Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


win32k.sys infection

  • This topic is locked This topic is locked
28 replies to this topic

#1 jimworzala


  • Members
  • 94 posts
  • Local time:12:43 PM

Posted 25 October 2009 - 01:55 PM

This is referred by Rigel from the post Active Security infection.

Am currently using Windows XP and CA antivirus, antispyware and firewall.

Here is a summary of what I have done so far:

Was infected with rogue antispyware program called active security. Tried to stop and uninstall the program immediately Ran virus and spyware scans and was told that it was Alureon vw trojan. Quarantined virus, but it kept returning. Removed registry key for active security(with assistance from a knowledgable person). Downloaded and ran Malwarebytes and told it to remove the infected files (87) and registry key (1). Reran Malwarebytes and still had 80 infected files. Posted to Am I Infected Forum and was bing helped by Rigel. Posted Malwarebytes log. Reran malware bytes, no change. Ran ATF Cleaner and Super Antispyware with no threats detected. Ran RootRepeal and posted log. Ran Dr.Web CureIt with following log info - gtdownde_110.ocx;C:\WINDOWS\system32;Probably DLOADER.Trojan;Incurable.Moved.;. Ran GMER which stopped at Blue screen with message:


STOP:0X0000007A (0XE1B54004,0XC000009A,OXBF911783,0X03196860)


At this point, Rigel said we found the culprit, and told me to follow preparation instructions for HJT and to post here.

Also possibly of interest is the fact that my girlfriends computer, which was connected to mine through our home network, was also infected sometime during this process. Also whatever or whoever is infecting my machine seems to actually have pretty good control of the system, as they actually remotely restarted my machine. I disconnected it from everything, and since both of the computers in the house are infected, I am having to go to my parents house to post to the site. Also, the infection seems to have disabled my CD and DVD drives, so I am using a Flash drive to transfer logs and other information from site to site. I have run Flash disinfector on my parents computer with the flash drive installed. I hope that keeps the infection from spreading to them. Any other advice on how I can keep their computer clean would be appreciated.

I have run DDS.scr and Rootrepeal again per Rigel and the instruction post, and the logs are below and attached. When running RootRepeal, I got an error message that said could not open or create settings file, press OK to continue. I don't know if this resulted from trying to copy the downloaded files from my parents computer to the flash drive, but I suspect that may be the case. I pressed OK, and it seemed to run the same way it ran when I ran it for Rigel. At finish of run I also got an error message that said:

16:23:49: DeviceIoControl Error! Error Code = 0xc0000001
16:23:49: Could not read system registry! Please contact the author!

I also got this error when running RootRepeal for Rigel, and he said that he contacted the author.

Thanks in advance for your assistance, this may be a long process as there are 2 computers to disinfect.

The other logs were sent as attachments, with Attach.txt zipped. Here is the DDS.scr DDS.txt log:

DDS (Ver_09-10-24.01) - NTFSx86
Run by Jim at 15:39:51.42 on Sat 10/24/2009
Internet Explorer: 8.0.6001.18702

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bleepingcomputer.com/forums/index.php?act=Login&CODE=00
uSearch Page = hxxp://www.google.com
uWindow Title = Windows Internet Explorer provided by Road Runner High Speed Online
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Sonic RecordNow!]
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [Eraser] c:\program files\eraser\Eraser.exe -hide
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [Dell AIO Printer A940] "c:\program files\dell aio printer a940\dlbabmgr.exe"
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [StorageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [CAVRID] "c:\program files\ca\etrust ez armor\etrust ez antivirus\CAVRID.exe"
mRun: [cctray] "c:\program files\ca\ca internet security suite\casc.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [medicsp2] c:\program files\twc\medicsp2\bin\sprtcmd.exe /P medicsp2
mRun: [Itiva Media Accelerator] c:\program files\itiva\itiva media accelerator\ItivaMediaAccelerator.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [StrgSync.exe] c:\program files\storagesync\StrgSync.exe -w
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [CAPPActiveProtection] "c:\program files\ca\etrust ez armor\etrust pestpatrol\CAPPActiveProtection.exe"
mRun: [QOELOADER] "c:\program files\ca\etrust ez armor\etrust anti-spam\qsp-\QOELoader.exe"
mRun: [capfasem] c:\program files\ca\ca internet security suite\ca personal firewall\capfasem.exe
mRun: [capfupgrade] c:\program files\ca\ca internet security suite\ca personal firewall\capfupgrade.exe
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mPolicies-explorer: <NO NAME> =
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: intuit.com
Trusted Zone: turbotax.com
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} - hxxp://photo.walgreens.com/WalgreensOutlookImport.cab
DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} - hxxp://www.digitalwebbooks.com/reader/dbplugin.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1175364445218
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175364437421
DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5685/mcfscan.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: PFW - UmxWnp.Dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2009-10-21 11:48:45 0 d-----w- c:\documents and settings\jim\DoctorWeb
2009-10-18 23:13:11 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-10-18 23:12:28 0 d-----w- c:\program files\SUPERAntiSpyware
2009-10-18 23:12:27 0 d-----w- c:\docume~1\jim\applic~1\SUPERAntiSpyware.com
2009-10-18 23:11:34 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-10-18 22:15:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-18 22:15:44 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-18 22:15:44 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-15 14:36:51 0 d-----w- c:\docume~1\jim\applic~1\Malwarebytes
2009-10-15 14:36:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-12 16:42:36 0 d-----w- c:\windows\G5IF856789A30123
2009-10-08 22:34:55 28 ----a-w- c:\windows\system32\drivers\kmxzone.u2k7
2009-10-08 22:34:55 28 ----a-w- c:\windows\system32\drivers\kmxzone.u2k6
2009-10-08 22:34:55 28 ----a-w- c:\windows\system32\drivers\kmxzone.u2k5
2009-10-08 22:34:55 28 ----a-w- c:\windows\system32\drivers\kmxzone.u2k4
2009-10-08 22:34:55 28 ----a-w- c:\windows\system32\drivers\kmxzone.u2k3
2009-10-08 22:34:55 28 ----a-w- c:\windows\system32\drivers\kmxzone.u2k2
2009-10-08 22:34:55 28 ----a-w- c:\windows\system32\drivers\kmxzone.u2k1
2009-10-08 22:34:55 138 ----a-w- c:\windows\system32\drivers\kmxzone.u2k0
2009-10-08 22:14:35 0 d-----w- c:\windows\4XMJGT6BS5AN05Q3
2009-10-08 22:06:52 810572 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k0
2009-10-08 22:06:52 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k7
2009-10-08 22:06:52 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k6
2009-10-08 22:06:52 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k5
2009-10-08 22:06:52 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k4
2009-10-08 22:06:52 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k3
2009-10-08 22:06:52 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k2
2009-10-08 22:06:52 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k1
2009-10-08 21:48:58 0 d-----w- c:\program files\ISSThirdParty
2009-10-08 21:46:58 0 d-----w- c:\program files\common files\Scanner
2009-10-08 21:39:13 26352 ----a-w- c:\windows\system32\drivers\vet-filt.sys
2009-10-08 21:39:13 21488 ----a-w- c:\windows\system32\drivers\vetfddnt.sys
2009-10-08 21:39:13 21104 ----a-w- c:\windows\system32\drivers\vet-rec.sys
2009-10-08 21:39:13 161008 ----a-w- c:\windows\system32\drivers\vetmonnt.sys
2009-10-08 21:39:13 111856 ----a-w- c:\windows\system32\isafprod.dll
2009-10-08 21:39:12 739752 ----a-w- c:\windows\system32\drivers\vetefile.sys
2009-10-08 21:39:12 133576 ----a-w- c:\windows\system32\drivers\veteboot.sys
2009-10-08 21:38:34 6552 ----a-w- c:\windows\system32\wbem\canvprov.mof
2009-10-08 21:38:34 111856 ----a-w- c:\windows\system32\wbem\canvprov.dll

==================== Find3M ====================

2009-09-23 01:45:12 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-09-23 01:45:11 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:52:22 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 15:13:08 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20:09 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2007-04-02 14:19:16 774144 ----a-w- c:\program files\RngInterstitial.dll
2002-09-11 14:26:52 63730 ----a-w- c:\program files\viewsonicinstruct_xp.pdf

============= FINISH: 15:41:44.29 ===============

Attached Files

BC AdBot (Login to Remove)


#2 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:43 PM

Posted 25 October 2009 - 02:16 PM

Hello jimworzala,

My name is Syler and I will be helping you to solve your Malware issues.

Download and run Win32kDiag:
  • Download Win32kDiag from any of the following locations and save it to your Desktop.
  • Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  • Once it has finished, press any key to close the program.
  • It will create the file Win32kDiag.txt on your Desktop Copy and paste the contents in your next reply.


#3 jimworzala

  • Topic Starter

  • Members
  • 94 posts
  • Local time:12:43 PM

Posted 26 October 2009 - 10:04 AM

Ran Win32kDiag.exe. As you will see from the log file, the program gave a warning: could not get backup privileges. Does this mean I did something wrong or is that just because I ran it directly from the flash drive. Also please note that I have to drive across town to my parents' house to post, so anything you can do to save steps will be appreciated.

Here is the entire contents of the log:

Running from: F:\Win32kDiag.exe

Log file at : C:\Documents and Settings\Jim\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...


#4 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:43 PM

Posted 26 October 2009 - 10:43 AM

Win32kDiag.exe ran fine, but you need to make sure you follow my instruction exactly, So make sure save files where the instructions say, it
is important and can make a difference.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

If you need help, see this link:

Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Please post back here with the following logs:
  • Combofix.txt
  • MBAM log


#5 jimworzala

  • Topic Starter

  • Members
  • 94 posts
  • Local time:12:43 PM

Posted 26 October 2009 - 11:02 AM

I have my computer disconnected from the internet, and am transferring files via flash drive from another computer at a different location. Sorry if I am unsure of what to do but, do I just download to the flash drive and then copy from the flash drive to desktop of my computer before running?

#6 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:43 PM

Posted 26 October 2009 - 11:08 AM

Yes, once you have downloaded it to your flash drive you can just copy it across to your desktop.


#7 jimworzala

  • Topic Starter

  • Members
  • 94 posts
  • Local time:12:43 PM

Posted 26 October 2009 - 01:13 PM

I am trying to follow your instructions exactly. They said to disable the antivirus and antispyware, but it didn't say anything about the firewall. When I tried to run Comeofix the firewall kept popping up messages saying quote program is attempting to spawn another program, do you want to allow this? I assumed that this was Comeofix attempting to run and clicked allow. After several similar messages the program appeared to stop running. Should I turn the firewall off and try again.

#8 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:43 PM

Posted 26 October 2009 - 01:22 PM

Yes turn off the firewall temporarily as well :(


#9 jimworzala

  • Topic Starter

  • Members
  • 94 posts
  • Local time:12:43 PM

Posted 26 October 2009 - 05:16 PM

I turned off the firewall and tried to run Combofix again, the firewall messages continued to pop up, I suspect that the infection was actually keeping me from changing security settings. I clicked on allow on all messages, and after several, Combofix finally went into its routine. It asked me to connect to the Internet to install Microsoft Recovery Console. I did connect the internet cable, but the program did not find the connection. It gave me a message saying that it would continue with scan anyway. When the scan finished, I saved the file, and then proceeded to run Malwarebytes. When it was finished, I clicked remove all, and it removed and then restarted computer. When the computer restarted, I got a bunch of popups from the firewall again, saying that Malwarebytes was denied access to certain files. I went back into the firewall program and turned it off again, since I noticed in the Combofix info that win32k.sys was removed. Then I reran Malwarebytes. This time it went through the quick scan again, and showed no malicious programs! I hope that means that this computer is better. In any case here are the Combofix and Malwarebytes logs(including both runs of Malwarebytes):

Note that the Microsoft Recovery Console did not get installed.

Combofix Log:

ComboFix 09-10-25.02 - Jim 10/26/2009 13:52.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.148 [GMT -5:00]
Running from: c:\documents and settings\Jim\Desktop\ComboFix.exe
AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
FW: CA Personal Firewall *disabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


((((((((((((((((((((((((( Files Created from 2009-09-26 to 2009-10-26 )))))))))))))))))))))))))))))))

2009-10-21 11:48 . 2009-10-21 12:11 -------- d-----w- c:\documents and settings\Jim\DoctorWeb
2009-10-18 23:13 . 2009-10-18 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-18 23:12 . 2009-10-18 23:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-18 23:12 . 2009-10-18 23:12 -------- d-----w- c:\documents and settings\Jim\Application Data\SUPERAntiSpyware.com
2009-10-18 23:11 . 2009-10-18 23:11 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-18 22:15 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-18 22:15 . 2009-10-18 22:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-18 22:15 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-16 19:03 . 2009-10-16 19:03 -------- d-----w- c:\documents and settings\Administrator.JIMSCOMPUTER\Local Settings\Application Data\Apple Computer
2009-10-16 18:56 . 2009-10-16 18:56 66360 ----a-w- c:\documents and settings\Administrator.JIMSCOMPUTER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-15 14:36 . 2009-10-15 14:36 -------- d-----w- c:\documents and settings\Jim\Application Data\Malwarebytes
2009-10-15 14:36 . 2009-10-15 14:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-14 10:51 . 2009-10-14 10:53 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2009-10-13 19:56 . 2009-10-13 19:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-12 16:42 . 2009-10-12 16:42 -------- d-----w- c:\windows\G5IF856789A30123
2009-10-12 03:45 . 2009-10-12 03:45 -------- d-sh--w- c:\documents and settings\Administrator.JIMSCOMPUTER\IETldCache
2009-10-08 22:14 . 2009-10-08 22:14 -------- d-----w- c:\windows\4XMJGT6BS5AN05Q3
2009-10-08 21:48 . 2009-10-08 21:49 -------- d-----w- c:\program files\ISSThirdParty
2009-10-08 21:46 . 2009-10-08 21:47 -------- d-----w- c:\program files\Common Files\Scanner
2009-10-08 21:39 . 2009-10-19 14:45 26352 ----a-w- c:\windows\system32\drivers\vet-filt.sys
2009-10-08 21:39 . 2009-10-19 14:45 21488 ----a-w- c:\windows\system32\drivers\vetfddnt.sys
2009-10-08 21:39 . 2009-10-19 14:45 21104 ----a-w- c:\windows\system32\drivers\vet-rec.sys
2009-10-08 21:39 . 2009-10-19 14:45 161008 ----a-w- c:\windows\system32\drivers\vetmonnt.sys
2009-10-08 21:39 . 2009-07-16 23:11 111856 ----a-w- c:\windows\system32\isafprod.dll
2009-10-08 21:39 . 2009-10-15 07:01 739752 ----a-w- c:\windows\system32\drivers\vetefile.sys
2009-10-08 21:39 . 2009-10-15 07:01 133576 ----a-w- c:\windows\system32\drivers\veteboot.sys
2009-10-08 21:38 . 2009-07-30 14:37 111856 ----a-w- c:\windows\system32\wbem\canvprov.dll

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2009-10-26 12:37 . 2008-08-05 14:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-15 22:16 . 2008-06-16 10:52 -------- d-----w- c:\program files\Exterminate It!
2009-10-12 16:32 . 2007-03-31 17:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-08 21:46 . 2007-03-31 18:26 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2009-09-23 01:46 . 2007-03-31 21:30 -------- d-----w- c:\program files\Common Files\Real
2009-09-23 01:45 . 2007-03-06 02:04 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-09-23 01:45 . 2007-03-06 02:04 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-09-18 05:15 . 2008-03-13 13:45 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-11 14:18 . 2003-07-16 20:36 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2003-07-16 20:35 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2006-06-23 17:33 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2003-07-16 20:46 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01 . 2003-07-16 20:37 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:52 . 2009-08-05 00:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 15:13 . 2003-07-16 20:39 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2002-08-29 01:04 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2007-04-02 14:19 . 2007-04-02 14:19 774144 ----a-w- c:\program files\RngInterstitial.dll
2002-09-11 14:26 . 2007-04-03 15:05 63730 ----a-w- c:\program files\viewsonicinstruct_xp.pdf

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-04-03 00:50 809864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-04-03 809864]


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-04-03 809864]


"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-04 68856]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-17 86102]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2003-06-24 245760]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"CAVRID"="c:\program files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2009-07-16 271600]
"cctray"="c:\program files\CA\CA Internet Security Suite\casc.exe" [2009-08-05 374000]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-10 16384]
"medicsp2"="c:\program files\twc\medicsp2\bin\sprtcmd.exe" [2007-03-07 198184]
"Itiva Media Accelerator"="c:\program files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe" [2008-06-04 4994288]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"StrgSync.exe"="c:\program files\StorageSync\StrgSync.exe" [2005-10-08 3032576]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-23 198160]
"CAPPActiveProtection"="c:\program files\CA\eTrust EZ Armor\eTrust PestPatrol\CAPPActiveProtection.exe" [2009-06-23 333040]
"QOELOADER"="c:\program files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-\QOELoader.exe" [2009-10-08 14064]
"capfasem"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2009-07-16 636144]
"capfupgrade"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2009-07-16 337136]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2009-03-27 21:27 79368 ----a-w- c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]

"EnableFirewall"= 0 (0x0)

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Itiva\\Itiva Media Accelerator\\ItivaMediaAccelerator.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [6/8/2009 11:02 AM 108024]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [4/1/2009 10:45 AM 73720]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [4/28/2009 10:52 AM 55288]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [6/8/2009 11:02 AM 115704]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 9:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 74480]
R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [10/8/2009 4:38 PM 128240]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [5/20/2009 12:59 PM 55152]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [12/9/2008 1:37 PM 13088]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [6/8/2009 11:02 AM 145912]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [3/27/2009 4:27 PM 58872]
R2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);c:\program files\twc\medicsp2\bin\sprtsvc.exe [12/6/2007 12:33 PM 202280]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [4/1/2009 10:45 AM 875000]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [6/15/2009 11:32 AM 760664]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [4/1/2009 10:45 AM 207352]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [4/1/2009 10:45 AM 205304]
R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\eTrust EZ Armor\eTrust PestPatrol\PPCtlPriv.exe [10/8/2009 4:47 PM 222448]
S2 gupdate1c95c4e21185bbe;Google Update Service (gupdate1c95c4e21185bbe);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2008 6:38 AM 133104]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 9:24 PM 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
Contents of the 'Scheduled Tasks' folder

2009-10-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-10-26 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-04-02 04:05]

2009-10-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 18:36]

2009-10-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 18:36]

2009-10-26 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-04-03 00:50]

2009-10-26 c:\windows\Tasks\User_Feed_Synchronization-{3DF3C630-8BBF-41AD-91BB-B21CBECBF5A0}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
------- Supplementary Scan -------
uStart Page = hxxp://www.bleepingcomputer.com/forums/index.php?act=Login&CODE=00
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: intuit.com
Trusted Zone: turbotax.com
DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} - hxxp://www.digitalwebbooks.com/reader/dbplugin.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Sonic RecordNow! - (no file)


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-26 14:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


scan completed successfully
hidden files: 1

--------------------- LOCKED REGISTRY KEYS ---------------------

@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1688)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'explorer.exe'(2196)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
Completion time: 2009-10-26 14:19
ComboFix-quarantined-files.txt 2009-10-26 19:18

Pre-Run: 89,401,847,808 bytes free
Post-Run: 89,679,802,368 bytes free

- - End Of File - - BF9C7545FDAD5E5ADB13CF8D4A57A0B8

Malwarebytes 1st run log:

Malwarebytes' Anti-Malware 1.41
Database version: 2998
Windows 5.1.2600 Service Pack 3

10/26/2009 2:37:28 PM
mbam-log-2009-10-26 (14-37-28).txt

Scan type: Quick Scan
Objects scanned: 110161
Time elapsed: 7 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 80

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\Config\6to4nt.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\Config\firewall.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\Config\htco.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\Config\msch24.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\Config\mswinsck.ocx (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\Config\RealtekAC.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\Config\sam10.log (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\Config\sysrun.exe (Password.Stealer) -> Delete on reboot.
C:\WINDOWS\system32\Config\Systemprofile\application data\mcrupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\Config\Systemprofile\application data\pcant.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\Config\Systemprofile\application data\pkz.ini (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\Config\Systemprofile\application data\printer.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\Config\Systemprofile\cftmon.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\Config\Systemprofile\ftpdll.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\Config\Systemprofile\Start Menu\Programs\Startup\ChkDisk.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\Config\Systemprofile\Start Menu\Programs\Startup\kufwin32.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\Config\updater.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\Config\Win.exe (IM.Worm) -> Delete on reboot.
C:\WINDOWS\repair\1sass.exe (Backdoor.Agent) -> Delete on reboot.
C:\WINDOWS\repair\kasutio (Rootkit.Rustock) -> Delete on reboot.
C:\WINDOWS\repair\loprt.cmd (Worm.AutoRun) -> Delete on reboot.
C:\WINDOWS\repair\Mirror.exe (Worm.AutoRun) -> Delete on reboot.
C:\WINDOWS\repair\sql.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\repair\whw.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\Config\csrss.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\SystemProfile\csrss.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\SystemProfile\Application Data\csrss.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\Systemprofile\Start Menu\Programs\Startup\csrss.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\ctfmon.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\SystemProfile\ctfmon.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\SystemProfile\Application Data\ctfmon.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\Systemprofile\Start Menu\Programs\Startup\ctfmon.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\dllhost.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\SystemProfile\dllhost.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\SystemProfile\Application Data\dllhost.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\Systemprofile\Start Menu\Programs\Startup\dllhost.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\Explorer.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\SystemProfile\Explorer.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\SystemProfile\Application Data\Explorer.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\Systemprofile\Start Menu\Programs\Startup\Explorer.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\lsass.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\SystemProfile\lsass.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\SystemProfile\Application Data\lsass.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\Systemprofile\Start Menu\Programs\Startup\lsass.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\msiexec.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\SystemProfile\msiexec.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\SystemProfile\Application Data\msiexec.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\Systemprofile\Start Menu\Programs\Startup\msiexec.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\SystemProfile\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\SystemProfile\Application Data\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\Systemprofile\Start Menu\Programs\Startup\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\Services.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\SystemProfile\Services.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\SystemProfile\Application Data\Services.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\Systemprofile\Start Menu\Programs\Startup\Services.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\smss.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\SystemProfile\smss.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\SystemProfile\Application Data\smss.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\Systemprofile\Start Menu\Programs\Startup\smss.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\spoolsv.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\SystemProfile\spoolsv.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\SystemProfile\Application Data\spoolsv.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\Systemprofile\Start Menu\Programs\Startup\spoolsv.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\svchost*.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\SystemProfile\svchost*.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\SystemProfile\Application Data\svchost*.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\Systemprofile\Start Menu\Programs\Startup\svchost*.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\SystemProfile\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\SystemProfile\Application Data\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\Systemprofile\Start Menu\Programs\Startup\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\Userinit.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\SystemProfile\Userinit.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\SystemProfile\Application Data\Userinit.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\Systemprofile\Start Menu\Programs\Startup\Userinit.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\Winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\SystemProfile\Winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\SystemProfile\Application Data\Winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\WINDOWS\system32\Config\Systemprofile\Start Menu\Programs\Startup\Winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.

Malwarebytes 2nd run log:

Malwarebytes' Anti-Malware 1.41
Database version: 2998
Windows 5.1.2600 Service Pack 3

10/26/2009 3:03:28 PM
mbam-log-2009-10-26 (15-03-28).txt

Scan type: Quick Scan
Objects scanned: 110182
Time elapsed: 6 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:43 PM

Posted 26 October 2009 - 06:02 PM

Can you tell me in your next reply if you are still having any problems.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the on screen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<info.txt (<

Please post back here with the following logs:
  • Kaspersky report
  • log.txt
  • info.txt


#11 jimworzala

  • Topic Starter

  • Members
  • 94 posts
  • Local time:12:43 PM

Posted 27 October 2009 - 11:37 AM

I have not been running anything unless instructed, so as not to spread the infection. I also had not been connected to the internet because the last time I was, the computer started running itself. It restarted itself just as I was walking back into the room from a restroom break. When it came back on, the 1st thing that happened was an alert from my firewall that a new network (IP address was found and did I want to put it in home zone or public zone. Since nothing new was connected to my computer in the time that I was in the bathroom, I didn't want to do either. I immediately started the firewall program and told it to block that address, and wrote the address down. Then I checked the firewall events log, and found at least 10 instances in a row of this address trying to gain access, and saying something about attempting to spawn malicious code. I immediately shut the computer down and disconnected it from both the internet and the power strip. Based on this , I am assuming that the malware in question had gained enough control of my computer to control it over the internet. If you think it is safe, I will reconnect. It would be easier for me, as I am now going halfway across town to my parents house to post. I am also wondering if I should reinstall my security software packages, as the infection seemed to be able to somewhat control them. I had CA Internet Security Suite installed.

#12 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:43 PM

Posted 27 October 2009 - 11:49 AM

You should be fine to reconnect to the internet, I am not seeing anything to worry about in your logs, it look like MBAM clean most of it.

I don't see any need for you to reinstall CA Internet Security Suite unless you are having any problems with it, it appears to be working fine to me.


#13 jimworzala

  • Topic Starter

  • Members
  • 94 posts
  • Local time:12:43 PM

Posted 27 October 2009 - 12:00 PM

My only concern is that when I was in the firewall program to check the firewall reports, I noticed that there were an awful lot of programs that were given permission to run, including seven or eight different instances of internet explorer. I thought maybe starting fresh might nip any problems in the bud.

#14 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:43 PM

Posted 27 October 2009 - 12:03 PM

If you want to do that go ahead.


#15 jimworzala

  • Topic Starter

  • Members
  • 94 posts
  • Local time:12:43 PM

Posted 28 October 2009 - 09:56 AM

Lots of things to report since last reply.

Downloaded Java, removed all old instances of Java, got firewall alert that Java Binary SE is attempting to access windows installer. Clicked allow and got many messages about accessing registry and other things, and allowed all. After whole process, latest Java was sucessfully installed . Restarted computer. While computer was shutting down, I reconnected the network cable.

On restart, I got a bunch of fire wall alerts again including that a new network was connected to, and asking if I wanted to put it in public or home zone (no other options). I put it in public, since I was still not sure of what is going on with that, and started the firewall to block internet access. I got screen shots of several of the alerts to send to you and copied them to my flash drive (I will include the text of some of them at end of post). I decided to skip the Kaspersky download until next post, and tried to run RSIT. A message came up saying something about needing internet access, so I decided to return to my parents' house to post and get more instructions. At that point, I had not yet read your post about going ahead with the security reinstall.

When I got there, I started to reply with the above information, but realized that I did not know how to post an image. I went to the forums and found a post about doing that, and followed the directions for ImageShack posting. In the process, I downloaded and installed Image Shack Uploader, in order to upload several images at once. Bad mistake :( now I may have 3 infected machines. I had immediate popups for Antivirus System Pro and Resident Shield telling me that I was infected with many viruses and asking if I wanted to remove them. I tried to do a couple of things to try to get rid of that, but was unable to remove it. Shut down their machine and returned home (I will have to wait until my problem is fixed first).

Since it had been a long day I decided to wait until morning to continue. At that time, I uninstalled and reinstalled CA Internet Security Suite. Ran a quick scan for with CA antispyware, it found what it called Win Antivirus Pro 2006, Win Spyware Protect and Bifrost Backdoor, and quarantined them. Ran a full CA Antivirus scan, which found what it called Win32/SillyDI.PRR in file on desktop called Combofix and deleted it. It seemed strange though that it only scanned about 390,000 files, I think it was well over 500,000 in previous scans. I hope this reinstall and these scans did not cause a major problem with your process, but you did okay the reinstall at least.

Should I continue with the other scans, Kaspersky and RSIT, or will what I did cause a problem?

Firewall alert messages:
  • Program:ntoskrnl.exe, Path:C:\WIndows\system32\ntoskrnl.exe, Access Denied, Program trying to access your computer over the Internet, Remote Address (port 68) from (port 67)
  • Program:WIndows Genuine Advantage Notification, Path:C:\Windows\system 32\WgaTray.exe, Access Denied, WIndows Genuine Advantage Notification is attempting to inject code\Device|Physical Memory
  • Program:Google Installer, Path:C;\Program Files...GoogleUpdate.exe, Access Denied, program trying to access the Internet local address *.*.*.* (port 1035) to (port 80)

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users