Infected with backdor.win32.agen.ich trojan



#1 REIDS


Posted 14 January 2010 - 05:54 PM

My computer seems to have been taken over, and it keeps warning me that it is infected with the backdor.win32.agen.ich trojan.

DDS (Ver_09-12-01.01) - NTFSx86
Run by user at 10:21:48.73 on Tue 01/12/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.584 [GMT -8:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Portrait Displays\Plugins\AM\dtsslsrv.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\program files\repAd\repAd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\DOCUME~1\user\LOCALS~1\Temp\settdebugx.exe
C:\Program Files\Malware Defense\mdefense.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\DOCUME~1\user\LOCALS~1\Temp\wscsvc32.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.searchslate.com/wp.ashx?ref=home&id=134
mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: MessengerUpdate Class: {5948a52a-ba3a-49a8-bcaf-d578502bda9d} - c:\documents and settings\user\application data\messenger\drivers\MsgUpdate.dll
BHO: adHlpr Object: {5e5fd140-c9b9-47a8-9ac8-d1cfbb005b2c} - c:\windows\system32\rsbpuunp.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\norton antivirus\engine\16.8.0.38\IPSBHO.DLL
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: {C53FE659-316A-4F56-A194-A5BE491BE866} - No File
TB: {07B18EA9-A523-4961-B6BB-170DE4475CCA} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [IgfxSys] rundll32.exe "c:\documents and settings\user\application data\messenger\drivers\IgfxSys.dll",StartProtector
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [settdebugx.exe] c:\docume~1\user\locals~1\temp\settdebugx.exe
uRun: [Malware Defense] "c:\program files\malware defense\mdefense.exe" -noscan
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; FunWebProducts; GTB6; .NET CLR 2.0.50727; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.playhub.com/sports-games/152/Downhill-Jam.html"
mRun: [IntelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" TRAY
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [repAd] c:\program files\repad\repAd.exe
mRun: [My Web Search Bar Search Scope Monitor] "c:\progra~1\mywebs~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [DT LGE] c:\program files\common files\portrait displays\shared\DT_startup.exe -LGE
mRun: [TkBellExe] "c:\program files\real alternative\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [wcmdmgr] c:\windows\wt\updater\wcmdmgrl.exe -launch
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZUxdm399MVUS
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15-3.cab
DPF: {226ACC34-3194-70E2-5AE7-864FCFE9E80D} - hxxp://zone.msn.com/bingame/mosi/default/msi.1.0.0.9.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {64D01C7F-810D-446E-A07E-16C764235644} - hxxp://zone.msn.com/bingame/amad/default/atomaders.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} - hxxp://zone.msn.com/bingame/zpagames/zpa_hrtz.cab99160.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/popcaploader_v10.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 192.168.1.4 HP000D9D1A37DB

============= SERVICES / DRIVERS ===============

R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20091230.004\IDSXpx86.sys [2010-1-4 329592]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-26 102448]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1007020.00b\symefa.sys --> c:\windows\system32\drivers\nav\1007020.00b\SYMEFA.SYS [?]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1008000.026\BHDrvx86.sys [2010-1-6 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1008000.026\cchpx86.sys [2010-1-6 482432]
S2 gupdate1c9df5863291657;Google Update Service (gupdate1c9df5863291657);c:\program files\google\update\GoogleUpdate.exe [2009-5-27 133104]
S2 Norton AntiVirus;Norton AntiVirus;"c:\program files\norton antivirus\norton antivirus\engine\16.7.2.11\ccsvchst.exe" /s "norton antivirus" /m "c:\program files\norton antivirus\norton antivirus\engine\16.7.2.11\dimaster.dll" /prefetch:1 --> c:\program files\norton antivirus\norton antivirus\engine\16.7.2.11\ccSvcHst.exe [?]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100107.024\NAVENG.SYS [2010-1-7 84912]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100107.024\NAVEX15.SYS [2010-1-7 1323568]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]

=============== Created Last 30 ================

2010-01-09 06:37:53 0 d-----w- c:\program files\Malware Defense
2010-01-07 05:58:24 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-07 05:58:14 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-07 05:58:14 0 d-----w- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2010-01-07 05:57:38 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-12-19 20:12:38 0 d-----w- c:\docume~1\user\applic~1\ezLife
2009-12-19 20:12:30 0 d-----w- c:\docume~1\user\applic~1\Smart-Ads-Solutions
2009-12-19 20:12:27 0 d-----w- c:\docume~1\user\applic~1\Messenger
2009-12-19 20:12:26 0 d-----w- c:\program files\Smart-Ads-Solutions
2009-12-19 20:12:26 0 d-----w- c:\program files\ezLife

==================== Find3M ====================

2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2007-07-27 12:00:00 73728 --sha-w- c:\windows\registeredpackages\{dd90d410-1823-43eb-9a16-a2331bf08799}$backup$\system\wmplayer.exe
2008-07-14 15:33:54 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071420080715\index.dat
2009-07-22 18:20:01 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-07-22 18:20:01 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-07-22 18:20:01 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 10:22:51.85 ===============

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/12 10:35
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xEB2B8000 Size: 872448 File Visible: No Signed: -
Status: -

Name: H8SRTkxxsyntjuw.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTkxxsyntjuw.sys
Address: 0xEB050000 Size: 118784 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB9B3F000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\H8SRTjauapfdwnk.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\h8srtkrl32mainweq.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTlalqkodwju.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTnrhcasfgkr.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTrsnvqyekny.dll
Status: Invisible to the Windows API!

Path: \\?\C:\WINDOWS\Tasks\*
Status: Could not enumerate files with the Windows API (0x00000570)!


Path: C:\WINDOWS\Tasks\desktop.ini
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Tasks\OGALogon.job
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Tasks\SA.DAT
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\H8SRTkxxsyntjuw.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\user\local settings\temp\~df9ac9.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\user\Local Settings\Temp\H8SRTc6d1.tmp
Status: Invisible to the Windows API!

Path: c:\documents and settings\user\local settings\temp\~df70fe.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Stealth Objects
-------------------
Object: Hidden Module [Name: H8SRTlalqkodwju.dll]
Process: svchost.exe (PID: 1200) Address: 0x008a0000 Size: 65536

Object: Hidden Module [Name: H8SRTnrhcasfgkr.dll]
Process: svchost.exe (PID: 1200) Address: 0x10000000 Size: 69632

Object: Hidden Module [Name: H8SRTnrhcasfgkr.dll]
Process: svchost.exe (PID: 1312) Address: 0x10000000 Size: 69632

Object: Hidden Module [Name: H8SRTnrhcasfgkr.dll]
Process: svchost.exe (PID: 1356) Address: 0x10000000 Size: 69632

Object: Hidden Module [Name: H8SRTnrhcasfgkr.dll]
Process: svchost.exe (PID: 1468) Address: 0x10000000 Size: 69632

Object: Hidden Module [Name: H8SRTnrhcasfgkr.dll]
Process: svchost.exe (PID: 1508) Address: 0x10000000 Size: 69632

Object: Hidden Module [Name: H8SRTnrhcasfgkr.dll]
Process: svchost.exe (PID: 1744) Address: 0x10000000 Size: 69632

Object: Hidden Module [Name: H8SRTnrhcasfgkr.dll]
Process: Explorer.EXE (PID: 284) Address: 0x10000000 Size: 69632

Object: Hidden Module [Name: H8SRTrsnvqyekny.dll]
Process: IEXPLORE.EXE (PID: 760) Address: 0x00c10000 Size: 151552

Object: Hidden Module [Name: H8SRTnrhcasfgkr.dll]
Process: IEXPLORE.EXE (PID: 760) Address: 0x10000000 Size: 69632

Object: Hidden Module [Name: H8SRTnrhcasfgkr.dll]
Process: svchost.exe (PID: 2376) Address: 0x10000000 Size: 69632

Hidden Services
-------------------
Service Name: H8SRTd.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTkxxsyntjuw.sys

Shadow SSDT
-------------------
#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x85e18c58

==EOF==
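The RootRepeal output above is what a helper reads by eye: a driver hidden from the Windows API, DLLs invisible to the API, the same module injected into several svchost.exe instances, a hidden service whose image path is that driver, and a hooked Shadow SSDT entry. The following triage script is an added example (not code from this thread, from RootRepeal, or from its author) that parses a report in that layout, keeps only the entries that indicate hiding, and checks whether the hidden artifacts share one filename prefix, which is how the H8SRT entries above hang together. The embedded report excerpt is constructed for the example; it mirrors the shape and naming of the log above but is not a copy of it.

```python
import re
from collections import defaultdict

# Constructed excerpt in RootRepeal's layout (section name, dashed underline,
# blank-line separated "Key: value" records); the names mirror the H8SRT log above.
SAMPLE_REPORT = """\
Drivers
-------------------
Name: H8SRTkxxsyntjuw.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\H8SRTkxxsyntjuw.sys
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\\WINDOWS\\system32\\H8SRTlalqkodwju.dll
Status: Invisible to the Windows API!

Path: c:\\docume~1\\user\\locals~1\\temp\\~df9ac9.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Stealth Objects
-------------------
Object: Hidden Module [Name: H8SRTnrhcasfgkr.dll]
Process: svchost.exe (PID: 1200) Address: 0x10000000 Size: 69632

Object: Hidden Module [Name: H8SRTnrhcasfgkr.dll]
Process: IEXPLORE.EXE (PID: 760) Address: 0x10000000 Size: 69632

Hidden Services
-------------------
Service Name: H8SRTd.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\H8SRTkxxsyntjuw.sys

Shadow SSDT
-------------------
#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x85e18c58

==EOF==
"""

UNDERLINE = re.compile(r"-{5,}")
HIDDEN = re.compile(r"(hidden from|invisible to) the windows api", re.I)

def split_sections(text):
    # A section is a heading line followed by dashes; records are blank-line separated.
    sections, current = {}, None
    for block in re.split(r"\n\s*\n", text):
        lines = [line.rstrip() for line in block.splitlines() if line.strip()]
        if len(lines) > 1 and UNDERLINE.fullmatch(lines[1].strip()):
            current, lines = lines[0].strip(), lines[2:]
            sections[current] = []
        if current and lines and not lines[0].startswith("=="):   # skip ==EOF==
            sections[current].append(lines)
    return sections

def field(record, key):
    # Value of the "key: value" line; anchored so "Path" does not match "Image Path".
    hits = [re.match(re.escape(key) + r":\s*(.*)", line) for line in record]
    return next((m.group(1).strip() for m in hits if m), None)

def triage(text):
    # Reduce a report to the findings that indicate something is being hidden.
    secs = split_sections(text)
    findings = []
    for rec in secs.get("Drivers", []):
        if HIDDEN.search(field(rec, "Status") or ""):
            findings.append(("hidden_driver", field(rec, "Image Path")))
    for rec in secs.get("Hidden/Locked Files", []):
        if HIDDEN.search(field(rec, "Status") or ""):   # size mismatches alone are not a hit
            findings.append(("hidden_file", field(rec, "Path")))
    injected = defaultdict(set)   # module name -> set of (process, pid) it was found in
    for rec in secs.get("Stealth Objects", []):
        flat = " ".join(rec)
        mod = re.search(r"Hidden Module \[Name: ([^\]]+)\]", flat)
        proc = re.search(r"Process: (\S+) \(PID: (\d+)\)", flat)
        if mod and proc:
            injected[mod.group(1)].add((proc.group(1), int(proc.group(2))))
    for module, procs in sorted(injected.items()):
        findings.append(("injected_module", module, sorted(procs)))
    for rec in secs.get("Hidden Services", []):
        findings.append(("hidden_service", field(rec, "Service Name"), field(rec, "Image Path")))
    for rec in secs.get("Shadow SSDT", []):
        hook = re.search(r'Function Name: (\S+).*Hooked by "([^"]*)" at address (0x[0-9a-f]+)', " ".join(rec), re.I)
        if hook:
            findings.append(("ssdt_hook",) + hook.groups())
    return findings

def family_prefix(findings, n=5):
    # A kernel driver, user-mode DLLs and a service sharing one random-looking prefix
    # point to a single rootkit family; report a prefix seen across >= 2 artifact kinds.
    kinds = defaultdict(set)
    for f in findings:
        if f[0] in ("hidden_driver", "hidden_file", "hidden_service", "injected_module"):
            kinds[f[1].replace("\\", "/").rsplit("/", 1)[-1][:n].upper()].add(f[0])
    best = max(kinds, key=lambda p: len(kinds[p]), default=None)
    return best if best and len(kinds[best]) >= 2 else None
```

Running `triage(SAMPLE_REPORT)` yields five findings and `family_prefix` returns `H8SRT`; the allocation-size-mismatch temp file is left out because RootRepeal did not report it as hidden.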


#2 miekiemoes

  • Malware Response Team

Posted 15 January 2010 - 06:30 AM

Hi,

* Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Do NOT post the log yet, but allow mbam to reboot.
  • After reboot, immediately rescan with malwarebytes, let it perform another scan, select to remove and reboot once again.
  • It's important that these steps are performed immediately after each other (scan > select to remove > reboot > right after reboot, another scan > select to remove > reboot).
Then when done, post the LATEST malwarebytes log in your next reply. Only post that log AFTER the second reboot.

Extra note.. In case Malwarebytes won't install or run, rename the installer (in case it won't install) to Firefox.exe
In case the main program won't run, navigate to the C:\Program Files\malwarebytes anti-malware folder, locate the mbam.exe file there and rename it to firefox.exe as well. Then launch the renamed file in order to make mbam run.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 REIDS


Posted 16 January 2010 - 03:59 PM

My system seems to be working much better now. However, after I rebooted my computer for the 2nd time after I ran the Malwarebytes scan (I ran the full system scan the 2nd time), during the startup (before Windows) the monitor specified that the computer was "Checking the file system" (a 3 step process). Step 1 was checking for file errors and then corrected 2 file errors (unfortunately I did not write down the file names/numbers). Then step 2 started (verifying indexes). The process stopped at 21% complete, then the screen went black and the computer rebooted and started the process all over. This time it did not find any file errors; however, the process stopped again at 21% through step 2 (verifying indexes) and the computer automatically rebooted and started the process again. The computer then would stop at 22% complete of step 2 (verifying indexes) and reboot automatically until I stopped the process and booted into Windows (I let it try approximately 5-6 more times). The following is the log information that you requested in your post:

Malwarebytes' Anti-Malware 1.44
Database version: 3579
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/16/2010 12:30:08 PM
mbam-log-2010-01-16 (12-30-08).txt

Scan type: Full Scan (C:\|D:\|I:\|)
Objects scanned: 303259
Time elapsed: 35 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\AliveMedia\Video Converter\Tutorial.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2DC6586-C904-4114-A98F-2FC5CA73F96E}\RP716\A0105983.exe (P2P.Dropper.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2DC6586-C904-4114-A98F-2FC5CA73F96E}\RP718\A0106179.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2DC6586-C904-4114-A98F-2FC5CA73F96E}\RP718\A0106182.DLL (Adware.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2DC6586-C904-4114-A98F-2FC5CA73F96E}\RP723\A0106311.exe (Adware.AdRotator) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2DC6586-C904-4114-A98F-2FC5CA73F96E}\RP723\A0106313.exe (Adware.AdRotator) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2DC6586-C904-4114-A98F-2FC5CA73F96E}\RP727\A0106436.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2DC6586-C904-4114-A98F-2FC5CA73F96E}\RP727\A0106446.DLL (Adware.MyWeb.FunWeb) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2DC6586-C904-4114-A98F-2FC5CA73F96E}\RP727\A0106447.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2DC6586-C904-4114-A98F-2FC5CA73F96E}\RP727\A0106452.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2DC6586-C904-4114-A98F-2FC5CA73F96E}\RP727\A0106453.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2DC6586-C904-4114-A98F-2FC5CA73F96E}\RP727\A0106454.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2DC6586-C904-4114-A98F-2FC5CA73F96E}\RP727\A0106455.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2DC6586-C904-4114-A98F-2FC5CA73F96E}\RP727\A0106457.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2DC6586-C904-4114-A98F-2FC5CA73F96E}\RP727\A0106458.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2DC6586-C904-4114-A98F-2FC5CA73F96E}\RP727\A0106459.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2DC6586-C904-4114-A98F-2FC5CA73F96E}\RP727\A0106460.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2DC6586-C904-4114-A98F-2FC5CA73F96E}\RP727\A0106461.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F2DC6586-C904-4114-A98F-2FC5CA73F96E}\RP727\A0106462.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

#4 miekiemoes


Posted 16 January 2010 - 04:11 PM

Hi,
It looks like you are dealing with a buggy version of the infection here, which explains the reboot problems and why malwarebytes can't deal with it properly.

Anyway, let's try something else instead....

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.




#5 REIDS


Posted 16 January 2010 - 05:15 PM

I downloaded ComboFix and ran the installation (for your information I have, or had, Norton Antivirus installed on my computer; however, since this malware attack I still have the start menu shortcut and files on my computer but I can not get this program to load up). I do not have the Norton icon in the system tray, and the Windows Task Manager does not show any Norton functions running on my computer (at least none that I am familiar with). All this being said, I couldn't find how to stop the antivirus from autochecking my computer (I don't know that it actually was). When I ran the ComboFix file it stopped before I ran the program and let me know that Norton Antivirus was running and that I needed to shut it down before I finished running the program. I opted to continue running the program anyway and nothing seemed to stop the program during its function. After the program finished and rebooted the computer, it started the same disk checking program for the C: drive. It made it completely through the 3 steps this time, but it had to recover some files on step 3. The following are the files that it recovered (I didn't have enough time to write them all down completely): desktop.ini, ogalogon.job, and 4-5 google*.* files. Anyways, the following is the log report from ComboFix, as requested. Let me know if you think I need to contact Norton and download/reinstall the software onto my computer, or if this program should be recovered with your help somehow.


ComboFix 10-01-16.02 - user 01/16/2010 13:55:50.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.544 [GMT -8:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\user\Application Data\Messenger
c:\program files\Internet Explorer\msimg32.dll
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\drivers\H8SRTkxxsyntjuw.sys
c:\windows\system32\H8SRTjauapfdwnk.dat
c:\windows\system32\h8srtkrl32mainweq.dll
c:\windows\system32\H8SRTlalqkodwju.dll
c:\windows\system32\H8SRTmliqpfwbwu.dll
c:\windows\system32\H8SRTnrhcasfgkr.dll
c:\windows\system32\H8SRTrsnvqyekny.dll
c:\windows\Temp\tmp3.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_H8SRTd.sys
-------\Service_H8SRTd.sys


((((((((((((((((((((((((( Files Created from 2009-12-16 to 2010-01-16 )))))))))))))))))))))))))))))))
.

2010-01-16 22:04 . 2010-01-16 22:04 -------- d-----w- C:\found.000
2010-01-16 19:37 . 2010-01-16 19:37 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2010-01-16 19:31 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-16 19:31 . 2010-01-16 19:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-16 19:31 . 2010-01-16 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-16 19:31 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-16 19:22 . 2010-01-16 19:22 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-01-16 19:08 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-09 06:21 . 2010-01-09 06:21 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-08 01:22 . 2009-12-09 09:00 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100107.024\CCERASER.DLL
2010-01-08 01:22 . 2009-09-22 08:00 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100107.024\ECMSVR32.DLL
2010-01-08 01:22 . 2009-08-26 08:00 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100107.024\EECTRL.SYS
2010-01-08 01:22 . 2009-08-26 08:00 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100107.024\ERASER.SYS
2010-01-08 01:22 . 2009-08-25 08:00 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100107.024\NAVENG.SYS
2010-01-08 01:22 . 2009-08-25 08:00 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100107.024\NAVENG32.DLL
2010-01-08 01:22 . 2009-08-25 08:00 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100107.024\NAVEX32A.DLL
2010-01-08 01:22 . 2009-08-25 08:00 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100107.024\NAVEX15.SYS
2010-01-07 05:58 . 2010-01-07 05:58 52224 ----a-w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-07 05:58 . 2010-01-16 21:41 117760 ----a-w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-07 05:58 . 2010-01-07 05:58 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-07 05:58 . 2010-01-07 05:58 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-07 05:58 . 2010-01-07 05:58 -------- d-----w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2010-01-07 05:57 . 2010-01-07 05:57 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-05 03:23 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091230.004\IDSvix86.sys
2010-01-05 03:23 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091230.004\IDSXpx86.sys
2010-01-05 03:23 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091230.004\Scxpx86.dll
2010-01-05 03:23 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091230.004\IDSxpx86.dll
2010-01-05 03:23 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091230.004\IDSviA64.sys
2009-12-18 20:51 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091217.002\IDSvix86.sys
2009-12-18 20:51 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091217.002\IDSXpx86.sys
2009-12-18 20:51 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091217.002\Scxpx86.dll
2009-12-18 20:51 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091217.002\IDSxpx86.dll
2009-12-18 20:51 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091217.002\IDSviA64.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-06 19:09 . 2009-09-08 23:34 -------- d-----w- c:\program files\ChickenInvadersROTYXmas
2010-01-06 04:05 . 2008-01-16 01:13 -------- d-----w- c:\program files\Symantec
2009-12-23 19:35 . 2009-06-01 21:39 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-20 08:20 . 2008-01-27 04:31 -------- d-----w- c:\program files\Google
2009-12-19 20:24 . 2008-01-14 22:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-16 16:03 . 2008-02-17 02:38 -------- d-----w- c:\program files\Winamp
2009-12-08 02:48 . 2009-01-18 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-07 17:09 . 2009-12-07 17:09 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-12-01 07:48 . 2008-06-25 01:52 -------- d-----w- c:\program files\BlackBerry
2009-11-29 05:11 . 2008-09-26 01:29 -------- d-----w- c:\documents and settings\user\Application Data\Move Networks
2009-11-22 04:17 . 2009-11-22 04:17 143976 ----a-w- c:\documents and settings\user\Application Data\Move Networks\uninstall.exe
2009-11-22 04:17 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\user\Application Data\Move Networks\plugins\npqmp071701000002.dll
2009-11-21 15:51 . 2007-07-27 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-29 07:45 . 2007-07-27 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-28 13:36 . 2008-02-18 02:20 107936 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-21 05:38 . 2007-07-27 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2007-07-27 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2007-07-27 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2007-07-27 12:00 . 2008-02-23 05:09 73728 --sha-w- c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe" [2009-04-29 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-04-09 7081984]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-03-09 139264]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"nwiz"="nwiz.exe" [2007-12-05 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2003-07-13 155648]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"repAd"="c:\program files\repAd\repAd.exe" [2008-02-23 6656]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"DT LGE"="c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2007-10-11 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"wcmdmgr"="c:\windows\wt\updater\wcmdmgrl.exe" [2002-09-27 20480]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-4-7 217190]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-10-22 972064]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\BearShare\\BearShare.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\temp\\HP_WebRelease\\Setup\\HPZnet01.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\user\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\BROOD\\StarCraft.exe"=

R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091230.004\IDSXpx86.sys [1/4/2010 7:23 PM 329592]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1007020.00B\SYMEFA.SYS --> c:\windows\system32\drivers\NAV\1007020.00B\SYMEFA.SYS [?]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1008000.026\BHDrvx86.sys [1/6/2010 2:27 PM 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1008000.026\cchpx86.sys [1/6/2010 2:27 PM 482432]
S2 gupdate1c9df5863291657;Google Update Service (gupdate1c9df5863291657);c:\program files\Google\Update\GoogleUpdate.exe [5/27/2009 9:51 PM 133104]
S2 Norton AntiVirus;Norton AntiVirus;"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe" /s "Norton AntiVirus" /m "c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.7.2.11\diMaster.dll" /prefetch:1 --> c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-01-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-28 05:51]

2010-01-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-28 05:51]

2010-01-16 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 22:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.searchslate.com/wp.ashx?ref=home&id=134
mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uInternet Connection Wizard,ShellNext = iexplore
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{C53FE659-316A-4F56-A194-A5BE491BE866} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-TkBellExe - c:\program files\Real Alternative\Update_OB\realsched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-16 14:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.7.2.11\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(996)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2988)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Portrait Displays\Plugins\AM\dtsslsrv.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Common Files\Portrait Displays\Shared\DTSRVC.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\wt\updater\wcmdmgr.exe
c:\program files\Portrait Displays\forteManager\DTHtml.exe
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
.
**************************************************************************
.
Completion time: 2010-01-16 14:10:20 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-16 22:10

Pre-Run: 27,763,630,080 bytes free
Post-Run: 34,138,562,560 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - C9F1EDECB8D141DA4399280512A649F6

#6 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 17 January 2010 - 03:36 AM

Hi,

This looks OK again.

* Go to start > run and copy and paste the next command in the field:

ComboFix /Uninstall

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

For your Norton, I suggest you redownload their program and reinstall it again, because it looks like some parts got corrupted here.

How are things now?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 22 January 2010 - 08:53 AM

Still with us?

#8 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 26 January 2010 - 09:40 AM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
