I'm not sure what I've got. Computer slow, crashes.


  • This topic is locked
23 replies to this topic

#1 Anna-Liisa

  • Members
  • 31 posts
  • OFFLINE
  • Gender:Female
  • Location:UK
  • Local time:07:04 PM

Posted 28 May 2010 - 12:43 AM

Hi, could you please help me?
I'm not sure what I've got but my computer is acting a bit strange.
I've scanned with a couple of things and had some trojans or something which I removed, but now nothing shows up.
Maybe you can see something?

Many thanks in advance,

Anna-Liisa


DDS (Ver_10-03-17.01) - NTFSx86
Run by poopy at 17:36:30.32 on 27/05/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.2047.1379 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BitLord\BitLord.exe
C:\Documents and Settings\poopy\Local Settings\Temp\Password 2.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\poopy\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
mWinlogon: Shell=Explorer.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [BitComet] "c:\program files\bitlord\BitLord.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRunOnce: [ws_uninst] c:\docume~1\poopy\locals~1\temp\ws_uninst.exe -s
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\passwo~2.lnk - c:\documents and settings\poopy\local settings\temp\Password 2.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\poopy\applic~1\mozilla\firefox\profiles\h3y7lxxk.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - component: c:\documents and settings\poopy\application data\mozilla\firefox\profiles\h3y7lxxk.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\poopy\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\poopy\application data\mozilla\firefox\profiles\h3y7lxxk.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: XULRunner: {A8701F83-286E-48F8-B565-39438D206721} - c:\documents and settings\poopy\local settings\application data\{A8701F83-286E-48F8-B565-39438D206721}
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-3-15 58984]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-3-15 116328]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-7-24 10384]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-3-15 779496]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-7 136176]

=============== Created Last 30 ================

2010-05-27 16:22:24 0 d-----w- c:\program files\StopSign
2010-05-24 22:21:57 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-04-27 23:23:56 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys
2010-04-27 23:23:56 7552 ----a-w- c:\windows\system32\drivers\SONYPVU1.SYS
2010-04-27 20:13:01 0 d-----w- c:\program files\NTFS Undelete
2010-04-27 20:05:26 0 d-----w- c:\program files\MS Office 2007 Portable (6-in-1)

==================== Find3M ====================

2010-04-24 17:46:37 5642 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2010-04-24 17:44:08 88 --sh--r- c:\docume~1\alluse~1\applic~1\DFEC9160E9.sys
2010-04-02 10:15:44 1195 ----a-w- c:\docume~1\alluse~1\applic~1\_VOIDmfeklnmal.dll
2010-03-29 23:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 23:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 08:02:04 417792 ----a-w- c:\windows\system32\vbscript.dll

============= FINISH: 17:36:55.46 ===============

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-28 06:35:45
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\poopy\LOCALS~1\Temp\pxtdqpob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwAssignProcessToJobObject [0xF3EC8D82]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xF3EC948E]
SSDT sptd.sys ZwCreateKey [0xF737D0D0]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteFile [0xF3EC95DA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteKey [0xF3ECCD54]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteValueKey [0xF3ECCD86]
SSDT sptd.sys ZwEnumerateKey [0xF7382FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xF7383340]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenFile [0xF3EC953E]
SSDT sptd.sys ZwOpenKey [0xF737D0B0]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenProcess [0xF3EC8EC6]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenThread [0xF3EC90B8]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwProtectVirtualMemory [0xF3EC91EA]
SSDT sptd.sys ZwQueryKey [0xF7383418]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwQueryValueKey [0xF3ECCE5E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRenameKey [0xF3ECCDC8]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwReplaceKey [0xF3ECCDFA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRestoreKey [0xF3ECCE2C]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetContextThread [0xF3EC8D30]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetInformationFile [0xF3EC963A]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetValueKey [0xF3ECCCEC]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSuspendThread [0xF3EC8CD4]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateProcess [0xF3EC8C30]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateThread [0xF3EC8C78]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 29A 804E4AF4 4 Bytes JMP 15F3EC91
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF66E2360, 0x1DEE5D, 0xE8000020]
.text USBPORT.SYS!DllUnload F668862C 5 Bytes JMP 899C1770
? System32\Drivers\a9ha5jht.SYS The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1188] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 00412220 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1188] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 716B001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1188] USER32.dll!EnumClipboardFormats + 213 77D6DC84 6 Bytes JMP 716E001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1188] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71650022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1188] WS2_32.dll!gethostbyname 71AB4FD4 5 Bytes JMP 71680022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2804] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 004394A0 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2804] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 716B001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2804] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71680022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2804] WS2_32.dll!gethostbyname 71AB4FD4 5 Bytes JMP 716E0022

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89BA91E8
Device \FileSystem\Fastfat \FatCdrom 89891260
Device \Driver\usbuhci \Device\USBPDO-0 899C01E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 89C1D1E8
Device \Driver\dmio \Device\DmControl\DmConfig 89C1D1E8
Device \Driver\dmio \Device\DmControl\DmPnP 89C1D1E8
Device \Driver\dmio \Device\DmControl\DmInfo 89C1D1E8
Device \Driver\usbuhci \Device\USBPDO-1 899C01E8
Device \Driver\PCI_NTPNP6440 \Device\00000045 sptd.sys
Device \Driver\usbuhci \Device\USBPDO-2 899C01E8
Device \Driver\usbuhci \Device\USBPDO-3 899C01E8
Device \Driver\usbehci \Device\USBPDO-4 899BF1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 89BAB1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 89BAB1E8
Device \Driver\Cdrom \Device\CdRom0 899FE1E8
Device \Driver\Cdrom \Device\CdRom1 899FE1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 89BAA1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-1b 89BAA1E8
Device \Driver\atapi \Device\Ide\IdePort0 89BAA1E8
Device \Driver\atapi \Device\Ide\IdePort1 89BAA1E8
Device \Driver\atapi \Device\Ide\IdePort2 89BAA1E8
Device \Driver\atapi \Device\Ide\IdePort3 89BAA1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-10 89BAA1E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8928C1E8
Device \Driver\NetBT \Device\NetbiosSmb 8928C1E8
Device \Driver\usbuhci \Device\USBFDO-0 899C01E8
Device \Driver\usbuhci \Device\USBFDO-1 899C01E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 892801E8
Device \Driver\usbuhci \Device\USBFDO-2 899C01E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 892801E8
Device \Driver\usbuhci \Device\USBFDO-3 899C01E8
Device \Driver\usbehci \Device\USBFDO-4 899BF1E8
Device \Driver\Ftdisk \Device\FtControl 89BAB1E8
Device \Driver\a9ha5jht \Device\Scsi\a9ha5jht1Port4Path0Target0Lun0 899671E8
Device \Driver\a9ha5jht \Device\Scsi\a9ha5jht1 899671E8
Device \FileSystem\Fastfat \Fat 89891260
Device \FileSystem\Cdfs \Cdfs 89873608

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDE 0x6A 0x44 0x98 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF2 0xD7 0x9D 0x57 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x10 0x41 0x8D 0x82 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDE 0x6A 0x44 0x98 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF2 0xD7 0x9D 0x57 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x10 0x41 0x8D 0x82 ...

---- EOF - GMER 1.0.15 ----


#2 Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:07:04 PM

Posted 31 May 2010 - 05:55 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 Anna-Liisa
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Gender:Female
  • Location:UK
  • Local time:07:04 PM

Posted 02 June 2010 - 05:22 PM

here are the logs:


DDS (Ver_10-03-17.01) - NTFSx86
Run by poopy at 21:17:03.03 on 02/06/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.2047.1539 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\poopy\Local Settings\Temp\Password 2.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\poopy\My Documents\Downloads\dds(3).scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
mWinlogon: Shell=Explorer.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [BitComet] "c:\program files\bitlord\BitLord.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\passwo~2.lnk - c:\documents and settings\poopy\local settings\temp\Password 2.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\poopy\applic~1\mozilla\firefox\profiles\h3y7lxxk.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - component: c:\documents and settings\poopy\application data\mozilla\firefox\profiles\h3y7lxxk.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\poopy\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\poopy\application data\mozilla\firefox\profiles\h3y7lxxk.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: XULRunner: {A8701F83-286E-48F8-B565-39438D206721} - c:\documents and settings\poopy\local settings\application data\{A8701F83-286E-48F8-B565-39438D206721}
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-3-15 58984]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-3-15 116328]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-7-24 10384]

=============== Created Last 30 ================

2010-05-28 13:57:38 0 d-----w- c:\docume~1\alluse~1\applic~1\DivX
2010-05-24 22:21:57 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys

==================== Find3M ====================

2010-04-24 17:46:37 5642 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2010-04-24 17:44:08 88 --sh--r- c:\docume~1\alluse~1\applic~1\DFEC9160E9.sys
2010-04-02 10:15:44 1195 ----a-w- c:\docume~1\alluse~1\applic~1\_VOIDmfeklnmal.dll
2010-03-10 08:02:04 417792 ----a-w- c:\windows\system32\vbscript.dll

============= FINISH: 21:18:31.12 ===============

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-02 21:14:04
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\poopy\LOCALS~1\Temp\pxtdqpob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwAssignProcessToJobObject [0xF4AC9D82]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xF4ACA48E]
SSDT sptd.sys ZwCreateKey [0xF737D0D0]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteFile [0xF4ACA5DA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteKey [0xF4ACDD54]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteValueKey [0xF4ACDD86]
SSDT sptd.sys ZwEnumerateKey [0xF7382FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xF7383340]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenFile [0xF4ACA53E]
SSDT sptd.sys ZwOpenKey [0xF737D0B0]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenProcess [0xF4AC9EC6]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenThread [0xF4ACA0B8]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwProtectVirtualMemory [0xF4ACA1EA]
SSDT sptd.sys ZwQueryKey [0xF7383418]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwQueryValueKey [0xF4ACDE5E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRenameKey [0xF4ACDDC8]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwReplaceKey [0xF4ACDDFA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRestoreKey [0xF4ACDE2C]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetContextThread [0xF4AC9D30]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetInformationFile [0xF4ACA63A]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetValueKey [0xF4ACDCEC]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSuspendThread [0xF4AC9CD4]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateProcess [0xF4AC9C30]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateThread [0xF4AC9C78]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 29A 804E4AF4 4 Bytes JMP 15F4ACA1
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF66CF360, 0x1DEE5D, 0xE8000020]
.text USBPORT.SYS!DllUnload F667562C 5 Bytes JMP 899B91C8
? System32\Drivers\a1yar4rs.SYS The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1180] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 00412220 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1180] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 716B001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1180] USER32.dll!EnumClipboardFormats + 213 77D6DC84 6 Bytes JMP 716E001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1180] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71650022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1180] WS2_32.dll!gethostbyname 71AB4FD4 5 Bytes JMP 71680022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2788] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 004394A0 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2788] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 716B001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2788] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71680022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2788] WS2_32.dll!gethostbyname 71AB4FD4 5 Bytes JMP 716E0022

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89BA91E8
Device \FileSystem\Fastfat \FatCdrom 898D6378
Device \Driver\usbuhci \Device\USBPDO-0 899B81E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 89C1D1E8
Device \Driver\dmio \Device\DmControl\DmConfig 89C1D1E8
Device \Driver\dmio \Device\DmControl\DmPnP 89C1D1E8
Device \Driver\dmio \Device\DmControl\DmInfo 89C1D1E8
Device \Driver\usbuhci \Device\USBPDO-1 899B81E8
Device \Driver\usbuhci \Device\USBPDO-2 899B81E8
Device \Driver\PCI_NTPNP1192 \Device\00000046 sptd.sys
Device \Driver\usbuhci \Device\USBPDO-3 899B81E8
Device \Driver\usbehci \Device\USBPDO-4 8998A1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 89BAB1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 89BAB1E8
Device \Driver\Cdrom \Device\CdRom0 899D13E8
Device \Driver\Cdrom \Device\CdRom1 899D13E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 89BAA1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-1b 89BAA1E8
Device \Driver\atapi \Device\Ide\IdePort0 89BAA1E8
Device \Driver\atapi \Device\Ide\IdePort1 89BAA1E8
Device \Driver\atapi \Device\Ide\IdePort2 89BAA1E8
Device \Driver\atapi \Device\Ide\IdePort3 89BAA1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-10 89BAA1E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8995E438
Device \Driver\NetBT \Device\NetbiosSmb 8995E438
Device \Driver\usbuhci \Device\USBFDO-0 899B81E8
Device \Driver\usbuhci \Device\USBFDO-1 899B81E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 896FB790
Device \Driver\usbuhci \Device\USBFDO-2 899B81E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 896FB790
Device \Driver\NetBT \Device\NetBT_Tcpip_{F852E0D1-A9C2-4B27-BC1D-D70A72019407} 8995E438
Device \Driver\usbuhci \Device\USBFDO-3 899B81E8
Device \Driver\usbehci \Device\USBFDO-4 8998A1E8
Device \Driver\Ftdisk \Device\FtControl 89BAB1E8
Device \Driver\a1yar4rs \Device\Scsi\a1yar4rs1Port4Path0Target0Lun0 899CF1E8
Device \Driver\a1yar4rs \Device\Scsi\a1yar4rs1 899CF1E8
Device \FileSystem\Fastfat \Fat 898D6378
Device \FileSystem\Cdfs \Cdfs 8971F5F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDE 0x6A 0x44 0x98 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF2 0xD7 0x9D 0x57 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x10 0x41 0x8D 0x82 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDE 0x6A 0x44 0x98 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF2 0xD7 0x9D 0x57 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x10 0x41 0x8D 0x82 ...

---- EOF - GMER 1.0.15 ----



#4 m0le (Can U Dig It?)
Malware Response Team, 34,527 posts, London, UK

Posted 06 June 2010 - 07:48 AM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please begin by running both these tools

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


And

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

m0le is a proud member of UNITE

#5 Anna-Liisa (Topic Starter)
Members, 31 posts, UK

Posted 07 June 2010 - 05:20 PM

I'm doing the scans now again. Did my logs show anything before? I've done lots of the scans before but it's still acting strange.

#6 m0le (Can U Dig It?)
Malware Response Team, 34,527 posts, London, UK

Posted 07 June 2010 - 05:24 PM

I didn't see anything but in these days of rootkits that doesn't tend to help in most cases.

#7 Anna-Liisa (Topic Starter)
Members, 31 posts, UK

Posted 08 June 2010 - 02:09 AM

Hi!
Thank you for the response.

Oh no...I think I removed something good with that antivirus program.
Something did come up, I clicked to remove and then restarted it and now the msls51.dll is missing : (

#8 Anna-Liisa (Topic Starter)
Members, 31 posts, UK

Posted 08 June 2010 - 12:01 PM

Got the file back from the quarantine. Scanning again now...

#9 Anna-Liisa (Topic Starter)
Members, 31 posts, UK

Posted 10 June 2010 - 11:06 AM

Every time I scan it comes up with something : (
Don't know what to do.

#10 m0le (Can U Dig It?)
Malware Response Team, 34,527 posts, London, UK

Posted 10 June 2010 - 04:46 PM

Well, you could start with pasting the logs that you are seeing.

Please paste the MBAM and SAS logs which show the recurring problem.

#11 Anna-Liisa (Topic Starter)
Members, 31 posts, UK

Posted 11 June 2010 - 12:21 PM

Here they are:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/11/2010 at 06:17 PM

Application Version : 4.39.1002

Core Rules Database Version : 5059
Trace Rules Database Version: 2871

Scan type : Complete Scan
Total Scan Time : 05:55:56

Memory items scanned : 379
Memory threats detected : 0
Registry items scanned : 5527
Registry threats detected : 0
File items scanned : 107347
File threats detected : 9

Adware.Tracking Cookie
C:\Documents and Settings\poopy\Cookies\poopy@atdmt[2].txt
C:\Documents and Settings\poopy\Cookies\poopy@doubleclick[1].txt
.collective-media.net [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6zx03jo6.default\cookies.sqlite ]
.atdmt.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6zx03jo6.default\cookies.sqlite ]
.atdmt.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6zx03jo6.default\cookies.sqlite ]
.advertising.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6zx03jo6.default\cookies.sqlite ]
.advertising.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6zx03jo6.default\cookies.sqlite ]
.advertising.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6zx03jo6.default\cookies.sqlite ]

Trojan.Agent/Gen-Nullo[Short]
J:\SYSTEM VOLUME INFORMATION\_RESTORE{A601B53C-E8C5-4A8C-A032-5A73449F28DF}\RP138\A0043776.EXE


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

11/06/2010 15:41:28
mbam-log-2010-06-11 (15-41-21).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|J:\|)
Objects scanned: 218756
Time elapsed: 1 hour(s), 48 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\msls51.dll (Trojan.Agent) -> No action taken.


#12 m0le (Can U Dig It?)
Malware Response Team, 34,527 posts, London, UK

Posted 11 June 2010 - 08:41 PM

The trojan.agent is too strong for MBAM to deal with.


Please download and run Combofix

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#13 Anna-Liisa (Topic Starter)
Members, 31 posts, UK

Posted 12 June 2010 - 10:44 AM

Here's the log

ComboFix 10-06-11.01 - poopy 12/06/2010 16:30:33.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.2047.1537 [GMT 1:00]
Running from: c:\documents and settings\poopy\Desktop\comfix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\_VOIDmfeklnmal.dll
c:\documents and settings\poopy\Local Settings\Application Data\{A8701F83-286E-48F8-B565-39438D206721}
c:\documents and settings\poopy\Local Settings\Application Data\{A8701F83-286E-48F8-B565-39438D206721}\chrome.manifest
c:\documents and settings\poopy\Local Settings\Application Data\{A8701F83-286E-48F8-B565-39438D206721}\chrome\content\_cfg.js
c:\documents and settings\poopy\Local Settings\Application Data\{A8701F83-286E-48F8-B565-39438D206721}\chrome\content\overlay.xul
c:\documents and settings\poopy\Local Settings\Application Data\{A8701F83-286E-48F8-B565-39438D206721}\install.rdf
c:\windows\system32\msls51.dll

Infected copy of c:\windows\system32\uxtheme.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\uxtheme.dll

.
((((((((((((((((((((((((( Files Created from 2010-05-12 to 2010-06-12 )))))))))))))))))))))))))))))))
.

2010-06-08 17:22 . 2010-06-08 17:22 655360 ----a-w- c:\documents and settings\poopy\Application Data\Spotify\Gracenote\gnsdk_sdkmanager.dll
2010-06-08 17:22 . 2010-06-08 17:22 282624 ----a-w- c:\documents and settings\poopy\Application Data\Spotify\Gracenote\gnsdk_musicid_file.dll
2010-06-08 17:22 . 2010-06-08 17:22 208896 ----a-w- c:\documents and settings\poopy\Application Data\Spotify\Gracenote\gnsdk_dsp.dll
2010-06-08 17:22 . 2010-06-11 03:32 -------- d-----w- c:\documents and settings\poopy\Local Settings\Application Data\Spotify
2010-06-08 17:22 . 2010-06-10 20:10 -------- d-----w- c:\documents and settings\poopy\Application Data\Spotify
2010-06-08 17:21 . 2010-06-08 17:21 -------- d-----w- c:\program files\Spotify
2010-06-07 22:03 . 2010-06-09 13:35 63488 ----a-w- c:\documents and settings\poopy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-07 22:03 . 2010-06-07 22:03 52224 ----a-w- c:\documents and settings\poopy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-07 22:03 . 2010-06-09 13:35 117760 ----a-w- c:\documents and settings\poopy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-07 22:02 . 2010-06-07 22:02 -------- d-----w- c:\documents and settings\poopy\Application Data\SUPERAntiSpyware.com
2010-06-07 22:02 . 2010-06-07 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-07 22:02 . 2010-06-11 06:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-28 13:57 . 2010-05-28 13:58 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-05-27 18:32 . 2010-05-27 18:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Last.fm
2010-05-27 18:31 . 2010-05-27 18:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp
2010-05-24 22:21 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-12 15:38 . 2009-12-19 13:40 -------- d-----w- c:\program files\PeerGuardian2
2010-06-09 13:24 . 2009-06-30 22:59 -------- d-----w- c:\program files\Winamp
2010-06-09 13:23 . 2009-06-30 22:59 -------- d-----w- c:\documents and settings\poopy\Application Data\Winamp
2010-06-07 21:56 . 2010-03-24 23:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-02 14:10 . 2009-07-26 19:30 -------- d-----w- c:\documents and settings\poopy\Application Data\dvdcss
2010-06-02 09:02 . 2009-07-01 13:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-23 11:48 . 2009-07-25 02:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Soulseek
2010-05-10 17:04 . 2010-01-21 13:31 -------- d-----w- c:\program files\AKME
2010-05-09 23:35 . 2010-05-07 11:27 -------- d-----w- c:\program files\Google
2010-05-08 09:35 . 2010-03-26 09:45 -------- d-----w- c:\documents and settings\poopy\Application Data\QuickScan
2010-04-29 14:39 . 2010-03-24 23:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39 . 2010-03-24 23:16 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 05:45 . 2009-06-30 23:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-28 05:45 . 2009-06-30 23:10 -------- d-----w- c:\program files\Common Files\InstallShield
2010-04-27 20:18 . 2010-04-27 20:13 -------- d-----w- c:\program files\NTFS Undelete
2010-04-27 20:13 . 2010-04-23 20:50 -------- d-----w- c:\documents and settings\poopy\Application Data\Corel
2010-04-27 20:10 . 2009-06-30 22:32 14192 ----a-w- c:\documents and settings\poopy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-27 20:10 . 2010-04-27 20:05 -------- d-----w- c:\program files\MS Office 2007 Portable (6-in-1)
2010-04-24 17:46 . 2010-04-23 20:50 5642 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-04-24 17:46 . 2010-04-23 20:50 5642 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-04-24 17:44 . 2010-04-23 20:50 88 --sh--r- c:\documents and settings\All Users\Application Data\DFEC9160E9.sys
2010-04-24 17:44 . 2010-04-23 20:50 88 --sh--r- c:\documents and settings\All Users\Application Data\DFEC9160E9.sys
2010-04-23 20:46 . 2010-04-23 20:46 -------- d-----w- c:\program files\SmartSound Software
2010-04-23 20:46 . 2010-04-23 20:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SmartSound Software Inc
2010-04-23 20:34 . 2010-04-23 20:34 -------- d-----w- c:\program files\Windows Media Components
2010-04-23 19:14 . 2009-11-13 00:16 -------- d-----w- c:\program files\DivX
2010-04-23 18:48 . 2010-04-23 18:48 -------- d-----w- c:\documents and settings\poopy\Application Data\D-Zed Software
2010-04-23 18:48 . 2010-04-23 18:48 -------- d-----w- c:\program files\D-Zed Software
2010-04-23 18:48 . 2010-04-23 18:48 -------- d-----w- c:\documents and settings\All Users\Application Data\D-Zed Software
2010-04-09 18:21 . 2010-04-09 18:21 50354 ----a-w- c:\documents and settings\poopy\Application Data\Facebook\uninstall.exe
2010-03-26 01:25 . 2010-03-26 09:45 666576 ----a-w- c:\documents and settings\poopy\Application Data\Mozilla\Firefox\Profiles\h3y7lxxk.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-03-26 01:25 . 2010-03-26 09:45 828816 ----a-w- c:\documents and settings\poopy\Application Data\Mozilla\Firefox\Profiles\h3y7lxxk.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-03-24 06:41 . 2010-02-11 13:59 120 ----a-w- c:\windows\Lxepumamumuse.dat
2010-03-24 06:41 . 2010-02-11 13:59 0 ----a-w- c:\windows\Dneyeye.bin
2010-03-21 13:22 . 2010-03-21 13:25 34399664 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Nokia_PC_Suite_eng_web(2).exe
2010-03-21 13:09 . 2010-03-21 13:09 3351812 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{D8DDC00B-2881-407D-AAC2-44AEE70AF0B7}\Installer\CommonCustomActions\msxml6Exec.exe
2010-03-21 13:09 . 2010-03-21 13:09 36864 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{D8DDC00B-2881-407D-AAC2-44AEE70AF0B7}\Installer\CommonCustomActions\Sleep.exe
2010-03-21 13:09 . 2010-03-21 13:09 3203453 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{D8DDC00B-2881-407D-AAC2-44AEE70AF0B7}\Installer\CommonCustomActions\vcredistExec.exe
2010-03-21 13:09 . 2010-03-21 13:11 34642680 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{D8DDC00B-2881-407D-AAC2-44AEE70AF0B7}\NokiaSoftwareUpdaterSetup_en.exe
2010-03-21 13:04 . 2010-03-21 13:04 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\pcswpcsi.exe
2010-03-21 13:04 . 2010-03-21 13:04 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstCCD.exe
2010-03-21 13:04 . 2010-03-21 13:04 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2010-03-21 13:04 . 2010-03-21 13:04 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstPCS.exe
2010-03-21 13:03 . 2010-03-21 13:04 34399664 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Nokia_PC_Suite_eng_web.exe
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2007-01-30 1432064]
"BitComet"="c:\program files\BitLord\BitLord.exe" [2005-05-07 2224128]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-06-11 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-06-15 6803456]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-06-15 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-02-18 23:30 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\J:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk
backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Password .lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Password .lnk
backup=c:\windows\pss\Password .lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Password.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Password.lnk
backup=c:\windows\pss\Password.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 16:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 06:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 17:43 69632 ----a-w- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
2005-05-07 00:47 2224128 ----a-w- c:\program files\BitLord\BitLord.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-08-04 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]
2006-03-22 23:13 1591808 ----a-w- c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2008-12-18 22:42 76304 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-04 00:06 1667584 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2005-06-15 17:20 6803456 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2005-06-15 17:20 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2005-06-15 17:20 1519616 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 16:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-10-30 18:49 16269312 ----a-w- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 17:04 2879488 ----a-w- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 15:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 04:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
2009-10-15 01:28 5238258 ----a-w- c:\program files\Vidalia Bundle\Vidalia\vidalia.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2010-05-25 16:08 37888 ----a-w- c:\program files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [15/03/2010 14:47 58984]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [15/03/2010 14:47 116328]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [24/07/2009 08:33 10384]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [15/03/2010 14:47 779496]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [07/05/2010 12:27 136176]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [01/07/2009 08:18 685816]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PGFILTER
.
Contents of the 'Scheduled Tasks' folder

2010-05-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-07 11:27]

2010-06-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-07 11:27]

2010-06-12 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-03-25 22:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\poopy\Application Data\Mozilla\Firefox\Profiles\h3y7lxxk.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - component: c:\documents and settings\poopy\Application Data\Mozilla\Firefox\Profiles\h3y7lxxk.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\poopy\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\poopy\Application Data\Mozilla\Firefox\Profiles\h3y7lxxk.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Kpigopolo - c:\windows\aqilofos.dll
MSConfigStartUp-PC Suite Tray - c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe
MSConfigStartUp-ServUTrayIcon - c:\program files\RhinoSoft.com\Serv-U\Serv-U-Tray.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-12 16:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(4628)
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\program files\SmartFTP Client\en-US\sfShellTools.dll.mui
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-06-12 16:39:55 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-12 15:39

Pre-Run: 570,765,312 bytes free
Post-Run: 605,511,680 bytes free

- - End Of File - - 9E1D140FA7B8CB20CA4A4C3EA68AF74C


#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:11:04 PM

Posted 12 June 2010 - 05:16 PM

Unless you know what these are, please run the following two files through the online scan below:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Go to Jotti

When the Jotti page has finished loading, click the Browse button, navigate to each of the following files and click Submit.

c:\windows\Lxepumamumuse.dat
c:\windows\Dneyeye.bin

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at VirusTotal
m0le is a proud member of UNITE
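
An added example, not part of m0le's post or of the original thread: a short Python script that does locally what a triager would want before handing files to Jotti or VirusTotal. It computes the SHA-256 and MD5 of each suspect file (so a hash lookup can be tried first, without uploading a possibly private file) and reports a status that catches the two cases that come up in this thread: a file that no longer exists on disk, and a 0-byte file, which the online scanners refuse. The files it creates are constructed stand-ins named after c:\windows\Lxepumamumuse.dat and c:\windows\Dneyeye.bin; their contents are made up for the example and are not the real files from the log.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read in 1 MiB pieces so a large sample is not loaded into memory at once


def probe_file(path):
    """Return size and hashes for one suspect file, plus a status a triager can act on.

    status is one of:
      "missing" - path does not exist or is not a regular file
      "empty"   - 0 bytes; online scanners reject these, so there is nothing to upload
      "ready"   - hashes computed; try a hash lookup before uploading the file itself
    """
    if not os.path.isfile(path):
        return {"path": path, "status": "missing", "size": None,
                "sha256": None, "md5": None}

    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    size = 0
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            size += len(block)
            sha256.update(block)
            md5.update(block)

    status = "empty" if size == 0 else "ready"
    return {"path": path, "status": status, "size": size,
            "sha256": sha256.hexdigest(), "md5": md5.hexdigest()}


def probe_files(paths):
    """Probe every path in order; order is preserved so results line up with the request."""
    return [probe_file(p) for p in paths]


def make_sample_files():
    """Create constructed stand-ins in a temp directory (not the real files from the log).

    Returns three paths: a small non-empty file, a 0-byte file like Dneyeye.bin in the
    thread, and a path that does not exist at all.
    """
    d = tempfile.mkdtemp(prefix="combofix-samples-")
    dat = os.path.join(d, "Lxepumamumuse.dat")
    binf = os.path.join(d, "Dneyeye.bin")
    with open(dat, "wb") as fh:
        fh.write(b"hello")      # arbitrary constructed content, only to give a non-empty file
    open(binf, "wb").close()    # 0-byte file, the case Jotti rejected in the thread
    return [dat, binf, os.path.join(d, "does-not-exist.dll")]


if __name__ == "__main__":
    for r in probe_files(make_sample_files()):
        print(f"{r['status']:8} size={r['size']}  sha256={r['sha256']}  {r['path']}")
```

The SHA-256 is the value to paste into a VirusTotal or Jotti hash search; if the hash is already known there is no need to upload, and if the status is "empty" or "missing" the file cannot be submitted anyway and the next step is to explain that in the reply rather than retry the upload.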

#15 Anna-Liisa

Anna-Liisa
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Gender:Female
  • Location:UK
  • Local time:07:04 PM

Posted 12 June 2010 - 08:56 PM

c:\windows\Dneyeye.bin says:
Status:
File is empty (0 bytes)!

and the other:
Filename: Lxepumamumuse.dat
Status:
Scan finished. 0 out of 19 scanners reported malware.



