
Had Desktop Security 2010, DoubleD, FakeAlert, Vundo, Agent, Zlob, Media-Codec, Wild Tangent, Fraud.VirusResponseLab 2009


  • This topic is locked
5 replies to this topic

#1 littlewhiteowl

littlewhiteowl

  • Members
  • 7 posts
  • OFFLINE
  • Location:North California
  • Local time:01:24 AM

Posted 22 May 2010 - 03:39 AM

Thank you so much for your help! My brother is pressuring me and I'm doing my best. I will appreciate any help you can give me!

Logs are attached as requested, however, after 5 hours of scanning with Gmer, when I clicked on Save, Gmer froze and is still not responding (CPU usage 100% stated on bottom of Task Manager), so I took a few photos of the Gmer window with my Nikon. All information can be seen. There are twenty entries and three are for my USB flash drive I believe. I could size them and prep them for efficiency and you should be able to see all that is there. May I post a photo jpg file or two? I will obviously have to reboot to be able to do anything on that computer...and there is no time to do another scan. I think a photo would show you the twenty listings.

Gmer shows:
3 SSDT listings
1 .text listing
3 AttachedDevice listings
13 Reg listings all beginning with: HKLM\SYSTEM\

Those all showed up in the first few minutes and after that, hours went by with no added listings.

Now for more details of the situation. For the most part, I will copy and paste what I wrote in the Am I Infected? part of the forum. Thank you, Orange Blossom, for responding and leading me over here for the next steps. Here is what I said...and I may add a little....

~~~~~

I am working on my brother's computer, an HP desktop with XP SP3. In April he got a massive host of trojans (he had no idea of how many), ran his StopZilla (something I don't use and don't like myself), and made zero headway. A couple days ago he brought over the tower to me to work on. I do not have it connected to our wireless network. I am using my laptop and a USB flash drive to get what I need to his computer.

I have run SuperAntispyware, Malwarebytes, Spybot, Lavasoft, Vundofix, rKill, HijackThis, not in that order. I have found and deleted MANY different trojans. Many have not reappeared, but some have. Last night after I finally got Malwarebytes to run by changing the name of the .exe BEFORE taking it to his computer, I thought I got it clean. It rebooted okay. But this morning I checked again, of course, and it's still got crapola on it; I used Malwarebytes again and found trojans Vundo and Agent. I have to stop StopZilla at every reboot as it interferes so much with this whole process.

So I have been reading A LOT in this forum and others as I have worked on all this and decided to run ComboFix today. I have two logs saved on my flash drive so I can post the log from the second run if needed. (Had to run twice I thought because of Stopzilla getting in the way the first time...I forgot to turn it off the first time.)

My bro has so much stuff running in the background and the computer has been so neglected...it's hard to do the research on every process and app and service going on in here. I did turn off System Restore last night after it seemed clean and turned it back on, but now, of course, that will need to be done again when it is *actually* clean.

I will appreciate your help so very much. He is very anxious to get his computer back and is leaving town for Alaska very soon. I have to return it tomorrow, Saturday, no matter what. He has no idea what all this requires. Thank you!!!!!!!!!

~~~~~

The list of trojans and malware that have been found are listed in the title. I don't know what is left, but my last Malwarebytes scan revealed about ten listings of Vundo and one listing of Agent. Those were supposedly quarantined...but I don't bet on anything at this point.

Thank you for your help!

~~~~~

DDS.txt log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by HP_Administrator at 18:46:43.82 on Fri 05/21/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1463 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
c:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\McciTrayApp.exe"
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
Trusted Zone: trymedia.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-5-18 64288]
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-12-7 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2010-2-24 173328]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 68168]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-7 61328]
S3 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-18 135664]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1228208]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

=============== Created Last 30 ================

2010-05-22 01:43:10 240 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-05-22 01:36:02 0 ----a-w- c:\documents and settings\hp_administrator\defogger_reenable
2010-05-22 01:01:36 0 d-----w- C:\VundoFix Backups
2010-05-21 23:04:55 0 d-----w- C:\ComboFix
2010-05-21 22:09:13 98816 ----a-w- c:\windows\sed.exe
2010-05-21 22:09:13 161792 ----a-w- c:\windows\SWREG.exe
2010-05-21 11:58:48 0 d-----w- c:\program files\IrfanView
2010-05-21 10:24:22 0 d-----w- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2010-05-21 09:45:15 0 d-----w- c:\windows\pss
2010-05-21 08:30:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-21 08:30:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-21 03:21:18 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-18 23:00:36 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-18 22:34:20 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-18 22:33:41 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-18 22:33:28 0 d-----w- c:\program files\Lavasoft
2010-05-18 22:25:46 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-18 22:25:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-05-18 22:24:21 0 d-----w- c:\program files\Trend Micro
2010-05-18 22:19:12 0 d-----w- c:\program files\1 Downloads
2010-05-18 22:10:02 0 d-----w- c:\program files\Revo Uninstaller
2010-05-18 22:04:56 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-18 18:02:44 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-05-18 17:54:46 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-05-18 17:54:25 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-05-18 17:53:49 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

==================== Find3M ====================


============= FINISH: 18:46:52.71 ===============





~~~~~

ComboFix log:

ComboFix 10-05-20.07 - HP_Administrator 05/21/2010 15:10:37.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1379 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\windows\system32\byvtqo.dll
c:\windows\system32\vtrpqq.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-04-21 to 2010-05-21 )))))))))))))))))))))))))))))))
.

2010-05-21 22:10 . 2010-05-21 22:10 12568 ----a-w- c:\windows\system32\drivers\PROCEXP113.SYS
2010-05-21 11:58 . 2010-05-21 11:58 -------- d-----w- c:\program files\IrfanView
2010-05-21 11:44 . 2010-05-21 11:44 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Sonic
2010-05-21 11:44 . 2010-05-21 11:44 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Leadertech
2010-05-21 10:24 . 2010-05-21 10:24 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2010-05-21 08:30 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-21 08:30 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-21 03:21 . 2010-05-21 05:20 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-18 23:00 . 2010-05-21 11:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-18 22:55 . 2010-05-18 22:55 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-05-18 22:34 . 2010-05-18 22:34 -------- dc----w- c:\windows\system32\DRVSTORE
2010-05-18 22:34 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-18 22:33 . 2010-05-18 22:33 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-18 22:33 . 2010-05-18 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-18 22:33 . 2010-05-18 22:33 -------- d-----w- c:\program files\Lavasoft
2010-05-18 22:25 . 2010-05-18 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-18 22:25 . 2010-05-18 22:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-18 22:24 . 2010-05-18 22:24 -------- d-----w- c:\program files\Trend Micro
2010-05-18 22:19 . 2010-05-21 12:04 -------- d-----w- c:\program files\1 Downloads
2010-05-18 22:10 . 2010-05-18 22:10 -------- d-----w- c:\program files\Revo Uninstaller
2010-05-18 22:04 . 2010-05-18 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-18 18:02 . 2008-04-14 07:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-05-18 18:02 . 2008-04-14 07:09 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-05-18 17:54 . 2001-08-17 20:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-05-18 17:54 . 2001-08-17 20:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2010-05-18 17:54 . 2008-04-14 12:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-05-18 17:54 . 2008-04-14 12:41 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2010-05-18 17:53 . 2008-04-14 07:15 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-05-18 17:53 . 2008-04-14 07:15 10368 ----a-w- c:\windows\system32\dllcache\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-21 22:20 . 2008-11-06 21:52 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-05-21 22:17 . 2010-05-21 22:17 80 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-05-21 22:17 . 2010-05-21 22:16 536 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-05-21 12:24 . 2009-05-19 14:10 -------- d-----w- c:\program files\Formatta 7.0
2010-05-21 11:50 . 2006-08-15 07:49 -------- d-----w- c:\program files\Common Files\InstallShield
2010-05-21 08:42 . 2008-09-16 02:01 -------- d-----w- c:\program files\Schwab
2010-05-21 08:40 . 2009-03-23 23:57 -------- d-----w- c:\program files\OpenOffice.org 3
2010-05-21 06:39 . 2008-09-15 16:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-21 05:39 . 2008-09-15 16:33 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-21 01:43 . 2008-09-21 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-05-18 22:24 . 2010-05-18 22:24 388096 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-16 18:08 . 2010-03-23 12:54 -------- d-----w- c:\documents and settings\All Users\Application Data\ATTToolbar
2010-04-16 10:15 . 2010-04-16 10:15 -------- d-----w- c:\program files\STOPzilla!
2010-04-14 19:43 . 2009-11-04 13:54 79488 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-04-09 15:36 . 2009-03-24 00:01 1 ----a-w- c:\documents and settings\HP_Administrator\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-03-25 14:47 . 2010-03-23 12:54 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\ATTToolbar
2010-03-25 14:19 . 2010-03-23 12:43 -------- d-----w- c:\program files\Common Files\Motive
2010-03-23 12:54 . 2010-03-23 12:54 -------- d-----w- c:\program files\ATTToolbar
2010-03-23 12:52 . 2010-03-23 12:52 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Motive
2010-03-23 12:52 . 2010-03-23 12:51 -------- d-----w- c:\program files\ATT-SST
2010-03-23 12:43 . 2010-03-23 12:43 -------- d-----w- c:\program files\ATT
2010-03-23 12:43 . 2010-03-23 12:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2010-03-10 06:15 . 2004-08-10 04:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-06 01:16 . 2010-03-06 01:16 17408 ----a-r- c:\windows\system32\SZIO5.dll
2010-03-06 01:14 . 2010-03-06 01:14 442368 ----a-r- c:\windows\system32\SZBase5.dll
2010-03-06 01:13 . 2010-03-06 01:13 540672 ----a-r- c:\windows\system32\SZComp5.dll
2010-03-02 19:41 . 2010-03-02 19:41 26694 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}\UNINST_Uninstall_G_3DE5E7D47B88403CA3FD2017A8240C5B.exe
2010-02-25 06:24 . 2004-08-10 04:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 22:06 . 2010-02-24 22:06 173328 ----a-r- c:\windows\system32\drivers\SZKGFS.sys
2010-02-24 13:11 . 2004-08-10 04:00 455680 ------w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-14 16239616]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2009-10-22 1577984]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-09-16 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk
backup=c:\windows\pss\Updates From HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CopyNowMainrlang]
2010-04-16 15:07 145920 ----a-w- c:\program files\Common Files\Sonic Shared\Sonic Central\Copy\MainrlangCopyNow.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DesktopTiVo]
2010-04-16 15:07 145920 ----a-w- c:\program files\Common Files\TiVo Shared\DirectShow\TiVoDirectShowFilterTiVo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-09 00:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-12-26 18:26 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-05-07 00:04 2017280 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-09-21 01:59 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Schwab\\SSPro\\SSPro.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/18/2010 3:34 PM 64288]
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [12/7/2009 5:59 PM 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2/24/2010 3:06 PM 173328]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/6/2010 5:10 PM 68168]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [12/7/2009 5:59 PM 61328]
S3 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2009 9:52 AM 135664]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 8:52 AM 1228208]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
.
Contents of the 'Scheduled Tasks' folder

2010-05-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 15:52]

2010-05-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-21 00:46]

2010-05-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-18 16:52]

2010-05-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-18 16:52]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
Trusted Zone: trymedia.com
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
HKCU-Run-qomjjgdrv - vtrpqq.dll
HKLM-Run-Recguard - c:\windows\SMINST\RECGUARD.EXE
HKLM-Run-PCDrProfiler - (no file)
HKLM-Run-Reminder - c:\windows\Creator\Remind_XP.exe
HKLM-Run-mlmnkhsys - byvtqo.dll
HKLM-Run-cbxvstdrv - vtrpqq.dll
HKU-Default-Run-awuttusys - byvtqo.dll
HKU-Default-Run-cbbbbxdrv - vtrpqq.dll
MSConfigStartUp-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
MSConfigStartUp-SetupInstaller - c:\program files\adobe\reader 9.0\setup files\{ac76ba86-7ad7-1033-7b44-a91000000001}\setupsmall.exe
AddRemove-HPOOVClient-9972322 Uninstaller - c:\windows\HPCPCUninstall-9972322\HPBWSetup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-21 15:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3700)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\iS3\Anti-Spyware\SZServer.exe
c:\windows\arservice.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\ARPWRMSG.EXE
c:\windows\eHome\ehmsas.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-05-21 15:22:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-21 22:22

Pre-Run: 213,044,002,816 bytes free
Post-Run: 212,951,740,416 bytes free

- - End Of File - - 93B5C06D208EC67B994D90F953A200A8





Attached Files
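A small triage script, added here as an example and not part of this post or of any BleepingComputer or ComboFix tool, that reads the three ComboFix log sections quoted above (Other Deletions, Reg Loading Points, ORPHANS REMOVED) and flags what a helper checks first: an autostart entry whose target is a bare DLL name with no directory and no rundll32 host (the Vundo loader pattern visible in the orphan list), and the standard-profile firewall being disabled. The embedded excerpt is constructed from lines of the log above; the section keywords and the bare-DLL rule are the example's own assumptions.

```python
"""Triage helper for the ComboFix log sections quoted in the post above.

Added example, not part of ComboFix or of this thread. It flags:
  * Run values / removed orphans whose target is a bare "name.dll" (no
    directory, no rundll32 host) - the loader pattern Vundo used;
  * a Windows Firewall standard profile with EnableFirewall set to 0;
and notes whether a flagged DLL also appears in the "Other Deletions" list.
"""
import re

# Excerpt constructed from lines of the ComboFix log in the post above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\byvtqo.dll
c:\windows\system32\vtrpqq.dll
D:\Autorun.inf

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

- - - - ORPHANS REMOVED - - - -

HKCU-Run-qomjjgdrv - vtrpqq.dll
HKLM-Run-Recguard - c:\windows\SMINST\RECGUARD.EXE
HKLM-Run-mlmnkhsys - byvtqo.dll
HKU-Default-Run-awuttusys - byvtqo.dll
"""

# Section header keywords as they appear in a ComboFix log (assumption: these
# three are enough for this triage).
SECTION_KEYS = ("Other Deletions", "Reg Loading Points", "ORPHANS REMOVED")
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"')
ORPHAN_RE = re.compile(r'^(?P<hive>HK[A-Z]+(?:-Default)?)-Run-(?P<name>\S+) - (?P<target>.+)$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')


def parse_sections(text):
    """Group the log's non-empty lines under the section header they follow."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        for key in SECTION_KEYS:
            if key in line:          # e.g. "(((( Other Deletions ))))"
                current = key
                break
        else:
            if current and line and line != ".":
                sections.setdefault(current, []).append(line)
    return sections


def bare_dll(target):
    """True when an autostart target is just 'name.dll': no directory, no host exe.

    A legitimate rundll32 entry (NvCplDaemon above) keeps its full path, so it
    is not flagged; the Vundo orphans point at a bare file name.
    """
    t = target.strip().strip('"').lower()
    return t.endswith(".dll") and "\\" not in t and "rundll32" not in t


def triage(text):
    """Return (rule, entry, detail) tuples for the suspicious items in a log."""
    sec = parse_sections(text)
    deleted = {l.lower().rsplit("\\", 1)[-1]
               for l in sec.get("Other Deletions", []) if "\\" in l}
    findings = []
    for line in sec.get("Reg Loading Points", []):
        m = RUN_VALUE_RE.match(line)
        if m and bare_dll(m.group("target")):
            findings.append(("run-bare-dll", m.group("name"), m.group("target")))
        m = FIREWALL_RE.match(line)
        if m and m.group("val") == "0":
            findings.append(("firewall-disabled", "EnableFirewall", m.group("val")))
    for line in sec.get("ORPHANS REMOVED", []):
        m = ORPHAN_RE.match(line)
        if not m or not bare_dll(m.group("target")):
            continue
        target = m.group("target").strip()
        # Cross-check against the files ComboFix reported deleting.
        status = "loader deleted" if target.lower() in deleted else "loader still present?"
        entry = f"{m.group('hive')}-Run-{m.group('name')}"
        findings.append(("orphan-bare-dll", entry, f"{target} ({status})"))
    return findings


if __name__ == "__main__":
    for rule, entry, detail in triage(SAMPLE_LOG):
        print(f"{rule:18} {entry:30} {detail}")
```

Run against the full log pasted above, the same rules would also pick out HKLM-Run-cbxvstdrv and the other orphans pointing at byvtqo.dll and vtrpqq.dll, both of which appear in the deletions list.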



#2 littlewhiteowl

littlewhiteowl
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Location:North California
  • Local time:01:24 AM

Posted 22 May 2010 - 04:52 AM

Here are three jpg photo images in which you can see the completed Gmer scan log on the screen. It's the best I can do. I started the scan around 7:40 this evening and it completed at around 12:30 a.m.

One is full left to right, and the other two are the left and right side - for better readability. You should be able to see everything! After Gmer crashed I couldn't adjust the columns differently, but they show almost every letter. I'm sure you know...but the word that is cut off after "Device" is "Characteristics."

Oops, looks like I can only add one at a time due to size. They are 900 pixels wide so that you can read them.

Thanks!

Attached Files



#3 littlewhiteowl

littlewhiteowl
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Location:North California
  • Local time:01:24 AM

Posted 22 May 2010 - 04:53 AM

Looks like I can't upload the two other images I prepared, so let me know if you need to see the right and left side zoomed more. I will prep the shots in smaller files. Thanks!

Edited by littlewhiteowl, 22 May 2010 - 04:57 AM.


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,243 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:11:24 AM

Posted 25 May 2010 - 05:32 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#5 littlewhiteowl

littlewhiteowl
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Location:North California
  • Local time:01:24 AM

Posted 29 May 2010 - 09:47 PM

Thank you so much for your response and help! The story of the issue is in my first post and I posted ComboFix scan results including the ComboFix quarantined items log, the DDS log, and also the Gmer results. I did use the defogger as instructed before Gmer.

Unfortunately, my brother has left on his annual trip and I had to return his computer before he left. (It is NOT being used...or even plugged in!) I can resume work on his trojan problem when he returns in mid June. So I am unable to do the OTL scan at this time. However, I did do the Gmer scan and completed it. I posted a color jpg image of the scan results. (There were no RED entries.) I have a couple more photos of the right and left side of the screen that could be posted, but the one I posted is quite clear; it's just that the other two are a little closer. The computer crashed when I clicked on Save to save the Gmer log, so I got out my Nikon and took photos of the Gmer screen. They are very legible. Since the scan took five hours, I don't want to go through that again!

The computer has not been touched since I returned it to him, and he will not use it when he gets back. All will be just as I left it and I can work on it again. Can we leave this thread open so we don't have to start over?

I can pick up where we left off in mid June as soon as he returns. He insisted on having his computer stored in his house while he is away. I will be happy to do this OTL scan when he returns and will post that log and we can move forward!

Thank you again so very much!

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,243 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:11:24 AM

Posted 30 May 2010 - 02:16 AM

Hi, in that case I will now close this topic and when you are ready to start working on this again, just send me a PM and I will reopen it so we can continue working on it.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft
