
XP Security 2010 keeps coming back!


This topic is locked. 24 replies to this topic.

#1 Lynette S


Posted 02 April 2010 - 08:44 PM

Hello! My computer got infected with XP Security 2010. I ran Malwarebytes, and that cleared it up temporarily, but it keeps coming back. Now AVG Resident Shield shows "Virus identified Win32/Patched.CG C:\Windows\system32\drivers\atapi.sys. Object is white-listed (critical/system file that should not be removed)." Also, my computer won't let me access the Microsoft Windows update site. The last thing I tried was running Superantispyware, but I think I'm still infected. Can anyone help me with this?? Attached are my logs. Thanks in advance!

#2 thewall


Posted 03 April 2010 - 07:03 PM


Hello Lynette S. Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.

Thanks,

thewall

If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 Lynette S


Posted 03 April 2010 - 08:39 PM

Hi thewall! Thanks for helping me. Following is my log.

ComboFix 10-04-03.01 - Bob 04/03/2010 20:21:45.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1487 [GMT -5:00]
Running from: c:\documents and settings\Bob\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\{39B3C8B3-3654-4D6A-8792-0182E635470B}
c:\documents and settings\Administrator\Local Settings\Application Data\{39B3C8B3-3654-4D6A-8792-0182E635470B}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{39B3C8B3-3654-4D6A-8792-0182E635470B}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{39B3C8B3-3654-4D6A-8792-0182E635470B}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{39B3C8B3-3654-4D6A-8792-0182E635470B}\install.rdf
c:\documents and settings\Bob\Local Settings\Application Data\{10281F25-0FAB-407E-AF54-F6D81D0D2F54}
c:\documents and settings\Bob\Local Settings\Application Data\{10281F25-0FAB-407E-AF54-F6D81D0D2F54}\chrome.manifest
c:\documents and settings\Bob\Local Settings\Application Data\{10281F25-0FAB-407E-AF54-F6D81D0D2F54}\chrome\content\_cfg.js
c:\documents and settings\Bob\Local Settings\Application Data\{10281F25-0FAB-407E-AF54-F6D81D0D2F54}\chrome\content\overlay.xul
c:\documents and settings\Bob\Local Settings\Application Data\{10281F25-0FAB-407E-AF54-F6D81D0D2F54}\install.rdf
c:\windows\AppPatch\AcAdProc.dll

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it
.
((((((((((((((((((((((((( Files Created from 2010-03-04 to 2010-04-04 )))))))))))))))))))))))))))))))
.

2010-04-02 22:22 . 2010-02-24 15:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-04-02 21:25 . 2010-04-02 21:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-02 21:24 . 2010-04-02 21:24 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-02 14:50 . 2010-04-02 14:50 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-02 14:45 . 2010-04-02 14:45 -------- d-----w- c:\windows\ie8updates
2010-04-02 14:41 . 2010-02-25 06:24 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-04-02 14:41 . 2010-02-25 06:24 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-02 00:37 . 2010-04-02 00:36 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-01 05:18 . 2010-04-01 05:18 -------- d-sh--w- c:\documents and settings\Bob\IECompatCache
2010-04-01 05:08 . 2010-04-01 05:08 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-01 05:08 . 2010-04-01 05:08 -------- d-sh--w- c:\documents and settings\Bob\PrivacIE
2010-04-01 05:06 . 2010-04-01 05:06 -------- d-sh--w- c:\documents and settings\Bob\IETldCache
2010-04-01 04:55 . 2010-04-01 04:57 -------- dc-h--w- c:\windows\ie8
2010-03-29 16:44 . 2010-03-29 16:44 -------- d-----w- c:\documents and settings\Bob\Application Data\Malwarebytes
2010-03-29 16:44 . 2010-03-30 05:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 16:44 . 2010-04-01 01:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-29 16:44 . 2010-03-30 05:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 16:44 . 2010-03-29 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-29 16:40 . 2010-03-29 16:39 335 ----a-w- C:\FixExe.reg
2010-03-29 16:40 . 2010-03-29 16:39 5061512 ----a-w- C:\mbam-setup.exe
2010-03-27 04:01 . 2010-03-27 04:01 -------- d-----w- C:\olb
2010-03-27 03:24 . 2010-03-27 03:24 -------- d-----w- C:\Users
2010-03-27 02:58 . 2010-03-27 05:30 -------- d-----w- c:\documents and settings\Bob\Application Data\Online Backup
2010-03-27 02:57 . 2010-03-27 02:57 -------- d-----w- c:\program files\QuickBooks Online Backup
2010-03-26 21:33 . 2010-03-26 21:33 -------- d-----w- C:\$AVG
2010-03-26 21:32 . 2010-03-26 21:32 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-26 21:32 . 2010-03-26 21:32 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-26 21:32 . 2010-03-26 21:32 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-26 21:32 . 2010-03-26 21:32 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-26 21:32 . 2010-04-04 00:59 -------- d-----w- c:\windows\system32\drivers\Avg
2010-03-26 21:29 . 2010-03-26 21:29 -------- d-----w- c:\program files\AVG
2010-03-26 21:29 . 2010-03-27 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-03-26 20:50 . 2010-03-26 21:03 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\Deployment
2010-03-26 16:53 . 2010-03-26 16:53 -------- d-----w- c:\documents and settings\Dave\Application Data\SUPERAntiSpyware.com
2010-03-26 13:33 . 2009-10-10 03:31 315408 ----a-w- c:\windows\system32\drivers\3710946.sys
2010-03-26 13:33 . 2009-09-25 21:59 128016 ----a-w- c:\windows\system32\drivers\37109461.sys
2010-03-25 21:24 . 2010-03-25 21:24 -------- d-----w- c:\documents and settings\Bob\Application Data\SUPERAntiSpyware.com
2010-03-25 21:24 . 2010-03-25 21:24 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-25 21:16 . 2010-03-25 21:16 -------- d-----w- c:\documents and settings\Dave\Local Settings\Application Data\{5A432A41-6D43-4AA6-92E0-48D82083FECC}
2010-03-23 17:38 . 2010-03-23 17:38 -------- d-----w- c:\documents and settings\Bob\Application Data\U3
2010-03-23 17:37 . 2010-03-23 17:37 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\MediaDirect
2010-03-18 01:47 . 2008-05-24 12:06 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-03-18 01:47 . 2010-03-26 21:33 -------- d-----w- c:\documents and settings\Administrator
2010-03-18 01:47 . 2010-03-23 17:37 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2010-03-18 01:47 . 2008-05-24 12:06 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\SingleClick Systems
2010-03-17 22:43 . 2010-04-01 23:02 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-17 18:38 . 2010-03-23 17:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-17 17:48 . 2001-08-17 18:53 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2010-03-17 17:48 . 2001-08-17 18:53 6784 ----a-w- c:\windows\system32\dllcache\serscan.sys
2010-03-17 17:47 . 2005-02-10 22:52 34816 ------w- c:\windows\system32\BrWiaNCp.dll
2010-03-17 17:47 . 2005-09-16 23:21 54784 ------w- c:\windows\system32\BrNetSti.dll
2010-03-17 17:47 . 2005-06-15 18:12 31744 ------w- c:\windows\system32\Brnsplg.dll
2010-03-10 16:30 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-04 01:32 . 2008-05-31 04:22 256 ----a-w- c:\windows\system32\pool.bin
2010-04-04 01:30 . 2008-05-24 12:11 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-04 00:55 . 2008-05-30 19:58 -------- d-----w- c:\program files\LogMeIn
2010-04-02 21:25 . 2010-04-02 21:25 52224 ----a-w- c:\documents and settings\Bob\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-02 21:25 . 2010-04-02 21:25 117760 ----a-w- c:\documents and settings\Bob\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-02 00:36 . 2008-05-24 11:59 -------- d-----w- c:\program files\Java
2010-04-02 00:33 . 2010-04-02 00:33 152576 ----a-w- c:\documents and settings\Bob\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-04-02 00:32 . 2010-04-02 00:32 79488 ----a-w- c:\documents and settings\Bob\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-04-01 14:54 . 2010-04-01 14:54 1685784 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-01 14:54 . 2010-04-01 14:54 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-04-01 06:21 . 2004-08-04 03:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-01 01:06 . 2010-03-29 16:44 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-27 03:56 . 2008-05-29 21:15 3464 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\qbbackup.sys
2010-03-26 21:20 . 2008-05-29 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-03-26 21:06 . 2010-03-26 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\LogMeIn
2010-03-26 19:02 . 2010-03-22 19:08 0 ----a-w- c:\windows\Agapusur.bin
2010-03-23 23:25 . 2008-10-01 20:42 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-03-23 21:49 . 2010-03-22 19:08 120 ----a-w- c:\windows\Odesunepozan.dat
2010-03-23 18:11 . 2008-05-29 19:29 414 ----a-w- c:\windows\system32\RDC210SF.DAT
2010-03-23 17:37 . 2010-03-23 17:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield
2010-03-23 01:18 . 2010-03-18 01:47 60888 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-17 20:04 . 2008-05-29 19:22 50 ----a-w- c:\windows\system32\bd9420cn.dat
2010-03-17 20:02 . 2008-05-29 19:19 57 ----a-w- c:\documents and settings\All Users\Application Data\SP\SpLog\BrCollectDir\BR_cat.bat
2010-03-16 12:51 . 2008-12-14 20:26 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-01 10:06 . 2009-11-14 22:05 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-02-25 06:24 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-04 22:06 . 2009-11-14 22:06 389784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-02-04 16:08 . 2009-11-14 22:05 823928 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-02-04 16:08 . 2009-11-14 22:05 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-01-28 20:52 . 2010-01-28 20:52 1956072 ----a-w- c:\documents and settings\Bob\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-01-27 10:07 . 2009-11-14 22:06 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-01-27 10:07 . 2009-11-14 23:11 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-27 10:07 . 2009-11-14 22:06 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-01-27 10:07 . 2009-11-14 22:06 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-01-27 10:07 . 2009-11-14 22:06 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-01-27 10:07 . 2009-11-14 22:06 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-01-27 10:07 . 2009-11-14 22:06 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2010-01-27 10:07 . 2009-11-14 22:06 8 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2010-01-27 10:07 . 2009-11-14 22:06 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-27 10:06 . 2009-11-14 22:06 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-01-27 10:06 . 2009-11-14 22:06 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-01-27 10:06 . 2009-11-14 22:05 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-01-27 10:06 . 2009-11-14 22:05 816784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-01-27 10:06 . 2009-11-14 22:05 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-27 10:06 . 2009-11-14 22:05 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2008-06-04 16:18 . 2008-06-04 16:18 0 ----a-w- c:\program files\error.dat
2001-12-03 22:09 . 2008-10-20 21:17 90112 ----a-w- c:\program files\internet explorer\plugins\DjVuControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"OnlineBackupScheduler"="c:\program files\QuickBooks Online Backup\OnlineBackup.exe" [2007-11-02 610304]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-01 2010864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-06 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-06 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-06 138008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-04-02 149280]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"SigmatelSysTrayApp"="stsystra.exe" [2007-06-06 405504]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-04 30192]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"SetDefPrt"="c:\program files\SP\Brmfl05b\BrStDvPt.exe" [2005-01-26 49152]
"ControlCenter2.0"="c:\program files\SP\ControlCenter2\brctrcen.exe" [2006-09-07 933888]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-20 623960]
"MP10_EnsureFileVer"="c:\windows\inf\unregmp2.exe" [2008-04-14 208896]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2008-5-24 7168]
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-11-19 1807704]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-5-24 50688]
Online Backup Scheduler.lnk - c:\windows\Installer\{A9255718-8A40-45F9-B738-93655FBD4F6F}\_C90BDFE323B95CEE248723.exe [2010-3-26 1078]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-9-16 972064]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-26 21:32 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-05-20 19:09 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-29 00:34 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/14/2009 5:06 PM 64288]
R1 37109461;37109461;c:\windows\system32\drivers\37109461.sys [3/26/2010 8:33 AM 128016]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/26/2010 4:32 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/26/2010 4:32 PM 242696]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/26/2010 4:31 PM 308064]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1181328]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Bob\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Bob\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Bob\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys --> c:\docume~1\Bob\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys [?]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [5/24/2008 7:05 AM 30192]
S3 SASENUM;SASENUM;\??\c:\docume~1\Bob\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS --> c:\docume~1\Bob\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS [?]
.
Contents of the 'Scheduled Tasks' folder

2010-04-04 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:08]

2010-04-04 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:08]

2010-04-04 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:08]

2010-04-04 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:08]

2010-04-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080524
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080524
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: isqft.com
Trusted Zone: isqft.com\www
Trusted Zone: isqft.com\www
DPF: {4125262D-2E47-11D3-9387-00C04F5B12B1} - hxxps://www.backup.com/user/webrestore.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
HKCU-Run-Adware Professional - c:\program files\Adware Professional\Adware Professional.exe
SafeBoot-mcmscsvc
SafeBoot-MCODS
MSConfigStartUp-Cxavolonizokizic - c:\windows\opuvireb.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-03 20:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(876)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\system32\LMIinit.dll
c:\windows\System32\BCMLogon.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(2652)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\brsvc01a.exe
c:\windows\system32\brss01a.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\stsystra.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Dell Network Assistant\ezi_hnm2.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-04-03 20:36:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-04 01:36

Pre-Run: 288,981,454,848 bytes free
Post-Run: 289,395,118,080 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 4BC8C4217D744EE3F07C98759A09FC29
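The log above is the record the helper works from. As an added example that is not part of this thread, the Python below parses ComboFix "Files Created" and "Find3M" entries (sample lines copied from the log) and flags the patterns visible in it: a driver with a purely numeric name (like the 3710946.sys requested next), a core boot driver whose modification time postdates the infection date while its creation date is years older (the atapi.sys case), and a new data file dropped directly in the Windows root. The infection date comes from the thread; the watchlist names other than atapi.sys are assumptions.

```python
"""Triage ComboFix file entries for driver tampering and dropped files."""
import re
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample: entries copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
2010-04-02 22:22 . 2010-02-24 15:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-03-29 16:44 . 2010-03-30 05:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-26 13:33 . 2009-10-10 03:31 315408 ----a-w- c:\windows\system32\drivers\3710946.sys
2010-03-26 13:33 . 2009-09-25 21:59 128016 ----a-w- c:\windows\system32\drivers\37109461.sys
2010-04-01 06:21 . 2004-08-04 03:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-26 19:02 . 2010-03-22 19:08 0 ----a-w- c:\windows\Agapusur.bin
2010-03-26 21:32 . 2010-04-04 00:59 -------- d-----w- c:\windows\system32\drivers\Avg
2010-03-17 17:48 . 2001-08-17 18:53 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
"""

# ComboFix entry layout: <modified> . <created> <size or --------> <attributes> <path>
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-{8}) ([-a-z]{8}) (.+)$"
)
TS_FMT = "%Y-%m-%d %H:%M"

# The date Lynette S gives later in the thread for when the infection started.
INFECTION_DATE = datetime(2010, 3, 18)

# atapi.sys is the driver AVG reported as patched in this thread; the other two
# names are assumptions, added here only to show the watchlist can be extended.
CORE_DRIVERS = {"atapi.sys", "ndis.sys", "ntfs.sys"}


def parse_entry(line):
    """Return a dict for one ComboFix file entry, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    modified, created, size, attrs, path = m.groups()
    return {
        "modified": datetime.strptime(modified, TS_FMT),
        "created": datetime.strptime(created, TS_FMT),
        "size": None if size.startswith("-") else int(size),
        "is_dir": attrs[0] == "d",          # first attribute flag is 'd' for directories
        "path": PureWindowsPath(path),
    }


def triage_entry(entry, infection_date):
    """Return the reasons this entry deserves a closer look (empty list if none)."""
    if entry["is_dir"]:
        return []
    path = entry["path"]
    name = path.name.lower()
    reasons = []
    # 1. Driver whose file name is nothing but digits: no vendor or function name.
    if path.parent.name.lower() == "drivers" and re.fullmatch(r"\d+\.sys", name):
        reasons.append("numeric-named driver in system32\\drivers")
    # 2. Old core boot driver rewritten after the infection date (patched in place).
    if name in CORE_DRIVERS and entry["modified"] >= infection_date > entry["created"]:
        reasons.append("core boot driver modified after infection date")
    # 3. Brand-new file sitting directly in the Windows root (c:\windows\<file>).
    if (len(path.parts) == 3 and path.parts[1].lower() == "windows"
            and entry["created"] >= infection_date):
        reasons.append("new file dropped directly in the Windows root")
    return reasons


def triage_log(log_text, infection_date):
    """Map flagged path (as a string) -> list of reasons, over every parsable entry."""
    findings = {}
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = triage_entry(entry, infection_date)
        if reasons:
            findings[str(entry["path"])] = reasons
    return findings


if __name__ == "__main__":
    for flagged_path, why in triage_log(SAMPLE_LOG, INFECTION_DATE).items():
        print(flagged_path)
        for reason in why:
            print("   -", reason)
```

The flags are triage hints for a helper reading the log, not verdicts; legitimate drivers installed in the same window (mbamswissarmy.sys above) stay unflagged because they match none of the three patterns.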


#4 thewall


Posted 04 April 2010 - 09:21 AM

You're welcome. I need for you to upload the following file so I can check it:

  • Submit file sample
  • Open to the Submission Channel.
  • Under Link to topic where this file was requested, input:
    http://www.bleepingcomputer.com/forums/t/306781/xp-security-2010-keeps-coming-back/?p=1699461
  • Click Browse and select the c:\windows\system32\drivers\3710946.sys
  • Under the comments section, say that thewall asked for the submission.
  • Then select Send File to send it
  • After that you should get a confirmation if it was uploaded successfully.
Let me know when you have uploaded the log.

#5 Lynette S


Posted 04 April 2010 - 12:41 PM

Hi thewall. I submitted the file you requested.

#6 thewall


Posted 04 April 2010 - 01:04 PM

Thanks, I received it. Can you tell me the date you realized your computer was infected?

#7 Lynette S


Posted 04 April 2010 - 01:07 PM

I think it was March 18.

#8 thewall


Posted 04 April 2010 - 02:59 PM

Next thing is for you to open your MalwareBytes then perform an update. After that do a Quick Scan. If it finds anything post the log it produces.

#9 Lynette S


Posted 04 April 2010 - 04:10 PM

I ran it. No malicious items were detected.

#10 thewall


Posted 04 April 2010 - 04:48 PM

That's good news. Let's update your Adobe Reader and, although your version of Java is only a couple of versions old, you have another older version still showing that needs to be removed, so let's go ahead and update it too. Then we'll run one more scan and see how things look.



Please uninstall older version of Adobe Reader before installing the latest version

* Click Start
* Control Panel
* Double clicking on Add/Remove Programs
* Locate older version of Adobe Reader and click on Change/Remove to uninstall it
* Click HERE to download the latest version of Adobe Acrobat Reader.
* Select your Windows version and click onDownload. If you are using Internet Explorer, you will receive prompts. Allow the installation to be ran and it will be installed automatically for you. If you are using other browsers, it will prompt you to save a file. Save this file to your desktop and run it to install the latest version of Adobe Reader.
* Close your Internet browser and open it again.






Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 19 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u19-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Please do a scan with Kaspersky Online Scanner. (Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left, select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.



#11 Lynette S

Posted 05 April 2010 - 09:23 AM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, April 5, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, April 05, 2010 01:34:17
Records in database: 3914096
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 103963
Threats found: 2
Infected objects found: 4
Suspicious objects found: 0
Scan duration: 01:58:10


File name / Threat / Threats count
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\61\6a323fbd-4ef6afe5 Infected: Trojan-Downloader.Java.Agent.ax 3
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.Tdss.ai 1

Selected area has been scanned.


#12 thewall

Posted 05 April 2010 - 09:54 AM

The one entry is Qoobox, which is the quarantine area for ComboFix. That will be gone when we uninstall the program.

Go to the following link for instructions on how to clean out your Java cache.

http://support.f-secure.com/enu/home/virus...javacache.shtml



When that is completed if everything is still running OK we should be able to wrap up.

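Added example (not part of the thread, and not Kaspersky's or ComboFix's own code): a small Python script that parses a report in the format posted above and sorts each hit by where the flagged file sits, so that a copy already sitting in a cleanup tool's quarantine (C:\Qoobox is ComboFix's quarantine, as the reply notes) and a Java deployment-cache entry are separated from a detection on a live system file. It also cross-checks the per-file counts against the "Infected objects found" summary, which catches a report that was truncated when pasted. The embedded report is constructed from the log in the thread; the path markers used to classify a hit are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the shape of the Kaspersky Online Scanner 7.0 text report
# shown in the thread (header, statistics block, then one line per hit).
SAMPLE_REPORT = """\
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, April 5, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Records in database: 3914096
--------------------------------------------------------------------------------

Scan statistics:
Objects scanned: 103963
Threats found: 2
Infected objects found: 4
Suspicious objects found: 0
Scan duration: 01:58:10

File name / Threat / Threats count
C:\\Documents and Settings\\NetworkService\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\61\\6a323fbd-4ef6afe5 Infected: Trojan-Downloader.Java.Agent.ax 3
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\drivers\\atapi.sys.vir Infected: Rootkit.Win32.Tdss.ai 1

Selected area has been scanned.
"""

# One hit per line: "<path> Infected: <threat name> <count>"
HIT_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")
# Summary lines in the "Scan statistics" block.
STAT_RE = re.compile(
    r"^(?P<key>Objects scanned|Threats found|Infected objects found|Suspicious objects found):\s+(?P<val>\d+)\s*$"
)

# Assumed path markers (not from the report format itself):
# ComboFix keeps its quarantine under C:\Qoobox\Quarantine and renames files to *.vir;
# Java's applet cache lives under <profile>\Application Data\Sun\Java\Deployment\cache.
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\", "\\quarantine\\")
JAVA_CACHE_MARKER = "\\sun\\java\\deployment\\cache\\"


@dataclass
class Hit:
    path: str
    threat: str
    count: int
    location: str  # "quarantine", "java-cache" or "live"


def classify(path: str) -> str:
    """Decide whether a flagged path is already neutralised, a cache artefact, or live."""
    p = path.lower()
    if any(marker in p for marker in QUARANTINE_MARKERS) or p.endswith(".vir"):
        return "quarantine"
    if JAVA_CACHE_MARKER in p:
        return "java-cache"
    return "live"


def parse_report(text: str) -> Tuple[Dict[str, int], List[Hit]]:
    """Return the numeric summary block and the list of per-file detections."""
    stats: Dict[str, int] = {}
    hits: List[Hit] = []
    for line in text.splitlines():
        m = STAT_RE.match(line)
        if m:
            stats[m.group("key")] = int(m.group("val"))
            continue
        m = HIT_RE.match(line)
        if m:
            path = m.group("path")
            hits.append(Hit(path, m.group("threat"), int(m.group("count")), classify(path)))
    return stats, hits


def triage(text: str) -> Dict[str, object]:
    """Group hits by location and check the per-file counts against the summary."""
    stats, hits = parse_report(text)
    by_location: Dict[str, List[Hit]] = {"quarantine": [], "java-cache": [], "live": []}
    for h in hits:
        by_location[h.location].append(h)
    claimed = stats.get("Infected objects found")
    consistent = claimed is not None and sum(h.count for h in hits) == claimed
    return {
        "hits": hits,
        "by_location": by_location,
        "consistent": consistent,
        "needs_action": [h for h in hits if h.location == "live"],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for h in result["hits"]:
        print(f"[{h.location:10}] {h.threat} x{h.count}  {h.path}")
    print("counts consistent with summary:", result["consistent"])
    print("live detections needing action:", len(result["needs_action"]))
```

Run against the report above, the script reports two hits, neither on a live file: one in the Java cache (cleared by emptying the cache, as the reply instructs) and one in ComboFix's quarantine (removed with the tool), with the per-file counts (3 + 1) matching the summary's four infected objects.
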
#13 Lynette S

Posted 05 April 2010 - 10:26 AM

I don't have a NetworkService folder in C:\Documents and Settings. And if I look in C:\Documents and Settings\Bob\Application Data\Sun\Java\Deployment\cache\6.0\61 I don't see the infected file listed. Is that normal?


#14 thewall

Posted 05 April 2010 - 10:32 AM

Did you run Kaspersky before or after you updated your Java?

#15 Lynette S

Posted 05 April 2010 - 11:15 AM

After.