
Infected with Vundo, Selace & Malagent


This topic is locked
20 replies to this topic

#1 VolleyFreak

  • Members
  • 9 posts

Posted 13 December 2009 - 04:41 PM

The family computer has been acting suspicious lately. Attempted to diagnose and clean problems with SUPERAntiSpyware, Malwarebytes' Anti-Malware & Microsoft Security Essentials. Full scans by each found & allegedly corrected many problems; however, subsequent scans after restarting the computer continue to find problems. The last repetitive MSE scan found & supposedly removed the following:
Worm:Win32/Vundo.B
Trojan:Java/Selace.A
Trojan:Win32/Malagent
Exploit:Java/CVE-2008-5353.B
Trojan:Java/Selace.B
Trojan:Win32/Vundo.gen!G
Trojan:Win32/FakeSpyguard
Trojan:Win32/Vundo.MD

I'm assuming a virus is regenerating itself on start-up. I'm hoping you can help me bring this machine back to full health and then outline the steps to keep it safe & secure in the future.

Another issue I should mention. I planned on using some of the anti-malware software in Safe Mode. Seemed like the thing to do when consulting other advice on dealing with infections. When booting up, I get to the screen where I select Safe Mode, but when I hit Enter it reboots the system again. Bottom line is that I can't get it into Safe Mode. I can only get the computer to come up when starting Windows normally. Another symptom of my computer's ills?



DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 15:41:23.12 on Sun 12/13/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.112 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.rr.com/
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
Trusted Zone: excite.com\www
Trusted Zone: rr.com\activation
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://activation.rr.com/install/download/tgctlcm.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {64D01C7F-810D-446E-A07E-365764235644} - hxxp://kraisoft.com/files/realone/atomaders.cab
DPF: {6F714D46-E4EF-11D4-93EF-00D0D7032099} - hxxp://www.christianrock2.net/amp3dj.cab
DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - hxxp://mediaplayer.walmart.com/installer/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - hxxp://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: ackpbsc - c:\windows\system32\ackpbsc.dll
Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll
AppInit_DLLs: c:\windows\system32\sumonibe.dll c:\windows\system32\wezewugi.dll c:\windows\system32\jokilake.dll c:\windows\system32\fokivilo.dll c:\windows\system32\buhedina.dll c:\windows\system32\bupudofa.dll c:\windows\system32\kemuboti.dll c:\windows\system32\fekabota.dll c:\windows\system32\lolanayo.dll c:\windows\system32\gitadumi.dll c:\windows\system32\kilatape.dll,luruwono.dll
SSODL: wunusabew - {0a219e12-5f0e-4bae-8d94-9e096a5f1ceb} - No File
SSODL: nideloyop - {fb1bd32b-5782-4d31-81c9-a3f8b0abdeb1} - No File
SSODL: rufudasaf - {0364757b-39f0-4562-ba1a-49cf60b9e5c7} - No File
STS: {0a219e12-5f0e-4bae-8d94-9e096a5f1ceb} - No File
STS: {fb1bd32b-5782-4d31-81c9-a3f8b0abdeb1} - No File
STS: {0364757b-39f0-4562-ba1a-49cf60b9e5c7} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli zotemiso.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\pjr79dpq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.rr.com/flash/index.cfm
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast -
============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R3 atifglrx;atifglrx;c:\windows\system32\drivers\fglrxm.sys [2002-11-11 417029]
S1 mnbseyzl;mnbseyzl;\??\c:\windows\system32\drivers\mnbseyzl.sys --> c:\windows\system32\drivers\mnbseyzl.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
S3 SCR131C;SCRx31 Serial Smart Card Reader;c:\windows\system32\drivers\SCR131C.sys [2002-11-7 181875]
S3 SCR33X USB Smart Card Reader;SCR33X USB Smart Card Reader;c:\windows\system32\drivers\SCR33X2K.sys [2004-4-6 64088]
S4 accoca;ActivClient Middleware Service;c:\program files\actividentity\activclient\accoca.exe [2007-5-3 182576]
S4 FGLRXUtil;FGLRXUTIL;c:\windows\system32\frxhser.exe [2002-11-11 53248]
S4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-1-23 92296]

=============== Created Last 30 ================

2009-12-02 05:47:27 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-12-01 19:02:13 8192 --sha-w- c:\windows\Thumbs.db
2009-12-01 19:01:52 5632 --sha-w- c:\documents and settings\administrator\Thumbs.db
2009-11-30 20:38:39 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-11-30 20:38:39 215920 ----a-w- c:\windows\system32\muweb.dll
2009-11-30 20:38:39 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2009-11-29 01:01:44 0 d-----w- c:\program files\Defraggler
2009-11-29 00:47:04 0 d-----w- c:\program files\Foxit Software
2009-11-29 00:47:04 0 d-----w- c:\docume~1\admini~1\applic~1\Foxit
2009-11-29 00:45:09 0 d-----w- c:\program files\VS Revo Group
2009-11-28 23:36:02 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-28 23:33:41 0 d-----w- c:\program files\Microsoft Security Essentials
2009-11-28 23:28:07 0 d-----w- c:\program files\CCleaner
2009-11-28 20:59:06 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-11-28 20:58:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-28 20:58:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-28 20:58:58 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-28 20:58:57 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-28 20:12:38 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-11-28 20:12:21 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-28 20:12:21 0 d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2009-11-28 20:11:32 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-11-28 18:41:27 266360 ----a-w- c:\windows\system32\TweakUI.exe
2009-11-28 18:41:27 160217 ----a-w- c:\windows\system32\PowerToysLicense.rtf

==================== Find3M ====================

2009-12-13 20:28:03 5632 -csha-w- c:\program files\Thumbs.db
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-09-29 18:07:01 34224 ---ha-w- c:\windows\system32\mlfcache.dat
2008-09-14 15:59:25 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091420080915\index.dat

============= FINISH: 15:42:35.23 ===============

Attached Files
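A small triage script for the "Pseudo HJT Report" and "SERVICES / DRIVERS" lines in the DDS log above, added here as an example (it is not part of the original post and not part of the DDS tool). It flags the persistence entries visible in this log: AppInit_DLLs loads, SSODL/STS registrations with no backing file, a non-default LSA notification package, and a driver whose file DDS could not read ([?]); the consonant-vowel "generated name" heuristic is my own assumption, not a DDS rule.

```python
"""Triage DDS-style report lines for the persistence entries seen in this thread.
Added example; not code from the original post or from the DDS tool."""
import re
from dataclasses import dataclass
from typing import List

# Lines copied from the DDS log posted above (a constructed subset of that report).
SAMPLE_LOG = r"""
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\windows\system32\sumonibe.dll c:\windows\system32\wezewugi.dll c:\windows\system32\jokilake.dll c:\windows\system32\fokivilo.dll c:\windows\system32\buhedina.dll c:\windows\system32\bupudofa.dll c:\windows\system32\kemuboti.dll c:\windows\system32\fekabota.dll c:\windows\system32\lolanayo.dll c:\windows\system32\gitadumi.dll c:\windows\system32\kilatape.dll,luruwono.dll
SSODL: wunusabew - {0a219e12-5f0e-4bae-8d94-9e096a5f1ceb} - No File
STS: {0a219e12-5f0e-4bae-8d94-9e096a5f1ceb} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli zotemiso.dll
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
S1 mnbseyzl;mnbseyzl;\??\c:\windows\system32\drivers\mnbseyzl.sys --> c:\windows\system32\drivers\mnbseyzl.sys [?]
"""

VOWELS = set("aeiou")
LSA_DEFAULT = {"scecli"}  # the only notification package present on a stock XP install

# DDS service/driver line: "<state> <name>;<display name>;<path> [<date size> | ?]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*) \[(?P<info>[^\]]*)\]$"
)


@dataclass(frozen=True)
class Finding:
    category: str
    item: str
    reason: str


def looks_random(name: str) -> bool:
    """Assumed heuristic: 7-9 lowercase letters strictly alternating consonant/vowel,
    the shape of the file names listed under AppInit_DLLs in this thread's log."""
    if not (7 <= len(name) <= 9) or not name.isalpha() or not name.islower():
        return False
    return all((c in VOWELS) != (name[i + 1] in VOWELS) for i, c in enumerate(name[:-1]))


def stem(path: str) -> str:
    """File name without directory or extension, lower-cased."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0].lower()


def triage(dds_text: str) -> List[Finding]:
    """Return the suspicious persistence entries found in a DDS report excerpt."""
    findings: List[Finding] = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            if svc.group("info") == "?":
                findings.append(Finding("driver", svc.group("name"),
                                        "driver file missing or unreadable ([?])"))
            elif looks_random(svc.group("name")):
                findings.append(Finding("driver", svc.group("name"),
                                        "generated-looking service name"))
            continue
        key, sep, value = line.partition(": ")
        if not sep:
            continue
        if key == "AppInit_DLLs":
            # Every DLL named here is loaded into each user-mode process at start.
            for dll in re.split(r"[\s,]+", value.strip()):
                if dll:
                    reason = "DLL loaded into every user-mode process (AppInit_DLLs)"
                    if looks_random(stem(dll)):
                        reason += " (generated-looking name)"
                    findings.append(Finding("AppInit_DLLs", dll, reason))
        elif key in ("SSODL", "STS") and value.endswith("- No File"):
            findings.append(Finding(key, value.split(" - ")[0],
                                    "shell component registered with no backing file"))
        elif key == "LSA" and value.startswith("Notification Packages = "):
            for pkg in value.split("= ", 1)[1].split():
                if pkg.lower() not in LSA_DEFAULT:
                    findings.append(Finding("LSA", pkg,
                                            "non-default LSA notification package"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:13} {f.item:48} {f.reason}")
```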




#2 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 24 December 2009 - 09:51 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay of response.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, steps #6 and #7, for further instructions on downloading and running DDS & RootRepeal. If you have any problems just let me know in your next reply or simply post a HijackThis log.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 29 December 2009 - 09:50 AM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy

#4 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 29 December 2009 - 02:32 PM

Hello.

Re-opened upon user's request.

~Extremeboy

#5 VolleyFreak

  • Topic Starter
  • Members
  • 9 posts

Posted 30 December 2009 - 07:22 AM

EB,


Sorry I didn't respond to your initial reply. Got bogged down with the holidays. I haven't really done anything to change the issues I had in my original post. Recent quick scans with Microsoft Security Essentials, Super Anti-Spyware and Malwarebytes have come back clean. Have not tried to start the computer in safe mode since my original post. Our bank shut down our access to our online banking just before Christmas because it detected a virus on our computer. We can't restart our online banking account until that is resolved. That's the latest update.

I've just run DDS & RootRepeal scans. See results below.

I'd really appreciate your help. Thanks.

VolleyFreak


DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 11:36:28.31 on Tue 12/29/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.167 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Panda USB Vaccine\USBVaccine.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.rr.com/
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: excite.com\www
Trusted Zone: rr.com\activation
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://activation.rr.com/install/download/tgctlcm.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {64D01C7F-810D-446E-A07E-365764235644} - hxxp://kraisoft.com/files/realone/atomaders.cab
DPF: {6F714D46-E4EF-11D4-93EF-00D0D7032099} - hxxp://www.christianrock2.net/amp3dj.cab
DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - hxxp://mediaplayer.walmart.com/installer/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - hxxp://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: ackpbsc - c:\windows\system32\ackpbsc.dll
Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll
AppInit_DLLs: c:\windows\system32\sumonibe.dll c:\windows\system32\wezewugi.dll c:\windows\system32\jokilake.dll c:\windows\system32\fokivilo.dll c:\windows\system32\buhedina.dll c:\windows\system32\bupudofa.dll c:\windows\system32\kemuboti.dll c:\windows\system32\fekabota.dll c:\windows\system32\lolanayo.dll c:\windows\system32\gitadumi.dll c:\windows\system32\kilatape.dll,luruwono.dll
SSODL: wunusabew - {0a219e12-5f0e-4bae-8d94-9e096a5f1ceb} - No File
SSODL: nideloyop - {fb1bd32b-5782-4d31-81c9-a3f8b0abdeb1} - No File
SSODL: rufudasaf - {0364757b-39f0-4562-ba1a-49cf60b9e5c7} - No File
STS: {0a219e12-5f0e-4bae-8d94-9e096a5f1ceb} - No File
STS: {fb1bd32b-5782-4d31-81c9-a3f8b0abdeb1} - No File
STS: {0364757b-39f0-4562-ba1a-49cf60b9e5c7} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli zotemiso.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\pjr79dpq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.rr.com/flash/index.cfm
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R3 atifglrx;atifglrx;c:\windows\system32\drivers\fglrxm.sys [2002-11-11 417029]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
S1 mnbseyzl;mnbseyzl;\??\c:\windows\system32\drivers\mnbseyzl.sys --> c:\windows\system32\drivers\mnbseyzl.sys [?]
S3 SCR131C;SCRx31 Serial Smart Card Reader;c:\windows\system32\drivers\SCR131C.sys [2002-11-7 181875]
S3 SCR33X USB Smart Card Reader;SCR33X USB Smart Card Reader;c:\windows\system32\drivers\SCR33X2K.sys [2004-4-6 64088]
S4 accoca;ActivClient Middleware Service;c:\program files\actividentity\activclient\accoca.exe [2007-5-3 182576]
S4 FGLRXUtil;FGLRXUTIL;c:\windows\system32\frxhser.exe [2002-11-11 53248]
S4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-1-23 92296]

=============== Created Last 30 ================

2009-12-14 19:15:14 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 00:32:04 0 d-----w- c:\docume~1\admini~1\applic~1\KeePass
2009-12-13 23:44:13 0 d-----w- c:\program files\KeePass Password Safe 2
2009-12-13 22:11:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Panda Security
2009-12-13 22:10:43 0 d-----w- c:\program files\Panda USB Vaccine
2009-12-02 05:47:27 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-12-01 19:02:13 8192 --sha-w- c:\windows\Thumbs.db
2009-12-01 19:01:52 5632 --sha-w- c:\documents and settings\administrator\Thumbs.db
2009-11-30 20:38:39 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-11-30 20:38:39 215920 ----a-w- c:\windows\system32\muweb.dll
2009-11-30 20:38:39 16736 ----a-w- c:\windows\system32\mucltui.dll.mui

==================== Find3M ====================

2009-12-13 20:28:03 5632 -csha-w- c:\program files\Thumbs.db
2009-12-03 21:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-13 22:57:16 922112 ------w- c:\windows\system32\imapi2fs.dll
2009-11-13 22:57:16 426496 ------w- c:\windows\system32\imapi2.dll
2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2008-09-14 15:59:25 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091420080915\index.dat

============= FINISH: 11:38:19.52 ===============

Attached Files



#6 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 01 January 2010 - 01:00 PM

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires the Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

#7 VolleyFreak

  • Topic Starter
  • Members
  • 9 posts

Posted 01 January 2010 - 10:02 PM

Hi EB. Happy New Year! Thanks for your assistance. Kaspersky scan results below:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, January 1, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, January 01, 2010 21:38:35
Records in database: 3400162
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
I:\

Scan statistics:
Objects scanned: 135607
Threats found: 4
Infected objects found: 22
Suspicious objects found: 60
Scan duration: 04:33:44


File name / Threat / Threats count
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\q6q2wwzs.slt\Mail\pop-server.neo.rr-3.com\Inbox Infected: Trojan-Spy.HTML.Bankfraud.em 1
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\q6q2wwzs.slt\Mail\pop-server.neo.rr-3.com\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 13
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\q6q2wwzs.slt\Mail\pop-server.neo.rr-3.com\Inbox Infected: Trojan-Spy.HTML.Chasfraud.q 4
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\q6q2wwzs.slt\Mail\pop-server.neo.rr-3.com\Sent Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\q6q2wwzs.slt\Mail\pop-server.neo.rr-4.com\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\10\1e0d858a-4b2f6666 Infected: Trojan-Downloader.Java.Agent.ab 1
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\vhc3c1g7.default\Mail\pop-server.neo.rr-4.com\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\vhc3c1g7.default\Mail\pop-server.neo.rr.com\Inbox Infected: Trojan-Spy.HTML.Bankfraud.em 1
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\vhc3c1g7.default\Mail\pop-server.neo.rr.com\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 13
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\vhc3c1g7.default\Mail\pop-server.neo.rr.com\Inbox Infected: Trojan-Spy.HTML.Chasfraud.q 4
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\vhc3c1g7.default\Mail\pop-server.neo.rr.com\Sent Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache30601.tmp Infected: Trojan-Downloader.Java.Agent.ab 1
C:\Documents and Settings\Safe User\Application Data\Mozilla\Profiles\default\q6q2wwzs.slt\Mail\pop-server.neo.rr-3.com\Inbox Infected: Trojan-Spy.HTML.Bankfraud.em 1
C:\Documents and Settings\Safe User\Application Data\Mozilla\Profiles\default\q6q2wwzs.slt\Mail\pop-server.neo.rr-3.com\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 13
C:\Documents and Settings\Safe User\Application Data\Mozilla\Profiles\default\q6q2wwzs.slt\Mail\pop-server.neo.rr-3.com\Inbox Infected: Trojan-Spy.HTML.Chasfraud.q 4
C:\Documents and Settings\Safe User\Application Data\Mozilla\Profiles\default\q6q2wwzs.slt\Mail\pop-server.neo.rr-3.com\Sent Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Safe User\Application Data\Mozilla\Profiles\default\q6q2wwzs.slt\Mail\pop-server.neo.rr-4.com\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Safe User\Application Data\Thunderbird\Profiles\vhc3c1g7.default\Mail\pop-server.neo.rr-4.com\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Safe User\Application Data\Thunderbird\Profiles\vhc3c1g7.default\Mail\pop-server.neo.rr.com\Inbox Infected: Trojan-Spy.HTML.Bankfraud.em 1
C:\Documents and Settings\Safe User\Application Data\Thunderbird\Profiles\vhc3c1g7.default\Mail\pop-server.neo.rr.com\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 13
C:\Documents and Settings\Safe User\Application Data\Thunderbird\Profiles\vhc3c1g7.default\Mail\pop-server.neo.rr.com\Inbox Infected: Trojan-Spy.HTML.Chasfraud.q 4
C:\Documents and Settings\Safe User\Application Data\Thunderbird\Profiles\vhc3c1g7.default\Mail\pop-server.neo.rr.com\Sent Suspicious: Trojan-Spy.HTML.Fraud.gen 1

Selected area has been scanned.

#8 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 02 January 2010 - 12:00 PM

We will deal with what Kaspersky detected, but please take a new DDS run for me and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 VolleyFreak

VolleyFreak
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:43 AM

Posted 02 January 2010 - 02:27 PM

Hi EB.

The only things of note are the inability to boot in safe mode (tried that again with no luck) and the bank removing our online access because of a detected virus. We've actually not used the computer much recently because of the suspected virus issues.

DDS log and attachment below. Let me know the next steps. Thanks again for your continued help.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 14:18:19.03 on Sat 01/02/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.201 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda USB Vaccine\USBVaccine.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.rr.com/
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: excite.com\www
Trusted Zone: rr.com\activation
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://activation.rr.com/install/download/tgctlcm.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {64D01C7F-810D-446E-A07E-365764235644} - hxxp://kraisoft.com/files/realone/atomaders.cab
DPF: {6F714D46-E4EF-11D4-93EF-00D0D7032099} - hxxp://www.christianrock2.net/amp3dj.cab
DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - hxxp://mediaplayer.walmart.com/installer/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - hxxp://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: ackpbsc - c:\windows\system32\ackpbsc.dll
Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll
AppInit_DLLs: c:\windows\system32\sumonibe.dll c:\windows\system32\wezewugi.dll c:\windows\system32\jokilake.dll c:\windows\system32\fokivilo.dll c:\windows\system32\buhedina.dll c:\windows\system32\bupudofa.dll c:\windows\system32\kemuboti.dll c:\windows\system32\fekabota.dll c:\windows\system32\lolanayo.dll c:\windows\system32\gitadumi.dll c:\windows\system32\kilatape.dll,luruwono.dll
SSODL: wunusabew - {0a219e12-5f0e-4bae-8d94-9e096a5f1ceb} - No File
SSODL: nideloyop - {fb1bd32b-5782-4d31-81c9-a3f8b0abdeb1} - No File
SSODL: rufudasaf - {0364757b-39f0-4562-ba1a-49cf60b9e5c7} - No File
STS: {0a219e12-5f0e-4bae-8d94-9e096a5f1ceb} - No File
STS: {fb1bd32b-5782-4d31-81c9-a3f8b0abdeb1} - No File
STS: {0364757b-39f0-4562-ba1a-49cf60b9e5c7} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli zotemiso.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\pjr79dpq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.rr.com/flash/index.cfm
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R3 atifglrx;atifglrx;c:\windows\system32\drivers\fglrxm.sys [2002-11-11 417029]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
S1 mnbseyzl;mnbseyzl;\??\c:\windows\system32\drivers\mnbseyzl.sys --> c:\windows\system32\drivers\mnbseyzl.sys [?]
S3 SCR131C;SCRx31 Serial Smart Card Reader;c:\windows\system32\drivers\SCR131C.sys [2002-11-7 181875]
S3 SCR33X USB Smart Card Reader;SCR33X USB Smart Card Reader;c:\windows\system32\drivers\SCR33X2K.sys [2004-4-6 64088]
S4 accoca;ActivClient Middleware Service;c:\program files\actividentity\activclient\accoca.exe [2007-5-3 182576]
S4 FGLRXUtil;FGLRXUTIL;c:\windows\system32\frxhser.exe [2002-11-11 53248]
S4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-1-23 92296]

=============== Created Last 30 ================

2009-12-14 19:15:14 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 00:32:04 0 d-----w- c:\docume~1\admini~1\applic~1\KeePass
2009-12-13 23:44:13 0 d-----w- c:\program files\KeePass Password Safe 2
2009-12-13 22:11:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Panda Security
2009-12-13 22:10:43 0 d-----w- c:\program files\Panda USB Vaccine

==================== Find3M ====================

2009-12-13 20:28:03 5632 -csha-w- c:\program files\Thumbs.db
2009-12-03 21:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-13 22:57:16 922112 ------w- c:\windows\system32\imapi2fs.dll
2009-11-13 22:57:16 426496 ------w- c:\windows\system32\imapi2.dll
2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2008-09-14 15:59:25 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091420080915\index.dat

============= FINISH: 14:21:16.78 ===============

Attached Files
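The DDS log above shows several loading points that Vundo-family infections typically abuse: the AppInit_DLLs value holding a run of random eight-letter DLL names, an extra LSA notification package (zotemiso.dll) next to the standard scecli, SSODL/STS entries whose file is gone, and an S1 driver (mnbseyzl) whose file DDS could not find. The following Python script is an added example, not part of DDS, ComboFix or this thread; it parses DDS-style lines (the sample lines are constructed from the log above) and flags those four categories so the suspect entries stand out for review. The known-good LSA package list and the category names are my own assumptions.

```python
"""Triage helper for DDS 'Pseudo HJT Report' lines.

Added example for this thread, not part of DDS, ComboFix or the forum's
own tooling. It scans DDS-style lines for a few persistence locations
that Vundo-family infections commonly abuse (AppInit_DLLs, LSA
notification packages, SSODL/STS entries whose file is gone, and
service/driver entries whose file cannot be found) and reports them.
"""
import re

# Assumption: the only LSA notification package on a default Windows XP
# install is scecli; anything else is worth a look.
KNOWN_LSA_PACKAGES = {"scecli"}

# Constructed sample, shortened from the DDS log posted in this thread.
SAMPLE_DDS = r"""
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
AppInit_DLLs: c:\windows\system32\sumonibe.dll c:\windows\system32\wezewugi.dll c:\windows\system32\kilatape.dll,luruwono.dll
SSODL: wunusabew - {0a219e12-5f0e-4bae-8d94-9e096a5f1ceb} - No File
STS: {0a219e12-5f0e-4bae-8d94-9e096a5f1ceb} - No File
LSA: Notification Packages = scecli zotemiso.dll
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
S1 mnbseyzl;mnbseyzl;\??\c:\windows\system32\drivers\mnbseyzl.sys --> c:\windows\system32\drivers\mnbseyzl.sys [?]
"""


def triage_dds(text):
    """Return a list of (category, detail) findings for DDS-style lines."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every process that links user32.dll,
            # so every entry deserves review. DDS separates entries with
            # spaces or commas; paths containing spaces would need smarter
            # splitting than this sample requires.
            value = line.split(":", 1)[1].strip()
            for dll in re.split(r"[ ,]+", value):
                if dll:
                    findings.append(("appinit_dll", dll))
        elif line.startswith("LSA: Notification Packages"):
            for pkg in line.split("=", 1)[1].split():
                name = pkg.lower()
                if name.endswith(".dll"):
                    name = name[:-4]
                if name not in KNOWN_LSA_PACKAGES:
                    findings.append(("lsa_package", pkg))
        elif line.startswith(("SSODL:", "STS:")) and line.endswith("No File"):
            # Shell load points whose DLL is already gone: orphaned entries
            # that the cleanup should still remove.
            findings.append(("orphan_shell_entry", line))
        elif re.match(r"^[RS]\d ", line) and line.endswith("[?]"):
            # Service or driver entry whose image file DDS could not stat.
            service_name = line.split(";")[0].split(" ", 1)[1]
            findings.append(("missing_driver_file", service_name))
    return findings


if __name__ == "__main__":
    for category, detail in triage_dds(SAMPLE_DDS):
        print(f"{category:22} {detail}")
```

Run it against a full DDS log by reading the file into `triage_dds`; anything it reports is a candidate for the helper to judge, since a legitimate product can also register an LSA package or shell extension.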



#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:43 AM

Posted 02 January 2010 - 08:04 PM

Hello.

There seems to be still a few things on your system. We will start with Combofix.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page on instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.

--
Combofix should restore your Safe Mode problem, if not we will do some diagnosing afterwards and try to resolve it.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#11 VolleyFreak

VolleyFreak
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:43 AM

Posted 02 January 2010 - 11:10 PM

Hi EB.

Feels like we're making progress! Thanks for assistance. ComboFix scan complete. Log below.


ComboFix 10-01-02.01 - Administrator 01/02/2010 22:49:49.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.265 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Safe User\Desktop\mynewcamgirlpic1.jpg
c:\documents and settings\Safe User\Desktop\mynewcamgirlpic1.jpg
c:\program files\Common Files\download
c:\windows\system32\images
c:\windows\system32\images\ati_logo.jpg
c:\windows\system32\images\hvdkman.gif
c:\windows\system32\images\hvhtkeys.gif
c:\windows\system32\images\hvselect.gif
c:\windows\system32\images\hvstdins.gif
c:\windows\system32\images\hvsytry.gif
c:\windows\system32\images\mdesk.gif
c:\windows\system32\index.html
c:\windows\system32\open.ico
c:\windows\Tasks\jpgdrfoe.job
c:\windows\Temp\0008421259432933mcinst.exe
c:\windows\Temp\0162351257992699mcinst.exe

.
((((((((((((((((((((((((( Files Created from 2009-12-03 to 2010-01-03 )))))))))))))))))))))))))))))))
.

2009-12-24 20:43 . 2010-01-01 21:21 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-23 15:48 . 2009-12-23 15:48 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-12-23 15:37 . 2009-12-23 15:37 -------- d-----w- c:\documents and settings\Safe User\Local Settings\Application Data\Google
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 01:23 . 2009-12-23 19:00 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2009-12-14 01:22 . 2009-12-14 01:22 -------- d-----w- c:\program files\Google
2009-12-14 00:49 . 2009-12-14 00:56 -------- d-----w- c:\documents and settings\Safe User\Application Data\KeePass
2009-12-14 00:32 . 2009-12-14 01:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\KeePass
2009-12-13 23:44 . 2009-12-14 00:14 -------- d-----w- c:\program files\KeePass Password Safe 2
2009-12-13 22:11 . 2009-12-13 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security
2009-12-13 22:10 . 2009-12-13 22:10 -------- d-----w- c:\program files\Panda USB Vaccine
2009-12-05 18:01 . 2009-12-05 18:03 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-02 19:33 . 2009-09-27 17:03 -------- d-----w- c:\documents and settings\Safe User\Application Data\Dropbox
2010-01-01 21:21 . 2009-11-28 20:13 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-30 21:54 . 2008-09-21 14:25 -------- d-----w- c:\documents and settings\Safe User\Application Data\OpenOffice.org2
2009-12-29 17:31 . 2008-06-23 23:43 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-12-24 20:41 . 2009-11-28 20:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-14 01:01 . 2006-01-30 00:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\OpenOffice.org2
2009-12-13 20:28 . 2008-05-31 19:16 5632 -csha-w- c:\program files\Thumbs.db
2009-12-09 02:04 . 2008-09-21 14:19 1924744 -c--a-w- c:\documents and settings\Safe User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-12-05 18:05 . 2009-11-28 20:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-03 21:14 . 2009-11-28 20:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13 . 2009-11-28 20:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-02 05:47 . 2009-12-02 05:47 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-11-29 15:53 . 2009-11-29 15:53 -------- d-----w- c:\documents and settings\Safe User\Application Data\Malwarebytes
2009-11-29 01:03 . 2009-11-28 23:28 -------- d-----w- c:\program files\CCleaner
2009-11-29 01:01 . 2009-11-29 01:01 -------- d-----w- c:\program files\Defraggler
2009-11-29 00:54 . 2004-12-24 00:46 -------- d-----w- c:\program files\ZipCentral
2009-11-29 00:50 . 2005-01-06 02:29 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-29 00:47 . 2009-11-29 00:47 -------- d-----w- c:\program files\Foxit Software
2009-11-29 00:47 . 2009-11-29 00:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Foxit
2009-11-29 00:45 . 2009-11-29 00:45 -------- d-----w- c:\program files\7-Zip
2009-11-29 00:45 . 2009-11-29 00:45 -------- d-----w- c:\program files\VS Revo Group
2009-11-28 23:33 . 2009-11-28 23:33 -------- d-----w- c:\program files\Microsoft Security Essentials
2009-11-28 23:24 . 2004-12-30 20:13 -------- d-----w- c:\program files\Yahoo!
2009-11-28 23:23 . 2008-09-13 18:23 -------- d-----w- c:\program files\Panda Security
2009-11-28 20:59 . 2009-11-28 20:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-11-28 20:58 . 2009-11-28 20:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-28 20:12 . 2009-11-28 20:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-28 20:12 . 2009-11-28 20:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-11-28 20:11 . 2009-11-28 20:11 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-28 18:27 . 2009-01-23 23:15 -------- d-----w- c:\program files\McAfee
2009-11-13 22:57 . 2009-11-13 22:57 922112 ------w- c:\windows\system32\imapi2fs.dll
2009-11-13 22:57 . 2009-11-13 22:57 426496 ------w- c:\windows\system32\imapi2.dll
2009-11-03 01:42 . 2009-11-28 23:36 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 07:45 . 2004-12-23 08:33 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-12-23 08:33 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-12-23 08:32 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-03 23:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-12-23 08:32 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-12-23 08:32 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-12-23 08:32 79872 ----a-w- c:\windows\system32\raschap.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-24 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2007-05-03 22:51 112640 ----a-w- c:\windows\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2007-05-03 22:51 281088 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ActivClient Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ActivClient Agent.lnk
backup=c:\windows\pss\ActivClient Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\accrdsub]
2007-05-03 22:51 293168 ----a-w- c:\program files\ActivIdentity\ActivClient\accrdsub.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
2004-03-12 14:22 61440 ----a-w- c:\program files\RRIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
2006-09-29 00:09 700416 ------w- c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2004-08-10 09:04 59392 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HydraVisionDesktopManager]
2002-10-30 18:20 507904 ----a-w- c:\windows\system32\Desk95.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HydraVisionViewport]
2002-10-30 18:20 503808 ----a-w- c:\windows\system32\ViewPort.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 08:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2006-09-11 08:40 218032 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 20:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
2005-07-19 22:32 221184 ----a-w- c:\windows\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]
2006-08-11 12:45 712704 ----a-w- c:\program files\Maxtor\ManagerApp\OneTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
2006-08-11 15:15 81920 ----a-w- c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ------w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-11-01 00:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2005-12-14 23:06 577536 ----a-w- c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2005-08-26 18:34 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NTService1"=2 (0x2)
"nmservice"=2 (0x2)
"nmraapache"=3 (0x3)
"MaxBackServiceInt"=3 (0x3)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"FGLRXUtil"=2 (0x2)
"McAfee SiteAdvisor Service"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"accoca"=2 (0x2)
"a2free"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\RRIM\\aim.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\netmeeting\\conf.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Sierra On-Line\\SIGSPat.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Temp\\eMule\\eMule0.48a\\emule.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Safe User\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R3 atifglrx;atifglrx;c:\windows\system32\drivers\fglrxm.sys [11/11/2002 3:53 PM 417029]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
S1 mnbseyzl;mnbseyzl;\??\c:\windows\system32\drivers\mnbseyzl.sys --> c:\windows\system32\drivers\mnbseyzl.sys [?]
S3 SCR131C;SCRx31 Serial Smart Card Reader;c:\windows\system32\drivers\SCR131C.sys [11/7/2002 3:04 AM 181875]
S3 SCR33X USB Smart Card Reader;SCR33X USB Smart Card Reader;c:\windows\system32\drivers\SCR33X2K.sys [4/6/2004 3:24 AM 64088]
S4 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [5/3/2007 5:51 PM 182576]
S4 FGLRXUtil;FGLRXUTIL;c:\windows\system32\frxhser.exe [11/11/2002 3:54 PM 53248]
S4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [1/23/2009 6:15 PM 92296]
.
Contents of the 'Scheduled Tasks' folder

2010-01-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 22:36]

2010-01-03 c:\windows\Tasks\PandaUSBVaccine.job
- c:\program files\Panda USB Vaccine\RunInteractiveWin.exe [2009-12-13 21:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.rr.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: excite.com\www
Trusted Zone: rr.com\activation
DPF: {64D01C7F-810D-446E-A07E-365764235644} - hxxp://kraisoft.com/files/realone/atomaders.cab
DPF: {6F714D46-E4EF-11D4-93EF-00D0D7032099} - hxxp://www.christianrock2.net/amp3dj.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pjr79dpq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.rr.com/flash/index.cfm
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - .
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
SharedTaskScheduler-{0a219e12-5f0e-4bae-8d94-9e096a5f1ceb} - (no file)
SharedTaskScheduler-{fb1bd32b-5782-4d31-81c9-a3f8b0abdeb1} - (no file)
SharedTaskScheduler-{0364757b-39f0-4562-ba1a-49cf60b9e5c7} - (no file)
SSODL-wunusabew-{0a219e12-5f0e-4bae-8d94-9e096a5f1ceb} - (no file)
SSODL-nideloyop-{fb1bd32b-5782-4d31-81c9-a3f8b0abdeb1} - (no file)
SSODL-rufudasaf-{0364757b-39f0-4562-ba1a-49cf60b9e5c7} - (no file)
MSConfigStartUp-nmapp - c:\program files\Pure Networks\Network Magic\nmapp.exe
MSConfigStartUp-nmctxth - c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-votusuwus - c:\windows\system32\kilatape.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-02 23:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-583907252-1957994488-839522115-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\ackpbsc.dll
c:\windows\system32\aclog.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL
c:\windows\system32\ACLIBEAY.dll
c:\windows\system32\acevtsub.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\asphatrc.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\windows\system32\aipingui.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\acunlockrc.dll

- - - - - - - > 'explorer.exe'(2544)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\System32\SCardSvr.exe
c:\program files\ActivIdentity\ActivClient\acevents.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\Panda USB Vaccine\USBVaccine.exe
.
**************************************************************************
.
Completion time: 2010-01-02 23:06:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-03 04:06

Pre-Run: 86,194,470,912 bytes free
Post-Run: 91,598,979,072 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 6BF45F531DBC246C96946FDD350BBD90

#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:43 AM

Posted 03 January 2010 - 03:20 PM

Is Safe Mode working now? Any other problems?

Kaspersky previously detected a few infected mails in your Inbox and Sent box of your Mozilla and Thunderbird profiles. I can't delete that file as that's where all your mails are stored. That doesn't distinguish which mails are bad so you will need to manually remove and empty out some of your mails. Be careful with mails that are from unknown senders and have attachments.

~EB
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

#13 VolleyFreak

VolleyFreak
  • Topic Starter

  • Members
  • 9 posts
  • Local time:02:43 AM

Posted 04 January 2010 - 11:23 AM

EB,

I'll check the Safe Mode function this evening and let you know. Cleaning out the emails will take a couple days.

So can you give me an overall diagnosis? Was my infestation too bad? Email the primary mode of infection?

JP

#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:03:43 AM

Posted 04 January 2010 - 04:22 PM

Can't exactly specify where you got your infection from originally but overall I wouldn't say it's a severe and dangerous infection. Overall, I would say it was not severely infected or lightly infected. Let's remove this "dead" driver and get a new set of logs and see how things are going on your side.

Download and Run OTM
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the OTM icon on your desktop. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Paste the following code under the Paste Instructions for Items to be Moved area. Do not include the word "Code".
    :services
    mnbseyzl
    :files
    c:\windows\system32\drivers\mnbseyzl.sys
    :commands
    [EmptyTemp]
    [Reboot]
  • Click the large MoveIt! button.
  • If OTM requires a reboot, please allow it to do so.
  • Copy/Paste the contents under the Results line here in your next reply.
Note: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
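As an added example that is not part of the thread and is not OTM's own code: a PowerShell script that lists driver services whose registered file no longer exists on disk, assuming (as is common in these logs) that a "dead" driver means the service entry survives in the registry while its .sys file is gone, exactly the situation the mnbseyzl entry above is in. It assumes an elevated PowerShell 2.0 or later session.

```powershell
# Added example, not from the thread: enumerate driver services whose ImagePath
# no longer resolves to a file on disk. The leftover "mnbseyzl" service with a
# missing c:\windows\system32\drivers\mnbseyzl.sys is this pattern; an orphaned
# entry is a lead to investigate, not proof of infection by itself.
# Assumes an elevated PowerShell 2.0+ session (Windows XP and later).
function Get-OrphanedDriverService {
    $sysRoot = $env:SystemRoot
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        # Type 1 = kernel driver, 2 = file-system driver; user-mode services are skipped
        if ($p -eq $null -or ($p.Type -ne 1 -and $p.Type -ne 2)) { return }
        if (-not $p.ImagePath) { return }   # no explicit path recorded, nothing to test

        # Normalise the NT-style forms found in the registry into a Win32 path
        $path = $p.ImagePath.Trim('"')
        $path = $path -replace '^\\\?\?\\', ''                     # \??\C:\...
        $path = $path -replace '^\\SystemRoot\\', "$sysRoot\"     # \SystemRoot\system32\...
        if ($path -notmatch '^[A-Za-z]:\\') {                      # system32\drivers\x.sys
            $path = Join-Path $sysRoot $path
        }

        if (-not (Test-Path -LiteralPath $path)) {
            New-Object PSObject -Property @{
                Service   = $_.PSChildName
                ImagePath = $p.ImagePath
                Resolved  = $path
                Start     = $p.Start    # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
            }
        }
    }
}

# Report orphaned entries; the service named in the OTM script should appear
# here before the cleanup and be absent afterwards.
Get-OrphanedDriverService | Sort-Object Service | Format-Table Service, Start, ImagePath -AutoSize
```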

#15 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:03:43 AM

Posted 09 January 2010 - 01:22 PM

Are you still there?