
Possible Rootkit


  • This topic is locked
5 replies to this topic

#1 Fylo


Posted 16 May 2010 - 12:19 AM

I have no clue what virus I have, but I will say I run Windows XP Pro. I can't get MBam to update (and the website won't load for me), and I have no access to any other computers with internet. I followed the guide located here: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/ steps 6-9 as instructed by Moderator boopme. Below are the results:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 21:25:41.64 on Sat 05/15/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.232 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [Microsoft®Windows®OperatingSystem] c:\windows\system32\windows\taskmgr.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Microsoft®Windows®Defender] c:\windows\system32\windows\taskmgr.exe
mRun: [KTPWare] c:\program files\elantech\ktp.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
dRunOnce: [RunNarrator] Narrator.exe
uExplorerRun: [WinOSPolicies] c:\windows\system32\windows\taskmgr.exe
mExplorerRun: [WinOSPolicies] c:\windows\system32\windows\taskmgr.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\scroll~1.lnk - c:\program files\scrollwall\ScrollWall.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {2C9A45CA-14D5-47F3-9E9F-CCB553CE73AA} - hxxp://pmdownloads.lexisnexis.com/installs/tmbm9/pro/install.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124312045095
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E19F9331-3110-11d4-991C-005004D3B3DB} - hxxp://java.sun.com/products/plugin/1.3.0_02/jinstall-130_02-win.cab
TCP: NameServer = 93.188.165.161,93.188.161.194
TCP: {25474FC6-12F2-43BD-813F-736AADC132D5} = 93.188.165.161,93.188.161.194
TCP: {8714CC59-420E-4419-A5D7-F94396469BC0} = 93.188.165.161,93.188.161.194
TCP: {969C510E-3460-49B6-926C-D10DD7ACD38E} = 192.168.0.10,65.32.1.70,65.32.1.65
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap
mASetup: {IUQH0P6Q-J2YJ-DV3T-G45X-GO3T3C84U87N} - c:\windows\system32\windows\taskmgr.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\mvjza6hj.default\
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 68168]

=============== Created Last 30 ================

2010-05-15 22:41:56 0 d-----w- c:\program files\Bulk Rename Utility
2010-05-15 15:17:03 63 ----a-w- c:\windows\WINHELP.BMK
2010-05-15 14:31:59 47458 ----a-w- c:\windows\DEL_AH.EXE
2010-05-15 14:31:59 40 ----a-w- c:\windows\X10.MAC
2010-05-15 14:31:59 127184 ----a-w- c:\windows\DEL_AH1.EXE
2010-05-15 14:30:16 0 d-----w- c:\program files\Home Control
2010-05-15 12:03:14 98304 ----a-w- c:\windows\swdata.v
2010-05-15 12:03:14 921654 ----a-w- c:\windows\scrollwall.bmp
2010-05-15 12:03:14 61440 ----a-w- c:\windows\system32\msado20.tlb
2010-05-15 12:03:14 45056 ----a-w- c:\windows\system32\project1.ocx
2010-05-15 12:03:14 17938 ----a-w- c:\windows\swdel.bmp
2010-05-15 12:03:14 118064 ----a-w- c:\windows\system32\msadodc.ocx
2010-05-15 12:03:14 0 d-----w- c:\program files\ScrollWall
2010-05-14 05:51:19 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-14 05:51:05 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-14 05:51:04 0 d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-05-14 05:50:42 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-05-13 09:09:36 632832 -c--a-w- c:\windows\system32\dllcache\Notepad.exe
2010-05-13 09:09:35 69120 ----a-w- c:\windows\system32\notepad.exe.orig
2010-05-13 09:09:35 69120 ----a-w- c:\windows\notepad.exe.orig
2010-05-13 09:07:01 69120 ----a-w- c:\windows\notepad [Backup].exe
2010-05-13 09:06:35 69120 ----a-w- c:\windows\system32\notepad [Backup].exe
2010-05-13 09:04:11 0 d-----w- C:\Notepad
2010-05-13 01:18:10 0 d-----w- C:\spoolerlogs
2010-05-13 00:55:16 0 d-----w- c:\windows\system32\MpEngineStore
2010-05-13 00:54:19 0 d-----w- C:\04c676f66744429c9e91127a72
2010-05-13 00:51:35 183808 ----a-w- c:\windows\Rsuwua.exe
2010-05-11 00:32:56 0 d-----w- c:\docume~1\admini~1\applic~1\Walgreens
2010-05-10 18:32:35 0 d-----w- c:\windows\system32\wbem\Repository
2010-05-10 18:03:01 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-05-10 18:01:51 0 d-----w- c:\program files\System Explorer
2010-05-09 11:10:52 11255751 ----a-w- c:\documents and settings\administrator\cardedit.udd
2010-05-09 10:57:26 9339175 ----a-w- c:\documents and settings\administrator\Onyx3.udd
2010-05-07 05:57:50 630 ---h--w- c:\windows\qmgmnt.for
2010-05-07 05:54:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Dragon's Eye Productions
2010-05-07 05:54:31 0 d-----w- c:\program files\Furcadia
2010-05-06 12:00:09 1064 ----a-w- c:\windows\Amy's Fantasies.dat
2010-05-04 14:39:26 0 d-----w- c:\program files\uTorrent
2010-05-04 14:39:09 0 d-----w- c:\docume~1\admini~1\applic~1\uTorrent
2010-05-04 14:28:44 0 d-----w- c:\program files\Combined Community Codec Pack
2010-05-04 14:20:17 6944 ----a-w- c:\windows\system\S20F0220.csr
2010-05-04 14:20:17 49152 ----a-w- c:\windows\BisonRem.exe
2010-05-04 14:20:17 2488 ----a-w- c:\windows\system\S20H0220.csr
2010-05-04 14:20:17 180224 ----a-w- c:\windows\system\StillDrv.dll
2010-05-04 14:20:17 13448 ----a-w- c:\windows\M2000Twn.src
2010-05-04 14:20:17 122880 ----a-w- c:\windows\system\BisonCam.dll
2010-05-04 14:20:17 118784 ----a-w- c:\windows\system\BisonVfw.dll
2010-05-04 14:20:16 646656 ----a-w- c:\windows\system32\drivers\BisonCam.sys
2010-05-04 14:20:16 15190 ----a-w- c:\windows\M2000Twn.ini

==================== Find3M ====================

2010-05-16 04:25:50 1349356 ---ha-w- c:\docume~1\admini~1\applic~1\cglogs.dat
2010-05-13 09:04:22 632832 ----a-w- c:\windows\system32\notepad.exe
2010-05-13 09:04:22 632832 ----a-w- c:\windows\notepad.exe
2010-05-07 05:54:34 407424 ----a-w- c:\windows\fonts\fsex2p00_public.ttf
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-17 13:10:28 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2006-04-02 11:25:45 952 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-12-06 21:58:12 16384 --sha-w-a c:\windows\system32\config\systemprofile\cookies\index.dat
2008-06-11 04:49:06 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008061120080612\index.dat
2005-06-15 19:25:36 389120 --sh--r- c:\windows\system32\windows\taskmgr.exe

============= FINISH: 21:27:32.06 ===============






GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-15 22:18:54
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fwedapog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xACF9E950]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 450 804E2ABC 4 Bytes JMP 3ABDD7BA
? sgwisrp.sys The system cannot find the file specified. !
.rsrc C:\WINDOWS\system32\drivers\dmio.sys entry point in ".rsrc" section [0xF744DB14]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[596] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[596] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BC000A
.text C:\WINDOWS\Explorer.EXE[596] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[760] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01EF000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[760] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 01F0000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[760] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 01EE000C
.text C:\WINDOWS\System32\svchost.exe[1400] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0090000A
.text C:\WINDOWS\System32\svchost.exe[1400] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[1400] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1400] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 008F000C
.text C:\WINDOWS\System32\svchost.exe[1400] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 02A8000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3156] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 011C000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3156] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 011D000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3156] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 011B000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[3156] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)

Device \FileSystem\Fastfat \Fat A6D4ED20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 83ADAEE4

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{101124FA-FFBB-531A-857D-17BCB9C0E544}\InprocServer32@ C:\Program Files\Microsoft Office\OFFICE11\ENVELOPE.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{101124FA-FFBB-531A-857D-17BCB9C0E544}\InprocServer32@InprocServer32 ']gAVn-}f(ZXfeAR6.jiOUTLOOKNonBootFiles>-4E9*E}mf(y-A__qm]R2?

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\dmio.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
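The DDS and GMER output above can be triaged mechanically for the indicator patterns it shows: a system-binary file name under a non-standard directory, one executable registered under several autostart keys, a malformed mASetup CLSID, and GMER's "suspicious modification" verdicts. This is an added example written for this thread, not a tool from BleepingComputer, DDS or GMER; the sample lines are copied from the log above, and the SYSTEM_DIRS and SYSTEM_BINARIES lists are assumptions for a default Windows XP install.

```python
"""Triage of the DDS 'Pseudo HJT Report' and GMER lines posted above.

Added example for this thread; it is not a tool from BleepingComputer, DDS or
GMER.  SYSTEM_DIRS and SYSTEM_BINARIES are assumptions for a default Windows XP
install.  Three autostart patterns are flagged, plus GMER's own verdict lines:
  1. a Windows system-binary file name living outside the system directories
  2. one executable registered under three or more different autostart keys
  3. an mASetup CLSID that is not a well-formed GUID
"""
import re
from collections import defaultdict

# Assumed standard binary locations on Windows XP (exact match, lower-case).
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\system"}
# File names that belong to Windows itself; a copy anywhere else is worth a look.
SYSTEM_BINARIES = {"taskmgr.exe", "ctfmon.exe", "narrator.exe", "notepad.exe",
                   "explorer.exe", "svchost.exe", "spoolsv.exe"}

# DDS autostart lines: "uRun: [name] command" and "mASetup: {CLSID} - command"
RUN_RE = re.compile(r"^(?P<key>[a-z]*Run(?:Once)?):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$", re.I)
ASETUP_RE = re.compile(r"^(?P<key>mASetup):\s*\{(?P<clsid>[^}]*)\}\s*-\s*(?P<cmd>.+)$", re.I)
# Executable at the head of a command line, quoted or not; arguments are ignored.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?(?:\s|$)', re.I)
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# GMER file verdict: "File <path> suspicious modification"
GMER_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification$", re.I)

# Constructed sample: lines copied from the DDS and GMER logs posted above.
SAMPLE_LOG = r"""
uRun: [Microsoft®Windows®OperatingSystem] c:\windows\system32\windows\taskmgr.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Microsoft®Windows®Defender] c:\windows\system32\windows\taskmgr.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
dRunOnce: [RunNarrator] Narrator.exe
uExplorerRun: [WinOSPolicies] c:\windows\system32\windows\taskmgr.exe
mExplorerRun: [WinOSPolicies] c:\windows\system32\windows\taskmgr.exe
mASetup: {IUQH0P6Q-J2YJ-DV3T-G45X-GO3T3C84U87N} - c:\windows\system32\windows\taskmgr.exe
File C:\WINDOWS\system32\drivers\dmio.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""


def extract_exe(cmd):
    """Return the executable path at the head of an autostart command, or None."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else None


def split_path(exe):
    """Lower-cased (directory, file name); directory is None for a bare name
    that Windows resolves through the search path, which cannot be judged here."""
    exe = exe.lower()
    if "\\" not in exe:
        return None, exe
    directory, name = exe.rsplit("\\", 1)
    return directory, name


def triage(lines):
    """Return (indicator, where, value) tuples for the given DDS/GMER log lines."""
    findings = []
    keys_by_target = defaultdict(set)  # lower-cased exe path -> autostart keys
    for raw in lines:
        line = raw.strip()
        m = RUN_RE.match(line) or ASETUP_RE.match(line)
        if m:
            key = m.group("key")
            exe = extract_exe(m.group("cmd"))
            if exe is None:
                continue
            keys_by_target[exe.lower()].add(key)
            clsid = m.groupdict().get("clsid")  # only present for mASetup lines
            if clsid is not None and not GUID_RE.match(clsid):
                findings.append(("malformed-clsid", key, clsid))
            directory, name = split_path(exe)
            if name in SYSTEM_BINARIES and directory is not None and directory not in SYSTEM_DIRS:
                findings.append(("system-name-outside-system-dir", key, exe))
            continue
        g = GMER_RE.match(line)
        if g:
            findings.append(("gmer-suspicious-modification", "GMER", g.group("path")))
    # The same target under many different autostart keys is a persistence pattern.
    for exe, keys in keys_by_target.items():
        if len(keys) >= 3:
            findings.append(("multi-key-autostart", ",".join(sorted(keys)), exe))
    return findings


if __name__ == "__main__":
    for indicator, where, value in triage(SAMPLE_LOG.splitlines()):
        print(f"{indicator:32} {where:45} {value}")
```

Run against the sample, the script reports the five taskmgr.exe entries, the one malformed CLSID, the five-key persistence of the same target, and the two GMER driver verdicts; the legitimate ctfmon.exe and SUPERAntiSpyware entries produce nothing.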


#2 gringo_pr

  • Malware Response Team

Posted 17 May 2010 - 12:33 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:
    1. Please do not run any other tool until instructed to do so!
    2. Please reply to this thread, do not start another!
    3. Please tell me about any problems that have occurred during the fix.
    4. Please tell me of any other symptoms you may be having as these can help also.
    5. Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Run ComboFix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

Information and logs:
    In your next post I need the following
    1. Log From Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic




Proud Graduate Of Malware Removal University

#3 Fylo

  • Topic Starter


Posted 17 May 2010 - 02:02 AM

ComboFix 10-05-16.01 - Administrator 05/16/2010 23:48:22.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.546 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\cglogs.dat
c:\windows\notepad [Backup].exe
c:\windows\notepad.exe.orig
c:\windows\Rsuwua.exe
c:\windows\system32\windows
c:\windows\system32\windows\taskmgr.exe

Infected copy of c:\windows\system32\drivers\dmio.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-17 to 2010-05-17 )))))))))))))))))))))))))))))))
.

2010-05-16 05:19 . 2010-05-16 05:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\sexydreams
2010-05-15 22:41 . 2010-05-15 22:41 -------- d-----w- c:\program files\Bulk Rename Utility
2010-05-15 14:31 . 2001-01-12 18:50 47458 ----a-w- c:\windows\DEL_AH.EXE
2010-05-15 14:31 . 1999-06-25 15:56 127184 ----a-w- c:\windows\DEL_AH1.EXE
2010-05-15 14:30 . 2010-05-15 15:15 -------- d-----w- c:\program files\Home Control
2010-05-15 12:03 . 2010-05-15 12:03 -------- d-----w- c:\program files\ScrollWall
2010-05-14 05:51 . 2010-05-14 05:51 63488 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-14 05:51 . 2010-05-14 05:51 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-14 05:51 . 2010-05-14 05:51 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-14 05:51 . 2010-05-14 05:51 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-14 05:51 . 2010-05-14 06:08 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-14 05:51 . 2010-05-14 05:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-05-14 05:50 . 2010-05-14 05:50 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-13 09:09 . 2010-05-13 09:04 632832 -c--a-w- c:\windows\system32\dllcache\Notepad.exe
2010-05-13 09:06 . 2008-04-14 00:12 69120 ----a-w- c:\windows\system32\notepad [Backup].exe
2010-05-13 09:04 . 2010-05-13 09:22 -------- d-----w- C:\Notepad
2010-05-13 01:18 . 2010-05-13 01:18 -------- d-----w- C:\spoolerlogs
2010-05-13 00:55 . 2010-05-13 09:36 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-13 00:54 . 2010-05-13 01:37 -------- d-----w- C:\04c676f66744429c9e91127a72
2010-05-13 00:33 . 2010-05-13 00:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
2010-05-13 00:24 . 2010-05-13 00:25 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\MWPNACL
2010-05-11 00:32 . 2010-05-11 00:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Walgreens
2010-05-10 18:32 . 2010-05-10 18:32 -------- d-----w- c:\windows\system32\wbem\Repository
2010-05-10 18:03 . 2010-05-10 18:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-05-10 18:01 . 2010-05-10 18:31 -------- d-----w- c:\program files\System Explorer
2010-05-07 05:54 . 2010-05-07 05:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Dragon's Eye Productions
2010-05-07 05:54 . 2010-05-07 05:54 -------- d-----w- c:\program files\Furcadia
2010-05-07 05:54 . 2010-05-07 05:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Dragon's Eye Productions
2010-05-06 12:00 . 2010-05-06 12:00 1064 ----a-w- c:\windows\Amy's Fantasies.dat
2010-05-06 10:49 . 2010-05-06 11:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Oblivion
2010-05-06 08:42 . 2010-05-06 08:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Media Player Classic
2010-05-04 14:39 . 2010-05-15 12:41 -------- d-----w- c:\program files\uTorrent
2010-05-04 14:39 . 2010-05-15 12:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-05-04 14:28 . 2010-05-04 14:28 -------- d-----w- c:\program files\Combined Community Codec Pack
2010-05-04 14:20 . 2005-04-08 21:43 118784 ----a-w- c:\windows\system\BisonVfw.dll
2010-05-04 14:20 . 2005-03-23 21:01 49152 ----a-w- c:\windows\BisonRem.exe
2010-05-04 14:20 . 2005-01-25 13:45 122880 ----a-w- c:\windows\system\BisonCam.dll
2010-05-04 14:20 . 2005-01-14 17:47 180224 ----a-w- c:\windows\system\StillDrv.dll
2010-05-04 14:20 . 2005-04-18 22:24 646656 ----a-w- c:\windows\system32\drivers\BisonCam.sys
2010-05-04 13:14 . 2010-05-04 13:14 0 ----a-w- c:\windows\nsreg.dat
2010-05-04 13:14 . 2010-05-04 13:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-04-29 12:29 . 2010-05-10 17:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\WMTools Downloaded Files

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-16 03:51 . 2009-10-10 14:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\HPAppData
2010-05-15 10:36 . 2006-02-17 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2010-05-14 22:01 . 2005-08-17 20:19 -------- d-----w- c:\program files\Elantech
2010-05-13 09:04 . 2005-08-17 15:37 632832 ----a-w- c:\windows\notepad.exe
2010-05-13 09:04 . 2004-08-04 12:00 632832 ----a-w- c:\windows\system32\notepad.exe
2010-05-13 08:56 . 2008-11-20 15:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-12 17:18 . 2005-09-12 22:04 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-10 18:30 . 2006-01-31 22:24 -------- d-----w- c:\program files\Windows Media Connect 2
2010-05-09 13:47 . 2006-09-26 14:33 -------- d-----w- c:\program files\Common Files\Java
2010-05-09 13:44 . 2006-09-26 14:33 -------- d-----w- c:\program files\Java
2010-05-08 21:10 . 2009-01-09 13:30 89088 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-06 11:17 . 2005-08-17 20:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-04 13:43 . 2009-12-08 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-05-04 10:34 . 2009-06-16 18:10 -------- d-----w- c:\program files\Yahoo!
2010-05-04 10:34 . 2009-10-09 23:21 -------- d-----w- c:\program files\HP
2010-05-04 10:33 . 2005-08-18 18:41 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-04 10:31 . 2005-10-04 22:34 -------- d-----w- c:\program files\Google
2010-03-24 18:17 . 2010-03-24 08:04 952768 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\ARM Update\AdobeARM.exe
2010-03-24 18:17 . 2010-03-24 08:04 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\ARM Update\AdobeExtractFiles.dll
2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\ARM Update\ReaderUpdater.exe
2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\ARM Update\AcrobatUpdater.exe
2010-03-11 12:38 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-04 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 13:10 . 2004-08-04 12:00 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2006-04-02 11:25 . 2006-04-02 11:25 952 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-06-03 14:24 . 2008-06-03 14:24 1530853 --sha-w- c:\windows\system32\rpisrvks.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-07 2017280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KTPWare"="c:\program files\Elantech\ktp.exe" [2005-02-28 253952]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"nwiz"="nwiz.exe" [2005-04-14 1495040]
"NvMediaCenter"="NvMCTray.dll" [2005-04-14 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ScrollWall.lnk - c:\program files\ScrollWall\ScrollWall.exe [2010-5-15 131072]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2005-11-28 19:02 118784 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 11:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2004-12-19 23:10 88358 ----a-r- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-08-20 14:54 150016 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-02-16 20:15 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-02-16 20:15 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KTPWare]
2005-02-28 21:49 253952 ----a-r- c:\program files\Elantech\Ktp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2005-04-14 22:18 5562368 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2005-04-14 22:18 1495040 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 23:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-12-01 07:54 77824 ----a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 13:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartServiceMWPNACL]
2010-05-13 00:25 409600 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\MWPNACL\StartService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2005-11-28 19:02 988701 ----a-w- c:\program files\Acronis\TrueImage\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 00:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VETMSGNT"=2 (0x2)
"ose"=3 (0x3)
"NVSvc"=2 (0x2)
"MDM"=2 (0x2)
"CAISafe"=2 (0x2)
"AcrSch2Svc"=2 (0x2)
"QBFCService"=3 (0x3)
"QBCFMonitorService"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"CaCCProvSP"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\RUNSAS.EXE"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/6/2010 5:10 PM 68168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-05-16 c:\windows\Tasks\Defrag.job
- c:\windows\system32\defrag.exe [2004-08-04 00:12]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
TCP: {969C510E-3460-49B6-926C-D10DD7ACD38E} = 192.168.0.10,65.32.1.70,65.32.1.65
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {2C9A45CA-14D5-47F3-9E9F-CCB553CE73AA} - hxxp://pmdownloads.lexisnexis.com/installs/tmbm9/pro/install.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mvjza6hj.default\
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Microsoft®Windows®OperatingSystem - c:\windows\system32\Windows\taskmgr.exe
HKLM-Run-Microsoft®Windows®Defender - c:\windows\system32\Windows\taskmgr.exe
HKLM-Explorer_Run-WinOSPolicies - c:\windows\system32\Windows\taskmgr.exe
MSConfigStartUp-6464fbf8 - c:\windows\system32\swghahdl.dll
MSConfigStartUp-A00FEDBB02 - c:\docume~1\ctm\LOCALS~1\Temp\_A00FEDBB02.exe
MSConfigStartUp-IntelliPoint - c:\program files\Microsoft IntelliPoint\point32.exe
MSConfigStartUp-itype - c:\program files\Microsoft IntelliType Pro\itype.exe
MSConfigStartUp-M5T8QL3YW3 - c:\docume~1\ADMINI~1\LOCALS~1\Temp\Rbw.exe
MSConfigStartUp-Microsoft®Windows®Defender - c:\windows\system32\Windows\taskmgr.exe
MSConfigStartUp-Microsoft®Windows®OperatingSystem - c:\windows\system32\Windows\taskmgr.exe
MSConfigStartUp-QZAIB7KITK - c:\windows\Rsuwua.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-Windows update loader - c:\windows\xpupdate.exe
ActiveSetup-{IUQH0P6Q-J2YJ-DV3T-G45X-GO3T3C84U87N} - c:\windows\system32\Windows\taskmgr.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-16 23:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(948)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1004)
c:\windows\system32\relog_ap.dll
.
Completion time: 2010-05-16 23:56:17
ComboFix-quarantined-files.txt 2010-05-17 06:56

Pre-Run: 20,938,637,312 bytes free
Post-Run: 20,951,654,400 bytes free

- - End Of File - - 4DBB85BA135BEEE1CD543B8BAFA5D952

Seems to be doing better; Google doesn't redirect now, it seems.

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:32 AM

Posted 17 May 2010 - 02:25 AM

Hello Fylo

P2P Warning!

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

µTorrent

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.
Please do not use it until your computer is cleaned.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

Uninstall some programs
    1. Click on Start
    2. Then go to Settings
    3. After that you need Control Panel
    4. Look for the icon Add/Remove Programs
    Click on the following programs:

    Adobe Reader 9.2
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment Standard Edition v1.3.0_02


    and click on Remove

Update Adobe Reader
    Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.
      If you don't like Adobe Reader (33.5 MB), you can download Foxit PDF Reader (3.5 MB) from here. It's a much smaller file to download and uses far fewer resources than Adobe Reader.

      Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.

Your Java is out of date.

Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 20 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 20 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u20 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Malwarebytes' Anti-Malware:
    Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan

Go to the ESET web page to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the activex control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
      Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

Information and logs
    In your next post I need the following
    1. Log From MBAM
    2. Log From ESET Online Scanner
    3. Let me know of any problems you may have had
    4. How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:32 AM

Posted 20 May 2010 - 11:33 AM

Hello

Three-day bump

It has been three days since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48 hrs you have not replied to this thread then it will have to be closed!

Gringo




#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:32 AM

Posted 23 May 2010 - 01:44 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

The fixes and advice in this thread are for this machine only.
Do not apply the instructions from this thread to your own machine.
Please start a new thread describing your issue and someone will be along to assist you.


With Regards,
Gringo




