
strange program (file name is only symbols) loading at startup


This topic is locked. 25 replies to this topic.

#1 loneverse


Posted 04 March 2010 - 12:18 AM

Hi.

I just fixed up my PC following the instructions given on another thread in this forum by m0le. The topic can be found here:
http://www.bleepingcomputer.com/forums/t/293153/extra-program-files-folder-created-automatically-iexploreexe-virus/

I have installed an antivirus program's trial version after the clean-up (Quickheal). Now I seem to have another infection on my pc.

Some weird programs (file name is nothing but symbols) load at startup, although I uncheck them from the startup programs list every time before I shut down my pc. A picture of the same is attached. These programs were not present until 5-6 days ago.

Also, until yesterday, every time I boot my pc, my antivirus shows that a program by the name of "U ? ?" is trying to execute itself, and I am prompted to repair the file or ignore it. I clicked on repair each time, but this kept repeating every time I re-booted.

I ran a full scan using various tools, including Quickheal, Superantispyware, and AdAware. None of them detected any infections. However, the "U ? ?" program prompts have stopped appearing now when I boot my pc.

Please help me clean up my pc again.

Regards,
Megha





#2 m0le

Malware Response Team

Posted 04 March 2010 - 07:42 AM

Hi again loneverse,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day then I will close the topic.

Thanks


Can you please run a DDS and Gmer scan

Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Now Gmer

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Edited by m0le, 04 March 2010 - 07:47 AM.

m0le is a proud member of UNITE

#3 loneverse


Posted 05 March 2010 - 11:33 PM

Hi m0le!

I am sorry for replying late, but I can't download and run the scans right now. You see, I have an appraisal for which I need to prepare a presentation. Hence I can act on your instructions only on Monday. Sorry for the inconvenience!

Regards,
Megha

#4 m0le


Posted 06 March 2010 - 07:56 AM

That's okay. Good luck at the appraisal.

#5 loneverse


Posted 08 March 2010 - 03:34 AM

Hi m0le! Sorry for the late reply, but I finally got down to it and ran the scans.

Here is the DDS log


DDS (Ver_09-12-01.01) - NTFSx86
Run by Megha Mookim at 10:43:20.64 on Mon 03/08/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.441 [GMT 5.5:30]

AV: Quick Heal 11.00 *On-access scanning disabled* (Outdated) {05C1329D-F0E0-4B19-9D15-54F9BC3ADE87}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\QUICKH~1\QUICKH~1\SAPISSVC.EXE
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\PROGRA~1\QUICKH~1\QUICKH~1\opssvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\PROGRA~1\QUICKH~1\QUICKH~1\quhlpsvc.exe
C:\PROGRA~1\QUICKH~1\QUICKH~1\scanwscs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\QUICKH~1\QUICKH~1\onlinent.exe
C:\PROGRA~1\QUICKH~1\QUICKH~1\UPSCHD.EXE
C:\PROGRA~1\QUICKH~1\QUICKH~1\SCANMSG.EXE
C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\WINDOWS\system32\igfxext.exe
C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROXY.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Megha Mookim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Megha Mookim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Megha Mookim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Megha Mookim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Megha Mookim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Megha Mookim\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Documents and Settings\Megha Mookim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Megha Mookim\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.in/
uInternet Settings,ProxyServer = 172.50.6.230:8080
uInternet Settings,ProxyOverride = <local>
BHO: AutorunsDisabled - No File
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 6\SnagItBHO.dll
BHO: QHIEPro Class: {02d6b6b3-5d97-4ede-aac1-4d0be8fe9cd3} - c:\progra~1\quickh~1\quickh~1\qhiepro.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 6\SnagItIEAddin.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Quick Heal Core UI] c:\progra~1\quickh~1\quickh~1\strtupap.exe
mRunOnce: [Startup Scan] c:\progra~1\quickh~1\quickh~1\Sensor.EXE /check
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {C9A25090-D6C4-4D33-87ED-53AA0C3ECE65} - hxxp://download6.quickheal.com/onlnscan/activex/nt/onlnscan.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-24 64288]
R1 ggc;ggc;c:\windows\system32\drivers\ggc.sys [2010-2-24 46456]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-1-5 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 66632]
R2 catflt;catflt;c:\windows\system32\drivers\catflt.sys [2010-2-24 109176]
R2 Core Mail Protection;Core Mail Protection;c:\progra~1\quickh~1\quickh~1\EMLPROXY.EXE [2010-2-24 30168]
R2 Core Scanning Server;Core Scanning Server;c:\progra~1\quickh~1\quickh~1\SAPISSVC.EXE [2010-2-24 58744]
R2 EMLSS;EMLSS;c:\windows\system32\drivers\EMLTDI.SYS [2010-2-24 29304]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1229232]
R2 Online Protection System;Online Protection System;c:\progra~1\quickh~1\quickh~1\opssvc.exe [2010-2-24 19320]
R2 Quick Update Service;Quick Update Service;c:\progra~1\quickh~1\quickh~1\quhlpsvc.exe [2010-2-24 58744]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-18 11032]
S0 mscank;mscank;c:\windows\system32\drivers\mscank.sys [2010-2-24 28280]
S2 ijwbywsr;Manager System;c:\windows\system32\svchost.exe -k netsvcs [2009-1-14 14336]
S2 jruhmfydv;Universal Image;c:\windows\system32\svchost.exe -k netsvcs [2009-1-14 14336]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-2-20 1684736]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-12-29 38224]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 12872]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe --> c:\progra~1\avg\avg8\avgemc.exe [?]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe --> c:\progra~1\avg\avg8\avgwdsvc.exe [?]
S4 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys --> c:\windows\system32\drivers\avgldx86.sys [?]
S4 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys --> c:\windows\system32\drivers\avgmfx86.sys [?]
S4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]
S4 sxbryzeb;Driver Microsoft;c:\windows\system32\svchost.exe -k netsvcs [2009-1-14 14336]

=============== Created Last 30 ================

2010-03-08 05:05:21 0 d--h--w- c:\windows\PIF
2010-02-24 11:37:21 6223 ----a-w- c:\windows\RegAct.dat
2010-02-24 11:33:33 28280 ----a-w- c:\windows\system32\drivers\mscank.sys
2010-02-24 11:33:33 0 ----a-w- c:\windows\sensor.INI
2010-02-24 11:33:04 0 ----a-w- c:\windows\hqstat.mtl
2010-02-24 11:33:04 0 ----a-w- c:\windows\hqstat.mnt
2010-02-24 11:32:58 29304 ----a-w- c:\windows\system32\drivers\EMLTDI.SYS
2010-02-24 11:32:24 109176 ----a-w- c:\windows\system32\drivers\catflt.sys
2010-02-24 11:32:22 0 d-----w- c:\program files\Quick Heal
2010-02-24 11:26:26 60 ----a-w- c:\windows\QH32.INI
2010-02-24 11:25:45 0 d-----w- c:\windows\system32\gprodat
2010-02-24 11:25:25 46456 ----a-w- c:\windows\system32\drivers\ggc.sys
2010-02-24 10:08:04 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-24 10:07:54 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-24 09:58:33 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-02-24 09:58:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-02-24 09:56:20 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-24 09:55:46 0 d-----w- c:\program files\Lavasoft
2010-02-18 05:03:26 0 d-----w- c:\program files\ESET
2010-02-15 09:04:57 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-02-15 09:04:46 0 d-----w- c:\program files\SUPERAntiSpyware
2010-02-15 09:04:46 0 d-----w- c:\docume~1\megham~1\applic~1\SUPERAntiSpyware.com
2010-02-15 09:04:21 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-02-10 05:28:50 6144 --sha-w- c:\windows\system32\Thumbs.db

==================== Find3M ====================

2010-01-07 10:37:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 10:37:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-28 05:08:39 10 ----a-w- c:\docume~1\megham~1\applic~1\~ielog.dat
2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-02-20 19:49:15 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-05-09 03:24:48 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009050820090509\index.dat

============= FINISH: 10:43:41.92 ===============
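The three odd entries in the SERVICES / DRIVERS block above (a random eight- or nine-letter service name, a generic two-word display name, and an image path of the shared svchost.exe -k netsvcs host) can be picked out mechanically. The following is an added example, not from the thread, from DDS or from m0le: it parses the DDS service-line format and scores each entry; the start-type mapping is DDS's usual convention, and the vowel threshold and generic-word list are assumptions made for this example.

```python
"""Score the SERVICES / DRIVERS entries of a DDS or ComboFix log.

Added example, not the thread's or DDS's own code.  A service whose name looks
machine-generated, whose display name is assembled from stock words and whose
image path is the shared "svchost.exe -k netsvcs" host is the pattern a helper
reacts to when reading a log like the one above.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the DDS service-line format: a few legitimate entries
# next to the three odd ones from the thread's log.
SAMPLE_LOG = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-24 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1229232]
S2 ijwbywsr;Manager System;c:\windows\system32\svchost.exe -k netsvcs [2009-1-14 14336]
S2 jruhmfydv;Universal Image;c:\windows\system32\svchost.exe -k netsvcs [2009-1-14 14336]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-12-29 38224]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe --> c:\progra~1\avg\avg8\avgwdsvc.exe [?]
S4 sxbryzeb;Driver Microsoft;c:\windows\system32\svchost.exe -k netsvcs [2009-1-14 14336]
"""

# Line shape: <R|S><start type> <name>;<display name>;<image path> [<date> <size>]
# R = running, S = stopped; the digit is the Windows service start type.
SERVICE_LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}
# Stock words that bogus display names are typically assembled from (assumption).
GENERIC_WORDS = {"manager", "system", "driver", "microsoft", "universal", "image",
                 "windows", "service", "update", "helper", "network", "security"}
NETSVCS_HOST = re.compile(r"svchost\.exe\s+-k\s+netsvcs$", re.IGNORECASE)


@dataclass
class ServiceEntry:
    state: str
    start_type: str
    name: str
    display: str
    image: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A single indicator is weak (Quick Heal's own drivers have terse names);
        # two or more together are worth a closer look.
        return len(self.reasons) >= 2


def parse_service_lines(text: str) -> list:
    """Return one ServiceEntry per line that matches the DDS service format."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if m is None:
            continue
        entries.append(ServiceEntry(
            state="running" if m["state"] == "R" else "stopped",
            start_type=START_TYPES.get(m["start"], "unknown"),
            name=m["name"].strip(), display=m["display"].strip(),
            image=m["image"].strip()))
    return entries


def looks_random(name: str) -> bool:
    """All lowercase letters, at least 6 long, very few vowels (ijwbywsr, jruhmfydv)."""
    if not (name.isalpha() and name.islower() and len(name) >= 6):
        return False
    return sum(c in "aeiou" for c in name) / len(name) <= 0.25


def is_generic_display(entry: ServiceEntry) -> bool:
    """Display name differs from the key name and consists only of stock words."""
    words = entry.display.lower().split()
    return (bool(words) and entry.display.lower() != entry.name.lower()
            and all(w in GENERIC_WORDS for w in words))


def analyse(text: str) -> list:
    """Parse the log text and attach the list of matching indicators to each entry."""
    entries = parse_service_lines(text)
    for e in entries:
        if NETSVCS_HOST.search(e.image):
            e.reasons.append("image path is the shared svchost netsvcs host")
        if looks_random(e.name):
            e.reasons.append("service name looks machine-generated")
        if is_generic_display(e):
            e.reasons.append("display name is assembled from generic words")
    return entries


def suspicious_names(text: str) -> list:
    """Sorted names of entries that trip two or more indicators."""
    return sorted(e.name for e in analyse(text) if e.suspicious)


if __name__ == "__main__":
    for e in analyse(SAMPLE_LOG):
        if e.suspicious:
            print(f"{e.name:12} {e.state}/{e.start_type:8} {e.display!r}")
            for r in e.reasons:
                print(f"    - {r}")
```

Run against a full DDS or ComboFix log the same function picks out only the entries that combine indicators, so legitimate drivers with short names such as Lbd or catflt are not reported on their own.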

#6 m0le


Posted 08 March 2010 - 08:44 PM

There are some unknown drivers on the log which we may need to remove.

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#7 m0le


Posted 11 March 2010 - 07:14 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le

#8 loneverse


Posted 12 March 2010 - 12:09 AM

Hi m0le!

I am extremely sorry for the delay.. I've been travelling for a couple of days now, and haven't even checked my mail. I just ran the combofix tool, and have attached the log to this post.

Once again, am very sorry!

Regards,
Megha

#9 m0le


Posted 12 March 2010 - 07:00 PM

That's okay. There are a few things going on on the Combofix log so let's see if we can deal with them.


Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Go to Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\windows\system32\kernel32.dll

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at VirusTotal


Now let's rerun Combofix

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2904:TCP"=-


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Thanks

#10 loneverse


Posted 15 March 2010 - 12:33 AM

Hi again m0le!

Jotti scanned the file and all the 21 scanners "found nothing".

Below is the combofix log:

ComboFix 10-03-14.04 - Megha Mookim 03/15/2010 10:49:38.6.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.549 [GMT 5.5:30]
Running from: c:\documents and settings\Megha Mookim\Desktop\combofix.exe
Command switches used :: c:\documents and settings\Megha Mookim\Desktop\CFScript.txt
AV: Quick Heal 11.00 *On-access scanning disabled* (Outdated) {05C1329D-F0E0-4B19-9D15-54F9BC3ADE87}
.

((((((((((((((((((((((((( Files Created from 2010-02-15 to 2010-03-15 )))))))))))))))))))))))))))))))
.

2010-03-08 06:34 . 2010-03-08 06:38 -------- d-----w- c:\windows\SxsCaPendDel
2010-03-08 06:00 . 2010-03-08 06:01 -------- d-----w- c:\documents and settings\Administrator
2010-03-08 05:05 . 2010-03-08 05:05 -------- d--h--w- c:\windows\PIF
2010-03-03 12:12 . 2010-03-03 12:12 135 ----a-w- c:\documents and settings\Megha Mookim\Local Settings\Application Data\fusioncache.dat
2010-03-03 10:09 . 2010-03-03 10:09 89560 ----a-w- c:\documents and settings\Megha Mookim\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-02 05:18 . 2010-03-02 05:18 79488 ----a-w- c:\documents and settings\Megha Mookim\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-24 11:37 . 2010-02-24 11:37 6223 ----a-w- c:\windows\RegAct.dat
2010-02-24 11:33 . 2010-02-24 11:32 28280 ----a-w- c:\windows\system32\drivers\mscank.sys
2010-02-24 11:32 . 2010-02-24 11:32 29304 ----a-w- c:\windows\system32\drivers\EMLTDI.SYS
2010-02-24 11:32 . 2010-02-24 11:32 109176 ----a-w- c:\windows\system32\drivers\catflt.sys
2010-02-24 11:32 . 2010-02-24 11:32 -------- d-----w- c:\program files\Quick Heal
2010-02-24 11:25 . 2010-02-24 11:33 -------- d-----w- c:\windows\system32\gprodat
2010-02-24 11:25 . 2010-02-24 11:25 46456 ----a-w- c:\windows\system32\drivers\ggc.sys
2010-02-24 10:07 . 2010-02-24 10:07 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-24 09:58 . 2010-02-24 10:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-24 09:58 . 2010-02-24 10:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-24 09:55 . 2010-03-08 06:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-18 05:03 . 2010-02-18 05:03 -------- d-----w- c:\program files\ESET
2010-02-15 09:05 . 2010-02-15 09:05 52224 ----a-w- c:\documents and settings\Megha Mookim\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-15 09:05 . 2010-03-03 06:32 117760 ----a-w- c:\documents and settings\Megha Mookim\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-15 09:04 . 2010-02-15 09:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-15 09:04 . 2010-02-19 04:56 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-15 09:04 . 2010-02-15 09:04 -------- d-----w- c:\documents and settings\Megha Mookim\Application Data\SUPERAntiSpyware.com
2010-02-15 09:04 . 2010-02-15 09:04 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-05 08:23 . 2009-02-20 14:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-12 10:20 . 2010-02-12 10:30 182898 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2010-02-12 05:10 . 2009-12-29 12:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-12 05:09 . 2010-02-12 05:09 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-10 05:25 . 2009-02-20 13:56 -------- d-----w- c:\program files\Windows Media Connect 2
2010-02-07 16:27 . 2010-02-03 16:50 -------- d-----w- c:\program files\Microsoft Works
2010-02-05 05:09 . 2010-02-05 05:09 251376 ----a-w- c:\documents and settings\Megha Mookim\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-02-03 16:48 . 2010-02-03 16:48 -------- d-----w- c:\program files\Microsoft.NET
2010-02-03 16:45 . 2010-02-03 16:45 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-02-03 16:33 . 2009-12-29 12:41 -------- d-----w- c:\program files\MSBuild
2010-02-03 15:11 . 2009-12-28 10:33 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-02-03 15:10 . 2009-12-28 10:33 -------- d-----w- c:\program files\McAfee
2010-01-07 10:37 . 2009-12-29 12:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 10:37 . 2009-12-29 12:33 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50 . 2009-01-13 21:09 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-28 05:08 . 2009-12-26 05:46 10 ----a-w- c:\documents and settings\Megha Mookim\Application Data\~ielog.dat
2009-12-21 19:14 . 2009-01-13 21:09 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2009-01-13 22:21 343040 ----a-w- c:\windows\system32\mspaint.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2008-12-04 114688]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2008-12-18 622592]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2008-05-21 94208]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-13 17508864]
"Quick Heal Core UI"="c:\progra~1\QUICKH~1\QUICKH~1\strtupap.exe" [2010-02-24 46456]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-1-14 376832]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 08:51 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it® Software Notes Lite.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Post-it® Software Notes Lite.lnk
backup=c:\windows\pss\Post-it® Software Notes Lite.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
? [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
? [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-11 03:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 08:20 57344 ----a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-12-30 09:22 135664 ----atw- c:\documents and settings\Megha Mookim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 06:14 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2008-04-14 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2008-04-14 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-17 15:51 413696 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 10:37 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-02-19 04:56 2012912 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2004-12-20 18:41 33792 ----a-w- c:\program files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\Megha Mookim\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Megha Mookim\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R1 ggc;ggc;c:\windows\system32\drivers\ggc.sys [2/24/2010 4:55 PM 46456]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 7:56 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 66632]
R2 catflt;catflt;c:\windows\system32\drivers\catflt.sys [2/24/2010 5:02 PM 109176]
R2 Core Mail Protection;Core Mail Protection;c:\progra~1\QUICKH~1\QUICKH~1\EMLPROXY.EXE [2/24/2010 5:02 PM 30168]
R2 Core Scanning Server;Core Scanning Server;c:\progra~1\QUICKH~1\QUICKH~1\SAPISSVC.EXE [2/24/2010 5:02 PM 58744]
R2 EMLSS;EMLSS;c:\windows\system32\drivers\EMLTDI.SYS [2/24/2010 5:02 PM 29304]
R2 Quick Update Service;Quick Update Service;c:\progra~1\QUICKH~1\QUICKH~1\quhlpsvc.exe [2/24/2010 5:02 PM 58744]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/18/2007 6:39 AM 11032]
R4 Online Protection System;Online Protection System;c:\progra~1\QUICKH~1\QUICKH~1\opssvc.exe [2/24/2010 5:02 PM 19320]
S0 mscank;mscank;c:\windows\system32\drivers\mscank.sys [2/24/2010 5:03 PM 28280]
S2 ijwbywsr;Manager System;c:\windows\system32\svchost.exe -k netsvcs [1/14/2009 2:39 AM 14336]
S2 jruhmfydv;Universal Image;c:\windows\system32\svchost.exe -k netsvcs [1/14/2009 2:39 AM 14336]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/20/2009 8:22 AM 1684736]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [12/29/2009 6:03 PM 38224]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 12872]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S4 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys --> c:\windows\system32\Drivers\avgldx86.sys [?]
S4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys --> c:\windows\system32\Drivers\avgtdix.sys [?]
S4 sxbryzeb;Driver Microsoft;c:\windows\system32\svchost.exe -k netsvcs [1/14/2009 2:39 AM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
jruhmfydv
sxbryzeb
ijwbywsr
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.in/
uInternet Settings,ProxyServer = 172.50.6.230:8080
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: {603CF69E-F55C-4608-B8C0-80318CA46E4C} = 172.80.6.21
DPF: {C9A25090-D6C4-4D33-87ED-53AA0C3ECE65} - hxxp://download6.quickheal.com/onlnscan/activex/nt/onlnscan.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-15 10:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(816)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3876)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-15 10:58:24
ComboFix-quarantined-files.txt 2010-03-15 05:28
ComboFix2.txt 2010-03-12 04:54

Pre-Run: 66,458,488,832 bytes free
Post-Run: 66,418,929,664 bytes free

- - End Of File - - EFEEBCE5F7D0706E81C37C9370D55FCE

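Added here as a triage aid, and not part of the original thread or of ComboFix: a small Python script that parses service lines in the format the log above uses and lists the entries hosted by svchost.exe -k netsvcs whose short names are not in an assumed baseline, so an analyst knows which ones to review first (the three names it flags are the ones that also appear at the end of the NetSvcs list above). The baseline set and the fourth, benign-looking sample line are constructed assumptions.

```python
import re

# Service lines in the ComboFix-style format used in the thread:
#   "<start> <name>;<display name>;<image path> [<date> <size>]"
# The first three are copied from the log above; the fourth is a constructed
# benign-looking control entry so the filter has something to pass.
SAMPLE_LINES = [
    "S2 ijwbywsr;Manager System;c:\\windows\\system32\\svchost.exe -k netsvcs [1/14/2009 2:39 AM 14336]",
    "S2 jruhmfydv;Universal Image;c:\\windows\\system32\\svchost.exe -k netsvcs [1/14/2009 2:39 AM 14336]",
    "S4 sxbryzeb;Driver Microsoft;c:\\windows\\system32\\svchost.exe -k netsvcs [1/14/2009 2:39 AM 14336]",
    "S2 wuauserv;Automatic Updates;c:\\windows\\system32\\svchost.exe -k netsvcs [1/14/2009 2:39 AM 14336]",
]

# Partial, assumed baseline of services that legitimately run in the XP
# netsvcs group; extend it from a known-clean machine of the same build.
NETSVCS_BASELINE = {
    "audiosrv", "bits", "browser", "cryptsvc", "dhcp", "dnscache", "ersvc",
    "eventsystem", "helpsvc", "lanmanserver", "lanmanworkstation", "netman",
    "nla", "rasman", "schedule", "seclogon", "sens", "shellhwdetection",
    "themes", "trkwks", "winmgmt", "wscsvc", "wuauserv", "xmlprov",
}

LINE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)"
    r"(?:\s+\[(?P<meta>[^\]]*)\])?\s*$"
)

def parse_service_line(line):
    """Return a dict of fields for one ComboFix service line, or None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_unbaselined_netsvcs(entry):
    """True when the service is hosted by 'svchost.exe -k netsvcs' but its
    short name is not in the baseline."""
    image = entry["image"].lower()
    return ("svchost.exe" in image and "-k netsvcs" in image
            and entry["name"].lower() not in NETSVCS_BASELINE)

def triage(lines):
    """Short names of netsvcs-hosted services that need analyst review."""
    flagged = []
    for line in lines:
        entry = parse_service_line(line)
        if entry and is_unbaselined_netsvcs(entry):
            flagged.append(entry["name"])
    return flagged

if __name__ == "__main__":
    for name in triage(SAMPLE_LINES):
        print("review:", name)
```

A hit only means the name is not in the baseline; confirm each one against the service's registry entry and the DLL it loads before acting on it.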

#11 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 15 March 2010 - 06:09 PM

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

We need to execute an OTM script
  1. Please download OTM by OldTimer and save it to your desktop.
  2. Double click the icon on your desktop.
  3. Paste the following code under the area. Do not include the word "Code".
    CODE
    :Reg
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
  4. Push the large button.
  5. OTM may ask to reboot the machine. Please do so if asked.
  6. Copy/Paste the contents under the line here in your next reply.
  7. If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Post the OTM log.

Are you still getting the strange startup program loading now?
m0le is a proud member of UNITE

#12 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 18 March 2010 - 08:31 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE

#13 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 19 March 2010 - 09:27 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE

#14 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 22 March 2010 - 12:58 PM

Reopened at user's request.

----------------------------------------------------

Please post the OTM log in this topic.

Thanks
m0le is a proud member of UNITE

#15 loneverse

  • Topic Starter
  • Members
  • 19 posts

Posted 23 March 2010 - 12:03 AM

I ran the OTM application and am including the reply below.

========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ru\ not found.

OTM by OldTimer - Version 3.1.8.0 log created on 03222010_101726
