Possible "svchost.exe Trojan-PSW.win32.Sagic.15 Virus"


53 replies to this topic

#1 weggie

  • Members
  • 31 posts

Posted 10 November 2009 - 06:55 PM

I've had this problem for several weeks now.

Symptoms ... something runs, often every few minutes but sometimes not for an hour or so. It opens a succession of windows for various things (Start Menu is often the first), frequently causing PC to crash completely so that all I can do is switch off and restart. I play World of Warcraft a lot and it plays havoc with that.

I have run various malware etc. programs but the only one which found anything was AdvancedSystemCare, which reported "svchost.exe Trojan-PSW.win32.Sagic.15 Virus".


DDS (Ver_09-10-26.01) - NTFSx86
Run by ADMIN at 23:28:57.70 on Tue 11/10/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1024.630 [GMT 0:00]

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\SRNMIC~1\SOLOSENT.EXE
C:\SRNMIC~1\SOLOCFG.EXE
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\ADMIN\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
TB: ZoneAlarm Spy Blocker Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} -
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SoloSentry] c:\srnmic~1\SOLOSENT.EXE
mRun: [SoloSchedule] c:\srnmic~1\SOLOCFG.EXE
mRun: [SoloSysCheck] c:\srnmic~1\SYSCHECK.COM
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\n75zzgyo.default\
FF - component: c:\documents and settings\admin\application data\mozilla\firefox\profiles\n75zzgyo.default\extensions\{31c7d459-9cc3-44f2-9dca-fc11795309b4}\components\FFExternalAlert.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S4 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-10-30 464264]

============== File Associations ===============

scrfile="%1" %*

=============== Created Last 30 ================

2009-11-06 16:32:38 0 d-----w- c:\program files\Trend Micro
2009-11-05 17:01:11 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-11-05 17:01:05 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-11-05 17:00:56 0 d-----w- c:\docume~1\admin\applic~1\IObit
2009-11-05 17:00:55 0 d-----w- c:\windows\SxsCaPendDel
2009-11-05 16:02:19 38 ----a-w- c:\windows\SOLOSCAN.BAT
2009-11-05 16:02:13 0 d-----w- C:\SRN Micro
2009-11-05 14:51:03 0 d-----w- c:\program files\ESET
2009-11-04 23:33:38 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-04 23:33:38 0 d-----w- c:\docume~1\admin\applic~1\SUPERAntiSpyware.com
2009-11-04 23:28:46 0 d-----w- c:\program files\IObit
2009-11-04 22:35:40 0 d-----w- c:\docume~1\admin\applic~1\Malwarebytes
2009-11-04 22:35:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-04 22:35:34 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-04 22:35:34 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-04 22:35:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-03 14:42:54 0 d--h--w- C:\$AVG
2009-11-03 14:41:30 0 d-----w- c:\program files\AVG
2009-11-03 14:41:27 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-10-31 08:02:12 0 d-sh--w- c:\documents and settings\admin\PrivacIE
2009-10-31 08:00:55 0 d-sh--w- c:\documents and settings\admin\IETldCache
2009-10-31 07:59:38 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-31 07:59:23 0 d-----w- c:\windows\ie8updates
2009-10-31 07:59:00 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-31 07:59:00 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-31 07:59:00 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-31 07:59:00 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-10-31 07:59:00 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-31 07:59:00 11069440 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-10-31 07:57:23 0 dc-h--w- c:\windows\ie8
2009-10-30 19:16:48 0 d-----w- c:\program files\AskBarDis
2009-10-30 19:16:28 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-10-30 19:16:16 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-10-30 19:16:15 0 d-----w- c:\windows\system32\ZoneLabs
2009-10-30 19:16:15 0 d-----w- c:\program files\Zone Labs
2009-10-30 19:16:14 350192 ----a-w- c:\windows\system32\vsconfig.xml
2009-10-30 19:13:58 0 d-----w- c:\windows\Internet Logs
2009-10-29 19:30:37 0 d-----w- c:\windows\system32\appmgmt
2009-10-27 20:39:20 0 d-----w- c:\docume~1\alluse~1\applic~1\UAB
2009-10-27 20:38:52 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Drivers HeadQuarters
2009-10-27 14:02:32 0 d-----w- c:\windows\Logs
2009-10-26 17:21:49 593920 ------w- c:\windows\system32\ati2sgag.exe
2009-10-26 17:20:34 0 d-----w- C:\ATI
2009-10-26 17:16:04 10 ----a-w- c:\windows\WININIT.INI

==================== Find3M ====================

2009-09-14 22:26:46 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-11 18:05:10 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll

============= FINISH: 23:29:20.96 ===============

#2 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 17 November 2009 - 08:22 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


#3 weggie
  • Topic Starter
  • Members
  • 31 posts

Posted 22 November 2009 - 07:25 PM

Thanks for your reply. Here is the new DDS log:-


DDS (Ver_09-10-26.01) - NTFSx86
Run by ADMIN at 23:17:06.76 on Sun 11/22/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1024.633 [GMT 0:00]

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\SRNMIC~1\SOLOSENT.EXE
C:\SRNMIC~1\SOLOCFG.EXE
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\ADMIN\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
TB: ZoneAlarm Spy Blocker Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} -
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /S
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SoloSentry] c:\srnmic~1\SOLOSENT.EXE
mRun: [SoloSchedule] c:\srnmic~1\SOLOCFG.EXE
mRun: [SoloSysCheck] c:\srnmic~1\SYSCHECK.COM
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\n75zzgyo.default\
FF - component: c:\documents and settings\admin\application data\mozilla\firefox\profiles\n75zzgyo.default\extensions\{31c7d459-9cc3-44f2-9dca-fc11795309b4}\components\FFExternalAlert.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2009-11-12 312592]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2009-11-15 583640]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S4 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-10-30 464264]

============== File Associations ===============

scrfile="%1" %*

=============== Created Last 30 ================

2009-11-15 17:34:07 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2009-11-15 17:34:07 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2009-11-15 17:34:07 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2009-11-15 17:34:07 1081616 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2009-11-15 17:34:06 0 d-----w- c:\program files\common files\PC Tools
2009-11-12 23:31:53 0 d-----w- c:\docume~1\alluse~1\applic~1\IObit
2009-11-06 16:32:38 0 d-----w- c:\program files\Trend Micro
2009-11-05 17:01:11 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-11-05 17:01:05 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-11-05 17:00:56 0 d-----w- c:\docume~1\admin\applic~1\IObit
2009-11-05 17:00:55 0 d-----w- c:\windows\SxsCaPendDel
2009-11-05 16:02:19 38 ----a-w- c:\windows\SOLOSCAN.BAT
2009-11-05 16:02:13 0 d-----w- C:\SRN Micro
2009-11-05 14:51:03 0 d-----w- c:\program files\ESET
2009-11-04 23:33:38 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-04 23:33:38 0 d-----w- c:\docume~1\admin\applic~1\SUPERAntiSpyware.com
2009-11-04 23:28:46 0 d-----w- c:\program files\IObit
2009-11-04 22:35:40 0 d-----w- c:\docume~1\admin\applic~1\Malwarebytes
2009-11-04 22:35:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-04 22:35:34 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-04 22:35:34 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-04 22:35:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-03 14:42:54 0 d--h--w- C:\$AVG
2009-11-03 14:41:30 0 d-----w- c:\program files\AVG
2009-11-03 14:41:27 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-10-31 08:02:12 0 d-sh--w- c:\documents and settings\admin\PrivacIE
2009-10-31 08:00:55 0 d-sh--w- c:\documents and settings\admin\IETldCache
2009-10-31 07:59:38 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-31 07:59:23 0 d-----w- c:\windows\ie8updates
2009-10-31 07:59:00 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-31 07:59:00 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-31 07:59:00 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-31 07:59:00 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-10-31 07:59:00 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-31 07:59:00 11069440 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-10-31 07:57:23 0 dc-h--w- c:\windows\ie8
2009-10-30 19:16:48 0 d-----w- c:\program files\AskBarDis
2009-10-30 19:16:28 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-10-30 19:16:16 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-10-30 19:16:15 0 d-----w- c:\windows\system32\ZoneLabs
2009-10-30 19:16:15 0 d-----w- c:\program files\Zone Labs
2009-10-30 19:16:14 350192 ----a-w- c:\windows\system32\vsconfig.xml
2009-10-30 19:13:58 0 d-----w- c:\windows\Internet Logs
2009-10-29 19:30:37 0 d-----w- c:\windows\system32\appmgmt
2009-10-27 20:39:20 0 d-----w- c:\docume~1\alluse~1\applic~1\UAB
2009-10-27 20:38:52 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Drivers HeadQuarters
2009-10-27 14:02:32 0 d-----w- c:\windows\Logs
2009-10-26 17:21:49 593920 ------w- c:\windows\system32\ati2sgag.exe
2009-10-26 17:20:34 0 d-----w- C:\ATI
2009-10-26 17:16:04 10 ----a-w- c:\windows\WININIT.INI

==================== Find3M ====================

2009-09-14 22:26:46 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-11 18:05:10 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll

============= FINISH: 23:17:34.65 ===============

Hope this is enough. I was going to attach a zipped "Attach" file but for some reason I was unable to zip it.

#4 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 23 November 2009 - 10:39 PM

Hello weggie :( Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.

I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Please do not post any logs as an attachment unless asked to do so.

Thanks,

thewall
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper
Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 weggie
  • Topic Starter
  • Members
  • 31 posts

Posted 27 November 2009 - 11:56 AM

Thanks for helping, thewall!

I ran the scan all the way through using the settings given. Here is the file:-

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-27 16:39:47
Windows 5.1.2600 Service Pack 3
Running: mbjgsmov.exe; Driver: C:\DOCUME~1\ADMIN\LOCALS~1\Temp\pgldqpoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xEEE2CFC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xEEE29C80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xEEE44170]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xEEE2D580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xEEE41900]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xEEE41B10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xEEE45B10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xEEE2D670]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xEEE2A210]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xEEE449F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xEEE447A0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xEEE41280]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xEEE44F10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xEEE44F90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xEEE2A070]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xEEE43180]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xEEE42F40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xEEE456F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xEEE45150]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xEEE2CBE0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xEEE45540]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xEEE2D190]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xEEE2A440]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xEEE444E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xEEE42200]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEEDCD0B0]

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- EOF - GMER 1.0.15 ----
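The SSDT section of the GMER log above lists, one per line, a hooked system call, the driver that hooks it, the driver's version-info description in parentheses and the hook address. The Python below is an added example, not GMER output and not anything posted in this thread: it parses those lines (and the Device lines) into records, groups the hooks per driver so a reader sees two drivers rather than twenty-six lines, and queues for review any module whose vendor description is missing or not in a small known-vendor set. The `KNOWN_VENDORS` set is an assumption taken from this log, and the `example_unknown.sys` line is constructed to exercise the no-description case.

```python
import re

# Constructed sample in the shape of the GMER 1.0.15 output posted above.
# The first three SSDT lines and the Device line copy entries from that log;
# the "example_unknown.sys" line is made up to exercise the no-description case.
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xEEE29C80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xEEE44170]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEEDCD0B0]
SSDT \??\C:\WINDOWS\system32\drivers\example_unknown.sys ZwQueryDirectoryFile [0xEE000000]

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- EOF - GMER 1.0.15 ----
"""

# Vendors this machine is known to run, taken from the same log. This set is an
# assumption for the example; in practice it comes from your software inventory.
KNOWN_VENDORS = {
    "Check Point Software Technologies LTD",
    "SUPERAdBlocker.com and SUPERAntiSpyware.com",
}

# "SSDT <module> (<description>) <ZwFunction> [<address>]". The module path may
# contain spaces, so it is matched lazily up to the optional description or the
# Zw* function name; the description is optional because not every module has one.
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>.+?)(?:\s+\((?P<desc>[^)]*)\))?"
    r"\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]\s*$"
)
# "Device <driver object> <device object> <module> (<description>)"
DEVICE_RE = re.compile(
    r"^Device\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<module>.+?)"
    r"(?:\s+\((?P<desc>[^)]*)\))?\s*$"
)


def vendor_of(desc):
    """GMER prints '<file description>/<company>'; keep the company part."""
    if not desc:
        return None
    return desc.rsplit("/", 1)[-1].strip()


def parse_gmer(text):
    """Turn SSDT hook lines and device-attach lines into dict records."""
    records = []
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            records.append({"kind": "ssdt", "module": m["module"],
                            "vendor": vendor_of(m["desc"]),
                            "function": m["func"], "address": int(m["addr"], 16)})
            continue
        m = DEVICE_RE.match(line)
        if m:
            records.append({"kind": "device", "module": m["module"],
                            "vendor": vendor_of(m["desc"]),
                            "driver": m["driver"], "device": m["device"]})
    return records


def summarize_hooks(records):
    """Group SSDT hooks by hooking module: one entry per driver, not per line."""
    summary = {}
    for r in records:
        if r["kind"] != "ssdt":
            continue
        entry = summary.setdefault(r["module"], {"vendor": r["vendor"], "functions": []})
        entry["functions"].append(r["function"])
    return summary


def modules_for_review(records, known_vendors=KNOWN_VENDORS):
    """Modules whose vendor is missing or not in the inventory, in log order.
    This is a review queue, not a verdict; security software hooks the SSDT too,
    which is the false-positive point the helper's caution makes."""
    seen = []
    for r in records:
        unknown = r["vendor"] is None or r["vendor"] not in known_vendors
        if unknown and r["module"] not in seen:
            seen.append(r["module"])
    return seen


if __name__ == "__main__":
    recs = parse_gmer(SAMPLE_GMER)
    for module, info in summarize_hooks(recs).items():
        print(f"{module}\n    vendor: {info['vendor']}\n    hooks:  {', '.join(info['functions'])}")
    print("review:", modules_for_review(recs))
```

Run over the log actually posted, every SSDT entry names either vsdatant.sys (Check Point's TrueVector driver, part of the ZoneAlarm firewall the DDS log shows installed) or SUPERAntiSpyware's SASKUTIL.sys, so the review queue would be empty; that is the situation the "false positives" caution describes. The script deliberately stops at grouping and attribution and leaves the judgement to the person reading the log.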

#6 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 27 November 2009 - 12:28 PM

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#7 weggie
  • Topic Starter
  • Members
  • 31 posts

Posted 28 November 2009 - 05:42 PM

I did need to download the Recovery Console.

After about 8 attempts I got ComboFix to complete its scan. I kept getting message boxes saying "PVE.exe [or was it PEV?] has encountered a problem and needs to close" but eventually I found that I could click on "Close" and continue the scan.

Here is the file ....

ComboFix 09-11-28.01 - ADMIN 11/28/2009 22:04.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1024.647 [GMT 0:00]
Running from: c:\documents and settings\ADMIN\My Documents\Downloads\ComboFix.exe
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-28 )))))))))))))))))))))))))))))))
.

2009-11-23 00:01 . 2009-02-16 00:10 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-11-23 00:01 . 2009-02-16 00:10 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-11-23 00:01 . 2009-11-23 00:01 -------- d-----w- c:\windows\system32\ZoneLabs
2009-11-23 00:01 . 2009-02-16 00:10 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-11-22 23:23 . 2009-11-22 23:23 -------- d-----w- c:\documents and settings\ADMIN\Application Data\AVG8
2009-11-12 23:31 . 2009-11-12 23:31 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2009-11-10 16:36 . 2009-11-10 16:36 -------- d-----w- c:\documents and settings\ADMIN\Local Settings\Application Data\Blizzard Entertainment
2009-11-10 11:54 . 2009-11-04 16:49 635664 ----a-w- c:\documents and settings\ADMIN\Application Data\IObit\Common\TB_Helper.exe
2009-11-10 11:54 . 2009-10-21 19:01 52224 ----a-w- c:\documents and settings\ADMIN\Application Data\Mozilla\Firefox\Profiles\n75zzgyo.default\extensions\{31c7d459-9cc3-44f2-9dca-fc11795309b4}\components\FFExternalAlert.dll
2009-11-10 11:54 . 2009-10-21 19:01 114688 ----a-w- c:\documents and settings\ADMIN\Application Data\Mozilla\Firefox\Profiles\n75zzgyo.default\extensions\{31c7d459-9cc3-44f2-9dca-fc11795309b4}\components\npmozax.dll
2009-11-06 17:05 . 2009-11-06 17:05 0 ----a-w- c:\windows\nsreg.dat
2009-11-06 17:05 . 2009-11-06 17:05 -------- d-----w- c:\documents and settings\ADMIN\Local Settings\Application Data\Mozilla
2009-11-06 16:32 . 2009-11-06 16:32 -------- d-----w- c:\program files\Trend Micro
2009-11-06 14:24 . 2009-11-06 14:24 -------- d-----w- c:\documents and settings\ADMIN\Local Settings\Application Data\Identities
2009-11-05 17:01 . 2009-11-05 17:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-05 17:01 . 2009-11-05 17:01 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-05 17:00 . 2009-11-10 11:54 -------- d-----w- c:\documents and settings\ADMIN\Application Data\IObit
2009-11-05 17:00 . 2009-11-05 17:00 -------- d-----w- c:\windows\SxsCaPendDel
2009-11-05 14:51 . 2009-11-05 14:51 -------- d-----w- c:\program files\ESET
2009-11-04 23:36 . 2009-11-04 23:36 117760 ----a-w- c:\documents and settings\ADMIN\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-04 23:33 . 2009-11-25 10:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-04 23:33 . 2009-11-04 23:33 -------- d-----w- c:\documents and settings\ADMIN\Application Data\SUPERAntiSpyware.com
2009-11-04 23:28 . 2009-11-12 23:31 -------- d-----w- c:\program files\IObit
2009-11-04 22:35 . 2009-11-04 22:35 -------- d-----w- c:\documents and settings\ADMIN\Application Data\Malwarebytes
2009-11-04 22:35 . 2009-11-04 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-03 14:42 . 2009-11-03 14:43 -------- d-----w- C:\$AVG
2009-11-03 14:41 . 2009-11-03 14:41 -------- d-----w- c:\program files\AVG
2009-11-03 14:41 . 2009-11-22 23:31 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-03 14:32 . 2009-11-03 14:32 -------- d-----w- c:\documents and settings\ADMIN\Local Settings\Application Data\Threat Expert
2009-11-03 14:18 . 2009-11-24 17:29 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-31 08:02 . 2009-10-31 08:02 -------- d-sh--w- c:\documents and settings\ADMIN\PrivacIE
2009-10-31 08:02 . 2009-10-31 08:02 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-31 08:00 . 2009-10-31 08:00 -------- d-sh--w- c:\documents and settings\ADMIN\IETldCache
2009-10-31 07:59 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-31 07:59 . 2009-11-04 13:20 -------- d-----w- c:\windows\ie8updates
2009-10-31 07:59 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-31 07:59 . 2009-08-29 08:08 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-31 07:59 . 2009-08-29 08:08 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-31 07:59 . 2009-08-29 08:08 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-10-31 07:59 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-31 07:59 . 2009-08-29 08:08 11069440 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-10-31 07:57 . 2009-10-31 07:58 -------- dc-h--w- c:\windows\ie8
2009-10-30 19:16 . 2009-11-23 00:02 -------- d-----w- c:\program files\AskBarDis
2009-10-30 19:16 . 2009-11-23 00:01 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-10-30 19:16 . 2009-10-30 19:16 -------- d-----w- c:\program files\Zone Labs
2009-10-30 19:13 . 2009-11-28 22:09 -------- d-----w- c:\windows\Internet Logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-25 22:27 . 2009-11-25 22:28 1389568 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2009-11-25 22:27 . 2009-11-25 22:28 349184 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-11-24 20:53 . 2009-09-15 15:33 -------- d-----w- c:\program files\World of Warcraft
2009-11-24 17:26 . 2009-11-24 17:27 1380864 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-11-24 17:26 . 2009-11-24 17:27 407040 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-11-20 23:51 . 2009-11-11 14:10 1807001 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-11-05 17:00 . 2009-09-14 22:27 -------- d-----w- c:\program files\OpenOffice.org 3
2009-11-04 15:01 . 2009-09-15 18:39 1 ----a-w- c:\documents and settings\ADMIN\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-10-30 19:13 . 2009-09-14 15:43 -------- d-----w- c:\program files\COMODO
2009-10-27 20:39 . 2009-10-27 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\UAB
2009-10-27 20:38 . 2009-10-27 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-10-26 17:25 . 2009-10-26 17:25 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2009-10-26 17:23 . 2009-09-14 14:21 -------- d-----w- c:\program files\ATI Technologies
2009-10-26 17:21 . 2009-09-14 14:21 -------- d-----w- c:\program files\Common Files\InstallShield
2009-09-16 10:17 . 2009-09-14 15:05 17280 ----a-w- c:\documents and settings\ADMIN\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-14 22:26 . 2009-09-14 22:26 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-14 15:40 . 2009-09-14 15:40 0 ----a-w- c:\windows\ativpsrm.bin
2009-09-14 15:21 . 2009-09-11 18:06 86327 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-09-11 18:05 . 2009-09-11 18:05 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-11 14:18 . 2001-08-18 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2001-08-18 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-10-16 18:22 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-16 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-16 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-11-04 2334856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-25 2001648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe MSRun" [X]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 15:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enGB-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enGB-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enGB-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enGB-downloader.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 9:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 74480]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [10/30/2009 7:16 PM 464264]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [11/12/2009 11:31 PM 312592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 9:24 PM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-11-28 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-09-16 21:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
FF - ProfilePath - c:\documents and settings\ADMIN\Application Data\Mozilla\Firefox\Profiles\n75zzgyo.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-28 22:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,62,ea,d7,ce,4e,3a,4f,9e,8d,17,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,62,ea,d7,ce,4e,3a,4f,9e,8d,17,\

[HKEY_USERS\S-1-5-21-1409082233-1958367476-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(548)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(376)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-11-28 22:19
ComboFix-quarantined-files.txt 2009-11-28 22:19

Pre-Run: 44,981,239,808 bytes free
Post-Run: 45,199,884,288 bytes free

- - End Of File - - 40CBD617C3F05D3D2CD3AFDE48D10176
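
As an added example (not part of the posted log or of the helper's instructions), the script below shows how a responder can triage the "Reg Loading Points" and service lines of a ComboFix log mechanically instead of reading them by eye. It pulls out each autostart entry (Run values, BHO and winlogon\notify entries, ShellExecuteHooks, R*/S* services), extracts the image path, and flags the things worth checking first: entries whose file is missing (`[X]`), images under user-writable paths, entries in high-value hook locations, and system process names such as svchost.exe that do not live under c:\windows. The sample input reuses lines from the log above plus one constructed "Updater" Run entry that was NOT in the posted log, included only so a flag fires; the regexes are my reading of the line shapes in this log, not ComboFix documentation, and the flag heuristics are assumptions, not detections.

```python
import re
from dataclasses import dataclass, field

# Constructed sample. All lines except the "Updater" value are copied from the
# ComboFix log posted above; "Updater" is invented to exercise the flags.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-10-16 18:22 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-11-04 2334856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-25 2001648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe MSRun" [X]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"Updater"="c:\documents and settings\ADMIN\Local Settings\Temp\svchost.exe" [2009-11-01 45056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 15:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 9:24 PM 9968]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [10/30/2009 7:16 PM 464264]
"""

# Line shapes as they appear in this log (assumed, not an official grammar).
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*"([^"]*)"\s*\[([^\]]*)\]\s*$')
BARE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (\d+) \S+ (.+)$")
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]\s*$")
IMAGE_RE = re.compile(r"^(.*?\.(?:exe|dll|sys|cpl|ocx))", re.IGNORECASE)

# Names a legitimate copy of which only lives under c:\windows (assumption).
SYSTEM_PROCESS_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe",
                        "winlogon.exe", "services.exe", "explorer.exe"}
# Autostart locations that load code into the browser, the shell or winlogon.
SENSITIVE_KEY_MARKERS = ("browser helper objects", "shellexecutehooks",
                         r"winlogon\notify")


@dataclass
class Autostart:
    location: str   # registry key, or "service (R2)" for service lines
    name: str       # value name, service name, or last key component
    path: str       # lower-cased image path with arguments stripped
    meta: str       # the bracketed date/size field, or "X" when file missing
    flags: list = field(default_factory=list)


def image_path(command):
    """Strip arguments such as 'MSRun' and normalise case."""
    m = IMAGE_RE.match(command.strip())
    return (m.group(1) if m else command.strip()).lower()


def parse_autostarts(text):
    """Turn the Reg Loading Points / service lines into Autostart records."""
    entries, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, _display, path, meta = m.groups()
            entries.append(Autostart(f"service ({start})", name, image_path(path), meta))
            continue
        if current_key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            name, command, meta = m.groups()
            entries.append(Autostart(current_key, name, image_path(command), meta))
            continue
        m = BARE_RE.match(line)   # BHO / winlogon notify style: date size attrs path
        if m:
            size, path = m.groups()
            entries.append(Autostart(current_key, current_key.rsplit("\\", 1)[-1],
                                     image_path(path), size))
    return entries


def flag(entry):
    """Heuristic triage flags; a flag means 'look here first', not 'malicious'."""
    flags, loc, path = [], entry.location.lower(), entry.path
    if entry.meta.strip().upper() == "X":
        flags.append("file-missing")
    if path.startswith("c:\\documents and settings\\") or "\\temp\\" in path:
        flags.append("user-writable-path")
    if any(marker in loc for marker in SENSITIVE_KEY_MARKERS):
        flags.append("sensitive-hook")
    base = path.rsplit("\\", 1)[-1]
    if base in SYSTEM_PROCESS_NAMES and not path.startswith("c:\\windows\\"):
        flags.append("system-name-outside-windows")
    return flags


def triage(text):
    entries = parse_autostarts(text)
    for e in entries:
        e.flags = flag(e)
    return entries


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        if e.flags:
            print(f"{', '.join(e.flags):45} {e.name:30} {e.path}")
```

Run against the constructed sample, only the invented "Updater" value, the dead `StartCCC` entry and the three hook-location entries are flagged; everything else in this section of the posted log resolves to a file under c:\program files, which matches the helper's reading that the autostarts themselves look ordinary.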

#8 thewall (Malware Response Team)

Posted 28 November 2009 - 07:50 PM

Good job.

ComboFix is showing that it ran a total of five times so the trouble you were having still should have resulted in some more texts being created. I am going to need to see those so what I would like you to do is to go to the following location and see if you can copy the log. Since there are so many let's see if we can start with #5 which should actually be the first run and see what it shows. If I need any others we can go from there.


The one I am looking for first is located at:


C:\Qoobox\ComboFix5.txt


If you have any questions or I am not being clear please stop and ask.
If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

#9 weggie (Topic Starter)

Posted 29 November 2009 - 12:57 PM

I can find the Qoobox folder but there are no text files in it

#10 thewall (Malware Response Team)

Posted 29 November 2009 - 02:46 PM

Is there anything in it?

#11 weggie (Topic Starter)

Posted 30 November 2009 - 06:15 PM

Yes,

[1] A folder called 'BackEnv' which contains Add-Remove Programs (text doc), Combo-Fix_quarantined-files (text doc) and SnapShot @ 2009-11-28_22.17 (data file)

[2] A folder called 'Quarantine' containing ...

(a) a folder called 'C', which is empty
(b) a folder called 'Registry-backups' which contains HKLM-Run-Malwarebytes Anti-Malware (reboot).reg, tcpip Registration Entries, and WebBrowser...etc data file

[3] 'catchme', a text doc

#12 thewall (Malware Response Team)

Posted 30 November 2009 - 08:53 PM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main text field:
    :filefind
    ComboFix1.txt
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#13 weggie (Topic Starter)

Posted 01 December 2009 - 08:08 PM

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 01:05 on 02/12/2009 by ADMIN (Administrator - Elevation successful)

========== filefind ==========

Searching for "ComboFix1.txt"
No files found.

-=End Of File=-

#14 weggie (Topic Starter)

Posted 01 December 2009 - 08:13 PM

By the way, this is what the Qoobox\catchme text file contained ...

-------- 2009-11-28 - 21:35:24 -------------


-------- 2009-11-28 - 21:46:50 -------------


-------- 2009-11-28 - 21:50:49 -------------


-------- 2009-11-28 - 21:57:54 -------------


-------- 2009-11-28 - 22:01:51 -------------

... doesn't seem to help much :(

#15 thewall (Malware Response Team)

Posted 01 December 2009 - 10:46 PM

OK, let's try something else:


It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:



Please do a scan with Kaspersky Online Scanner. (Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.
