Persistent sdra64.exe infection


  • This topic is locked
7 replies to this topic

#1 Brawgates

Brawgates

  • Members
  • 95 posts
  • OFFLINE
  • Gender:Male
  • Location:Scotland
  • Local time:12:34 AM

Posted 26 January 2010 - 08:53 PM

Hi

My XP Pro SP2 system appears to be infected by sdra64.exe - and its invisible friend? The problem began a couple of days back after Windows Firewall reported an infection from worm.win32.netsky. MBAM at first appeared to have fixed the problem. But it soon became clear that all was not well. I kept getting misdirected and redirected within IE7. Selecting Google hits almost invariably took me to an unwanted site.

After these misdirections/redirections:
  • I usually found (and deleted) cookies from one or more of the following sites:-
    • 64.111.212.229
    • 66.230.188.67
    • feed.ndot.com
    • www2.shopodo.co.uk
  • MBAM scans always:-
    • found and disinfected sdra64.exe. A typical log is attached at the end of this post.
    • left no trace of sdra64.exe by filename or registry entry.
But as soon as I start to navigate on the web sdra64.exe reappears and the clean up cycle starts again.

So at the moment, I'm stuck with an unwelcome intruder and would appreciate any help you can offer in finding and removing him!!

Many thanks

______________________________________________________________________________________________

Update at 22:45 GMT on 27 Jan 2010

Sdra64.exe attacks continue. Followed by MBAM cleanup. More ominously other infections are occurring. Today, MBAM has found and removed PDFUPD.EXE (Spyware.Zbot), and SAS has found and removed an SVCHOST.EXE virus. Both strangely had File Modification dates of 26 Jan 2010 - yesterday.

The plot thickens!!
______________________________________________________________________________________________


Malwarebytes' Anti-Malware 1.44

Database version: 3639

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

26/01/2010 22:50:54

mbam-log-2010-01-26 (22-50-54).txt

Scan type: Quick Scan

Objects scanned: 122821

Time elapsed: 7 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 6

Registry Values Infected: 1

Registry Data Items Infected: 3

Folders Infected: 1

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:

C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:

C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.

C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.

C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.


Edited by Brawgates, 27 January 2010 - 06:17 PM.
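The Hijack.Userinit line in the MBAM log above is the persistence mechanism at work: Winlogon launches every program listed in the Userinit value at logon, and the malware appended itself after the legitimate userinit.exe, so it is restarted whenever the user logs in. The following is an added example, not code from this thread or from Malwarebytes: it parses MBAM log lines of that shape, splits the Userinit value into its entries, and flags anything other than userinit.exe. The sample log lines are constructed from the log above, and the set of expected programs is an assumption of the example.

```python
import ntpath
import re

# Windows' own Userinit value lists only userinit.exe (the MBAM log reports
# "Good: (Userinit.exe)"); anything else Winlogon is told to launch at logon
# deserves a second look. This set is an assumption of the example.
EXPECTED_USERINIT = {"userinit.exe"}

# Constructed sample lines, copied in shape from the MBAM log in the first post.
SAMPLE_MBAM_LINES = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.",
]

# MBAM prints the hijacked and the expected value as "Bad: (...) Good: (...)".
BAD_GOOD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")


def split_userinit(value):
    """Split a comma-separated Userinit value into its non-empty entries.

    Winlogon accepts a trailing comma, which is why both the clean and the
    hijacked value end with one; the empty trailing field is dropped here.
    """
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def unexpected_entries(value):
    """Return every Userinit entry whose file name is not an expected one.

    Only the base name is compared, case-insensitively, so a full path and a
    bare file name for userinit.exe are both accepted.
    """
    return [
        entry
        for entry in split_userinit(value)
        if ntpath.basename(entry).lower() not in EXPECTED_USERINIT
    ]


def extract_bad_userinit(log_lines):
    """Pull (bad_value, good_value) pairs out of MBAM 'Hijack.Userinit' lines.

    Lines for other detections are ignored.
    """
    found = []
    for line in log_lines:
        if "(Hijack.Userinit)" not in line:
            continue
        match = BAD_GOOD_RE.search(line)
        if match:
            found.append((match.group("bad"), match.group("good")))
    return found


def triage(log_lines):
    """Return the unexpected Userinit entries reported across a whole MBAM log."""
    flagged = []
    for bad, _good in extract_bad_userinit(log_lines):
        flagged.extend(unexpected_entries(bad))
    return flagged


if __name__ == "__main__":
    for entry in triage(SAMPLE_MBAM_LINES):
        print("unexpected Userinit entry:", entry)
```

Run against the constructed lines, `triage` returns the single sdra64.exe path. The same `unexpected_entries` check can be applied directly to a Userinit value read from a registry export, which is why the value parser is kept separate from the log parser.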



#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:34 AM

Posted 02 February 2010 - 02:52 PM

Hi Brawgates,

Once again welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum and apologies for the delay. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

One or more of the identified infections is a backdoor trojan.

A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is likely compromised. Some experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine. If you decide to remove the infection please go on with the following steps.


Removal Instructions
  1. Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double click on the OTL icon on your desktop.
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Click Run Scan button.
    • Two reports will open, copy and paste them to your reply:
      • OTL.txt <-- Will be opened
      • Extra.txt <-- Will be minimized

  2. Download the GMER Rootkit Scanner exe file from here and save it to your desktop.
    • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
    • Click on this link to see a list of programs that should be disabled.
    • Disconnect from the Internet and close all running programs.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked. Make sure the following are unchecked:
      • Sections
      • IAT/EAT
      • Drives/Partition other than C:\ drive (C:\ drive should remain checked)
      • Show All (this one also should be unchecked)
    • Then click the Scan button & wait for it to begin. (Please be patient as it can take some time to complete).
    • When the scan is finished, you will see the Scan button appear again. Click Save to save the scan results to your Desktop.
    • Save the file as gmer.log and copy/paste the contents in your next reply.


#3 Brawgates

Brawgates
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  • Gender:Male
  • Location:Scotland
  • Local time:12:34 AM

Posted 02 February 2010 - 09:51 PM

Hello Farbar

Many thanks for your response. Much appreciated. I can confirm that I'd like to attempt to clean the machine.

QUOTE
refrain from making any changes to your system


Agreed. May I assume that I can still make changes to my own data files on my F: drive?

OTL

Downloaded and Ran Scan as instructed. Only OTL.TXT report created. Ran scan a second time in case I'd messed up. Still only OTL.TXT. Search on C: for Extra.TXT found nothing. First of the two OTL.TXT reports below:

OTL logfile created on: 03/02/2010 00:22:52 - Run 5
OTL by OldTimer - Version 3.1.27.1 Folder = C:\Documents and Settings\Peter Field\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

511.00 Mb Total Physical Memory | 316.00 Mb Available Physical Memory | 62.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 26.43 Gb Free Space | 70.94% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 113.11 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
Drive F: | 58.59 Gb Total Space | 39.83 Gb Free Space | 67.98% Space Free | Partition Type: NTFS
Drive G: | 55.90 Gb Total Space | 55.73 Gb Free Space | 99.71% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HP-PAVILION
Current User Name: Peter Field
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/02/03 00:20:35 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Peter Field\Desktop\OTL.exe
PRC - [2009/05/14 14:21:58 | 001,830,128 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2009/02/28 04:54:41 | 000,636,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2007/06/13 10:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/04/18 04:00:00 | 000,102,400 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
PRC - [2005/04/27 13:59:24 | 000,241,725 | ---- | M] (Microsoft Corporation) -- C:\Program Files\UPHClean\uphclean.exe
PRC - [2004/07/09 15:07:20 | 001,249,280 | ---- | M] (D-Link) -- C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
PRC - [2004/04/14 11:54:38 | 000,045,056 | ---- | M] (Alpha Networks Inc.) -- C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
PRC - [2003/07/28 14:19:00 | 000,077,824 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [1998/04/07 00:00:00 | 000,111,376 | ---- | M] () -- C:\Program Files\Microsoft Office\Office\FINDFAST.EXE


========== Modules (SafeList) ==========

MOD - [2010/02/03 00:20:35 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Peter Field\Desktop\OTL.exe
MOD - [2006/08/25 15:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/03/09 23:07:10 | 000,133,104 | ---- | M] (Google Inc.) [Disabled | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c9a10bd7cc5f7f) Google Update Service (gupdate1c9a10bd7cc5f7f)
SRV - [2006/04/18 04:00:00 | 000,102,400 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE -- (EPSON_PM_RPCV4_01) EPSON V3 Service4(01)
SRV - [2005/04/27 13:59:24 | 000,241,725 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\UPHClean\uphclean.exe -- (UPHClean)
SRV - [2003/07/28 14:19:00 | 000,077,824 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)


========== Driver Services (SafeList) ==========

DRV - [2009/10/20 18:00:08 | 000,090,192 | ---- | M] (High Criteria inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\TotRec8.sys -- (TotRec8)
DRV - [2009/10/20 18:00:02 | 000,131,152 | ---- | M] (High Criteria inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\TotRec7.sys -- (TotRec7)
DRV - [2009/05/14 14:22:02 | 000,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Running] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/05/14 14:22:00 | 000,072,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/05/14 14:22:00 | 000,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2008/09/16 00:14:18 | 000,043,528 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2008/06/19 16:24:30 | 000,028,544 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2007/11/13 10:25:53 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/08/22 12:51:38 | 000,097,152 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2004/08/03 23:08:22 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2004/08/03 22:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/05/07 13:47:10 | 000,079,616 | ---- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rt2500usb.sys -- (rt2500usb) DWL-G122(rev.cool.gif
DRV - [2003/07/28 14:19:00 | 001,341,339 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2003/05/05 18:25:48 | 000,028,205 | ---- | M] (Alpha Networks Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\ANIO.sys -- (ANIO)
DRV - [2002/06/03 11:18:32 | 000,040,832 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\es1371mp.sys -- (es1371) Creative AudioPCI (ES1371,ES1373) (WDM)
DRV - [2001/08/23 03:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2001/08/18 08:00:00 | 000,098,176 | R--- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\NBF.SYS -- (Nbf)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-854245398-920026266-1343024091-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
IE - HKU\S-1-5-21-854245398-920026266-1343024091-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-854245398-920026266-1343024091-1003\S-1-5-21-854245398-920026266-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2009/10/06 20:45:19 | 000,000,056 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O3 - HKU\S-1-5-21-854245398-920026266-1343024091-1003\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKLM..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe (Alpha Networks Inc.)
O4 - HKLM..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe (D-Link)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKU\S-1-5-21-854245398-920026266-1343024091-1003..\Run: [EPSON Stylus Photo R265 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNE.EXE (SEIKO EPSON CORPORATION)
O4 - HKU\S-1-5-21-854245398-920026266-1343024091-1003..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKU\S-1-5-21-854245398-920026266-1343024091-1003..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-854245398-920026266-1343024091-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-854245398-920026266-1343024091-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-854245398-920026266-1343024091-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKU\.DEFAULT\..Trusted Domains: 44 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 44 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab (System Requirements Lab Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/07 21:15:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/10/12 07:05:35 | 000,000,000 | ---D | M] - C:\Autoruns -- [ NTFS ]
O32 - AutoRun File - [2001/12/08 14:13:10 | 000,017,557 | R--- | M] () - E:\autorun.apm -- [ UDF ]
O32 - AutoRun File - [1999/04/07 01:04:00 | 000,167,936 | R--- | M] (Indigo Rose Corporation) - E:\autorun.exe -- [ UDF ]
O32 - AutoRun File - [2001/12/08 14:13:10 | 000,000,029 | R--- | M] () - E:\autorun.inf -- [ UDF ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/02/03 00:20:29 | 000,548,864 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Peter Field\Desktop\OTL.exe
[2010/02/02 01:01:10 | 000,439,808 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Peter Field\Desktop\TFC.exe
[2010/01/25 23:10:26 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/01/25 15:29:41 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/01/25 09:33:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/01/19 10:36:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Peter Field\Application Data\TotalRecorder
[2010/01/19 10:29:47 | 000,090,192 | ---- | C] (High Criteria inc.) -- C:\WINDOWS\System32\drivers\TotRec8.sys
[2010/01/19 10:29:36 | 000,131,152 | ---- | C] (High Criteria inc.) -- C:\WINDOWS\System32\drivers\TotRec7.sys
[2010/01/19 09:50:58 | 000,106,496 | ---- | C] (High Criteria inc.) -- C:\WINDOWS\System32\DrvTrNTl.dll
[2010/01/19 09:50:58 | 000,061,520 | ---- | C] (High Criteria inc.) -- C:\WINDOWS\System32\DrvTrNTm.dll
[2010/01/19 09:50:58 | 000,000,000 | ---D | C] -- C:\Program Files\HighCriteria
[2010/01/17 13:10:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2010/01/14 08:13:12 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/14 08:13:08 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/14 08:13:08 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/12 08:26:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Peter Field\Application Data\SUPERAntiSpyware.com
[2010/01/11 22:55:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/01/11 22:54:25 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/01/08 00:11:40 | 000,000,000 | ---D | C] -- C:\Program Files\filedatech
[2009/12/21 09:33:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/12/21 09:33:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/12/21 09:22:31 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/12/21 09:22:31 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/03/10 00:24:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/03/09 23:07:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google

========== Files - Modified Within 30 Days ==========

[2010/02/03 00:20:35 | 000,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Peter Field\Desktop\OTL.exe
[2010/02/02 23:56:42 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/02 23:55:48 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/02 23:55:42 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/02 23:55:39 | 536,379,392 | -HS- | M] () -- C:\hiberfil.sys
[2010/02/02 23:53:45 | 008,126,464 | -H-- | M] () -- C:\Documents and Settings\Peter Field\NTUSER.DAT
[2010/02/02 23:53:45 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Peter Field\ntuser.ini
[2010/02/02 23:53:04 | 000,004,750 | ---- | M] () -- C:\WINDOWS\ORG2.INI
[2010/02/02 23:29:49 | 000,001,073 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/02/02 18:51:22 | 000,008,536 | ---- | M] () -- C:\WINDOWS\Peter Field8.xlb
[2010/02/02 13:28:07 | 000,095,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\atapi.sys
[2010/02/02 01:01:16 | 000,439,808 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Peter Field\Desktop\TFC.exe
[2010/01/29 09:54:37 | 000,000,054 | ---- | M] () -- C:\WINDOWS\MFC9050.ini
[2010/01/28 12:23:34 | 000,000,498 | ---- | M] () -- C:\WINDOWS\tasks\MBAM Quickscan.job
[2010/01/28 11:16:09 | 000,000,500 | ---- | M] () -- C:\WINDOWS\tasks\MBAM Update.job
[2010/01/27 14:24:50 | 000,000,250 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/01/26 10:39:17 | 000,000,211 | ---- | M] () -- C:\Documents and Settings\Peter Field\Desktop\Bleeping Computer Topic.url
[2010/01/25 18:00:36 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/01/25 15:50:08 | 005,296,520 | -H-- | M] () -- C:\Documents and Settings\Peter Field\Local Settings\Application Data\IconCache.db
[2010/01/25 09:34:11 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Peter Field\Desktop\Spybot - Search & Destroy.lnk
[2010/01/19 10:32:06 | 000,000,881 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Total Recorder.LNK
[2010/01/14 08:52:02 | 000,000,386 | ---- | M] () -- C:\WINDOWS\tasks\MBAM Fullscan.job
[2010/01/14 08:13:15 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/11 22:54:43 | 000,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Professional.lnk
[2010/01/11 19:28:56 | 000,008,536 | ---- | M] () -- C:\WINDOWS\Admin8.xlb
[2010/01/07 16:07:14 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 000,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

========== Files Created - No Company Name ==========

[2010/01/29 09:53:32 | 000,000,054 | ---- | C] () -- C:\WINDOWS\MFC9050.ini
[2010/01/26 10:38:43 | 000,000,211 | ---- | C] () -- C:\Documents and Settings\Peter Field\Desktop\Bleeping Computer Topic.url
[2010/01/25 09:34:11 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Peter Field\Desktop\Spybot - Search & Destroy.lnk
[2010/01/19 09:50:59 | 000,000,881 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Total Recorder.LNK
[2010/01/14 08:50:26 | 000,000,386 | ---- | C] () -- C:\WINDOWS\tasks\MBAM Fullscan.job
[2010/01/14 08:45:11 | 000,000,498 | ---- | C] () -- C:\WINDOWS\tasks\MBAM Quickscan.job
[2010/01/14 08:17:50 | 000,000,500 | ---- | C] () -- C:\WINDOWS\tasks\MBAM Update.job
[2010/01/14 08:13:15 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/11 22:54:43 | 000,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Professional.lnk
[2010/01/06 23:56:23 | 000,008,536 | ---- | C] () -- C:\WINDOWS\Admin8.xlb
[2009/10/17 10:48:50 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\nser.dll
[2008/10/04 20:56:57 | 000,000,208 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2008/10/04 20:56:57 | 000,000,126 | ---- | C] () -- C:\WINDOWS\cap_pi.ini
[2008/10/04 20:56:31 | 000,001,392 | ---- | C] () -- C:\WINDOWS\ACROCAT.INI
[2008/10/04 20:56:06 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2008/10/04 20:56:02 | 000,002,902 | ---- | C] () -- C:\WINDOWS\ACROEXCH.INI
[2008/09/16 00:14:24 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/09/16 00:12:02 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/09/16 00:12:02 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2008/09/16 00:11:10 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2008/08/13 07:03:23 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2008/08/05 09:44:47 | 000,027,136 | ---- | C] () -- C:\WINDOWS\System32\QTUninst.dll
[2007/11/14 00:44:58 | 000,000,482 | ---- | C] () -- C:\WINDOWS\lotus.ini
[2007/11/14 00:44:56 | 000,004,750 | ---- | C] () -- C:\WINDOWS\ORG2.INI
[2007/11/14 00:13:04 | 000,000,061 | ---- | C] () -- C:\WINDOWS\fpstart.ini
[2007/11/14 00:10:51 | 000,000,120 | ---- | C] () -- C:\WINDOWS\MSMAIL32.INI
[2007/11/13 08:48:36 | 000,000,022 | ---- | C] () -- C:\WINDOWS\exchng.ini
[2007/11/13 08:48:35 | 000,000,611 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/11/08 13:35:25 | 000,138,896 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2004/08/18 13:00:00 | 000,035,328 | -H-- | C] () -- C:\WINDOWS\System32\msls50.dll
[1998/04/07 00:00:00 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\ODBCMON.DLL
[1996/11/21 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL
[1996/11/21 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1996/11/21 00:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL
[1996/02/22 12:34:18 | 000,222,928 | ---- | C] () -- C:\WINDOWS\System32\lobas09.dll
[1996/01/19 12:36:18 | 000,000,002 | ---- | C] () -- C:\WINDOWS\System32\lodbc09.dll
[1996/01/15 12:12:12 | 000,334,016 | ---- | C] () -- C:\WINDOWS\System32\loflt09.dll
[1995/09/25 16:41:38 | 000,014,928 | ---- | C] () -- C:\WINDOWS\System32\wingen.drv
[1994/04/07 01:23:00 | 000,000,462 | ---- | C] () -- C:\WINDOWS\lodbf09.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\dllcache\wscui.cpl:SummaryInformation
< End of report >



GMER

Downloaded (pseudonym), ran and scanned with settings as instructed. Log file follows:


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-03 02:17:24
Windows 5.1.2600 Service Pack 2
Running: k55hmilq.exe; Driver: C:\DOCUME~1\PETERF~1\LOCALS~1\Temp\uxtiipoc.sys



---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEF565DF0]
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xED4096D0]


---- Devices - GMER 1.0.15 ----

Device -> \Driver\atapi \Device\Harddisk0\DR0 82EDC856

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----





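The triage a helper does by eye on a GMER log like the one above can be written down. The script below is an added example (not from this thread and not GMER's own logic): it parses the SSDT, Device and File lines, checks each SSDT hooker against an allowlist of modules known to belong to software installed on this machine, and ranks what is left. The allowlist, the severity scale and the sample lines (taken from the log above, with the EOF marker on its own line) are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SEVERITY_ORDER = ["info", "medium", "high", "critical"]

# Assumption of this example: an analyst-maintained allowlist of modules that
# legitimately hook the SSDT on this machine. Both names match software that
# appears in the Add/Remove Programs list posted in this thread.
KNOWN_BENIGN_HOOKERS: Dict[str, str] = {
    "saskutil.sys": "SUPERAntiSpyware",
    "uphcleanhlp.sys": "User Profile Hive Cleanup Service",
}

# Constructed sample input: the GMER findings posted above; paths and
# addresses are as they appear in that log.
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEF565DF0]
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xED4096D0]
---- Devices - GMER 1.0.15 ----
Device -> \Driver\atapi \Device\Harddisk0\DR0 82EDC856
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""


@dataclass
class Finding:
    kind: str      # "ssdt", "device" or "file"
    subject: str   # hooking module, driver object, or file path
    detail: str    # hooked function, attached device, or reported condition
    severity: str  # one of SEVERITY_ORDER


# "SSDT <module> [(description)] <ZwFunction> [<address>]": the module path may
# contain spaces, so the line is matched from its right-hand end.
_SSDT_TAIL = re.compile(r"^(?P<rest>.+?)\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$")
_PAREN = re.compile(r"^(?P<module>.+?)\s*\((?P<desc>[^()]*)\)$")
# "Device -> \Driver\<name> \Device\<object> <address>"
_DEVICE = re.compile(r"^(?P<driver>\\Driver\\\S+)\s+(?P<device>\S+)\s+(?P<addr>[0-9A-Fa-f]+)$")
# "File <path> suspicious modification" (tolerates a fused EOF marker after it)
_FILE = re.compile(r"^(?P<path>.+?)\s+suspicious modification(?:\s|$)")


def _basename(win_path: str) -> str:
    return win_path.rsplit("\\", 1)[-1].lower()


def _parse_ssdt(body: str, benign: Dict[str, str]) -> Optional[Finding]:
    m = _SSDT_TAIL.match(body)
    if not m:
        return None
    pm = _PAREN.match(m.group("rest"))
    module = pm.group("module") if pm else m.group("rest")
    name = _basename(module)
    if name in benign:
        severity, note = "info", f"known hooker ({benign[name]})"
    else:
        severity, note = "high", "module not on the allowlist hooks the kernel service table"
    return Finding("ssdt", module, f"{m.group('func')} at {m.group('addr')}: {note}", severity)


def _parse_device(body: str) -> Optional[Finding]:
    m = _DEVICE.match(body)
    if not m:
        return None
    # A redirected disk device object lets a disk-resident rootkit hide its
    # on-disk changes from anything reading through the normal driver stack.
    on_disk = m.group("device").lower().startswith("\\device\\harddisk")
    return Finding("device", m.group("driver"),
                   f"attached to {m.group('device')} at {m.group('addr')}",
                   "high" if on_disk else "medium")


def _parse_file(body: str) -> Optional[Finding]:
    m = _FILE.match(body)
    if not m:
        return None
    path = m.group("path")
    # A modified kernel driver under system32\drivers loads before any
    # user-mode scanner, so it is ranked highest.
    core_driver = "\\drivers\\" in path.lower() and path.lower().endswith(".sys")
    return Finding("file", path, "suspicious modification", "critical" if core_driver else "high")


def parse_gmer_log(text: str, benign: Dict[str, str] = KNOWN_BENIGN_HOOKERS) -> List[Finding]:
    """Extract and rank the SSDT, Device and File findings from a GMER log."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        f = None
        if line.startswith("SSDT "):
            f = _parse_ssdt(line[len("SSDT "):], benign)
        elif line.startswith("Device -> "):
            f = _parse_device(line[len("Device -> "):])
        elif line.startswith("File "):
            f = _parse_file(line[len("File "):])
        if f is not None:
            findings.append(f)
    return findings


def highest_severity(findings: List[Finding]) -> str:
    if not findings:
        return "none"
    return max((f.severity for f in findings), key=SEVERITY_ORDER.index)


if __name__ == "__main__":
    report = parse_gmer_log(SAMPLE_GMER_LOG)
    for f in sorted(report, key=lambda x: -SEVERITY_ORDER.index(x.severity)):
        print(f"[{f.severity:8}] {f.kind:6} {f.subject}  {f.detail}")
    print("overall:", highest_severity(report))
```

Run on the sample, the two SSDT hooks fall through as known security-tool and profile-cleanup hooks, while the atapi.sys modification is ranked critical and the attached disk device object high; that matches what the ComboFix run later in the thread confirmed and repaired. The allowlist is the part that needs maintaining: a hooker that is not on it is reported, never silently accepted.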

#4 Farbar

  • Security Developer
  • 21,706 posts
  • Gender:Male
  • Location:The Netherlands

Posted 03 February 2010 - 02:31 AM

Hi Brawgates,

OTL makes the Extra.txt on the first run. For subsequent runs it does not make the Extra.txt unless we run it with special settings. If OTL is removed properly it will make the Extra.txt again. You have run OTL 4 times before, because the log you posted was the 5th run. But we don't need it now, as we get what we need from ComboFix.
  1. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop
    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

  2. Please go to start => Run => Copy and paste the bold line in the run-box and click OK:

    "C:\Qoobox\Add-Remove Programs.txt"

    A text file opens up, copy and paste the content to your reply.


EDIT: Since logs are posted, I moved this topic to the HJT/Malware removal forum ~ Elise

Edited by elise025, 03 February 2010 - 03:01 AM.


#5 Brawgates
  • Topic Starter
  • Members
  • 95 posts
  • Gender:Male
  • Location:Scotland

Posted 03 February 2010 - 05:39 AM

Good Morning Farbar

Many thanks for your instant response. Don't you guys ever sleep??

5th OTL Run

I puzzled over this when I saw the first log file last night. I can only imagine that I failed to completely remove OTL after you kindly helped me out last October.

ComboFix
  • Downloaded to desktop from Link2.
  • Microsoft Windows Recovery Console already installed.
  • Disabled MS Firewall and exited SAS. Set IE offline and physically disconnected from the net.
  • Started ComboFix.
  • After a while the following ComboFix message was displayed:
    Combofix has detected the presence of Rootkit activity and needs to reboot the machine.


  • On auto reboot, ComboFix continued to Stage 50.
  • At about this point, an MS Report Error Popup appeared. It had the following heading:
    PEV.Exe has encountered a problem and needs to close. We are sorry for the inconvenience.


  • I took no action with the popup. ComboFix continued on to the Deleting Files stage.
  • After a few minutes, the MS Report Error Popup suddenly disappeared.
  • Shortly thereafter, and without warning, the system rebooted.
  • ComboFix reappeared with the Desktop in the Preparing Log Report stage.
  • ComboFix then closed.
  • The saved log is attached in blue below:

Qoobox
  • Ran as instructed
  • The saved text file is attached in red below:

Regards

Peter


ComboFix 10-02-02.02 - Peter Field 03/02/2010 8:46.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.362 [GMT 0:00]
Running from: c:\documents and settings\Peter Field\Desktop\ComboFix.exe
.


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.


C:\DEL.bat

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-01-03 to 2010-02-03 )))))))))))))))))))))))))))))))
.


2010-01-25 15:29 . 2010-01-25 15:29 -------- d-----w- c:\program files\Lavasoft
2010-01-25 09:33 . 2010-01-25 15:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-19 10:36 . 2010-01-19 10:47 -------- d-----w- c:\documents and settings\Peter Field\Application Data\TotalRecorder
2010-01-19 10:29 . 2009-10-20 18:00 90192 ----a-w- c:\windows\system32\drivers\TotRec8.sys
2010-01-19 10:29 . 2009-10-20 18:00 131152 ----a-w- c:\windows\system32\drivers\TotRec7.sys
2010-01-19 09:50 . 2010-01-19 09:50 -------- d-----w- c:\program files\HighCriteria
2010-01-19 09:50 . 2009-10-20 17:59 61520 ----a-w- c:\windows\system32\DrvTrNTm.dll
2010-01-19 09:50 . 2009-10-20 10:17 106496 ----a-w- c:\windows\system32\DrvTrNTl.dll
2010-01-17 13:10 . 2010-01-17 13:10 -------- dc----w- c:\windows\system32\DRVSTORE
2010-01-14 08:13 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-14 08:13 . 2010-01-14 08:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-14 08:13 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-12 08:26 . 2010-01-12 08:26 -------- d-----w- c:\documents and settings\Peter Field\Application Data\SUPERAntiSpyware.com
2010-01-11 22:55 . 2010-01-11 22:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-11 22:54 . 2010-01-11 22:54 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-11 22:54 . 2010-01-11 22:54 -------- d-----w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com
2010-01-08 00:11 . 2010-01-08 00:11 -------- d-----w- c:\program files\filedatech
2010-01-07 00:06 . 2010-01-07 00:06 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\WMTools Downloaded Files
2010-01-06 23:39 . 2010-01-06 23:39 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Identities


.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-03 08:56 . 2010-01-12 08:27 117760 ----a-w- c:\documents and settings\Peter Field\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-02 13:28 . 2004-08-03 21:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-01 11:22 . 2007-11-14 01:53 -------- d-----w- c:\documents and settings\Peter Field\Application Data\AdobeUM
2010-01-25 23:11 . 2008-08-28 09:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-25 09:40 . 2008-08-28 07:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-17 13:09 . 2007-11-13 18:50 -------- d-----w- c:\documents and settings\All Users\Application Data\EPSON
2010-01-16 17:03 . 2010-01-14 09:59 52224 ----a-w- c:\documents and settings\Peter Field\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-14 08:39 . 2010-01-11 22:59 52224 ----a-w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-14 08:39 . 2010-01-11 22:57 117760 ----a-w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-29 22:01 . 2009-12-29 22:01 20544 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 09:38 . 2009-12-21 09:38 -------- d-----w- c:\documents and settings\Admin\Application Data\AdobeUM
2009-12-21 09:32 . 2009-10-10 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-12-17 22:31 . 2009-12-17 22:31 -------- d-----w- c:\documents and settings\Admin\Application Data\AVG8
2009-12-15 09:29 . 2009-12-15 09:29 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-12-15 08:36 . 2009-12-15 08:36 -------- d-----w- c:\program files\ANI
2009-12-15 08:36 . 2009-12-15 08:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-15 08:36 . 2007-11-08 09:01 -------- d-----w- c:\program files\Common Files\InstallShield
2009-12-15 08:36 . 2009-12-15 08:36 -------- d-----w- c:\program files\D-Link
2009-11-26 09:18 . 2009-12-11 09:47 2063640 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-11-26 09:18 . 2009-12-11 09:47 3514648 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-11-26 09:18 . 2009-12-11 09:47 2029336 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
.


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-14 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"D-Link AirPlus G"="c:\program files\D-Link\AirPlus G\AirGCFG.exe" [2004-07-09 1249280]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-04-14 45056]


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]


c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1998-4-7 111376]


[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=DrvTrNTm.dll
"wave"=DrvTrNTm.dll


[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Distiller Assistant 3.01.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Distiller Assistant 3.01.lnk
backup=c:\windows\pss\Distiller Assistant 3.01.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-06 22:53 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avgfws8"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"gupdate1c9a10bd7cc5f7f"=2 (0x2)


[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=


R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [25/09/2009 15:55 28544]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [14/05/2009 14:22 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [14/05/2009 14:22 72944]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [14/05/2009 14:22 7408]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [19/01/2010 10:29 131152]
R3 TotRec8;Total Recorder WDM audio filter driver;c:\windows\system32\drivers\TotRec8.sys [19/01/2010 10:29 90192]
S4 gupdate1c9a10bd7cc5f7f;Google Update Service (gupdate1c9a10bd7cc5f7f);c:\program files\Google\Update\GoogleUpdate.exe [09/03/2009 23:07 133104]


--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder


2010-01-14 c:\windows\Tasks\MBAM Fullscan.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-01-14 16:07]


2010-01-28 c:\windows\Tasks\MBAM Quickscan.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-01-14 16:07]


2010-01-28 c:\windows\Tasks\MBAM Update.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-01-14 16:07]
.
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = about:blank
.
- - - - ORPHANS REMOVED - - - -


WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-PopRock - c:\docume~1\PETERF~1\LOCALS~1\Temp\b.exe



**************************************************************************


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-03 08:56
Windows 5.1.2600 Service Pack 2 NTFS


scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------


[HKEY_USERS\S-1-5-21-854245398-920026266-1343024091-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------


- - - - - - - > 'winlogon.exe'(684)
c:\program files\SUPERAntiSpyware\SASWINLO.dll


- - - - - - - > 'explorer.exe'(2596)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-02-03 09:03:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-03 09:03


Pre-Run: 28,248,920,064 bytes free
Post-Run: 28,238,807,040 bytes free
- - End Of File - - 8DE5BAC154E28E2EE8A6B1B911D93047


Adobe Acrobat 3.01
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe PageMill 3.0
Adobe Reader 6.0.1
AirPlus G
ANIO Service
ANIWZCS2 Service
Apple Software Update
AutoUpdate
BBC iPlayer Desktop
Cable-Mate 3.7
COM port over TCP/IP driver
Critical Update for Windows Media Player 11 (KB959772)
DivX Codec
DivX Converter
DivX Player
DivX Web Player
EPSON Printer Software
ESET Online Scanner v3
Google Earth
Google Update Helper
Heatmiser PCLink Lite
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Interactive Repair Manuals
Java™ 6 Update 16
KeyCAD Deluxe 3.0
Lotus SmartSuite 97
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 97, Professional Edition
Microsoft Project 98
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows XP Video Decoder Checkup Utility
MSXML 6 Service Pack 2 (KB954459)
NVIDIA Windows 2000/XP Display Drivers
Panda ActiveScan 2.0
QuickTime
QuickTime 3.0
Rawl Design Guide 3
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
System Requirements Lab
The DVD-ROM Guide to All the Birds of Europe
ToolBook II 6.1 Runtime Files
Total Recorder 8.0
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
User Profile Hive Cleanup Service
WebFldrs XP
WinCAPS 2008.01.27 UK
WinCAPS 7.90.16 UK
WinDirStat 1.1.2
Windows Communication Foundation
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
XML Paper Specification Shared Components Pack 1.0


End of Reports



#6 Farbar

  • Security Developer
  • 21,706 posts
  • Gender:Male
  • Location:The Netherlands

Posted 03 February 2010 - 06:36 AM

Hi Peter,

Well done and thanks for the detailed feedback.

Elise was kind enough to move the topic to this forum; I didn't notice it was posted to the Am I Infected forum. That was probably the reason you didn't post the logs before.

ComboFix did the job and removed the rootkit, and it all looks good.
  1. You may update your Java to the latest version (6 update 18).
    To do that go to start =>Control Panel => Java => under Update tab update Java. Check Add/Remove programs and uninstall old Java if the older version is not automatically removed.

  2. Your Adobe Acrobat is outdated. I strongly recommend that you update your Adobe Acrobat to the latest version to avoid being infected through its security holes.

  3. It is important to uninstall ComboFix.

    Go to Start => Run => copy and paste next command in the field then hit enter:

    ComboFix /Uninstall

    This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

  4. Please run OTL.
    • Click Clean Up button.
    • Accept any prompts.
    • This will remove OTL, and will require a reboot.

Unless you have any questions, I wish you happy surfing, Peter.





#7 Brawgates
  • Topic Starter
  • Members
  • 95 posts
  • Gender:Male
  • Location:Scotland

Posted 03 February 2010 - 07:31 AM

Hi Farbar

That's great news.


Many thanks for your involvement. Short and sweet it may have been. But very effective!!

I've removed ComboFix and OTL as you indicated and will tackle both Java and Adobe Reader during a quiet moment this evening.

I rather suspect it was Adobe that allowed the attack. I'd seen some odd PDF references before I noticed I was infected. Does the intruder have a name?

From my, albeit limited, contacts with malware forums, I place Bleeping Computer and its team of dedicated, courteous and friendly professionals on the top table. Hats off!

Best wishes

Peter

#8 Farbar

  • Security Developer
  • 21,706 posts
  • Gender:Male
  • Location:The Netherlands

Posted 03 February 2010 - 10:25 AM

You are most welcome, Peter, and thanks for your kind words.

The intruder does indeed have a name. The rootkit ComboFix removed is a TDL3/TDSS variant. It had patched atapi.sys, an essential Windows driver, and was loading into memory from there. The rest, including the one you named before, also have names, and you can find them in the Malwarebytes logs (located under the Logs tab).

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.

Regards,

Farbar



