Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Unknown, recurring infection


  • This topic is locked This topic is locked
29 replies to this topic

#1 XxJxX1337

XxJxX1337

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:12:31 AM

Posted 26 November 2009 - 05:21 AM

About a few months ago my desktop started experiencing strange problems. The first issue was that Google no longer went to the sites that it was linking to. I originally thought this to be an isolated incident but as I continued to search I realized that almost all search results would take me to strange, random webpages unless I repeatedly clicked the link to access the correct website. I also noticed a noticable slowdown in CPU performance. I did a scan with AVG and considered the issued closed. Well it wasn't, and the problem kept coming back. I used Spybot, Adaware, and Windows Defender all in vain to get this problem removed. I did research and found SUPERantispyware and Malwarebytes and used both of those. They both found problems but after a restart the issue was back with a vengance, and a repeat scan showed the same problem. I have come to the conclusion that this needs to somehow be removed carefully beyond my skills so I would very much appreciate your assistance.


DDS (Ver_09-11-24.02) - NTFSx86
Run by Joe at 2:30:25.15 on Thu 11/26/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.264 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Opera\opera.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Joe\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [GetModule36] c:\program files\getmodule\GetModule36.exe
mRun: [LaunchApp]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: efcAQGyx - efcAQGyx.dll
AppInit_DLLs: cru629.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\geBqNfFV
LSA: Notification Packages = scecli c:\windows\system32\zukuzibi.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-1 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-10 335240]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-1 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1029456]
S1 soqwx32;soqwx32;\??\c:\windows\system32\drivers\soqwx32.sys --> c:\windows\system32\drivers\soqwx32.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]

=============== Created Last 30 ================


==================== Find3M ====================

2009-09-04 07:51:30 2450 ----a-w- c:\windows\system32\tmp.reg
2009-08-28 14:18:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-09 16:55:22 2713 --sh--w- c:\windows\system32\kuvudoyu.dll
2009-04-25 15:12:00 2713 --sh--w- c:\windows\system32\pupuzuno.exe
2009-05-10 22:56:38 2713 --sh--w- c:\windows\system32\zewemije.exe
2008-08-22 21:40:14 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-11-10 05:02:18 16384 -csha-w- c:\windows\temp\cookies\index.dat
2008-11-10 05:02:18 16384 -csha-w- c:\windows\temp\history\history.ie5\index.dat

============= FINISH: 2:32:21.54 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:31 AM

Posted 26 November 2009 - 05:41 PM

Hi XxJxX1337,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Your log(s) show that you are using so called peer-to-peer or file-sharing programs. These programs allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  • Either uninstall uTorrent for now or configure it not to run at start up and avoid using it as log as we are not done.

  • You have the program Spybot S&D (Teatimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do. This will only take a few seconds.
    • First disable TeaTimer:
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck Resident TeaTimer and OK any prompts
      • Restart your computer.
      Instruction is also here: How to disable TeaTimer during HijackThis Cleanup

      Note:If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

    • Then download ResetTeaTimer.exe to your desktop.
      • Doubleclick ResetTeaTimer.exe and let it run.
    Note: The Teatimer should be kept disabled until I give you the clean sign.


  • Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Edited by farbar, 26 November 2009 - 05:45 PM.


#3 XxJxX1337

XxJxX1337
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:12:31 AM

Posted 26 November 2009 - 06:40 PM

Hi farbar, thank you very much for your assistance

Since my last post I did perform a SB S&S scan and I removed several items that the program found. I have also since then disabled uTorrent from Windows startup and I also disabled TeaTimer per your instruction.

Because I ran SB S&D I have created a new DDS and ark file for you so that things may be as accurate as possible. I have also updated and did a quick scan with Malwarebytes, which did find a rootkit and trojan, and I did a restart. I will include all of these logs in my post. Thank you again for your assistance.



DDS (Ver_09-11-24.02) - NTFSx86
Run by Joe at 16:14:16.31 on Thu 11/26/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.308 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Joe\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [GetModule36] c:\program files\getmodule\GetModule36.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [LaunchApp]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: efcAQGyx - efcAQGyx.dll
AppInit_DLLs: cru629.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\geBqNfFV
LSA: Notification Packages = scecli c:\windows\system32\zukuzibi.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-1 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-10 335240]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-1 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1028432]
S1 soqwx32;soqwx32;\??\c:\windows\system32\drivers\soqwx32.sys --> c:\windows\system32\drivers\soqwx32.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]

=============== Created Last 30 ================

2009-11-26 22:55:16 0 d-----w- c:\documents and settings\joe\Tracing
2009-11-26 22:54:27 0 d-----w- c:\program files\Microsoft
2009-11-26 22:54:08 0 d-----w- c:\program files\Windows Live SkyDrive
2009-11-26 22:48:27 0 d-----w- c:\program files\common files\Windows Live
2009-11-26 10:28:49 215 ----a-w- c:\windows\system32\MRT.INI
2009-11-26 10:28:48 0 d-----w- c:\windows\system32\MpEngineStore

==================== Find3M ====================

2009-11-26 21:53:01 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 07:51:30 2450 ----a-w- c:\windows\system32\tmp.reg
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-05-09 16:55:22 2713 --sh--w- c:\windows\system32\kuvudoyu.dll
2009-04-25 15:12:00 2713 --sh--w- c:\windows\system32\pupuzuno.exe
2009-05-10 22:56:38 2713 --sh--w- c:\windows\system32\zewemije.exe
2008-08-22 21:40:14 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-11-10 05:02:18 16384 -csha-w- c:\windows\temp\cookies\index.dat
2008-11-10 05:02:18 16384 -csha-w- c:\windows\temp\history\history.ie5\index.dat
2008-11-10 05:02:18 16384 -csha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 16:15:01.75 ===============

Attached Files



#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:31 AM

Posted 26 November 2009 - 06:53 PM

I would like your feedback about my request from my first post:

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.



#5 XxJxX1337

XxJxX1337
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:12:31 AM

Posted 26 November 2009 - 07:36 PM

I would like your feedback about my request from my first post:

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.


Hello

You were given my feedback.

Since my last post I did perform a SB S&S scan and I removed several items that the program found. I have also since then disabled uTorrent from Windows startup and I also disabled TeaTimer per your instruction.



These actions were performed before you made your post. I was trying to make progress on the problem myself. I realize that you are helping me without compensation but you seem to be hinting that you want an apology or admission of guilt/wrongdoing. As I have said before I did these actions before you even made your post, therefore I was unaware of your "policy". I do, however, agree with your policy and no modifications to the system will be made without your instruction.

Thanks again

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:31 AM

Posted 26 November 2009 - 08:52 PM

Hi again,

You didn't do anything wrong and I didn't needed your confession or apology. I'm sorry to see how you have misunderstood me.

Please let me know in your next reply if you agree with this.

You were given my feedback.

You gave me feedback about the changes after posting the log but prior to seeing my post (I really appreciate that), no mention of if you were agree or not about not making changes to system while we are disinfecting the system. The least I needed was any mentioning so that at least I would know you have read the whole post. By that I want to get the job done as quick as possible without the need for redoing or getting into unneeded trouble.

Please copy and paste the logs instead of attaching them unless they are too large to fit a reply. Thanks.

From the MBAM log:

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\skynetejwggjfu (Rootkit.TDSS) -> No action taken.

No action taken means MBAM doesn't do anything. We want the program to remove what it finds. Now please follow the instruction on MBAM once more.

#7 XxJxX1337

XxJxX1337
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:12:31 AM

Posted 27 November 2009 - 05:10 AM

I did follow instructions during my initial scan in MBAM and it prompted me to restart. I was assuming that it removed the items during the restart. I just finished another scan (I also updated again to the most current version) and it seems to have found nothing now.

Am I clean now?

Malwarebytes' Anti-Malware 1.41
Database version: 3242
Windows 5.1.2600 Service Pack 3

11/27/2009 3:08:51 AM
mbam-log-2009-11-27 (03-08-51).txt

Scan type: Quick Scan
Objects scanned: 112839
Time elapsed: 6 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:31 AM

Posted 27 November 2009 - 06:40 AM

I was assuming that it removed the items during the restart.

It produces an initial log, removes items that the user has selected to remove then produces a log mentioning which items were deleted and on which items no action was taken.


Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (See the end of this post and information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

****
Ho to Disable AVG Resident Shield:
  • Double click AVG system tray icon to open AVG.
  • In Overview section double click Resident Shield.
  • Uncheck Resident Shield Active.
  • Press Save Changes.

    Note: It is important to activate the resident shield immediately after ComboFix produced its log.


#9 XxJxX1337

XxJxX1337
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:12:31 AM

Posted 02 December 2009 - 04:17 AM

Hello, sir.

Combofix.exe ran as directed.

ComboFix 09-12-02.01 - Joe 12/02/2009 2:03.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.422 [GMT -7:00]
Running from: c:\documents and settings\Joe\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1314201555-3785290187-2462946864-1006
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\jyaecxhj.ini
c:\windows\system32\lacvqtuh.ini
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\pupuzuno.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\SvxEKnpo.ini
c:\windows\system32\tmp.reg
c:\windows\system32\twain_32.dll
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\system32\zewemije.exe
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2009-11-02 to 2009-12-02 )))))))))))))))))))))))))))))))
.

2009-11-27 13:00 . 2009-11-27 13:00 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-11-27 06:46 . 2009-08-07 02:23 215920 ----a-w- c:\windows\system32\muweb.dll
2009-11-27 06:46 . 2009-08-07 02:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-11-26 23:22 . 2009-11-26 23:22 4045528 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-26 22:55 . 2009-12-02 09:10 -------- d-----w- c:\documents and settings\Joe\Tracing
2009-11-26 22:54 . 2009-11-26 22:54 -------- d-----w- c:\program files\Microsoft
2009-11-26 22:54 . 2009-11-26 22:54 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-11-26 22:53 . 2009-11-26 22:54 -------- d-----w- c:\program files\Windows Live
2009-11-26 22:48 . 2009-11-26 22:48 -------- d-----w- c:\program files\Common Files\Windows Live
2009-11-26 21:52 . 2009-11-26 21:52 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\WSCUpdate.dll
2009-11-26 21:52 . 2009-11-26 21:52 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-26 10:28 . 2009-11-26 10:28 -------- d-----w- c:\windows\system32\MpEngineStore
2009-11-26 09:50 . 2009-11-27 10:53 -------- d-----w- c:\documents and settings\Joe\Application Data\vlc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-02 08:53 . 2008-08-21 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-02 08:53 . 2008-11-10 06:12 93536 -c--a-w- c:\documents and settings\Joe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-02 08:49 . 2008-08-21 22:41 -------- d-----w- c:\program files\Microsoft Works
2009-11-26 23:23 . 2009-08-31 09:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-26 23:05 . 2008-11-10 09:48 -------- d-----w- c:\documents and settings\Joe\Application Data\uTorrent
2009-11-26 21:53 . 2009-06-22 03:40 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-11-26 21:53 . 2009-06-22 03:40 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-11-26 21:53 . 2009-06-02 03:40 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-11-26 21:53 . 2009-02-02 06:22 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-26 21:53 . 2009-06-22 03:40 168800 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-11-26 10:29 . 2009-02-02 00:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-27 07:17 . 2009-08-31 09:21 117760 ----a-w- c:\documents and settings\Joe\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-09-11 14:18 . 2008-04-14 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 21:54 . 2009-08-31 09:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-08-31 09:00 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 15:05 . 2009-09-04 14:29 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-09 16:55 . 2009-05-09 16:55 2713 --sh--w- c:\windows\system32\kuvudoyu.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-25 8491008]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-25 81920]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-26 2029336]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-11-26 520024]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-02-25 1626112]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-16 16862720]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 18:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 14:18 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:War3 1
"6112:UDP"= 6112:UDP:War 3 2
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/1/2009 9:40 PM 64160]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/23/2008 4:14 AM 717296]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/10/2008 4:11 AM 335240]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 3:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 3:06 PM 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/1/2009 9:26 AM 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 2:34 PM 1028432]
S1 soqwx32;soqwx32;\??\c:\windows\system32\drivers\soqwx32.sys --> c:\windows\system32\drivers\soqwx32.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 3:06 PM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-10-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 21:52]

2009-10-05 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-01-25 15:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-LaunchApp - (no file)
Notify-efcAQGyx - efcAQGyx.dll
AddRemove-Ad-Aware - c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.exe REMOVE=TRUE MODIFY=FALSE
AddRemove-NVIDIA Drivers - c:\windows\system32\nvuninst.exe UninstallGUI
AddRemove-OT32CD12 - c:\program files\oregon trail\DeIsL1.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-02 02:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys splm.sys >>UNKNOWN [0x8509F938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74cbf28
\Driver\ACPI -> ACPI.sys @ 0xf7246cb8
\Driver\atapi -> atapi.sys @ 0xf7201b40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
NDIS: NVIDIA nForce 10/100/1000 Mbps Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xf710abb0
PacketIndicateHandler -> NDIS.sys @ 0xf7117a21
SendHandler -> NDIS.sys @ 0xf70f587b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|•€|•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2752)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\agrsmsvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-12-02 02:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-02 09:15

Pre-Run: 46,183,510,016 bytes free
Post-Run: 46,126,563,328 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 6D88EB0042BA79E2AFC2C396675F29E0





What is next on the list? Thank you again for your help.

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:31 AM

Posted 02 December 2009 - 12:00 PM

Hello XxJxX1337,
  • Open notepad and copy/paste the text in the code box below into it:

    http://www.bleepingcomputer.com/forums/t/274103/unknown-recurring-infection/
    Driver::
    soqwx32
    DDS::
    uInternet Connection Wizard,ShellNext = iexplore
    IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
    IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
    
    Collect::
    C:\WINDOWS\system32\drivers\nunrfrpsbfanhl.sys
    c:\windows\system32\drivers\soqwx32.sys
    c:\windows\system32\kuvudoyu.dll
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"=dword:00000001

    Save this as CFScript.txt


    Posted Image


    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you. Please copy and paste that log in your next reply.

    **Important Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • We need to go into registry and I'm sure you are good at it.

    Go to Start => Run copy/paste regedit in the run box and click OK.

    Navigate to the following key:

    HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components

    Expand it. There are other keys. But there is one with a weird name. It is probably the last key under Components key.

    If you on the left pane select the key with the weird name, on the right panel you will see: AB141C35E9F4BF344B9FC010BB17F68A

    While the wired key is selected, right-click and delete the key then close the registey.

  • Tell me also if you have access to another computer or have friends with Windows XP SP3 installed. What we need is a clean copy of atapi.sys to copy it to the infected computer.


#11 XxJxX1337

XxJxX1337
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:12:31 AM

Posted 03 December 2009 - 05:09 AM

Hello, sir.

Ran Combofix with CFScript.txt


ComboFix 09-12-02.05 - Joe 12/03/2009 0:08.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.387 [GMT -7:00]
Running from: c:\documents and settings\Joe\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Joe\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\windows\system32\kuvudoyu.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\kuvudoyu.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_soqwx32


((((((((((((((((((((((((( Files Created from 2009-11-03 to 2009-12-03 )))))))))))))))))))))))))))))))
.

2009-11-27 13:00 . 2009-11-27 13:00 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-11-27 06:46 . 2009-08-07 02:23 215920 ----a-w- c:\windows\system32\muweb.dll
2009-11-27 06:46 . 2009-08-07 02:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-11-26 23:22 . 2009-11-26 23:22 4045528 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-26 22:55 . 2009-12-03 07:15 -------- d-----w- c:\documents and settings\Joe\Tracing
2009-11-26 22:54 . 2009-11-26 22:54 -------- d-----w- c:\program files\Microsoft
2009-11-26 22:54 . 2009-11-26 22:54 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-11-26 22:53 . 2009-11-26 22:54 -------- d-----w- c:\program files\Windows Live
2009-11-26 22:48 . 2009-11-26 22:48 -------- d-----w- c:\program files\Common Files\Windows Live
2009-11-26 21:52 . 2009-11-26 21:52 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\WSCUpdate.dll
2009-11-26 21:52 . 2009-11-26 21:52 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-26 10:28 . 2009-11-26 10:28 -------- d-----w- c:\windows\system32\MpEngineStore
2009-11-26 09:50 . 2009-12-02 10:03 -------- d-----w- c:\documents and settings\Joe\Application Data\vlc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-02 13:05 . 2008-08-21 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-02 08:53 . 2008-11-10 06:12 93536 -c--a-w- c:\documents and settings\Joe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-02 08:49 . 2008-08-21 22:41 -------- d-----w- c:\program files\Microsoft Works
2009-11-26 23:23 . 2009-08-31 09:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-26 23:05 . 2008-11-10 09:48 -------- d-----w- c:\documents and settings\Joe\Application Data\uTorrent
2009-11-26 21:53 . 2009-06-22 03:40 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-11-26 21:53 . 2009-06-22 03:40 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-11-26 21:53 . 2009-06-02 03:40 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-11-26 21:53 . 2009-02-02 06:22 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-26 21:53 . 2009-06-22 03:40 168800 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-11-26 10:29 . 2009-02-02 00:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-27 07:17 . 2009-08-31 09:21 117760 ----a-w- c:\documents and settings\Joe\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-09-11 14:18 . 2008-04-14 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 21:54 . 2009-08-31 09:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-08-31 09:00 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 15:05 . 2009-09-04 14:29 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
.

((((((((((((((((((((((((((((( SnapShot@2009-12-02_09.10.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-22 22:13 . 2009-12-02 09:11 71732 c:\windows\system32\perfc009.dat
+ 2008-08-22 22:13 . 2009-12-03 06:58 71732 c:\windows\system32\perfc009.dat
+ 2009-01-29 03:43 . 2009-12-02 13:05 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-01-29 03:43 . 2009-12-02 08:51 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-01-29 03:43 . 2009-12-02 13:05 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-01-29 03:43 . 2009-12-02 08:51 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-01-29 03:43 . 2009-12-02 13:05 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2009-01-29 03:43 . 2009-12-02 08:51 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-04-02 21:23 . 2009-04-02 21:23 10104 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\XLCALL32.DLL
+ 2009-04-04 01:01 . 2009-04-04 01:01 71504 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\XL12CNVP.DLL
+ 2009-04-04 00:57 . 2009-04-04 00:57 21320 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\WRD12EXE.EXE
+ 2009-03-05 00:24 . 2009-03-05 00:24 54088 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\SCANOST.EXE
+ 2009-03-05 00:24 . 2009-03-05 00:24 75608 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\RM.DLL
+ 2009-03-05 00:24 . 2009-03-05 00:24 38240 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\RECALL.DLL
+ 2009-01-07 04:31 . 2009-01-07 04:31 48512 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\PUBTRAP.DLL
+ 2009-03-05 00:24 . 2009-03-05 00:24 52072 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\OUTLVBA.DLL
+ 2008-11-25 05:32 . 2008-11-25 05:32 46928 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\OUTLRPC.DLL
+ 2008-10-31 04:24 . 2008-10-31 04:24 21368 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\MLSHEXT.DLL
+ 2009-03-05 00:24 . 2009-03-05 00:24 34192 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\DUMPSTER.DLL
+ 2009-03-05 00:24 . 2009-03-05 00:24 87392 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\DLGSETP.DLL
+ 2006-10-27 05:58 . 2006-10-27 05:58 33080 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\VPREVIEW.EXE
- 2008-08-22 22:13 . 2009-12-02 09:11 442466 c:\windows\system32\perfh009.dat
+ 2008-08-22 22:13 . 2009-12-03 06:58 442466 c:\windows\system32\perfh009.dat
+ 2009-05-27 01:53 . 2009-05-27 01:53 579072 c:\windows\Installer\d42f97.msp
- 2009-01-29 03:43 . 2009-12-02 08:51 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-01-29 03:43 . 2009-12-02 13:05 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-01-29 03:43 . 2009-12-02 13:05 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2009-01-29 03:43 . 2009-12-02 08:51 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-01-29 03:43 . 2009-12-02 13:05 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2009-01-29 03:43 . 2009-12-02 08:51 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2009-01-29 03:43 . 2009-12-02 08:51 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-01-29 03:43 . 2009-12-02 13:05 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2009-01-29 03:43 . 2009-12-02 08:51 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2009-01-29 03:43 . 2009-12-02 13:05 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2009-01-29 03:43 . 2009-12-02 13:05 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2009-01-29 03:43 . 2009-12-02 08:51 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-01-29 03:43 . 2009-12-02 13:05 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2009-01-29 03:43 . 2009-12-02 08:51 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-04-04 01:11 . 2009-04-04 01:11 408424 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\WINWORD.EXE
+ 2009-03-05 00:24 . 2009-03-05 00:24 282032 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\SCNPST64.DLL
+ 2009-03-05 00:24 . 2009-03-05 00:24 273320 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\SCNPST32.DLL
+ 2009-03-06 09:06 . 2009-03-06 09:06 407904 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\RTFHTML.DLL
+ 2009-03-06 10:41 . 2009-03-06 10:41 589704 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\PUBCONV.DLL
+ 2009-01-08 17:59 . 2009-01-08 17:59 624520 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\PTXT9.DLL
+ 2009-03-05 00:24 . 2009-03-05 00:24 420696 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\PSTPRX32.DLL
+ 2008-10-25 13:21 . 2008-10-25 13:21 136072 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\PRTF9.DLL
+ 2009-12-02 08:51 . 2009-12-02 08:51 350064 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\PPTPIA.DLL
+ 2009-04-04 01:04 . 2009-04-04 01:04 521064 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\POWERPNT.EXE
+ 2008-11-21 07:49 . 2008-11-21 07:49 169360 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\OUTLPH.DLL
+ 2009-03-06 09:05 . 2009-03-06 09:05 593288 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\OUTLMIME.DLL
+ 2008-10-31 04:24 . 2008-10-31 04:24 137552 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\OUTLCTL.DLL
+ 2009-03-06 11:55 . 2009-03-06 11:55 194448 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\OMSXP32.DLL
+ 2009-03-06 11:55 . 2009-03-06 11:55 661888 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\OMSMAIN.DLL
+ 2009-03-05 00:24 . 2009-03-05 00:24 253808 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\OLKFSTUB.DLL
+ 2008-11-04 07:04 . 2008-11-04 07:04 498072 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\MORPH9.DLL
+ 2009-03-05 00:24 . 2009-03-05 00:24 340304 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\MIMEDIR.DLL
+ 2009-03-05 00:24 . 2009-03-05 00:24 138072 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\IMPMAIL.DLL
+ 2008-11-21 07:48 . 2008-11-21 07:48 155016 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\ENVELOPE.DLL
+ 2008-11-21 07:48 . 2008-11-21 07:48 116600 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\EMABLT32.DLL
+ 2009-03-06 09:05 . 2009-03-06 09:05 127336 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\CONTAB32.DLL
- 2009-12-02 08:51 . 2009-12-02 08:51 350064 c:\windows\assembly\GAC\Microsoft.Office.Interop.PowerPoint\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.PowerPoint.dll
+ 2009-12-02 13:04 . 2009-12-02 13:04 350064 c:\windows\assembly\GAC\Microsoft.Office.Interop.PowerPoint\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.PowerPoint.dll
+ 2009-08-18 06:33 . 2009-08-18 06:33 1193832 c:\windows\system32\FM20.DLL
+ 2009-05-27 01:54 . 2009-05-27 01:54 4192768 c:\windows\Installer\d43045.msp
+ 2009-08-18 19:58 . 2009-08-18 19:58 8301056 c:\windows\Installer\d43029.msp
+ 2009-04-24 19:30 . 2009-04-24 19:30 2583552 c:\windows\Installer\d43011.msp
+ 2009-08-05 14:49 . 2009-08-05 14:49 3457024 c:\windows\Installer\d42ff8.msp
+ 2009-04-24 19:28 . 2009-04-24 19:28 4450816 c:\windows\Installer\d42fdf.msp
+ 2009-07-27 11:31 . 2009-07-27 11:31 3738624 c:\windows\Installer\d42fc6.msp
+ 2009-08-18 19:57 . 2009-08-18 19:57 9122304 c:\windows\Installer\d42faf.msp
+ 2009-08-18 20:08 . 2009-08-18 20:08 1373696 c:\windows\Installer\d42f81.msp
+ 2009-04-24 19:29 . 2009-04-24 19:29 9013760 c:\windows\Installer\d42f2e.msp
+ 2009-01-29 03:43 . 2009-12-02 13:05 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2009-01-29 03:43 . 2009-12-02 08:51 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2009-01-29 03:43 . 2009-12-02 08:51 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-01-29 03:43 . 2009-12-02 13:05 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-04-04 00:57 . 2009-04-04 00:57 4671320 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\WRD12CNV.DLL
+ 2008-11-21 10:12 . 2008-11-21 10:12 3750256 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\VVIEWER.DLL
+ 2008-10-25 16:35 . 2008-10-25 16:35 1847160 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\VVIEWDWG.DLL
+ 2009-04-04 01:04 . 2009-04-04 01:04 8468840 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\PPCORE.DLL
+ 2009-03-06 09:05 . 2009-03-06 09:05 2964336 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\OLMAPI32.DLL
+ 2009-02-05 18:36 . 2009-02-05 18:36 1640800 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\OGL.DLL
+ 2009-03-06 10:41 . 2009-03-06 10:41 9589096 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\MSPUB.EXE
+ 2008-11-21 06:06 . 2008-11-21 06:06 1194848 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\FM20.DLL
+ 2009-08-18 19:50 . 2009-08-18 19:50 12022272 c:\windows\Installer\d42f6a.msp
+ 2009-04-04 01:01 . 2009-04-04 01:01 15108448 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\XL12CNV.EXE
+ 2009-04-04 01:11 . 2009-04-04 01:11 17740136 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\WWLIB.DLL
+ 2009-03-06 09:06 . 2009-03-06 09:06 12707696 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\OUTLOOK.EXE
+ 2009-04-04 01:11 . 2009-04-04 01:11 18330984 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\EXCEL.EXE
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-25 8491008]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-25 81920]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-26 2029336]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-11-26 520024]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-02-25 1626112]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-16 16862720]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 18:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 14:18 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:War3 1
"6112:UDP"= 6112:UDP:War 3 2
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/1/2009 9:40 PM 64160]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/23/2008 4:14 AM 717296]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/10/2008 4:11 AM 335240]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 3:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 3:06 PM 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/1/2009 9:26 AM 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 2:34 PM 1028432]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 3:06 PM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-10-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 21:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-03 00:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sppg.sys >>UNKNOWN [0x8509F938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74cbf28
\Driver\ACPI -> ACPI.sys @ 0xf7246cb8
\Driver\atapi -> atapi.sys @ 0xf7201b40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
NDIS: NVIDIA nForce 10/100/1000 Mbps Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xf710abb0
PacketIndicateHandler -> NDIS.sys @ 0xf7117a21
SendHandler -> NDIS.sys @ 0xf70f587b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|•€|•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3576)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\agrsmsvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2009-12-03 00:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-03 07:19
ComboFix2.txt 2009-12-02 09:15

Pre-Run: 45,976,805,376 bytes free
Post-Run: 45,941,157,888 bytes free

- - End Of File - - F64F02823161E4112D2148B16495BC32


Also deleted strange registry key. I do not know anyone with XP and my two laptops are both Vista.

Awaiting further instruction, thank you again.

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:31 AM

Posted 03 December 2009 - 05:38 AM

So we try to find a clean copy on your computer. It is not that all the copies are patched, but with this particular rootkit it would have been easier to replace it with a copy from another computer.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    atapi.sy*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#13 XxJxX1337

XxJxX1337
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:12:31 AM

Posted 03 December 2009 - 05:53 AM

Hello, sir.

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 03:51 on 03/12/2009 by Joe (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sy*"
C:\cmdcons\ATAPI.SY_ --a--- 49558 bytes [05:59 04/08/2004] [05:59 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\I386\ATAPI.SY_ --a--c 50028 bytes [12:00 14/04/2008] [12:00 14/04/2008] C32657CE5311711A42CD6ECBC728FB0B
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [09:13 02/12/2009] [12:00 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [12:00 14/04/2008] [12:00 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

-=End Of File=-

Awaiting your assistance, thank you.

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:31 AM

Posted 03 December 2009 - 08:54 AM

Hi,

Please go to Start =>Run and copy/paste the following line in the run box and click OK.

cmd /c expand C:\I386\ATAPI.SY_ c:\atapi.sys&dir c:\atapi.sys >log.txt&start log.txt

A log file opens. Please post the content to your reply.

#15 XxJxX1337

XxJxX1337
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:12:31 AM

Posted 05 December 2009 - 02:54 AM

Hello, sir.

Volume in drive C is OS
Volume Serial Number is 240D-D91A

Directory of c:\

04/14/2008 00:10 96,512 atapi.sys
1 File(s) 96,512 bytes
0 Dir(s) 45,973,995,520 bytes free


Thank you again, awaiting instruction.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users