RootRepeal and Runscanner refuse to open


  • This topic is locked
21 replies to this topic

#1 zse45tgb


  • Members
  • 54 posts
  • OFFLINE
  • Local time:01:23 AM

Posted 23 March 2010 - 01:08 PM

Hello,
I have been referred here from the Am I Infected? forum by boopme. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/295063/antivirus-pro-2010/ ~ OB Although we cleaned out quite a bit of rubbish from my system, apparently there is still work to be done. As mentioned in the title, I have Runscanner and RootRepeal on my desktop and am unable to open, move or delete them. I am also getting a message from Microsoft stating:
"This copy of Windows did not pass genuine validation.
The product key found on this computer is not valid for use in your region."
I have run a dds as well as a Gmer scan and the logs are included.

Thank you in advance for your time,

Mike

Gmer Scan:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-22 14:24:24
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\ugtdapow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\DOCUME~1\User\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEEB740B0]

---- EOF - GMER 1.0.15 ----


dds scan:


DDS (Ver_09-12-01.01) - NTFSx86
Run by User at 12:11:57.87 on Mon 03/22/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_05
AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://sfbay.craigslist.org/eby/
uDefault_Page_URL = hxxp://www.msn.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - c:\program files\comcasttb\comcastdx.dll
uRun: [ctfmon.exe] c:\windows.1\system32\ctfmon.exe
uRun: [ComcastAntispyClient] "c:\program files\comcasttb\comcastspywarescan\ComcastAntispy.exe" /hide
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [EPSON Stylus CX6400] c:\windows.1\system32\spool\drivers\w32x86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRunOnce: [B Register c:\program files\divx\divx codec\divxdec.ax] "c:\windows.1\system32\rundll32.exe" "c:\program files\divx\divx codec\DivXDec.ax",DllRegisterServer
mRunOnce: [B Register c:\program files\divx\divx plus directshow filters\divxdech264.ax] "c:\windows.1\system32\rundll32.exe" "c:\program files\divx\divx plus directshow filters\DivXDecH264.ax",DllRegisterServer
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
StartupFolder: c:\docume~1\user\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1.1\startm~1\programs\startup\nkvmon~1.lnk - c:\program files\nikon\nkview6\NkvMon.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: cru629.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows.1\system32\wpdshserviceobj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {11B762AF-09CC-8DB8-0706-030102020402} - c:\windows.1\system32\svchost.exe

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-03-22 19:11:33 0 ----a-w- c:\documents and settings\user\defogger_reenable
2010-03-19 19:01:06 0 d-----w- c:\docume~1\alluse~1.1\applic~1\DivX
2010-03-19 00:27:44 0 d-----w- c:\program files\ESET
2010-03-18 23:12:25 75776 ------w- c:\windows.1\system32\dllcache\strmfilt.dll
2010-03-18 23:12:25 265728 ------w- c:\windows.1\system32\dllcache\http.sys
2010-03-18 23:12:25 25088 ------w- c:\windows.1\system32\dllcache\httpapi.dll
2010-03-18 19:07:27 3243 ----a-w- c:\windows.1\system32\wbem\Outlook_01cac6ce3ff944c6.mof
2010-03-18 02:03:24 3558912 ------w- c:\windows.1\system32\dllcache\moviemk.exe
2010-03-18 02:02:28 471552 ------w- c:\windows.1\system32\dllcache\aclayers.dll
2010-03-18 01:27:17 38224 ----a-w- c:\windows.1\system32\drivers\mbamswissarmy.sys
2010-03-18 01:27:15 19160 ----a-w- c:\windows.1\system32\drivers\mbam.sys
2010-03-18 01:27:15 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-17 22:53:11 0 d-----w- c:\program files\SUPERAntiSpyware
2010-03-17 22:52:43 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-03-17 22:45:08 92928 ------w- c:\windows.1\system32\dllcache\ksecdd.sys
2010-03-17 22:45:08 136192 ------w- c:\windows.1\system32\dllcache\msv1_0.dll
2010-03-17 22:45:07 54272 ------w- c:\windows.1\system32\dllcache\wdigest.dll
2010-03-17 22:45:07 301568 ------w- c:\windows.1\system32\dllcache\kerberos.dll
2010-03-17 21:38:15 0 d-----w- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2010-03-17 21:38:15 0 d-----w- c:\docume~1\alluse~1.1\applic~1\SUPERAntiSpyware.com
2010-03-17 00:55:13 0 d--h--w- c:\windows.1\PIF
2010-03-08 17:59:18 94208 ----a-w- c:\windows.1\system32\dpl100.dll
2010-03-02 18:16:04 353592 ----a-w- c:\windows.1\system32\DivXControlPanelApplet.cpl

==================== Find3M ====================

2010-02-19 19:27:36 720384 ----a-w- c:\windows.1\system32\DivX.dll
2010-02-19 19:27:16 856064 ----a-w- c:\windows.1\system32\divx_xx0c.dll
2010-02-19 19:27:16 856064 ----a-w- c:\windows.1\system32\divx_xx07.dll
2010-02-19 19:27:16 847872 ----a-w- c:\windows.1\system32\divx_xx0a.dll
2010-02-19 19:27:16 843776 ----a-w- c:\windows.1\system32\divx_xx16.dll
2010-02-19 19:27:16 839680 ----a-w- c:\windows.1\system32\divx_xx11.dll
2009-12-31 16:50:03 353792 ------w- c:\windows.1\system32\dllcache\srv.sys
2009-09-14 21:23:37 19669 ----a-w- c:\program files\common files\hikicaqop._sy
2009-09-14 21:23:36 13527 ----a-w- c:\program files\common files\odinu.bat
2009-09-12 06:09:01 17459 ----a-w- c:\program files\common files\ciwikatyda.sys
2009-09-12 06:09:01 10762 ----a-w- c:\program files\common files\koxovureqa.com
2009-09-12 04:04:37 11454 ----a-w- c:\program files\common files\ysidaleqi.pif
2009-09-12 03:38:07 17840 ----a-w- c:\program files\common files\tycy._dl
2009-09-12 03:21:40 16599 ----a-w- c:\program files\common files\ifariho.pif
2007-11-06 10:46:30 27936568 ----a-w- c:\program files\wmp11-windowsxp-x64-enu.exe
2007-11-06 10:44:33 25755448 ----a-w- c:\program files\wmp11-windowsxp-x86-enu.exe
2009-08-04 20:42:12 32768 --sha-w- c:\windows.1\system32\config\systemprofile\local settings\history\history.ie5\mshist012009080420090805\index.dat

============= FINISH: 12:12:17.71 ===============


Edited by Orange Blossom, 23 March 2010 - 08:48 PM.




#2 Ried


  • Malware Response Team
  • 1,009 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:23 AM

Posted 27 March 2010 - 12:08 AM

Hello zse45tgb,

I do still see infection onboard. Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal.


====================================================


Double click on combofix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.


Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#3 zse45tgb

  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:01:23 AM

Posted 27 March 2010 - 07:22 PM

Hello Ried,
I was a little concerned about running ComboFix after reading about it "bricking" systems, but if I didn't have faith in the opinions of the folks in this forum, it wouldn't make much sense for me to be here. When I started ComboFix, it informed me that AVG was active on my computer. I checked in my Control Panel and could not find it; it was in my Program Files folder, but I have no idea how to disable it. I tried to terminate ComboFix by clicking the "X" box in the upper right corner, but as you probably know, it started its scan anyway. I only mention this because I have no idea if this could affect the scan results.
Another thing that puzzles me is that when ComboFix went to download the Microsoft Recovery Console, I was asked if I was running Windows XP Home, which is incorrect according to my System Properties so I clicked no, but it downloaded anyway. It says that I am running Windows XP Professional, Version 2002, Service Pack 3. When my computer boots, it also says Windows XP Professional, but it also says I may be running counterfeit software. I don't know if this is pertinent, but I know how aggravating it can be to work with too little information.

Thank you in advance for your time and trouble,

Mike


Below is my ComboFix log:

ComboFix 10-03-27.02 - User 03/27/2010 16:22:05.1.1 - x86
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.WINDOWS.1\Application Data\faso.bat
c:\documents and settings\All Users.WINDOWS.1\Application Data\ipehujuk.inf
c:\documents and settings\All Users.WINDOWS.1\Documents\alym.inf
c:\documents and settings\All Users.WINDOWS.1\Documents\bedocidera.reg
c:\documents and settings\All Users.WINDOWS.1\Documents\gotojotyr.bat
c:\documents and settings\All Users.WINDOWS.1\Documents\lifaj.bat
c:\documents and settings\Tasha\My Documents\twunk_32.exe
c:\documents and settings\User\Application Data\gavivomu.vbs
c:\documents and settings\User\Application Data\luti.bat
c:\documents and settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.txt.lnk
c:\documents and settings\User\Application Data\nafylen.vbs
c:\documents and settings\User\Application Data\ujimuf.bat
c:\documents and settings\User\Cookies\bageduve.sys
c:\documents and settings\User\Cookies\elevy.db
c:\documents and settings\User\Cookies\goso.vbs
c:\documents and settings\User\Cookies\igasu.bat
c:\documents and settings\User\Cookies\ipyvyl.dl
c:\documents and settings\User\Cookies\kimewyke.dll
c:\documents and settings\User\Cookies\kokucy.vbs
c:\documents and settings\User\Cookies\licy._sy
c:\documents and settings\User\Cookies\neganyfy.db
c:\documents and settings\User\Cookies\osymuhu._sy
c:\documents and settings\User\Cookies\rizibu.vbs
c:\documents and settings\User\Cookies\roqufejiq.inf
c:\documents and settings\User\Cookies\ryjoqodo.sys
c:\documents and settings\User\Cookies\socebozuku.sys
c:\documents and settings\User\Cookies\tovifet.inf
c:\documents and settings\User\Cookies\uzikyqu.vbs
c:\documents and settings\User\Cookies\wofejinaka.bat
c:\documents and settings\User\Local Settings\Application Data\exixazedak.reg
c:\documents and settings\User\Local Settings\Application Data\kyvel.reg
c:\documents and settings\User\Local Settings\Application Data\nurezaxyh.bat
c:\documents and settings\User\Local Settings\Application Data\pafe.bat
c:\documents and settings\User\Local Settings\Application Data\ucuw.inf
c:\program files\Common Files\odinu.bat
c:\program files\crosof~1
c:\program files\webserver
c:\recycler\S-1-5-21-439199626-869750193-1123432360-1006
c:\recycler\S-1-5-21-439199626-869750193-1123432360-1007
c:\recycler\S-1-5-21-507921405-602162358-839522115-1001
c:\recycler\S-1-5-21-507921405-602162358-839522115-500
c:\windows.1\cyralevyvu.bat
c:\windows.1\dykot.bat
c:\windows.1\egok.scr
c:\windows.1\ejof.scr
c:\windows.1\fisozacup._sy
c:\windows.1\ixiv.bat
c:\windows.1\jovobirule.reg
c:\windows.1\pyxe.inf
c:\windows.1\qomi.bat
c:\windows.1\run.log
c:\windows.1\system32\bubonerugu.reg
c:\windows.1\system32\lodevuly.bat
c:\windows.1\system32\SHELLLNK.TLB
c:\windows.1\system32\zunyreh.reg
c:\windows.1\udyh.vbs
E:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DDNSFILTER
-------\Legacy_WEBSERVER
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2010-02-27 to 2010-03-27 )))))))))))))))))))))))))))))))
.

2010-03-26 10:36 . 2010-03-26 10:36 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-23 18:16 . 2010-03-23 18:16 -------- d-----w- c:\program files\ieSpell
2010-03-19 19:03 . 2010-03-19 19:03 54073 ----a-w- c:\documents and settings\All Users.WINDOWS.1\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-03-19 19:03 . 2010-03-19 19:03 56969 ----a-w- c:\documents and settings\All Users.WINDOWS.1\Application Data\DivX\ASPEncoder\Uninstaller.exe
2010-03-19 19:01 . 2010-03-19 19:05 -------- d-----w- c:\documents and settings\All Users.WINDOWS.1\Application Data\DivX
2010-03-19 00:27 . 2010-03-19 00:27 -------- d-----w- c:\program files\ESET
2010-03-18 23:12 . 2009-10-21 05:38 75776 ------w- c:\windows.1\system32\dllcache\strmfilt.dll
2010-03-18 23:12 . 2009-10-21 05:38 25088 ------w- c:\windows.1\system32\dllcache\httpapi.dll
2010-03-18 23:12 . 2009-10-20 16:20 265728 ------w- c:\windows.1\system32\dllcache\http.sys
2010-03-18 02:03 . 2009-10-23 15:28 3558912 ------w- c:\windows.1\system32\dllcache\moviemk.exe
2010-03-18 02:02 . 2009-11-21 15:51 471552 ------w- c:\windows.1\system32\dllcache\aclayers.dll
2010-03-18 01:27 . 2010-01-07 23:07 38224 ----a-w- c:\windows.1\system32\drivers\mbamswissarmy.sys
2010-03-18 01:27 . 2010-03-18 03:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-18 01:27 . 2010-01-07 23:07 19160 ----a-w- c:\windows.1\system32\drivers\mbam.sys
2010-03-17 22:53 . 2010-03-17 22:53 52224 ----a-w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-17 22:53 . 2010-03-17 22:53 117760 ----a-w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-17 22:53 . 2010-03-17 22:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-17 22:52 . 2010-03-17 22:52 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-17 22:45 . 2009-09-11 14:18 136192 ------w- c:\windows.1\system32\dllcache\msv1_0.dll
2010-03-17 22:45 . 2009-06-24 11:18 92928 ------w- c:\windows.1\system32\dllcache\ksecdd.sys
2010-03-17 22:45 . 2009-06-25 08:25 54272 ------w- c:\windows.1\system32\dllcache\wdigest.dll
2010-03-17 22:45 . 2009-06-25 08:25 301568 ------w- c:\windows.1\system32\dllcache\kerberos.dll
2010-03-17 21:38 . 2010-03-17 21:38 -------- d-----w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com
2010-03-17 21:38 . 2010-03-17 21:38 -------- d-----w- c:\documents and settings\All Users.WINDOWS.1\Application Data\SUPERAntiSpyware.com
2010-03-17 00:55 . 2010-03-17 17:24 -------- d--h--w- c:\windows.1\PIF
2010-03-12 19:31 . 2010-03-12 19:31 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Runscanner.net
2010-03-12 19:30 . 2010-03-12 19:30 -------- d-----w- C:\rsit
2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows.1\system32\dpl100.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-24 22:04 . 2009-09-09 21:37 -------- d-----w- c:\program files\IrfanView
2010-03-19 19:03 . 2009-09-09 21:43 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-03-19 19:01 . 2010-03-19 19:04 754984 ----a-w- c:\documents and settings\All Users.WINDOWS.1\Application Data\DivX\Setup\Resource.dll
2010-03-19 19:01 . 2010-03-19 19:04 986904 ----a-w- c:\documents and settings\All Users.WINDOWS.1\Application Data\DivX\Setup\DivXSetup.exe
2010-03-19 01:33 . 2007-11-20 01:41 -------- d-----w- c:\program files\MSConfig CleanUp
2010-03-19 00:00 . 2007-12-19 02:43 -------- d-----w- c:\documents and settings\All Users.WINDOWS.1\Application Data\Microsoft Help
2010-03-18 23:26 . 2007-11-20 03:00 84416 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-18 07:01 . 2007-11-08 07:27 -------- d-----w- c:\program files\Microsoft Works
2010-03-12 21:08 . 2007-09-03 07:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-12 21:08 . 2007-11-20 03:54 -------- d-----w- c:\documents and settings\All Users.WINDOWS.1\Application Data\Spybot - Search & Destroy
2010-03-12 19:38 . 2007-09-14 21:52 -------- d-----w- c:\program files\Yahoo!
2010-02-19 19:27 . 2010-02-19 19:27 720384 ----a-w- c:\windows.1\system32\DivX.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows.1\system32\divx_xx0c.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows.1\system32\divx_xx07.dll
2010-02-19 19:27 . 2010-02-19 19:27 847872 ----a-w- c:\windows.1\system32\divx_xx0a.dll
2010-02-19 19:27 . 2010-02-19 19:27 843776 ----a-w- c:\windows.1\system32\divx_xx16.dll
2010-02-19 19:27 . 2010-02-19 19:27 839680 ----a-w- c:\windows.1\system32\divx_xx11.dll
2010-02-12 13:11 . 2007-12-01 02:33 1324 ----a-w- c:\windows.1\system32\d3d9caps.dat
2010-02-11 23:01 . 2009-09-14 23:52 -------- d-----w- c:\documents and settings\User\Application Data\CallingID
2010-02-11 20:30 . 2009-09-14 23:51 -------- d-----w- c:\documents and settings\User\Application Data\comcasttb
2009-12-31 16:50 . 2007-09-04 01:58 353792 ----a-w- c:\windows.1\system32\drivers\srv.sys
2009-09-14 21:23 . 2009-09-14 21:23 19669 ----a-w- c:\program files\Common Files\hikicaqop._sy
2009-09-12 06:09 . 2009-09-12 06:09 17459 ----a-w- c:\program files\Common Files\ciwikatyda.sys
2009-09-12 06:09 . 2009-09-12 06:09 10762 ----a-w- c:\program files\Common Files\koxovureqa.com
2009-09-12 04:04 . 2009-09-12 04:04 11454 ----a-w- c:\program files\Common Files\ysidaleqi.pif
2009-09-12 03:38 . 2009-09-12 03:38 17840 ----a-w- c:\program files\Common Files\tycy._dl
2009-09-12 03:21 . 2009-09-12 03:21 16599 ----a-w- c:\program files\Common Files\ifariho.pif
2007-11-06 10:46 . 2007-11-06 10:46 27936568 ----a-w- c:\program files\wmp11-windowsxp-x64-enu.exe
2007-11-06 10:44 . 2007-11-06 10:44 25755448 ----a-w- c:\program files\wmp11-windowsxp-x86-enu.exe
2009-08-12 19:15 . 2007-11-08 05:05 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-08-12 19:15 . 2007-11-08 05:05 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-08-12 19:15 . 2007-11-08 05:05 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-08-12 19:15 . 2007-11-08 05:05 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-08-12 19:15 . 2007-11-08 05:05 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------


[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows.1\ServicePackFiles\i386\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows.1\$NtServicePackUninstall$\eventlog.dll

c:\windows.1\System32\drivers\beep.sys ... is missing !!
c:\windows.1\System32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1062144]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1062144]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1062144]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ComcastAntispyClient"="c:\program files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" [2009-08-19 1589208]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]
"ctfmon.exe"="c:\windows.1\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX6400"="c:\windows.1\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE" [2003-06-03 99840]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-03-05 1135912]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2009-03-08 128512]

c:\documents and settings\User\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users.WINDOWS.1\Start Menu\Programs\Startup\
NkvMon.exe.lnk - c:\program files\Nikon\NkView6\NkvMon.exe [2007-12-26 237568]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS.1\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS.1\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
"53:TCP"= 53:TCP:webserver
"8085:TCP"= 8085:TCP:ddnsfilter

R1 Filter;Filter;c:\windows.1\system32\drivers\Filter.sys [x]
R1 SABKUTIL;SABKUTIL;c:\documents and settings\User\Desktop\SABKUTIL.sys [x]
R1 SASDIFSV;SASDIFSV;c:\docume~1\User\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\docume~1\User\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys [x]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [x]
R3 SASENUM;SASENUM;c:\docume~1\User\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS [x]
S2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [2009-06-17 616408]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{11B762AF-09CC-8DB8-0706-030102020402}]
2008-04-14 00:12 14336 ------w- c:\windows.1\system32\svchost.exe
.
Contents of the 'Scheduled Tasks' folder

2009-09-10 c:\windows.1\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]

2010-03-21 c:\windows.1\Tasks\User_Feed_Synchronization-{2483770E-186B-4C34-9F26-85EC8B7A3FBE}.job
- c:\windows.1\system32\msfeedssync.exe [2007-11-20 11:31]

2010-03-17 c:\windows.1\Tasks\WGASetup.job
- c:\windows.1\system32\KB905474\wgasetup.exe [2009-08-01 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://sfbay.craigslist.org/eby/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-*{73c7d5b0-7b03-444a-84c7-ce1ba03b5573} - (no file)
SafeBoot-klmdb.sys
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-27 16:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows.1\system32\wbem\Performance\WmiApRpl_new.ini 924 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows.1\system32\WININET.dll
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll

- - - - - - - > 'explorer.exe'(3332)
c:\windows.1\system32\WININET.dll
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll
c:\windows.1\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows.1\system32\ieframe.dll
c:\windows.1\system32\webcheck.dll
c:\windows.1\system32\wpdshserviceobj.dll
c:\windows.1\system32\hnetcfg.dll
c:\windows.1\system32\portabledevicetypes.dll
c:\windows.1\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\CA\PPRT\bin\ITMRTSVC.exe
c:\windows.1\system32\msiexec.exe
c:\windows.1\system32\dllhost.exe
c:\windows.1\System32\vssvc.exe
c:\windows.1\system32\wbem\wmiapsrv.exe
c:\windows.1\system32\dllhost.exe
c:\windows.1\system32\msdtc.exe
c:\windows.1\system32\WgaTray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-03-27 16:33:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-27 23:33

Pre-Run: 8,863,469,568 bytes free
Post-Run: 8,805,572,608 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS.1
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS.1="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - C802F2600F6BC70072D72F9C4E705C69


#4 Ried

Ried

  • Malware Response Team
  • 1,009 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:23 AM

Posted 27 March 2010 - 10:51 PM

You're welcome, Mike, and I do appreciate the info.

I still have several questions for you. We'll get to those after you perform this next step to finish removing the malware.

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Open notepad and copy/paste the text in the code box below into it:

CODE
http://www.bleepingcomputer.com/forums/t/304418/rootrepeal-and-runscanner-refuse-to-open/

FCopy::
c:\windows.1\ServicePackFiles\i386\eventlog.dll | c:\windows.1\System32\eventlog.dll

Collect::
c:\Program Files\Common Files\hikicaqop._sy
c:\Program Files\Common Files\ciwikatyda.sys
c:\Program Files\Common Files\koxovureqa.com
c:\Program Files\Common Files\ysidaleqi.pif
c:\Program Files\Common Files\tycy._dl
c:\Program Files\Common Files\ifariho.pif

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:TCP"=-
"8085:TCP"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{11B762AF-09CC-8DB8-0706-030102020402}]


Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************





Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
============================

Did you uninstall AVG? I have a lot of conflicting information in these logs. I don't see it listed in your Add/Remove programs list, yet Windows Management Instrumentation sees it, and I see active components in the log

QUOTE
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1062144]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1062144]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1062144]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]


Without AVG being installed, you have no onboard Anti Virus program. Is that correct?

- What about SuperAntiSpyware? I see it as installed, but the service has missing drivers
- AdAware - I do not see it in your list of installed programs, but I see it in services.

QUOTE
Another thing that puzzles me is that when ComboFix went to download the Microsoft Recovery Console, I was asked if I was running Windows XP Home, which is incorrect according to my System Properties so I clicked no, but it downloaded anyway. It says that I am running Windows XP Professional, Version 2002, Service Pack 3. When my computer boots, it also says Windows XP Professional, but it also says I may be running counterfeit software.


Again, conflicting information given by Windows. It appears as though this was originally an XP Home Installation, then someone did a parallel install using XP Pro? Have you always had that message about possible counterfeit software?

Please provide the info you can, and don't forget to post the C:\ComboFix.txt

Edited by Ried, 29 March 2010 - 06:25 AM.

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#5 zse45tgb

zse45tgb
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  •  
  • Local time:01:23 AM

Posted 28 March 2010 - 02:18 AM

Hello again,
I've tried twice to paste the scan log from ComboFix with the modified script, and each time my browser locks up. I don't know what the reason is, and I've included a screenshot. I saw that ComboFix did upload info, and I'm just assuming it was to you (collectively) at bleepingcomputer.com. If it didn't upload all the info I see in the log.txt file, can I just attach it to a reply?



Now might be a good time to grab a cup of coffee

As far as AVG goes, no I did not uninstall it. It is not listed in my add/remove programs window. It is listed in C:\Program Files\AVG, but I can't find any .exe file for it, except in the Toolbar, Toolbar.new and Toolbar.old folders, and I'm not a big fan of toolbars from anyone.
As far as virus protection goes, according to my Windows Security Center I do have an antivirus program running, in fact it says that "AVG reports that it is up to date and virus scanning is on." I hate to sound like a glass half empty kind of guy, but I find it hard to believe I do have an active antivirus program running.

As to SUPERAntispyware; I couldn't get the standard download to open, so I had to download and run RUNSAS.EXE, which succeeded in opening and running the program on my computer, and leaving its little bug icon with my other TSR's in my taskbar. I don't know what to tell you about the missing drivers. I was following directions from boopme when I did the install, with the exception of the location for RUNSAS.EXE which I had to find on the Support page for SUPERAntispyware.

Now on to AdAware; There are two versions of AdAware on this computer, AdAware 6 and Adaware SE Professional. AdAware 6 is on a different disk partition, and like AVG, I can find no executable files in any of the folders. AdAware SE Professional is on the same disk partition as my operating system, but I do not think it is actively running.

Now we get to the fun part, Windows;
Let me start by saying that this is not MY computer, it belongs to my roommates who have neither the time nor the patience to go through this exercise.
A little (perhaps necessary) info on them; they are a married couple who have raised two daughters who are now in their early twenties, and all the above mentioned parties have had active access to this computer. They are out of town this weekend so I can't ask if they bought this computer new, but I will.
Here's the information on the computer system; It is an HP Compaq dc 5000 MT, and it has what appears to be an official Microsoft sticker on the top of the case. I say 'appears' because the sticker does have the hologram, as well as the security band running through it and the rest of the sticker vertically. It says "Windows XP Professional 1-2 CPU", and under that it simply says HP. There is quite a bit more on the sticker, including the product key, which by the way is NOT the product key listed in the registry. I have NOT tried to change this registry value.
If I try to get information on my computer using System Information, I get the following window:



and when I try to close it I get the following:



Which I find a little odd, since I was not using Internet Explorer to try and get my System Information.

If I right click on My Computer and click properties, I can get information about my system, I get the information that I am running Windows XP Professional, Version 2002, Service Pack 3. I don't see any references to XP Home. I've only been using this computer since June of 2009, and I believe the counterfeit message has been there since I started using it, but I can't say how long before.

I realize that fixing my problems is not why I am here, but I thought some of this information might be pertinent.

Thank You again, and let me know if I can attach the ComboFix log,

Mike

#6 Ried

Ried

  • Malware Response Team
  • 1,009 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:23 AM

Posted 28 March 2010 - 10:05 PM

Thanks for taking the time to put all that together for me. Please go ahead and attach the ComboFix.txt and while I'm waiting for that, it'll give me time to sort through what you just explained.

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#7 zse45tgb

zse45tgb
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  •  
  • Local time:01:23 AM

Posted 29 March 2010 - 02:30 AM

I think I may know what the story is for AVG; when I first noticed all of the Antivirus Pro 2010 notices and fake alerts, I tried to DL & install AVG (yes I do know better) which of course didn't work. As for AdAware; I remember trying unsuccessfully to open it, but I didn't try to install it.
It looks like I'm lucky the ComboFix log wasn't a little longer, I've only got 15.9 k remaining out of my 512.

Regards,

Mike

ComboFix 10-03-27.02 - User 03/27/2010 21:58:38.2.1 - x86
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point

file zipped: c:\program files\Common Files\ciwikatyda.sys
file zipped: c:\program files\Common Files\hikicaqop._sy
file zipped: c:\program files\Common Files\ifariho.pif
file zipped: c:\program files\Common Files\koxovureqa.com
file zipped: c:\program files\Common Files\tycy._dl
file zipped: c:\program files\Common Files\ysidaleqi.pif
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\ciwikatyda.sys
c:\program files\Common Files\hikicaqop._sy
c:\program files\Common Files\ifariho.pif
c:\program files\Common Files\koxovureqa.com
c:\program files\Common Files\tycy._dl
c:\program files\Common Files\ysidaleqi.pif

.
((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-28 )))))))))))))))))))))))))))))))
.

2010-03-26 10:36 . 2010-03-26 10:36 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-23 18:16 . 2010-03-23 18:16 -------- d-----w- c:\program files\ieSpell
2010-03-19 19:03 . 2010-03-19 19:03 54073 ----a-w- c:\documents and settings\All Users.WINDOWS.1\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-03-19 19:03 . 2010-03-19 19:03 56969 ----a-w- c:\documents and settings\All Users.WINDOWS.1\Application Data\DivX\ASPEncoder\Uninstaller.exe
2010-03-19 19:01 . 2010-03-19 19:05 -------- d-----w- c:\documents and settings\All Users.WINDOWS.1\Application Data\DivX
2010-03-19 00:27 . 2010-03-19 00:27 -------- d-----w- c:\program files\ESET
2010-03-18 23:12 . 2009-10-21 05:38 75776 ------w- c:\windows.1\system32\dllcache\strmfilt.dll
2010-03-18 23:12 . 2009-10-21 05:38 25088 ------w- c:\windows.1\system32\dllcache\httpapi.dll
2010-03-18 23:12 . 2009-10-20 16:20 265728 ------w- c:\windows.1\system32\dllcache\http.sys
2010-03-18 02:03 . 2009-10-23 15:28 3558912 ------w- c:\windows.1\system32\dllcache\moviemk.exe
2010-03-18 02:02 . 2009-11-21 15:51 471552 ------w- c:\windows.1\system32\dllcache\aclayers.dll
2010-03-18 01:27 . 2010-01-07 23:07 38224 ----a-w- c:\windows.1\system32\drivers\mbamswissarmy.sys
2010-03-18 01:27 . 2010-03-18 03:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-18 01:27 . 2010-01-07 23:07 19160 ----a-w- c:\windows.1\system32\drivers\mbam.sys
2010-03-17 22:53 . 2010-03-17 22:53 52224 ----a-w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-17 22:53 . 2010-03-17 22:53 117760 ----a-w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-17 22:53 . 2010-03-17 22:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-17 22:52 . 2010-03-17 22:52 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-17 22:45 . 2009-09-11 14:18 136192 ------w- c:\windows.1\system32\dllcache\msv1_0.dll
2010-03-17 22:45 . 2009-06-24 11:18 92928 ------w- c:\windows.1\system32\dllcache\ksecdd.sys
2010-03-17 22:45 . 2009-06-25 08:25 54272 ------w- c:\windows.1\system32\dllcache\wdigest.dll
2010-03-17 22:45 . 2009-06-25 08:25 301568 ------w- c:\windows.1\system32\dllcache\kerberos.dll
2010-03-17 21:38 . 2010-03-17 21:38 -------- d-----w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com
2010-03-17 21:38 . 2010-03-17 21:38 -------- d-----w- c:\documents and settings\All Users.WINDOWS.1\Application Data\SUPERAntiSpyware.com
2010-03-17 00:55 . 2010-03-17 17:24 -------- d--h--w- c:\windows.1\PIF
2010-03-12 19:31 . 2010-03-12 19:31 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Runscanner.net
2010-03-12 19:30 . 2010-03-12 19:30 -------- d-----w- C:\rsit
2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows.1\system32\dpl100.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-24 22:04 . 2009-09-09 21:37 -------- d-----w- c:\program files\IrfanView
2010-03-19 19:03 . 2009-09-09 21:43 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-03-19 19:01 . 2010-03-19 19:04 754984 ----a-w- c:\documents and settings\All Users.WINDOWS.1\Application Data\DivX\Setup\Resource.dll
2010-03-19 19:01 . 2010-03-19 19:04 986904 ----a-w- c:\documents and settings\All Users.WINDOWS.1\Application Data\DivX\Setup\DivXSetup.exe
2010-03-19 01:33 . 2007-11-20 01:41 -------- d-----w- c:\program files\MSConfig CleanUp
2010-03-19 00:00 . 2007-12-19 02:43 -------- d-----w- c:\documents and settings\All Users.WINDOWS.1\Application Data\Microsoft Help
2010-03-18 23:26 . 2007-11-20 03:00 84416 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-18 07:01 . 2007-11-08 07:27 -------- d-----w- c:\program files\Microsoft Works
2010-03-12 21:08 . 2007-09-03 07:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-12 21:08 . 2007-11-20 03:54 -------- d-----w- c:\documents and settings\All Users.WINDOWS.1\Application Data\Spybot - Search & Destroy
2010-03-12 19:38 . 2007-09-14 21:52 -------- d-----w- c:\program files\Yahoo!
2010-02-19 19:27 . 2010-02-19 19:27 720384 ----a-w- c:\windows.1\system32\DivX.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows.1\system32\divx_xx0c.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows.1\system32\divx_xx07.dll
2010-02-19 19:27 . 2010-02-19 19:27 847872 ----a-w- c:\windows.1\system32\divx_xx0a.dll
2010-02-19 19:27 . 2010-02-19 19:27 843776 ----a-w- c:\windows.1\system32\divx_xx16.dll
2010-02-19 19:27 . 2010-02-19 19:27 839680 ----a-w- c:\windows.1\system32\divx_xx11.dll
2010-02-12 13:11 . 2007-12-01 02:33 1324 ----a-w- c:\windows.1\system32\d3d9caps.dat
2010-02-11 23:01 . 2009-09-14 23:52 -------- d-----w- c:\documents and settings\User\Application Data\CallingID
2010-02-11 20:30 . 2009-09-14 23:51 -------- d-----w- c:\documents and settings\User\Application Data\comcasttb
2009-12-31 16:50 . 2007-09-04 01:58 353792 ----a-w- c:\windows.1\system32\drivers\srv.sys
2007-11-06 10:46 . 2007-11-06 10:46 27936568 ----a-w- c:\program files\wmp11-windowsxp-x64-enu.exe
2007-11-06 10:44 . 2007-11-06 10:44 25755448 ----a-w- c:\program files\wmp11-windowsxp-x86-enu.exe
2009-08-12 19:15 . 2007-11-08 05:05 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-08-12 19:15 . 2007-11-08 05:05 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-08-12 19:15 . 2007-11-08 05:05 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-08-12 19:15 . 2007-11-08 05:05 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-08-12 19:15 . 2007-11-08 05:05 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------


[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows.1\ServicePackFiles\i386\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows.1\$NtServicePackUninstall$\eventlog.dll

c:\windows.1\System32\drivers\beep.sys ... is missing !!
c:\windows.1\System32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2010-03-27_23.28.57 )))))))))))))))))))))))))))))))))))))))))
.
-- Snapshot reset to current date --
.

**edited to save space**


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1062144]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1062144]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1062144]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ComcastAntispyClient"="c:\program files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" [2009-08-19 1589208]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX6400"="c:\windows.1\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE" [2003-06-03 99840]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-03-05 1135912]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2009-03-08 128512]

c:\documents and settings\User\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users.WINDOWS.1\Start Menu\Programs\Startup\
NkvMon.exe.lnk - c:\program files\Nikon\NkView6\NkvMon.exe [2007-12-26 237568]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS.1\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS.1\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 Filter;Filter;c:\windows.1\system32\drivers\Filter.sys [x]
R1 SABKUTIL;SABKUTIL;c:\documents and settings\User\Desktop\SABKUTIL.sys [x]
R1 SASDIFSV;SASDIFSV;c:\docume~1\User\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\docume~1\User\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys [x]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [x]
R3 SASENUM;SASENUM;c:\docume~1\User\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS [x]
S2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [2009-06-17 616408]

.
Contents of the 'Scheduled Tasks' folder

2009-09-10 c:\windows.1\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]

2010-03-21 c:\windows.1\Tasks\User_Feed_Synchronization-{2483770E-186B-4C34-9F26-85EC8B7A3FBE}.job
- c:\windows.1\system32\msfeedssync.exe [2007-11-20 11:31]

2010-03-17 c:\windows.1\Tasks\WGASetup.job
- c:\windows.1\system32\KB905474\wgasetup.exe [2009-08-01 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://sfbay.craigslist.org/eby/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-27 22:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows.1\system32\WININET.dll
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll
.
Completion time: 2010-03-27 22:06:00
ComboFix-quarantined-files.txt 2010-03-28 05:05
ComboFix2.txt 2010-03-27 23:33

Pre-Run: 8,816,500,736 bytes free
Post-Run: 8,798,302,208 bytes free

- - End Of File - - 4AE4DE28B4691CC4509FC066A38C7A35
Upload was successful

Attached Files


Edited by Ried, 29 March 2010 - 09:37 PM.


#8 Ried

Ried

  • Malware Response Team
  • 1,009 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:23 AM

Posted 29 March 2010 - 09:59 PM

Thanks, Mike. We'll pull out the remnants ourselves. Afterwards, try again to install AVG or another free AV of your choice.

Open notepad and copy/paste the text in the code box below into it:

CODE
FCopy::
c:\windows.1\ServicePackFiles\i386\eventlog.dll | c:\windows.1\System32\eventlog.dll

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"=-
[-HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"=-
[-HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"=-
[-HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

Driver::
Lavasoft Ad-Aware Service


Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************





Referring to the picture above, drag CFScript into ComboFix.exe

When finished, please include the C:\ComboFix.txt in your next reply.


=======================


Manually delete this folder:

c:\program files\AVG

=======================

QUOTE
There is quite a bit more on the sticker, including the product key, which by the way is NOT the product key listed in the registry. I have NOT tried to change this registry value.


Someone did something to change that. Your initial post mentioned - "This copy of Windows did not pass genuine validation. The product key found on this computer is not valid for use in your region." See this link for one explanation for having that particular message ==> http://social.microsoft.com/Forums/en-US/g...6c-57cb70225dcb


QUOTE
Cannot access the Windows Management Instrumentation software. Windows Management files may be moved or missing.


This can cause problems further down the line. When we're through here, I would suggest talking to the folks in the Windows XP section and see if they can sort this out for you.

Please return with the C:\ComboFix.txt and an update on system behavior.



Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
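The inconsistencies Ried reads out of the ComboFix logs by hand in posts #4 and #8 (AVG loading points still present with no product in Add/Remove, a SUPERAntiSpyware service whose drivers are gone, the Sigcheck "is missing" lines, catchme's hidden-file count) can be pulled out mechanically. The triage helper below is an added example for this thread, not ComboFix's or BleepingComputer's own code; its regexes are assumptions about the log format derived from the lines quoted here, and it runs over a constructed sample modelled on those lines.

```python
"""Triage helper for ComboFix-style logs (added example; not ComboFix code).

Extracts registry loading points, services whose image is absent ("[x]"),
Sigcheck "is missing" lines, and the catchme hidden-file count, then lets
you ask which loading points still reference a given vendor directory.
The regexes are assumptions about the log format, based on the thread.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample modelled on the log lines quoted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1062144]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

R1 Filter;Filter;c:\windows.1\system32\drivers\Filter.sys [x]
R1 SASDIFSV;SASDIFSV;c:\docume~1\User\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
S2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [2009-06-17 616408]

c:\windows.1\System32\drivers\beep.sys ... is missing !!
c:\windows.1\System32\eventlog.dll ... is missing !!

scan completed successfully
hidden files: 1
"""

# [HKEY_...] section header in the "Reg Loading Points" dump
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "ValueName"= "path" [YYYY-MM-DD size]  -- a loading point whose file exists
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*"(?P<path>[^"]+)"\s+'
    r"\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$"
)
# R1 name;display;image [x]   -- "[x]" marks an image file that is not present
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)\s+"
    r"(?P<status>\[x\]|\[\d{4}-\d{2}-\d{2} \d+\])$"
)
MISSING_RE = re.compile(r"^(?P<path>.+?) \.\.\. is missing !!$")
HIDDEN_RE = re.compile(r"^hidden files: (?P<n>\d+)$")


@dataclass
class Report:
    loading_points: List[Tuple[str, str, str]] = field(default_factory=list)  # (key, value, path)
    missing_service_images: List[Tuple[str, str]] = field(default_factory=list)  # (service, image)
    missing_files: List[str] = field(default_factory=list)
    hidden_file_count: Optional[int] = None  # None when no catchme section was seen


def parse_combofix_log(text: str) -> Report:
    """One pass over the log; remembers the current [key] so values get attributed to it."""
    report = Report()
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := KEY_RE.match(line)):
            current_key = m.group("key")
        elif (m := VALUE_RE.match(line)) and current_key:
            report.loading_points.append((current_key, m.group("name"), m.group("path")))
        elif (m := SERVICE_RE.match(line)):
            if m.group("status") == "[x]":
                report.missing_service_images.append((m.group("name"), m.group("image")))
        elif (m := MISSING_RE.match(line)):
            report.missing_files.append(m.group("path"))
        elif (m := HIDDEN_RE.match(line)):
            report.hidden_file_count = int(m.group("n"))
    return report


def vendor_remnants(report: Report, vendor_dir: str) -> List[Tuple[str, str, str]]:
    """Loading points whose target lives under vendor_dir (e.g. "\\AVG\\"): the signal
    used in this thread to conclude a product was never fully uninstalled."""
    needle = vendor_dir.lower()
    return [lp for lp in report.loading_points if needle in lp[2].lower()]


if __name__ == "__main__":
    rep = parse_combofix_log(SAMPLE_LOG)
    print("hidden files reported by catchme:", rep.hidden_file_count)
    for name, image in rep.missing_service_images:
        print(f"service {name}: image not present -> {image}")
    for path in rep.missing_files:
        print(f"sigcheck: {path} is missing")
    for key, name, path in vendor_remnants(rep, "\\AVG\\"):
        print(f"AVG remnant: {name} under {key} -> {path}")
```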


#9 zse45tgb

zse45tgb
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  •  
  • Local time:01:23 AM

Posted 30 March 2010 - 12:06 AM

Hi Ried,
I tried deleting c:\program files\AVG, but ComboFix found it anyway when it started. I don't know what else to do to remove it without going in and ripping it out of the registry.

Regards,
Mike


Here is the ComboFix log:

ComboFix 10-03-29.02 - User 03/29/2010 21:19:39.3.1 - x86
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows.1\ServicePackFiles\i386\eventlog.dll --> c:\windows.1\System32\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LAVASOFT_AD-AWARE_SERVICE
-------\Service_Lavasoft Ad-Aware Service


((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-30 )))))))))))))))))))))))))))))))
.

2010-03-30 04:19 . 2008-04-14 00:11 56320 ----a-w- c:\windows.1\system32\eventlog.dll
2010-03-30 04:19 . 2008-04-14 00:11 56320 ----a-w- c:\windows.1\system32\dllcache\eventlog.dll
2010-03-26 10:36 . 2010-03-26 10:36 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-23 18:16 . 2010-03-23 18:16 -------- d-----w- c:\program files\ieSpell
2010-03-19 19:03 . 2010-03-19 19:03 54073 ----a-w- c:\documents and settings\All Users.WINDOWS.1\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-03-19 19:03 . 2010-03-19 19:03 56969 ----a-w- c:\documents and settings\All Users.WINDOWS.1\Application Data\DivX\ASPEncoder\Uninstaller.exe
2010-03-19 19:01 . 2010-03-19 19:05 -------- d-----w- c:\documents and settings\All Users.WINDOWS.1\Application Data\DivX
2010-03-19 00:27 . 2010-03-19 00:27 -------- d-----w- c:\program files\ESET
2010-03-18 23:12 . 2009-10-21 05:38 75776 ------w- c:\windows.1\system32\dllcache\strmfilt.dll
2010-03-18 23:12 . 2009-10-21 05:38 25088 ------w- c:\windows.1\system32\dllcache\httpapi.dll
2010-03-18 23:12 . 2009-10-20 16:20 265728 ------w- c:\windows.1\system32\dllcache\http.sys
2010-03-18 02:03 . 2009-10-23 15:28 3558912 ------w- c:\windows.1\system32\dllcache\moviemk.exe
2010-03-18 02:02 . 2009-11-21 15:51 471552 ------w- c:\windows.1\system32\dllcache\aclayers.dll
2010-03-18 01:27 . 2010-01-07 23:07 38224 ----a-w- c:\windows.1\system32\drivers\mbamswissarmy.sys
2010-03-18 01:27 . 2010-03-18 03:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-18 01:27 . 2010-01-07 23:07 19160 ----a-w- c:\windows.1\system32\drivers\mbam.sys
2010-03-17 22:53 . 2010-03-17 22:53 52224 ----a-w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-17 22:53 . 2010-03-17 22:53 117760 ----a-w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-17 22:53 . 2010-03-17 22:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-17 22:52 . 2010-03-17 22:52 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-17 22:45 . 2009-09-11 14:18 136192 ------w- c:\windows.1\system32\dllcache\msv1_0.dll
2010-03-17 22:45 . 2009-06-24 11:18 92928 ------w- c:\windows.1\system32\dllcache\ksecdd.sys
2010-03-17 22:45 . 2009-06-25 08:25 54272 ------w- c:\windows.1\system32\dllcache\wdigest.dll
2010-03-17 22:45 . 2009-06-25 08:25 301568 ------w- c:\windows.1\system32\dllcache\kerberos.dll
2010-03-17 21:38 . 2010-03-17 21:38 -------- d-----w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com
2010-03-17 21:38 . 2010-03-17 21:38 -------- d-----w- c:\documents and settings\All Users.WINDOWS.1\Application Data\SUPERAntiSpyware.com
2010-03-17 00:55 . 2010-03-17 17:24 -------- d--h--w- c:\windows.1\PIF
2010-03-12 19:31 . 2010-03-12 19:31 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Runscanner.net
2010-03-12 19:30 . 2010-03-12 19:30 -------- d-----w- C:\rsit
2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows.1\system32\dpl100.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-24 22:04 . 2009-09-09 21:37 -------- d-----w- c:\program files\IrfanView
2010-03-19 19:03 . 2009-09-09 21:43 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-03-19 19:01 . 2010-03-19 19:04 754984 ----a-w- c:\documents and settings\All Users.WINDOWS.1\Application Data\DivX\Setup\Resource.dll
2010-03-19 19:01 . 2010-03-19 19:04 986904 ----a-w- c:\documents and settings\All Users.WINDOWS.1\Application Data\DivX\Setup\DivXSetup.exe
2010-03-19 01:33 . 2007-11-20 01:41 -------- d-----w- c:\program files\MSConfig CleanUp
2010-03-19 00:00 . 2007-12-19 02:43 -------- d-----w- c:\documents and settings\All Users.WINDOWS.1\Application Data\Microsoft Help
2010-03-18 23:26 . 2007-11-20 03:00 84416 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-18 07:01 . 2007-11-08 07:27 -------- d-----w- c:\program files\Microsoft Works
2010-03-12 21:08 . 2007-09-03 07:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-12 21:08 . 2007-11-20 03:54 -------- d-----w- c:\documents and settings\All Users.WINDOWS.1\Application Data\Spybot - Search & Destroy
2010-03-12 19:38 . 2007-09-14 21:52 -------- d-----w- c:\program files\Yahoo!
2010-02-19 19:27 . 2010-02-19 19:27 720384 ----a-w- c:\windows.1\system32\DivX.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows.1\system32\divx_xx0c.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows.1\system32\divx_xx07.dll
2010-02-19 19:27 . 2010-02-19 19:27 847872 ----a-w- c:\windows.1\system32\divx_xx0a.dll
2010-02-19 19:27 . 2010-02-19 19:27 843776 ----a-w- c:\windows.1\system32\divx_xx16.dll
2010-02-19 19:27 . 2010-02-19 19:27 839680 ----a-w- c:\windows.1\system32\divx_xx11.dll
2010-02-12 13:11 . 2007-12-01 02:33 1324 ----a-w- c:\windows.1\system32\d3d9caps.dat
2010-02-11 23:01 . 2009-09-14 23:52 -------- d-----w- c:\documents and settings\User\Application Data\CallingID
2010-02-11 20:30 . 2009-09-14 23:51 -------- d-----w- c:\documents and settings\User\Application Data\comcasttb
2009-12-31 16:50 . 2007-09-04 01:58 353792 ----a-w- c:\windows.1\system32\drivers\srv.sys
2007-11-06 10:46 . 2007-11-06 10:46 27936568 ----a-w- c:\program files\wmp11-windowsxp-x64-enu.exe
2007-11-06 10:44 . 2007-11-06 10:44 25755448 ----a-w- c:\program files\wmp11-windowsxp-x86-enu.exe
2009-08-12 19:15 . 2007-11-08 05:05 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-08-12 19:15 . 2007-11-08 05:05 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-08-12 19:15 . 2007-11-08 05:05 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-08-12 19:15 . 2007-11-08 05:05 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-08-12 19:15 . 2007-11-08 05:05 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot_2010-03-28_05.04.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2001-08-23 12:00 . 2010-03-27 23:32 68360 c:\windows.1\system32\perfc009.dat
+ 2001-08-23 12:00 . 2010-03-30 04:29 68360 c:\windows.1\system32\perfc009.dat
+ 2001-08-23 12:00 . 2010-03-30 04:29 435590 c:\windows.1\system32\perfh009.dat
- 2001-08-23 12:00 . 2010-03-27 23:32 435590 c:\windows.1\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ComcastAntispyClient"="c:\program files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" [2009-08-19 1589208]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]
"ctfmon.exe"="c:\windows.1\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX6400"="c:\windows.1\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE" [2003-06-03 99840]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-03-05 1135912]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2009-03-08 128512]

c:\documents and settings\User\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users.WINDOWS.1\Start Menu\Programs\Startup\
NkvMon.exe.lnk - c:\program files\Nikon\NkView6\NkvMon.exe [2007-12-26 237568]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS.1\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS.1\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 Filter;Filter;c:\windows.1\system32\drivers\Filter.sys [x]
R1 SABKUTIL;SABKUTIL;c:\documents and settings\User\Desktop\SABKUTIL.sys [x]
R1 SASDIFSV;SASDIFSV;c:\docume~1\User\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\docume~1\User\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys [x]
R3 SASENUM;SASENUM;c:\docume~1\User\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS [x]
S2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [2009-06-17 616408]

.
Contents of the 'Scheduled Tasks' folder

2009-09-10 c:\windows.1\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]

2010-03-30 c:\windows.1\Tasks\User_Feed_Synchronization-{2483770E-186B-4C34-9F26-85EC8B7A3FBE}.job
- c:\windows.1\system32\msfeedssync.exe [2007-11-20 11:31]

2010-03-30 c:\windows.1\Tasks\WGASetup.job
- c:\windows.1\system32\KB905474\wgasetup.exe [2009-08-01 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://sfbay.craigslist.org/eby/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-29 21:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows.1\system32\wbem\Performance\WmiApRpl_new.ini 924 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows.1\system32\WININET.dll
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll

- - - - - - - > 'explorer.exe'(952)
c:\windows.1\system32\WININET.dll
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll
c:\windows.1\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows.1\system32\ieframe.dll
c:\windows.1\system32\webcheck.dll
c:\windows.1\system32\wpdshserviceobj.dll
c:\windows.1\system32\hnetcfg.dll
c:\windows.1\system32\portabledevicetypes.dll
c:\windows.1\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\CA\PPRT\bin\ITMRTSVC.exe
c:\windows.1\system32\msiexec.exe
c:\windows.1\system32\dllhost.exe
c:\windows.1\System32\vssvc.exe
c:\windows.1\system32\wbem\wmiapsrv.exe
c:\windows.1\system32\dllhost.exe
c:\windows.1\system32\WgaTray.exe
c:\windows.1\system32\msdtc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-03-29 21:32:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-30 04:32
ComboFix2.txt 2010-03-28 05:06
ComboFix3.txt 2010-03-27 23:33

Pre-Run: 9,346,609,152 bytes free
Post-Run: 9,309,696,000 bytes free

- - End Of File - - 7E5942368EBD7A2AB44BBBF54F69BFBF


#10 Ried (Malware Response Team)

Posted 30 March 2010 - 06:29 AM

Hi Mike,

Simple enough to resolve.


1. Click on the Start menu.
2. Select Run...
3. Type wbemtest and click OK
4. Connect to root\SecurityCenter
5. Click on Query
6. Type in or copy/paste SELECT * FROM AntiVirusProduct and click on Apply

You should see AVG listed there. Single click and select Delete.

Then download the AVG Uninstaller. How is the system behaving now?

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
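The wbemtest steps above (connect to root\SecurityCenter, query AntiVirusProduct, delete the stale instance), as an added PowerShell example that is not part of the original thread. It lists what Security Center believes is installed, cross-checks the candidate against the Add/Remove Programs list so a still-installed product is not deregistered by mistake, and only deletes the WMI instance when run with -Remove. Assumptions: Windows XP SP3 with PowerShell 2.0 (on Vista and later the namespace is root\SecurityCenter2 and the class exposes productState rather than the XP property names used here); the product name "AVG" and the Uninstall-key check are illustrative choices, not something the post prescribes.

```powershell
# Added example, not code from the original post. Lists the AntiVirusProduct
# registrations Windows Security Center holds and removes a stale one.
# Assumed environment: Windows XP SP3, PowerShell 2.0, run as an administrator.
# Namespace root\SecurityCenter is XP-specific; Vista+ uses root\SecurityCenter2.

param(
    # Product whose registration is orphaned. "AVG" is the product named in the
    # post and is used here as an example value.
    [string]$StaleProduct = 'AVG',
    [switch]$Remove
)

$ns = 'root\SecurityCenter'

function Get-RegisteredAV {
    # Same data wbemtest shows for "SELECT * FROM AntiVirusProduct".
    Get-WmiObject -Namespace $ns -Class AntiVirusProduct |
        Select-Object displayName, companyName, versionNumber,
                      onAccessScanningEnabled, productUptoDate, instanceGuid
}

Write-Host "Registered antivirus products in ${ns}:"
Get-RegisteredAV | Format-Table -AutoSize

# A registration left behind by a broken uninstall keeps Security Center
# reporting the machine as protected, which is why the post deletes it before
# a replacement AV is installed.
$stale = Get-WmiObject -Namespace $ns -Class AntiVirusProduct |
    Where-Object { $_.displayName -like "*$StaleProduct*" }

if (-not $stale) {
    Write-Host "No AntiVirusProduct entry matching '$StaleProduct' found."
    return
}

foreach ($entry in $stale) {
    # Cross-check (assumed heuristic): if the product is still listed under the
    # Uninstall keys it is not orphaned; uninstall it properly instead.
    $installed = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*$StaleProduct*" }
    if ($installed) {
        Write-Warning "'$($entry.displayName)' still appears in Add/Remove Programs; uninstall it rather than deleting its registration."
        continue
    }
    if ($Remove) {
        # Equivalent to selecting the instance in wbemtest and pressing Delete.
        $entry | Remove-WmiObject
        Write-Host "Removed stale registration: $($entry.displayName)"
    } else {
        Write-Host "Would remove: $($entry.displayName) ($($entry.instanceGuid)). Re-run with -Remove to delete."
    }
}
```

Save as a .ps1 and run it once without -Remove to see what would be deleted, then with `-StaleProduct AVG -Remove`. A properly uninstalled product deregisters itself, so an entry that survives the vendor's own uninstaller is the sign of a broken removal, which is the situation the post describes.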


#11 zse45tgb (Topic Starter)

Posted 30 March 2010 - 02:01 PM

Good Morning Ried,
The AVG Uninstaller reported a lot of "not found" in the log, but my Security Center does report that I am no longer protected so I suppose it was a success. My system is running fine, does this mean I'm clean?
As far as installing a different anti virus goes, I'm open to suggestions. Unfortunately, I'm limited to the free version since I'm not working at this time. I noticed there is a tutorial for Avast, and I was wondering what your opinion is on it.

Again, Many Thanks,

Mike

#12 Ried (Malware Response Team)

Posted 30 March 2010 - 03:12 PM

Due to the level of infection that was onboard, and the fact AVG wasn't working properly, I feel it's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.






#13 zse45tgb (Topic Starter)

Posted 30 March 2010 - 11:21 PM

Good Evening,
You weren't joking when you said it may take some time. I hope the results are good news.

Regards,
Mike

Here are the results:


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, March 30, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, March 30, 2010 14:57:50
Records in database: 3901472
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Objects scanned: 164345
Threats found: 6
Infected objects found: 8
Suspicious objects found: 0
Scan duration: 06:58:34


File name / Threat / Threats count
C:\Documents and Settings\All Users\Start Menu\Programs\Total Commander 7.EXE Infected: Trojan-Dropper.Win32.Agent.bkit 1
C:\Documents and Settings\Tasha\Local Settings\Application Data\Microsoft\CD Burning\pw\XPC.zip Infected: HackTool.Win32.BruteForce.i 1
C:\Documents and Settings\Tasha\My Documents\crAcK\ophcrack-livecd-1.2.2.iso Infected: not-a-virus:PSWTool.Win32.PWDump.2 1
C:\Documents and Settings\Tasha\My Documents\crAcK\ophcrack-livecd-1.2.2.iso Infected: not-a-virus:PSWTool.Win32.PWDump.s 1
C:\Documents and Settings\Tasha\My Documents\crAcK\ophcrack-livecd-1.2.2.iso Infected: not-a-virus:PSWTool.Win32.PWDump.d 2
C:\Documents and Settings\Tasha\My Documents\crAcK\pw\XPC.zip Infected: HackTool.Win32.BruteForce.i 1
C:\WINDOWS\system32\winbfi32.txt Infected: Trojan.Win32.Dialer.qn 1

Selected area has been scanned.


Just a side note,
Any of the "Tasha" entries listed aren't necessary, so complete removal could be an easy(?) option.

Mike

Edited by zse45tgb, 31 March 2010 - 12:28 PM.


#14 Ried (Malware Response Team)

Posted 31 March 2010 - 03:59 PM

Well no, not if Tasha is a user profile. If it is, then you want to delete the profile?? If not, then delete that password cracker.

Also delete this file:

C:\WINDOWS\system32\winbfi32.txt

==============================

Regarding your earlier question about Avast - yes - it is an excellent free AV. I use it myself.



After completing the above, your logs are clean. If there aren't any more problems, we have some final housekeeping to tend to now. Please do not skip this step as it will implement some important cleanup procedures, one of which is resetting your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point for you.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /uninstall

--------------------------------------------------------------------

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.


To help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
    • SpywareBlaster is a preventative program. It sets flags in the registry to prevent the running of a specific list of bad spyware related ActiveX controls. It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

  • WOT (Web of Trust). As 'Googling' is such an integral part of internet life, this free browser add-on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.

  • Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

  • BACKING UP YOUR REGISTRY
    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders System Restore unavailable by simple means. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.


**Kindly respond one more time and let me know if we may consider this thread resolved.

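The HOSTS-file mechanism described in the post above (names mapped to 127.0.0.1 never resolve), as an added PowerShell example that is not part of the original thread. The same file is a favourite target of malware on machines like the one in this thread, used the other way round: update and antivirus domains are pointed at loopback or at a third-party address so the machine cannot fetch updates. The script classifies each entry as a sinkhole block, a redirect, or a hijack of a watched domain. Assumptions: PowerShell 2.0 or later; the $WatchDomains list is illustrative and not complete; the embedded sample HOSTS content is constructed for the example.

```powershell
# Added example, not code from the original post. Audits a HOSTS file:
# counts blocklist-style entries (127.0.0.1 / 0.0.0.0), lists redirects to
# other addresses, and flags any override of a security or update domain.
# Assumed: PowerShell 2.0+. The watch list below is illustrative only.

param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")

$SinkholeAddresses = @('127.0.0.1', '0.0.0.0', '::1')
# Domains that should never be overridden on a clean machine (assumed list).
$WatchDomains = @('windowsupdate.com', 'update.microsoft.com', 'avg.com',
                  'avast.com', 'kaspersky.com', 'malwarebytes.org',
                  'superantispyware.com', 'bleepingcomputer.com')

function Test-HostsEntries {
    param([string[]]$Lines)
    $result = @{ Sinkholed = 0; Redirected = @(); Hijacked = @() }
    foreach ($raw in $Lines) {
        $line = ($raw -split '#')[0].Trim()      # drop comments and padding
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }
        $address = $fields[0]
        $names = $fields[1..($fields.Count - 1)]
        foreach ($name in $names) {
            $name = $name.ToLower()
            if ($name -eq 'localhost') { continue }
            $watched = $WatchDomains | Where-Object { $name -eq $_ -or $name.EndsWith(".$_") }
            if ($watched) {
                # Any override of a security/update domain is suspect, even to loopback.
                $result.Hijacked += "$address $name"
            } elseif ($SinkholeAddresses -contains $address) {
                $result.Sinkholed++
            } else {
                # Ordinary name sent somewhere other than loopback: worth a look.
                $result.Redirected += "$address $name"
            }
        }
    }
    return $result
}

# Constructed sample mixing MVPS-style blocks with two hijack entries.
$SampleHosts = @'
# Sample HOSTS content (constructed for this example)
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org      # MVPS-style block
127.0.0.1 www.avg.com            # update site pointed at loopback: hijack
203.0.113.7 windowsupdate.com    # redirected to a third party: hijack
203.0.113.7 www.example.com
'@ -split "`r?`n"

$sample = Test-HostsEntries -Lines $SampleHosts
Write-Host ("Sample: {0} sinkholed, {1} redirected, {2} hijacked" -f `
    $sample.Sinkholed, $sample.Redirected.Count, $sample.Hijacked.Count)
$sample.Hijacked | ForEach-Object { Write-Host "  HIJACK   $_" }
$sample.Redirected | ForEach-Object { Write-Host "  REDIRECT $_" }

if (Test-Path $Path) {
    $live = Test-HostsEntries -Lines (Get-Content $Path)
    Write-Host ("{0}: {1} sinkholed, {2} redirected, {3} hijacked" -f `
        $Path, $live.Sinkholed, $live.Redirected.Count, $live.Hijacked.Count)
    $live.Hijacked | ForEach-Object { Write-Warning "HIJACK $_" }
}
```

On the constructed sample the script reports 2 sinkholed, 1 redirected and 2 hijacked entries. After installing the MVPS file the sinkholed count on the live file should be in the thousands and the hijacked list empty; a non-empty hijacked list on a machine that has just been cleaned is a reason to reopen the investigation rather than a hosts-file quirk to tidy up.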


#15 zse45tgb (Topic Starter)

Posted 31 March 2010 - 05:21 PM

Hello again,
I did delete the User Profile "Tasha" as well as "C:\WINDOWS\system32\winbfi32.txt", but I believe that still leaves:

"C:\Documents and Settings\All Users\Start Menu\Programs\Total Commander 7.EXE Infected: Trojan-Dropper.Win32.Agent.bkit 1"

or has that been taken care of? I have also run the ComboFix uninstall routine. One other item I would like to address is the fact that I am still unable to open, move, or more importantly, delete RootRepeal or Runscanner from my desktop.
Unfortunately, the Windows Update is going to have to wait until I get my Windows issues straightened out. But like you said, that's better addressed in the Windows Forums.

Again, Many Thanks for your time, trouble, and most of all patience,

Mike



