Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Highjacked?


  • This topic is locked This topic is locked
20 replies to this topic

#1 drabe96

drabe96

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:06 AM

Posted 23 May 2010 - 11:27 AM

I removed a fake antivirus infection with Malwarebytes, superantispyware, and viper antivirus. The fake warnings stopped, but I could not aquire an ip address. I had to manually start a few of the networking services even though they were set to automatic ( I have to do this after every restart ). If I click on a google search link that has to do with malware removal i get redirected to generic sites with their own links. I also get the page cannot be displayed when using windows update. Here is my highjack this log. Thanks for any help.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:11:16, on 5/23/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SBAMTray] "C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1263842750734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1274588638468
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VIPRE Antivirus (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe

--
End of file - 3434 bytes


BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:06 AM

Posted 23 May 2010 - 05:21 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.
    1.Please do not run any other tool untill instructed to do so!
    2.Please reply to this thread, do not start another!
    3.Please tell me about any problems that have occurred during the fix.
    4.Please tell me of any other symptoms you may be having as these can help also.
    5.Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

I would like to get a better look at your system, please do the following so I can get some more detailed logs.


DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

Gmer

Download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


Note: Do not run any programs while Gmer is running.


information and logs:
    In your next post I need the following
      1.logs from DDS
      2.log from GMER
      3.let me know of any problems you may have had

Gringo



I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 drabe96

drabe96
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:06 AM

Posted 23 May 2010 - 07:17 PM

I do not see where I can click on thread tools. I am gathering the info you requested.

#4 drabe96

drabe96
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:06 AM

Posted 23 May 2010 - 08:59 PM

Not sure what happened here so I deleted this post

Edited by drabe96, 23 May 2010 - 09:06 PM.


#5 drabe96

drabe96
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:06 AM

Posted 23 May 2010 - 09:02 PM

I have to manually start DHCP Client even though it is set to automatic. The first time I ran GMER I got a ubfelkx4.exe has encountered a problem and needs to close error. While posting the logs explorer.exe, System, and or lsass.exe started consuming all cpu cycles and the computer became unusable. I ran GMER after a reboot without enabling the network and it completed successfully. Here are the logs.


DDS (Ver_10-03-17.01) - NTFSx86
Run by User at 19:26:08.01 on Sun 05/23/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1713 [GMT -5:00]

AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\User\Desktop\Defogger.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SBAMTray] "c:\program files\sunbelt software\vipre\SBAMTray.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263842750734
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1274588638468
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\k08gqw7l.default\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2010-4-28 13400]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-10-13 95024]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2009-8-26 202928]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-8-26 12672]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-4-28 69720]
S2 SBAMSvc;VIPRE Antivirus;c:\program files\sunbelt software\vipre\SBAMSvc.exe [2010-4-19 2726000]
S3 Normandy;Normandy SR2; [x]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-2-6 27064]
S4 SBPIMSvc;SB Recovery Service;c:\program files\sunbelt software\vipre\SBPIMSvc.exe [2010-4-19 181584]

=============== Created Last 30 ================

2010-05-24 00:20:09 20 ----a-w- c:\documents and settings\user\defogger_reenable
2010-05-23 16:10:46 0 d-----w- c:\program files\Trend Micro
2010-05-23 04:38:00 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-23 04:30:37 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-23 04:30:23 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-28 23:52:11 69720 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2010-04-28 23:50:48 13400 ----a-w- c:\windows\system32\drivers\sbaphd.sys

==================== Find3M ====================

2010-05-23 00:05:15 42 ----a-w- c:\documents and settings\user\jagex_runescape_preferences.dat
2010-05-23 00:05:15 41 ----a-w- c:\documents and settings\user\jagex__preferences3.dat
2010-05-23 00:03:21 75 ----a-w- c:\documents and settings\user\jagex_runescape_preferences2.dat
2010-04-29 20:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-19 18:48:04 27984 ----a-w- c:\windows\system32\sbbd.exe
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-06 15:50:16 23 --sha-w- c:\windows\system32\edacded0.dat

============= FINISH: 19:27:18.03 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/26/2009 4:44:48 PM
System Uptime: 5/23/2010 7:21:14 PM (0 hours ago)

Motherboard: http://www.abit.com.tw/ | | IS7/IS7-G/IS7-E (Intel i865-ICH5)
Processor: Intel® Pentium® 4 CPU 2.60GHz | Socket 478 | 2605/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 75 GiB total, 43.522 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

18 WoS Across America
7-Zip 4.65
Adobe Flash Player 10 ActiveX
Adobe Shockwave Player 11.5
ClearType Tuning Control Panel Applet
CPUID CPU-Z 1.52.2
EVEREST Home Edition v2.20
Foxit Reader
Google Toolbar for Internet Explorer
GT Interactive - Driver
HiJackThis
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Java Auto Updater
Java™ 6 Update 20
Malwarebytes' Anti-Malware
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.6)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NVIDIA Drivers
Pirates of the Caribbean
Realtek AC'97 Audio
Revo Uninstaller Pro 2.1.0
Secunia PSI
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
The Sims™ 2 Apartment Life
The Sims™ 2 Double Deluxe
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VIPRE Antivirus
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11

==== Event Viewer Messages From Past Week ========

5/23/2010 9:56:06 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
5/23/2010 9:56:06 AM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Spyware Doctor\SDContextExt32.dll. Reference error message: The operation completed successfully. .
5/23/2010 9:56:06 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
5/23/2010 9:51:03 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm SASDIFSV SASKUTIL sbaphd
5/23/2010 10:32:47 AM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
5/23/2010 10:08:58 AM, error: SRService [104] - The System Restore initialization process failed.
5/23/2010 10:08:58 AM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
5/23/2010 1:46:50 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
5/22/2010 9:02:58 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Themes service to connect.
5/22/2010 9:02:58 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Task Scheduler service to connect.
5/22/2010 9:02:58 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Shell Hardware Detection service to connect.
5/22/2010 9:02:58 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the DHCP Client service to connect.
5/22/2010 9:02:58 PM, error: Service Control Manager [7000] - The Themes service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/22/2010 9:02:58 PM, error: Service Control Manager [7000] - The Task Scheduler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/22/2010 9:02:58 PM, error: Service Control Manager [7000] - The DHCP Client service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/22/2010 8:00:54 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
5/22/2010 7:58:19 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
5/22/2010 7:57:56 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
5/22/2010 7:50:34 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm sbaphd
5/22/2010 7:50:04 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/22/2010 7:49:22 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
5/22/2010 7:49:22 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.

==== End Of File ===========================

First GMER log that did not complete successfully
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-23 19:31:44
Windows 5.1.2600 Service Pack 3
Running: ubfe1kx4.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\pwroiaob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software) ZwCreateKey [0xF79D34D0]
SSDT \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software) ZwSetValueKey [0xF79D3520]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\dmload.sys entry point in ".rsrc" section [0xF798E114]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB87AA360, 0x37388D, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1020] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1020] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\System32\svchost.exe[1020] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C
.text C:\WINDOWS\System32\svchost.exe[1020] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00E8000A
.text C:\WINDOWS\Explorer.EXE[1232] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1232] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[1232] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\Program Files\Internet Explorer\iexplore.exe[2480] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D6000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2480] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D7000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2480] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D5000C
.text C:\Program Files\Internet Explorer\iexplore.exe[2480] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2480] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2480] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2480] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2480] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2480] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2480] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2480] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2480] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2536] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D6000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2536] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D7000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2536] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D5000C
.text C:\Program Files\Internet Explorer\iexplore.exe[2536] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2536] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2536] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2536] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2536] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2536] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2536] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2536] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2536] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2536] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2536] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2536] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2536] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2536] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\Tcp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\Udp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\RawIp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)

second GMER log that did complete suuccessfully
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-23 20:46:58
Windows 5.1.2600 Service Pack 3
Running: ubfe1kx4.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\pwroiaob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software) ZwCreateKey [0xB628B4D0]
SSDT \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software) ZwSetValueKey [0xB628B520]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\dmload.sys entry point in ".rsrc" section [0xF798E114]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8BFC360, 0x37388D, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1072] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1072] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\System32\svchost.exe[1072] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C
.text C:\WINDOWS\System32\svchost.exe[1072] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 010D000A
.text C:\WINDOWS\Explorer.EXE[1216] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1216] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[1216] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\Tcp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\Udp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\RawIp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A538D01

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x61 0x8E 0xBF 0x6A ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x86 0x7D 0xA7 0x72 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x4B 0x03 0x0D 0xC5 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x37 0x46 0x6A 0x42 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42@ujdew 0x3E 0x52 0xC7 0x4A ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg43@ujdew 0x52 0x05 0x7C 0xB4 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg44 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg44@ujdew 0xA5 0x8A 0x3A 0xAC ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x35 0xE4 0x19 0x94 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x35 0xE4 0x19 0x94 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\dmload.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#6 drabe96

drabe96
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:06 AM

Posted 23 May 2010 - 09:14 PM

I will not be able to take any further actions untill tomorrow afternoon. Thanks for the help.

#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:06 AM

Posted 23 May 2010 - 09:28 PM

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

"information and logs"
    In your next post I need the following
    1. Log from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo



I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#8 drabe96

drabe96
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:06 AM

Posted 23 May 2010 - 10:21 PM

Combofix detected a rootkit and had to restart the computer. Everything is back to normal now. Here is the log. If you have time can you let me know what it actually was. They claim they were on Youtube when the fake antivirus warnings started popping up. Is there any combination of antivrus or spyware programs that will stop this from happening again. Thanks so much for your time.




ComboFix 10-05-23.01 - User 05/23/2010 22:03:24.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1745 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\User\Application Data\Microsoft\HTML Help\hh.dat
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

Infected copy of c:\windows\system32\drivers\dmload.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((( Files Created from 2010-04-24 to 2010-05-24 )))))))))))))))))))))))))))))))
.

2010-05-23 16:10 . 2010-05-23 16:10 388096 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-23 16:10 . 2010-05-23 16:10 -------- d-----w- c:\program files\Trend Micro
2010-05-23 09:30 . 2010-05-23 09:30 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-05-23 04:38 . 2010-05-23 04:38 -------- d-----w- c:\program files\Common Files\Java
2010-05-23 04:38 . 2010-05-23 04:38 61440 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-27db5a7a-n\decora-sse.dll
2010-05-23 04:38 . 2010-05-23 04:38 503808 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-694482af-n\msvcp71.dll
2010-05-23 04:38 . 2010-05-23 04:38 499712 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-694482af-n\jmc.dll
2010-05-23 04:38 . 2010-05-23 04:38 348160 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-694482af-n\msvcr71.dll
2010-05-23 04:38 . 2010-05-23 04:38 12800 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-27db5a7a-n\decora-d3d.dll
2010-05-23 04:38 . 2010-04-12 22:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-23 04:30 . 2010-05-23 04:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-23 04:30 . 2010-05-23 15:32 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-23 03:33 . 2010-05-23 03:33 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-05-23 00:54 . 2010-05-23 00:54 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-23 00:40 . 2010-05-23 00:59 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\yquhaqeyo
2010-04-28 23:52 . 2010-01-04 11:29 69720 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2010-04-28 23:50 . 2010-01-04 11:29 13400 ----a-w- c:\windows\system32\drivers\sbaphd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-23 15:11 . 2009-10-17 15:54 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-23 04:37 . 2010-01-19 02:10 -------- d-----w- c:\program files\Java
2010-05-23 01:36 . 2010-03-03 02:28 -------- d-----w- c:\program files\Google
2010-05-23 00:51 . 2010-01-18 23:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-23 00:05 . 2010-03-24 21:17 41 ----a-w- c:\documents and settings\User\jagex__preferences3.dat
2010-05-23 00:05 . 2009-10-11 12:06 42 ----a-w- c:\documents and settings\User\jagex_runescape_preferences.dat
2010-05-23 00:03 . 2009-10-11 12:07 75 ----a-w- c:\documents and settings\User\jagex_runescape_preferences2.dat
2010-04-29 20:39 . 2010-01-18 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2010-01-18 23:07 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-19 18:48 . 2010-04-19 18:48 27984 ----a-w- c:\windows\system32\sbbd.exe
2010-03-10 06:15 . 2008-04-14 10:42 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2008-04-14 10:42 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-04-14 05:47 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-06 15:50 . 2010-02-06 15:50 23 --sha-w- c:\windows\system32\edacded0.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2010-04-19 1291600]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [4/28/2010 6:50 PM 13400]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/13/2009 9:02 AM 95024]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [8/26/2009 5:18 PM 202928]
R2 SBAMSvc;VIPRE Antivirus;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [4/19/2010 1:48 PM 2726000]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [4/28/2010 6:52 PM 69720]
S3 Normandy;Normandy SR2; [x]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [6/17/2009 7:20 AM 12648]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2/6/2010 7:59 AM 27064]
S4 SBPIMSvc;SB Recovery Service;c:\program files\Sunbelt Software\VIPRE\SBPIMSvc.exe [4/19/2010 1:47 PM 181584]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/4/2009 7:32 PM 721904]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\k08gqw7l.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2010-05-23 22:10:09
ComboFix-quarantined-files.txt 2010-05-24 03:10

Pre-Run: 50,094,157,824 bytes free
Post-Run: 50,374,246,400 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 29DE2FB4D3B9AE3D8FAA53066BE63DA4


#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:06 AM

Posted 23 May 2010 - 10:34 PM

Greetings

You had a nasty rootkit that is going around called TDsserve and there is no perfect solution to keep from getting infected - when we finish i will give you some links to read to help stay safer

I need you to do the following then we can move on

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

CODE
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>


Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Let me have this log when complete

gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:06 AM

Posted 26 May 2010 - 07:13 AM

Hello

three day bump

It has been Three days since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 drabe96

drabe96
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:06 AM

Posted 26 May 2010 - 06:00 PM

I'm sorry, we have been busy with my sons 8th grade graduation. I will run CFScript.txt as soon as posible and post the log.

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:06 AM

Posted 26 May 2010 - 06:40 PM

OK no problem just let me know


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 drabe96

drabe96
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:06 AM

Posted 26 May 2010 - 08:25 PM

ComboFix 10-05-26.01 - User 05/26/2010 20:19:05.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1634 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
.

((((((((((((((((((((((((( Files Created from 2010-04-27 to 2010-05-27 )))))))))))))))))))))))))))))))
.

2010-05-23 16:10 . 2010-05-23 16:10 388096 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-23 16:10 . 2010-05-23 16:10 -------- d-----w- c:\program files\Trend Micro
2010-05-23 09:30 . 2010-05-23 09:30 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-05-23 04:38 . 2010-05-23 04:38 -------- d-----w- c:\program files\Common Files\Java
2010-05-23 04:38 . 2010-05-23 04:38 61440 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-27db5a7a-n\decora-sse.dll
2010-05-23 04:38 . 2010-05-23 04:38 503808 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-694482af-n\msvcp71.dll
2010-05-23 04:38 . 2010-05-23 04:38 499712 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-694482af-n\jmc.dll
2010-05-23 04:38 . 2010-05-23 04:38 348160 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-694482af-n\msvcr71.dll
2010-05-23 04:38 . 2010-05-23 04:38 12800 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-27db5a7a-n\decora-d3d.dll
2010-05-23 04:38 . 2010-04-12 22:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-23 04:30 . 2010-05-23 04:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-23 04:30 . 2010-05-23 15:32 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-23 03:33 . 2010-05-23 03:33 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-05-23 00:54 . 2010-05-23 00:54 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-23 00:40 . 2010-05-23 00:59 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\yquhaqeyo
2010-04-28 23:52 . 2010-01-04 11:29 69720 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2010-04-28 23:50 . 2010-01-04 11:29 13400 ----a-w- c:\windows\system32\drivers\sbaphd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-25 21:24 . 2010-03-24 21:17 41 ----a-w- c:\documents and settings\User\jagex__preferences3.dat
2010-05-25 21:24 . 2009-10-11 12:06 42 ----a-w- c:\documents and settings\User\jagex_runescape_preferences.dat
2010-05-25 21:12 . 2009-10-11 12:07 81 ----a-w- c:\documents and settings\User\jagex_runescape_preferences2.dat
2010-05-23 15:11 . 2009-10-17 15:54 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-23 04:37 . 2010-01-19 02:10 -------- d-----w- c:\program files\Java
2010-05-23 01:36 . 2010-03-03 02:28 -------- d-----w- c:\program files\Google
2010-05-23 00:51 . 2010-01-18 23:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 20:39 . 2010-01-18 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2010-01-18 23:07 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-19 18:48 . 2010-04-19 18:48 27984 ----a-w- c:\windows\system32\sbbd.exe
2010-03-10 06:15 . 2008-04-14 10:42 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-06 15:50 . 2010-02-06 15:50 23 --sha-w- c:\windows\system32\edacded0.dat
.

((((((((((((((((((((((((((((( SnapShot@2010-05-24_03.08.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-26 11:34 . 2010-05-26 11:34 16384 c:\windows\Temp\Perflib_Perfdata_6d4.dat
+ 2008-04-14 10:42 . 2010-04-21 13:28 46080 c:\windows\system32\tzchange.exe
- 2008-04-14 10:42 . 2010-01-23 08:11 46080 c:\windows\system32\tzchange.exe
+ 2009-10-11 12:06 . 2010-05-25 21:01 49152 c:\windows\.jagex_cache_32\runescape\jagmisc.dll
- 2009-10-11 12:06 . 2010-05-22 23:43 49152 c:\windows\.jagex_cache_32\runescape\jagmisc.dll
- 2009-10-11 12:06 . 2010-05-22 23:43 86016 c:\windows\.jagex_cache_32\runescape\jaggl.dll
+ 2009-10-11 12:06 . 2010-05-25 21:01 86016 c:\windows\.jagex_cache_32\runescape\jaggl.dll
+ 2010-05-22 15:45 . 2010-05-25 21:01 81920 c:\windows\.jagex_cache_32\runescape\hw3d.dll
- 2010-05-22 15:45 . 2010-05-22 23:43 81920 c:\windows\.jagex_cache_32\runescape\hw3d.dll
- 2010-02-08 22:00 . 2010-05-22 23:43 831488 c:\windows\.jagex_cache_32\runescape\sw3d.dll
+ 2010-02-08 22:00 . 2010-05-25 21:01 831488 c:\windows\.jagex_cache_32\runescape\sw3d.dll
- 2010-05-22 15:45 . 2010-05-22 23:43 102400 c:\windows\.jagex_cache_32\runescape\jagdx.dll
+ 2010-05-22 15:45 . 2010-05-25 21:01 102400 c:\windows\.jagex_cache_32\runescape\jagdx.dll
- 2010-05-22 15:45 . 2010-05-22 23:43 102400 c:\windows\.jagex_cache_32\runescape\jaclib.dll
+ 2010-05-22 15:45 . 2010-05-25 21:01 102400 c:\windows\.jagex_cache_32\runescape\jaclib.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2010-04-19 1291600]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [4/28/2010 6:50 PM 13400]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/13/2009 9:02 AM 95024]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [8/26/2009 5:18 PM 202928]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [4/28/2010 6:52 PM 69720]
S2 SBAMSvc;VIPRE Antivirus;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [4/19/2010 1:48 PM 2726000]
S3 Normandy;Normandy SR2; [x]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [6/17/2009 7:20 AM 12648]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2/6/2010 7:59 AM 27064]
S4 SBPIMSvc;SB Recovery Service;c:\program files\Sunbelt Software\VIPRE\SBPIMSvc.exe [4/19/2010 1:47 PM 181584]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/4/2009 7:32 PM 721904]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\k08gqw7l.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-26 20:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3492)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-05-26 20:23:01
ComboFix-quarantined-files.txt 2010-05-27 01:22
ComboFix2.txt 2010-05-24 03:10

Pre-Run: 50,269,642,752 bytes free
Post-Run: 50,285,772,800 bytes free

- - End Of File - - A281F82CE73338C46DCBFCF941A0ADC7


#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:06 AM

Posted 26 May 2010 - 09:50 PM

hello drabe96

Please let me know how the computer is doing now.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

CODE
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>


Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

NOTE**
  • When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will upload files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

"information and logs"
    In your next post I need the following
    1. Log from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo



I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 drabe96

drabe96
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:06 AM

Posted 27 May 2010 - 06:02 AM

The computer is running fine. The last post was the log fron ComboFix with the CFScript command line. Did you need me to run it a second time?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users