Packed.Win32.katusha.j and MAL/ENCPK-MP


4 replies to this topic

#1 orpcat (Members, 2 posts)

Posted 18 April 2010 - 11:35 AM

Hi,

I got the BSOD IRQL_NOT_LESS_OR_EQUAL 0X0000000A,(0X00000000,0X00000002,0X00000001,0X804DC11D). This happened every time on re-boot. So I re-booted into Safe Mode and disabled SPTD.sys. I renamed SPTD.sys and did a normal re-boot.
Windows started OK, then I started to get a number of trojan warnings from ThreatFire (Packed.Win32.katusha.j and MAL/ENCPK-MP). I let ThreatFire kill and quarantine all of them and then tried to start PC Tools AntiVirus but could not. All programs were disabled, and I received the error that rundll was missing. I rebooted into Safe Mode again, fixed the rundll problem and was able to open all programs. I noticed that my firewall was disabled and Restore was disabled. I restarted my firewall but did not restart Restore.

I ran PC Tools AntiVirus in Safe Mode and it found no problems, and then ran ThreatFire, which found no other problems. I did a normal re-boot and the same thing happened: ThreatFire started to find the same trojans, but this time I could open all other programs and everything seemed normal, just running slow. Here is the DDS file.

Thank you.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Jeff at 12:21:23.46 on Sat 04/17/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.644 [GMT -4:00]

AV: PC Tools AntiVirus 6.0.0.19 *On-access scanning enabled* (Updated) {832E7172-E406-4bb2-8B19-6D29F2C93A98}

============== Running Processes ===============

F:\WINDOWS\system32\svchost -k DcomLaunch
F:\WINDOWS\system32\svchost -k rpcss
F:\WINDOWS\System32\svchost.exe -k netsvcs
F:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
F:\WINDOWS\System32\svchost.exe -k NetworkService
F:\WINDOWS\System32\svchost.exe -k LocalService
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
F:\Program Files\ThreatFire\TFTray.exe
F:\Program Files\PC Tools AntiVirus\PCTAV.exe
F:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
F:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
F:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
F:\Program Files\Turtle Beach\Turtle Beach USB MIDI 1x1\TBUM11.exe
F:\Program Files\Brother\ControlCenter3\brccMCtl.exe
F:\Program Files\Common Files\Java\Java Update\jusched.exe
F:\Program Files\Messenger\msmsgs.exe
F:\WINDOWS\system32\ctfmon.exe
F:\WINDOWS\System32\svchost.exe -k LocalService
F:\Program Files\uTorrent\uTorrent.exe
F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
F:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\WINDOWS\System32\nvsvc32.exe
F:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
F:\Program Files\Brother\Brmfcmon\BrMfimon.exe
F:\WINDOWS\System32\snmp.exe
F:\WINDOWS\System32\svchost.exe -k imgsvc
F:\Program Files\ThreatFire\TFService.exe
F:\WINDOWS\System32\ups.exe
F:\WINDOWS\System32\alg.exe
F:\Program Files\Common Files\Java\Java Update\jucheck.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Documents and Settings\Jeff\Desktop\dds.scr
F:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - f:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - f:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: f:\windows\system32\eqj837i.dll: {a9ba40a1-74f1-52bd-f431-00b15a2c8953} - f:\windows\system32\eqj837i.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - f:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - f:\program files\askbardis\bar\bin\askBar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - f:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - f:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "f:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
uRun: [swg] f:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [uTorrent] "f:\program files\utorrent\uTorrent.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE f:\windows\system32\NvCpl.dll,NvStartup
mRun: [SSBkgdUpdate] "f:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] f:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] f:\program files\scansoft\paperport\IndexSearch.exe
mRun: [RemoteControl] "f:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [ThreatFire] f:\program files\threatfire\TFTray.exe
mRun: [QuickTime Task] "f:\program files\quicktime\qttask.exe" -atboottime
mRun: [PCTAVApp] "f:\program files\pc tools antivirus\PCTAV.exe" /MONITORSCAN
mRun: [BrMfcWnd] f:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] f:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [GrooveMonitor] "f:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [GhostStartTrayApp] f:\program files\symantec\norton ghost 2003\GhostStartTrayApp.exe
mRun: [NeroFilterCheck] f:\windows\system32\NeroCheck.exe
mRun: [Turtle Beach USB MIDI 1x1] f:\program files\turtle beach\turtle beach usb midi 1x1\TBUM11.exe
mRun: [Adobe Reader Speed Launcher] "f:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "f:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "f:\program files\common files\java\java update\jusched.exe"
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - f:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - f:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - f:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://f:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://f:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
TCP: NameServer = 93.188.163.137,93.188.166.120
TCP: {F98DBA2A-DD59-4981-814D-E7F2B6DEAF66} = 93.188.163.137,93.188.166.120
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - f:\program files\microsoft office\office12\GrooveSystemServices.dll
AppInit_DLLs: wogipute.dll,lopuheso.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows\system32\WPDShServiceObj.dll
STS: f:\windows\system32\eqj837i.dll: {a9ba40a1-74f1-52bd-f431-00b15a2c8953} - f:\windows\system32\eqj837i.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - f:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli wogipute.dll lopuheso.dll
IFEO: MpCmdRun.exe - f:\windows\system32\svchost.exe
IFEO: MSASCui.exe - f:\windows\system32\svchost.exe
IFEO: MsMpEng.exe - f:\windows\system32\svchost.exe
IFEO: msseces.exe - f:\windows\system32\svchost.exe

================= FIREFOX ===================

FF - ProfilePath - f:\docume~1\jeff\applic~1\mozilla\firefox\profiles\eg5fn7i6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=19&q=
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - hxxp://www.tattoodle.com?tid={BB4813CA-3964-454D-9A81-C9C67ADBD03F}
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=19&tid={BB4813CA-3964-454D-9A81-C9C67ADBD03F}&q=
FF - plugin: f:\documents and settings\jeff\local settings\application data\yahoo!\browserplus\2.6.0\plugins\npybrowserplus_2.6.0.dll
FF - plugin: f:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: f:\program files\google\google updater\2.4.1691.8062\npCIDetect13.dll
FF - plugin: f:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: f:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: f:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - f:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - f:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
f:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
f:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
f:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
f:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
f:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;f:\windows\system32\drivers\PCTCore.sys [2009-8-9 130936]
R0 TfFsMon;TfFsMon;f:\windows\system32\drivers\TfFsMon.sys [2009-9-23 51984]
R0 TfSysMon;TfSysMon;f:\windows\system32\drivers\TfSysMon.sys [2009-9-23 59664]
R1 GhPciScan;GhostPciScanner;f:\program files\symantec\norton ghost 2003\GhPciScan.sys [2003-12-17 5632]
R2 AVFilter;AVFilter;f:\windows\system32\drivers\AVFilter.sys [2009-8-9 21904]
R2 Ias;MicroSoft Snapshot Services;f:\windows\system32\svchost.exe -k netsvcs [2002-9-3 14336]
R2 PCTAVSvc;PC Tools AntiVirus Engine;f:\program files\pc tools antivirus\PCTAVSvc.exe [2009-8-9 826600]
R2 ThreatFire;ThreatFire;f:\program files\threatfire\tfservice.exe service --> f:\program files\threatfire\TFService.exe service [?]
R3 AVHook;AVHook;f:\windows\system32\drivers\AVHook.sys [2009-8-9 28560]
R3 TfNetMon;TfNetMon;f:\windows\system32\drivers\TfNetMon.sys [2009-9-23 33552]
S2 gupdate1ca25251c891426;Google Update Service (gupdate1ca25251c891426);f:\program files\google\update\GoogleUpdate.exe [2009-8-24 133104]
S3 diskchk;diskchk;\??\f:\windows\system32\diskchk.sys --> f:\windows\system32\diskchk.sys [?]
S3 TBU11;Turtle Beach USB MIDI 1x1 Driver;f:\windows\system32\drivers\tbu11.sys [2009-9-3 13824]

=============== Created Last 30 ================

2010-04-17 16:19:20 176 ----a-w- f:\documents and settings\jeff\defogger_reenable
2010-04-17 14:47:19 0 d-----w- f:\program files\Trend Micro
2010-04-17 13:56:05 1341 ----a-w- F:\regtools.vbs
2010-04-17 13:51:47 9830 ----a-w- F:\exefix.reg
2010-04-17 12:35:46 20000 ----a-w- f:\windows\system32\eqj837i.dll
2010-04-13 15:58:29 73728 ----a-w- f:\windows\system32\javacpl.cpl
2010-04-13 15:58:29 411368 ----a-w- f:\windows\system32\deploytk.dll
2010-04-11 18:05:11 230824 ----a-r- f:\windows\cpnprt2.cid
2010-04-11 18:05:05 230824 ------w- f:\windows\system32\cpnprt2.cid
2010-04-11 18:04:59 0 d-----w- f:\windows\Cache
2010-04-11 18:04:56 0 d-----w- f:\program files\Coupons
2010-04-08 00:10:25 401 ----a-w- f:\windows\system32\lame_acm.xml
2010-04-08 00:10:25 172032 ----a-w- f:\windows\system32\LameACM.acm
2010-04-08 00:10:19 0 d-----w- f:\program files\Motorola
2010-04-08 00:07:14 20267652 ----a-w- F:\Setup.exe
2010-04-07 22:04:44 32223338 ----a-w- F:\iDENPhonebookManager.exe
2010-04-07 22:03:44 4794841 ----a-w- F:\MotorolaMP3Loader_R01.02.00.exe
2010-04-03 13:50:17 0 d-----w- f:\program files\Virgin Interactive
2010-04-03 13:47:04 0 d-----w- f:\program files\directx
2010-04-01 00:19:04 0 d-----w- f:\program files\[PC] 18 WHEELS OF STEEL EXTREME TRUCKER-[ESPACONSOLAS.com]
2010-03-28 17:38:46 0 d-----w- f:\program files\G4FON Software
2010-03-28 13:58:56 0 d-----w- f:\program files\K1RFD
2010-03-27 16:34:36 900015 ----a-w- f:\windows\system32\TmpA17830421
2010-03-27 16:25:28 0 d-----w- f:\program files\18 WoS Pedal to the Metal
2010-03-27 11:22:17 3558912 -c----w- f:\windows\system32\dllcache\moviemk.exe
2010-03-21 13:54:06 0 d-----w- f:\docume~1\jeff\applic~1\Mp3tag
2010-03-21 13:53:55 0 d-----w- f:\program files\Mp3tag

==================== Find3M ====================

2010-04-17 12:20:33 697328 ----a-w- f:\windows\system32\drivers\sppp.sys
2010-02-25 06:24:37 916480 ----a-w- f:\windows\system32\wininet.dll
2010-01-31 19:26:44 2828 --sha-w- f:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2010-01-31 19:26:41 88 --sh--r- f:\docume~1\alluse~1\applic~1\69C9A7AA0A.sys

============= FINISH: 12:26:37.23 ===============
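The DDS report above is a flat text dump, and the lines an analyst reads first are the persistence and tampering entries: the AppInit_DLLs value (loaded into every process that maps user32.dll), the extra LSA Notification Packages (which receive every password change), the IFEO entries that redirect Microsoft anti-malware binaries to svchost.exe, the non-private DNS servers, the policies that disable Registry Editor and Folder Options, and a BHO whose only "name" is its own file path. The same heuristics apply to the REGEDIT4-style Security Center overrides in the ComboFix "Reg Loading Points" section later in this thread. The script below is an added example, not part of this thread and not a DDS, ComboFix or BleepingComputer tool: it parses lines in those two log formats and lists the findings. It assumes a home PC whose resolvers should be on a private LAN address (so any public resolver is flagged for manual verification, not declared malicious), and the list of security executables is just the four names that appear in the log above. The sample lines are copied from the reports in this thread plus one benign Yahoo BHO line as a control.

```python
"""Triage a DDS or ComboFix log for persistence and security-tampering entries.

Added example (not a DDS/ComboFix tool): it only reads their text output.
Assumptions: home LAN with private-address resolvers; SECURITY_EXES holds the
names seen hijacked via IFEO in the log above and can be extended.
"""
import re
from typing import Dict, List, Tuple

# Microsoft anti-malware binaries that malware hijacks through Image File
# Execution Options "Debugger" values (assumption: taken from the log above).
SECURITY_EXES = {"mpcmdrun.exe", "msascui.exe", "msmpeng.exe", "msseces.exe"}

# Loopback and RFC 1918 ranges; anything else on a home PC gets a second look.
PRIVATE_RE = re.compile(r"^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")

BHO_RE = re.compile(r"^(BHO|STS):\s*(.*?):\s*\{[0-9a-f-]+\}\s*-\s*(.+)$", re.I)
IFEO_RE = re.compile(r"^IFEO:\s*(\S+)\s*-\s*(.+)$", re.I)
POLICY_RE = re.compile(r"(DisableRegistryTools|DisableTaskMgr|NoFolderOptions)\s*=\s*1", re.I)
SECCENTER_RE = re.compile(r'^"(AntiVirusOverride|FirewallOverride)"=dword:0*1$', re.I)

Finding = Tuple[str, str]


def triage(log_text: str) -> List[Finding]:
    """Return (category, detail) pairs for suspicious lines in a DDS/ComboFix log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        low = line.lower()
        if low.startswith("appinit_dlls:"):
            # Loaded into every user32-linked process; a clean box leaves it empty.
            dlls = [d.strip() for d in line.split(":", 1)[1].split(",") if d.strip()]
            if dlls:
                findings.append(("AppInit_DLLs", ", ".join(dlls)))
        elif low.startswith("lsa: notification packages"):
            # Only scecli is expected on stock XP; extra packages see cleartext passwords.
            extra = [p for p in line.split("=", 1)[1].split() if p.lower() != "scecli"]
            if extra:
                findings.append(("LSA notification package", ", ".join(extra)))
        elif (m := IFEO_RE.match(line)):
            target, debugger = m.group(1), m.group(2).strip()
            if target.lower() in SECURITY_EXES:
                findings.append(("IFEO hijack of security tool", f"{target} -> {debugger}"))
        elif low.startswith("tcp:") and "=" in line:
            servers = [s.strip() for s in line.split("=", 1)[1].split(",")]
            public = [s for s in servers if s and not PRIVATE_RE.match(s)]
            if public:
                findings.append(("Non-private DNS server", ", ".join(public)))
        elif low.startswith(("upolicies-", "mpolicies-")) and POLICY_RE.search(line):
            findings.append(("Restrictive policy", line.split(":", 1)[1].strip()))
        elif (m := BHO_RE.match(line)):
            name, path = m.group(2), m.group(3).strip()
            # No registered friendly name: DDS falls back to printing the DLL path.
            if "\\" in name:
                findings.append(("Unnamed browser helper", path))
        elif (m := SECCENTER_RE.match(line)):
            # Tells Security Center to stop warning about AV/firewall state.
            findings.append(("Security Center override", m.group(1)))
    return findings


def summarize(log_text: str) -> Dict[str, int]:
    """Count findings per category for a quick triage view."""
    counts: Dict[str, int] = {}
    for category, _ in triage(log_text):
        counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed sample: lines copied from the DDS and ComboFix reports in this
# thread, plus the benign Yahoo BHO line as a control that must not be flagged.
SAMPLE_LOG = r"""
uStart Page = about:blank
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - f:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: f:\windows\system32\eqj837i.dll: {a9ba40a1-74f1-52bd-f431-00b15a2c8953} - f:\windows\system32\eqj837i.dll
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
TCP: NameServer = 93.188.163.137,93.188.166.120
AppInit_DLLs: wogipute.dll,lopuheso.dll
LSA: Notification Packages = scecli wogipute.dll lopuheso.dll
IFEO: MsMpEng.exe - f:\windows\system32\svchost.exe
IFEO: msseces.exe - f:\windows\system32\svchost.exe
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"""

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

Run it against a saved DDS.txt or ComboFix.txt by passing the file contents to triage(). The DNS check is deliberately a prompt rather than a verdict: compare the flagged resolvers with the ones the ISP or router actually hands out before treating them as hijacked.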


 


#2 extremeboy (Malware Response Team, 12,975 posts)

Posted 18 April 2010 - 05:38 PM

Hello.

I see quite a few infections on your system. Let's start off with ComboFix and proceed from there.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#3 orpcat (Topic Starter, Members, 2 posts)

Posted 18 April 2010 - 08:19 PM

Ran ComboFix; here is the log file.

Thanks

ComboFix 10-04-17.07 - Jeff 04/18/2010 20:24:45.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.913 [GMT -4:00]
Running from: f:\documents and settings\Jeff\Desktop\ComboFix.exe
AV: PC Tools AntiVirus 6.0.0.19 *On-access scanning enabled* (Updated) {832E7172-E406-4bb2-8B19-6D29F2C93A98}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

f:\docume~1\Jeff\LOCALS~1\Temp\mvNat.exe
f:\documents and settings\Jeff\Application Data\inst.exe
f:\program files\Common Files\Uninstall
f:\program files\Common Files\Uninstall\PersonalAV\Uninstall.lnk
F:\setup.exe
f:\windows\system32\ctfmon .exe
f:\windows\system32\spool\prtprocs\w32x86\00004b4c.tmp

Infected copy of f:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - f:\windows\ServicePackFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2010-03-19 to 2010-04-19 )))))))))))))))))))))))))))))))
.

2010-04-18 19:14 . 2010-04-18 19:14 -------- d-----w- f:\documents and settings\Jeff\Application Data\SUPERAntiSpyware.com
2010-04-18 19:14 . 2010-04-18 19:14 -------- d-----w- f:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-18 12:15 . 2010-04-18 12:15 -------- d-----w- f:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-04-18 12:12 . 2010-04-18 12:12 69624 ----a-w- f:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-17 14:47 . 2010-04-17 14:47 -------- d-----w- f:\program files\Trend Micro
2010-04-17 13:56 . 2010-04-17 13:56 1341 ----a-w- F:\regtools.vbs
2010-04-17 13:51 . 2010-04-17 13:51 9830 ----a-w- F:\exefix.reg
2010-04-13 15:59 . 2010-04-13 15:59 61440 ----a-w- f:\documents and settings\Jeff\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-242a5f22-n\decora-sse.dll
2010-04-13 15:59 . 2010-04-13 15:59 503808 ----a-w- f:\documents and settings\Jeff\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4f0f7ec7-n\msvcp71.dll
2010-04-13 15:59 . 2010-04-13 15:59 499712 ----a-w- f:\documents and settings\Jeff\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4f0f7ec7-n\jmc.dll
2010-04-13 15:59 . 2010-04-13 15:59 348160 ----a-w- f:\documents and settings\Jeff\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4f0f7ec7-n\msvcr71.dll
2010-04-13 15:59 . 2010-04-13 15:59 12800 ----a-w- f:\documents and settings\Jeff\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-242a5f22-n\decora-d3d.dll
2010-04-13 15:59 . 2010-04-13 15:59 -------- d-----w- f:\windows\Sun
2010-04-13 15:59 . 2010-04-13 15:59 -------- d-----w- f:\program files\Common Files\Java
2010-04-13 15:58 . 2010-04-13 15:58 411368 ----a-w- f:\windows\system32\deploytk.dll
2010-04-13 15:57 . 2010-04-13 15:57 -------- d-----w- f:\program files\Java
2010-04-11 18:04 . 2010-04-11 18:04 -------- d-----w- f:\windows\Cache
2010-04-11 18:04 . 2010-04-11 18:06 -------- d-----w- f:\program files\Coupons
2010-04-08 00:10 . 2010-04-18 14:48 -------- d-----w- f:\program files\Motorola
2010-04-07 22:04 . 2010-04-07 22:04 32223338 ----a-w- F:\iDENPhonebookManager.exe
2010-04-07 22:03 . 2010-04-07 22:03 4794841 ----a-w- F:\MotorolaMP3Loader_R01.02.00.exe
2010-04-04 14:03 . 2010-04-04 14:32 -------- d-----w- f:\documents and settings\Jeff\Application Data\AdobeUM
2010-04-03 13:50 . 2010-04-03 13:50 -------- d-----w- f:\program files\Virgin Interactive
2010-04-03 13:47 . 2010-04-03 13:47 -------- d-----w- f:\program files\directx
2010-04-01 00:19 . 2010-04-01 00:34 -------- d-----w- f:\program files\[PC] 18 WHEELS OF STEEL EXTREME TRUCKER-[ESPACONSOLAS.com]
2010-03-28 17:38 . 2010-03-28 17:38 -------- d-----w- f:\program files\G4FON Software
2010-03-28 13:58 . 2010-03-28 13:58 53248 ----a-r- f:\documents and settings\Jeff\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\EchoLink_Web_Site._B5759EDEA3D244BBB2AAF1B15E1EC021.exe
2010-03-28 13:58 . 2010-03-28 13:58 53248 ----a-r- f:\documents and settings\Jeff\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\EchoLink_Support.u_B5759EDEA3D244BBB2AAF1B15E1EC021.exe
2010-03-28 13:58 . 2010-03-28 13:58 45056 ----a-r- f:\documents and settings\Jeff\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\EchoLink.chm_B5759EDEA3D244BBB2AAF1B15E1EC021.exe
2010-03-28 13:58 . 2010-03-28 13:58 40960 ----a-r- f:\documents and settings\Jeff\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\EchoLink.exe11_B5759EDEA3D244BBB2AAF1B15E1EC021.exe
2010-03-28 13:58 . 2010-03-28 13:58 40960 ----a-r- f:\documents and settings\Jeff\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\EchoLink.exe1_B5759EDEA3D244BBB2AAF1B15E1EC021.exe
2010-03-28 13:58 . 2010-03-28 13:58 40960 ----a-r- f:\documents and settings\Jeff\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\ARPPRODUCTICON.exe
2010-03-28 13:58 . 2010-03-28 13:58 -------- d-----w- f:\program files\K1RFD
2010-03-27 11:22 . 2009-10-23 15:28 3558912 -c----w- f:\windows\system32\dllcache\moviemk.exe
2010-03-24 08:04 . 2010-03-24 18:17 952768 ----a-w- f:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\25242\AdobeARM.exe
2010-03-24 08:04 . 2010-03-24 18:17 70584 ----a-w- f:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\25242\AdobeExtractFiles.dll
2010-03-24 08:04 . 2010-03-24 18:17 326056 ----a-w- f:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\25242\ReaderUpdater.exe
2010-03-24 08:04 . 2010-03-24 18:17 326056 ----a-w- f:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\25242\AcrobatUpdater.exe
2010-03-21 13:54 . 2010-03-21 14:10 -------- d-----w- f:\documents and settings\Jeff\Application Data\Mp3tag
2010-03-21 13:53 . 2010-03-21 13:53 -------- d-----w- f:\program files\Mp3tag

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-19 00:54 . 2009-08-08 21:40 -------- d---a-w- f:\documents and settings\All Users\Application Data\TEMP
2010-04-19 00:52 . 2009-08-09 20:24 -------- d-----w- f:\program files\PC Tools AntiVirus
2010-04-18 20:54 . 2009-08-08 20:14 69232 ----a-w- f:\documents and settings\Jeff\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-18 19:57 . 2009-08-30 20:47 -------- d-----w- f:\program files\Antares Audio Technologies
2010-04-18 19:57 . 2009-08-30 19:27 -------- d-----w- f:\program files\VstPlugins
2010-04-18 19:56 . 2009-08-08 22:31 -------- d-----w- f:\program files\Common Files\Adobe
2010-04-18 14:48 . 2009-08-08 22:52 -------- d--h--w- f:\program files\InstallShield Installation Information
2010-04-18 14:46 . 2009-08-30 16:27 -------- d-----w- f:\documents and settings\Jeff\Application Data\uTorrent
2010-04-17 12:20 . 2009-08-30 17:11 697328 ----a-w- f:\windows\system32\drivers\sppp.sys
2010-04-14 20:21 . 2009-08-25 01:39 -------- d-----w- f:\program files\Google
2010-04-10 13:08 . 2009-08-08 21:24 16 ----a-w- f:\windows\popcinfo.dat
2010-03-27 11:33 . 2009-08-13 00:09 -------- d-----w- f:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-28 13:20 . 2010-02-28 13:19 -------- d-----w- f:\documents and settings\All Users\Application Data\Trymedia
2010-02-25 06:24 . 2002-09-03 17:12 916480 ----a-w- f:\windows\system32\wininet.dll
2010-02-21 15:30 . 2010-02-21 15:30 -------- d-----w- f:\program files\F5BUD
2010-02-21 12:39 . 2010-02-20 19:51 -------- d-----w- f:\documents and settings\Jeff\Application Data\Simon Brown, HB9DRV
2010-02-21 02:12 . 2010-02-21 02:12 -------- d-----w- f:\program files\COM Port Stress Test
2010-02-21 01:42 . 2010-02-20 19:51 -------- d-----w- f:\program files\Amateur Radio
2010-02-03 16:48 . 2010-02-03 16:48 86016 ----a-w- f:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-31 19:26 . 2009-09-05 00:53 2828 --sha-w- f:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-01-31 19:26 . 2009-09-05 00:53 2828 --sha-w- f:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-01-31 19:26 . 2009-09-05 00:53 88 --sh--r- f:\documents and settings\All Users\Application Data\69C9A7AA0A.sys
2010-01-31 19:26 . 2009-09-05 00:53 88 --sh--r- f:\documents and settings\All Users\Application Data\69C9A7AA0A.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "f:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "f:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="f:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-25 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="f:\windows\System32\NvCpl.dll" [2003-04-24 4616192]
"SSBkgdUpdate"="f:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="f:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="f:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"RemoteControl"="f:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"ThreatFire"="f:\program files\ThreatFire\TFTray.exe" [2009-09-23 382224]
"QuickTime Task"="f:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"PCTAVApp"="f:\program files\PC Tools AntiVirus\PCTAV.exe" [2009-02-19 1374096]
"BrMfcWnd"="f:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"ControlCenter3"="f:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824]
"GrooveMonitor"="f:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"GhostStartTrayApp"="f:\program files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2003-12-17 94208]
"NeroFilterCheck"="f:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Turtle Beach USB MIDI 1x1"="f:\program files\Turtle Beach\Turtle Beach USB MIDI 1x1\TBUM11.exe" [2003-06-17 1814528]
"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="f:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"SunJavaUpdateSched"="f:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"f:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"f:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"f:\\Program Files\\K1RFD\\EchoLink\\EchoLink.exe"=
"f:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\RosettaStoneLtdServices.exe"=
"f:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<NO NAME>"=

R0 PCTCore;PCTools KDS;f:\windows\system32\drivers\PCTCore.sys [8/9/2009 4:25 PM 130936]
R0 TfFsMon;TfFsMon;f:\windows\system32\drivers\TfFsMon.sys [9/23/2009 9:44 AM 51984]
R0 TfSysMon;TfSysMon;f:\windows\system32\drivers\TfSysMon.sys [9/23/2009 9:44 AM 59664]
R1 GhPciScan;GhostPciScanner;f:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [12/17/2003 3:41 PM 5632]
R3 TfNetMon;TfNetMon;f:\windows\system32\drivers\TfNetMon.sys [9/23/2009 9:44 AM 33552]
S1 SASDIFSV;SASDIFSV;\??\f:\docume~1\Jeff\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> f:\docume~1\Jeff\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\f:\docume~1\Jeff\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys --> f:\docume~1\Jeff\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys [?]
S3 diskchk;diskchk;\??\f:\windows\system32\diskchk.sys --> f:\windows\system32\diskchk.sys [?]
S3 SASENUM;SASENUM;\??\f:\docume~1\Jeff\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS --> f:\docume~1\Jeff\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS [?]
S3 TBU11;Turtle Beach USB MIDI 1x1 Driver;f:\windows\system32\drivers\tbu11.sys [9/3/2009 7:18 PM 13824]
S4 sptd;sptd;f:\windows\system32\Drivers\sptd.sys --> f:\windows\system32\Drivers\sptd.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-04-19 f:\windows\Tasks\Google Software Updater.job
- f:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-25 01:39]

2010-04-19 f:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- f:\program files\Google\Update\GoogleUpdate.exe [2009-08-25 01:40]

2010-04-18 f:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- f:\program files\Google\Update\GoogleUpdate.exe [2009-08-25 01:40]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
DPF: DirectAnimation Java Classes - file://f:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://f:\windows\Java\classes\xmldso.cab
FF - ProfilePath - f:\documents and settings\Jeff\Application Data\Mozilla\Firefox\Profiles\eg5fn7i6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=19&q=
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - hxxp://www.tattoodle.com?tid={BB4813CA-3964-454D-9A81-C9C67ADBD03F}
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=19&tid={BB4813CA-3964-454D-9A81-C9C67ADBD03F}&q=
FF - plugin: f:\documents and settings\Jeff\Local Settings\Application Data\Yahoo!\BrowserPlus\2.6.0\Plugins\npybrowserplus_2.6.0.dll
FF - plugin: f:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: f:\program files\Google\Google Updater\2.4.1691.8062\npCIDetect13.dll
FF - plugin: f:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: f:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: f:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - f:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
f:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
f:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
f:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
f:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

BHO-{A9BA40A1-74F1-52BD-F431-00B15A2C8953} - (no file)
Toolbar-Locked - (no file)
SharedTaskScheduler-{A9BA40A1-74F1-52BD-F431-00B15A2C8953} - (no file)
MSConfigStartUp-hsf87efjhdsf87f3jfsdi7fhsujfd - f:\docume~1\Jeff\LOCALS~1\Temp\notepad.exe
AddRemove-RD - f:\program files\d-lusion\DT\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-18 20:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Turtle Beach USB MIDI 1x1 = f:\program files\Turtle Beach\Turtle Beach USB MIDI 1x1\TBUM11.exe??????????????L?????B~|???????????????????\?????B~??B~2????????????1F?2????????=??????2??????????????????????????????????????? #G?????????????????D>????????????A??=???=???=????????G?6?????????G

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
f:\program files\ThreatFire\TFNI.dll
f:\program files\ThreatFire\TFMon.dll
f:\program files\ThreatFire\TFRK.dll
f:\program files\ThreatFire\TFWAH.dll

- - - - - - - > 'lsass.exe'(724)
f:\program files\ThreatFire\TFWAH.dll

- - - - - - - > 'explorer.exe'(3852)
f:\windows\system32\WININET.dll
f:\program files\ThreatFire\TfWah.dll
f:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
f:\windows\system32\ieframe.dll
f:\windows\system32\webcheck.dll
f:\windows\system32\WPDShServiceObj.dll
f:\windows\system32\PortableDeviceTypes.dll
f:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
f:\program files\Symantec\Norton Ghost 2003\GhostStartService.exe
f:\program files\Java\jre6\bin\jqs.exe
f:\windows\System32\nvsvc32.exe
f:\program files\PC Tools AntiVirus\PCTAVSvc.exe
f:\windows\System32\snmp.exe
f:\program files\ThreatFire\TFService.exe
f:\program files\Brother\ControlCenter3\brccMCtl.exe
f:\program files\Brother\Brmfcmon\BrMfimon.exe
.
**************************************************************************
.
Completion time: 2010-04-18 21:04:55 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-19 01:04

Pre-Run: 117,935,321,088 bytes free
Post-Run: 118,003,642,368 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 67DC752A657D89FAE75C894B79C1D3B3
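The log above is the poster's ComboFix output as submitted. As an added example that is not part of the thread, of ComboFix, or of DDS, the Python script below shows how a responder could triage lines of that shape automatically. It looks for the three indicators that are visible in the posted log: Firefox search and homepage preferences redirected to an unfamiliar host, an autostart entry launched from a Temp directory, and orphaned browser-object CLSIDs with no backing file, and it then correlates the GUIDs shared across findings (the same tracking `tid=` appears in two prefs, and the same CLSID appears as both a BHO and a SharedTaskScheduler entry). The sample input is copied from the log on this page; the allowlist of known-good search hosts, the regular expressions and the finding names are this example's own assumptions.

```python
"""Triage helper for ComboFix-style log lines (added example, not ComboFix code)."""
import re
from collections import Counter
from urllib.parse import urlparse

# Sample input: lines copied verbatim from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
uStart Page = about:blank
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=19&q=
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - hxxp://www.tattoodle.com?tid={BB4813CA-3964-454D-9A81-C9C67ADBD03F}
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=19&tid={BB4813CA-3964-454D-9A81-C9C67ADBD03F}&q=
FF - plugin: f:\program files\Google\Google Earth\plugin\npgeplugin.dll
BHO-{A9BA40A1-74F1-52BD-F431-00B15A2C8953} - (no file)
Toolbar-Locked - (no file)
SharedTaskScheduler-{A9BA40A1-74F1-52BD-F431-00B15A2C8953} - (no file)
MSConfigStartUp-hsf87efjhdsf87f3jfsdi7fhsujfd - f:\docume~1\Jeff\LOCALS~1\Temp\notepad.exe
AddRemove-RD - f:\program files\d-lusion\DT\uninstall.exe
"""

# Assumption for this example: search/homepage prefs pointing at any host
# outside this set are treated as a hijack indicator.
KNOWN_GOOD_HOSTS = {"www.google.com", "google.com", "www.bing.com", "search.yahoo.com"}

# Firefox prefs that search hijackers typically rewrite.
HIJACK_PREFS = {"browser.search.defaulturl", "browser.startup.homepage", "keyword.URL"}

FF_PREF_RE = re.compile(r"^FF - prefs\.js: (?P<pref>\S+) - (?P<value>.*)$")
# Only dangling CLSID registrations count as orphans; "Toolbar-Locked" is a plain value.
ORPHAN_RE = re.compile(r"^(?P<kind>BHO|SharedTaskScheduler|Toolbar)-(?P<id>\{[0-9A-Fa-f-]+\}) - \(no file\)$")
AUTOSTART_RE = re.compile(r"^MSConfigStartUp-(?P<name>\S+) - (?P<path>.+)$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def _host_of(value):
    """Return the hostname of a defanged (hxxp://) URL, or None if not a URL."""
    return urlparse(value.replace("hxxp", "http", 1)).hostname


def triage(log_text):
    """Scan log lines and return a list of finding dicts, each tagged with the GUIDs it mentions."""
    findings = []
    for line in log_text.strip().splitlines():
        finding = None
        m = FF_PREF_RE.match(line)
        if m and m["pref"] in HIJACK_PREFS:
            host = _host_of(m["value"])
            if host and host not in KNOWN_GOOD_HOSTS:
                finding = {"rule": "ff-search-hijack", "pref": m["pref"], "host": host}
        m = AUTOSTART_RE.match(line)
        if m and TEMP_DIR_RE.search(m["path"]):
            # Legitimate software does not persist its autostart binary in a Temp folder.
            finding = {"rule": "autostart-from-temp", "name": m["name"], "path": m["path"]}
        m = ORPHAN_RE.match(line)
        if m:
            finding = {"rule": "orphaned-browser-object", "kind": m["kind"], "id": m["id"]}
        if finding:
            finding["line"] = line
            finding["guids"] = GUID_RE.findall(line)
            findings.append(finding)
    return findings


def shared_guids(findings):
    """GUIDs that occur in two or more findings: one identifier tying separate entries together."""
    counts = Counter(g for f in findings for g in set(f["guids"]))
    return {g for g, n in counts.items() if n >= 2}


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f['rule']}] {f['line']}")
    print("shared GUIDs:", sorted(shared_guids(results)))
```

Running the script over the sample prints six findings and two shared GUIDs. The correlation step is the useful part in practice: a tracking ID that recurs across prefs, or a CLSID that is registered both as a BHO and as a SharedTaskScheduler entry, is a stronger signal than any single line on its own.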


#4 extremeboy (Malware Response Team)

Posted 20 April 2010 - 04:09 PM

Hello again.

Sorry for the delay.

That looks better. Combofix dealt with the driver successfully! smile.gif

Let's get an online scan now.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires that the Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now, under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#5 extremeboy (Malware Response Team)

Posted 08 May 2010 - 11:49 AM

Hello.

Due to Lack of feedback, this topic is now Closed

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy