AVE.exe, Google redirect rootkit


This topic is locked
37 replies to this topic

#1 sazmeister
  • Members
  • 21 posts

Posted 18 April 2010 - 07:20 PM

Hi,

I've been having a lot of problems and have decided to leave it to people who know better to help me solve them!

The problems started when my sister clicked on a fake 'Win XP Security' pop-up (I don't know the exact wording) and now my system is crawling with viruses. Also my Google search results redirect to spam sites, and sometimes Internet Explorer will just crash with no warning when I click things (clicking on the 'Post New Topic' button on this page caused it to crash so I am posting from another computer).

I have so far detected:

sdra64.exe
ave.exe
mrt.exe
liveu.exe

Although I have deleted these files in the system32 folder and any registry entries containing them, they have a habit of coming back. I also suspect my atapi.sys file is infected but have taken no action until I'm sure.

I am posting below the DDS logs as requested in the forum guide, but I have tried twice to create a GMER log and on both occasions it has taken around an hour and then crashed my computer and given me a blue screen saying there is not sufficient space to continue (this took me by surprise as it never happens with any other process) - I hope someone is still able to assist me despite this, and thank you in advance for any help resolving this issue!

-----------------------------------------------------------------------------------------------------------------------------------------------------------

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 14:29:59.48 on 18/04/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.510.69 [GMT 1:00]

AV: BullGuard Antivirus *On-access scanning enabled* (Updated) {7A9BB333-8EDF-4FDC-A2A5-1A30FA021913}
FW: BullGuard Firewall *disabled* {2AEF4CB6-61B5-4E60-AF22-D95E75B63FA1}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe -k BullGuard
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Documents and Settings\Owner\My Documents\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Internet Explorer Plugin: {9fad24ba-9822-41b0-9eb9-50c824a02033} - sabb.dll
BHO: {AAE3E3EC-9663-4953-9B95-DE5B85912782} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Getdo] rundll32.exe "c:\documents and settings\owner\application data\adobe\update\flacor.dat""
uRun: [BullGuard] "c:\program files\bullguard ltd\bullguard\bullguard.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [BullGuard] "c:\program files\bullguard ltd\bullguard\bullguard.exe" -boot
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: lldkrx.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227985918484
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {0B9B6DEA-57F3-4D5E-ADF8-1C23062FCC8A} - rundll32 splv3.dll,laspi
mASetup: {59EC7186-6FFB-47E8-99BE-D1D07B1B4551} - rundll32 sabb.dll,laspi
IFEO: RapportMgmtService.exe - ZASRAKOMONDOHUI31338.EXE
IFEO: RapportService.exe - ZASRAKOMONDOHUI31338.EXE

============= SERVICES / DRIVERS ===============

R2 BdFileSpy;BullGuard File Monitor Driver;c:\windows\system32\drivers\BdFileSpy.sys [2010-4-8 55504]
R2 BsFileScan;BullGuard File Scan Service;c:\windows\system32\svchost.exe -k BullGuard [2004-8-4 14336]
R2 BsFire;BullGuard Firewall Service;c:\windows\system32\svchost.exe -k BullGuard [2004-8-4 14336]
R2 BsMailProxy;BullGuard Email Monitoring Service;c:\windows\system32\svchost.exe -k BullGuard [2004-8-4 14336]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\Afw.sys [2009-3-23 31640]
R3 afwcore;afwcore;c:\windows\system32\drivers\AfwCore.sys [2009-3-23 256792]
S3 BGRaSvc;BGRaSvc;c:\program files\bullguard ltd\bullguard\support\bgrasvc.exe [2009-6-1 83280]
S3 Persdi;Persdi; [x]

=============== Created Last 30 ================

2010-04-17 21:08:58 54156 ---ha-w- c:\windows\QTFont.qfn
2010-04-17 21:08:58 1409 ----a-w- c:\windows\QTFont.for
2010-04-17 19:52:23 0 d-----w- C:\ComboFix
2010-04-16 19:20:06 11264 ----a-w- c:\windows\system32\lldkrx.dll
2010-04-16 19:16:03 38400 ----a-w- c:\windows\system32\sabb.dll
2010-04-16 19:16:03 23144 ----a-w- c:\windows\system32\mrpgpt
2010-04-10 14:40:48 0 d-----w- c:\windows\pss
2010-04-09 01:41:48 0 d-sh--w- c:\windows\system32\lowsec
2010-04-09 01:41:34 122368 ----a-w- C:\U.exe
2010-04-08 17:46:53 0 d-----w- c:\docume~1\owner\applic~1\BullGuard
2010-04-08 17:46:53 0 d-----w- c:\docume~1\alluse~1.win\applic~1\BullGuard
2010-04-08 17:46:01 55504 ----a-w- c:\windows\system32\drivers\BdFileSpy.sys
2010-04-08 17:45:38 0 d-----w- c:\program files\BullGuard Ltd
2010-04-08 00:21:39 293376 ------w- c:\windows\system32\browserchoice.exe
2010-04-07 23:45:19 11264 ----a-w- c:\windows\system32\lkrdx.dll
2010-04-07 23:33:22 0 d-----w- c:\docume~1\owner\applic~1\Helper
2010-04-07 23:32:27 23162 ----a-w- c:\windows\system32\enb
2010-04-07 23:32:24 72704 ----a-w- c:\windows\system32\klgd.bmp
2010-04-06 15:11:19 0 d-----w- c:\windows\system32\windows media
2010-04-06 15:11:08 0 d--h--w- c:\windows\msdownld.tmp
2010-04-06 15:11:02 0 d-----w- c:\program files\Windows Media Components
2010-04-03 16:58:46 178176 ----a-w- c:\windows\system32\unrar.dll
2010-04-03 16:58:44 0 d-----w- c:\program files\K-Lite Codec Pack

==================== Find3M ====================

2010-04-16 19:41:00 13632 ----a-w- c:\windows\system32\drivers\omci.sys
2010-04-08 17:55:09 14160 ----a-w- c:\windows\system32\client_cc.dll
2010-04-08 17:55:08 87376 ----a-w- c:\windows\system32\BGLsp.dll
2010-04-08 17:54:00 256792 ----a-r- c:\windows\system32\drivers\AfwCore.sys
2010-04-08 17:53:59 31640 ----a-r- c:\windows\system32\drivers\Afw.sys
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 03:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 08:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2001-08-22 12:15:48 245760 ----a-w- c:\windows\inf\i386\viceo.dll
2001-08-22 12:13:38 32768 ----a-w- c:\windows\inf\i386\Pmicro.dll
2001-08-22 12:13:30 61440 ----a-w- c:\windows\inf\i386\gl.dll
2001-08-03 17:29:18 13824 ----a-w- c:\windows\inf\i386\Usbscan.sys
2008-12-07 12:19:23 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008120720081208\index.dat

============= FINISH: 14:31:22.95 ===============
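As an added defender-side example (not part of the thread, of DDS, or of any tool the helper mentions), the following Python script applies the checks a log helper makes by eye to the Pseudo HJT lines above: IFEO redirections, an unknown Winsock LSP, a BHO registered by bare file name, rundll32 loading a module with a data-file extension, and autostarts from the user profile. The sample records are copied from the log; the allowlists of known LSP and Active Setup DLLs are heuristic assumptions, not an authoritative list.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample records copied from the DDS "Pseudo HJT Report" in the first post.
# The Adobe, BullGuard and P17Helper lines are legitimate and act as controls.
SAMPLE_LINES = [
    r"BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll",
    r"BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File",
    r"BHO: Internet Explorer Plugin: {9fad24ba-9822-41b0-9eb9-50c824a02033} - sabb.dll",
    r'uRun: [Getdo] rundll32.exe "c:\documents and settings\owner\application data\adobe\update\flacor.dat""',
    r'uRun: [BullGuard] "c:\program files\bullguard ltd\bullguard\bullguard.exe"',
    r"mRun: [P17Helper] Rundll32 P17.dll,P17Helper",
    r"LSP: lldkrx.dll",
    r"mASetup: {59EC7186-6FFB-47E8-99BE-D1D07B1B4551} - rundll32 sabb.dll,laspi",
    r"IFEO: RapportMgmtService.exe - ZASRAKOMONDOHUI31338.EXE",
]

# Heuristic allowlists (assumptions for this example): Winsock LSPs that ship with
# Windows XP, and DLLs that Active Setup components legitimately run through rundll32.
KNOWN_LSPS = {"mswsock.dll", "winrnr.dll", "rsvpsp.dll"}
KNOWN_SETUP_DLLS = {"advpack.dll", "iesetup.dll", "setupapi.dll"}
USER_PROFILE_MARKERS = ("documents and settings", "application data", "local settings", "\\temp\\")
RUN_KINDS = {"uRun", "mRun", "dRun", "mASetup"}


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    kind: str      # the DDS record type the finding came from
    line: str
    reason: str


def is_bare_name(path: str) -> bool:
    """True when only a file name is given, so the loader searches the system path for it."""
    return "\\" not in path and "/" not in path and ":" not in path


def rundll32_module(command: str) -> str | None:
    """Module rundll32 is asked to load (lower-cased), or None if rundll32 is not used."""
    m = re.search(r"rundll32(?:\.exe)?\s+(.+)", command, re.IGNORECASE)
    if not m:
        return None
    rest = m.group(1).strip().strip('"')          # drops the stray trailing quotes too
    return rest.split(",", 1)[0].strip().strip('"').lower()


def run_target(body: str) -> str | None:
    """Program path from a Run-key body such as '[Name] "c:\\dir\\prog.exe" /arg'."""
    m = re.search(r'"([^"]+)"', body)
    if m:
        return m.group(1).lower()
    _, _, rest = body.partition("] ")
    return rest.split()[0].lower() if rest.strip() else None


def triage_line(line: str) -> list[Finding]:
    findings: list[Finding] = []
    kind, sep, body = line.partition(": ")
    if not sep:
        return findings
    kind, body = kind.strip(), body.strip()

    if kind == "IFEO":
        # An IFEO "Debugger" value makes Windows start the listed binary whenever the named
        # program is launched; in this log it is aimed at the Rapport security software.
        proc, _, debugger = body.partition(" - ")
        findings.append(Finding("high", kind, line, f"launch of {proc} redirected to {debugger}"))
    elif kind == "LSP":
        if body.lower() not in KNOWN_LSPS:
            findings.append(Finding("high", kind, line, f"unknown Winsock LSP {body} sits in the path of all socket traffic"))
    elif kind in ("BHO", "TB"):
        target = body.rsplit(" - ", 1)[-1].strip()
        if target == "No File":
            findings.append(Finding("low", kind, line, "orphaned registration, module is gone (clean-up item)"))
        elif is_bare_name(target):
            findings.append(Finding("high", kind, line, f"{target} registered by bare file name, not from an installed program's directory"))
    elif kind in RUN_KINDS:
        module = rundll32_module(body)
        target = module if module is not None else run_target(body)
        if target is None:
            return findings
        if module is not None and not module.endswith(".dll"):
            findings.append(Finding("high", kind, line, f"rundll32 loads {module}, a DLL hidden under a non-.dll extension"))
        if module is not None and kind == "mASetup" and is_bare_name(module) and module not in KNOWN_SETUP_DLLS:
            findings.append(Finding("high", kind, line, f"Active Setup component runs unknown module {module} at logon"))
        if any(marker in target for marker in USER_PROFILE_MARKERS):
            findings.append(Finding("medium", kind, line, "autostart target lives in a user-profile directory"))
    return findings


def triage(lines: list[str]) -> list[Finding]:
    return [f for line in lines for f in triage_line(line)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LINES)
    order = ("high", "medium", "low")
    for f in sorted(results, key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.kind:8} {f.reason}")
    print(summarize(results))
```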

#2 thcbytes
  • Malware Response Team
  • 14,790 posts

Posted 18 April 2010 - 09:43 PM

Hi and welcome to the Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days, if your topic has not been replied to, I will assume it has been abandoned and I will close it.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

One or more of the identified infections is a Backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If after careful consideration you have decided to move forward with cleanup then please proceed as I have outlined below.

==========

P2P Warning

Your log indicates that you have Limewire installed.

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.

- They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.

- Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

- The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.
I would recommend that you uninstall Limewire, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel>> Add / Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


==========

Download and Run ComboFix (by sUBs)

You must rename it before saving it.





Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

With your next post please provide:

* Combofix.txt

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 thcbytes
  • Malware Response Team
  • 14,790 posts

Posted 21 April 2010 - 07:02 PM

Do you still desire help?

#4 sazmeister
  • Topic Starter
  • Members
  • 21 posts

Posted 22 April 2010 - 01:06 PM

Hello!

Thank you so much for the quick reply, I didn't expect it to be so fast =) I do still need help, I'll have access to my PC tomorrow and will post again with a Combofix log as soon as I have one.

Thanks a lot! ^_^
sarah ~x~

#5 thcbytes
  • Malware Response Team
  • 14,790 posts

Posted 22 April 2010 - 01:32 PM

Hi Sarah,

In addition to the warnings and instructions I listed in my 1st post I would like you to do it this way please..............


Please do this......

RKill by Grinler
Link #1
Link #2
Link #3
Link #4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.
  • It shall produce a log located at C:\RKill. Please copy and paste it into your next reply.

==========

Download and Run ComboFix (by sUBs)

You must rename it before saving it.





Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

With your next post please provide:

* RKill log
* Combofix.txt

Kind regards,
~t

#6 sazmeister
  • Topic Starter
  • Members
  • 21 posts

Posted 23 April 2010 - 02:29 PM

Hi again,

Thanks for your patience =) None of the RKill links worked but I followed your instructions vis-a-vis Combofix and have attached the log.

Thank you!
sarah ~x~


#7 thcbytes
  • Malware Response Team
  • 14,790 posts

Posted 23 April 2010 - 03:51 PM

ComboFix 10-04-21.01 - Owner 23/04/2010 19:56:35.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.510.139 [GMT 1:00]
Running from: c:\documents and settings\Owner\Desktop\thcbytes.exe
AV: BullGuard Antivirus *On-access scanning enabled* (Updated) {7A9BB333-8EDF-4FDC-A2A5-1A30FA021913}
FW: BullGuard Firewall *disabled* {2AEF4CB6-61B5-4E60-AF22-D95E75B63FA1}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dxe.txt
c:\windows\system32\fsc.txt
c:\windows\system32\ide.txt
c:\windows\system32\lldkrx.dll
c:\windows\system32\lpe.txt
c:\windows\system32\qks.txt

Infected copy of c:\windows\system32\drivers\omci.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-03-23 to 2010-04-23 )))))))))))))))))))))))))))))))
.

2010-04-18 17:17 . 2008-04-14 00:12 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2010-04-18 17:17 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2010-04-16 19:16 . 2010-04-16 19:16 38400 ----a-w- c:\windows\system32\sabb.dll
2010-04-08 17:46 . 2010-04-23 19:13 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\BullGuard
2010-04-08 17:46 . 2010-04-09 14:23 -------- d-----w- c:\documents and settings\Owner\Application Data\BullGuard
2010-04-08 17:46 . 2009-01-23 13:48 55504 ----a-w- c:\windows\system32\drivers\BdFileSpy.sys
2010-04-08 17:45 . 2010-04-08 17:45 -------- d-----w- c:\program files\BullGuard Ltd
2010-04-08 00:21 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-04-07 23:33 . 2010-04-07 23:33 -------- d-----w- c:\documents and settings\Owner\Application Data\Helper
2010-04-06 15:11 . 2010-04-06 15:11 -------- d-----w- c:\windows\system32\windows media
2010-04-06 15:11 . 2010-04-06 15:11 -------- d--h--w- c:\windows\msdownld.tmp
2010-04-06 15:11 . 2010-04-06 15:11 -------- d-----w- c:\program files\Windows Media Components
2010-04-03 16:58 . 2009-08-16 15:08 178176 ----a-w- c:\windows\system32\unrar.dll
2010-04-03 16:58 . 2010-04-03 16:58 -------- d-----w- c:\program files\K-Lite Codec Pack

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-23 18:53 . 2007-05-05 14:45 13632 ----a-w- c:\windows\system32\drivers\omci.sys
2010-04-08 17:55 . 2008-09-19 13:48 14160 ----a-w- c:\windows\system32\client_cc.dll
2010-04-08 17:55 . 2009-04-28 10:51 87376 ----a-w- c:\windows\system32\BGLsp.dll
2010-04-08 17:54 . 2009-03-23 12:07 256792 ----a-r- c:\windows\system32\drivers\AfwCore.sys
2010-04-08 17:53 . 2009-03-23 12:07 31640 ----a-r- c:\windows\system32\drivers\Afw.sys
2010-04-04 22:24 . 2006-11-22 15:16 -------- d-----w- c:\program files\Common Files\Java
2010-04-04 21:58 . 2010-04-04 21:58 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3860b532-n\msvcp71.dll
2010-04-04 21:58 . 2010-04-04 21:58 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3860b532-n\jmc.dll
2010-04-04 21:58 . 2010-04-04 21:58 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3860b532-n\msvcr71.dll
2010-04-04 21:58 . 2010-04-04 21:58 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-21ec1ccb-n\decora-sse.dll
2010-04-04 21:58 . 2010-04-04 21:58 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-21ec1ccb-n\decora-d3d.dll
2010-04-04 21:58 . 2006-11-22 15:19 -------- d-----w- c:\program files\Java
2010-04-04 00:55 . 2009-01-30 22:41 -------- d-----w- c:\documents and settings\Owner\Application Data\ImTOO Software Studio
2010-04-04 00:53 . 2007-06-06 12:59 -------- d-----w- c:\program files\ImTOO
2010-04-03 17:00 . 2009-05-31 18:59 -------- d-----w- c:\documents and settings\Owner\Application Data\Leawo
2010-04-03 16:58 . 2009-05-31 18:59 -------- d-----w- c:\program files\Leawo
2010-03-27 17:26 . 2006-10-17 17:06 -------- d-----w- c:\program files\Creatures 3
2010-03-24 18:17 . 2010-03-24 08:04 952768 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Adobe\Reader\8.1\ARM\ARM Update\AdobeARM.exe
2010-03-24 18:17 . 2010-03-24 08:04 70584 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Adobe\Reader\8.1\ARM\ARM Update\AdobeExtractFiles.dll
2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Adobe\Reader\8.1\ARM\ARM Update\ReaderUpdater.exe
2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Adobe\Reader\8.1\ARM\ARM Update\AcrobatUpdater.exe
2010-03-11 12:38 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2009-07-03 11:37 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-04 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 03:28 . 2008-12-07 11:38 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 08:10 . 2004-08-04 12:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-14 14:39 . 2010-02-14 14:39 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-02-14 14:39 . 2010-02-14 14:39 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-12 04:33 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9FAD24BA-9822-41B0-9EB9-50C824A02033}]
2010-04-16 19:16 38400 ----a-w- c:\windows\system32\sabb.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Getdo"="c:\documents and settings\Owner\Application Data\Adobe\Update\flacor.dat" [2010-04-17 99840]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2010-04-08 304464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-04-27 257088]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"P17Helper"="P17.dll" [2005-05-03 64512]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2009-01-29 57344]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2010-04-08 304464]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BgMainSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Sibelius Software\\Sibelius 6 Demo\\RegTool.exe"=
"c:\\Program Files\\Sibelius Software\\Sibelius 6 Demo\\Sibelius.exe"=

R2 BdFileSpy;BullGuard File Monitor Driver;c:\windows\system32\drivers\BdFileSpy.sys [08/04/2010 18:46 55504]
R2 BsFileScan;BullGuard File Scan Service;c:\windows\System32\svchost.exe -k BullGuard [04/08/2004 13:00 14336]
R2 BsFire;BullGuard Firewall Service;c:\windows\System32\svchost.exe -k BullGuard [04/08/2004 13:00 14336]
R2 BsMailProxy;BullGuard Email Monitoring Service;c:\windows\System32\svchost.exe -k BullGuard [04/08/2004 13:00 14336]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\Afw.sys [23/03/2009 13:07 31640]
R3 afwcore;afwcore;c:\windows\system32\drivers\AfwCore.sys [23/03/2009 13:07 256792]
S3 BGRaSvc;BGRaSvc;c:\program files\BullGuard Ltd\BullGuard\support\bgrasvc.exe [01/06/2009 12:50 83280]
S3 Persdi;Persdi; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard REG_MULTI_SZ BgMainSvc BsFileScan BsMailProxy BsFire

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{59EC7186-6FFB-47E8-99BE-D1D07B1B4551}]
2010-04-16 19:16 38400 ----a-w- c:\windows\system32\sabb.dll
.
Contents of the 'Scheduled Tasks' folder

2007-05-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 14:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-23 20:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82072AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf86fbf28
\Driver\ACPI -> ACPI.sys @ 0xf866ecb8
\Driver\atapi -> atapi.sys @ 0xf8626852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf851abb0
PacketIndicateHandler -> NDIS.sys @ 0xf8527a21
SendHandler -> NDIS.sys @ 0xf850587b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1417001333-1482476501-2146865803-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C7D16AF7-943B-2ABB-4E9D-5E03DAB34447}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"eaempopnbp"=hex:66,61,6f,6c,65,62,6b,6a,67,6e,70,65,00,31
"dajlepid"=hex:64,62,69,6a,6d,63,65,6d,6e,65,61,66,69,6a,69,6b,6f,65,64,6a,66,
68,68,70,64,68,6c,68,70,6d,66,69,6c,61,63,64,67,6a,67,6a,00,00
"iamipnbbinfimnldae"=hex:6b,61,64,66,66,64,63,63,6a,6a,66,6d,6d,6e,65,6a,70,6e,
68,6c,65,64,00,00
"hagkmflfjiijdgne"=hex:6b,61,61,66,69,64,6c,68,70,63,62,6b,6a,6d,69,6f,67,67,
6b,6e,6b,6d,00,7f
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(928)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1000)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2776)
c:\windows\system32\WININET.dll
c:\program files\BullGuard Ltd\BullGuard\antispam\PluginHook.dll
c:\program files\BullGuard Ltd\BullGuard\res\en\PluginHookRes.dll
c:\docume~1\Owner\LOCALS~1\Temp\23631764.nls
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\BullGuard Ltd\BullGuard\BackupShellHook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\Rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-04-23 20:24:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-23 19:24
ComboFix2.txt 2010-04-18 17:42

Pre-Run: 72,172,298,240 bytes free
Post-Run: 72,156,405,760 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 56B8B7CC66A8329555C5DF161D362EB1

Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#8 thcbytes (Malware Response Team)

Posted 23 April 2010 - 04:09 PM

Hi Sarah,

Per my introduction....

QUOTE
Please copy and paste all logs into your post unless directed otherwise. If you encounter problems please stop and tell me about it.


So from now on please copy and paste all logs into the reply unless directed otherwise and do not proceed to the next step if you run into troubles with the prior.

Let's proceed............

==========

Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!!

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste all of the text in the quotebox below (including the hyperlink if present) into it:

4. Combofix might upload a few suspicious files. Please allow this!!

QUOTE
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

Suspect::[89]
c:\windows\system32\sabb.dll
c:\windows\system32\browserchoice.exe

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=1
"DisableNotifications"=1

Driver::
Persdi

Regnull::
[HKEY_USERS\S-1-5-21-1417001333-1482476501-2146865803-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C7D16AF7-943B-2ABB-4E9D-5E03DAB34447}*]


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

Please re-open Gmer and uncheck "Devices". Now try to run it again and let me know if you have problems.

==========

With your next post please provide:

* Combofix.txt
* Gmer log
* How is your computer running now?

Kind regards,
~t

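The CFScript above acts on three things the helper spotted in the log: the Security Center and firewall overrides, a locked shell-extension key whose values are hex blobs, and the files passed to Suspect::. As an added example (not ComboFix's and not the thread's own code), the script below parses the REGEDIT4-style sections ComboFix prints, raises those same points, and decodes the hex values so a reader can see what they spell; the sample lines are constructed from this thread's log, and the flagging heuristics are my own assumptions, not ComboFix's rules.

```python
"""Triage helper for ComboFix-style log sections (added example; not ComboFix's
or the thread's own code). Sample lines are constructed from the log above."""

# Constructed sample, copied in shape from the "Reg Loading Points" and
# "LOCKED REGISTRY KEYS" sections of the log in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Getdo"="c:\documents and settings\Owner\Application Data\Adobe\Update\flacor.dat" [2010-04-17 99840]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2010-04-08 304464]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKEY_USERS\S-1-5-21-1417001333-1482476501-2146865803-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C7D16AF7-943B-2ABB-4E9D-5E03DAB34447}*]
@Allowed: (Read) (RestrictedCode)
"eaempopnbp"=hex:66,61,6f,6c,65,62,6b,6a,67,6e,70,65,00,31
"dajlepid"=hex:64,62,69,6a,6d,63,65,6d,6e,65,61,66,69,6a,69,6b,6f,65,64,6a,66,
68,68,70,64,68,6c,68,70,6d,66,69,6c,61,63,64,67,6a,67,6a,00,00
"""


def parse_sections(text):
    """Return {key_path: [(value_name, raw_value), ...]}.
    REGEDIT4 splits long hex: values over several lines, each but the last
    ending in a comma; those pieces are joined back into one value."""
    sections, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                      # continuation of a hex: value
            pending[1] += line
            if not line.endswith(","):
                sections[current].append(tuple(pending))
                pending = None
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None and line.startswith('"'):
            name, _, value = line[1:].partition('"=')
            if value.startswith("hex:") and value.endswith(","):
                pending = [name, value]              # more bytes on the next line
            else:
                sections[current].append((name, value))
    return sections


def decode_hex_value(raw):
    """Render a REGEDIT4 'hex:66,61,...' value as text; NUL and other
    non-printable bytes are shown as '.'."""
    data = bytes(int(b, 16) for b in raw[len("hex:"):].split(",") if b)
    return "".join(chr(c) if 32 <= c < 127 else "." for c in data)


def dword_value(raw):
    """'dword:00000001' -> 1; ' 0 (0x0)' -> 0 (ComboFix prints both forms)."""
    raw = raw.strip()
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    return int(raw.split()[0])


def triage(sections):
    """Heuristics (mine, not ComboFix's) for the points acted on in the thread."""
    findings = []
    for key, values in sections.items():
        k = key.lower()
        tail = key.rsplit("\\", 1)[-1]               # last path component, for messages
        for name, value in values:
            n = name.lower()
            if k.endswith("security center") and n.endswith("override") and dword_value(value) == 1:
                findings.append(f"{name}=1: Security Center warnings for that component are silenced")
            elif k.endswith("firewallpolicy\\standardprofile") and n == "enablefirewall" and dword_value(value) == 0:
                findings.append("EnableFirewall=0: Windows Firewall is off in the standard profile")
            elif k.endswith("\\run") and value.startswith('"'):
                path = value.split('"')[1]
                # A Run entry pointing at a non-.exe inside a user profile is worth a second look.
                if "application data" in path.lower() and not path.lower().endswith(".exe"):
                    findings.append(f"Run entry {name!r} starts a non-.exe file from a user profile: {path}")
            elif value.startswith("hex:"):
                findings.append(f"{name!r} under {tail} decodes to {decode_hex_value(value)!r}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_sections(SAMPLE_LOG)):
        print(finding)
```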

#9 sazmeister (Topic Starter)

Posted 23 April 2010 - 08:42 PM

Hi,

Sorry, I shall copy and paste all from now on! =)

My computer is pretty much the same, i.e. unpredictable. I already (to the best of my abilities) removed ave.exe from the C: drive and the registry yet it is back! I wasn't at my computer and when I came back the 'XP Security' ads were there again, even though I didn't have any other browser windows open. Also something new showed up in my running processes when I went to quit ave.exe, something called alg.exe which I've never seen before.

Thank you for all your help, things just keep coming back when I try and remove them myself! Gmer once again took two hours to scan then immediately froze my computer, and when I rebooted it froze again for a good 10 minutes once it loaded my desktop. Still, I'm pasting the new Combofix log below and hope it's sufficient seeing as none of these other scans are working! =)

------------------------------------------------------------------------------------------------------

ComboFix 10-04-21.01 - Owner 24/04/2010 0:02.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.510.161 [GMT 1:00]
Running from: c:\documents and settings\Owner\Desktop\thcbytes.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: BullGuard Antivirus *On-access scanning enabled* (Updated) {7A9BB333-8EDF-4FDC-A2A5-1A30FA021913}
FW: BullGuard Firewall *disabled* {2AEF4CB6-61B5-4E60-AF22-D95E75B63FA1}

file zipped: c:\windows\system32\browserchoice.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\ave.exe

Infected copy of c:\windows\system32\drivers\omci.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Persdi


((((((((((((((((((((((((( Files Created from 2010-03-23 to 2010-04-23 )))))))))))))))))))))))))))))))
.

2010-04-18 17:17 . 2008-04-14 00:12 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2010-04-18 17:17 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2010-04-08 17:46 . 2010-04-23 23:17 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\BullGuard
2010-04-08 17:46 . 2010-04-09 14:23 -------- d-----w- c:\documents and settings\Owner\Application Data\BullGuard
2010-04-08 17:46 . 2009-01-23 13:48 55504 ----a-w- c:\windows\system32\drivers\BdFileSpy.sys
2010-04-08 17:45 . 2010-04-08 17:45 -------- d-----w- c:\program files\BullGuard Ltd
2010-04-08 00:21 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-04-07 23:33 . 2010-04-07 23:33 -------- d-----w- c:\documents and settings\Owner\Application Data\Helper
2010-04-06 15:11 . 2010-04-06 15:11 -------- d-----w- c:\windows\system32\windows media
2010-04-06 15:11 . 2010-04-06 15:11 -------- d--h--w- c:\windows\msdownld.tmp
2010-04-06 15:11 . 2010-04-06 15:11 -------- d-----w- c:\program files\Windows Media Components
2010-04-03 16:58 . 2009-08-16 15:08 178176 ----a-w- c:\windows\system32\unrar.dll
2010-04-03 16:58 . 2010-04-03 16:58 -------- d-----w- c:\program files\K-Lite Codec Pack

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-23 22:53 . 2007-05-05 14:45 13632 ----a-w- c:\windows\system32\drivers\omci.sys
2010-04-08 17:55 . 2008-09-19 13:48 14160 ----a-w- c:\windows\system32\client_cc.dll
2010-04-08 17:55 . 2009-04-28 10:51 87376 ----a-w- c:\windows\system32\BGLsp.dll
2010-04-08 17:54 . 2009-03-23 12:07 256792 ----a-r- c:\windows\system32\drivers\AfwCore.sys
2010-04-08 17:53 . 2009-03-23 12:07 31640 ----a-r- c:\windows\system32\drivers\Afw.sys
2010-04-04 22:24 . 2006-11-22 15:16 -------- d-----w- c:\program files\Common Files\Java
2010-04-04 21:58 . 2006-11-22 15:19 -------- d-----w- c:\program files\Java
2010-04-04 00:55 . 2009-01-30 22:41 -------- d-----w- c:\documents and settings\Owner\Application Data\ImTOO Software Studio
2010-04-04 00:53 . 2007-06-06 12:59 -------- d-----w- c:\program files\ImTOO
2010-04-03 17:00 . 2009-05-31 18:59 -------- d-----w- c:\documents and settings\Owner\Application Data\Leawo
2010-04-03 16:58 . 2009-05-31 18:59 -------- d-----w- c:\program files\Leawo
2010-03-27 17:26 . 2006-10-17 17:06 -------- d-----w- c:\program files\Creatures 3
2010-03-11 12:38 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2009-07-03 11:37 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-04 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 03:28 . 2008-12-07 11:38 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 08:10 . 2004-08-04 12:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Getdo"="c:\documents and settings\Owner\Application Data\Adobe\Update\flacor.dat" [2010-04-17 99840]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2010-04-08 304464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-04-27 257088]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"P17Helper"="P17.dll" [2005-05-03 64512]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2009-01-29 57344]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2010-04-08 304464]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BgMainSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Sibelius Software\\Sibelius 6 Demo\\RegTool.exe"=
"c:\\Program Files\\Sibelius Software\\Sibelius 6 Demo\\Sibelius.exe"=

R2 BdFileSpy;BullGuard File Monitor Driver;c:\windows\system32\drivers\BdFileSpy.sys [08/04/2010 18:46 55504]
R2 BsFileScan;BullGuard File Scan Service;c:\windows\System32\svchost.exe -k BullGuard [04/08/2004 13:00 14336]
R2 BsFire;BullGuard Firewall Service;c:\windows\System32\svchost.exe -k BullGuard [04/08/2004 13:00 14336]
R2 BsMailProxy;BullGuard Email Monitoring Service;c:\windows\System32\svchost.exe -k BullGuard [04/08/2004 13:00 14336]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\Afw.sys [23/03/2009 13:07 31640]
R3 afwcore;afwcore;c:\windows\system32\drivers\AfwCore.sys [23/03/2009 13:07 256792]
S3 BGRaSvc;BGRaSvc;c:\program files\BullGuard Ltd\BullGuard\support\bgrasvc.exe [01/06/2009 12:50 83280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard REG_MULTI_SZ BgMainSvc BsFileScan BsMailProxy BsFire
.
Contents of the 'Scheduled Tasks' folder

2007-05-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 14:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.
- - - - ORPHANS REMOVED - - - -

ActiveSetup-{59EC7186-6FFB-47E8-99BE-D1D07B1B4551} - sabb.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-24 00:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x820D6AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8704f28
\Driver\ACPI -> ACPI.sys @ 0xf8677cb8
\Driver\atapi -> atapi.sys @ 0xf862f852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf8523bb0
PacketIndicateHandler -> NDIS.sys @ 0xf8530a21
SendHandler -> NDIS.sys @ 0xf850e87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(988)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3788)
c:\windows\system32\WININET.dll
c:\program files\BullGuard Ltd\BullGuard\antispam\PluginHook.dll
c:\program files\BullGuard Ltd\BullGuard\res\en\PluginHookRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\BullGuard Ltd\BullGuard\BackupShellHook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\Rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-04-24 00:29:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-23 23:29
ComboFix2.txt 2010-04-23 19:24
ComboFix3.txt 2010-04-18 17:42

Pre-Run: 72,241,422,336 bytes free
Post-Run: 72,182,722,560 bytes free

- - End Of File - - 61BA5B4A3F1A17C03530DC5642176830


#10 thcbytes (Malware Response Team)

Posted 24 April 2010 - 08:23 AM

Hi,

Hang in there. We will get it. Remember not to do anything other than what I have instructed please.

I see the problem. You have a system file that is patched with malware. Combofix was unable to replace it. Do you have an install CD by chance? We might need to snag a file off of it. The next scan will search some archives on your computer for a sufficient replacement.

==========

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

==========

We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
  6. Copy and Paste the following code into the textbox. Do not include the word "Code"


    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    omci.sys
    userinit.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT

  7. Push
  8. A report will open. Copy and Paste that report in your next reply.
  9. Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

==========

Try Gmer again. This time uncheck Devices and Registry.

==========

With your next post please provide:

* Exehelper log
* OTL.txt
* Extra.txt
* Gmer log

Kind regards,
~t


#11 sazmeister (Topic Starter)

Posted 24 April 2010 - 01:47 PM

Hi,

Posting doesn't seem to work on this computer if there's lots of text...I'm just going to see if this works and if it does I shall post the logs separately!

exeHelper by Raktor
Build 20100414
Run at 15:44:07 on 04/24/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

#12 sazmeister (Topic Starter)

Posted 24 April 2010 - 01:50 PM

Whoo it worked! Well, one did...

I know, I am not going to delete/change anything whilst you are helping me =) I do have an XP install CD so yes, I can use that if required.

Afraid Gmer failed again but I was watching to see where it got to and ran it a second time and stopped the scan before it crashed (hopefully didn't miss anything out) so I have attached the log I managed to get from that if it helps.

All the other logs ran smoothly, I shall have to attach them though because my browser crashes when I paste a lot of text in, sorry! Many many thanks as ever!!
Sarah ~x~

Attached Files



#13 thcbytes (Malware Response Team)

Posted 24 April 2010 - 11:34 PM

Well done.

You have an infected system file that needs to be replaced. There is only one copy on your computer and it's infected. Please cross your fingers that you have a copy on the install disc!

You wouldn't by chance have another similar Dell Computer would you????????

Place your install disc in your CD-ROM. Press Start - My Computer - and confirm that the CD is in the D:\ drive. After that proceed as outlined.......

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:

CODE
@echo off
dir "D:\i386\omci.sy*" > log.txt&log.txt


Name the file as look.bat, making sure save as type is set to " All Files ". It should look like
Double click on look.bat & allow it to run. Copy and paste the content in your next reply.

#14 sazmeister (Topic Starter)

Posted 25 April 2010 - 08:26 AM

Oh man, we had another Dell exactly the same but my Dad JUST smashed it up and took it to the dump!! =( we've got a Dell with Windows 7 on it though, any chance that would work?

I did what you said, it said 'File not found' and also this:

Volume in drive D is XP_PRO_SP2_ENG
Volume Serial Number is 5A28-F894

Directory of D:\i386

Also I have to leave town and go finish my course today and won't be back til around the 6th May, so whilst that will give you a well-earned break from my mountain of problems, please don't close this topic while I'm gone! =)

Come to think of it I have a mountain of XP CDs from different versions, I might have used the wrong one...will keep trying and post again if I get a different result!
Sarah ~x~

#15 thcbytes (Malware Response Team)

Posted 25 April 2010 - 09:26 AM

Hi Sarah,

This is the file we need.
QUOTE
c:\windows\system32\drivers\omci.sys


On the Windows 7 machine simply press the Start flag in the lower left then type omci.sys in the search box and press enter. If you have other install discs you can place it in the CD drive, open it & look in the i386 folder for omci.sys.

Let me know if you find a clean copy of the file.

If you cannot then I can ask my colleagues in our private forums to upload me a copy if it is available.

I will leave your thread open. We can continue when you're ready.

Kind regards,
~ t