
Infected with rootkit agent


  • This topic is locked
11 replies to this topic

#1 geofade


  • Members
  • 38 posts
  • Gender:Male

Posted 20 February 2010 - 09:13 PM

Topic referenced is here: http://www.bleepingcomputer.com/forums/t/295382/cwindowssystem32driverseceuhsys-rootkitagent-no-action-taken/ ~ OB

Hi,
I have been working with Quitman7 to clean my computer and we were unable to remove this rootkit that doesn't want to go away! When I run a scan with MBAM or STOPzilla, it marks it as a virus but the programs are unable to delete it.
Please help to purge my computer! Here are three logs.
Thanks!
Geo


DDS (Ver_09-12-01.01) - NTFSx86
Run by HP_Administrator at 16:58:18.60 on Sat 02/20/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.277 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - No File
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
TB: {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [RECGUARD] c:\windows\sminst\RECGUARD.EXE
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [SNM] c:\program files\spynomore\SNM.exe /startup
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {200DB664-75B5-47c0-8B45-A44ACCF73F02} - {878137C3-9DAC-4a48-9625-78A054E86C1E}
IE: {200DB664-75B5-47c0-8B45-A44ACCF73F03} - {A7FC740A-AC46-46d2-9262-E368D619AD17}
IE: {200DB664-75B5-47c0-8B45-A44ACCF73F04} - {C459289E-2150-486b-8556-12C706799CAC}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: cainternetsecurity.net
Trusted Zone: yahoo.com\www
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
Notify: !SASWinLogon - c:\program files\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\SASSEH.DLL
LSA: Notification Packages = scecli mubodigi.dll wkmsnf.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\o4dwkt3h.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\o4dwkt3h.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2008-12-24 33920]
R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [2006-4-25 15172]
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-12-7 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2010-1-27 167312]
R1 SASDIFSV;SASDIFSV;c:\program files\sasdifsv.sys [2009-4-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SASKUTIL.SYS [2009-4-28 74480]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-2-19 18816]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\speedb~1\videoacceleratorservice.exe -start -scm --> c:\progra~1\speedb~1\VideoAcceleratorService.exe -start -scm [?]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-7 61328]
S3 FSORSPClient;F-Secure ORSP Client;"c:\program files\charter security suite\orsp client\fsorsp.exe" --> c:\program files\charter security suite\orsp client\fsorsp.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\15.tmp --> c:\windows\system32\15.tmp [?]
S3 SASENUM;SASENUM;c:\program files\SASENUM.SYS [2009-4-28 7408]

=============== Created Last 30 ================

2010-02-20 18:37:49 1104 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-02-19 21:33:03 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-02-19 20:56:44 0 -c--a-w- c:\documents and settings\hp_administrator\defogger_reenable
2010-02-19 07:31:55 0 d-----w- c:\program files\STOPzilla!
2010-02-19 05:47:17 0 d-----w- c:\program files\Sophos
2010-02-12 21:06:52 0 d-----w- c:\program files\AVG
2010-02-12 21:00:36 2002160 ----a-w- c:\program files\a3587819-0979-4c47-bf86-bf503d0a2e56.exe
2010-02-12 06:28:39 2002160 ----a-w- c:\program files\cfc0efa2-ccab-40cd-b588-51fe45f4f11b.exe
2010-02-12 05:55:48 217088 -c-ha-w- C:\SZKGFS.dat
2010-02-12 04:49:59 0 dc----w- c:\docume~1\hp_adm~1\applic~1\FreeFixer
2010-02-12 04:26:17 0 d-----w- c:\program files\SpywareBlaster
2010-02-12 04:10:57 1152 ----a-w- c:\windows\system32\windrv.sys
2010-02-12 04:10:04 0 dc----w- c:\docume~1\hp_adm~1\applic~1\GetRightToGo
2010-02-11 22:44:00 2002160 ----a-w- c:\program files\e5e8b01a-a97e-4a63-82df-f051bcde8670.exe
2010-02-10 04:36:49 0 dc----w- c:\docume~1\alluse~1\applic~1\CA
2010-02-10 04:05:02 0 d-----w- c:\program files\ESET
2010-02-10 03:59:10 0 dc----w- c:\docume~1\hp_adm~1\applic~1\QuickScan
2010-02-10 02:31:23 0 d-----w- c:\program files\CCleaner
2010-02-10 01:34:57 10240 --sha-w- c:\windows\system32\Thumbs.db
2010-02-10 00:01:12 2002160 ----a-w- c:\program files\64c3a19c-3419-42a4-a1fb-1f8dbd5f3c36.exe
2010-02-06 22:38:28 2002160 ----a-w- c:\program files\02801f44-4f02-4c3f-8966-1ad308ebb74e.exe
2010-02-06 02:36:11 0 d-----w- c:\program files\Enigma Software Group
2010-02-05 22:32:26 2002160 ----a-w- c:\program files\cac351e3-9350-47d7-8a99-604bb4198209.exe
2010-02-05 21:39:40 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-02-05 21:22:06 0 dc----w- c:\docume~1\alluse~1\applic~1\RegCure
2010-02-05 00:24:14 2002160 ----a-w- c:\program files\c44972ee-bb1b-4d4c-9b6b-10a6aeea355a.exe
2010-02-04 19:21:26 17408 ----a-r- c:\windows\system32\SZIO5.dll
2010-02-04 19:19:02 442368 ----a-r- c:\windows\system32\SZBase5.dll
2010-02-04 19:18:28 540672 ----a-r- c:\windows\system32\SZComp5.dll
2010-02-04 14:49:55 2002160 ----a-w- c:\program files\e4145feb-8922-406e-a8c2-bc789f407d45.exe
2010-02-04 09:07:00 792064 ----a-w- c:\windows\system32\drivers\eceuh.sys
2010-01-29 08:00:14 1308 -c--a-w- C:\error.fstmp
2010-01-29 08:00:14 0 -c--a-w- C:\infect.fstmp
2010-01-27 18:19:32 167312 ----a-r- c:\windows\system32\drivers\SZKGFS.sys

==================== Find3M ====================

2010-02-10 01:00:46 15 -c--a-w- c:\documents and settings\hp_administrator\settings.dat
2010-01-28 06:08:09 2002160 ----a-w- c:\program files\SUPERANTISPYWARE.EXE
2010-01-14 12:03:57 33920 ----a-w- c:\windows\system32\drivers\fsbts.sys
2010-01-08 00:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 00:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-11 00:11:40 126976 ----a-r- c:\windows\system32\IS3HTUI5.dll
2009-12-11 00:11:32 393216 ----a-r- c:\windows\system32\IS3DBA5.dll
2009-12-11 00:09:24 385024 ----a-r- c:\windows\system32\IS3UI5.dll
2009-12-11 00:09:08 61440 ----a-r- c:\windows\system32\IS3Hks5.dll
2009-12-11 00:08:48 23040 ----a-r- c:\windows\system32\IS3XDat5.dll
2009-12-11 00:06:52 225280 ----a-r- c:\windows\system32\IS3Win325.dll
2009-12-11 00:06:30 94208 ----a-r- c:\windows\system32\IS3Inet5.dll
2009-12-11 00:05:54 94208 ----a-r- c:\windows\system32\IS3Svc5.dll
2009-12-11 00:02:42 729088 ----a-r- c:\windows\system32\IS3Base5.dll
2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-04 18:22:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\dllcache\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11:44 1291776 ------w- c:\windows\system32\dllcache\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\dllcache\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\dllcache\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\dllcache\avifil32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\dllcache\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\dllcache\msrle32.dll
2009-10-07 23:16:38 74480 ----a-w- c:\program files\SASKUTIL.SYS
2009-10-07 23:16:36 548352 ----a-w- c:\program files\SASWINLO.DLL
2009-08-11 06:24:08 1068 ----a-w- c:\program files\gmluibsc.txt
2009-04-28 18:33:44 7408 ----a-r- c:\program files\SASENUM.SYS
2009-04-28 18:33:42 9968 ----a-w- c:\program files\sasdifsv.sys
2009-04-28 18:33:38 158960 ----a-w- c:\program files\SSUpdate.exe
2009-04-28 15:11:26 15542816 ----a-w- c:\program files\PROCESSLIST.DB
2009-04-28 15:11:06 1151947 ----a-w- c:\program files\PROCESSLISTRELATED.DB
2008-11-03 20:49:26 47912 ----a-w- c:\program files\RUNSAS.EXE
2008-07-28 18:10:52 411136 ----a-w- c:\program files\SASREPAIRS.STG
2008-05-13 17:13:36 77824 ----a-w- c:\program files\SASSEH.DLL
2008-03-12 18:29:50 24576 ----a-r- c:\program files\SASINST.EXE
2007-11-27 20:12:26 1088725 ----a-w- c:\program files\SUPERAntiSpyware.chm
2007-10-02 21:08:48 122168 ----a-r- c:\program files\BootSafe.exe
2007-02-27 19:39:26 61440 ----a-w- c:\program files\SASCTXMN.DLL
2006-09-19 22:55:38 360448 ----a-r- c:\program files\deupx.dll
2006-05-13 21:05:04 102268 -c--a-w- c:\program files\MXDB.DB
2006-05-09 04:47:46 101212 -c--a-w- c:\program files\MXDB.bak
2006-04-29 21:00:47 602 -c--a-w- c:\program files\ListName.TCX
2004-05-20 20:28:44 2048 ----a-w- c:\program files\detect.wav
2004-05-07 22:31:40 348160 -c--a-w- c:\program files\msvcr71.dll

============= FINISH: 16:59:08.54 ===============




UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 3/15/2006 8:48:03 PM
System Uptime: 2/20/2010 10:36:22 AM (6 hours ago)

Motherboard: ASUSTek Computer INC. | | Amberine M
Processor: AMD Athlon™ 64 Processor 3700+ | Socket 939 | 2188/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 178 GiB total, 54.545 GiB free.
D: is FIXED (FAT32) - 9 GiB total, 1.117 GiB free.
E: is CDROM ()
F: is CDROM ()
H: is Removable
I: is Removable
J: is Removable
K: is Removable
L: is Removable
M: is CDROM (CDFS)
P: is FIXED (FAT32) - 75 GiB total, 53.832 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\9472C811D800
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\9472C811D800
Service: NIC1394

Class GUID: {00000000-0000-0000-0000-000000000000}
Description: Multimedia Video Controller
Device ID: PCI\VEN_14F1&DEV_8800&SUBSYS_00000000&REV_05\4&FB75CB&0&40A4
Manufacturer:
Name: Multimedia Video Controller
PNP Device ID: PCI\VEN_14F1&DEV_8800&SUBSYS_00000000&REV_05\4&FB75CB&0&40A4
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139 Family PCI Fast Ethernet NIC
Device ID: PCI\VEN_1186&DEV_1300&SUBSYS_13011186&REV_10\4&FB75CB&0&50A4
Manufacturer: Realtek
Name: Realtek RTL8139 Family PCI Fast Ethernet NIC #2
PNP Device ID: PCI\VEN_1186&DEV_1300&SUBSYS_13011186&REV_10\4&FB75CB&0&50A4
Service: rtl8139

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.1.0
Apple Software Update
ATI Display Driver
Brother MFL-Pro Suite
CCleaner
cp_LightScribeConfig
cp_LightScribePlugin
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
Critical Update for Windows Media Player 11 (KB959772)
Data Fax SoftModem with SmartCP
DivX Web Player
Drag'n Drop CD+DVD4
F-Secure PSC Prerequisites
Flock (2.0.3)
Full Tilt Poker
Google Earth
High Achiever Grammar
High Definition Audio Driver Package - KB888111
Highlight Viewer (Windows Live Toolbar)
honestech VHS to DVD 4.0 Plus
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Image Zone for Media Center PC
HPProductAssistant
HpSdpAppCoreApp
InterVideo WinDVD Player
Java™ 6 Update 5
LightScribe 1.4.52.1
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft Application Error Reporting
Microsoft Away Mode
Microsoft Choice Guard
Microsoft Money 2005
Microsoft Office Standard Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Microsoft XML Parser
Move Networks Media Player for Internet Explorer
Mozilla Firefox (3.5.8)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero Suite
PokerStars
QuickTime
RealPlayer
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Segoe UI
Smart Menus (Windows Live Toolbar)
Sophos Anti-Rootkit 1.5.0
SpeedBit Video Accelerator
Spybot - Search & Destroy
SpywareBlaster 4.2
STOPzilla
SUPERAntiSpyware Free Edition
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
USB2.0 VIDBOX NW03
VC80CRTRedist - 8.0.50727.762
WebFldrs XP
Windows Driver Package - eMPIA Technology (USB28xxBGA) Media (06/22/2007 6.22.0116.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Upload Tool
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

2/18/2010 9:55:16 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the szserver service.
2/18/2010 9:52:25 PM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
2/18/2010 9:52:16 PM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
2/18/2010 9:52:13 PM, error: Service Control Manager [7034] - The ARSVC service terminated unexpectedly. It has done this 1 time(s).
2/18/2010 9:43:40 PM, error: ipnathlp [31008] - The DNS proxy agent was unable to read the local list of name-resolution servers from the registry. The data is the error code.
2/18/2010 11:20:00 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: iaStor IntelIde ViaIde
2/13/2010 8:13:42 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK8 AvgLdx86 AvgMfx86 Fips iaStor IntelIde ohci1394 SASDIFSV SASKUTIL ViaIde
2/13/2010 8:12:25 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service upnphost with arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}
2/13/2010 1:59:01 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

==== End Of File ===========================




GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-20 17:59:56
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\uwldapod.sys


---- System - GMER 1.0.15 ----

SSDT szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.) ZwTerminateProcess [0xF7515100] <-- ROOTKIT !!!

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8658C518

AttachedDevice \FileSystem\Ntfs \Ntfs szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] eceuh <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00027200cb42
Reg HKLM\SYSTEM\CurrentControlSet\Services\eceuh@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\eceuh@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\eceuh@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\eceuh@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00027200cb42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\eceuh@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\eceuh@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\eceuh@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\eceuh@Group Boot Bus Extender

---- EOF - GMER 1.0.15 ----

Edited by Orange Blossom, 20 February 2010 - 09:19 PM.




#2 Farbar


    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 22 February 2010 - 01:00 AM

Hi geofade,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.


You are missing one important program on that computer: An antivirus.
This is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as you can. I recommend this good free antivirus:

Avira
  • Download the installer from softpedia.com link as it has a secure download mirror. Install and update it.
  • In the left pane click Status. In the right pane click Scan system now.
  • After the scan has finished, let it remove what it finds and then click Report.
  • You can also get the last report by clicking on Reports in the left pane.
  • In the right window under Action, double-click on the last Scan listed (you will also see the corresponding Date/Time).
  • A window opens, click on Report file.
  • Copy and paste the content of the report to your reply.


#3 geofade

  • Topic Starter

  • Members
  • 38 posts
  • Gender:Male

Posted 22 February 2010 - 02:53 AM

Hey Farbar,
Thanks for the help!
Here is the report... I use STOPzilla as my antivirus.
Thanks,
Geo


Avira AntiVir Personal
Report file date: Sunday, February 21, 2010 22:40

Scanning for 1777243 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : PINOLE

Version information:
BUILD.DAT : 9.0.0.415 21609 Bytes 11/8/2009 10:00:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 10/13/2009 19:26:33
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 18:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 19:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 18:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 15:35:52
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 06:38:17
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 06:38:36
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 06:38:43
VBASE004.VDF : 7.10.3.76 2048 Bytes 1/26/2010 06:38:44
VBASE005.VDF : 7.10.3.77 2048 Bytes 1/26/2010 06:38:44
VBASE006.VDF : 7.10.3.78 2048 Bytes 1/26/2010 06:38:44
VBASE007.VDF : 7.10.3.79 2048 Bytes 1/26/2010 06:38:44
VBASE008.VDF : 7.10.3.80 2048 Bytes 1/26/2010 06:38:44
VBASE009.VDF : 7.10.3.81 2048 Bytes 1/26/2010 06:38:45
VBASE010.VDF : 7.10.3.82 2048 Bytes 1/26/2010 06:38:45
VBASE011.VDF : 7.10.3.83 2048 Bytes 1/26/2010 06:38:45
VBASE012.VDF : 7.10.3.84 2048 Bytes 1/26/2010 06:38:45
VBASE013.VDF : 7.10.3.85 2048 Bytes 1/26/2010 06:38:45
VBASE014.VDF : 7.10.3.122 172544 Bytes 1/29/2010 06:38:47
VBASE015.VDF : 7.10.3.149 79872 Bytes 2/1/2010 06:38:48
VBASE016.VDF : 7.10.3.174 68608 Bytes 2/3/2010 06:38:48
VBASE017.VDF : 7.10.3.199 76800 Bytes 2/4/2010 06:38:49
VBASE018.VDF : 7.10.3.222 64512 Bytes 2/5/2010 06:38:50
VBASE019.VDF : 7.10.3.243 75776 Bytes 2/8/2010 06:38:51
VBASE020.VDF : 7.10.4.6 81920 Bytes 2/9/2010 06:38:53
VBASE021.VDF : 7.10.4.30 78848 Bytes 2/11/2010 06:38:53
VBASE022.VDF : 7.10.4.50 107520 Bytes 2/15/2010 06:38:55
VBASE023.VDF : 7.10.4.62 105472 Bytes 2/15/2010 06:38:57
VBASE024.VDF : 7.10.4.85 111616 Bytes 2/17/2010 06:38:58
VBASE025.VDF : 7.10.4.86 2048 Bytes 2/17/2010 06:38:58
VBASE026.VDF : 7.10.4.87 2048 Bytes 2/17/2010 06:38:58
VBASE027.VDF : 7.10.4.88 2048 Bytes 2/17/2010 06:38:58
VBASE028.VDF : 7.10.4.89 2048 Bytes 2/17/2010 06:38:58
VBASE029.VDF : 7.10.4.90 2048 Bytes 2/17/2010 06:38:59
VBASE030.VDF : 7.10.4.91 2048 Bytes 2/17/2010 06:38:59
VBASE031.VDF : 7.10.4.107 122368 Bytes 2/21/2010 06:39:00
Engineversion : 8.2.1.172
AEVDF.DLL : 8.1.1.3 106868 Bytes 2/22/2010 06:39:22
AESCRIPT.DLL : 8.1.3.16 827771 Bytes 2/22/2010 06:39:22
AESCN.DLL : 8.1.4.0 127348 Bytes 2/22/2010 06:39:19
AESBX.DLL : 8.1.1.1 246132 Bytes 11/8/2009 15:38:44
AERDL.DLL : 8.1.4.2 479602 Bytes 2/22/2010 06:39:18
AEPACK.DLL : 8.2.0.8 426357 Bytes 2/22/2010 06:39:16
AEOFFICE.DLL : 8.1.0.39 196987 Bytes 2/22/2010 06:39:13
AEHEUR.DLL : 8.1.1.7 2326902 Bytes 2/22/2010 06:39:12
AEHELP.DLL : 8.1.10.0 237942 Bytes 2/22/2010 06:39:04
AEGEN.DLL : 8.1.1.87 369013 Bytes 2/22/2010 06:39:03
AEEMU.DLL : 8.1.1.0 393587 Bytes 11/8/2009 15:38:26
AECORE.DLL : 8.1.11.1 184694 Bytes 2/22/2010 06:39:01
AEBB.DLL : 8.1.0.3 53618 Bytes 11/8/2009 15:38:20
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 16:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 8/26/2009 23:14:02
AVREP.DLL : 8.0.0.7 159784 Bytes 2/22/2010 06:39:25
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 18:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 23:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 18:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 23:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 16:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 18:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 23:39:58
RCTEXT.DLL : 9.0.73.0 86785 Bytes 10/13/2009 20:25:47

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:, P:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

Start of the scan: Sunday, February 21, 2010 22:40

Starting search for hidden objects.
'77234' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'STOPzilla.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'VideoAcceleratorEngine.exe' - '1' Module(s) have been scanned
Scan process 'mcrdsvc.exe' - '1' Module(s) have been scanned
Scan process 'VideoAcceleratorService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'arservice.exe' - '1' Module(s) have been scanned
Scan process 'ezSP_Px.exe' - '1' Module(s) have been scanned
Scan process 'hpsysdrv.exe' - '1' Module(s) have been scanned
Scan process 'ALCXMNTR.EXE' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'SZServer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
36 processes with 36 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!
Master boot sector HD5
[INFO] No virus was found!
Master boot sector HD6
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Boot sector 'P:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '65' files ).


Starting the file scan:

Begin scan in 'C:\' <HP_PAVILION>
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\A0036352.exe
[DETECTION] Contains recognition pattern of the APPL/KillApplicat.A application
C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\A0036354.exe
[DETECTION] Contains recognition pattern of the APPL/KillApplicat.A application
C:\Documents and Settings\HP_Administrator\My Documents\V-pro\Downloads\snm-2.67_swpl.exe
[DETECTION] Contains recognition pattern of the PHISH/FraudTool.SpyNoMore.G.76 phishing file/email
C:\hp\bin\KillIt.exe
[DETECTION] Contains recognition pattern of the APPL/KillApp.A application
Begin scan in 'D:\' <HP_RECOVERY>
Begin scan in 'P:\' <BACKUPDRIVE>

Beginning disinfection:
C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\A0036352.exe
[DETECTION] Contains recognition pattern of the APPL/KillApplicat.A application
[NOTE] The file was moved to '4bb237ab.qua'!
C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\A0036354.exe
[DETECTION] Contains recognition pattern of the APPL/KillApplicat.A application
[NOTE] The file was moved to '4acca14c.qua'!
C:\Documents and Settings\HP_Administrator\My Documents\V-pro\Downloads\snm-2.67_swpl.exe
[DETECTION] Contains recognition pattern of the PHISH/FraudTool.SpyNoMore.G.76 phishing file/email
[NOTE] The file was moved to '4bef37e9.qua'!
C:\hp\bin\KillIt.exe
[DETECTION] Contains recognition pattern of the APPL/KillApp.A application
[NOTE] The file was moved to '4bee37e5.qua'!


End of the scan: Sunday, February 21, 2010 23:51
Used time: 55:34 Minute(s)

The scan has been done completely.

7701 Scanned directories
377644 Files were scanned
4 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
4 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
377638 Files not concerned
15363 Archives were scanned
2 Warnings
6 Notes
77234 Objects were scanned with rootkit scan
0 Hidden objects were found



#4 Farbar (Security Developer, The Netherlands)

Posted 22 February 2010 - 03:29 AM

  1. Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

  2. DDS didn't recognize STOPzilla as an antivirus and I thought it was just antispyware. In that case please uninstall Avira. Two anti-viruses on one system might cause system problems.

  3. Please tell me if you know these randomly named exe files in the Program Files directory. They are all the same size, with different names:


    2010-02-12 21:00:36 2002160 ----a-w- c:\program files\a3587819-0979-4c47-bf86-bf503d0a2e56.exe
    2010-02-12 06:28:39 2002160 ----a-w- c:\program files\cfc0efa2-ccab-40cd-b588-51fe45f4f11b.exe
    2010-02-11 22:44:00 2002160 ----a-w- c:\program files\e5e8b01a-a97e-4a63-82df-f051bcde8670.exe
    2010-02-10 00:01:12 2002160 ----a-w- c:\program files\64c3a19c-3419-42a4-a1fb-1f8dbd5f3c36.exe
    2010-02-06 22:38:28 2002160 ----a-w- c:\program files\02801f44-4f02-4c3f-8966-1ad308ebb74e.exe
    2010-02-05 22:32:26 2002160 ----a-w- c:\program files\cac351e3-9350-47d7-8a99-604bb4198209.exe
    2010-02-05 00:24:14 2002160 ----a-w- c:\program files\c44972ee-bb1b-4d4c-9b6b-10a6aeea355a.exe
    2010-02-04 14:49:55 2002160 ----a-w- c:\program files\e4145feb-8922-406e-a8c2-bc789f407d45.exe

  4. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.
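The observation in point 3 (several executables of identical size under different GUID-style names) is a triage heuristic that can be applied to the whole file listing rather than by eye. The script below is an added example written for this page; it is not part of this thread, of DDS or of ComboFix. It parses the file-listing lines those tools print, groups files by size, flags any group holding two or more GUID-named .exe files, and lists normally named files that share both the size and a common timestamp as candidate originals for the analyst to compare by hash. The sample report is constructed from lines that appear in the ComboFix log in this thread (it includes the c:\program files\SUPERANTISPYWARE.EXE entry, which carries the same 2002160-byte size and the same 2010-01-28 06:08 timestamp as the GUID-named files); a candidate is a lead to verify, not a verdict. All function and variable names are my own.

```python
import re
from collections import defaultdict

# One file-listing line of a ComboFix report ("Files Created" / "Find3M"):
#   2010-02-12 21:00 . 2010-01-28 06:08 2002160 ----a-w- c:\program files\x.exe
# or of a DDS report, which carries a single timestamp with seconds:
#   2010-02-12 21:00:36 2002160 ----a-w- c:\program files\x.exe
# Directory entries print eight dashes in place of a size.
LINE_RE = re.compile(
    r"^(?P<ts1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)"
    r"(?: \. (?P<ts2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r" (?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>\S.*)$"
)

# A path whose file name is a bare GUID with an .exe extension.
GUID_EXE_RE = re.compile(
    r"\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.exe$",
    re.IGNORECASE,
)

# Constructed sample: lines taken from the ComboFix log in this thread, plus a
# directory entry and two unrelated files so the grouping has something to ignore.
SAMPLE_REPORT = r"""
2010-02-22 06:34 . 2009-07-28 23:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-22 06:34 . 2010-02-22 06:34 -------- d-----w- c:\program files\Avira
2010-02-12 21:00 . 2010-01-28 06:08 2002160 ----a-w- c:\program files\a3587819-0979-4c47-bf86-bf503d0a2e56.exe
2010-02-12 06:28 . 2010-01-28 06:08 2002160 ----a-w- c:\program files\cfc0efa2-ccab-40cd-b588-51fe45f4f11b.exe
2010-02-11 22:44 . 2010-01-28 06:08 2002160 ----a-w- c:\program files\e5e8b01a-a97e-4a63-82df-f051bcde8670.exe
2010-02-10 00:01 . 2010-01-28 06:08 2002160 ----a-w- c:\program files\64c3a19c-3419-42a4-a1fb-1f8dbd5f3c36.exe
2010-01-28 06:08 . 2009-04-28 18:33 2002160 ----a-w- c:\program files\SUPERANTISPYWARE.EXE
2009-10-07 23:16 . 2009-04-28 18:33 74480 ----a-w- c:\program files\SASKUTIL.SYS
"""


def parse_entries(report_text):
    """Return a dict per file line (size, set of timestamps, path); skip the rest."""
    entries = []
    for line in report_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("attrs").startswith("d") or not m.group("size").isdigit():
            continue  # prose, section banner or directory entry
        stamps = {m.group("ts1")}
        if m.group("ts2"):
            stamps.add(m.group("ts2"))
        entries.append({"size": int(m.group("size")), "stamps": stamps,
                        "path": m.group("path")})
    return entries


def find_guid_clusters(entries, min_guid_files=2):
    """Flag groups of >= min_guid_files GUID-named .exe files of identical size.

    The two ComboFix timestamps are not labelled in the report, so they are
    treated as an unordered pair. A timestamp shared by every GUID-named file in
    a group is the one a plain file copy would preserve; a normally named file of
    the same size carrying that timestamp is reported as a candidate original.
    DDS lines carry one timestamp each, so for them no candidate is reported.
    """
    by_size = defaultdict(list)
    for e in entries:
        by_size[e["size"]].append(e)
    hits = []
    for size in sorted(by_size):
        group = by_size[size]
        guid = [e for e in group if GUID_EXE_RE.search(e["path"])]
        if len(guid) < min_guid_files:
            continue
        common = set.intersection(*(e["stamps"] for e in guid))
        candidates = sorted(e["path"] for e in group
                            if e not in guid and e["stamps"] & common)
        hits.append({"size": size,
                     "common_stamps": sorted(common),
                     "guid_paths": sorted(e["path"] for e in guid),
                     "candidates": candidates})
    return hits


def main():
    for hit in find_guid_clusters(parse_entries(SAMPLE_REPORT)):
        print(f"{len(hit['guid_paths'])} GUID-named executables of {hit['size']} bytes, "
              f"shared timestamp(s): {', '.join(hit['common_stamps']) or 'none'}")
        for p in hit["guid_paths"]:
            print("   ", p)
        for p in hit["candidates"]:
            print("    candidate original (compare hashes):", p)


if __name__ == "__main__":
    main()
```

Feed the script the "Files Created" and "Find3M" sections of a ComboFix log (or the "Created" section of a DDS log) and it prints each size group of GUID-named executables together with any same-size, same-timestamp file under a recognizable name. On the sample it reports one group of four 2002160-byte GUID-named files and names SUPERANTISPYWARE.EXE as the candidate; confirming or refuting that link is done by hashing the files, which is exactly what the VirusTotal step later in this thread provides for one of them.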



#5 geofade (Topic Starter)

Posted 23 February 2010 - 03:37 PM

Hey Farbar,

1. I agree to not make any changes to the computer from now on.

2. I uninstalled stopzilla and kept Avira for now.

3. 2010-02-12 21:00:36 2002160 ----a-w- c:\program files\a3587819-0979-4c47-bf86-bf503d0a2e56.exe
2010-02-12 06:28:39 2002160 ----a-w- c:\program files\cfc0efa2-ccab-40cd-b588-51fe45f4f11b.exe
2010-02-11 22:44:00 2002160 ----a-w- c:\program files\e5e8b01a-a97e-4a63-82df-f051bcde8670.exe
2010-02-10 00:01:12 2002160 ----a-w- c:\program files\64c3a19c-3419-42a4-a1fb-1f8dbd5f3c36.exe
2010-02-06 22:38:28 2002160 ----a-w- c:\program files\02801f44-4f02-4c3f-8966-1ad308ebb74e.exe
2010-02-05 22:32:26 2002160 ----a-w- c:\program files\cac351e3-9350-47d7-8a99-604bb4198209.exe
2010-02-05 00:24:14 2002160 ----a-w- c:\program files\c44972ee-bb1b-4d4c-9b6b-10a6aeea355a.exe
2010-02-04 14:49:55 2002160 ----a-w- c:\program files\e4145feb-8922-406e-a8c2-bc789f407d45.exe

I don't recognize any of these files... any files I download or install have a name that I can recognize.

4. Here is the ComboFix log. When I ran ComboFix, the computer automatically rebooted; I hope that it was meant to do that.

ComboFix 10-02-21.02 - HP_Administrator 02/22/2010 11:21:06.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.416 [GMT -8:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\hjgruigmrwrnod.dat
c:\windows\system32\hjgruipulvbwtx.dll.uss_dis
c:\windows\system32\hjgruitkonippm.dat
c:\windows\system32\Thumbs.db
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_hjgruibrkrotrd
-------\Service_hjgruibrkrotrd


((((((((((((((((((((((((( Files Created from 2010-01-22 to 2010-02-22 )))))))))))))))))))))))))))))))
.

2010-02-22 06:34 . 2009-07-28 23:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-22 06:34 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-02-22 06:34 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-02-22 06:34 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-02-22 06:34 . 2010-02-22 06:34 -------- dc----w- c:\documents and settings\All Users\Application Data\Avira
2010-02-22 06:34 . 2010-02-22 06:34 -------- d-----w- c:\program files\Avira
2010-02-19 21:33 . 2009-06-18 20:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-02-19 05:47 . 2010-02-19 05:47 -------- d-----w- c:\program files\Sophos
2010-02-12 21:06 . 2010-02-12 21:06 -------- d-----w- c:\program files\AVG
2010-02-12 21:00 . 2010-01-28 06:08 2002160 ----a-w- c:\program files\a3587819-0979-4c47-bf86-bf503d0a2e56.exe
2010-02-12 06:28 . 2010-01-28 06:08 2002160 ----a-w- c:\program files\cfc0efa2-ccab-40cd-b588-51fe45f4f11b.exe
2010-02-12 05:55 . 2010-02-12 05:55 217088 -c-ha-w- C:\SZKGFS.dat
2010-02-12 04:49 . 2010-02-12 04:49 -------- dc----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\FreeFixer
2010-02-12 04:49 . 2010-02-12 04:49 -------- dc----w- c:\documents and settings\HP_Administrator\Application Data\FreeFixer
2010-02-12 04:26 . 2010-02-12 05:54 -------- d-----w- c:\program files\SpywareBlaster
2010-02-12 04:10 . 2010-02-12 04:10 1152 ----a-w- c:\windows\system32\windrv.sys
2010-02-12 04:10 . 2010-02-12 04:10 -------- dc----w- c:\documents and settings\HP_Administrator\Application Data\GetRightToGo
2010-02-11 22:44 . 2010-01-28 06:08 2002160 ----a-w- c:\program files\e5e8b01a-a97e-4a63-82df-f051bcde8670.exe
2010-02-10 04:36 . 2010-02-10 04:36 -------- dc----w- c:\documents and settings\All Users\Application Data\CA
2010-02-10 04:05 . 2010-02-10 04:05 -------- d-----w- c:\program files\ESET
2010-02-10 03:59 . 2010-02-12 06:46 -------- dc----w- c:\documents and settings\HP_Administrator\Application Data\QuickScan
2010-02-10 03:58 . 2010-01-12 01:32 698184 -c--a-w- c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\o4dwkt3h.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
2010-02-10 03:58 . 2010-01-12 01:33 789320 -c--a-w- c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\o4dwkt3h.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-02-10 02:31 . 2010-02-10 02:31 -------- d-----w- c:\program files\CCleaner
2010-02-10 02:31 . 2010-02-10 02:31 -------- dc----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Downloaded Installations
2010-02-10 00:01 . 2010-01-28 06:08 2002160 ----a-w- c:\program files\64c3a19c-3419-42a4-a1fb-1f8dbd5f3c36.exe
2010-02-06 22:38 . 2010-01-28 06:08 2002160 ----a-w- c:\program files\02801f44-4f02-4c3f-8966-1ad308ebb74e.exe
2010-02-06 02:36 . 2010-02-09 23:22 -------- d-----w- c:\program files\Enigma Software Group
2010-02-05 22:32 . 2010-01-28 06:08 2002160 ----a-w- c:\program files\cac351e3-9350-47d7-8a99-604bb4198209.exe
2010-02-05 21:39 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-02-05 21:22 . 2010-02-09 23:25 -------- dc----w- c:\documents and settings\All Users\Application Data\RegCure
2010-02-05 00:24 . 2010-01-28 06:08 2002160 ----a-w- c:\program files\c44972ee-bb1b-4d4c-9b6b-10a6aeea355a.exe
2010-02-04 14:49 . 2010-01-28 06:08 2002160 ----a-w- c:\program files\e4145feb-8922-406e-a8c2-bc789f407d45.exe
2010-02-02 07:43 . 2010-02-02 07:43 5115823 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-22 19:08 . 2009-08-04 06:07 -------- dc----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-02-22 18:45 . 2010-02-22 18:45 832 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-02-21 05:44 . 2010-02-21 05:44 0 ----a-w- c:\windows\system32\drivers\396f3e3804160f43408c6f462c6e363a.szcpf
2010-02-13 03:53 . 2009-07-29 07:48 -------- dc--a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-12 07:03 . 2009-07-29 07:57 -------- dc----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-10 03:24 . 2007-12-10 20:47 -------- dc----w- c:\documents and settings\All Users\Application Data\fssg
2010-02-10 03:12 . 2008-12-04 02:17 -------- dc----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-02-10 02:31 . 2007-01-09 08:51 -------- dc----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-02-10 02:31 . 2006-03-16 07:24 -------- d-----w- c:\program files\Yahoo!
2010-02-10 02:31 . 2009-04-30 20:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-10 01:02 . 2005-12-02 23:47 -------- d-----w- c:\program files\Common Files\LightScribe
2010-02-10 01:00 . 2009-08-11 06:31 15 -c--a-w- c:\documents and settings\HP_Administrator\settings.dat
2010-02-04 20:01 . 2010-02-04 20:01 24 ----a-w- c:\documents and settings\LocalService\Application Data\anvkgp.dat
2010-01-28 06:08 . 2009-04-28 18:33 2002160 ----a-w- c:\program files\SUPERANTISPYWARE.EXE
2010-01-20 19:00 . 2008-08-08 12:44 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-16 01:25 . 2010-01-16 01:24 -------- d-----w- c:\program files\QuickTime
2010-01-16 01:23 . 2006-07-17 09:28 -------- dc----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-16 01:23 . 2010-01-16 01:23 -------- d-----w- c:\program files\Apple Software Update
2010-01-16 01:23 . 2010-01-16 01:23 -------- dc----w- c:\documents and settings\All Users\Application Data\Apple
2010-01-16 01:21 . 2010-01-16 01:21 -------- d-----w- c:\program files\DIFX
2010-01-16 01:21 . 2010-01-16 01:21 -------- d-----w- c:\program files\VIDBOX NW03
2010-01-16 01:21 . 2005-12-02 23:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-16 01:18 . 2010-01-16 01:18 -------- d-----w- c:\program files\honestech
2010-01-16 01:17 . 2010-01-16 01:17 -------- d-----w- c:\program files\honestech VHS to DVD 4.0 Plus
2010-01-16 01:16 . 2010-01-16 01:16 -------- dc----w- c:\documents and settings\HP_Administrator\Application Data\InstallShield
2010-01-14 12:03 . 2008-12-24 22:47 33920 ----a-w- c:\windows\system32\drivers\fsbts.sys
2010-01-10 09:38 . 2006-05-25 03:34 -------- d-----w- c:\program files\muvee
2010-01-08 00:07 . 2009-04-30 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 00:07 . 2009-04-30 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-07 09:15 . 2008-05-12 23:55 -------- d-----w- c:\program files\PokerStars
2009-12-31 16:50 . 2004-08-10 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-10 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2004-08-10 12:00 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-10 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-04 18:22 . 2004-08-10 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2004-08-10 19:00 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11 . 2004-08-10 12:00 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07 . 2004-08-10 19:00 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-10 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2004-08-10 19:00 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07 . 2004-08-10 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-10 12:00 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-10-07 23:16 . 2009-04-28 18:33 74480 ----a-w- c:\program files\SASKUTIL.SYS
2009-10-07 23:16 . 2008-12-22 19:05 548352 ----a-w- c:\program files\SASWINLO.DLL
2009-08-11 06:24 . 2009-08-11 06:24 1068 ----a-w- c:\program files\gmluibsc.txt
2009-04-28 18:33 . 2009-04-28 18:33 7408 ----a-r- c:\program files\SASENUM.SYS
2009-04-28 18:33 . 2009-04-28 18:33 9968 ----a-w- c:\program files\sasdifsv.sys
2009-04-28 18:33 . 2009-04-28 18:33 158960 ----a-w- c:\program files\SSUpdate.exe
2009-04-28 15:11 . 2009-04-28 15:11 15542816 ----a-w- c:\program files\PROCESSLIST.DB
2009-04-28 15:11 . 2009-04-28 15:11 1151947 ----a-w- c:\program files\PROCESSLISTRELATED.DB
2008-11-03 20:49 . 2008-11-03 20:49 47912 ----a-w- c:\program files\RUNSAS.EXE
2008-07-28 18:10 . 2008-07-28 18:10 411136 ----a-w- c:\program files\SASREPAIRS.STG
2008-05-13 17:13 . 2008-05-13 17:13 77824 ----a-w- c:\program files\SASSEH.DLL
2008-03-12 18:29 . 2008-03-12 18:29 24576 ----a-r- c:\program files\SASINST.EXE
2007-11-27 20:12 . 2007-11-27 20:12 1088725 ----a-w- c:\program files\SUPERAntiSpyware.chm
2007-10-02 21:08 . 2007-10-02 21:08 122168 ----a-r- c:\program files\BootSafe.exe
2007-02-27 19:39 . 2007-02-27 19:39 61440 ----a-w- c:\program files\SASCTXMN.DLL
2006-09-19 22:55 . 2006-09-19 22:55 360448 ----a-r- c:\program files\deupx.dll
2006-05-13 21:05 . 2006-04-29 04:30 102268 -c--a-w- c:\program files\MXDB.DB
2006-05-09 04:47 . 2006-04-29 04:30 101212 -c--a-w- c:\program files\MXDB.bak
2006-04-29 21:00 . 2006-04-29 20:16 602 -c--a-w- c:\program files\ListName.TCX
2004-05-20 20:28 . 2004-05-20 20:28 2048 ----a-w- c:\program files\detect.wav
2004-05-07 22:31 . 2004-05-07 22:31 348160 -c--a-w- c:\program files\msvcr71.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"RECGUARD"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2003-11-01 45056]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-10-07 23:16 548352 ----a-w- c:\program files\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
2005-08-03 07:19 77312 -c--a-w- c:\windows\arpwrmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
2003-11-01 03:49 45056 -c--a-w- c:\windows\system32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-12 14:12 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2004-11-11 01:02 1880064 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 17:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-06 00:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-05-30 03:30 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\Macromed\\Flash\\NPSWF32_FlashUtil.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [12/24/2008 2:47 PM 33920]
R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [4/25/2006 6:16 PM 15172]
R1 SASDIFSV;SASDIFSV;c:\program files\sasdifsv.sys [4/28/2009 10:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SASKUTIL.SYS [4/28/2009 10:33 AM 74480]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2/19/2010 1:33 PM 18816]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2/21/2010 10:34 PM 108289]
R2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]
S0 eceuh;eceuh; [x]
S3 FSORSPClient;F-Secure ORSP Client;"c:\program files\Charter Security Suite\ORSP Client\fsorsp.exe" --> c:\program files\Charter Security Suite\ORSP Client\fsorsp.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\15.tmp --> c:\windows\system32\15.tmp [?]
S3 SASENUM;SASENUM;c:\program files\SASENUM.SYS [4/28/2009 10:33 AM 7408]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: cainternetsecurity.net
Trusted Zone: yahoo.com\www
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\o4dwkt3h.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\o4dwkt3h.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
HKLM-Run-SNM - c:\program files\SpyNoMore\SNM.exe
MSConfigStartUp-Drag'n Drop CD+DVD4 - c:\program files\Drag'n Drop CD+DVD4\BinFiles\DragDrop.exe
MSConfigStartUp-News Service - c:\program files\Charter High-Speed Security Suite\FSGUI\ispnews.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-22 11:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\15.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3f,3f,21,23,6e,e0,1d,4b,90,54,cc,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3f,3f,21,23,6e,e0,1d,4b,90,54,cc,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\program files\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3132)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\arservice.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\ALCXMNTR.EXE
c:\progra~1\SPEEDB~1\VideoAcceleratorEngine.exe
.
**************************************************************************
.
Completion time: 2010-02-22 11:33:50 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-22 19:33

Pre-Run: 58,415,480,832 bytes free
Post-Run: 58,628,190,208 bytes free

- - End Of File - - 6E84F477D7ECACE63C8D4E542A2DD7DB


Thanks for the help!
Geo

#6 Farbar (Security Developer, The Netherlands)

Posted 23 February 2010 - 05:31 PM

Well done.

Click on this link--> virustotal

Click the browse button. Copy and paste the lines in bold in the open box, then click Send File after pasting one line. You will only be able to have one file scanned at a time.

c:\program files\64c3a19c-3419-42a4-a1fb-1f8dbd5f3c36.exe

If the file has been analyzed before, click the Reanalyse File Now button.
Please copy and paste the results of the scan in your next post.

#7 geofade (Topic Starter)

Posted 23 February 2010 - 07:58 PM

Hey farbar,

Thanks for the help!
Here is the log!


File 64c3a19c-3419-42a4-a1fb-1f8dbd5f3 received on 2010.02.24 00:53:42 (UTC)
Result: 0/41 (0%)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.23 -
AhnLab-V3 5.0.0.2 2010.02.23 -
AntiVir 8.2.1.172 2010.02.23 -
Antiy-AVL 2.0.3.7 2010.02.23 -
Authentium 5.2.0.5 2010.02.23 -
Avast 4.8.1351.0 2010.02.23 -
AVG 9.0.0.730 2010.02.24 -
BitDefender 7.2 2010.02.24 -
CAT-QuickHeal 10.00 2010.02.23 -
ClamAV 0.96.0.0-git 2010.02.23 -
Comodo 4040 2010.02.23 -
DrWeb 5.0.1.12222 2010.02.24 -
eSafe 7.0.17.0 2010.02.23 -
eTrust-Vet 35.2.7323 2010.02.23 -
F-Prot 4.5.1.85 2010.02.23 -
F-Secure 9.0.15370.0 2010.02.24 -
Fortinet 4.0.14.0 2010.02.21 -
GData 19 2010.02.24 -
Ikarus T3.1.1.80.0 2010.02.23 -
Jiangmin 13.0.900 2010.02.23 -
K7AntiVirus 7.10.981 2010.02.23 -
Kaspersky 7.0.0.125 2010.02.24 -
McAfee 5901 2010.02.23 -
McAfee+Artemis 5901 2010.02.23 -
McAfee-GW-Edition 6.8.5 2010.02.23 -
Microsoft 1.5406 2010.02.23 -
NOD32 4891 2010.02.23 -
Norman 6.04.08 2010.02.23 -
nProtect 2009.1.8.0 2010.02.23 -
Panda 10.0.2.2 2010.02.23 -
PCTools 7.0.3.5 2010.02.23 -
Prevx 3.0 2010.02.24 -
Rising 22.34.01.03 2010.02.11 -
Sophos 4.50.0 2010.02.23 -
Sunbelt 5696 2010.02.24 -
Symantec 20091.2.0.41 2010.02.24 -
TheHacker 6.5.1.6.208 2010.02.24 -
TrendMicro 9.120.0.1004 2010.02.23 -
VBA32 3.12.12.2 2010.02.23 -
ViRobot 2010.2.23.2198 2010.02.23 -
VirusBuster 5.0.27.0 2010.02.24 -
Additional information
File size: 2002160 bytes
MD5...: d2d23a999f3795dec7ec439be1933e95
SHA1..: 0542a8fa43ee80e9743a60f26e4f70c76fc3e269
SHA256: 3cda05673fee9d73c92af7f8c78728f44ada4069992519c106cabd13d1b3d7e3
ssdeep: 24576:DPw1hwlAB7Yu4bxBIjQmOdG4KTb+wmXhDrd4A1PZzaZ6mtmNxHAsGAsagM75:ywvTNnRTBaZp6VAsGAsZMV
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xa2de5
timedatestamp.....: 0x4b436050 (Tue Jan 05 15:52:48 2010)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xdec93 0xdee00 6.42 6a14ced7612e0b180f715cfbbc135444
.rdata 0xe0000 0x287e6 0x28800 5.03 43c5e8352d5d86adb5b9d389d75ab8f9
.data 0x109000 0x54c64 0x9c00 5.35 4fe72e4c7bcdce3bc36d9372600aff21
.rsrc 0x15e000 0xd694c 0xd6a00 6.50 bea43a530b3f8d6d9133d8495ef6139c

( 14 imports )
> KERNEL32.dll: SetFilePointer, DeleteFileA, DeleteFileW, CopyFileA, CopyFileW, CreateDirectoryW, GetFileAttributesA, GetFileAttributesW, SetFileAttributesA, SetFileAttributesW, MoveFileExA, MoveFileExW, GetFileTime, GetShortPathNameA, GetShortPathNameW, GetOverlappedResult, RemoveDirectoryA, RemoveDirectoryW, BackupRead, BackupSeek, CreateEventA, CreateEventW, OpenProcess, TerminateProcess, CreateToolhelp32Snapshot, Toolhelp32ReadProcessMemory, Module32First, Module32FirstW, Module32Next, Module32NextW, Process32First, Process32FirstW, Process32Next, Process32NextW, GetVersionExA, lstrlenW, HeapAlloc, GetProcessHeap, MultiByteToWideChar, TlsAlloc, SetNamedPipeHandleState, WaitNamedPipeA, GetSystemTime, SetLastError, TlsSetValue, TlsGetValue, SearchPathA, GetWindowsDirectoryA, VirtualAlloc, VirtualFree, VirtualProtect, HeapCreate, HeapDestroy, QueryPerformanceCounter, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, QueryPerformanceFrequency, TlsFree, OutputDebugStringA, GetCurrentThreadId, WaitForSingleObject, FileTimeToSystemTime, FileTimeToLocalFileTime, DosDateTimeToFileTime, GetDiskFreeSpaceExA, MoveFileA, GetTempFileNameA, SetEndOfFile, SetFileTime, IsBadReadPtr, HeapFree, GetVolumeInformationA, GetModuleHandleA, MapViewOfFile, CreateFileMappingA, UnmapViewOfFile, VirtualQuery, GetDiskFreeSpaceA, GetSystemDirectoryA, GetDriveTypeA, GetCommandLineA, MulDiv, SetProcessAffinityMask, GetProcessAffinityMask, FindNextFileW, SystemTimeToFileTime, ResetEvent, GlobalMemoryStatus, GetFileSize, SetUnhandledExceptionFilter, GetSystemDefaultLangID, GetComputerNameA, VerLanguageNameA, CompareFileTime, SetEvent, GetLogicalDriveStringsA, CallNamedPipeA, GetLocaleInfoA, LocalFileTimeToFileTime, GetCurrentDirectoryA, GetFileInformationByHandle, FindNextFileA, FindFirstFileW, FindFirstFileA, VirtualLock, FindResourceA, LoadResource, LockResource, FreeResource, VirtualUnlock, SetCurrentDirectoryA, SetVolumeLabelA, CreateProcessA, IsBadStringPtrA, FileTimeToDosDateTime, GlobalSize, GlobalReAlloc, IsDBCSLeadByte, lstrcmpA, GlobalLock, GlobalAlloc, GlobalHandle, GlobalUnlock, GlobalFree, SetEnvironmentVariableA, CompareStringW, CompareStringA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, FlushFileBuffers, SetStdHandle, InitializeCriticalSectionAndSpinCount, GetStringTypeW, GetStringTypeA, GetFileType, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, GetTimeZoneInformation, HeapSize, GetConsoleMode, GetConsoleCP, ExitProcess, HeapReAlloc, GetStdHandle, LCMapStringW, LCMapStringA, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, InterlockedDecrement, InterlockedIncrement, GetModuleHandleW, IsDebuggerPresent, UnhandledExceptionFilter, GetStartupInfoA, GetSystemTimeAsFileTime, RtlUnwind, RaiseException, InterlockedExchange, LocalFree, LocalAlloc, WriteFile, ReadFile, CreateFileW, LoadLibraryA, CloseHandle, WideCharToMultiByte, OpenEventA, FindClose, lstrcpynA, GetTempPathA, CreateDirectoryA, ExpandEnvironmentStringsA, GetProcAddress, FreeLibrary, lstrlenA, GetModuleFileNameA, lstrcpyA, lstrcatA, GetTickCount, Sleep, GetFullPathNameA, GetCurrentProcessId, DeviceIoControl, GetLastError, CreateFileA, GetCurrentProcess, GetLocalTime, CreateThread, lstrcmpiA
> USER32.dll: GetClientRect, CreateWindowExA, GetWindowRect, CharUpperBuffA, CharPrevA, CharNextA, OemToCharA, CharUpperA, GetActiveWindow, GetWindowThreadProcessId, WaitForInputIdle, CharLowerA, OemToCharBuffA, CharToOemA, SendMessageA, ShowWindow, DestroyWindow, TranslateAcceleratorA, GetFocus, GetNextDlgTabItem, GetMessageA, LoadAcceleratorsA, GetAsyncKeyState, FindWindowA, EnableWindow, SendMessageTimeoutA, SetWindowTextA, FindWindowExA, BringWindowToTop, GetForegroundWindow, IsIconic, SendDlgItemMessageA, IsWindowVisible, IsWindow, GetDlgItem, CreateDialogParamA, PostMessageA, GetSystemMetrics, ExitWindowsEx, wsprintfA, DispatchMessageA, IsDialogMessageA, DestroyAcceleratorTable, SetWindowsHookExA, GetSysColor, FillRect, DrawIconEx, FrameRect, PostQuitMessage, TranslateMessage, PeekMessageA, MessageBoxA, LoadImageA, MoveWindow, ScreenToClient, EndPaint, DrawTextA, DrawEdge, BeginPaint, CallWindowProcA, SetCursor, LoadCursorA, GetWindowTextA, GetWindowLongA, SetWindowLongA, GetClassNameA, EnumChildWindows, GetMenuItemCount, GetMenuItemInfoA, GetMenuStringA, SetMenuItemInfoA, LoadMenuA, GetSubMenu, CheckMenuItem, DeleteMenu, TrackPopupMenu, DestroyMenu, CallNextHookEx, SetDlgItemInt, EnumWindows, RegisterWindowMessageA, GetCursorPos, GetDesktopWindow, SetRect, GetClassInfoA, LoadIconA, CopyRect, SystemParametersInfoA, GetDC, ReleaseDC, RegisterClassA, InvalidateRect, UpdateWindow, DefWindowProcA, CheckDlgButton, IsDlgButtonChecked, KillTimer, SetTimer, DialogBoxParamA, EndDialog, LoadStringA, SetFocus, GetDlgItemTextA, SetDlgItemTextA, GetParent, SetForegroundWindow, SetWindowPos, SetActiveWindow
> GDI32.dll: SetBkMode, DeleteDC, BitBlt, GetObjectA, CreateCompatibleDC, SelectObject, CreateSolidBrush, SetBkColor, GetTextExtentPoint32A, GetStockObject, SetTextColor, DeleteObject, SetGraphicsMode, ModifyWorldTransform, SetViewportOrgEx, CreateFontIndirectA, GetBkColor, ExtTextOutA, SetWindowOrgEx, GetDeviceCaps
> SHELL32.dll: SHGetPathFromIDListA, SHBrowseForFolderA, Shell_NotifyIconA, ShellExecuteA, ShellExecuteExA, SHFileOperationA, SHGetMalloc, SHGetSpecialFolderLocation
> ole32.dll: StgCreateDocfile, StgCreateStorageEx, StgIsStorageFile, OleUninitialize, CoTaskMemFree, StgOpenStorage, StgOpenStorageEx, CoInitializeSecurity, CoSetProxyBlanket, OleInitialize, CoInitialize, CoUninitialize, CoCreateInstance, CoCreateGuid, StringFromGUID2, CoInitializeEx
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -
> SHLWAPI.dll: PathRemoveBackslashA, PathGetDriveNumberA, PathFindNextComponentA, StrChrA, PathRemoveExtensionA, StrStrA, PathQuoteSpacesA, PathRemoveArgsA, PathUnquoteSpacesA, StrCmpNIA, PathRemoveBlanksA, PathGetArgsA, StrCpyW, PathFindFileNameA, SHCopyKeyW, SHCopyKeyA, SHDeleteValueW, SHDeleteValueA, SHDeleteKeyW, PathStripToRootA, PathIsFileSpecA, PathIsNetworkPathA, UrlUnescapeA, StrCmpNA, PathAddExtensionA, PathSetDlgItemPathA, StrRChrA, PathFindExtensionA, PathRemoveFileSpecA, StrStrIA, PathAppendA, PathAddBackslashA, PathFileExistsA, PathFileExistsW, PathIsDirectoryA, PathIsDirectoryW, SHGetValueA, SHGetValueW, SHSetValueA, SHSetValueW, SHDeleteKeyA
> WINMM.dll: timeGetTime, PlaySoundA
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoSizeW, GetFileVersionInfoA, GetFileVersionInfoW, VerQueryValueA
> IPHLPAPI.DLL: GetAdaptersInfo
> COMCTL32.dll: InitCommonControlsEx, ImageList_Create, ImageList_ReplaceIcon, PropertySheetA, CreatePropertySheetPageA
> WININET.dll: FindNextUrlCacheEntryA, FindCloseUrlCache, DeleteUrlCacheEntry, InternetCrackUrlA, HttpSendRequestW, HttpSendRequestA, HttpOpenRequestW, HttpOpenRequestA, InternetConnectW, InternetConnectA, InternetOpenW, InternetOpenA, InternetCloseHandle, FindFirstUrlCacheEntryA, InternetReadFile, InternetOpenUrlA, InternetGetCookieA
> WS2_32.dll: WSCInstallProvider
> COMDLG32.dll: GetSaveFileNameA

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win64 Executable Generic (87.2%)
Win32 Executable Generic (8.6%)
Generic Win/DOS Executable (2.0%)
DOS Executable Generic (2.0%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: SUPERAntiSpyware.com
copyright....: Copyright © 2005-2010 by SUPERAntiSpyware.com and SUPERAdBlocker.com
product......: SUPERAntiSpyware
description..: SUPERAntiSpyware Application
original name: SUPERAntiSpyware.exe
internal name: SUPERAntiSpyware Application
file version.: 4, 33, 0, 1000
comments.....: n/a
signers......: SuperAdBlocker.com
Thawte Code Signing CA
Thawte Premium Server CA
signing date.: 1:54 AM 2/24/2010
verified.....: -

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 24 February 2010 - 12:03 PM

Now I see these files are made by SUPERAntiSpyware, randomly named, probably to be able to escape blacklisting by the malware. But I don't know why they are left behind. You may delete them, as I'm sure SAS makes them when needed.

Probably there is nothing to upload, but this is the rootkit Malwarebytes had trouble removing, and we want to make sure it is removed.

Open notepad and copy/paste the text in the code box below into it:

CODE
http://www.bleepingcomputer.com/forums/t/297352/infected-with-rootkit-agent/

collect::
C:\WINDOWS\system32\drivers\eceuh.sys

Driver::
eceuh
RegLockDel::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]


Save this as CFScript.txt





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Please copy and paste that log in your next reply.

**Important Note**



#9 geofade

geofade
  • Topic Starter

  • Members
  • 38 posts
  • Gender:Male

Posted 24 February 2010 - 03:06 PM

Hey farbar,

Thanks again for helping me!

Here is the Log...
Geo


ComboFix 10-02-24.01 - HP_Administrator 02/24/2010 11:50:54.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.451 [GMT -8:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ECEUH
-------\Service_eceuh


((((((((((((((((((((((((( Files Created from 2010-01-24 to 2010-02-24 )))))))))))))))))))))))))))))))
.

2010-02-22 06:34 . 2010-02-23 06:35 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-22 06:34 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-02-22 06:34 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-02-22 06:34 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-02-22 06:34 . 2010-02-22 06:34 -------- dc----w- c:\documents and settings\All Users\Application Data\Avira
2010-02-22 06:34 . 2010-02-22 06:34 -------- d-----w- c:\program files\Avira
2010-02-19 21:33 . 2009-06-18 20:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-02-19 05:47 . 2010-02-19 05:47 -------- d-----w- c:\program files\Sophos
2010-02-12 21:06 . 2010-02-12 21:06 -------- d-----w- c:\program files\AVG
2010-02-12 21:00 . 2010-01-28 06:08 2002160 ----a-w- c:\program files\a3587819-0979-4c47-bf86-bf503d0a2e56.exe
2010-02-12 06:28 . 2010-01-28 06:08 2002160 ----a-w- c:\program files\cfc0efa2-ccab-40cd-b588-51fe45f4f11b.exe
2010-02-12 05:55 . 2010-02-12 05:55 217088 -c-ha-w- C:\SZKGFS.dat
2010-02-12 04:49 . 2010-02-12 04:49 -------- dc----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\FreeFixer
2010-02-12 04:49 . 2010-02-12 04:49 -------- dc----w- c:\documents and settings\HP_Administrator\Application Data\FreeFixer
2010-02-12 04:26 . 2010-02-12 05:54 -------- d-----w- c:\program files\SpywareBlaster
2010-02-12 04:10 . 2010-02-12 04:10 1152 ----a-w- c:\windows\system32\windrv.sys
2010-02-12 04:10 . 2010-02-12 04:10 -------- dc----w- c:\documents and settings\HP_Administrator\Application Data\GetRightToGo
2010-02-11 22:44 . 2010-01-28 06:08 2002160 ----a-w- c:\program files\e5e8b01a-a97e-4a63-82df-f051bcde8670.exe
2010-02-10 04:36 . 2010-02-10 04:36 -------- dc----w- c:\documents and settings\All Users\Application Data\CA
2010-02-10 04:05 . 2010-02-10 04:05 -------- d-----w- c:\program files\ESET
2010-02-10 03:59 . 2010-02-12 06:46 -------- dc----w- c:\documents and settings\HP_Administrator\Application Data\QuickScan
2010-02-10 03:58 . 2010-01-12 01:32 698184 -c--a-w- c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\o4dwkt3h.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
2010-02-10 03:58 . 2010-01-12 01:33 789320 -c--a-w- c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\o4dwkt3h.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-02-10 02:31 . 2010-02-10 02:31 -------- d-----w- c:\program files\CCleaner
2010-02-10 02:31 . 2010-02-10 02:31 -------- dc----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Downloaded Installations
2010-02-10 00:01 . 2010-01-28 06:08 2002160 ----a-w- c:\program files\64c3a19c-3419-42a4-a1fb-1f8dbd5f3c36.exe
2010-02-06 22:38 . 2010-01-28 06:08 2002160 ----a-w- c:\program files\02801f44-4f02-4c3f-8966-1ad308ebb74e.exe
2010-02-06 02:36 . 2010-02-09 23:22 -------- d-----w- c:\program files\Enigma Software Group
2010-02-05 22:32 . 2010-01-28 06:08 2002160 ----a-w- c:\program files\cac351e3-9350-47d7-8a99-604bb4198209.exe
2010-02-05 21:39 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-02-05 21:22 . 2010-02-09 23:25 -------- dc----w- c:\documents and settings\All Users\Application Data\RegCure
2010-02-05 00:24 . 2010-01-28 06:08 2002160 ----a-w- c:\program files\c44972ee-bb1b-4d4c-9b6b-10a6aeea355a.exe
2010-02-04 14:49 . 2010-01-28 06:08 2002160 ----a-w- c:\program files\e4145feb-8922-406e-a8c2-bc789f407d45.exe
2010-02-02 07:43 . 2010-02-02 07:43 5115823 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-22 19:08 . 2009-08-04 06:07 -------- dc----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-02-22 18:45 . 2010-02-22 18:45 832 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-02-21 05:44 . 2010-02-21 05:44 0 ----a-w- c:\windows\system32\drivers\396f3e3804160f43408c6f462c6e363a.szcpf
2010-02-13 03:53 . 2009-07-29 07:48 -------- dc--a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-12 07:03 . 2009-07-29 07:57 -------- dc----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-10 03:24 . 2007-12-10 20:47 -------- dc----w- c:\documents and settings\All Users\Application Data\fssg
2010-02-10 03:12 . 2008-12-04 02:17 -------- dc----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-02-10 02:31 . 2007-01-09 08:51 -------- dc----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-02-10 02:31 . 2006-03-16 07:24 -------- d-----w- c:\program files\Yahoo!
2010-02-10 02:31 . 2009-04-30 20:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-10 01:02 . 2005-12-02 23:47 -------- d-----w- c:\program files\Common Files\LightScribe
2010-02-10 01:00 . 2009-08-11 06:31 15 -c--a-w- c:\documents and settings\HP_Administrator\settings.dat
2010-02-04 20:01 . 2010-02-04 20:01 24 ----a-w- c:\documents and settings\LocalService\Application Data\anvkgp.dat
2010-02-04 09:06 . 2010-02-04 09:06 24 ----a-w- c:\windows\system32\config\systemprofile\Application Data\anvkgp.dat
2010-01-28 06:08 . 2009-04-28 18:33 2002160 ----a-w- c:\program files\SUPERANTISPYWARE.EXE
2010-01-20 19:00 . 2008-08-08 12:44 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-16 01:25 . 2010-01-16 01:24 -------- d-----w- c:\program files\QuickTime
2010-01-16 01:23 . 2006-07-17 09:28 -------- dc----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-16 01:23 . 2010-01-16 01:23 -------- d-----w- c:\program files\Apple Software Update
2010-01-16 01:23 . 2010-01-16 01:23 -------- dc----w- c:\documents and settings\All Users\Application Data\Apple
2010-01-16 01:21 . 2010-01-16 01:21 -------- d-----w- c:\program files\DIFX
2010-01-16 01:21 . 2010-01-16 01:21 -------- d-----w- c:\program files\VIDBOX NW03
2010-01-16 01:21 . 2005-12-02 23:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-16 01:18 . 2010-01-16 01:18 -------- d-----w- c:\program files\honestech
2010-01-16 01:17 . 2010-01-16 01:17 -------- d-----w- c:\program files\honestech VHS to DVD 4.0 Plus
2010-01-16 01:16 . 2010-01-16 01:16 -------- dc----w- c:\documents and settings\HP_Administrator\Application Data\InstallShield
2010-01-14 12:03 . 2008-12-24 22:47 33920 ----a-w- c:\windows\system32\drivers\fsbts.sys
2010-01-10 09:38 . 2006-05-25 03:34 -------- d-----w- c:\program files\muvee
2010-01-08 00:07 . 2009-04-30 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 00:07 . 2009-04-30 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-07 09:15 . 2008-05-12 23:55 -------- d-----w- c:\program files\PokerStars
2009-12-31 16:50 . 2004-08-10 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-10 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2004-08-10 12:00 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-10 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-04 18:22 . 2004-08-10 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2004-08-10 19:00 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11 . 2004-08-10 12:00 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07 . 2004-08-10 19:00 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-10 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2004-08-10 19:00 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07 . 2004-08-10 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-10 12:00 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-10-07 23:16 . 2009-04-28 18:33 74480 ----a-w- c:\program files\SASKUTIL.SYS
2009-10-07 23:16 . 2008-12-22 19:05 548352 ----a-w- c:\program files\SASWINLO.DLL
2009-08-11 06:24 . 2009-08-11 06:24 1068 ----a-w- c:\program files\gmluibsc.txt
2009-04-28 18:33 . 2009-04-28 18:33 7408 ----a-r- c:\program files\SASENUM.SYS
2009-04-28 18:33 . 2009-04-28 18:33 9968 ----a-w- c:\program files\sasdifsv.sys
2009-04-28 18:33 . 2009-04-28 18:33 158960 ----a-w- c:\program files\SSUpdate.exe
2009-04-28 15:11 . 2009-04-28 15:11 15542816 ----a-w- c:\program files\PROCESSLIST.DB
2009-04-28 15:11 . 2009-04-28 15:11 1151947 ----a-w- c:\program files\PROCESSLISTRELATED.DB
2008-11-03 20:49 . 2008-11-03 20:49 47912 ----a-w- c:\program files\RUNSAS.EXE
2008-07-28 18:10 . 2008-07-28 18:10 411136 ----a-w- c:\program files\SASREPAIRS.STG
2008-05-13 17:13 . 2008-05-13 17:13 77824 ----a-w- c:\program files\SASSEH.DLL
2008-03-12 18:29 . 2008-03-12 18:29 24576 ----a-r- c:\program files\SASINST.EXE
2007-11-27 20:12 . 2007-11-27 20:12 1088725 ----a-w- c:\program files\SUPERAntiSpyware.chm
2007-10-02 21:08 . 2007-10-02 21:08 122168 ----a-r- c:\program files\BootSafe.exe
2007-02-27 19:39 . 2007-02-27 19:39 61440 ----a-w- c:\program files\SASCTXMN.DLL
2006-09-19 22:55 . 2006-09-19 22:55 360448 ----a-r- c:\program files\deupx.dll
2006-05-13 21:05 . 2006-04-29 04:30 102268 -c--a-w- c:\program files\MXDB.DB
2006-05-09 04:47 . 2006-04-29 04:30 101212 -c--a-w- c:\program files\MXDB.bak
2006-04-29 21:00 . 2006-04-29 20:16 602 -c--a-w- c:\program files\ListName.TCX
2004-05-20 20:28 . 2004-05-20 20:28 2048 ----a-w- c:\program files\detect.wav
2004-05-07 22:31 . 2004-05-07 22:31 348160 -c--a-w- c:\program files\msvcr71.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"RECGUARD"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2003-11-01 45056]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-10-07 23:16 548352 ----a-w- c:\program files\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
2005-08-03 07:19 77312 -c--a-w- c:\windows\arpwrmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
2003-11-01 03:49 45056 -c--a-w- c:\windows\system32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-12 14:12 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2004-11-11 01:02 1880064 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 17:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-06 00:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-05-30 03:30 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\Macromed\\Flash\\NPSWF32_FlashUtil.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [12/24/2008 2:47 PM 33920]
R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [4/25/2006 6:16 PM 15172]
R1 SASDIFSV;SASDIFSV;c:\program files\sasdifsv.sys [4/28/2009 10:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SASKUTIL.SYS [4/28/2009 10:33 AM 74480]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2/19/2010 1:33 PM 18816]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2/21/2010 10:34 PM 108289]
R2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]
S3 FSORSPClient;F-Secure ORSP Client;"c:\program files\Charter Security Suite\ORSP Client\fsorsp.exe" --> c:\program files\Charter Security Suite\ORSP Client\fsorsp.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\15.tmp --> c:\windows\system32\15.tmp [?]
S3 SASENUM;SASENUM;c:\program files\SASENUM.SYS [4/28/2009 10:33 AM 7408]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: cainternetsecurity.net
Trusted Zone: yahoo.com\www
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\o4dwkt3h.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\o4dwkt3h.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-24 11:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\15.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(560)
c:\program files\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3484)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\arservice.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe
c:\progra~1\SPEEDB~1\VideoAcceleratorEngine.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\ALCXMNTR.EXE
.
**************************************************************************
.
Completion time: 2010-02-24 12:03:03 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-24 20:03
ComboFix2.txt 2010-02-22 19:33

Pre-Run: 58,560,892,928 bytes free
Post-Run: 58,541,883,392 bytes free

- - End Of File - - A4091C5C9C8724CF99AC854E0D304CB8
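
The randomly named executables in the "Files Created" section above all share one size (2002160 bytes) and one second timestamp with SUPERANTISPYWARE.EXE, which is how they were recognized as copies of the SUPERAntiSpyware binary before any of them was uploaded. The following Python script is an added example written for this page (it is not part of ComboFix, SUPERAntiSpyware or any post in this thread): it parses ComboFix file lines, groups files by exact byte size, and separates GUID-named executables from files with a recognizable name so the analyst can see which known file the random copies match. The lines in SAMPLE_LOG are copied from the report above; the function names, the regular expressions and the clustering threshold are this example's own assumptions.

```python
"""Cluster ComboFix file entries by exact size to spot copies of one binary.

Added example for this thread; not part of ComboFix, SUPERAntiSpyware or any
post here. SAMPLE_LOG holds lines copied from the ComboFix report above;
the parsing layout, names and thresholds are this example's own assumptions.
"""
import re
from collections import defaultdict

# One ComboFix file line: <timestamp A> . <timestamp B> <size or dashes> <attrs> <path>
# Directories carry "--------" in the size column and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts_a>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ts_b>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) "
    r"(?P<attrs>\S+) "
    r"(?P<path>.+)$"
)

# 8-4-4-4-12 hex file name ending in .exe, e.g. 64c3a19c-3419-42a4-a1fb-1f8dbd5f3c36.exe
GUID_EXE_RE = re.compile(
    r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\.exe$", re.IGNORECASE
)

# Lines copied from the ComboFix report in this thread (a subset, for brevity)
SAMPLE_LOG = """\
2010-02-22 06:34 . 2010-02-23 06:35 56816 ----a-w- c:\\windows\\system32\\drivers\\avgntflt.sys
2010-02-22 06:34 . 2010-02-22 06:34 -------- d-----w- c:\\program files\\Avira
2010-02-12 21:00 . 2010-01-28 06:08 2002160 ----a-w- c:\\program files\\a3587819-0979-4c47-bf86-bf503d0a2e56.exe
2010-02-12 06:28 . 2010-01-28 06:08 2002160 ----a-w- c:\\program files\\cfc0efa2-ccab-40cd-b588-51fe45f4f11b.exe
2010-02-10 00:01 . 2010-01-28 06:08 2002160 ----a-w- c:\\program files\\64c3a19c-3419-42a4-a1fb-1f8dbd5f3c36.exe
2010-02-06 22:38 . 2010-01-28 06:08 2002160 ----a-w- c:\\program files\\02801f44-4f02-4c3f-8966-1ad308ebb74e.exe
2010-02-02 07:43 . 2010-02-02 07:43 5115823 -c--a-w- c:\\documents and settings\\All Users\\Application Data\\Malwarebytes\\Malwarebytes' Anti-Malware\\mbam-setup.exe
2010-01-28 06:08 . 2009-04-28 18:33 2002160 ----a-w- c:\\program files\\SUPERANTISPYWARE.EXE
"""


def parse_entries(log_text):
    """Return one dict per file line; headers, blanks and directories are ignored."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or not m.group("size").isdigit():
            continue  # not a file line, or a directory with dashes for size
        path = m.group("path")
        entries.append({
            "ts_a": m.group("ts_a"),
            "ts_b": m.group("ts_b"),
            "size": int(m.group("size")),
            "path": path,
            "name": path.rsplit("\\", 1)[-1],
        })
    return entries


def size_clusters(entries, min_count=2):
    """Group entries by exact byte size; keep groups with at least min_count files.

    Each cluster lists GUID-named executables apart from files with a
    recognizable name, so the known file the random copies match stands out.
    """
    by_size = defaultdict(list)
    for e in entries:
        by_size[e["size"]].append(e)
    clusters = []
    for size, members in by_size.items():
        if len(members) < min_count:
            continue
        guid_named = [e["path"] for e in members if GUID_EXE_RE.match(e["name"])]
        other = [e["path"] for e in members if not GUID_EXE_RE.match(e["name"])]
        clusters.append({"size": size, "count": len(members),
                         "guid_named": guid_named, "other": other})
    # Largest groups first; ties broken by size so the order is deterministic
    clusters.sort(key=lambda c: (c["count"], c["size"]), reverse=True)
    return clusters


def report(log_text):
    """One summary line per cluster, suitable for pasting into a reply."""
    lines = []
    for c in size_clusters(parse_entries(log_text)):
        known = ", ".join(c["other"]) or "none"
        lines.append(f"{c['count']} files of {c['size']} bytes: "
                     f"{len(c['guid_named'])} GUID-named; recognizable copies: {known}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Size equality only says the files are worth comparing, not that they are identical; the hash in the VirusTotal report above (or a local hash of each copy) settles that. Run against the full "Files Created" and "Find3M" sections, the script reports one cluster of 2002160-byte files containing eight GUID-named executables and SUPERANTISPYWARE.EXE.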


#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 24 February 2010 - 03:29 PM

It looks good Geo.
  1. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 18 (JDK or JRE)".
    • Click the Download JRE button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.

  2. I see on your log that Pokerstar is installed on your computer:

    This program is known to be related to adware/spyware. More information here: http://www.bleepingcomputer.com/uninstall/...rStars.net.html
    To uninstall it:
    Click "start" on the taskbar and then click on the "Control Panel" icon.
    Please double-click the "Add or Remove Programs" icon.
    A list of installed programs will be "populated"; this may take a bit of time.
    If they exist, uninstall the following by clicking on the following entries and selecting "remove":

    PokerStars

    Also remove the folder in bold: C:\Program Files\PokerStars

  3. Your Adobe Acrobat is outdated. I strongly recommend that you update your Adobe Acrobat to the latest version to avoid being infected through its security holes.

Happy Surfing Geo.

#11 geofade

geofade
  • Topic Starter

  • Members
  • 38 posts
  • Gender:Male
  • Local time:01:37 AM

Posted 24 February 2010 - 07:52 PM

Thanks a lot for the help!

I'm assuming that [C:\WINDOWS\system32\drivers\eceuh.sys] is not a threat?

I will follow the directions and thanks again for all the time and help with my computer!
you guys rock!

Thanks!
Geo

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:37 AM

Posted 25 February 2010 - 02:25 AM

QUOTE
I'm assuming that [C:\WINDOWS\system32\drivers\eceuh.sys] is not a threat?

eceuh.sys is a rootkit and is a threat, and was the one reported by GMER. When we ran ComboFix, it made it possible to be removed. I saw it on the logs earlier, but after running ComboFix it was removed and its service was broken. To make sure, I removed the broken service and checked the file with ComboFix. At this point both the service and the file are removed from your computer.

And you are most welcome.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.
