
DSS and GMER Logs


  • This topic is locked
9 replies to this topic

#1 wildcat2000

wildcat2000

  • Members
  • 82 posts

Posted 20 February 2010 - 08:07 PM

referred from here: http://www.bleepingcomputer.com/forums/t/294144/im-infected-and-nothing-worksliterally-nothing-works/ ~ OB

DSS log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Jeremy at 16:48:47.14 on Sat 02/20/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.649 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DNA\btdna.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Belkin\F5D7001v2000\Belkinwcui.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Jeremy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SoundMan] SOUNDMAN.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\f5d7001v2000\Belkinwcui.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: Backward &Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: Si&milar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} - hxxp://support.gateway.com/support/serialharvest/gwCID.CAB
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\drivers\UBSBM.sys [2005-7-27 14080]
R2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\drivers\UBUMAPI.sys [2005-7-27 36352]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-1-25 200576]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
R3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\drivers\ubohci.sys [2005-7-27 77056]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2009-5-19 20160]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2009-5-3 69692]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]

=============== Created Last 30 ================

2010-02-20 23:47:59 0 ----a-w- c:\documents and settings\jeremy\defogger_reenable
2010-02-20 07:26:26 125694 ----a-w- c:\documents and settings\jeremy\.recently-used.xbel
2010-02-10 02:43:05 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-02-10 02:42:50 0 d-----w- c:\program files\SUPERAntiSpyware
2010-02-10 02:42:50 0 d-----w- c:\docume~1\jeremy\applic~1\SUPERAntiSpyware.com
2010-02-10 02:42:31 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-02-10 01:43:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-10 01:43:27 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-10 01:43:27 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-01 03:02:14 0 d-----w- c:\program files\MOV Player
2010-02-01 01:21:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-02-01 01:21:49 411368 ----a-w- c:\windows\system32\deploytk.dll

==================== Find3M ====================

2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-20 03:35:08 389120 ----a-w- c:\windows\system32\CF26670.exe
2009-12-19 00:24:54 28160 ----a-w- c:\windows\system32\zlib.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27:51 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-02 04:48:21 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-06-08 19:51:22 2012 ----a-w- c:\program files\DriversHQ.DriverDetective.Client.InstallState
2009-06-08 19:51:17 124288 ----a-w- c:\program files\DriversHQ.DriverDetective.Client.Updater.exe
2009-06-08 19:51:16 2237808 ----a-w- c:\program files\DriversHQ.DriverDetective.Client.exe
2009-06-08 19:51:16 140656 ----a-w- c:\program files\DriversHQ.DriverDetective.Common.dll
2009-06-08 19:51:14 66968 ----a-w- c:\program files\DriversHQ.DriverDetective.Client.ExceptionLogging.dll
2009-06-08 19:51:14 38280 ----a-w- c:\program files\DriversHQ.DriverDetective.ExceptionLogging.dll
2009-06-08 19:51:14 21944 ----a-w- c:\program files\DriversHQ.DriverDetective.Client.ExceptionLogging.XmlSerializers.dll
2009-06-08 19:51:14 157104 ----a-w- c:\program files\DriversHQ.DriverDetective.Client.Communication.XmlSerializers.dll
2009-06-08 19:51:14 120208 ----a-w- c:\program files\DriversHQ.DriverDetective.Client.Communication.dll
2009-05-21 18:29:08 61440 ----a-w- c:\program files\Microsoft.ApplicationBlocks.Updater.ActivationProcessors.dll
2009-05-21 18:29:08 28672 ----a-w- c:\program files\Microsoft.ApplicationBlocks.Updater.Downloaders.dll
2009-05-21 18:29:06 36864 ----a-w- c:\program files\Interop.WindowsInstaller.dll
2009-05-21 18:29:04 118784 ----a-w- c:\program files\Microsoft.ApplicationBlocks.Updater.dll
2009-05-21 18:28:54 69632 ----a-w- c:\program files\Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.dll
2009-05-21 18:28:52 90112 ----a-w- c:\program files\Microsoft.Practices.EnterpriseLibrary.Common.dll
2009-05-21 18:28:44 8192 ----a-w- c:\program files\ISUninstall.exe
2009-05-21 18:28:42 57344 ----a-w- c:\program files\Microsoft.Practices.ObjectBuilder.dll
2009-05-21 18:28:20 3581 ----a-w- c:\program files\DriversHQ.DriverDetective.Client.Updater.exe.config
2009-05-21 18:28:10 5294 ----a-w- c:\program files\DriversHQ.DriverDetective.Client.exe.config
2009-05-21 18:28:10 49152 ----a-w- c:\program files\XPBurnComponent.dll
2009-05-21 16:32:14 55116 ----a-w- c:\program files\DriverDetective.chm
2009-04-30 17:01:42 113 ----a-w- c:\program files\DriversHQ.com Knowledge Base.url
2009-06-30 23:04:45 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 16:49:08.23 ===============

__________________________________________________________________________________________________________

Gmer log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-20 17:53:37
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Jeremy\LOCALS~1\Temp\kfxyrkog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF28930B0]

---- Devices - GMER 1.0.15 ----

Device \Driver\ubohci \Device\UBOHCI0 UB1394.SYS (FireAPI® 1394 Class Driver (XP)/Unibrain S.A.)
Device \Driver\ubohci \Device\C1394 UB1394.SYS (FireAPI® 1394 Class Driver (XP)/Unibrain S.A.)

---- EOF - GMER 1.0.15 ----
______________________________________________________________________________________________________________

The second DSS log "Attach" said don't post unless requested and, if yes, to zip it and attach it. I zipped it just in case, but I don't know how to attach it.

Edited by Orange Blossom, 20 February 2010 - 09:17 PM.




#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 22 February 2010 - 02:12 AM

Hi wildcat2000,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files between each other, as the name(s) suggest. In today's world cyber crime has grown to an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions

You are missing one important program on that computer: An antivirus.
This is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as you can. I recommend this good free antivirus:

Avira
  • Download the installer from the softpedia.com link, as it has a secure download mirror. Install and update it.
  • In the left pane click Status. In the right pane click Scan system now.
  • After the scan has finished, let it remove what it finds and then click Report.
  • You can also get the last report by clicking on Reports in the left pane.
  • In the right window under Action, double-click on the last Scan listed (you also see the corresponding Date/Time).
  • A window opens, click on Report file.
  • Copy and paste the content of the report to your reply.


#3 wildcat2000

wildcat2000
  • Topic Starter

  • Members
  • 82 posts

Posted 23 February 2010 - 12:47 AM

Here's the Avira scan log...



Avira AntiVir Personal
Report file date: Monday, February 22, 2010 21:52

Scanning for 1783685 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : YOUR-F326A8C66C

Version information:
BUILD.DAT : 9.0.0.415 21609 Bytes 11/8/2009 10:00:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 10/13/2009 18:26:33
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 17:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 18:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 17:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 14:35:52
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 04:49:21
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 04:50:05
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 04:50:19
VBASE004.VDF : 7.10.3.76 2048 Bytes 1/26/2010 04:50:19
VBASE005.VDF : 7.10.3.77 2048 Bytes 1/26/2010 04:50:20
VBASE006.VDF : 7.10.3.78 2048 Bytes 1/26/2010 04:50:20
VBASE007.VDF : 7.10.3.79 2048 Bytes 1/26/2010 04:50:20
VBASE008.VDF : 7.10.3.80 2048 Bytes 1/26/2010 04:50:20
VBASE009.VDF : 7.10.3.81 2048 Bytes 1/26/2010 04:50:20
VBASE010.VDF : 7.10.3.82 2048 Bytes 1/26/2010 04:50:21
VBASE011.VDF : 7.10.3.83 2048 Bytes 1/26/2010 04:50:21
VBASE012.VDF : 7.10.3.84 2048 Bytes 1/26/2010 04:50:21
VBASE013.VDF : 7.10.3.85 2048 Bytes 1/26/2010 04:50:21
VBASE014.VDF : 7.10.3.122 172544 Bytes 1/29/2010 04:50:24
VBASE015.VDF : 7.10.3.149 79872 Bytes 2/1/2010 04:50:25
VBASE016.VDF : 7.10.3.174 68608 Bytes 2/3/2010 04:50:26
VBASE017.VDF : 7.10.3.199 76800 Bytes 2/4/2010 04:50:28
VBASE018.VDF : 7.10.3.222 64512 Bytes 2/5/2010 04:50:28
VBASE019.VDF : 7.10.3.243 75776 Bytes 2/8/2010 04:50:30
VBASE020.VDF : 7.10.4.6 81920 Bytes 2/9/2010 04:50:31
VBASE021.VDF : 7.10.4.30 78848 Bytes 2/11/2010 04:50:32
VBASE022.VDF : 7.10.4.50 107520 Bytes 2/15/2010 04:50:34
VBASE023.VDF : 7.10.4.62 105472 Bytes 2/15/2010 04:50:35
VBASE024.VDF : 7.10.4.85 111616 Bytes 2/17/2010 04:50:37
VBASE025.VDF : 7.10.4.109 122368 Bytes 2/21/2010 04:50:39
VBASE026.VDF : 7.10.4.110 2048 Bytes 2/21/2010 04:50:39
VBASE027.VDF : 7.10.4.111 2048 Bytes 2/21/2010 04:50:40
VBASE028.VDF : 7.10.4.112 2048 Bytes 2/21/2010 04:50:40
VBASE029.VDF : 7.10.4.113 2048 Bytes 2/21/2010 04:50:40
VBASE030.VDF : 7.10.4.114 2048 Bytes 2/21/2010 04:50:40
VBASE031.VDF : 7.10.4.122 95744 Bytes 2/22/2010 04:50:42
Engineversion : 8.2.1.172
AEVDF.DLL : 8.1.1.3 106868 Bytes 2/23/2010 04:51:17
AESCRIPT.DLL : 8.1.3.16 827771 Bytes 2/23/2010 04:51:16
AESCN.DLL : 8.1.4.0 127348 Bytes 2/23/2010 04:51:12
AESBX.DLL : 8.1.1.1 246132 Bytes 11/8/2009 14:38:44
AERDL.DLL : 8.1.4.2 479602 Bytes 2/23/2010 04:51:11
AEPACK.DLL : 8.2.0.8 426357 Bytes 2/23/2010 04:51:07
AEOFFICE.DLL : 8.1.0.39 196987 Bytes 2/23/2010 04:51:04
AEHEUR.DLL : 8.1.1.7 2326902 Bytes 2/23/2010 04:51:02
AEHELP.DLL : 8.1.10.0 237942 Bytes 2/23/2010 04:50:48
AEGEN.DLL : 8.1.1.87 369013 Bytes 2/23/2010 04:50:46
AEEMU.DLL : 8.1.1.0 393587 Bytes 11/8/2009 14:38:26
AECORE.DLL : 8.1.11.1 184694 Bytes 2/23/2010 04:50:44
AEBB.DLL : 8.1.0.3 53618 Bytes 11/8/2009 14:38:20
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 15:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 8/26/2009 22:14:02
AVREP.DLL : 8.0.0.7 159784 Bytes 2/23/2010 04:51:18
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 17:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 22:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 17:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 22:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 15:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 17:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 22:39:58
RCTEXT.DLL : 9.0.73.0 86785 Bytes 10/13/2009 19:25:47

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Monday, February 22, 2010 21:52

Starting search for hidden objects.
'59909' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'wlcomm.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ehmsas.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'dllhost.exe' - '1' Module(s) have been scanned
Scan process 'Belkinwcui.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'SUPERAntiSpyware.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'btdna.exe' - '1' Module(s) have been scanned
Scan process 'soundman.exe' - '1' Module(s) have been scanned
Scan process 'WLTRAY.EXE' - '1' Module(s) have been scanned
Scan process 'ehtray.exe' - '1' Module(s) have been scanned
Scan process 'mcrdsvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'ehSched.exe' - '1' Module(s) have been scanned
Scan process 'ehRecvr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'BCMWLTRY.EXE' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'WLTRYSVC.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
45 processes with 45 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '56' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\Jeremy\Application Data\Sun\Java\Deployment\cache\6.0\2\64956e82-70233b21
[0] Archive type: ZIP
--> myf/y/AppletX.class
[DETECTION] Contains recognition pattern of the JAVA/OpenStrem.BN.2 Java virus
--> myf/y/LoaderX.class
[DETECTION] Contains recognition pattern of the JAVA/Dldr.Age.nac.4 Java virus
--> myf/y/PayloadX.class
[DETECTION] Contains recognition pattern of the JAVA/Dldr.Age.nad.4 Java virus
C:\Documents and Settings\Jeremy\Application Data\Sun\Java\Deployment\cache\6.0\32\e4681a0-3d0dc18f
[0] Archive type: ZIP
--> evilTook.class
[DETECTION] Contains recognition pattern of the JAVA/Dldr.Ag.AB.1.F Java virus
C:\Documents and Settings\Jeremy\Application Data\Sun\Java\Deployment\cache\6.0\47\684cd2ef-3e2270d4
[0] Archive type: ZIP
--> myf/y/PayloadX.class
[DETECTION] Contains recognition pattern of the JAVA/Dldr.Age.nad.1 Java virus
--> myf/y/LoaderX.class
[DETECTION] Contains recognition pattern of the JAVA/Dldr.Age.nac.1 Java virus
C:\Documents and Settings\Jeremy\Application Data\Sun\Java\Deployment\cache\6.0\53\eb66a35-7f27eea2
[0] Archive type: ZIP
--> AppletX.class
[DETECTION] Contains recognition pattern of the JAVA/Dldr.Agen.NA.1 Java virus
C:\Documents and Settings\Jeremy\My Documents\Virtual Stupidity\bbvs.exe

[0] Archive type: ACE SFX (self extracting)
--> BBAIRG\BBAIRG.000
[WARNING] Out of memory! The virus or unwanted program was not deleted!
--> BBANT\BBANT.000
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruipobuyavr.dll.vir
[DETECTION] Is the TR/Monder.4300.1 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\hjgruixmijyidu.sys.vir
[DETECTION] Contains recognition pattern of the TR.Redol.C virus
C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP172\A0024871.exe
[DETECTION] Is the TR/FraudPack.alzs Trojan
C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP172\A0024881.exe
[DETECTION] Is the TR/FraudPack.akvz Trojan
C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP173\A0025060.exe
[DETECTION] Is the TR/FraudPack.alzs Trojan
C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP174\A0025275.exe
[DETECTION] Is the TR/FraudPack.alzs Trojan
C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP174\A0025277.exe
[DETECTION] Is the TR/FraudPack.akvz Trojan

Beginning disinfection:
C:\Documents and Settings\Jeremy\Application Data\Sun\Java\Deployment\cache\6.0\2\64956e82-70233b21
[NOTE] The file was moved to '4bbc6b25.qua'!
C:\Documents and Settings\Jeremy\Application Data\Sun\Java\Deployment\cache\6.0\32\e4681a0-3d0dc18f
[NOTE] The file was moved to '4bb96b25.qua'!
C:\Documents and Settings\Jeremy\Application Data\Sun\Java\Deployment\cache\6.0\47\684cd2ef-3e2270d4
[NOTE] The file was moved to '4bb76b29.qua'!
C:\Documents and Settings\Jeremy\Application Data\Sun\Java\Deployment\cache\6.0\53\eb66a35-7f27eea2
[NOTE] The file was moved to '4bb96b53.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruipobuyavr.dll.vir
[DETECTION] Is the TR/Monder.4300.1 Trojan
[NOTE] The file was moved to '4bea6b5b.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\hjgruixmijyidu.sys.vir
[DETECTION] Contains recognition pattern of the TR.Redol.C virus
[NOTE] The file was moved to '4a89c1a4.qua'!
C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP172\A0024871.exe
[DETECTION] Is the TR/FraudPack.alzs Trojan
[NOTE] The file was moved to '4bb36b21.qua'!
C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP172\A0024881.exe
[DETECTION] Is the TR/FraudPack.akvz Trojan
[NOTE] The file was moved to '4ad4a13a.qua'!
C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP173\A0025060.exe
[DETECTION] Is the TR/FraudPack.alzs Trojan
[NOTE] The file was moved to '4ad6d1aa.qua'!
C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP174\A0025275.exe
[DETECTION] Is the TR/FraudPack.alzs Trojan
[NOTE] The file was moved to '48738cd2.qua'!
C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP174\A0025277.exe
[DETECTION] Is the TR/FraudPack.akvz Trojan
[NOTE] The file was moved to '48e23b2a.qua'!


End of the scan: Monday, February 22, 2010 22:43
Used time: 35:10 Minute(s)

The scan has been done completely.

4981 Scanned directories
160771 Files were scanned
14 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
11 Files were moved to quarantine
0 Files were renamed
1 Files cannot be scanned
160756 Files not concerned
6972 Archives were scanned
4 Warnings
12 Notes
59909 Objects were scanned with rootkit scan
0 Hidden objects were found
___________________________________________

Looks like it said some could not be removed because it's out of memory? That's odd. Should I do the scan again?
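The report above lists each scanned path followed by its [DETECTION] and [WARNING] lines, then repeats the quarantined paths under "Beginning disinfection:", where several [DETECTION] lines recur, so a plain count of [DETECTION] lines gives 21 against the 14 the summary block reports. The following is an added example, not Avira's or the forum's code: it parses that layout over a constructed excerpt of the report posted above, counts detections only in the scan section, reconciles them with the quarantine moves, and separates files that only raised warnings (the unreadable pagefile and the ACE SFX archive that ran out of memory) from detections that were never quarantined; the function and field names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt of the Avira report posted in this thread (paths and
# signature names as they appear there; the full report carries 14 detections).
REPORT = r"""Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Jeremy\Application Data\Sun\Java\Deployment\cache\6.0\2\64956e82-70233b21
--> myf/y/AppletX.class
[DETECTION] Contains recognition pattern of the JAVA/OpenStrem.BN.2 Java virus
--> myf/y/LoaderX.class
[DETECTION] Contains recognition pattern of the JAVA/Dldr.Age.nac.4 Java virus
--> myf/y/PayloadX.class
[DETECTION] Contains recognition pattern of the JAVA/Dldr.Age.nad.4 Java virus
C:\Documents and Settings\Jeremy\My Documents\Virtual Stupidity\bbvs.exe
[0] Archive type: ACE SFX (self extracting)
--> BBAIRG\BBAIRG.000
[WARNING] Out of memory! The virus or unwanted program was not deleted!
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruipobuyavr.dll.vir
[DETECTION] Is the TR/Monder.4300.1 Trojan
C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP172\A0024871.exe
[DETECTION] Is the TR/FraudPack.alzs Trojan

Beginning disinfection:
C:\Documents and Settings\Jeremy\Application Data\Sun\Java\Deployment\cache\6.0\2\64956e82-70233b21
[NOTE] The file was moved to '4bbc6b25.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruipobuyavr.dll.vir
[DETECTION] Is the TR/Monder.4300.1 Trojan
[NOTE] The file was moved to '4bea6b5b.qua'!
C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP172\A0024871.exe
[DETECTION] Is the TR/FraudPack.alzs Trojan
[NOTE] The file was moved to '4bb36b21.qua'!

End of the scan: Monday, February 22, 2010 22:43
"""

DETECTION_RE = re.compile(r"\[DETECTION\] (?:Contains recognition pattern of the|Is the) (\S+)")
MOVED_RE = re.compile(r"\[NOTE\] The file was moved to '([0-9a-f]+\.qua)'!")
PATH_RE = re.compile(r"[A-Za-z]:\\")  # a new file entry starts with a drive path


@dataclass
class FileResult:
    path: str
    detections: List[str] = field(default_factory=list)  # signatures from the scan section
    warnings: List[str] = field(default_factory=list)    # [WARNING] texts from the scan section
    quarantine_id: Optional[str] = None                  # '<id>.qua' from the disinfection section


def count_detection_lines(text: str) -> int:
    """Naive grep-style count: overcounts because disinfection repeats [DETECTION] lines."""
    return sum(1 for line in text.splitlines() if line.startswith("[DETECTION]"))


def parse_report(text: str) -> Dict[str, FileResult]:
    """Walk the report once, attaching each result line to the path above it."""
    results: Dict[str, FileResult] = {}
    section: Optional[str] = None  # "scan", "disinfect" or None (outside both)
    current: Optional[FileResult] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Starting the file scan"):
            section, current = "scan", None
        elif line.startswith("Beginning disinfection"):
            section, current = "disinfect", None
        elif line.startswith("End of the scan"):
            section = None
        elif section is None or not line:
            continue
        elif PATH_RE.match(line):
            current = results.setdefault(line, FileResult(line))
        elif current is None:
            continue  # e.g. "Begin scan in 'C:\'" before the first path
        elif section == "scan":
            m = DETECTION_RE.match(line)
            if m:
                current.detections.append(m.group(1))
            elif line.startswith("[WARNING] "):
                current.warnings.append(line[len("[WARNING] "):])
        else:  # disinfection: only the move matters; its repeated [DETECTION] lines are skipped
            m = MOVED_RE.match(line)
            if m:
                current.quarantine_id = m.group(1)
    return results


def summarize(results: Dict[str, FileResult]) -> dict:
    """Reconcile detections with quarantine moves, as the report's own summary block does."""
    infected = [r for r in results.values() if r.detections]
    return {
        "detections": sum(len(r.detections) for r in infected),
        "infected_files": len(infected),
        "quarantined": sum(1 for r in infected if r.quarantine_id),
        "not_quarantined": [r.path for r in infected if not r.quarantine_id],  # needs follow-up
        "warnings_without_detection": [r.path for r in results.values()
                                       if r.warnings and not r.detections],
    }


if __name__ == "__main__":
    print("naive [DETECTION] lines:", count_detection_lines(REPORT), summarize(parse_report(REPORT)))
```

On the excerpt the naive count is 7 while the reconciled count is 5 detections in 3 files, all 3 moved to quarantine; the "Out of memory" warning belongs to bbvs.exe, which has no detection line at all.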

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 23 February 2010 - 04:04 AM

Seems you have run ComboFix.
  1. Please give me a detailed description of your current problems. No need for the history. We need to know what the remaining issues are now.

  2. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • You will get a warning about the wrong download sites for ComboFix, click Yes.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#5 wildcat2000

wildcat2000
  • Topic Starter

  • Members
  • 82 posts

Posted 23 February 2010 - 05:07 AM

ComboFix 10-02-22.04 - Jeremy 02/23/2010 2:42.14.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.568 [GMT -7:00]
Running from: c:\documents and settings\Jeremy\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-01-23 to 2010-02-23 )))))))))))))))))))))))))))))))
.

2010-02-23 04:46 . 2010-02-23 04:46 -------- d-----w- c:\windows\LastGood
2010-02-23 04:46 . 2009-07-28 22:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-23 04:46 . 2009-03-30 16:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-02-23 04:46 . 2009-02-13 18:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-02-23 04:46 . 2009-02-13 18:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-02-23 04:46 . 2010-02-23 04:46 -------- d-----w- c:\program files\Avira
2010-02-23 04:46 . 2010-02-23 04:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-02-21 02:57 . 2010-02-21 02:57 -------- d-----w- c:\windows\system32\wbem\Repository
2010-02-10 02:43 . 2010-02-10 02:43 52224 ----a-w- c:\documents and settings\Jeremy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-10 02:43 . 2010-02-20 21:11 117760 ----a-w- c:\documents and settings\Jeremy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-10 02:43 . 2010-02-10 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-10 02:42 . 2010-02-10 02:42 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-10 02:42 . 2010-02-10 02:42 -------- d-----w- c:\documents and settings\Jeremy\Application Data\SUPERAntiSpyware.com
2010-02-10 02:42 . 2010-02-10 02:42 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-10 01:43 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-10 01:43 . 2010-02-10 01:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-10 01:43 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-04 07:24 . 2010-02-04 07:24 -------- d-----w- c:\windows\Sun
2010-02-02 04:58 . 2010-02-02 04:58 -------- d-----w- c:\documents and settings\Jeremy\Application Data\Apple Computer
2010-02-02 04:31 . 2010-02-02 04:31 -------- d-----w- c:\documents and settings\Jeremy\Local Settings\Application Data\Apple
2010-02-02 04:31 . 2010-02-02 04:31 -------- d-----w- c:\documents and settings\Jeremy\Local Settings\Application Data\Apple Computer
2010-02-01 03:02 . 2010-02-01 03:07 -------- d-----w- c:\program files\MOV Player
2010-02-01 01:21 . 2010-02-01 01:21 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-01 01:21 . 2010-02-01 01:21 -------- d-----w- c:\program files\Java
2010-02-01 01:21 . 2010-02-01 01:21 152576 ----a-w- c:\documents and settings\Jeremy\Application Data\Sun\Java\jre1.6.0_16\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-23 09:43 . 2009-06-10 22:43 -------- d-----w- c:\documents and settings\Jeremy\Application Data\DNA
2010-02-23 09:38 . 2009-06-10 22:43 -------- d-----w- c:\documents and settings\Jeremy\Application Data\BitTorrent
2010-02-23 05:52 . 2009-06-11 00:03 -------- d-----w- c:\documents and settings\Jeremy\Application Data\gtk-2.0
2010-02-22 23:02 . 2009-06-10 22:43 -------- d-----w- c:\program files\DNA
2010-02-22 06:13 . 2010-01-17 03:28 -------- d-----w- c:\documents and settings\Jeremy\Application Data\vlc
2010-02-08 01:21 . 2005-11-23 09:38 21264 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-31 16:50 . 2009-05-04 05:32 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2009-05-04 05:33 916480 ------w- c:\windows\system32\wininet.dll
2009-12-20 03:35 . 2009-12-20 03:35 389120 ----a-w- c:\windows\system32\CF26670.exe
2009-12-19 00:24 . 2009-12-19 00:24 28160 ----a-w- c:\windows\system32\zlib.dll
2009-12-16 18:43 . 2009-05-04 05:30 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2009-05-04 05:25 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2009-05-04 05:31 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2009-05-04 05:37 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2009-05-04 05:30 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-12-02 04:48 . 2009-12-02 04:48 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2009-11-27 17:11 . 2009-05-04 05:37 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11 . 2005-11-23 07:12 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07 . 2009-05-04 05:38 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2009-05-04 05:30 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2009-05-04 05:37 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07 . 2009-05-04 05:30 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2009-05-04 05:25 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-08 19:51 . 2009-06-04 22:46 2012 ----a-w- c:\program files\DriversHQ.DriverDetective.Client.InstallState
2009-06-08 19:51 . 2009-05-21 16:32 124288 ----a-w- c:\program files\DriversHQ.DriverDetective.Client.Updater.exe
2009-06-08 19:51 . 2009-05-21 16:32 140656 ----a-w- c:\program files\DriversHQ.DriverDetective.Common.dll
2009-06-08 19:51 . 2009-05-21 16:32 2237808 ----a-w- c:\program files\DriversHQ.DriverDetective.Client.exe
2009-06-08 19:51 . 2009-05-21 16:32 120208 ----a-w- c:\program files\DriversHQ.DriverDetective.Client.Communication.dll
2009-06-08 19:51 . 2009-05-21 16:32 38280 ----a-w- c:\program files\DriversHQ.DriverDetective.ExceptionLogging.dll
2009-06-08 19:51 . 2009-05-21 16:32 66968 ----a-w- c:\program files\DriversHQ.DriverDetective.Client.ExceptionLogging.dll
2009-06-08 19:51 . 2009-05-21 16:32 21944 ----a-w- c:\program files\DriversHQ.DriverDetective.Client.ExceptionLogging.XmlSerializers.dll
2009-06-08 19:51 . 2009-05-21 16:32 157104 ----a-w- c:\program files\DriversHQ.DriverDetective.Client.Communication.XmlSerializers.dll
2009-05-21 18:29 . 2009-05-21 18:29 61440 ----a-w- c:\program files\Microsoft.ApplicationBlocks.Updater.ActivationProcessors.dll
2009-05-21 18:29 . 2009-05-21 18:29 28672 ----a-w- c:\program files\Microsoft.ApplicationBlocks.Updater.Downloaders.dll
2009-05-21 18:29 . 2009-05-21 18:29 36864 ----a-w- c:\program files\Interop.WindowsInstaller.dll
2009-05-21 18:29 . 2009-05-21 18:29 118784 ----a-w- c:\program files\Microsoft.ApplicationBlocks.Updater.dll
2009-05-21 18:28 . 2009-05-21 18:28 69632 ----a-w- c:\program files\Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.dll
2009-05-21 18:28 . 2009-05-21 18:28 90112 ----a-w- c:\program files\Microsoft.Practices.EnterpriseLibrary.Common.dll
2009-05-21 18:28 . 2009-05-21 18:28 8192 ----a-w- c:\program files\ISUninstall.exe
2009-05-21 18:28 . 2009-05-21 18:28 57344 ----a-w- c:\program files\Microsoft.Practices.ObjectBuilder.dll
2009-05-21 18:28 . 2009-05-21 18:28 3581 ----a-w- c:\program files\DriversHQ.DriverDetective.Client.Updater.exe.config
2009-05-21 18:28 . 2009-05-21 18:28 5294 ----a-w- c:\program files\DriversHQ.DriverDetective.Client.exe.config
2009-05-21 18:28 . 2009-05-21 18:28 49152 ----a-w- c:\program files\XPBurnComponent.dll
2009-05-21 16:32 . 2009-05-21 16:32 55116 ----a-w- c:\program files\DriverDetective.chm
2009-04-30 17:01 . 2009-04-30 17:01 113 ----a-w- c:\program files\DriversHQ.com Knowledge Base.url
.

((((((((((((((((((((((((((((( SnapShot_2010-02-21_03.29.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 09:19 . 2007-11-07 09:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 13:07 . 2008-07-29 13:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 13:07 . 2008-07-29 13:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2010-02-22 23:02 . 2010-02-22 23:02 16384 c:\windows\temp\Perflib_Perfdata_670.dat
+ 2010-02-23 04:46 . 2009-05-11 16:12 28520 c:\windows\system32\drivers\ssmdrv.sys
+ 2008-07-29 15:05 . 2008-07-29 15:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 10:54 . 2008-07-29 10:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2010-02-23 04:45 . 2010-02-23 04:45 228352 c:\windows\Installer\13a9b04.msi
+ 2008-07-29 15:05 . 2008-07-29 15:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-14 323392]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-10-12 1282048]
"SoundMan"="SOUNDMAN.EXE" [2003-12-20 65024]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless Utility.lnk - c:\program files\Belkin\F5D7001v2000\Belkinwcui.exe [2009-6-4 1572864]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2003-12-20 00:53 65024 ----a-w- c:\windows\soundman.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2/22/2010 9:46 PM 108289]
R2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\drivers\UBSBM.sys [7/27/2005 5:25 PM 14080]
R2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\drivers\UBUMAPI.sys [7/27/2005 5:25 PM 36352]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [1/25/2005 2:26 PM 200576]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
R3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\drivers\ubohci.sys [7/27/2005 5:25 PM 77056]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [5/19/2009 1:05 PM 20160]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [5/3/2009 10:36 PM 69692]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ANTIVIRSCHEDULERSERVICE
*NewlyCreated* - ANTIVIRSERVICE
*NewlyCreated* - AVGIO
*NewlyCreated* - AVGNTFLT
*NewlyCreated* - AVIPBB
*NewlyCreated* - SSMDRV
*Deregistered* - kfxyrkog
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-23 02:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(500)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2932)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-02-23 02:49:50
ComboFix-quarantined-files.txt 2010-02-23 09:49
ComboFix2.txt 2010-02-21 03:31
ComboFix3.txt 2010-01-10 06:50
ComboFix4.txt 2009-12-20 03:44
ComboFix5.txt 2010-02-23 09:40

Pre-Run: 68,846,886,912 bytes free
Post-Run: 68,842,647,552 bytes free

- - End Of File - - B407DE49CDA28D4CED7222524EF18827
_____________________________________________________

As far as my current problem goes, nothing crazy is happening and everything is functional. I had saved the Rkill.com thing that I got while Boopme was helping me with my virus a few weeks ago, and I kept it in case I ever needed it again. A few days ago I had one of the same pop-ups from before and nothing was working, so I had to use rkill to stop the process. It worked, but it also detected itself as a rogue process, which I thought was strange, so I came on here to ask about it and I was told to make those other logs, and here we are.

Oh yeah, that GMER rootkit scan detects some files, but I checked a few out on Google and from what I can tell they are legitimate files, so I don't know what to think on that. Some have the letters SSDT by them. One example is 'SSDT F7BC9146 ZwCreateKey'. There are several like that starting with 'Zw'.

By the way thanks for helping out with this.

#6 Farbar

Posted 23 February 2010 - 04:19 PM

It looks good.
  1. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 18 (JDK or JRE)".
    • Click the Download JRE button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.


  2. It is important to uninstall ComboFix.

    Go to Start => Run => copy and paste next command in the field then hit enter:

    ComboFix /Uninstall

    This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.


Happy Surfing.
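
The Control Panel step above walks the Add/Remove Programs list by hand. As an added check that is not part of Farbar's post or of any tool named in this thread, the PowerShell snippet below reads the same list from the registry so you can confirm that no older Java Runtime Environment entry remains before installing the new one, and reports whether the jre1.6.0_16 folder the DDS log lists under the user's Application Data is still present. It assumes PowerShell is installed on the XP machine and that the standard Uninstall key is used; the name pattern it matches on is an assumption.

```powershell
# Added example, not code from the thread. Lists Java entries registered in
# Add/Remove Programs by reading the standard Uninstall registry key, then
# checks for the per-user jre1.6.0_16 folder seen in the DDS log above.
# Assumes PowerShell is available on the machine and a 32-bit Windows XP layout.

$uninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

# Each subkey is one installed program; DisplayName is what Add/Remove shows.
# The pattern is an assumption: Sun labelled releases "Java(TM) 6 Update NN",
# "Java 2 Runtime Environment" and "J2SE Runtime Environment".
$javaInstalls = Get-ChildItem $uninstallKey |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Where-Object { $_.DisplayName -match 'Java|J2SE' } |
    Select-Object DisplayName, DisplayVersion, InstallLocation, UninstallString

if (-not $javaInstalls) {
    Write-Output 'No Java entries found in Add/Remove Programs.'
} else {
    Write-Output 'Java entries still registered in Add/Remove Programs:'
    $javaInstalls | Format-Table -AutoSize
}

# The DDS log lists lzma.dll under <user>\Application Data\Sun\Java\jre1.6.0_16.
# Report whether that folder is still present after the uninstall.
$perUserJava = Join-Path $env:APPDATA 'Sun\Java\jre1.6.0_16'
if (Test-Path $perUserJava) {
    Write-Output "Per-user Java folder still present: $perUserJava"
} else {
    Write-Output "Per-user Java folder not found: $perUserJava"
}
```

Run it once before the Control Panel step to see every version that needs removing, and again after the reboot; the expected result at that point is a single entry for the newly installed update and no other Java lines.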

#7 wildcat2000

Posted 23 February 2010 - 07:49 PM

Thank you for your help. I just did everything you said: updated Java and uninstalled ComboFix. Just a couple of questions.

So Rkill.com detecting itself as a process that needs to be stopped is normal? It didn't do that the first time I used it.

Also, what about the bad files that Avira didn't finish deleting? Is that OK?

#8 Farbar

Posted 24 February 2010 - 03:57 AM

Rkill kills the rogue processes and probably ends its own process after that. You may remove it, as there is no rogue on your system and you don't need it anymore. It will be updated according to the latest rogue programs, so there is no use keeping it.

Avira found bad or suspicious files in 3 directories:
1. Java cache. This will be emptied when you uninstall old Java.
2. Qoobox, the Quarantine folder of ComboFix. This is removed by uninstalling ComboFix.
3. System Volume Information, where the restore points are kept. By uninstalling ComboFix, all the old content of that directory is removed.

#9 wildcat2000

Posted 24 February 2010 - 04:13 AM

Oh OK, I see what you mean. Well, alright then, thanks again.

#10 Farbar

Posted 24 February 2010 - 11:52 AM

You are most welcome.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.
