gmer.exe won't run Possible spyware


This topic is locked
18 replies to this topic

#1 roseville99 (Members, 20 posts)

Posted 03 April 2010 - 02:57 PM

I cannot run gmer.exe or superantispyware.exe.
WinXP SP3 running AVG Network and Spybot.
Had popups that said Antispyware needed:
"Exception EfOpenError in module aviWUSB54GC.dll at 0000DB5F." When I logged on today there were 75 of them.


DDS (Ver_10-03-17.01) - NTFSx86
Run by ddk at 12:27:32.43 on Sat 04/03/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.1411 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Barracuda\Web Security Agent\UpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\MSN\Toolbar\4.0.0390.0\mstbsvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\PROGRA~1\SAAZOD\SAAZDPMACTL.exe
C:\PROGRA~1\SAAZOD\SAAZRemoteSupport.exe
C:\PROGRA~1\SAAZOD\SAAZScheduler.exe
C:\PROGRA~1\SAAZOD\SAAZServerPlus.exe
C:\PROGRA~1\SAAZOD\SAAZWatchDog.exe
C:\PROGRA~1\SAAZOD\RMHLPDSK.exe
C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe
C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\vsnapvss.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Barracuda\Web Security Agent\WSAMonitor.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Barracuda\Web Security Agent\BarracudaWSA.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroDist.exe
C:\downloads\Malware\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0080115
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=192.168.10.23:8080;https=192.168.10.23:8080;ftp=192.168.10.23:8080;gopher=192.168.10.23:8080;socks=192.168.10.23:8080
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [WSA Monitor] c:\program files\barracuda\web security agent\WSAMonitor.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [braviax] braviax.exe
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-ba7e-000000000003}\_SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
LSP: c:\windows\system32\BarracudaWSA.dll
Trusted Zone: ddk.net
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} - hxxp://sbs1/connectcomputer/nshelp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://games.pogo.com/online2/pogo/chuzzle/popcaploader_v6.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~4\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: cru629.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-4-21 52872]
R0 stcvsm;stcvsm;c:\windows\system32\drivers\stcvsm.sys [2010-4-2 181920]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-21 216200]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-8-21 29512]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-21 242696]
R1 sbmount;StorageCraft Image Mount Driver;c:\windows\system32\drivers\sbmount.sys [2010-4-2 101280]
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-1-23 133968]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-4 308064]
R2 CatenaLogic Updater Service;Barracuda Updater Service;c:\program files\barracuda\web security agent\UpdaterService.exe [2009-10-5 1088760]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-8-3 12992]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-2-20 46112]
R2 mstbsvc;MSN Toolbar Setup;c:\program files\msn\toolbar\4.0.0390.0\mstbsvc.exe [2009-12-21 96768]
R2 SAAZDPMACTL;SAAZDPMACTL;c:\progra~1\saazod\SAAZDPMACTL.exe [2010-3-10 81920]
R2 SAAZRemoteSupport;SAAZRemoteSupport;c:\progra~1\saazod\SAAZRemoteSupport.exe [2010-3-10 73728]
R2 SAAZScheduler;SAAZScheduler;c:\progra~1\saazod\SAAZScheduler.exe [2010-2-18 77824]
R2 SAAZServerPlus;SAAZServerPlus;c:\progra~1\saazod\SAAZServerPlus.exe [2009-4-30 77824]
R2 SAAZWatchDog;SAAZWatchDog;c:\progra~1\saazod\SAAZWatchDog.exe [2010-3-10 81920]
R2 ShadowProtectSvc;ShadowProtect Service;c:\program files\storagecraft\shadowprotect\ShadowProtectSvc.exe [2010-4-2 1497632]
R2 VSNAPVSS;StorageCraft Shadow Copy Provider;c:\windows\system32\vsnapvss.exe [2010-4-2 67616]
R3 BarracudaWSA;BarracudaWSA;c:\program files\barracuda\web security agent\BarracudaWSA.exe [2010-3-25 2990240]
S2 avgagent;AVG9 Remote Support Service (AvgAgent);avgagent.exe /srvfsys --> avgagent.exe [?]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [2007-1-23 42832]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-04-03 18:26:07 6144 ----a-w- c:\windows\system32\cru629.dat
2010-04-03 18:26:07 6144 ----a-w- c:\windows\cru629.dat
2010-04-03 18:26:07 11264 ----a-w- c:\windows\braviax.exe
2010-04-03 18:25:29 4096 --sha-w- C:\VSM000.IDX
2010-04-03 00:28:02 101280 ----a-w- c:\windows\system32\drivers\sbmount.sys
2010-04-03 00:27:59 181920 ----a-w- c:\windows\system32\drivers\stcvsm.sys
2010-04-03 00:27:51 67616 ----a-w- c:\windows\system32\vsnapvss.exe
2010-04-03 00:27:47 26144 ----a-w- c:\windows\system32\stcsnap.dll
2010-04-03 00:21:28 0 d-----w- c:\program files\StorageCraft
2010-04-02 23:14:31 0 d-----w- C:\Files1
2010-04-02 23:07:56 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys
2010-04-02 23:07:55 0 d-----w- c:\program files\Belarc
2010-03-25 19:07:12 261288 ----a-w- c:\windows\system32\BarracudaWSADLL.dll
2010-03-22 23:18:40 280 ----a-w- c:\windows\system32\BarracudaWSAOff.ini
2010-03-22 21:49:29 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-15 09:05:06 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2010-03-15 09:04:02 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2010-03-10 07:00:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-03-10 07:00:47 0 d-----w- c:\program files\SAAZSBE
2010-03-10 07:00:14 0 d-----w- c:\windows\SetupLogs
2010-03-04 21:59:00 12464 ----a-w- c:\windows\system32\avgrsstx.dll

==================== Find3M ====================

2010-03-25 19:07:08 303264 ----a-w- c:\windows\system32\BarracudaWSA.dll
2010-03-04 21:59:02 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-04 21:58:54 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-04 21:58:52 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-01-05 23:30:28 3599360 ------w- c:\windows\system32\dllcache\mshtml.dll

============= FINISH: 12:28:29.91 ===============
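The "Pseudo HJT Report" section of the DDS log above is where this infection is visible: a non-empty AppInit_DLLs value (cru629.dat), a Run entry that is only a bare file name (braviax.exe), an orphaned toolbar CLSID, a proxy configured for every protocol, and a service whose binary DDS could not locate. The script below is an added example, not code from the thread, from DDS or from BleepingComputer: it runs a handful of such heuristics over lines copied from that log. The rule names, the severity labels and the path-detection regex are this example's own assumptions; DDS itself assigns none of them.

```python
"""Heuristic triage of the "Pseudo HJT Report" section of a DDS log.

Added example: this is not code from the thread, from DDS, or from
BleepingComputer. The sample lines are copied from the log posted above;
the rule names, severities and the path-detection regex are this
example's own assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info" (labels chosen here, not a DDS convention)
    rule: str
    line: str


# Autorun lines in a DDS report look like "mRun: [Name] command"
# (u = HKCU, m = HKLM, d = HKEY_USERS\.DEFAULT, optional "Once").
RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# A command counts as "fully pathed" if, after an optional quote, it starts
# with a drive letter, an environment variable, or a UNC prefix.
FULL_PATH_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%[^%]+%\\|\\\\)')

# Lines copied from the DDS log in post #1 (a subset, order preserved).
SAMPLE_DDS_LINES = r"""
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=192.168.10.23:8080;https=192.168.10.23:8080;ftp=192.168.10.23:8080;gopher=192.168.10.23:8080;socks=192.168.10.23:8080
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [<NO NAME>]
mRun: [braviax] braviax.exe
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: cru629.dat
LSP: c:\windows\system32\BarracudaWSA.dll
S2 avgagent;AVG9 Remote Support Service (AvgAgent);avgagent.exe /srvfsys --> avgagent.exe [?]
""".strip().splitlines()


def triage_line(line: str) -> list[Finding]:
    """Run every heuristic against one report line; return zero or more findings."""
    findings: list[Finding] = []
    text = line.strip()

    # AppInit_DLLs: any DLL listed here is loaded by every process that loads
    # user32.dll, so it is both a persistence and an injection mechanism.
    if text.startswith("AppInit_DLLs:") and text.split(":", 1)[1].strip():
        findings.append(Finding("high", "appinit_dlls_set", text))

    m = RUN_RE.match(text)
    if m:
        name, cmd = m.group("name"), m.group("cmd").strip()
        if name == "<NO NAME>" or not cmd:
            findings.append(Finding("info", "run_entry_empty", text))
        elif not FULL_PATH_RE.match(cmd):
            # A bare file name is resolved through the search path at logon;
            # legitimate installers almost always write an absolute path.
            findings.append(Finding("medium", "run_entry_bare_filename", text))

    # A proxy can be legitimate (this host also runs a web-security agent) or
    # a malware redirect; either way the owner of the address must confirm it.
    if "ProxyServer =" in text:
        findings.append(Finding("medium", "proxy_configured", text))

    # DDS prints "- No File" for a registered component whose file is gone.
    if text.endswith(" - No File"):
        findings.append(Finding("info", "orphaned_entry", text))

    # DDS prints "[?]" when it cannot locate a service's binary.
    if text.endswith("[?]"):
        findings.append(Finding("info", "service_path_unknown", text))

    return findings


def triage(lines) -> list[Finding]:
    """Triage a whole report; findings keep the order of the input lines."""
    return [f for line in lines for f in triage_line(line)]


def summary(findings) -> dict[str, int]:
    """Count findings per severity, always reporting all three buckets."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_DDS_LINES)
    for f in results:
        print(f"[{f.severity:6}] {f.rule:24} {f.line}")
    print(summary(results))
```

Run as-is it prints one line per finding and a per-severity count. The output is a review list, not a verdict: on this host the proxy entry may well belong to the Barracuda Web Security Agent that also appears in the log, and whoever runs 192.168.10.23 has to confirm that before anyone touches it. The AppInit_DLLs hit is the first place to look when a tool such as gmer.exe will not even start, because whatever is named there is mapped into every user32-linked process, the tool included.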


#2 syler (Malware Response Team, 8,150 posts, Warrington, UK)

Posted 03 April 2010 - 03:11 PM

Hello roseville99,


Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



Once you have run Malwarebytes, try running Gmer again, then please post back with the MBAM log and the Gmer log, if you get it to run.

Thanks



#3 roseville99 (Topic Starter, Members, 20 posts)

Posted 03 April 2010 - 04:09 PM

Yes, Malwarebytes removed some things.
Why wouldn't the antispyware of AVG find this?
Why wouldn't gmer.exe and superantispyware.exe run?
Still waiting for gmer.exe.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3950

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

4/3/2010 1:26:34 PM
mbam-log-2010-04-03 (13-26-34).txt

Scan type: Quick scan
Objects scanned: 271702
Time elapsed: 4 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
C:\WINDOWS\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.



#4 roseville99 (Topic Starter, Members, 20 posts)

Posted 03 April 2010 - 06:39 PM

gmer.exe has been running for 2+ hours. Is this normal?
gmer.exe seems to be using 100% of resources. Is this normal?
Should we disable antivirus and antispyware before starting?

Edited by roseville99, 03 April 2010 - 06:44 PM.


#5 roseville99 (Topic Starter, Members, 20 posts)

Posted 03 April 2010 - 06:48 PM

This is a test for email response.

#6 syler (Malware Response Team, 8,150 posts, Warrington, UK)

Posted 04 April 2010 - 06:35 AM

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#7 roseville99 (Topic Starter, Members, 20 posts)

Posted 05 April 2010 - 01:22 PM

Can we run ComboFix using LogMeIn or RDP?
Can we run ComboFix in safe mode with networking?
What do we do if ComboFix won't run? I just double-click on the .exe and nothing happens. I am rebooting into safe mode with networking.
Nothing happens when I double-click combofix.exe, hijackthis.exe or gmer.exe.
Only Malwarebytes works.

Edited by roseville99, 05 April 2010 - 01:36 PM.


#8 roseville99 (Topic Starter, Members, 20 posts)

Posted 05 April 2010 - 02:02 PM

Ran Malwarebytes again in safe mode with networking and then rebooted, and now I am successfully running ComboFix.
However, I just noticed it deleted the files ..all users\application data\microsoft\network\downloader\qmgr0.dat and qmgr1.dat.
Are those bad files?

#9 roseville99 (Topic Starter, Members, 20 posts)

Posted 05 April 2010 - 02:56 PM

Here is ComboFix.txt:
ComboFix 10-04-04.01 - ddk 04/05/2010 12:31:25.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.1380 [GMT -7:00]
Running from: c:\downloads\Malware\Combofix\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://rlcexch1.domainr.local
.
((((((((((((((((((((((((( Files Created from 2010-03-05 to 2010-04-05 )))))))))))))))))))))))))))))))
.

2010-04-05 18:49 . 2010-04-05 18:49 -------- d-----w- c:\documents and settings\user1.domainr\Application Data\Malwarebytes
2010-04-05 18:36 . 2010-03-29 22:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-05 18:36 . 2010-03-29 22:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-05 15:56 . 2010-04-05 15:56 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-03 20:20 . 2010-04-03 20:20 -------- d-----w- c:\documents and settings\ddk.domainr\Application Data\Malwarebytes
2010-04-03 20:19 . 2010-04-05 18:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-03 20:19 . 2010-04-03 20:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-03 00:28 . 2010-03-17 22:52 101280 ----a-w- c:\windows\system32\drivers\sbmount.sys
2010-04-03 00:27 . 2010-03-17 22:53 181920 ----a-w- c:\windows\system32\drivers\stcvsm.sys
2010-04-03 00:27 . 2010-03-17 22:53 67616 ----a-w- c:\windows\system32\vsnapvss.exe
2010-04-03 00:27 . 2010-03-17 22:53 26144 ----a-w- c:\windows\system32\stcsnap.dll
2010-04-03 00:21 . 2010-04-03 00:21 -------- d-----w- c:\program files\StorageCraft
2010-04-02 23:14 . 2010-04-03 20:27 -------- d-----w- C:\Files1
2010-04-02 23:07 . 2008-02-27 20:49 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys
2010-04-02 23:07 . 2010-04-02 23:07 -------- d-----w- c:\program files\Belarc
2010-03-25 19:07 . 2010-03-25 19:07 261288 ----a-w- c:\windows\system32\BarracudaWSADLL.dll
2010-03-22 21:49 . 2010-03-22 21:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-15 09:05 . 2009-12-16 18:43 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2010-03-15 09:04 . 2009-12-08 09:23 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2010-03-10 07:00 . 2010-03-10 07:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-10 07:00 . 2010-03-10 07:56 -------- d-----w- c:\program files\SAAZSBE
2010-03-10 07:00 . 2010-03-17 19:01 -------- d-----w- c:\windows\SetupLogs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-05 19:42 . 2010-02-18 23:39 -------- d-----w- c:\program files\SAAZOD
2010-04-05 19:37 . 2009-04-22 23:02 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-05 16:01 . 2010-04-05 16:01 4255072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-04-05 15:58 . 2009-11-04 05:19 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-05 07:00 . 2010-02-20 17:04 -------- d-----w- c:\program files\LogMeIn
2010-04-03 03:08 . 2010-04-03 03:08 503808 ----a-w- c:\documents and settings\ddk.domainr\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3fa868a0-n\msvcp71.dll
2010-04-03 03:08 . 2010-04-03 03:08 499712 ----a-w- c:\documents and settings\ddk.domainr\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3fa868a0-n\jmc.dll
2010-04-03 03:08 . 2010-04-03 03:08 348160 ----a-w- c:\documents and settings\ddk.domainr\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3fa868a0-n\msvcr71.dll
2010-04-03 03:07 . 2010-04-03 03:07 61440 ----a-w- c:\documents and settings\ddk.domainr\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2b505ef5-n\decora-sse.dll
2010-04-03 03:07 . 2010-04-03 03:07 12800 ----a-w- c:\documents and settings\ddk.domainr\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2b505ef5-n\decora-d3d.dll
2010-04-03 03:07 . 2008-03-27 15:00 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-03 00:27 . 2008-01-16 04:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-26 21:10 . 2008-01-31 23:24 2936 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\qbbackup.sys
2010-03-25 19:07 . 2010-02-18 22:22 303264 ----a-w- c:\windows\system32\BarracudaWSA.dll
2010-03-23 16:00 . 2010-03-23 16:00 503808 ----a-w- c:\documents and settings\user2\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6045efa6-n\msvcp71.dll
2010-03-23 16:00 . 2010-03-23 16:00 499712 ----a-w- c:\documents and settings\user2\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6045efa6-n\jmc.dll
2010-03-23 16:00 . 2010-03-23 16:00 348160 ----a-w- c:\documents and settings\user2\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6045efa6-n\msvcr71.dll
2010-03-23 16:00 . 2010-03-23 16:00 61440 ----a-w- c:\documents and settings\user2\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5d323125-n\decora-sse.dll
2010-03-23 16:00 . 2010-03-23 16:00 12800 ----a-w- c:\documents and settings\user2\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5d323125-n\decora-d3d.dll
2010-03-22 21:50 . 2008-01-16 04:36 -------- d-----w- c:\program files\Common Files\Java
2010-03-22 21:49 . 2010-03-22 21:49 503808 ----a-w- c:\documents and settings\user1.domainr\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6f44b20f-n\msvcp71.dll
2010-03-22 21:49 . 2010-03-22 21:49 499712 ----a-w- c:\documents and settings\user1.domainr\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6f44b20f-n\jmc.dll
2010-03-22 21:49 . 2010-03-22 21:49 348160 ----a-w- c:\documents and settings\user1.domainr\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6f44b20f-n\msvcr71.dll
2010-03-22 21:49 . 2010-03-22 21:49 61440 ----a-w- c:\documents and settings\user1.domainr\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-16d36cd1-n\decora-sse.dll
2010-03-22 21:49 . 2010-03-22 21:49 12800 ----a-w- c:\documents and settings\user1.domainr\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-16d36cd1-n\decora-d3d.dll
2010-03-22 21:49 . 2008-01-16 04:36 -------- d-----w- c:\program files\Java
2010-03-04 21:59 . 2009-04-22 02:35 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-04 21:59 . 2010-03-04 21:59 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-04 21:59 . 2008-08-21 12:47 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-04 21:58 . 2009-04-22 02:35 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-04 21:58 . 2009-04-22 02:35 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-02-24 22:01 . 2008-08-20 21:50 73992 ----a-w- c:\documents and settings\user1.domainr\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-24 19:33 . 2008-01-16 04:41 73992 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-24 18:50 . 2008-08-19 12:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-20 17:02 . 2010-02-20 17:02 -------- d-----w- c:\documents and settings\rlcbackoffice.domainr\Application Data\CyberLink
2010-02-20 17:02 . 2010-02-20 17:02 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2010-02-19 04:33 . 2008-12-12 13:27 -------- d-----w- c:\program files\SetupLogs
2010-02-19 04:30 . 2009-01-06 16:16 -------- d-----w- c:\program files\Common Files\VSoft
2010-02-19 04:30 . 2010-02-19 04:30 -------- d-----w- c:\program files\SAAZExmonScripts
2010-02-18 22:22 . 2010-02-18 22:22 -------- d-----w- c:\program files\Barracuda
2010-02-18 22:22 . 2010-02-18 22:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Barracuda
2010-02-11 07:34 . 2004-08-11 23:14 87763 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-08 16:22 . 2008-06-09 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-28 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-28 137752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 221184]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"WSA Monitor"="c:\program files\Barracuda\Web Security Agent\WSAMonitor.exe" [2010-03-25 152224]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000003}\_SC_Acrobat.exe [2008-8-26 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-04 21:59 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2699182120-2673215378-188881637-1104\Scripts\Logon\0\0]
"Script"=PDrive.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2699182120-2673215378-188881637-1112\Scripts\Logon\0\0]
"Script"=PDrive.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2699182120-2673215378-188881637-1113\Scripts\Logon\0\0]
"Script"=PowerConfig.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2699182120-2673215378-188881637-1113\Scripts\Logon\1\0]
"Script"=rdrive.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2699182120-2673215378-188881637-1113\Scripts\Logon\2\0]
"Script"=qdrive.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2699182120-2673215378-188881637-1113\Scripts\Logon\3\0]
"Script"=PDrive.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2699182120-2673215378-188881637-1125\Scripts\Logon\0\0]
"Script"=PowerConfig.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2699182120-2673215378-188881637-1126\Scripts\Logon\0\0]
"Script"=rdrive.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2699182120-2673215378-188881637-1126\Scripts\Logon\1\0]
"Script"=qdrive.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2699182120-2673215378-188881637-1126\Scripts\Logon\2\0]
"Script"=PDrive.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2699182120-2673215378-188881637-1168\Scripts\Logon\0\0]
"Script"=PowerConfig.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2699182120-2673215378-188881637-1168\Scripts\Logon\1\0]
"Script"=rdrive.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2699182120-2673215378-188881637-1168\Scripts\Logon\2\0]
"Script"=qdrive.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2699182120-2673215378-188881637-1168\Scripts\Logon\3\0]
"Script"=PDrive.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3497611220-832292888-3165894037-1162\Scripts\Logon\0\0]
"Script"=PDrive.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3497611220-832292888-3165894037-1162\Scripts\Logon\1\0]
"Script"=qblogon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3497611220-832292888-3165894037-1178\Scripts\Logon\0\0]
"Script"=PDrive.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3497611220-832292888-3165894037-1178\Scripts\Logon\1\0]
"Script"=qblogon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3497611220-832292888-3165894037-2339\Scripts\Logon\0\0]
"Script"=PDrive.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3497611220-832292888-3165894037-2339\Scripts\Logon\1\0]
"Script"=qblogon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3497611220-832292888-3165894037-2586\Scripts\Logon\0\0]
"Script"=PDrive.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3497611220-832292888-3165894037-2586\Scripts\Logon\1\0]
"Script"=qblogon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3497611220-832292888-3165894037-2613\Scripts\Logon\0\0]
"Script"=PDrive.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3497611220-832292888-3165894037-2613\Scripts\Logon\1\0]
"Script"=qblogon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3497611220-832292888-3165894037-2635\Scripts\Logon\0\0]
"Script"=PDrive.bat

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=c:\windows\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Firewall Client Management.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Firewall Client Management.lnk
backup=c:\windows\pss\Microsoft Firewall Client Management.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2006-10-23 06:24 620152 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 05:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 07:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-07-27 01:03 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 22:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2007-08-03 23:09 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 23:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 15:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-09-25 01:12 1036288 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
2008-04-14 13:42 143360 ----a-w- c:\windows\system32\mobsync.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [4/21/2009 7:35 PM 52872]
R0 stcvsm;stcvsm;c:\windows\system32\drivers\stcvsm.sys [4/2/2010 5:27 PM 181920]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/21/2009 7:35 PM 216200]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/21/2009 7:35 PM 242696]
R1 sbmount;StorageCraft Image Mount Driver;c:\windows\system32\drivers\sbmount.sys [4/2/2010 5:28 PM 101280]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [1/23/2007 2:58 AM 133968]
R2 avgagent;AVG9 Remote Support Service (AvgAgent);avgagent.exe /srvfsys --> avgagent.exe [?]
R2 CatenaLogic Updater Service;Barracuda Updater Service;c:\program files\Barracuda\Web Security Agent\UpdaterService.exe [10/5/2009 12:19 PM 1088760]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/3/2007 4:09 PM 12992]
R2 mstbsvc;MSN Toolbar Setup;c:\program files\MSN\Toolbar\4.0.0390.0\mstbsvc.exe [12/21/2009 3:07 PM 96768]
R2 SAAZDPMACTL;SAAZDPMACTL;c:\progra~1\SAAZOD\SAAZDPMACTL.exe [3/10/2010 12:00 AM 81920]
R2 SAAZRemoteSupport;SAAZRemoteSupport;c:\progra~1\SAAZOD\SAAZRemoteSupport.exe [3/10/2010 12:00 AM 73728]
R2 SAAZScheduler;SAAZScheduler;c:\progra~1\SAAZOD\SAAZScheduler.exe [2/18/2010 9:26 PM 77824]
R2 SAAZServerPlus;SAAZServerPlus;c:\progra~1\SAAZOD\SAAZServerPlus.exe [4/30/2009 8:46 PM 77824]
R2 SAAZWatchDog;SAAZWatchDog;c:\progra~1\SAAZOD\SAAZWatchDog.exe [3/10/2010 12:00 AM 81920]
R2 ShadowProtectSvc;ShadowProtect Service;c:\program files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe [4/2/2010 5:27 PM 1497632]
R2 VSNAPVSS;StorageCraft Shadow Copy Provider;c:\windows\system32\vsnapvss.exe [4/2/2010 5:27 PM 67616]
R3 BarracudaWSA;BarracudaWSA;c:\program files\Barracuda\Web Security Agent\BarracudaWSA.exe [3/25/2010 12:07 PM 2990240]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [1/23/2007 2:45 AM 42832]
S4 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/4/2010 2:58 PM 308064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=192.168.10.23:8080;https=192.168.10.23:8080;ftp=192.168.10.23:8080;gopher=192.168.10.23:8080;socks=192.168.10.23:8080
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\BarracudaWSA.dll
Trusted Zone: ddk.net
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://games.pogo.com/online2/pogo/chuzzle/popcaploader_v6.cab
.
- - - - ORPHANS REMOVED - - - -

Notify-LMIinit - LMIinit.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-05 12:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\BarracudaWSA.dll
c:\program files\LogMeIn\x86\LMIhook.000.dll
c:\windows\system32\wininet.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'lsass.exe'(848)
c:\windows\system32\BarracudaWSA.dll

- - - - - - - > 'explorer.exe'(2752)
c:\windows\system32\WININET.dll
c:\program files\LogMeIn\x86\LMIhook.000.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\avgagent.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\progra~1\SAAZOD\RMHLPDSK.exe
c:\windows\System32\vssvc.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2010-04-05 12:48:02 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-05 19:48

Pre-Run: 55,326,130,176 bytes free
Post-Run: 55,301,771,264 bytes free

- - End Of File - - 4B0C4FC7E1480932C2AA05CAE08CF6FB


#10 roseville99 (Topic Starter)
Posted 05 April 2010 - 03:03 PM

HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:57:01 PM, on 4/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\avgagent.exe
C:\Program Files\Barracuda\Web Security Agent\UpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\MSN\Toolbar\4.0.0390.0\mstbsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\SAAZOD\SAAZDPMACTL.exe
C:\PROGRA~1\SAAZOD\SAAZRemoteSupport.exe
C:\PROGRA~1\SAAZOD\SAAZScheduler.exe
C:\PROGRA~1\SAAZOD\SAAZServerPlus.exe
C:\PROGRA~1\SAAZOD\SAAZWatchDog.exe
C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe
C:\PROGRA~1\SAAZOD\RMHLPDSK.exe
C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\vsnapvss.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Barracuda\Web Security Agent\WSAMonitor.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Barracuda\Web Security Agent\BarracudaWSA.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\downloads\Malware\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0080115
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.10.23:8080;https=192.168.10.23:8080;ftp=192.168.10.23:8080;gopher=192.168.10.23:8080;socks=192.168.10.23:8080
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [WSA Monitor] C:\Program Files\Barracuda\Web Security Agent\WSAMonitor.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\barracudawsa.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\barracudawsa.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\barracudawsa.dll
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O15 - Trusted Zone: *.ddk.net (HKLM)
O15 - ESC Trusted Zone: http://ftp-sj.cisco.com (HKLM)
O15 - ESC Trusted Zone: http://www.cisco.com (HKLM)
O15 - ESC Trusted Zone: http://download.com.com (HKLM)
O15 - ESC Trusted Zone: *.ddk.net (HKLM)
O15 - ESC Trusted Zone: http://www.ddkhelp.com (HKLM)
O15 - ESC Trusted Zone: http://software-files.download.com (HKLM)
O15 - ESC Trusted Zone: http://www.download.com (HKLM)
O15 - ESC Trusted Zone: *.livemeeting.com (HKLM)
O15 - ESC Trusted Zone: http://www.msn.com (HKLM)
O15 - ESC Trusted Zone: http://scpwhb.ops.placeware.com (HKLM)
O15 - ESC Trusted Zone: http://www108.placeware.com (HKLM)
O15 - ESC Trusted Zone: *.rlcsbs1 (HKLM)
O15 - ESC Trusted Zone: http://*.rlcsbs1 (HKLM)
O15 - ESC Trusted Zone: *.webex.com (HKLM)
O15 - ESC Trusted Zone: http://www.winzip.com (HKLM)
O15 - ESC Trusted Zone: http://admin.xo.com (HKLM)
O15 - ESC Trusted Zone: http://www.xo.com (HKLM)
O15 - ESC Trusted IP range: http://192.168.1.1 (HKLM)
O15 - ESC Trusted IP range: http://192.168.72.1 (HKLM)
O15 - ESC Trusted IP range: http://192.168.61.9 (HKLM)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://rlcsbs1/connectcomputer/nshelp.dll
O16 - DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} (Photo Upload Plugin Class) - http://images3.pnimedia.com/ProductAssets/...veX_Control.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/chuzzle...aploader_v6.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domainr.local
O17 - HKLM\Software\..\Telephony: DomainName = domainr.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domainr.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = domainr.local
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: AVG9 Remote Support Service (AvgAgent) (avgagent) - Unknown owner - avgagent.exe (file missing)
O23 - Service: BarracudaWSA - Unknown owner - C:\Program Files\Barracuda\Web Security Agent\BarracudaWSA.exe
O23 - Service: Barracuda Updater Service (CatenaLogic Updater Service) - CatenaLogic - C:\Program Files\Barracuda\Web Security Agent\UpdaterService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SAAZDPMACTL - Zenith Infotech Ltd - C:\PROGRA~1\SAAZOD\SAAZDPMACTL.exe
O23 - Service: SAAZRemoteSupport - Zenith Infotech Ltd - C:\PROGRA~1\SAAZOD\SAAZRemoteSupport.exe
O23 - Service: SAAZScheduler - Zenith Infotech Ltd - C:\PROGRA~1\SAAZOD\SAAZScheduler.exe
O23 - Service: SAAZServerPlus - Zenith Infotech Ltd - C:\PROGRA~1\SAAZOD\SAAZServerPlus.exe
O23 - Service: SAAZWatchDog - Zenith Infotech Ltd - C:\PROGRA~1\SAAZOD\SAAZWatchDog.exe
O23 - Service: ShadowProtect Service (ShadowProtectSvc) - StorageCraft Technology Corporation - C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: StorageCraft Shadow Copy Provider (VSNAPVSS) - StorageCraft Technology Corporation - C:\WINDOWS\system32\vsnapvss.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 12674 bytes
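The HijackThis log above is read by section prefix: R1 for browser settings (here a ProxyServer value), O10 for Winsock LSP entries, O15 for Trusted Zone entries and O23 for services, one of which (avgagent) is reported with "Unknown owner" and "(file missing)". The following Python script is an added example for this thread; it is not HijackThis code and not anything the poster ran. It parses those line shapes and lists the entries a responder checks first. SAMPLE_LOG is a constructed excerpt modelled on the posted lines, and the names SAMPLE_LOG, Finding, parse_line, proxy_hosts and triage are the example's own. A flagged line means "look at this", not "this is malicious".

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread; it is not HijackThis code and not the
original poster's. SAMPLE_LOG is a constructed excerpt modelled on the
line shapes in the posted log. A flagged line means "check this first",
not "this is malicious".
"""
import re
from dataclasses import dataclass

# Constructed sample: the O4/O10/O15/O23/R1 shapes seen in the posted log.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=192.168.10.23:8080;https=192.168.10.23:8080
O4 - HKLM\\..\\Run: [WSA Monitor] C:\\Program Files\\Barracuda\\Web Security Agent\\WSAMonitor.exe
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\barracudawsa.dll
O15 - Trusted Zone: *.ddk.net (HKLM)
O15 - ESC Trusted IP range: http://192.168.1.1 (HKLM)
O23 - Service: AVG9 Remote Support Service (AvgAgent) (avgagent) - Unknown owner - avgagent.exe (file missing)
O23 - Service: BarracudaWSA - Unknown owner - C:\\Program Files\\Barracuda\\Web Security Agent\\BarracudaWSA.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\\Program Files\\LogMeIn\\x86\\LogMeIn.exe
"""

# "<section> - <body>", e.g. "O23 - Service: ..."; R/O/F/N are the HJT prefixes.
LINE_RE = re.compile(r"^([ORFN]\d+) - (.*)$")
# O23 body: "Service: <display name> - <vendor from version info> - <image path>"
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_line(line):
    """Split one HJT line into (section, body); None for non-HJT lines."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def proxy_hosts(body):
    """Extract the distinct proxy hosts from an R1 ProxyServer body."""
    # The first "=" separates the registry key from the value; the value
    # is "proto=host:port;proto=host:port" or a bare "host:port".
    _, _, value = body.partition("=")
    hosts = set()
    for part in value.split(";"):
        part = part.strip()
        if "=" in part:
            part = part.split("=", 1)[1]
        host = part.rsplit(":", 1)[0]
        if host:
            hosts.add(host)
    return hosts


def triage(text):
    """Return the findings a responder would check first, in log order."""
    findings = []
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        if section == "O23":
            m = SERVICE_RE.match(body)
            if m is None:
                continue
            if "(file missing)" in m.group("path"):
                # Registered service whose binary HJT could not find on disk.
                findings.append(Finding(section, "service registered but its binary is missing", raw))
            elif m.group("vendor") == "Unknown owner":
                # No company name in the binary's version info; confirm the vendor.
                findings.append(Finding(section, "service binary carries no vendor name", raw))
        elif section == "O10":
            # Winsock LSPs sit in every socket's data path; deleting one by hand breaks networking.
            findings.append(Finding(section, "Winsock LSP entry; confirm the vendor before touching it", raw))
        elif section == "O15":
            # Trusted Zone entries run with IE's most permissive security settings.
            findings.append(Finding(section, "Trusted Zone entry relaxes IE security for this host", raw))
        elif section == "R1" and "ProxyServer" in body:
            hosts = ", ".join(sorted(proxy_hosts(body)))
            findings.append(Finding(section, f"browser proxy set to {hosts}; confirm it is the expected proxy", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it with the full log pasted in place of SAMPLE_LOG. An O10 hit is a prompt to confirm the vendor (the posted log shows BarracudaWSA.exe among the running processes), not to delete the entry; the O23 "(file missing)" hit is the one worth asking about, since a service that points at a binary that no longer exists is either leftover from an uninstall or something that was removed out from under it.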


#11 roseville99 (Topic Starter)
Posted 05 April 2010 - 04:14 PM

Attached is the GMER ark.txt log.

Attached file: ark.txt (1.79 KB)

Edited by roseville99, 05 April 2010 - 04:14 PM.


#12 roseville99 (Topic Starter)
Posted 05 April 2010 - 04:33 PM

Malwarebytes logs attached. 2 infected, 1 clean?
What next?


#13 syler (Malware Response Team)
Posted 06 April 2010 - 08:07 AM

I only asked you to run ComboFix, so why have you posted all the other logs?



#14 roseville99 (Topic Starter)
Posted 06 April 2010 - 10:46 AM

You asked me to post the Malwarebytes log.
We had to run it a couple of different times so ComboFix would run.

Hello roseville99,


Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



Once you have run Malwarebytes, try running Gmer again, then please post back with the MBAM log and Gmer log, if you get it to run.

#15 syler (Malware Response Team)
Posted 06 April 2010 - 10:58 AM

I asked you to do that before and you did; we left those steps to do it another way, so please do not go back over old steps, and I have never asked you to run HijackThis. Please just follow the steps I give you, then wait for my reply. Do not ask questions and expect me to reply right away; I don't sit around here all day waiting for replies.

Please give me some time to look at your logs then I will get back with some instructions.






