
Suspect Vundo variant infection on my laptop
16 replies to this topic

#1 kemo slobby

kemo slobby

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:04 PM

Posted 25 February 2010 - 03:53 AM

Thank you for your help. I think I have a Vundo variant: whenever I try to do a Google search I am redirected to spam websites. My SuperAntiSpyware picked it up but I have read that it is very difficult to eradicate. Per the directions on the tutorial I have run the tools specified therein. Below is the DDS log:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 0:48:51.83 on Thu 02/25/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254.38 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com
mStart Page = about:blank
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [CARPService] carpserv.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ipn212~1.lnk - c:\program files\inprocomm\ipn2120\wlan_ui.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188913145768
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\oqxqrmg6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?source=gama&hl=en
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\oqxqrmg6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\oqxqrmg6.default\extensions\{62760fd6-b943-48c9-ab09-f99c6fe96088}\platform\winnt\components\ebayAccessComponent.dll
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\oqxqrmg6.default\extensions\{62760fd6-b943-48c9-ab09-f99c6fe96088}\platform\winnt\components\ebayShortcutMaker.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [2003-2-14 59328]
R3 IPN2120;INPROCOMM IPN2120 Wireless LAN Card Driver;c:\windows\system32\drivers\i2120ntx.sys [2007-3-26 116736]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S3 {E2B953A7-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-B;c:\windows\system32\drivers\wa301b.sys [2007-9-4 32823]

=============== Created Last 30 ================

2010-02-25 06:32:38 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-02-15 20:03:19 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-02-15 20:02:27 0 d-----w- c:\program files\SUPERAntiSpyware
2010-02-15 20:02:26 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2010-02-15 19:50:22 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-02-12 18:28:39 0 d-----w- c:\windows\system32\wbem\Repository
2010-02-11 02:34:10 12464 ------w- c:\windows\system32\avgrsstx.dll.install_backup
2010-02-11 02:23:48 0 d-----w- c:\program files\AVG(3)
2010-02-09 18:19:20 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-02-09 18:18:58 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-09 18:18:50 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-08 14:06:52 0 d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan
2010-02-08 14:05:47 0 d-----w- c:\program files\Security Task Manager
2010-02-08 13:52:35 0 d-----w- c:\docume~1\owner\applic~1\Uniblue
2010-02-08 13:51:10 0 d-----w- c:\program files\Uniblue
2010-02-08 06:48:59 0 d-----w- C:\$AVG
2010-02-08 06:46:52 0 d-----w- c:\windows\system32\drivers\Avg(2)
2010-02-08 06:43:48 0 d-----w- c:\program files\AVG(2)
2010-02-08 06:42:58 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9(2)

==================== Find3M ====================


============= FINISH: 0:50:50.83 ===============
In the tutorial I was told to attach the attach.txt file from my desktop but I don't see an attachment section as shown in the tutorial. I do have it saved. Thank you for your help.

Move to log forum. ~ OB

Edited by Orange Blossom, 25 February 2010 - 06:07 PM.



#2 shelf life

shelf life

  • Malware Response Team
  • 2,657 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:02:04 PM

Posted 27 February 2010 - 08:36 AM

hi,

Let's start with Malwarebytes:

Please download Malwarebytes to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.

How Can I Reduce My Risk to Malware?


#3 kemo slobby

kemo slobby
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:04 PM

Posted 28 February 2010 - 02:03 AM

Thanks for your reply. I thought I should mention that I'm running Spybot S&D in case it matters. Find below the log from Malwarebytes scan:

Malwarebytes' Anti-Malware 1.44
Database version: 3805
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

2/28/2010 12:42:22 AM
mbam-log-2010-02-28 (00-42-22).txt

Scan type: Full Scan (C:\|)
Objects scanned: 173489
Time elapsed: 48 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\RJL0ESDY\c6043[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\n.exn (Trojan.Dropper) -> Quarantined and deleted successfully.


I appreciate any help you can provide.


#4 shelf life

shelf life

  • Malware Response Team
  • 2,657 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:02:04 PM

Posted 28 February 2010 - 08:14 AM

OK, we will get another download to use. It's called ComboFix. There is a guide you need to read first. Read through the guide, then download ComboFix to your desktop, following the instructions in the guide and the prompts from ComboFix itself. Post the log in your reply.

Guide to using Combofix


How Can I Reduce My Risk to Malware?


#5 kemo slobby

kemo slobby
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:04 PM

Posted 28 February 2010 - 10:13 PM

Hi, Shelf Life-

I ran the ComboFix program and I should mention that I turned off my firewall and disabled Spybot S&D. After the log was posted I had 7 instances of this window: "Spybot S&D has detected an important registry entry that has been changed."
Categories were "System Startup user entry" (3), "Browser page" (2), "Command Processor" (2) and "Disable Registrytool".
In all cases I denied the change yet when my desktop was restored I had a Windows Explorer icon installed.

Here is the log:

ComboFix 10-02-27.04 - Owner 02/28/2010 20:27:10.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254.107 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\Tasks\dbyolncg.job

----- BITS: Possible infected sites -----

hxxp://85.12.18.119
.
((((((((((((((((((((((((( Files Created from 2010-02-01 to 2010-03-01 )))))))))))))))))))))))))))))))
.

2010-02-28 02:50 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-28 02:49 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-23 00:26 . 2010-02-23 00:26 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-23 00:26 . 2010-02-23 00:26 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-23 00:26 . 2010-02-23 00:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-02-22 07:08 . 2010-02-22 07:08 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2010-02-17 05:03 . 2010-02-17 05:06 -------- d-----w- c:\program files\QuickTime
2010-02-17 05:03 . 2010-02-17 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-02-17 05:01 . 2010-02-17 05:01 -------- d-----w- c:\program files\Common Files\Apple
2010-02-17 05:00 . 2010-02-17 05:00 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Apple
2010-02-17 04:59 . 2010-02-17 04:59 -------- d-----w- c:\program files\Apple Software Update
2010-02-17 04:59 . 2010-02-17 04:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-02-17 04:58 . 2010-02-17 04:58 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Apple Computer
2010-02-15 20:04 . 2010-02-15 20:04 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-15 20:04 . 2010-02-23 00:13 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-15 20:03 . 2010-02-15 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-15 20:02 . 2010-02-15 20:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-15 20:02 . 2010-02-15 20:02 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-02-15 19:50 . 2010-02-15 19:50 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-12 18:28 . 2010-02-12 18:28 -------- d-----w- c:\windows\system32\wbem\Repository
2010-02-11 02:23 . 2010-02-12 18:18 -------- d-----w- c:\program files\AVG(3)
2010-02-09 18:19 . 2010-02-09 18:19 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-02-09 18:18 . 2010-02-09 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-09 18:18 . 2010-02-28 02:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-08 14:06 . 2010-02-12 18:23 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-02-08 14:05 . 2010-02-12 18:23 -------- d-----w- c:\program files\Security Task Manager
2010-02-08 13:52 . 2010-02-08 13:52 -------- d-----w- c:\documents and settings\Owner\Application Data\Uniblue
2010-02-08 13:51 . 2010-02-08 13:51 -------- d-----w- c:\program files\Uniblue
2010-02-08 06:48 . 2010-02-08 08:03 -------- d-----w- C:\$AVG
2010-02-08 06:46 . 2010-02-08 23:07 -------- d-----w- c:\windows\system32\drivers\Avg(2)
2010-02-08 06:43 . 2010-02-12 18:23 -------- d-----w- c:\program files\AVG(2)
2010-02-08 06:42 . 2010-02-12 18:23 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9(2)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-28 23:34 . 2008-12-09 00:39 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-02-27 08:19 . 2009-10-31 03:13 -------- d-----w- c:\program files\PokerStars
2010-02-12 18:27 . 2009-02-04 23:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-12 18:21 . 2007-09-04 12:40 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-10 09:29 . 2007-09-04 13:34 -------- d-----w- c:\program files\CyberLink
2010-02-08 06:03 . 2007-09-04 12:49 68456 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-02 20:23 . 2008-08-02 15:24 -------- d-----w- c:\program files\Quicken Legal Business Pro 2006
2009-12-15 04:14 . 2009-12-23 15:44 94208 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\oqxqrmg6.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayAccessComponent.dll
2009-12-15 04:14 . 2009-12-23 15:44 50176 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\oqxqrmg6.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayShortcutMaker.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [2003-01-23 4608]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
IPN2120 WLAN Configuration Utility.lnk - c:\program files\InProComm\IPN2120\wlan_ui.exe [2007-3-26 446464]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2009-10-10 20:32 203264 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 00:29 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eBayToolbar]
2009-01-18 18:46 632048 ----a-w- c:\program files\eBay\eBay Toolbar2\eBayTBDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [2/14/2003 1:03 PM 59328]
R3 IPN2120;INPROCOMM IPN2120 Wireless LAN Card Driver;c:\windows\system32\drivers\i2120ntx.sys [3/26/2007 12:03 AM 116736]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
S3 {E2B953A7-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-B;c:\windows\system32\drivers\wa301b.sys [9/4/2007 6:48 AM 32823]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
mStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\oqxqrmg6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?source=gama&hl=en
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\oqxqrmg6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\oqxqrmg6.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayAccessComponent.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\oqxqrmg6.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayShortcutMaker.dll
FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\documents and settings\Owner\Desktop\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-28 20:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x812C88C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf92c6fc3
\Driver\ACPI -> ACPI.sys @ 0xf9219cb8
\Driver\atapi -> atapi.sys @ 0xf91b69f2
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
ParseProcedure -> ntoskrnl.exe @ 0x8056f07e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
ParseProcedure -> ntoskrnl.exe @ 0x8056f07e
NDIS: INPROCOMM IPN2120 Wireless LAN Card -> SendCompleteHandler -> NDIS.sys @ 0xf90b9ba0
PacketIndicateHandler -> NDIS.sys @ 0xf90c6b21
SendHandler -> NDIS.sys @ 0xf90a487b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2010-02-28 20:50:20
ComboFix-quarantined-files.txt 2010-03-01 02:50

Pre-Run: 30,516,056,064 bytes free
Post-Run: 31,347,372,032 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 6EF882D5FED12FBBA015AF1252371F22

Again thank you very much for your help and I look forward to hearing from you again.
Kemo Slobby

#6 shelf life

shelf life

  • Malware Response Team
  • 2,657 posts
  • Gender:Male
  • Location:@localhost
  • Local time:02:04 PM

Posted 01 March 2010 - 07:21 PM

hi,


ok thanks for the info. Did you disable Spybot's Tea Timer before using combofix? How's it looking on your end now?

How Can I Reduce My Risk to Malware?


#7 kemo slobby

kemo slobby
  • Topic Starter

  • Members
  • 11 posts
  • Local time:12:04 PM

Posted 01 March 2010 - 07:29 PM

Hi, I'm still getting spam redirects from google search. I ~thought~ I disabled Spybot's Tea Timer but apparently I did not as evidenced by the window: "Spybot S&D has detected an important registry entry that has been changed." Should I rerun combofix again?

#8 shelf life

shelf life

  • Malware Response Team
  • 2,657 posts
  • Gender:Male
  • Location:@localhost
  • Local time:02:04 PM

Posted 02 March 2010 - 08:03 PM

Yes, you can run combofix for another pass. To disable Tea Timer:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to this, go to the Mode menu and select "Advanced Mode".
3. On the left hand side, click on Tools.
4. Then click on the Resident icon in the list.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

Also check Malwarebytes for updates, rescan with it and post its log, please.

How Can I Reduce My Risk to Malware?


#9 kemo slobby

kemo slobby
  • Topic Starter

  • Members
  • 11 posts
  • Local time:12:04 PM

Posted 03 March 2010 - 03:31 AM

Hi, SL-
I updated malwarebytes but every time I try to load Spybot S&D, even in safe mode, the program crashes. Should I reinstall Spybot S&D?

Thank you,
ks

#10 kemo slobby

kemo slobby
  • Topic Starter

  • Members
  • 11 posts
  • Local time:12:04 PM

Posted 03 March 2010 - 05:35 PM

Hi, SL-

Today I was able to run Spybot without the program crashing and implemented the changes you specified. Here is the new Combofix log:

ComboFix 10-03-03.03 - Owner 03/03/2010 15:26:50.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254.136 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-02-03 to 2010-03-03 )))))))))))))))))))))))))))))))
.

2010-02-28 02:50 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-28 02:49 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-23 00:26 . 2010-02-23 00:26 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-23 00:26 . 2010-02-23 00:26 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-23 00:26 . 2010-02-23 00:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-02-22 07:08 . 2010-02-22 07:08 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2010-02-17 05:03 . 2010-02-17 05:06 -------- d-----w- c:\program files\QuickTime
2010-02-17 05:03 . 2010-02-17 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-02-17 05:01 . 2010-02-17 05:01 -------- d-----w- c:\program files\Common Files\Apple
2010-02-17 05:00 . 2010-02-17 05:00 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Apple
2010-02-17 04:59 . 2010-02-17 04:59 -------- d-----w- c:\program files\Apple Software Update
2010-02-17 04:59 . 2010-02-17 04:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-02-17 04:58 . 2010-02-17 04:58 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Apple Computer
2010-02-15 20:04 . 2010-02-15 20:04 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-15 20:04 . 2010-02-23 00:13 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-15 20:03 . 2010-02-15 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-15 20:02 . 2010-02-15 20:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-15 20:02 . 2010-02-15 20:02 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-02-15 19:50 . 2010-02-15 19:50 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-12 18:28 . 2010-02-12 18:28 -------- d-----w- c:\windows\system32\wbem\Repository
2010-02-11 02:23 . 2010-02-12 18:18 -------- d-----w- c:\program files\AVG(3)
2010-02-09 18:19 . 2010-02-09 18:19 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-02-09 18:18 . 2010-02-09 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-09 18:18 . 2010-02-28 02:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-08 14:06 . 2010-02-12 18:23 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-02-08 14:05 . 2010-02-12 18:23 -------- d-----w- c:\program files\Security Task Manager
2010-02-08 13:52 . 2010-02-08 13:52 -------- d-----w- c:\documents and settings\Owner\Application Data\Uniblue
2010-02-08 13:51 . 2010-02-08 13:51 -------- d-----w- c:\program files\Uniblue
2010-02-08 06:48 . 2010-02-08 08:03 -------- d-----w- C:\$AVG
2010-02-08 06:46 . 2010-02-08 23:07 -------- d-----w- c:\windows\system32\drivers\Avg(2)
2010-02-08 06:43 . 2010-02-12 18:23 -------- d-----w- c:\program files\AVG(2)
2010-02-08 06:42 . 2010-02-12 18:23 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9(2)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-03 21:12 . 2008-12-09 00:39 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-03-03 05:19 . 2009-10-31 03:13 -------- d-----w- c:\program files\PokerStars
2010-02-12 18:27 . 2009-02-04 23:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-12 18:21 . 2007-09-04 12:40 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-10 09:29 . 2007-09-04 13:34 -------- d-----w- c:\program files\CyberLink
2010-02-08 06:03 . 2007-09-04 12:49 68456 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-02 20:23 . 2008-08-02 15:24 -------- d-----w- c:\program files\Quicken Legal Business Pro 2006
2009-12-15 04:14 . 2009-12-23 15:44 94208 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\oqxqrmg6.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayAccessComponent.dll
2009-12-15 04:14 . 2009-12-23 15:44 50176 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\oqxqrmg6.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayShortcutMaker.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-03-01_02.42.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-03 21:12 . 2010-03-03 21:12 16384 c:\windows\Temp\Perflib_Perfdata_6f0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [2003-01-23 4608]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
IPN2120 WLAN Configuration Utility.lnk - c:\program files\InProComm\IPN2120\wlan_ui.exe [2007-3-26 446464]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2009-10-10 20:32 203264 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 00:29 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eBayToolbar]
2009-01-18 18:46 632048 ----a-w- c:\program files\eBay\eBay Toolbar2\eBayTBDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [2/14/2003 1:03 PM 59328]
R3 IPN2120;INPROCOMM IPN2120 Wireless LAN Card Driver;c:\windows\system32\drivers\i2120ntx.sys [3/26/2007 12:03 AM 116736]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
S3 {E2B953A7-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-B;c:\windows\system32\drivers\wa301b.sys [9/4/2007 6:48 AM 32823]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2/27/2010 8:50 PM 38224]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
mStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\oqxqrmg6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?source=gama&hl=en
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\oqxqrmg6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\oqxqrmg6.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayAccessComponent.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\oqxqrmg6.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayShortcutMaker.dll
FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-03 15:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x812B48C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf92c6fc3
\Driver\ACPI -> ACPI.sys @ 0xf9219cb8
\Driver\atapi -> atapi.sys @ 0xf91b69f2
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
ParseProcedure -> ntoskrnl.exe @ 0x8056f07e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
ParseProcedure -> ntoskrnl.exe @ 0x8056f07e
NDIS: INPROCOMM IPN2120 Wireless LAN Card -> SendCompleteHandler -> NDIS.sys @ 0xf90a7ba0
PacketIndicateHandler -> NDIS.sys @ 0xf90b4b21
SendHandler -> NDIS.sys @ 0xf909287b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3844)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-03 15:46:39
ComboFix-quarantined-files.txt 2010-03-03 21:46
ComboFix2.txt 2010-03-03 20:14
ComboFix3.txt 2010-03-01 02:50

Pre-Run: 31,294,357,504 bytes free
Post-Run: 31,252,946,944 bytes free

- - End Of File - - B90520E28CE3754169B84FE23B59AF09


And here is the malwarebytes log:

Malwarebytes' Anti-Malware 1.44
Database version: 3822
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

3/3/2010 4:30:54 PM
mbam-log-2010-03-03 (16-30-54).txt

Scan type: Full Scan (C:\|)
Objects scanned: 168585
Time elapsed: 37 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Thanks again for your help
KS

#11 shelf life

shelf life

  • Malware Response Team
  • 2,657 posts
  • Gender:Male
  • Location:@localhost
  • Local time:02:04 PM

Posted 03 March 2010 - 07:36 PM

hi,

ok let's do this: follow the link below, read and follow the instructions in step 6 and step 8. Post the Gmer log in your reply.

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

How Can I Reduce My Risk to Malware?


#12 kemo slobby

kemo slobby
  • Topic Starter

  • Members
  • 11 posts
  • Local time:12:04 PM

Posted 04 March 2010 - 11:04 PM

Hi, SL-

Here is the gmer log you asked for:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-04 22:01:46
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pxtdapog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEF3710B0]

Code \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F91B69F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort0 [F91B69F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort1 [F91B69F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

I hope this helps. Thanks again for your assistance.
kemo slobby
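
A small triage parser for the GMER log format quoted above, added here as an illustration and not part of the thread, of GMER, or of any tool shelf life recommends. It pulls out the two indicators that matter in this log, the atapi.sys device objects whose dispatch address sits in no mapped section of the driver and the on-disk "suspicious modification" of atapi.sys, while leaving the SSDT hook alone, since that one belongs to the installed anti-spyware product. The sample log is constructed from the lines in the post, and the function names parse_gmer and triage are my own.

```python
"""Triage helper for GMER rootkit-scan logs (added example, not GMER's own code)."""
import re
from collections import defaultdict

# Constructed sample, modelled on the GMER output quoted in the post above.
SAMPLE_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-04 22:01:46
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEF3710B0]

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F91B69F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort0 [F91B69F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort1 [F91B69F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (\w+) - GMER")
# SSDT <module path> (<vendor text>) <Zw function> [<hook address>]
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>.+?\.sys)\s+.*?(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]")
# Device <driver object> <device object> [<dispatch address>] <module>[<section>] {<disassembly>}
DEVICE_RE = re.compile(
    r"^Device\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+"
    r"(?P<module>[^\[\s]+)\[(?P<section>[^\]]*)\]")
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification\s*$")


def parse_gmer(text):
    """Split a GMER log into its System / Devices / Files findings."""
    report = {"ssdt": [], "devices": [], "files": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        head = SECTION_RE.match(line)
        if head:
            section = head.group(1)
            continue
        if not line:
            continue
        if section == "System" and (m := SSDT_RE.match(line)):
            report["ssdt"].append(m.groupdict())
        elif section == "Devices" and (m := DEVICE_RE.match(line)):
            report["devices"].append(m.groupdict())
        elif section == "Files" and (m := FILE_RE.match(line)):
            report["files"].append(m.group("path"))
    return report


def triage(report):
    """Map driver name -> reasons it deserves attention: a dispatch address in no
    mapped PE section ("[unknown section]") or an on-disk image flagged as modified.
    SSDT hooks are skipped; they are routine for security products like the sample's."""
    reasons = defaultdict(list)
    by_addr = defaultdict(list)  # group device objects sharing one hook address
    for d in report["devices"]:
        if "unknown section" in d["section"]:
            by_addr[(d["module"].lower(), d["addr"].lower())].append(d["device"])
    for (module, addr), devices in by_addr.items():
        reasons[module].append(
            f"{len(devices)} device object(s) dispatched through unmapped code at 0x{addr}")
    for path in report["files"]:
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        reasons[name].append("on-disk image reported as 'suspicious modification'")
    return dict(reasons)
```

Running triage(parse_gmer(SAMPLE_LOG)) reports only atapi.sys, with both reasons attached, which is the same conclusion the thread reaches before moving on to TDSSKiller.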

#13 shelf life

shelf life

  • Malware Response Team
  • 2,657 posts
  • Gender:Male
  • Location:@localhost
  • Local time:02:04 PM

Posted 06 March 2010 - 08:37 PM

ok thanks for the info. We will get one more download to use. Link and directions:

Please download TDSS Killer.zip and save it to your desktop
Extract the zip file to your desktop
Click Start > Run and copy/paste what's below into the Run box. Click OK or press Enter.


"%userprofile%\desktop\tdsskiller.exe" -l report.txt.

When it's finished, press any key to continue.
If prompted please reboot your computer
Please post the report.txt that will be generated on your desktop after running the utility.

How Can I Reduce My Risk to Malware?


#14 kemo slobby

kemo slobby
  • Topic Starter

  • Members
  • 11 posts
  • Local time:12:04 PM

Posted 07 March 2010 - 05:47 PM

SL-

I ran the utility you directed to me and by golly I think you solved my problem. However, I wasn't able to generate the report you want. But now I have no redirects from my search engines. If the report is that critical to you, I'll try to get you one.

Thank you thank you thank you very very much.

ks

#15 shelf life

shelf life

  • Malware Response Team
  • 2,657 posts
  • Gender:Male
  • Location:@localhost
  • Local time:02:04 PM

Posted 07 March 2010 - 08:56 PM

ok good. You're welcome. You don't see the report.txt file on your desktop?

Cruise around and make sure the redirects are gone then we can finish up.

How Can I Reduce My Risk to Malware?
