Annoying infection. Cryptographic services won't run.

20 replies to this topic

#1 MisterBad

Posted 26 January 2010 - 07:54 PM

I am helping a friend disinfect his computer and I am having trouble being successful. I've installed Avast antivirus and removed a few superfluous programs. Can't seem to get Windows updates to run. Get the error "wuauclt.exe has encountered a problem and needs to close." when I try. The Windows Update site won't work because, despite IE's settings, I get an error screen saying that ActiveX has been disabled, which it hasn't. RootRepeal immediately blue screened the machine upon clicking the exe file. Malwarebytes' Anti-Malware managed to snag this:

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\ErrorSmart (Rogue.ErrorSmart) -> Quarantined and deleted successfully

Luckily, I was able to run DDS, so here are the results.

-----------------------------------------------------------------

DDS (Ver_09-12-01.01) - NTFSx86
Run by DAVID NELSON at 18:34:38.01 on Tue 01/26/2010
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.191.61 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\DAVID NELSON\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sotecglobal.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [HPHmon03] c:\windows\system32\hphmon03.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: att.net
Trusted Zone: internet
Trusted Zone: magicjack.com\my
Trusted Zone: magicjack.com\www.my
Trusted Zone: mcafee.com
Trusted Zone: sbcglobal.net
Trusted Zone: talk4free.com\reg
Trusted Zone: yahoo.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162700872363
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210793771804
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37498.4243518518
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\davidn~1\applic~1\mozilla\firefox\profiles\hoyqqxnj.default\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-1-17 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-12-27 394904]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2010-1-17 138680]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 SiS630;SiS630;c:\windows\system32\drivers\sis630p.sys [2005-1-13 162048]
R3 VSBC;Virtual Serial Bus Enumerator (Eltima Software);c:\windows\system32\drivers\evsbc.sys [2008-5-19 27904]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-17 20560]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2010-1-17 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2010-1-17 352920]
S3 CDAVFS;CDAVFS;c:\windows\system32\drivers\CDAVFS.sys [2009-12-27 67424]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2003-1-30 18864]
S3 evserial;Virtual Serial Ports Driver (Eltima Softwate);c:\windows\system32\drivers\evserial.sys [2009-12-26 53888]
S3 NUVision;NUVision Video Service;c:\windows\system32\drivers\NUVvid2.sys [2005-1-14 153824]
S3 PRISM;GemTek Wireless LAN Driver;c:\windows\system32\drivers\PRISMNDS.sys [2002-8-27 50688]

=============== Created Last 30 ================

2010-01-21 00:21:35 0 d-----w- C:\ComboFix
2010-01-17 23:00:11 98816 ----a-w- c:\windows\sed.exe
2010-01-17 23:00:11 77312 ----a-w- c:\windows\MBR.exe
2010-01-17 23:00:11 261632 ----a-w- c:\windows\PEV.exe
2010-01-17 23:00:11 161792 ----a-w- c:\windows\SWREG.exe
2010-01-17 22:30:37 15 ----a-w- c:\documents and settings\david nelson\settings.dat
2010-01-17 22:28:36 33792 ----a-w- c:\windows\system32\drivers\disk.sys
2010-01-16 00:26:51 2 ------w- C:\.windows-serial
2010-01-13 00:46:24 2 ----a-w- c:\windows\msoffice.ini
2010-01-13 00:09:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-13 00:07:23 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-28 04:35:00 5632 ---ha-w- c:\windows\system32\wuauclt2.suo
2009-12-28 04:34:59 437 ----a-w- c:\windows\system32\wuauclt2.sln
2009-12-28 04:06:47 0 d-----w- c:\windows\system32\ZoneLabs
2009-12-28 04:06:47 0 d-----w- c:\program files\Zone Labs
2009-12-28 04:06:44 48877 ---ha-w- c:\windows\system32\vsconfig.xml
2009-12-28 03:25:48 63 ----a-w- c:\windows\st_affiliate.ini
2009-12-28 03:12:19 53 ----a-w- c:\windows\av_affiliate.ini
2009-12-28 03:12:14 53 ----a-w- c:\windows\as_affiliate.ini
2009-12-28 03:10:23 67424 ----a-w- c:\windows\system32\drivers\CDAVFS.sys
2009-12-28 03:06:40 0 d-----w- c:\program files\MSN Toolbar Installer
2009-12-28 02:29:22 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-12-28 02:29:22 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-12-28 02:29:22 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-12-28 02:29:22 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-12-28 02:29:22 153088 ----a-w- c:\windows\system32\unrar3.dll
2009-12-28 01:50:09 0 d-----w- c:\program files\Trojan Remover
2009-12-28 01:50:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software
2009-12-28 01:01:49 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-28 01:01:48 0 d-----w- c:\docume~1\davidn~1\applic~1\SUPERAntiSpyware.com
2009-12-28 01:01:09 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-12-28 00:39:26 0 d-----w- c:\windows\pss

==================== Find3M ====================

2010-01-20 23:59:04 4212 ---h--w- c:\windows\system32\zllictbl.dat
2009-12-30 19:32:54 1956 ----a-w- c:\windows\system32\d3d8caps.dat

============= FINISH: 18:35:22.92 ===============

Got persistent. RootRepeal managed to run. Got error "Error - invalid PE image found!" when RootRepeal started though. Was able to run the tool anyway. Results are attached.

FYI, infected computer is banished from network/internet access and in fact will remain turned off until you reply with instructions. I'm running these tools using a flash drive as a ferry between it and my Linux laptop, which is operating this forum. Thanks.

-MisterBad


===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days, up to more than a week, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Elise - forum moderator


Edited by MisterBad, 27 January 2010 - 09:00 AM.


#2 extremeboy (Malware Response Team)

Posted 02 February 2010 - 06:21 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay of response.

Do you still require help?

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, steps #6 and #7, for further instructions on downloading and running DDS and RootRepeal. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#3 MisterBad

Posted 03 February 2010 - 02:29 PM

Hello and thanks for helping me out.

The computer was turned off and removed from power after I ran the last logs and has not been powered on since. Would you like me to still start it up and run new logs?

#4 extremeboy

Posted 04 February 2010 - 08:07 PM

Yes, and please give me an update on the condition of your machine, letting me know if the existing problem still exists.

#5 MisterBad

Posted 07 February 2010 - 07:28 PM

Computer runs slowly, but I attribute that to it being very old and having slow hardware, so I'm not concerned with that. However, I still cannot install any Windows updates whatsoever using either Automatic Updates (get wuauclt.exe error) or via the Windows Update site (says ActiveX is configured not to run in IE6, even though it is set to run in the settings). Tried installing SP3 via the redistribution .exe from the Windows Update Catalog (filename WindowsXP-KB936929-SP3-x86-ENU.exe, 316.4 MB). All files extracted to the root C: drive but got "Setup Error; The system cannot find the file specified", and upon clicking OK, "Setup Error; installation did not complete". I'm sorry but I don't have any virus names or obvious indicators as to what kind of infection or problem this computer has.

RootRepeal again gives the following when clicking on the .exe file to run: "Error - invalid PE image found!". However, the tool ran as expected anyway.


-----------------------------------------------------


DDS (Ver_09-12-01.01) - NTFSx86
Run by DAVID NELSON at 17:14:42.10 on Sun 02/07/2010
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.191.82 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\DAVID NELSON\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sotecglobal.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [HPHmon03] c:\windows\system32\hphmon03.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: att.net
Trusted Zone: internet
Trusted Zone: magicjack.com\my
Trusted Zone: magicjack.com\www.my
Trusted Zone: mcafee.com
Trusted Zone: sbcglobal.net
Trusted Zone: talk4free.com\reg
Trusted Zone: yahoo.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162700872363
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210793771804
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37498.4243518518
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\davidn~1\applic~1\mozilla\firefox\profiles\hoyqqxnj.default\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-1-17 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-12-27 394904]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2010-1-17 138680]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2010-1-17 254040]
R3 SiS630;SiS630;c:\windows\system32\drivers\sis630p.sys [2005-1-13 162048]
R3 VSBC;Virtual Serial Bus Enumerator (Eltima Software);c:\windows\system32\drivers\evsbc.sys [2008-5-19 27904]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-17 20560]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2010-1-17 352920]
S3 CDAVFS;CDAVFS;c:\windows\system32\drivers\CDAVFS.sys [2009-12-27 67424]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2003-1-30 18864]
S3 evserial;Virtual Serial Ports Driver (Eltima Softwate);c:\windows\system32\drivers\evserial.sys [2009-12-26 53888]
S3 NUVision;NUVision Video Service;c:\windows\system32\drivers\NUVvid2.sys [2005-1-14 153824]
S3 PRISM;GemTek Wireless LAN Driver;c:\windows\system32\drivers\PRISMNDS.sys [2002-8-27 50688]

=============== Created Last 30 ================

2010-01-21 00:21:35 0 d-----w- C:\ComboFix
2010-01-17 23:00:11 98816 ----a-w- c:\windows\sed.exe
2010-01-17 23:00:11 77312 ----a-w- c:\windows\MBR.exe
2010-01-17 23:00:11 261632 ----a-w- c:\windows\PEV.exe
2010-01-17 23:00:11 161792 ----a-w- c:\windows\SWREG.exe
2010-01-17 22:30:37 15 ----a-w- c:\documents and settings\david nelson\settings.dat
2010-01-17 22:28:36 33792 ----a-w- c:\windows\system32\drivers\disk.sys
2010-01-16 00:26:51 2 ------w- C:\.windows-serial
2010-01-13 00:46:24 2 ----a-w- c:\windows\msoffice.ini
2010-01-13 00:09:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-13 00:07:23 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

==================== Find3M ====================

2010-01-20 23:59:04 4212 ---h--w- c:\windows\system32\zllictbl.dat
2009-12-30 19:32:54 1956 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-28 03:09:13 67424 ----a-w- c:\windows\system32\drivers\CDAVFS.sys

============= FINISH: 17:15:51.42 ===============

#6 extremeboy

Posted 08 February 2010 - 08:45 PM

Hello.

You appear to have run ComboFix before. Do you have the C:\ComboFix.txt log? If so, please post it.

#7 MisterBad

Posted 09 February 2010 - 10:21 PM

Here's the ComboFix log:

----------------------------------------

ComboFix 10-01-16.04 - DAVID NELSON 01/20/2010 18:26:40.2.1 - x86
Running from: c:\documents and settings\DAVID NELSON\Desktop\ComboFix.exe
Command switches used :: /u

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-12-21 to 2010-01-21 )))))))))))))))))))))))))))))))
.

2010-01-21 00:17 . 2010-01-21 00:17 -------- d-----w- c:\windows\LastGood
2010-01-18 01:18 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-01-18 01:18 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-01-18 01:18 . 2009-11-24 23:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-01-18 01:18 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2010-01-18 01:17 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-01-18 01:17 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-01-18 01:15 . 2009-11-24 23:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-01-18 01:15 . 2009-11-24 23:50 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-01-18 01:15 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2010-01-18 01:15 . 2010-01-18 01:15 -------- d-----w- c:\program files\Alwil Software
2010-01-17 22:30 . 2010-01-17 22:31 15 ----a-w- c:\documents and settings\DAVID NELSON\settings.dat
2010-01-17 22:28 . 2002-08-29 07:27 33792 ----a-w- c:\windows\system32\drivers\disk.sys
2010-01-13 00:09 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-13 00:07 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-28 04:07 . 2006-06-11 19:41 71672 ----a-w- c:\windows\system32\zlcommdb.dll
2009-12-28 04:07 . 2006-06-11 19:41 83960 ----a-w- c:\windows\system32\zlcomm.dll
2009-12-28 04:06 . 2009-12-30 20:47 -------- d-----w- c:\windows\system32\ZoneLabs
2009-12-28 04:06 . 2009-12-28 04:06 -------- d-----w- c:\program files\Zone Labs
2009-12-28 03:10 . 2009-12-28 03:09 67424 ----a-w- c:\windows\system32\drivers\CDAVFS.sys
2009-12-28 03:06 . 2009-12-28 03:09 -------- d-----w- c:\program files\MSN Toolbar Installer
2009-12-28 02:29 . 2006-06-19 19:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-12-28 02:29 . 2006-05-25 21:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-12-28 02:29 . 2005-08-26 07:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-12-28 02:29 . 2003-02-03 02:06 153088 ----a-w- c:\windows\system32\unrar3.dll
2009-12-28 02:29 . 2002-03-06 07:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-12-28 01:50 . 2010-01-13 01:03 -------- d-----w- c:\program files\Trojan Remover
2009-12-28 01:50 . 2009-12-28 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-12-28 01:01 . 2010-01-15 23:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-28 01:01 . 2009-12-28 01:01 -------- d-----w- c:\documents and settings\DAVID NELSON\Application Data\SUPERAntiSpyware.com
2009-12-28 01:01 . 2010-01-15 23:52 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-28 00:32 . 2009-12-28 00:32 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS
2009-12-28 00:31 . 2009-12-28 04:14 -------- d-----w- c:\windows\LMI1.tmp
2009-12-27 22:51 . 2009-12-27 22:51 -------- d-----w- c:\documents and settings\DAVID NELSON\Application Data\Malwarebytes
2009-12-27 22:03 . 2009-12-27 22:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-27 22:03 . 2009-12-27 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-27 22:03 . 2010-01-13 00:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-27 02:53 . 2009-12-27 23:36 -------- d-----w- c:\documents and settings\DAVID NELSON\Local Settings\Application Data\Google
2009-12-27 02:24 . 2009-12-27 02:24 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-12-27 01:18 . 2009-12-27 01:18 -------- d-----w- c:\documents and settings\DAVID NELSON\Local Settings\Application Data\VS Revo Group
2009-12-27 01:17 . 2009-12-27 01:17 -------- d-----w- c:\program files\VS Revo Group
2009-12-27 01:07 . 2009-12-27 01:07 -------- d-----w- c:\documents and settings\DAVID NELSON\Local Settings\Application Data\Mozilla
2009-12-26 22:57 . 2009-12-26 22:58 -------- d-----w- C:\MyCleanPC
2009-12-26 22:49 . 2008-05-19 22:01 53888 ----a-w- c:\windows\system32\drivers\evserial.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-20 23:59 . 2005-01-14 04:50 4212 ---h--w- c:\windows\system32\zllictbl.dat
2010-01-17 23:37 . 2010-01-17 23:51 334848 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2010-01-13 00:50 . 2006-11-05 03:12 -------- d-----w- c:\program files\Yahoo!
2010-01-13 00:50 . 2007-04-18 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-01-13 00:49 . 2007-04-18 02:46 -------- d-----w- c:\program files\Common Files\Scanner
2010-01-13 00:48 . 2008-07-25 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-01-13 00:47 . 2008-07-25 02:57 -------- d-----w- c:\documents and settings\DAVID NELSON\Application Data\AOL
2009-12-30 20:46 . 2008-07-25 04:11 -------- d-----w- c:\documents and settings\DAVID NELSON\Application Data\MSN6
2009-12-30 19:32 . 2006-11-05 04:57 1956 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-30 18:58 . 2009-12-30 18:58 33949 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_12_27_22_22_33_small.dmp.zip
2009-12-30 18:58 . 2009-12-30 18:58 111133 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_12_27_22_21_37_small.dmp.zip
2009-12-28 05:44 . 2008-04-26 19:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-27 02:03 . 2006-11-05 04:02 -------- d-----w- c:\program files\Windows Media Connect 2
2009-12-27 01:54 . 2006-11-25 05:14 24384 ----a-w- c:\documents and settings\DAVID NELSON\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-26 22:54 . 2002-08-27 23:02 -------- d--h--w- c:\program files\InstallShield Installation Information
.

------- Sigcheck -------

Cryptography Services Error !!

c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\xmlprov.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2003-01-31 196608]
"HPHmon03"="c:\windows\System32\hphmon03.exe" [2003-01-31 311296]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-08-01 07:14 684032 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2008-12-17 18:36 50520 ----a-w- c:\documents and settings\DAVID NELSON\Application Data\mjusbsp\cdloader2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2002-08-29 10:41 1511453 ----a-w- c:\program files\Messenger\msmsgs.exe

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [1/17/2010 7:17 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R3 SiS630;SiS630;c:\windows\system32\drivers\sis630p.sys [1/13/2005 11:00 PM 162048]
R3 VSBC;Virtual Serial Bus Enumerator (Eltima Software);c:\windows\system32\drivers\evsbc.sys [5/19/2008 4:01 PM 27904]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/17/2010 7:17 PM 20560]
S3 CDAVFS;CDAVFS;c:\windows\system32\drivers\CDAVFS.sys [12/27/2009 9:10 PM 67424]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [1/30/2003 6:55 PM 18864]
S3 evserial;Virtual Serial Ports Driver (Eltima Softwate);c:\windows\system32\drivers\evserial.sys [12/26/2009 4:49 PM 53888]
S3 NUVision;NUVision Video Service;c:\windows\system32\drivers\NUVvid2.sys [1/14/2005 2:24 PM 153824]
S3 PRISM;GemTek Wireless LAN Driver;c:\windows\system32\drivers\PRISMNDS.sys [8/27/2002 5:01 PM 50688]
.
Contents of the 'Scheduled Tasks' folder

2008-12-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sotecglobal.com
Trusted Zone: att.net
Trusted Zone: internet
Trusted Zone: magicjack.com\my
Trusted Zone: magicjack.com\www.my
Trusted Zone: mcafee.com
Trusted Zone: sbcglobal.net
Trusted Zone: talk4free.com\reg
Trusted Zone: yahoo.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\DAVID NELSON\Application Data\Mozilla\Firefox\Profiles\hoyqqxnj.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-20 18:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(532)
c:\windows\System32\ODBC32.dll

- - - - - - - > 'lsass.exe'(612)
c:\windows\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(1780)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
.
Completion time: 2010-01-20 19:01:02
ComboFix-quarantined-files.txt 2010-01-17 23:32
ComboFix2.txt 2010-01-17 23:32

Pre-Run: 12,117,409,792 bytes free
Post-Run: 12,097,810,432 bytes free

- - End Of File - - 6FCF550B32D8DCD771057A79E482E4A0


#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:19 PM

Posted 10 February 2010 - 04:05 PM

Delete the Combofix you have and re-download and run it.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page on instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 MisterBad

MisterBad
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:01:19 PM

Posted 10 February 2010 - 08:24 PM

New log:

ComboFix 10-02-10.04 - DAVID NELSON 02/10/2010 18:53:25.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.191.81 [GMT -6:00]
Running from: c:\documents and settings\DAVID NELSON\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-01-11 to 2010-02-11 )))))))))))))))))))))))))))))))
.

2010-01-18 01:18 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-01-18 01:18 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-01-18 01:18 . 2009-11-24 23:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-01-18 01:18 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2010-01-18 01:17 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-01-18 01:17 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-01-18 01:15 . 2009-11-24 23:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-01-18 01:15 . 2009-11-24 23:50 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-01-18 01:15 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2010-01-18 01:15 . 2010-01-18 01:15 -------- d-----w- c:\program files\Alwil Software
2010-01-17 22:30 . 2010-01-17 22:31 15 ----a-w- c:\documents and settings\DAVID NELSON\settings.dat
2010-01-17 22:28 . 2002-08-29 07:27 33792 ----a-w- c:\windows\system32\drivers\disk.sys
2010-01-13 00:09 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-13 00:07 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-27 00:37 . 2010-01-27 00:40 1735168 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2010-01-27 00:37 . 2010-01-27 00:40 30720 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2010-01-21 02:09 . 2010-01-26 00:10 1722368 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2010-01-21 02:09 . 2010-01-26 00:10 289792 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2010-01-20 23:59 . 2005-01-14 04:50 4212 ---h--w- c:\windows\system32\zllictbl.dat
2010-01-17 23:37 . 2010-01-17 23:51 334848 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2010-01-15 23:53 . 2009-12-28 01:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-15 23:52 . 2009-12-28 01:01 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-13 01:03 . 2009-12-28 01:50 -------- d-----w- c:\program files\Trojan Remover
2010-01-13 00:50 . 2006-11-05 03:12 -------- d-----w- c:\program files\Yahoo!
2010-01-13 00:50 . 2007-04-18 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-01-13 00:49 . 2007-04-18 02:46 -------- d-----w- c:\program files\Common Files\Scanner
2010-01-13 00:48 . 2008-07-25 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-01-13 00:47 . 2008-07-25 02:57 -------- d-----w- c:\documents and settings\DAVID NELSON\Application Data\AOL
2010-01-13 00:10 . 2009-12-27 22:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-30 20:46 . 2008-07-25 04:11 -------- d-----w- c:\documents and settings\DAVID NELSON\Application Data\MSN6
2009-12-30 19:32 . 2006-11-05 04:57 1956 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-30 18:58 . 2009-12-30 18:58 33949 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_12_27_22_22_33_small.dmp.zip
2009-12-30 18:58 . 2009-12-30 18:58 111133 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_12_27_22_21_37_small.dmp.zip
2009-12-28 05:44 . 2008-04-26 19:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-28 04:06 . 2009-12-28 04:06 -------- d-----w- c:\program files\Zone Labs
2009-12-28 03:09 . 2009-12-28 03:06 -------- d-----w- c:\program files\MSN Toolbar Installer
2009-12-28 03:09 . 2009-12-28 03:10 67424 ----a-w- c:\windows\system32\drivers\CDAVFS.sys
2009-12-28 01:50 . 2009-12-28 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-12-28 01:01 . 2009-12-28 01:01 -------- d-----w- c:\documents and settings\DAVID NELSON\Application Data\SUPERAntiSpyware.com
2009-12-27 22:51 . 2009-12-27 22:51 -------- d-----w- c:\documents and settings\DAVID NELSON\Application Data\Malwarebytes
2009-12-27 22:03 . 2009-12-27 22:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-27 22:03 . 2009-12-27 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-27 02:03 . 2006-11-05 04:02 -------- d-----w- c:\program files\Windows Media Connect 2
2009-12-27 01:54 . 2006-11-25 05:14 24384 ----a-w- c:\documents and settings\DAVID NELSON\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-27 01:17 . 2009-12-27 01:17 -------- d-----w- c:\program files\VS Revo Group
2009-12-26 22:54 . 2002-08-27 23:02 -------- d--h--w- c:\program files\InstallShield Installation Information
.

------- Sigcheck -------

Cryptography Services Error !!

c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\xmlprov.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2003-01-31 196608]
"HPHmon03"="c:\windows\System32\hphmon03.exe" [2003-01-31 311296]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-08-01 07:14 684032 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2008-12-17 18:36 50520 ----a-w- c:\documents and settings\DAVID NELSON\Application Data\mjusbsp\cdloader2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2002-08-29 10:41 1511453 ----a-w- c:\program files\Messenger\msmsgs.exe

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [1/17/2010 7:17 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R3 SiS630;SiS630;c:\windows\system32\drivers\sis630p.sys [1/13/2005 11:00 PM 162048]
R3 VSBC;Virtual Serial Bus Enumerator (Eltima Software);c:\windows\system32\drivers\evsbc.sys [5/19/2008 4:01 PM 27904]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/17/2010 7:17 PM 20560]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 CDAVFS;CDAVFS;c:\windows\system32\drivers\CDAVFS.sys [12/27/2009 9:10 PM 67424]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [1/30/2003 6:55 PM 18864]
S3 evserial;Virtual Serial Ports Driver (Eltima Softwate);c:\windows\system32\drivers\evserial.sys [12/26/2009 4:49 PM 53888]
S3 NUVision;NUVision Video Service;c:\windows\system32\drivers\NUVvid2.sys [1/14/2005 2:24 PM 153824]
S3 PRISM;GemTek Wireless LAN Driver;c:\windows\system32\drivers\PRISMNDS.sys [8/27/2002 5:01 PM 50688]
.
Contents of the 'Scheduled Tasks' folder

2008-12-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sotecglobal.com
Trusted Zone: att.net
Trusted Zone: internet
Trusted Zone: magicjack.com\my
Trusted Zone: magicjack.com\www.my
Trusted Zone: mcafee.com
Trusted Zone: sbcglobal.net
Trusted Zone: talk4free.com\reg
Trusted Zone: yahoo.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\DAVID NELSON\Application Data\Mozilla\Firefox\Profiles\hoyqqxnj.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-10 19:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(532)
c:\windows\System32\ODBC32.dll

- - - - - - - > 'lsass.exe'(588)
c:\windows\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(1564)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
.
Completion time: 2010-02-10 19:10:13
ComboFix-quarantined-files.txt 2010-02-11 01:10
ComboFix2.txt 2010-01-21 01:01
ComboFix3.txt 2010-01-17 23:32

Pre-Run: 10,658,746,368 bytes free
Post-Run: 10,640,805,888 bytes free

- - End Of File - - AC1B6BD7DE6C4949E5117E692949F96C


#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:19 PM

Posted 12 February 2010 - 04:10 PM

Hello again.

Please download CCSkeys to your desktop
  • Double click CCSkeys.exe to run the program, it will be very quick.
  • When complete a Notepad file will open, please copy and paste the entire contents into your next reply
Note: A copy of the Notepad file can be found at C:\export.txt. You can delete it, along with the CCSkeys.exe after posting the contents here.

Download and Run GMER

We will use GMER to scan for rootkits.
  • Please download GMER from one of the following locations, and save it to your desktop:
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)

  • Close any and all open programs, as this process may crash your computer.
  • Double click or on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.

    If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system... Click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries

#11 MisterBad

MisterBad
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:01:19 PM

Posted 14 February 2010 - 03:39 AM

CCScheck.exe
SWreg.exe courtesy of Bobbi Flekman
Run at: 13:26:24.21
On Sat 02/13/2010

Run from C:\Documents and Settings\DAVID NELSON\Desktop\CCSkeys




SteelWerX Registry Console Tool 3.0
Written by Bobbi Flekman 2006 ©

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\cryptsvc
DependOnService REG_MULTI_SZ RpcSs\0\0
Description REG_SZ Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
DisplayName REG_SZ CryptSvc
ErrorControl REG_DWORD 1 (0x1)
ImagePath REG_EXPAND_SZ %SystemRoot%\system32\svchost.exe -k netsvcs
ObjectName REG_SZ LocalSystem
Start REG_DWORD 2 (0x2)
Type REG_DWORD 32 (0x20)

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\cryptsvc\Parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\cryptsvc.dll
ServiceMain REG_SZ CryptServiceMain

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\cryptsvc\Security
Security REG_BINARY 00000e0001

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\cryptsvc\Enum
0 REG_SZ Root\LEGACY_CRYPTSVC\0000
Count REG_DWORD 1 (0x1)
NextInstance REG_DWORD 1 (0x1)

SteelWerX Registry Console Tool 3.0
Written by Bobbi Flekman 2006 ©

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\seclogon
Description REG_SZ Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
DisplayName REG_SZ Secondary Logon
ErrorControl REG_DWORD 0 (0x0)
ImagePath REG_EXPAND_SZ %SystemRoot%\System32\svchost.exe -k netsvcs
Objectname REG_SZ LocalSystem
Start REG_DWORD 2 (0x2)
Type REG_DWORD 288 (0x120)

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\seclogon\Parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\seclogon.dll
ServiceMain REG_SZ SvcEntry_Seclogon

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\seclogon\Security
Security REG_BINARY 010014807800000084000000140000003000000002001c000100000002801400ff010f000101000000000001000000000200480003000000000014008d01020001010000000000050b00000000001800ff010f000102000000000005200000002002000000001400fd010200010100000000000512000000010100000000000512000000010100000000000512000000

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\seclogon\Enum
0 REG_SZ Root\LEGACY_SECLOGON\0000
Count REG_DWORD 1 (0x1)
NextInstance REG_DWORD 1 (0x1)

SteelWerX Registry Console Tool 3.0
Written by Bobbi Flekman 2006 ©

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\spooler
DependOnService REG_MULTI_SZ RPCSS\0\0
Description REG_SZ Loads files to memory for later printing.
DisplayName REG_SZ Print Spooler
ErrorControl REG_DWORD 1 (0x1)
Group REG_SZ SpoolerGroup
ImagePath REG_EXPAND_SZ %SystemRoot%\system32\spoolsv.exe
ObjectName REG_SZ LocalSystem
Start REG_DWORD 2 (0x2)
Type REG_DWORD 272 (0x110)

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\spooler\Parameters

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\spooler\Performance
Close REG_SZ PerfClose
Collect REG_SZ PerfCollect
Collect Timeout REG_DWORD 2000 (0x7d0)
Library REG_SZ winspool.drv
Object List REG_SZ 1450
Open REG_SZ PerfOpen
Open Timeout REG_DWORD 4000 (0xfa0)
WbemAdapFileSignature REG_BINARY bd83aba61e8accc8d9ffb869f29418ce00
WbemAdapFileTime REG_BINARY 002952e37a79c401
WbemAdapFileSize REG_DWORD 146432 (0x23c00)
WbemAdapStatus REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\spooler\Security
Security REG_BINARY 010014807800000084000000140000003000000002001c000100000002801400ff010f000101000000000001000000000200480003000000000014008d01020001010000000000050b00000000001800ff010f000102000000000005200000002002000000001400fd010200010100000000000512000000010100000000000512000000010100000000000512000000

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\spooler\Enum
0 REG_SZ Root\LEGACY_SPOOLER\0000
Count REG_DWORD 1 (0x1)
NextInstance REG_DWORD 1 (0x1)

SteelWerX Registry Console Tool 3.0
Written by Bobbi Flekman 2006 ©

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\wscsvc
Type REG_DWORD 32 (0x20)
Start REG_DWORD 2 (0x2)
ErrorControl REG_DWORD 1 (0x1)
ImagePath REG_EXPAND_SZ %SystemRoot%\System32\svchost.exe -k netsvcs
DisplayName REG_SZ Security Center
DependOnService REG_MULTI_SZ RpcSs\0winmgmt\0\0
ObjectName REG_SZ LocalSystem
Description REG_SZ Monitors system security settings and configurations.

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\wscsvc\Parameters
ServiceDll REG_EXPAND_SZ %SYSTEMROOT%\system32\wscsvc.dll

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\wscsvc\Security
Security REG_BINARY 01001480900000009c000000140000003000000002001c000100000002801400ff010f00010100000000000100000000020060000400000000001400fd01020001010000000000051200000000001800ff010f0001020000000000052000000020020000000014008d01020001010000000000050b00000000001800fd01020001020000000000052000000023020000010100000000000512000000010100000000000512000000

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\wscsvc\Enum
0 REG_SZ Root\LEGACY_WSCSVC\0000
Count REG_DWORD 1 (0x1)
NextInstance REG_DWORD 1 (0x1)


-----------------EOF-----------------
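A check a responder can run over CCSkeys output like the dump above, as an added example (not code from the thread, from CCSkeys or from SWreg): it parses the dump layout and flags cryptsvc entries that differ from the values in the posted log. The two dumps embedded in it are constructed, the healthy one copied from the post and the second altered to show what a disabled or redirected service looks like in the output.

```python
"""Audit a CCSkeys / SWreg dump of the cryptsvc key against known-good values.
Added example, not code from the thread, CCSkeys or SWreg: it parses the text
layout in the post above (an "HKEY_..." line opens a key, then "<name>
<REG_TYPE> <data>" lines) and reports each cryptsvc entry that deviates.
"""
import re
from typing import Dict, List

# Known-good values taken from the dump posted above (Windows XP defaults).
BASELINE = {
    r"HKEY_LOCAL_MACHINE\system\currentcontrolset\services\cryptsvc": {
        "DependOnService": r"RpcSs\0\0",
        "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
        "ObjectName": "LocalSystem",
        "Start": "2",   # 2 = Automatic; 4 would mean Disabled
        "Type": "32",   # 0x20 = runs inside a shared svchost process
    },
    r"HKEY_LOCAL_MACHINE\system\currentcontrolset\services\cryptsvc\Parameters": {
        "ServiceDll": r"%SystemRoot%\System32\cryptsvc.dll",
        "ServiceMain": "CryptServiceMain",
    },
}

KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\\S")
# Name (may contain spaces, e.g. "Collect Timeout"), REG_* type, data.
VALUE_RE = re.compile(r"^(.+?) (REG_[A-Z_]+) ?(.*)$")


def parse_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path_lower: {value_name_lower: data}} for every key found."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if KEY_RE.match(line):
            current = line.lower()          # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, rtype, data = m.groups()
            if rtype == "REG_DWORD":
                data = data.split(" ")[0]   # "2 (0x2)" -> "2"
            keys[current][name.lower()] = data
    return keys


def audit(keys: Dict[str, Dict[str, str]], baseline=BASELINE) -> List[str]:
    """Compare parsed keys with the baseline; one finding per deviation."""
    findings: List[str] = []
    for key, expected in baseline.items():
        actual = keys.get(key.lower())
        if actual is None:
            findings.append(f"{key}: key missing")
            continue
        for name, want in expected.items():
            got = actual.get(name.lower())
            if got is None:
                findings.append(f"{key}\\{name}: value missing")
            elif got.lower() != want.lower():   # paths compare case-insensitively
                findings.append(f"{key}\\{name}: expected {want!r}, found {got!r}")
    return findings


# Constructed excerpt mirroring the healthy cryptsvc entries posted above.
HEALTHY_DUMP = r"""
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\cryptsvc
DependOnService REG_MULTI_SZ RpcSs\0\0
ImagePath REG_EXPAND_SZ %SystemRoot%\system32\svchost.exe -k netsvcs
ObjectName REG_SZ LocalSystem
Start REG_DWORD 2 (0x2)
Type REG_DWORD 32 (0x20)

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\cryptsvc\Parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\cryptsvc.dll
ServiceMain REG_SZ CryptServiceMain
"""

# Constructed variant: service set to Disabled and ServiceDll pointed at a
# placeholder path, the kind of change that leaves cryptsvc unable to start.
TAMPERED_DUMP = HEALTHY_DUMP.replace(
    "Start REG_DWORD 2 (0x2)", "Start REG_DWORD 4 (0x4)"
).replace(r"%SystemRoot%\System32\cryptsvc.dll",
          r"c:\windows\system32\PLACEHOLDER_not_cryptsvc.dll")
```

Running `audit(parse_dump(...))` on a real export returns an empty list when cryptsvc matches the posted defaults and one line per deviation otherwise.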






#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:19 PM

Posted 14 February 2010 - 01:35 PM

Hello.

Let's get an online scan.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner
    page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

Then, download and install Service Pack 3: http://www.microsoft.com/downloads/details...;displaylang=en More information here: http://www.bleepingcomputer.com/forums/t/146857/windows-xp-service-pack-3-sp3-information/

With Regards,

#13 MisterBad

MisterBad
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:01:19 PM

Posted 14 February 2010 - 06:09 PM

I'm afraid we hit a brick wall on this one. I tried to run Kaspersky online scan. Well, it turns out there is no Java installed. Went to the Java install site, downloaded the installer just fine, but when I tried to run it, I kept getting a popup that says "The installer cannot proceed with the current Internet Connection settings. Please visit the following web site for more information. http://java.com/en/download/help....... Well, I went to the site and it's simply a generic help site dealing with all possible instructions and fixes for installing Java except for required IE6 settings. I went into the advanced settings tab inside IE and enabled Java console enabled and Java logging enabled. Both didn't change the installation results when I tried again after.

Then I tried simply installing SP3 from the network redistribution file downloaded from the Windows catalog. That didn't work either. Upon clicking the .exe file, it extracted a large amount of files to a folder on the root C drive, then threw up the error message "The system cannot find the file specified".
I tried it twice just to be sure and the results were the same each time. What next? Please also understand that I really appreciate you wracking your brain trying to figure this thing out.



#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:19 PM

Posted 15 February 2010 - 12:47 PM

Hello.

Let's take it one step at a time here.

Can you try ESET first for me?

Run ESET Online Scan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
You can refer to this animation by neomage if needed.


#15 MisterBad

MisterBad
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:01:19 PM

Posted 17 February 2010 - 10:28 PM

Eset results:



C:\Documents and Settings\DAVID NELSON\My Documents\downlods-exe\setupxv.exe multiple threats deleted - quarantined