
vundo trojan variant


  • This topic is locked
11 replies to this topic

#1 Brandeylaptop

Brandeylaptop

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:12 PM

Posted 25 December 2009 - 10:14 AM

Boopme was helping in this thread here http://www.bleepingcomputer.com/forums/top...ml#entry1550324

He then referred me to this section.

DDS log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Admin at 9:54:25.65 on Fri 12/25/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1490 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\PSIService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = google.com
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: {348FE907-249E-4C65-A838-F34A193FE1D1} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [PtiuPbmd] "c:\windows\system32\Rundll32.exe" ptipbm.dll,SetWriteBack
mRun: [CHotkey] "c:\windows\mHotkey.exe"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SynTPLpr] "c:\program files\synaptics\syntp\SynTPLpr.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [HPHUPD05] c:\program files\hewlett-packard\\{5372b9a6-6e51-4f90-9b40-e0a3b8475c4e}\hphupd05.exe
mRun: [HPHmon05] "c:\windows\system32\hphmon05.exe"
mRun: [HPDJ Taskbar Utility] "c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5841/mcfscan.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: nnnmnoND - nnnmnoND.dll
Notify: WB - c:\program files\alienguise\fastload.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 91.212.127.227 awareremover2009.microsoft.com
Hosts: 91.212.127.227 awareremover2009.com
Hosts: 91.212.127.227 www.awareremover2009.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\e69t8qag.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-10 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-10 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-10 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-12-16 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-12-16 74480]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-9-10 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-10 297752]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-12-16 7408]
R3 Slazldrv;SmartLink AMR_PCI Driver;c:\windows\system32\drivers\sldrv\slazldrv.sys [2005-5-5 230448]
S2 EPICDBEngine50;EPICenter 5.0 Database Engine;c:\program files\extreme networks\epicenter 5.0\database\dbsrv9.exe -hvepicdbengine50 --> c:\program files\extreme networks\epicenter 5.0\database\dbsrv9.exe -hvEPICDBEngine50 [?]
S2 EPICServer50;EPICenter 5.0 Server;c:\program files\extreme networks\epicenter 5.0\tomcat\bin\eservice.exe --> c:\program files\extreme networks\epicenter 5.0\tomcat\bin\eservice.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-2 135664]

=============== Created Last 30 ================

2009-12-24 17:17:55 0 d-----w- c:\program files\mIRC
2009-12-24 17:17:55 0 d-----w- c:\docume~1\admin\applic~1\mIRC
2009-12-24 00:18:25 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-12-24 00:18:23 0 d-----w- c:\windows\Logs
2009-12-23 23:26:02 0 d-----w- c:\program files\CCP
2009-12-23 23:26:02 0 d-----w- c:\docume~1\alluse~1\applic~1\CCP
2009-12-23 22:12:25 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-23 22:12:08 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-23 22:12:08 0 d-----w- c:\docume~1\admin\applic~1\SUPERAntiSpyware.com
2009-12-23 22:11:47 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-12-23 21:50:06 0 d-----w- c:\docume~1\admin\applic~1\Malwarebytes
2009-12-23 21:50:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-23 21:50:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-23 21:50:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-23 21:50:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-23 20:40:22 156672 ----a-w- c:\windows\system32\RTLCPAPI.dll
2009-12-23 19:41:37 0 d-----w- c:\windows\McAfee.com
2009-12-23 19:20:14 38 ----a-w- C:\BdUninstallTool2009.12.23-02.20.14.reg
2009-12-23 19:06:24 0 dc-h--w- c:\windows\ie8
2009-12-23 18:57:50 24861 ----a-w- C:\BdUninstallTool2009.12.23-01.57.50.reg
2009-12-07 03:40:46 8 --sh--r- c:\windows\system32\4A21D00F43.sys

==================== Find3M ====================

2009-12-07 03:40:47 4128 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2007-10-28 22:09:27 88 --sh--r- c:\windows\system32\5B9093BA55.sys

============= FINISH: 9:54:55.29 ===============


RootRepeal gave an error on start up

"Error - invalid PE image found!" x2

Program seemed to run with no problems afterwards. Might be super or avg protection script?

Attach zip included.

Mbytes and Super aren't detecting anything after the initial sweeps. When I start a program AVG flags the process as a trojan.

c:\WINDOWS\system32\winlogon.exe trojan horse PSW.Generic7.AUBW object is white listed

Merry Christmas :(


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:07:12 AM

Posted 26 December 2009 - 01:14 AM

Visit the website below. Understand how to use ComboFix >> download and run the program >> post the log here :(

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Brandeylaptop

Brandeylaptop
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:12 PM

Posted 26 December 2009 - 04:18 PM

ComboFix 09-12-26.01 - Admin 12/26/2009 15:55:54.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1479 [GMT -5:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\mcroso~1.net
c:\program files\racle~1
c:\recycler\S-1-5-21-57989841-1390067357-682003330-500
c:\windows\sembly~1
c:\windows\system32\bmtqmxxd.ini
c:\windows\system32\htdxsctp.ini
c:\windows\system32\icroso~1
c:\windows\system32\iwkbnohg.ini
c:\windows\system32\jrseefjo.ini
c:\windows\system32\lketvtkq.ini
c:\windows\system32\mtossvtb.ini
c:\windows\system32\myujjupa.ini
c:\windows\system32\qckphmxg.ini
c:\windows\system32\tkyaytqj.ini
c:\windows\system32\xdejbytt.ini

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

.
((((((((((((((((((((((((( Files Created from 2009-11-26 to 2009-12-26 )))))))))))))))))))))))))))))))
.

2009-12-25 14:55 . 2009-12-25 14:55 0 ----a-w- c:\documents and settings\Admin\settings.dat
2009-12-24 17:17 . 2009-12-25 23:00 -------- d-----w- c:\documents and settings\Admin\Application Data\mIRC
2009-12-24 17:17 . 2009-12-25 15:22 -------- d-----w- c:\program files\mIRC
2009-12-24 14:30 . 2009-12-24 14:30 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\CCP
2009-12-24 00:18 . 2009-03-09 20:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-12-24 00:18 . 2009-12-24 00:18 -------- d-----w- c:\windows\Logs
2009-12-23 23:26 . 2009-12-23 23:26 -------- d-----w- c:\program files\CCP
2009-12-23 23:26 . 2009-12-23 23:26 -------- d-----w- c:\documents and settings\All Users\Application Data\CCP
2009-12-23 22:12 . 2009-12-23 22:12 52224 ----a-w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-23 22:12 . 2009-12-23 22:12 117760 ----a-w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-23 22:12 . 2009-12-23 22:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-23 22:12 . 2009-12-23 22:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-23 22:12 . 2009-12-23 22:12 -------- d-----w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com
2009-12-23 22:11 . 2009-12-23 22:11 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-23 21:50 . 2009-12-23 21:50 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2009-12-23 21:50 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-23 21:50 . 2009-12-23 21:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-23 21:50 . 2009-12-23 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-23 21:50 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-23 20:40 . 2005-04-29 07:58 156672 ----a-w- c:\windows\system32\RTLCPAPI.dll
2009-12-23 19:41 . 2009-12-23 19:41 -------- d-----w- c:\windows\McAfee.com
2009-12-23 19:20 . 2009-12-23 19:21 38 ----a-w- C:\BdUninstallTool2009.12.23-02.20.14.reg
2009-12-23 19:06 . 2009-12-23 19:06 -------- dc-h--w- c:\windows\ie8
2009-12-23 18:57 . 2009-12-23 18:59 24861 ----a-w- C:\BdUninstallTool2009.12.23-01.57.50.reg
2009-12-23 18:22 . 2009-12-02 21:16 2063640 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-12-23 18:22 . 2009-12-02 21:16 3514648 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-12-23 18:22 . 2009-12-02 21:16 2029336 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-12-23 18:19 . 2009-12-23 18:20 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2009-12-07 03:40 . 2009-12-07 03:40 8 --sh--r- c:\windows\system32\4A21D00F43.sys
2009-12-06 08:29 . 2009-12-06 08:29 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Mozilla
2009-12-06 08:28 . 2009-12-06 15:17 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Google
2009-12-03 04:36 . 2009-12-03 04:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-26 20:44 . 2009-09-10 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-12-07 03:40 . 2007-06-29 22:21 4128 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-12-03 04:33 . 2006-10-15 21:49 -------- d-----w- c:\program files\Google
2009-11-11 14:35 . 2009-11-11 14:34 -------- d-----w- c:\documents and settings\Admin\Application Data\Gtek
2009-11-11 13:46 . 2009-09-10 19:54 -------- d-----w- c:\documents and settings\NOVA\Application Data\Spyware Terminator
2009-11-07 16:40 . 2007-06-30 16:46 -------- d-----w- c:\documents and settings\NOVA\Application Data\Corel
2009-11-03 01:42 . 2009-10-03 11:27 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-30 13:51 . 2006-11-16 23:59 -------- d--h--r- c:\documents and settings\NOVA\Application Data\yahoo!
2009-10-29 07:45 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2007-10-28 22:09 . 2007-06-29 22:21 88 --sh--r- c:\windows\system32\5B9093BA55.sys
.

------- Sigcheck -------

[-] 2008-10-17 . 63999D0ABD8DABFD76A9C07F6E104868 . 295424 . . [5.1.2600.5512] . . c:\windows\system32\termsrv.dll
[7] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\termsrv.dll
[7] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll
[7] 2004-08-04 . B60C877D16D9C880B952FDA04ADF16E6 . 295424 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-03 389120]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-16 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PtiuPbmd"="ptipbm.dll" [2005-05-05 24576]
"CHotkey"="c:\windows\mHotkey.exe" [2001-12-26 472576]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-08 344064]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-05-06 102490]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-05-06 708698]
"HPHUPD05"="c:\program files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2005-07-08 49152]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2005-07-08 491520]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-08 176128]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-23 2043160]
"SoundMan"="SOUNDMAN.EXE" [2005-04-29 77824]
"AlcWzrd"="ALCWZRD.EXE" [2005-04-29 2748928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-10 18:57 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 06:34 24576 ----a-w- c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe"
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/10/2009 1:57 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/10/2009 1:57 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/16/2009 4:26 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/16/2009 4:26 PM 74480]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/10/2009 1:57 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/10/2009 1:57 PM 297752]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/16/2009 4:27 PM 7408]
R3 Slazldrv;SmartLink AMR_PCI Driver;c:\windows\system32\drivers\SLDRV\slazldrv.sys [5/5/2005 8:33 PM 230448]
S2 EPICDBEngine50;EPICenter 5.0 Database Engine;c:\program files\Extreme Networks\EPICenter 5.0\database\dbsrv9.exe -hvEPICDBEngine50 --> c:\program files\Extreme Networks\EPICenter 5.0\database\dbsrv9.exe -hvEPICDBEngine50 [?]
S2 EPICServer50;EPICenter 5.0 Server;c:\program files\Extreme Networks\EPICenter 5.0\tomcat\bin\eservice.exe --> c:\program files\Extreme Networks\EPICenter 5.0\tomcat\bin\eservice.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/2/2009 11:31 PM 135664]
.
------- Supplementary Scan -------
.
uStart Page = google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\e69t8qag.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
Notify-nnnmnoND - nnnmnoND.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-26 16:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\AlienGUIse\fastload.dll

- - - - - - - > 'explorer.exe'(3640)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\windows\system32\crypserv.exe
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\windows\system32\PSIService.exe
c:\windows\system32\slserv.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\HPZipm12.exe
.
**************************************************************************
.
Completion time: 2009-12-26 16:13:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-26 21:13

Pre-Run: 43,430,371,328 bytes free
Post-Run: 43,380,486,144 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=OptIn /fastdetect

- - End Of File - - 65CE0BA4B43FE924A6F18717BFE5B540

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:07:12 AM

Posted 26 December 2009 - 05:47 PM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

FCopy::
c:\windows\ServicePackFiles\i386\termsrv.dll | c:\windows\system32\termsrv.dll

SkipFix::

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe/KittyFix.exe as depicted in the animation below. This will start ComboFix/KittyFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.



Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.




Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
How's the computer now? :(

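The FCopy:: line in the script above is driven by the Sigcheck block of the ComboFix log: the live c:\windows\system32\termsrv.dll carries the same version string as the ServicePackFiles copy but a different MD5, which is the [-] mismatch ComboFix flags. The following is an added example (not code from the thread, from DDS, or from ComboFix) that parses those Sigcheck lines and the DDS "Hosts:" lines to surface the same two findings; the sample lines are constructed from the logs posted above, and the line formats are assumed from them.

```python
"""Triage helpers for the Sigcheck and Hosts sections of DDS/ComboFix logs.

Added example; not code from the thread or from the DDS/ComboFix tools.
Line formats are assumed from the logs posted above; sample lines are
constructed from them.
"""
import re
from collections import defaultdict

# ComboFix Sigcheck line, as seen in the log above:
# "[flag] date . MD5 . size . . [version] . . path"
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})"
    r"\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<ver>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)
# DDS pseudo-HJT line: "Hosts: <ip> <hostname>"
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)\s*$")

# Hosts entries pointing anywhere else are worth a look.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample: the Sigcheck block from the ComboFix log above.
SAMPLE_SIGCHECK = r"""
[-] 2008-10-17 . 63999D0ABD8DABFD76A9C07F6E104868 . 295424 . . [5.1.2600.5512] . . c:\windows\system32\termsrv.dll
[7] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\termsrv.dll
[7] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll
[7] 2004-08-04 . B60C877D16D9C880B952FDA04ADF16E6 . 295424 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\termsrv.dll
""".strip().splitlines()

# Constructed sample: one Hosts line from the DDS log above plus a benign one.
SAMPLE_HOSTS = [
    "Hosts: 91.212.127.227 awareremover2009.microsoft.com",
    "Hosts: 127.0.0.1 localhost",
]


def parse_sigcheck(lines):
    """Parse Sigcheck lines into dicts; non-matching lines are skipped."""
    rows = []
    for line in lines:
        m = SIGCHECK_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            rows.append(d)
    return rows


def find_tampered(rows):
    """Map basename -> {"suspect": row, "restore_from": path} for every [-]
    entry whose MD5 differs from a reference copy of the *same* version.
    A ServicePackFiles copy is preferred as the restore source, matching
    what the helper chose in the thread."""
    by_name = defaultdict(list)
    for r in rows:
        by_name[r["path"].rsplit("\\", 1)[-1].lower()].append(r)
    result = {}
    for name, entries in by_name.items():
        suspects = [e for e in entries if e["flag"] == "-"]
        refs = [e for e in entries if e["flag"] != "-"]
        for s in suspects:
            same_ver = [r for r in refs if r["ver"] == s["ver"] and r["md5"] != s["md5"]]
            if not same_ver:
                continue  # no same-version reference to compare against
            same_ver.sort(key=lambda r: "servicepackfiles" not in r["path"].lower())
            result[name] = {"suspect": s, "restore_from": same_ver[0]["path"]}
    return result


def suspicious_hosts(lines):
    """Return (hostname, ip) for Hosts entries that do not resolve to loopback."""
    out = []
    for line in lines:
        m = HOSTS_RE.match(line.strip())
        if m and m.group("ip") not in LOOPBACK:
            out.append((m.group("host"), m.group("ip")))
    return out


def cfscript_fcopy(tampered):
    """Render FCopy:: directives in the "source | destination" form used above."""
    body = ["FCopy::"]
    for info in tampered.values():
        body.append(f"{info['restore_from']} | {info['suspect']['path']}")
    return "\n".join(body)


if __name__ == "__main__":
    tampered = find_tampered(parse_sigcheck(SAMPLE_SIGCHECK))
    for name, info in tampered.items():
        print(f"{name}: live MD5 {info['suspect']['md5']} differs; restore from {info['restore_from']}")
    for host, ip in suspicious_hosts(SAMPLE_HOSTS):
        print(f"Hosts redirect: {host} -> {ip}")
    print(cfscript_fcopy(tampered))
```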


#5 Brandeylaptop

Brandeylaptop
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:12 PM

Posted 26 December 2009 - 07:25 PM

ComboFix 09-12-26.01 - Admin 12/26/2009 18:52:27.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1426 [GMT -5:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\termsrv.dll --> c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((( Files Created from 2009-11-27 to 2009-12-27 )))))))))))))))))))))))))))))))
.

2009-12-25 14:55 . 2009-12-25 14:55 0 ----a-w- c:\documents and settings\Admin\settings.dat
2009-12-24 17:17 . 2009-12-25 23:00 -------- d-----w- c:\documents and settings\Admin\Application Data\mIRC
2009-12-24 17:17 . 2009-12-25 15:22 -------- d-----w- c:\program files\mIRC
2009-12-24 14:30 . 2009-12-24 14:30 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\CCP
2009-12-24 00:18 . 2009-03-09 20:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-12-24 00:18 . 2009-12-24 00:18 -------- d-----w- c:\windows\Logs
2009-12-23 23:26 . 2009-12-23 23:26 -------- d-----w- c:\program files\CCP
2009-12-23 23:26 . 2009-12-23 23:26 -------- d-----w- c:\documents and settings\All Users\Application Data\CCP
2009-12-23 22:12 . 2009-12-23 22:12 52224 ----a-w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-23 22:12 . 2009-12-23 22:12 117760 ----a-w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-23 22:12 . 2009-12-23 22:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-23 22:12 . 2009-12-23 22:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-23 22:12 . 2009-12-23 22:12 -------- d-----w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com
2009-12-23 22:11 . 2009-12-23 22:11 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-23 21:50 . 2009-12-23 21:50 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2009-12-23 21:50 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-23 21:50 . 2009-12-23 21:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-23 21:50 . 2009-12-23 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-23 21:50 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-23 20:40 . 2005-04-29 07:58 156672 ----a-w- c:\windows\system32\RTLCPAPI.dll
2009-12-23 19:41 . 2009-12-23 19:41 -------- d-----w- c:\windows\McAfee.com
2009-12-23 19:20 . 2009-12-23 19:21 38 ----a-w- C:\BdUninstallTool2009.12.23-02.20.14.reg
2009-12-23 19:06 . 2009-12-23 19:06 -------- dc-h--w- c:\windows\ie8
2009-12-23 18:57 . 2009-12-23 18:59 24861 ----a-w- C:\BdUninstallTool2009.12.23-01.57.50.reg
2009-12-23 18:22 . 2009-12-02 21:16 2063640 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-12-23 18:22 . 2009-12-02 21:16 3514648 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-12-23 18:22 . 2009-12-02 21:16 2029336 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-12-23 18:19 . 2009-12-23 18:20 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2009-12-07 03:40 . 2009-12-07 03:40 8 --sh--r- c:\windows\system32\4A21D00F43.sys
2009-12-06 08:29 . 2009-12-06 08:29 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Mozilla
2009-12-06 08:28 . 2009-12-06 15:17 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Google
2009-12-03 04:36 . 2009-12-03 04:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-26 20:44 . 2009-09-10 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-12-07 03:40 . 2007-06-29 22:21 4128 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-12-03 04:33 . 2006-10-15 21:49 -------- d-----w- c:\program files\Google
2009-11-11 14:35 . 2009-11-11 14:34 -------- d-----w- c:\documents and settings\Admin\Application Data\Gtek
2009-11-11 13:46 . 2009-09-10 19:54 -------- d-----w- c:\documents and settings\NOVA\Application Data\Spyware Terminator
2009-11-07 16:40 . 2007-06-30 16:46 -------- d-----w- c:\documents and settings\NOVA\Application Data\Corel
2009-11-03 01:42 . 2009-10-03 11:27 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-30 13:51 . 2006-11-16 23:59 -------- d--h--r- c:\documents and settings\NOVA\Application Data\yahoo!
2009-10-29 07:45 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2007-10-28 22:09 . 2007-06-29 22:21 88 --sh--r- c:\windows\system32\5B9093BA55.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-03 389120]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-16 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PtiuPbmd"="ptipbm.dll" [2005-05-05 24576]
"CHotkey"="c:\windows\mHotkey.exe" [2001-12-26 472576]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-08 344064]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-05-06 102490]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-05-06 708698]
"HPHUPD05"="c:\program files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2005-07-08 49152]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2005-07-08 491520]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-08 176128]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-23 2043160]
"SoundMan"="SOUNDMAN.EXE" [2005-04-29 77824]
"AlcWzrd"="ALCWZRD.EXE" [2005-04-29 2748928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-10 18:57 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 06:34 24576 ----a-w- c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe"
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/10/2009 1:57 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/10/2009 1:57 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/16/2009 4:26 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/16/2009 4:26 PM 74480]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/10/2009 1:57 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/10/2009 1:57 PM 297752]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/16/2009 4:27 PM 7408]
R3 Slazldrv;SmartLink AMR_PCI Driver;c:\windows\system32\drivers\SLDRV\slazldrv.sys [5/5/2005 8:33 PM 230448]
S2 EPICDBEngine50;EPICenter 5.0 Database Engine;c:\program files\Extreme Networks\EPICenter 5.0\database\dbsrv9.exe -hvEPICDBEngine50 --> c:\program files\Extreme Networks\EPICenter 5.0\database\dbsrv9.exe -hvEPICDBEngine50 [?]
S2 EPICServer50;EPICenter 5.0 Server;c:\program files\Extreme Networks\EPICenter 5.0\tomcat\bin\eservice.exe --> c:\program files\Extreme Networks\EPICenter 5.0\tomcat\bin\eservice.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/2/2009 11:31 PM 135664]
.
------- Supplementary Scan -------
.
uStart Page = google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\e69t8qag.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-26 19:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\AlienGUIse\fastload.dll

- - - - - - - > 'explorer.exe'(3356)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\windows\system32\crypserv.exe
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\windows\system32\PSIService.exe
c:\windows\system32\slserv.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\HPZipm12.exe
.
**************************************************************************
.
Completion time: 2009-12-26 19:15:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-27 00:15
ComboFix2.txt 2009-12-26 21:13

Pre-Run: 43,388,100,608 bytes free
Post-Run: 43,348,819,968 bytes free

- - End Of File - - 2489BA1E0DB5E43261C497E706BACF27

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:22:29 PM, on 12/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [PtiuPbmd] "C:\WINDOWS\system32\Rundll32.exe" ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [CHotkey] "C:\WINDOWS\mHotkey.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] "C:\WINDOWS\system32\hphmon05.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...841/mcfscan.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: EPICenter 5.0 Database Engine (EPICDBEngine50) - Unknown owner - C:\Program Files\Extreme Networks\EPICenter 5.0\database\dbsrv9.exe (file missing)
O23 - Service: EPICenter 5.0 Server (EPICServer50) - Unknown owner - C:\Program Files\Extreme Networks\EPICenter 5.0\tomcat\bin\eservice.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 7348 bytes


Running scans now with ESET, Malwarebytes and Super.

Was looking good, AVG was quiet. Then while I was running the scans I opened up mIRC and Firefox. Shortly after that AVG flagged the scanners as infected and the scanners themselves are finding infections.

Should I repeat the process again but not open up IRC or Firefox?

Edited by Brandeylaptop, 26 December 2009 - 07:48 PM.


#6 fenzodahl512
  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:07:12 AM

Posted 26 December 2009 - 07:27 PM

So basically the trojan was residing in memory and had corrupted some of the system files?


Sort of.. I'll wait for the scan results before I'm satisfied to let you go :(

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 Brandeylaptop
  • Topic Starter
  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:12 PM

Posted 26 December 2009 - 08:27 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/26/2009 at 08:15 PM

Application Version : 4.32.1000

Core Rules Database Version : 4406
Trace Rules Database Version: 2239

Scan type : Complete Scan
Total Scan Time : 00:58:12

Memory items scanned : 444
Memory threats detected : 0
Registry items scanned : 4661
Registry threats detected : 0
File items scanned : 46168
File threats detected : 3

Adware.Tracking Cookie
C:\Documents and Settings\Admin\Cookies\admin@ehg-eset.hitbox[2].txt
C:\Documents and Settings\Admin\Cookies\admin@hitbox[2].txt
C:\Documents and Settings\Admin\Cookies\admin@ehg-eset.hitbox[1].txt

Malwarebytes' Anti-Malware 1.42
Database version: 3418
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/26/2009 8:21:33 PM
mbam-log-2009-12-26 (20-21-31).txt

Scan type: Full Scan (C:\|)
Objects scanned: 184467
Time elapsed: 1 hour(s), 2 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{0A4E59F9-A2B8-4656-B917-371D0F96146C}\RP1\A0000108.sys (Rootkit.Agent) -> No action taken.
C:\System Volume Information\_restore{0A4E59F9-A2B8-4656-B917-371D0F96146C}\RP1\A0001168.sys (Rootkit.Agent) -> No action taken.


Is this a rootkit?

Edited by Brandeylaptop, 26 December 2009 - 08:31 PM.


#8 fenzodahl512
  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:07:12 AM

Posted 26 December 2009 - 08:52 PM

Shortly after that AVG flagged the scanners as infected and the scanners themselves are finding infections.


Oh AVG..

What Malwarebytes' detected is in your System Restore, so don't worry about it..


How's the computer now? :(

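Added example, not part of the thread: a small Python triage script that parses the "Files Infected" section of a Malwarebytes log like the one posted above and separates restore-point copies (paths under System Volume Information\_restore{...}\RPn\, which a System Restore reset flushes) from hits on the live file system. The embedded sample log is constructed from the thread's two entries plus one made-up live entry.

```python
import re
from dataclasses import dataclass

# Constructed sample log: the two restore-point entries are the ones quoted in this thread;
# the third line is a made-up placeholder showing a detection outside System Restore.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.42
Database version: 3418

Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\\System Volume Information\\_restore{0A4E59F9-A2B8-4656-B917-371D0F96146C}\\RP1\\A0000108.sys (Rootkit.Agent) -> No action taken.
C:\\System Volume Information\\_restore{0A4E59F9-A2B8-4656-B917-371D0F96146C}\\RP1\\A0001168.sys (Rootkit.Agent) -> No action taken.
C:\\WINDOWS\\system32\\CONSTRUCTED_EXAMPLE.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

# Restore-point copies live under <drive>\System Volume Information\_restore{GUID}\RPnn\
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.IGNORECASE)
# One MBAM entry: "<path> (<DetectionName>) -> <action>."  The path group is greedy,
# so parentheses inside a path do not break the split.
ENTRY_RE = re.compile(r"^(?P<path>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
# Summary total near the top of the log, e.g. "Files Infected: 2"
SUMMARY_RE = re.compile(r"^Files Infected:\s*(\d+)$")


@dataclass
class Finding:
    path: str
    name: str
    action: str

    @property
    def in_restore_point(self) -> bool:
        return RESTORE_POINT_RE.search(self.path) is not None


def parse_files_infected(log_text: str) -> list:
    """Return the entries listed under the 'Files Infected:' section of an MBAM log."""
    findings, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Files Infected:":        # section header has no count after the colon
            in_section = True
        elif not in_section or line.startswith("("):   # outside section / "(No malicious ...)"
            continue
        elif not line or line.endswith(":"):  # blank line or next header ends the section
            in_section = False
        elif (m := ENTRY_RE.match(line)):
            findings.append(Finding(**m.groupdict()))
    return findings


def summary_count(log_text: str):
    """The 'Files Infected: N' total from the summary block, or None if it is missing."""
    for raw in log_text.splitlines():
        m = SUMMARY_RE.match(raw.strip())
        if m:
            return int(m.group(1))
    return None


def triage(log_text: str) -> dict:
    """Split detections into restore-point copies (flushed by resetting System Restore)
    and live file-system hits (need real cleaning); also cross-check the summary total."""
    findings = parse_files_infected(log_text)
    return {
        "restore_point": [f.path for f in findings if f.in_restore_point],
        "live": [f.path for f in findings if not f.in_restore_point],
        "summary_matches": summary_count(log_text) == len(findings),
    }
```

Run triage(SAMPLE_LOG) on the sample: the two thread entries land in "restore_point" and only the constructed DLL is reported as "live", so the reply above ("it's in your System Restore") is exactly what the script reports.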


#9 Brandeylaptop
  • Topic Starter
  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:12 PM

Posted 26 December 2009 - 10:52 PM

The eset scan was clear.

Rerunning Super and malwarebytes. I noticed the avg flags were in the system restore files too. Should I just delete that system restore point once we are done?

Everything looks good so far.

Edited by Brandeylaptop, 26 December 2009 - 10:57 PM.


#10 fenzodahl512
  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:07:12 AM

Posted 26 December 2009 - 11:56 PM

Yes, let's clear the System Restore..

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous Restore Points which are likely to be infected)
To create a new Restore Point.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK. This will flush your old System Restore.
  • Then please UNCHECK the Turn off System Restore.
  • Click again on Apply, and then click OK. This will create a new Restore Point.
System Restore will now be active again.

If you are using Windows Vista, please go HERE for a tutorial on how to use, disable and enable System Restore.



#11 Brandeylaptop
  • Topic Starter
  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:12 PM

Posted 27 December 2009 - 09:44 AM

Done!

Thanks a lot. Opened it up today and no errors, etc.

#12 fenzodahl512
  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:07:12 AM

Posted 27 December 2009 - 10:13 AM

You are very welcome, I'm glad that we could help.

I will now close this topic. If you need this topic to be re-opened, please PM me or the Moderators regarding the matter..

If you have any new malware related questions or issues in the future please start a new topic.

Cheers and Happy Computing!

fenzodahl512





