that's just as effective? (I've personally never felt safe or effective when using just the Windows firewall.)

#10 fireman4it (Malware Response Team)

Posted 18 October 2009 - 09:58 PM

Hello DnDer,

I put Avira and Comodo on my computer at home. It works well for me, but the people I'm returning the computer to aren't as literate as I am... Is there a "Simpler" firewall that's just as effective? (I've personally never felt safe or effective when using just the Windows firewall.)


Yes, there are some free firewalls that are effective.
For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Does this answer your question? Any other questions or concerns?

Edited by fireman4it, 18 October 2009 - 09:58 PM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#11 DnDer (Topic Starter)

Posted 18 October 2009 - 10:39 PM

"combofix /Uninstall" caused CF to run, not uninstall...


EDIT: Never mind. It disappeared after running OTC and rebooting.

EDIT 2: Root Repeal won't delete from the desktop, though... Do it through safe mode instead?

EDIT 3: Attempted to delete it in safe mode... No dice. It's one of those "write-protected or in use" errors.

Edited by DnDer, 18 October 2009 - 11:24 PM.


#12 fireman4it (Malware Response Team)

Posted 19 October 2009 - 10:14 PM

Hello DnDer,

Restore Permissions for RootRepeal

Please download Inherit by sUBs to your Desktop
  • Drag and drop RootRepeal onto Inherit
  • This shall restore permissions to the application
  • You should now be able to delete RootRepeal
Please indicate in your next post if this was successful.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#13 fireman4it (Malware Response Team)

Posted 21 October 2009 - 06:53 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding.

With Regards,
fireman4it

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#14 DnDer (Topic Starter)

Posted 22 October 2009 - 08:31 AM

I thought I had replied. Guess it didn't take.

Yes, the fix worked. Thanks!

#15 kahdah (Security Colleague)

Posted 23 October 2009 - 07:00 AM

Since this issue appears to be resolved, this Topic has been closed. Glad we could help.

If you're the topic starter and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.



