
Antimalware doctor and browser search hijacking


  • This topic is locked
23 replies to this topic

#1 trburkholder

trburkholder

  • Members
  • 13 posts

Posted 01 June 2010 - 11:22 AM

Last night, my son installed some variety of Antimalware Doctor.

I think I removed that using Malwarebytes Anti-Malware, but in the meantime, something keeps writing over the Google search plugin in Program Files/Mozilla Firefox/searchplugins as well as the Google search provider in IE 8.
Whatever it is redirects searches in Safari, Firefox and IE to search.wish-search.com. If you go directly to Google, something redirects URLs like hxxp://www.superantispyware.com/?rid=3324 to random search sites.

I've deleted the Mozilla Firefox program and the Program Files/Mozilla Firefox folder.
mbam detected and removed several BHO objects and malware (see attached zipped mbam log files), but it doesn't detect whatever this is and neither does SuperAntiSpyware.
There is an entry in the Add/Remove Programs for a Performance Platform Voguecash application which cannot be removed.
I've only logged in as my son, but up to 3 instances of rundll32.exe start up on login. At least two appear to be related to the malware.

gmer seems to crash right after starting to scan WINDOWS\system32\DRIVERS

Any advice on what to look for or delete would be greatly appreciated.

Tom


(Note, my system drive is k:/)


DDS (Ver_10-03-17.01) - NTFSx86
Run by alan at 10:44:56.20 on Tue 06/01/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2506 [GMT -4:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

K:\WINDOWS\system32\nvsvc32.exe
K:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
K:\WINDOWS\System32\svchost.exe -k netsvcs
K:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
K:\WINDOWS\system32\spoolsv.exe
svchost.exe
K:\WINDOWS\System32\svchost.exe -k Akamai
K:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
K:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
K:\Program Files\Java\jre6\bin\jqs.exe
K:\Program Files\McAfee\Common Framework\FrameworkService.exe
K:\Program Files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
K:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
K:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
K:\Program Files\CDBurnerXP\NMSAccessU.exe
K:\WINDOWS\System32\svchost.exe -k imgsvc
K:\Program Files\Viewpoint\Common\ViewpointService.exe
K:\WINDOWS\system32\wuauclt.exe
K:\Program Files\Canon\CAL\CALMAIN.exe
K:\WINDOWS\Explorer.EXE
K:\WINDOWS\System32\svchost.exe -k HTTPFilter
K:\WINDOWS\RTHDCPL.EXE
K:\Program Files\McAfee\Common Framework\UdaterUI.exe
K:\WINDOWS\system32\rundll32.exe
K:\WINDOWS\system32\RUNDLL32.EXE
K:\Program Files\iTunes\iTunesHelper.exe
K:\Program Files\Common Files\Java\Java Update\jusched.exe
K:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
K:\WINDOWS\system32\ctfmon.exe
K:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
K:\Program Files\McAfee\Common Framework\McTray.exe
K:\Program Files\iPod\bin\iPodService.exe
K:\Documents and Settings\alan\Desktop\gmer.exe
M:\dds.scr
K:\WINDOWS\system32\taskmgr.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ign.com/
BHO: {03097B3E-DF1E-4119-B7C0-74845BEA0EF5} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - k:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {4E74FD4F-85B6-C7C1-401D-5C48948CEAFE} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - k:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - k:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: {B897D236-2A23-46CD-8789-11E02A62843D} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - k:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - k:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - k:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Aim6]
uRun: [EA Core] "k:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [SpybotSD TeaTimer] k:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] k:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] k:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ShStatEXE] "k:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "k:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [AppleSyncNotifier] k:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [NvCplDaemon] RUNDLL32.EXE k:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE k:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [amd_dc_opt] k:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [QuickTime Task] "k:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "k:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "k:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "k:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "k:\program files\common files\java\java update\jusched.exe"
mPolicies-system: EnableLUA = 0 (0x0)
IE: Add to Google Photos Screensa&ver - k:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - k:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - k:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229010388343
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF}
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: {D8F5FBA4-80FF-4258-B205-603A34E766A6} = 192.168.1.1,208.67.220.220
Notify: !SASWinLogon - k:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - k:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - k:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 HWiNFO32;HWiNFO32 Kernel Driver;k:\program files\hwinfo32\HWiNFO32.SYS [2010-1-14 19064]
R1 mferkdk;VSCore mferkdk;k:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R1 SASDIFSV;SASDIFSV;k:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;k:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 Akamai;Akamai NetSession Interface;k:\windows\system32\svchost.exe -k Akamai [2003-3-31 14336]
R2 cpuz132;cpuz132;k:\windows\system32\drivers\cpuz132_x32.sys [2010-1-14 12672]
R3 mfeavfk;McAfee Inc.;k:\windows\system32\drivers\mfeavfk.sys [2008-12-11 72264]
R3 mfebopk;McAfee Inc.;k:\windows\system32\drivers\mfebopk.sys [2008-12-11 34152]
R3 mfehidk;McAfee Inc.;k:\windows\system32\drivers\mfehidk.sys [2008-12-11 170408]
S2 gupdate1c99889d504a85f;Google Update Service (gupdate1c99889d504a85f);k:\program files\google\update\GoogleUpdate.exe [2009-2-26 133104]
S3 FLASHSYS;FLASHSYS;\??\k:\program files\msi\live update 4\lu4\flashsys.sys --> k:\program files\msi\live update 4\lu4\FLASHSYS.sys [?]
S3 QCEmerald;Logitech QuickCam Web;k:\windows\system32\drivers\ovce.sys [2009-4-9 31872]
S3 TMPassthruMP;TMPassthruMP;k:\windows\system32\drivers\tmpassthru.sys --> k:\windows\system32\drivers\TMPassthru.sys [?]

=============== Created Last 30 ================

2010-06-01 12:56:03 73728 ----a-w- k:\windows\system32\javacpl.cpl
2010-06-01 12:56:03 411368 ----a-w- k:\windows\system32\deployJava1.dll
2010-06-01 11:08:13 0 d-----w- k:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-06-01 10:49:41 0 d-----w- k:\program files\JRE
2010-06-01 00:52:48 0 d-----w- k:\docume~1\alan\applic~1\Street-Ads
2010-06-01 00:52:41 0 d-----w- k:\docume~1\alan\applic~1\Sky-Banners
2010-06-01 00:50:50 34688 -c--a-w- k:\windows\system32\dllcache\lbrtfdc.sys
2010-06-01 00:50:50 34688 ----a-w- k:\windows\system32\drivers\lbrtfdc.sys
2010-06-01 00:50:50 0 d-----w- k:\docume~1\alluse~1\applic~1\Update
2010-06-01 00:50:49 8576 -c--a-w- k:\windows\system32\dllcache\i2omgmt.sys
2010-06-01 00:50:49 8576 ----a-w- k:\windows\system32\drivers\i2omgmt.sys
2010-06-01 00:50:48 8192 -c--a-w- k:\windows\system32\dllcache\changer.sys
2010-06-01 00:50:48 8192 ----a-w- k:\windows\system32\drivers\changer.sys
2010-06-01 00:50:21 0 d-----w- k:\docume~1\alan\applic~1\E65104B963EA58D7DD03791E29C2EAF6
2010-05-31 01:45:04 14077 ----a-w- k:\documents and settings\alan\.recently-used.xbel
2010-05-05 22:10:38 0 d-----w- k:\docume~1\alan\applic~1\LucasArts
2010-05-05 20:23:58 12800 ----a-r- k:\windows\system32\WING32.DLL

==================== Find3M ====================

2010-06-01 11:59:29 33088 ---ha-w- k:\windows\system32\mlfcache.dat
2010-04-29 19:39:38 38224 ----a-w- k:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- k:\windows\system32\drivers\mbam.sys
2010-04-16 12:33:36 41472 ----a-w- k:\windows\system32\drivers\usbaapl.sys
2010-04-16 12:33:36 3003680 ----a-w- k:\windows\system32\usbaaplrc.dll
2010-04-08 17:20:02 91424 ----a-w- k:\windows\system32\dnssd.dll
2010-04-08 17:20:02 107808 ----a-w- k:\windows\system32\dns-sd.exe
2010-04-07 18:38:51 1700352 ----a-w- k:\windows\system32\gdiplus.dll
2010-03-10 06:15:52 420352 ----a-w- k:\windows\system32\vbscript.dll

============= FINISH: 10:47:06.53 ===============

Attached Files


Edited by Orange Blossom, 01 June 2010 - 09:59 PM.
Deactivate link. ~ OB




#2 trburkholder

trburkholder
  • Topic Starter
  • Members
  • 13 posts

Posted 02 June 2010 - 11:46 AM

GMER ran to completion in Safe mode. Log attached.

Attached Files



#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 02 June 2010 - 03:10 PM

Hello.

My name is Extremeboy (or EB for short), and I will be helping you with your log.

Seems you're infected with one of the newer TDL3 rootkits. Let's start off with Combofix and see if it can be dealt with. If not, we'll try something else.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.

Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#4 trburkholder

trburkholder
  • Topic Starter
  • Members
  • 13 posts

Posted 02 June 2010 - 03:30 PM

Thanks for your reply, I'll do that when I get home tonight.

#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 02 June 2010 - 03:32 PM

Sounds good.

Talk to you soon then.

#6 trburkholder

trburkholder
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:04:58 AM

Posted 02 June 2010 - 09:20 PM

Here's the ComboFix log


ComboFix 10-06-02.02 - alan 06/02/2010 22:00:46.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2733 [GMT -4:00]
Running from: k:\documents and settings\alan\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

k:\documents and settings\alan\Local Settings\Application Data\Windows Server
k:\documents and settings\alan\Local Settings\Application Data\Windows Server\flags.ini
k:\documents and settings\alan\Local Settings\Application Data\Windows Server\uses32.dat

.
((((((((((((((((((((((((( Files Created from 2010-05-03 to 2010-06-03 )))))))))))))))))))))))))))))))
.

2010-06-02 12:58 . 2010-06-02 12:58 552 ----a-w- k:\windows\system32\d3d8caps.dat
2010-06-02 01:37 . 2010-06-02 01:37 63488 ----a-w- k:\documents and settings\tina\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-02 01:37 . 2010-06-02 01:37 52224 ----a-w- k:\documents and settings\tina\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-02 01:37 . 2010-06-02 01:37 117760 ----a-w- k:\documents and settings\tina\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-02 01:37 . 2010-06-02 01:37 -------- d-----w- k:\documents and settings\tina\Application Data\SUPERAntiSpyware.com
2010-06-02 00:08 . 2010-06-02 00:08 1 ----a-w- k:\documents and settings\Brianna\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-01 12:56 . 2010-06-01 12:56 -------- d-----w- k:\program files\Common Files\Java
2010-06-01 12:56 . 2010-06-01 12:55 411368 ----a-w- k:\windows\system32\deployJava1.dll
2010-06-01 12:32 . 2010-06-01 12:32 61440 ----a-w- k:\documents and settings\alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-52345546-n\decora-sse.dll
2010-06-01 12:32 . 2010-06-01 12:32 503808 ----a-w- k:\documents and settings\alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-60224102-n\msvcp71.dll
2010-06-01 12:32 . 2010-06-01 12:32 499712 ----a-w- k:\documents and settings\alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-60224102-n\jmc.dll
2010-06-01 12:32 . 2010-06-01 12:32 348160 ----a-w- k:\documents and settings\alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-60224102-n\msvcr71.dll
2010-06-01 12:32 . 2010-06-01 12:32 12800 ----a-w- k:\documents and settings\alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-52345546-n\decora-d3d.dll
2010-06-01 11:08 . 2010-06-01 11:08 63488 ----a-w- k:\documents and settings\alan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-01 11:08 . 2010-06-01 11:08 52224 ----a-w- k:\documents and settings\alan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-01 11:08 . 2010-06-01 11:08 117760 ----a-w- k:\documents and settings\alan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-01 11:08 . 2010-06-01 11:08 -------- d-----w- k:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-01 10:49 . 2010-06-01 10:49 -------- d-----w- k:\program files\JRE
2010-06-01 00:52 . 2010-06-01 13:00 -------- d-----w- k:\documents and settings\alan\Application Data\Street-Ads
2010-06-01 00:52 . 2010-06-01 00:52 -------- d-----w- k:\documents and settings\alan\Application Data\Sky-Banners
2010-06-01 00:50 . 2010-06-01 15:19 -------- d-----w- k:\documents and settings\All Users\Application Data\Update
2010-06-01 00:50 . 2008-04-13 17:40 34688 -c--a-w- k:\windows\system32\dllcache\lbrtfdc.sys
2010-06-01 00:50 . 2008-04-13 17:40 34688 ----a-w- k:\windows\system32\drivers\lbrtfdc.sys
2010-06-01 00:50 . 2008-04-13 17:41 8576 -c--a-w- k:\windows\system32\dllcache\i2omgmt.sys
2010-06-01 00:50 . 2008-04-13 17:41 8576 ----a-w- k:\windows\system32\drivers\i2omgmt.sys
2010-06-01 00:50 . 2008-04-13 17:40 8192 -c--a-w- k:\windows\system32\dllcache\changer.sys
2010-06-01 00:50 . 2008-04-13 17:40 8192 ----a-w- k:\windows\system32\drivers\changer.sys
2010-06-01 00:50 . 2010-06-01 02:13 -------- d-----w- k:\documents and settings\alan\Application Data\E65104B963EA58D7DD03791E29C2EAF6
2010-05-12 19:00 . 2010-05-12 19:00 -------- d-----w- k:\documents and settings\Brianna\Local Settings\Application Data\Adobe
2010-05-12 18:06 . 2010-05-12 18:06 -------- d-----w- k:\documents and settings\Brianna\Application Data\Apple Computer
2010-05-07 13:40 . 2010-05-07 13:41 -------- d-----w- k:\documents and settings\tom\My Music
2010-05-05 22:10 . 2010-05-05 22:10 -------- d-----w- k:\documents and settings\alan\Application Data\LucasArts
2010-05-05 20:23 . 1994-12-06 04:00 12800 ----a-r- k:\windows\system32\WING32.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-03 01:56 . 2010-03-11 22:32 -------- d-----w- k:\program files\Common Files\Akamai
2010-06-03 00:16 . 2008-12-13 00:20 1 ----a-w- k:\documents and settings\alan\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-02 00:18 . 2008-12-15 17:22 1 ----a-w- k:\documents and settings\tina\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-01 23:02 . 2008-12-11 16:44 -------- d-----w- k:\program files\Mozilla Thunderbird
2010-06-01 21:10 . 2008-12-13 18:28 1 ----a-w- k:\documents and settings\eric\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-01 13:31 . 2009-02-27 03:27 -------- d-----w- k:\program files\Xming
2010-06-01 13:28 . 2008-12-11 23:07 41536 ----a-w- k:\documents and settings\alan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-01 13:20 . 2008-12-11 18:28 -------- d-----w- k:\program files\Java
2010-06-01 13:04 . 2010-01-25 00:07 -------- d-----w- k:\program files\Pan
2010-06-01 13:01 . 2009-12-25 23:01 -------- d-----w- k:\program files\Common Files\Adobe
2010-06-01 13:01 . 2010-01-30 14:27 -------- d-----w- k:\documents and settings\All Users\Application Data\5Spice Analysis
2010-06-01 11:59 . 2009-11-27 18:47 33088 ---ha-w- k:\windows\system32\mlfcache.dat
2010-06-01 11:58 . 2008-12-19 15:45 -------- d-----w- k:\documents and settings\alan\Application Data\Apple Computer
2010-06-01 11:08 . 2010-02-15 11:54 -------- d-----w- k:\documents and settings\alan\Application Data\SUPERAntiSpyware.com
2010-06-01 11:07 . 2010-02-15 11:54 -------- d-----w- k:\program files\SUPERAntiSpyware
2010-06-01 11:07 . 2009-10-01 19:19 -------- d-----w- k:\program files\Common Files\Wise Installation Wizard
2010-06-01 10:49 . 2008-12-11 18:33 -------- d-----w- k:\program files\OpenOffice.org 3
2010-05-31 01:43 . 2009-05-16 14:11 -------- d-----w- k:\documents and settings\alan\Application Data\gtk-2.0
2010-05-30 20:20 . 2009-08-25 17:22 -------- d-----w- k:\program files\LEGO Island
2010-05-29 20:53 . 2010-03-09 23:20 -------- d-----w- k:\program files\Frets on Fire
2010-05-15 12:04 . 2009-02-27 03:16 -------- d-----w- k:\program files\Google
2010-05-07 13:36 . 2010-01-25 12:30 -------- d-----w- k:\documents and settings\tom\Application Data\Dropbox
2010-05-05 22:01 . 2009-05-25 12:57 -------- d-----w- k:\program files\LucasArts
2010-05-01 22:17 . 2008-12-12 23:39 1324 ----a-w- k:\windows\system32\d3d9caps.dat
2010-05-01 18:06 . 2010-01-26 13:53 -------- d-----w- k:\documents and settings\tom\Application Data\vlc
2010-05-01 10:58 . 2010-05-01 10:58 -------- d-----w- k:\program files\iTunes
2010-05-01 10:58 . 2010-05-01 10:58 -------- d-----w- k:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-01 10:58 . 2010-05-01 10:58 -------- d-----w- k:\program files\iPod
2010-05-01 10:58 . 2008-12-12 21:25 -------- d-----w- k:\program files\Common Files\Apple
2010-05-01 10:56 . 2010-05-01 10:55 -------- d-----w- k:\program files\QuickTime
2010-05-01 10:52 . 2010-05-01 10:52 -------- d-----w- k:\program files\Bonjour
2010-05-01 10:50 . 2010-05-01 10:50 73000 ----a-w- k:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-04-29 19:39 . 2010-02-10 22:17 38224 ----a-w- k:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-02-10 22:17 20952 ----a-w- k:\windows\system32\drivers\mbam.sys
2010-04-16 12:33 . 2009-03-15 19:01 3003680 ----a-w- k:\windows\system32\usbaaplrc.dll
2010-04-16 12:33 . 2008-12-12 21:25 41472 ----a-w- k:\windows\system32\drivers\usbaapl.sys
2010-04-15 19:20 . 2009-01-02 22:07 -------- d-----w- k:\program files\Telltale Games
2010-04-11 16:58 . 2010-04-11 16:58 55287536 ----a-w- k:\documents and settings\alan\Application Data\LEGO Company\LEGO Digital Designer\setupLDD-PC-3_1_3.exe
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- k:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- k:\windows\system32\dns-sd.exe
2010-04-07 18:38 . 2010-04-07 18:38 1700352 ----a-w- k:\windows\system32\gdiplus.dll
2010-03-10 06:15 . 2003-03-31 12:00 420352 ----a-w- k:\windows\system32\vbscript.dll
2010-03-07 18:45 . 2010-03-07 18:45 144160 ----a-w- k:\documents and settings\tom\Application Data\Move Networks\uninstall.exe
2010-03-07 18:45 . 2009-12-10 19:26 4187512 ----a-w- k:\documents and settings\tom\Application Data\Move Networks\plugins\npqmp071505000011.dll
2010-03-07 18:44 . 2010-03-07 18:44 1436320 ----a-w- k:\documents and settings\tom\Application Data\Move Networks\MoveMediaPlayerWinSilent_071505000011.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="k:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="k:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-18 2397424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 16132608]
"ShStatEXE"="k:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-02-23 112216]
"McAfeeUpdaterUI"="k:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"AppleSyncNotifier"="k:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"NvCplDaemon"="k:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"NvMediaCenter"="k:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"amd_dc_opt"="k:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"QuickTime Task"="k:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="k:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Adobe Reader Speed Launcher"="k:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="k:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="k:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

k:\documents and settings\Brianna\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - k:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]

k:\documents and settings\eric\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - k:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]

k:\documents and settings\tina\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - k:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "k:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- k:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"k:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"k:\\Program Files\\AIM6\\aim6.exe"=
"k:\\Program Files\\BitTorrent\\bittorrent.exe"=
"k:\\Documents and Settings\\tom\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"k:\\WINDOWS\\system32\\sessmgr.exe"=
"k:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"k:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1032:TCP"= 1032:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R1 HWiNFO32;HWiNFO32 Kernel Driver;k:\program files\HWiNFO32\HWiNFO32.SYS [1/14/2010 10:15 AM 19064]
R1 SASDIFSV;SASDIFSV;k:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;k:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 Akamai;Akamai NetSession Interface;k:\windows\System32\svchost.exe -k Akamai [3/31/2003 8:00 AM 14336]
R2 Viewpoint Manager Service;Viewpoint Manager Service;k:\program files\Viewpoint\Common\ViewpointService.exe [12/12/2008 5:27 PM 24652]
S2 gupdate1c99889d504a85f;Google Update Service (gupdate1c99889d504a85f);k:\program files\Google\Update\GoogleUpdate.exe [2/26/2009 11:16 PM 133104]
S3 FLASHSYS;FLASHSYS;\??\k:\program files\MSI\Live Update 4\LU4\FLASHSYS.sys --> k:\program files\MSI\Live Update 4\LU4\FLASHSYS.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;k:\windows\system32\drivers\mbamswissarmy.sys [2/10/2010 6:17 PM 38224]
S3 QCEmerald;Logitech QuickCam Web;k:\windows\system32\drivers\ovce.sys [4/9/2009 4:52 PM 31872]
S3 TMPassthruMP;TMPassthruMP;k:\windows\system32\DRIVERS\TMPassthru.sys --> k:\windows\system32\DRIVERS\TMPassthru.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-05-30 k:\windows\Tasks\AppleSoftwareUpdate.job
- k:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-06-03 k:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- k:\program files\Google\Update\GoogleUpdate.exe [2009-02-27 03:16]

2010-06-03 k:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- k:\program files\Google\Update\GoogleUpdate.exe [2009-02-27 03:16]

2010-06-01 k:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-1336601894-682003330-1003Core.job
- k:\documents and settings\tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-20 12:36]

2010-06-03 k:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-1336601894-682003330-1003UA.job
- k:\documents and settings\tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-20 12:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ign.com/
IE: Add to Google Photos Screensa&ver - k:\windows\system32\GPhotos.scr/200
TCP: {D8F5FBA4-80FF-4258-B205-603A34E766A6} = 192.168.1.1,208.67.220.220
DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF}
.
- - - - ORPHANS REMOVED - - - -

BHO-{03097B3E-DF1E-4119-B7C0-74845BEA0EF5} - (no file)
BHO-{4E74FD4F-85B6-C7C1-401D-5C48948CEAFE} - (no file)
BHO-{B897D236-2A23-46CD-8789-11E02A62843D} - (no file)
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
HKCU-Run-Aim6 - (no file)
HKCU-Run-EA Core - k:\program files\Electronic Arts\EADM\Core.exe
AddRemove-rdxuqlafouyydqrx - k:\windows\system32\rdxuqlafouyydqrx.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-02 22:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys >>UNKNOWN [0x8A5BEAEA]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb810cf28
\Driver\ACPI -> ACPI.sys @ 0xb7f7fcb8
\Driver\atapi -> atapi.sys @ 0xb7f11852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xb7e0abb0
PacketIndicateHandler -> NDIS.sys @ 0xb7df9a0d
SendHandler -> NDIS.sys @ 0xb7e0db40
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1202660629-1336601894-682003330-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:7f,97,76,a8,1c,d9,03,5c,4a,73,30,3a,ae,3b,72,11,04,34,84,d0,7e,21,48,
7c,5c,41,46,c1,34,0e,74,d2,29,78,16,44,82,83,73,ad,42,c1,78,6a,a3,0d,02,f5,\
"??"=hex:44,7d,07,b6,f4,ca,45,ce,7a,11,2c,2a,70,4e,52,5c

[HKEY_USERS\S-1-5-21-1202660629-1336601894-682003330-1006\Software\SecuROM\License information*]
"datasecu"=hex:37,3d,ca,86,9f,21,fa,26,ff,4c,6f,63,d1,12,99,7f,28,d2,6e,94,39,
a2,90,08,7f,64,fe,5f,fa,4f,a8,69,71,bd,a4,2b,07,d4,a4,8a,ea,5d,23,3e,ed,cb,\
"rkeysecu"=hex:06,ae,06,01,3c,78,a9,54,cd,6a,2c,0b,2f,f0,d5,9e
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
k:\windows\system32\WININET.dll
k:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'lsass.exe'(828)
k:\windows\system32\WININET.dll
.
Completion time: 2010-06-02 22:15:35
ComboFix-quarantined-files.txt 2010-06-03 02:15
ComboFix2.txt 2010-02-10 23:36

Pre-Run: 249,188,990,976 bytes free
Post-Run: 251,236,143,104 bytes free

- - End Of File - - DA5B18C5BE25667F4EBE0CFC6D03DAE6


#7 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 03 June 2010 - 02:43 PM

Hello.

The driver was not dealt with successfully; let's try the following...

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    CODE
    TDL::
    K:\WINDOWS\system32\DRIVERS\kbdhid.sys
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)

    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#8 trburkholder
  • Topic Starter
  • Members
  • 13 posts

Posted 04 June 2010 - 04:58 AM

Here are the results from the CFScript run:


ComboFix 10-06-02.02 - alan 06/03/2010 20:46:42.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2869 [GMT -4:00]
Running from: k:\documents and settings\alan\Desktop\ComboFix.exe
Command switches used :: k:\documents and settings\alan\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((( Files Created from 2010-05-04 to 2010-06-04 )))))))))))))))))))))))))))))))
.

2010-06-02 12:58 . 2010-06-02 12:58 552 ----a-w- k:\windows\system32\d3d8caps.dat
2010-06-02 01:37 . 2010-06-02 01:37 63488 ----a-w- k:\documents and settings\tina\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-02 01:37 . 2010-06-02 01:37 52224 ----a-w- k:\documents and settings\tina\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-02 01:37 . 2010-06-02 01:37 117760 ----a-w- k:\documents and settings\tina\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-02 01:37 . 2010-06-02 01:37 -------- d-----w- k:\documents and settings\tina\Application Data\SUPERAntiSpyware.com
2010-06-02 00:08 . 2010-06-02 00:08 1 ----a-w- k:\documents and settings\Brianna\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-01 12:56 . 2010-06-01 12:56 -------- d-----w- k:\program files\Common Files\Java
2010-06-01 12:56 . 2010-06-01 12:55 411368 ----a-w- k:\windows\system32\deployJava1.dll
2010-06-01 12:32 . 2010-06-01 12:32 61440 ----a-w- k:\documents and settings\alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-52345546-n\decora-sse.dll
2010-06-01 12:32 . 2010-06-01 12:32 503808 ----a-w- k:\documents and settings\alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-60224102-n\msvcp71.dll
2010-06-01 12:32 . 2010-06-01 12:32 499712 ----a-w- k:\documents and settings\alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-60224102-n\jmc.dll
2010-06-01 12:32 . 2010-06-01 12:32 348160 ----a-w- k:\documents and settings\alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-60224102-n\msvcr71.dll
2010-06-01 12:32 . 2010-06-01 12:32 12800 ----a-w- k:\documents and settings\alan\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-52345546-n\decora-d3d.dll
2010-06-01 11:08 . 2010-06-01 11:08 63488 ----a-w- k:\documents and settings\alan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-01 11:08 . 2010-06-01 11:08 52224 ----a-w- k:\documents and settings\alan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-01 11:08 . 2010-06-01 11:08 117760 ----a-w- k:\documents and settings\alan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-01 11:08 . 2010-06-01 11:08 -------- d-----w- k:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-01 10:49 . 2010-06-01 10:49 -------- d-----w- k:\program files\JRE
2010-06-01 00:52 . 2010-06-01 13:00 -------- d-----w- k:\documents and settings\alan\Application Data\Street-Ads
2010-06-01 00:52 . 2010-06-01 00:52 -------- d-----w- k:\documents and settings\alan\Application Data\Sky-Banners
2010-06-01 00:50 . 2010-06-01 15:19 -------- d-----w- k:\documents and settings\All Users\Application Data\Update
2010-06-01 00:50 . 2008-04-13 17:40 34688 -c--a-w- k:\windows\system32\dllcache\lbrtfdc.sys
2010-06-01 00:50 . 2008-04-13 17:40 34688 ----a-w- k:\windows\system32\drivers\lbrtfdc.sys
2010-06-01 00:50 . 2008-04-13 17:41 8576 -c--a-w- k:\windows\system32\dllcache\i2omgmt.sys
2010-06-01 00:50 . 2008-04-13 17:41 8576 ----a-w- k:\windows\system32\drivers\i2omgmt.sys
2010-06-01 00:50 . 2008-04-13 17:40 8192 -c--a-w- k:\windows\system32\dllcache\changer.sys
2010-06-01 00:50 . 2008-04-13 17:40 8192 ----a-w- k:\windows\system32\drivers\changer.sys
2010-06-01 00:50 . 2010-06-01 02:13 -------- d-----w- k:\documents and settings\alan\Application Data\E65104B963EA58D7DD03791E29C2EAF6
2010-05-12 19:00 . 2010-05-12 19:00 -------- d-----w- k:\documents and settings\Brianna\Local Settings\Application Data\Adobe
2010-05-12 18:06 . 2010-05-12 18:06 -------- d-----w- k:\documents and settings\Brianna\Application Data\Apple Computer
2010-05-07 13:40 . 2010-05-07 13:41 -------- d-----w- k:\documents and settings\tom\My Music
2010-05-05 22:10 . 2010-05-05 22:10 -------- d-----w- k:\documents and settings\alan\Application Data\LucasArts
2010-05-05 20:23 . 1994-12-06 04:00 12800 ----a-r- k:\windows\system32\WING32.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-04 00:40 . 2010-03-11 22:32 -------- d-----w- k:\program files\Common Files\Akamai
2010-06-03 00:16 . 2008-12-13 00:20 1 ----a-w- k:\documents and settings\alan\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-02 00:18 . 2008-12-15 17:22 1 ----a-w- k:\documents and settings\tina\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-01 23:02 . 2008-12-11 16:44 -------- d-----w- k:\program files\Mozilla Thunderbird
2010-06-01 21:10 . 2008-12-13 18:28 1 ----a-w- k:\documents and settings\eric\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-01 13:31 . 2009-02-27 03:27 -------- d-----w- k:\program files\Xming
2010-06-01 13:28 . 2008-12-11 23:07 41536 ----a-w- k:\documents and settings\alan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-01 13:20 . 2008-12-11 18:28 -------- d-----w- k:\program files\Java
2010-06-01 13:04 . 2010-01-25 00:07 -------- d-----w- k:\program files\Pan
2010-06-01 13:01 . 2009-12-25 23:01 -------- d-----w- k:\program files\Common Files\Adobe
2010-06-01 13:01 . 2010-01-30 14:27 -------- d-----w- k:\documents and settings\All Users\Application Data\5Spice Analysis
2010-06-01 11:59 . 2009-11-27 18:47 33088 ---ha-w- k:\windows\system32\mlfcache.dat
2010-06-01 11:58 . 2008-12-19 15:45 -------- d-----w- k:\documents and settings\alan\Application Data\Apple Computer
2010-06-01 11:08 . 2010-02-15 11:54 -------- d-----w- k:\documents and settings\alan\Application Data\SUPERAntiSpyware.com
2010-06-01 11:07 . 2010-02-15 11:54 -------- d-----w- k:\program files\SUPERAntiSpyware
2010-06-01 11:07 . 2009-10-01 19:19 -------- d-----w- k:\program files\Common Files\Wise Installation Wizard
2010-06-01 10:49 . 2008-12-11 18:33 -------- d-----w- k:\program files\OpenOffice.org 3
2010-05-31 01:43 . 2009-05-16 14:11 -------- d-----w- k:\documents and settings\alan\Application Data\gtk-2.0
2010-05-30 20:20 . 2009-08-25 17:22 -------- d-----w- k:\program files\LEGO Island
2010-05-29 20:53 . 2010-03-09 23:20 -------- d-----w- k:\program files\Frets on Fire
2010-05-15 12:04 . 2009-02-27 03:16 -------- d-----w- k:\program files\Google
2010-05-07 13:36 . 2010-01-25 12:30 -------- d-----w- k:\documents and settings\tom\Application Data\Dropbox
2010-05-05 22:01 . 2009-05-25 12:57 -------- d-----w- k:\program files\LucasArts
2010-05-01 22:17 . 2008-12-12 23:39 1324 ----a-w- k:\windows\system32\d3d9caps.dat
2010-05-01 18:06 . 2010-01-26 13:53 -------- d-----w- k:\documents and settings\tom\Application Data\vlc
2010-05-01 10:58 . 2010-05-01 10:58 -------- d-----w- k:\program files\iTunes
2010-05-01 10:58 . 2010-05-01 10:58 -------- d-----w- k:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-01 10:58 . 2010-05-01 10:58 -------- d-----w- k:\program files\iPod
2010-05-01 10:58 . 2008-12-12 21:25 -------- d-----w- k:\program files\Common Files\Apple
2010-05-01 10:56 . 2010-05-01 10:55 -------- d-----w- k:\program files\QuickTime
2010-05-01 10:52 . 2010-05-01 10:52 -------- d-----w- k:\program files\Bonjour
2010-05-01 10:50 . 2010-05-01 10:50 73000 ----a-w- k:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-04-29 19:39 . 2010-02-10 22:17 38224 ----a-w- k:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-02-10 22:17 20952 ----a-w- k:\windows\system32\drivers\mbam.sys
2010-04-16 12:33 . 2009-03-15 19:01 3003680 ----a-w- k:\windows\system32\usbaaplrc.dll
2010-04-16 12:33 . 2008-12-12 21:25 41472 ----a-w- k:\windows\system32\drivers\usbaapl.sys
2010-04-15 19:20 . 2009-01-02 22:07 -------- d-----w- k:\program files\Telltale Games
2010-04-11 16:58 . 2010-04-11 16:58 55287536 ----a-w- k:\documents and settings\alan\Application Data\LEGO Company\LEGO Digital Designer\setupLDD-PC-3_1_3.exe
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- k:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- k:\windows\system32\dns-sd.exe
2010-04-07 18:38 . 2010-04-07 18:38 1700352 ----a-w- k:\windows\system32\gdiplus.dll
2010-03-10 06:15 . 2003-03-31 12:00 420352 ----a-w- k:\windows\system32\vbscript.dll
2010-03-07 18:45 . 2010-03-07 18:45 144160 ----a-w- k:\documents and settings\tom\Application Data\Move Networks\uninstall.exe
2010-03-07 18:45 . 2009-12-10 19:26 4187512 ----a-w- k:\documents and settings\tom\Application Data\Move Networks\plugins\npqmp071505000011.dll
2010-03-07 18:44 . 2010-03-07 18:44 1436320 ----a-w- k:\documents and settings\tom\Application Data\Move Networks\MoveMediaPlayerWinSilent_071505000011.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-06-03_02.12.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-04 00:40 . 2010-06-04 00:40 16384 k:\windows\Temp\Perflib_Perfdata_6f4.dat
+ 2010-06-04 00:40 . 2010-06-04 00:40 16384 k:\windows\Temp\Perflib_Perfdata_63c.dat
- 2008-12-11 15:03 . 2010-05-31 20:32 32768 k:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-11 15:03 . 2010-06-03 12:25 32768 k:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-11 15:03 . 2010-06-03 12:25 32768 k:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-11 15:03 . 2010-05-31 20:32 32768 k:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-06-03 13:31 . 2010-06-03 12:25 16384 k:\windows\system32\config\systemprofile\Cookies\index.dat
- 2010-02-11 10:00 . 2010-05-31 20:32 16384 k:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-06-25 21:56 . 2010-06-03 02:12 245760 k:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-06-25 21:56 . 2010-06-02 23:21 245760 k:\windows\system32\config\systemprofile\IETldCache\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="k:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="k:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-18 2397424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 16132608]
"ShStatEXE"="k:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-02-23 112216]
"McAfeeUpdaterUI"="k:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"AppleSyncNotifier"="k:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"NvCplDaemon"="k:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"NvMediaCenter"="k:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"amd_dc_opt"="k:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"QuickTime Task"="k:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="k:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Adobe Reader Speed Launcher"="k:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="k:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="k:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

k:\documents and settings\Brianna\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - k:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]

k:\documents and settings\eric\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - k:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]

k:\documents and settings\tina\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - k:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "k:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- k:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"k:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"k:\\Program Files\\AIM6\\aim6.exe"=
"k:\\Program Files\\BitTorrent\\bittorrent.exe"=
"k:\\Documents and Settings\\tom\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"k:\\WINDOWS\\system32\\sessmgr.exe"=
"k:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"k:\\Program Files\\iTunes\\iTunes.exe"=

R1 HWiNFO32;HWiNFO32 Kernel Driver;k:\program files\HWiNFO32\HWiNFO32.SYS [1/14/2010 10:15 AM 19064]
R1 SASDIFSV;SASDIFSV;k:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;k:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 Akamai;Akamai NetSession Interface;k:\windows\System32\svchost.exe -k Akamai [3/31/2003 8:00 AM 14336]
R2 Viewpoint Manager Service;Viewpoint Manager Service;k:\program files\Viewpoint\Common\ViewpointService.exe [12/12/2008 5:27 PM 24652]
S2 gupdate1c99889d504a85f;Google Update Service (gupdate1c99889d504a85f);k:\program files\Google\Update\GoogleUpdate.exe [2/26/2009 11:16 PM 133104]
S3 FLASHSYS;FLASHSYS;\??\k:\program files\MSI\Live Update 4\LU4\FLASHSYS.sys --> k:\program files\MSI\Live Update 4\LU4\FLASHSYS.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;k:\windows\system32\drivers\mbamswissarmy.sys [2/10/2010 6:17 PM 38224]
S3 QCEmerald;Logitech QuickCam Web;k:\windows\system32\drivers\ovce.sys [4/9/2009 4:52 PM 31872]
S3 TMPassthruMP;TMPassthruMP;k:\windows\system32\DRIVERS\TMPassthru.sys --> k:\windows\system32\DRIVERS\TMPassthru.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-05-30 k:\windows\Tasks\AppleSoftwareUpdate.job
- k:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-06-04 k:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- k:\program files\Google\Update\GoogleUpdate.exe [2009-02-27 03:16]

2010-06-03 k:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- k:\program files\Google\Update\GoogleUpdate.exe [2009-02-27 03:16]

2010-06-01 k:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-1336601894-682003330-1003Core.job
- k:\documents and settings\tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-20 12:36]

2010-06-03 k:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-1336601894-682003330-1003UA.job
- k:\documents and settings\tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-20 12:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ign.com/
IE: Add to Google Photos Screensa&ver - k:\windows\system32\GPhotos.scr/200
TCP: {D8F5FBA4-80FF-4258-B205-603A34E766A6} = 192.168.1.1,208.67.220.220
DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF}
.
- - - - ORPHANS REMOVED - - - -

BHO-{03097B3E-DF1E-4119-B7C0-74845BEA0EF5} - (no file)
BHO-{4E74FD4F-85B6-C7C1-401D-5C48948CEAFE} - (no file)
BHO-{B897D236-2A23-46CD-8789-11E02A62843D} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-03 20:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys >>UNKNOWN [0x8A598AEA]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb810cf28
\Driver\ACPI -> ACPI.sys @ 0xb7f7fcb8
\Driver\atapi -> atapi.sys @ 0xb7f11852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xb7e0abb0
PacketIndicateHandler -> NDIS.sys @ 0xb7df9a0d
SendHandler -> NDIS.sys @ 0xb7e0db40
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1202660629-1336601894-682003330-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:7f,97,76,a8,1c,d9,03,5c,4a,73,30,3a,ae,3b,72,11,04,34,84,d0,7e,21,48,
7c,5c,41,46,c1,34,0e,74,d2,29,78,16,44,82,83,73,ad,42,c1,78,6a,a3,0d,02,f5,\
"??"=hex:44,7d,07,b6,f4,ca,45,ce,7a,11,2c,2a,70,4e,52,5c

[HKEY_USERS\S-1-5-21-1202660629-1336601894-682003330-1006\Software\SecuROM\License information*]
"datasecu"=hex:37,3d,ca,86,9f,21,fa,26,ff,4c,6f,63,d1,12,99,7f,28,d2,6e,94,39,
a2,90,08,7f,64,fe,5f,fa,4f,a8,69,71,bd,a4,2b,07,d4,a4,8a,ea,5d,23,3e,ed,cb,\
"rkeysecu"=hex:06,ae,06,01,3c,78,a9,54,cd,6a,2c,0b,2f,f0,d5,9e
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
k:\windows\system32\WININET.dll
k:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'lsass.exe'(828)
k:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2468)
k:\windows\system32\WININET.dll
k:\windows\system32\ieframe.dll
k:\windows\system32\webcheck.dll
k:\windows\system32\WPDShServiceObj.dll
k:\windows\system32\PortableDeviceTypes.dll
k:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-06-03 20:59:57
ComboFix-quarantined-files.txt 2010-06-04 00:59
ComboFix2.txt 2010-06-03 11:55
ComboFix3.txt 2010-06-03 02:15
ComboFix4.txt 2010-02-10 23:36

Pre-Run: 251,191,545,856 bytes free
Post-Run: 251,152,314,368 bytes free

- - End Of File - - 1C3445110411A3B7A1E69F99AF43EB37


#9 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 05 June 2010 - 08:38 PM

Hello.

Doesn't appear to have been removed. We need to look for a replacement copy now to replace that.

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select Run as administrator.)
  • A blank Windows shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    CODE
    :filefind
    kbdhid.*
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.



#10 trburkholder
  • Topic Starter
  • Members
  • 13 posts

Posted 06 June 2010 - 10:18 AM

Here it is. There are three instances: one is a backup from when I installed SP 3 and the other two date to about the time of the infection:

Is the next step to tell ComboFix where those kbdhid.sys files are?


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 11:12 on 06/06/2010 by tina (Administrator - Elevation successful)

========== filefind ==========

Searching for "kbdhid.*"
K:\WINDOWS\$NtServicePackUninstall$\kbdhid.sys  -----c  14848 bytes  [17:05 11/12/2008]  [05:58 04/08/2004]  E182FA8E49E8EE41B4ADC53093F3C7E6
K:\WINDOWS\ServicePackFiles\i386\kbdhid.sys  ------  14592 bytes  [05:58 04/08/2004]  [18:39 13/04/2008]  9EF487A186DEA361AA06913A75B3FA99
K:\WINDOWS\system32\dllcache\kbdhid.sys  --a--c  14592 bytes  [20:18 06/02/2010]  [18:39 13/04/2008]  9EF487A186DEA361AA06913A75B3FA99
K:\WINDOWS\system32\drivers\kbdhid.sys  --a---  14592 bytes  [20:18 06/02/2010]  [18:39 13/04/2008]  9EF487A186DEA361AA06913A75B3FA99

-=End Of File=-

Edited by extremeboy, 06 June 2010 - 05:04 PM.


#11 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 06 June 2010 - 05:07 PM

Hello.

Thanks for the log. Please avoid changing the spacing and font of the logs/text.

This is what we are going to do now...

First...

Create and Run batch script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "quote".
    QUOTE
    @Echo Off

    Copy /y "K:\Windows\ServicePackFiles\i386\kbdhid.sys" C:\
    Del %0
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input Copy.bat.
  • Hit OK.
When done properly, the icon should look like for XP machines and for Vista machines.

Double click on Copy.bat to run it. If you are using Windows Vista, please right-click and Run As Administrator...

A black DOS window shall appear and then disappear. Then, please confirm there is a file called kbdhid.sys in your C:\ drive.



Then...

Please read here under the Booting into the Recovery Console section on how to boot into the Windows Recovery Console.

Once you're in the Recovery Console and at the C:\Windows prompt, type in the following, hitting Enter on your keyboard after entering each line...

cd c:\windows\system32\drivers
ren kbdhid.sys kbdhid.old
copy c:\kbdhid.sys c:\windows\system32\drivers
exit


Typing in "exit" will reboot your computer.

Let it boot back into Normal Mode and then...

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c "mbr -t" >Log.txt&Log.txt&del Log.txt

A Notepad file will open. Post the contents of Log.txt in your next reply.

#12 trburkholder
  • Topic Starter
  • Members
  • 13 posts

Posted 06 June 2010 - 06:50 PM

I'm assuming I was supposed to replace the kbdhid.sys on the k:\ system drive so that's what I did.

Here is the log file:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
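
The two checks this thread turns on, the hashes of the kbdhid.sys copies from the SystemLook output and the UNKNOWN module in the Gmer MBR detector's "called modules" line, combined into one triage script. This is an added example, not part of the thread or of SystemLook, ComboFix or the Gmer tools; the sample data is re-typed from the logs posted above, the "live" and "reference" directory choices are this example's assumption, and the point it makes is the one the thread shows: in post #10 the live copies already matched the ServicePackFiles reference while the ComboFix log in post #8 still showed the UNKNOWN module, so a matching hash alone does not clear the disk stack.

```python
import re
from dataclasses import dataclass

# Constructed sample input, re-typed from the logs quoted in this thread:
# the SystemLook ":filefind kbdhid.*" result and two Gmer MBR-detector
# outputs (before and after the driver was replaced; hook list abridged).
SYSTEMLOOK_OUTPUT = r"""
Searching for "kbdhid.*"
K:\WINDOWS\$NtServicePackUninstall$\kbdhid.sys  -----c  14848 bytes  [17:05 11/12/2008]  [05:58 04/08/2004]  E182FA8E49E8EE41B4ADC53093F3C7E6
K:\WINDOWS\ServicePackFiles\i386\kbdhid.sys  ------  14592 bytes  [05:58 04/08/2004]  [18:39 13/04/2008]  9EF487A186DEA361AA06913A75B3FA99
K:\WINDOWS\system32\dllcache\kbdhid.sys  --a--c  14592 bytes  [20:18 06/02/2010]  [18:39 13/04/2008]  9EF487A186DEA361AA06913A75B3FA99
K:\WINDOWS\system32\drivers\kbdhid.sys  --a---  14592 bytes  [20:18 06/02/2010]  [18:39 13/04/2008]  9EF487A186DEA361AA06913A75B3FA99
"""

MBR_LOG_BEFORE = r"""
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys >>UNKNOWN [0x8A598AEA]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb810cf28
\Driver\ACPI -> ACPI.sys @ 0xb7f7fcb8
\Driver\atapi -> atapi.sys @ 0xb7f11852
user & kernel MBR OK
"""

MBR_LOG_AFTER = r"""
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
"""

# One SystemLook :filefind line: path, attribute flags, size, two timestamps, MD5.
FILEFIND_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<modified>[^\]]+)\]\s+\[(?P<created>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")

# Assumed layout: the ServicePackFiles\i386 copy is the known-good source the helper
# used; the copies Windows loads or restores from are the ones worth comparing.
# The $NtServicePackUninstall$ copy is the pre-SP3 build and is expected to differ.
REFERENCE_DIR = "\\servicepackfiles\\i386\\"
LIVE_DIRS = ("\\system32\\drivers\\", "\\system32\\dllcache\\")


@dataclass
class DriverCopy:
    path: str
    size: int
    md5: str


def parse_filefind(text: str) -> list[DriverCopy]:
    """Parse the per-file lines of a SystemLook :filefind result."""
    copies = []
    for line in text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            copies.append(DriverCopy(m["path"], int(m["size"]), m["md5"].upper()))
    return copies


def live_mismatches(copies: list[DriverCopy]) -> list[str]:
    """Live copies whose size or MD5 differs from the reference (all of them if none)."""
    ref = next((c for c in copies if REFERENCE_DIR in c.path.lower()), None)
    live = [c for c in copies if any(d in c.path.lower() for d in LIVE_DIRS)]
    return [c.path for c in live if ref is None or (c.size, c.md5) != (ref.size, ref.md5)]


def unknown_modules(mbr_log: str) -> list[str]:
    """Addresses in the disk call chain the detector could not attribute to a driver."""
    return [a for line in mbr_log.splitlines() if line.startswith("called modules:")
            for a in UNKNOWN_RE.findall(line)]


def mbr_hooks(mbr_log: str) -> list[str]:
    """Entries listed under 'detected MBR rootkit hooks:' up to the end of that section."""
    hooks, in_section = [], False
    for line in mbr_log.splitlines():
        if line.startswith("detected MBR rootkit hooks:"):
            in_section = True
        elif in_section:
            if not line.strip() or line.startswith("user & kernel"):
                break
            hooks.append(line.strip())
    return hooks


def triage(systemlook_text: str, mbr_log: str) -> dict:
    """Combine both signals; a matching hash alone does not clear the machine."""
    mismatches = live_mismatches(parse_filefind(systemlook_text))
    unknown, hooks = unknown_modules(mbr_log), mbr_hooks(mbr_log)
    if unknown or hooks:
        verdict = "suspect: disk stack still hooked"
    elif mismatches:
        verdict = "suspect: live driver copy differs from reference"
    else:
        verdict = "clean"
    return {"live_mismatches": mismatches, "unknown_modules": unknown,
            "hooks": hooks, "verdict": verdict}
```

Run `triage(SYSTEMLOOK_OUTPUT, MBR_LOG_BEFORE)` and `triage(SYSTEMLOOK_OUTPUT, MBR_LOG_AFTER)` to see the same hashes judged "suspect" and then "clean" purely on the state of the disk stack.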


#13 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 06 June 2010 - 06:54 PM

Nicely done.

That was done successfully.

Now that is done, let's get a Malwarebytes scan and another look at your system...

Update and Scan with MalwareBytes Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab
  • Select Check for Update and let MBAM download and install any available updates.
  • After the update is complete go to the Scanner tab.
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy

#14 trburkholder
  • Topic Starter
  • Members
  • 13 posts

Posted 06 June 2010 - 07:19 PM

Here are the mbam and DDS logs:


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4173

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/6/2010 8:09:54 PM
mbam-log-2010-06-06 (20-09-54).txt

Scan type: Quick scan
Objects scanned: 173328
Time elapsed: 6 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


DDS (Ver_10-03-17.01) - NTFSx86
Run by alan at 20:14:52.40 on Sun 06/06/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2685 [GMT -4:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

K:\WINDOWS\system32\nvsvc32.exe
K:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
K:\WINDOWS\System32\svchost.exe -k netsvcs
K:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
K:\WINDOWS\system32\spoolsv.exe
svchost.exe
K:\WINDOWS\System32\svchost.exe -k Akamai
K:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
K:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
K:\Program Files\Java\jre6\bin\jqs.exe
K:\Program Files\McAfee\Common Framework\FrameworkService.exe
K:\Program Files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
K:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
K:\Program Files\CDBurnerXP\NMSAccessU.exe
K:\WINDOWS\System32\svchost.exe -k imgsvc
K:\Program Files\Viewpoint\Common\ViewpointService.exe
K:\Program Files\Canon\CAL\CALMAIN.exe
K:\WINDOWS\Explorer.EXE
K:\WINDOWS\RTHDCPL.EXE
K:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
K:\Program Files\McAfee\Common Framework\UdaterUI.exe
K:\WINDOWS\system32\rundll32.exe
K:\WINDOWS\system32\RUNDLL32.EXE
K:\Program Files\iTunes\iTunesHelper.exe
K:\Program Files\McAfee\Common Framework\McTray.exe
K:\Program Files\Common Files\Java\Java Update\jusched.exe
K:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
K:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
K:\Program Files\iPod\bin\iPodService.exe
K:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
K:\Documents and Settings\alan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ign.com/
BHO: {03097B3E-DF1E-4119-B7C0-74845BEA0EF5} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - k:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {4E74FD4F-85B6-C7C1-401D-5C48948CEAFE} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - k:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - k:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: {B897D236-2A23-46CD-8789-11E02A62843D} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - k:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - k:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - k:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] k:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] k:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ShStatEXE] "k:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "k:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [AppleSyncNotifier] k:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [NvCplDaemon] RUNDLL32.EXE k:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE k:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [amd_dc_opt] k:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [QuickTime Task] "k:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "k:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "k:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "k:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "k:\program files\common files\java\java update\jusched.exe"
IE: Add to Google Photos Screensa&ver - k:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - k:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - k:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229010388343
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF}
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: {D8F5FBA4-80FF-4258-B205-603A34E766A6} = 192.168.1.1,208.67.220.220
Notify: !SASWinLogon - k:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - k:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - k:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 HWiNFO32;HWiNFO32 Kernel Driver;k:\program files\hwinfo32\HWiNFO32.SYS [2010-1-14 19064]
R1 mferkdk;VSCore mferkdk;k:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R1 SASDIFSV;SASDIFSV;k:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;k:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 Akamai;Akamai NetSession Interface;k:\windows\system32\svchost.exe -k Akamai [2003-3-31 14336]
R2 cpuz132;cpuz132;k:\windows\system32\drivers\cpuz132_x32.sys [2010-1-14 12672]
R2 McAfeeFramework;McAfee Framework Service;k:\program files\mcafee\common framework\FrameworkService.exe [2008-12-11 104000]
R2 McShield;McAfee McShield;k:\program files\mcafee\virusscan enterprise\Mcshield.exe [2007-2-22 144960]
R2 McTaskManager;McAfee Task Manager;k:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2007-2-22 54872]
R2 Viewpoint Manager Service;Viewpoint Manager Service;k:\program files\viewpoint\common\ViewpointService.exe [2008-12-12 24652]
R3 mfeavfk;McAfee Inc.;k:\windows\system32\drivers\mfeavfk.sys [2008-12-11 72264]
R3 mfebopk;McAfee Inc.;k:\windows\system32\drivers\mfebopk.sys [2008-12-11 34152]
R3 mfehidk;McAfee Inc.;k:\windows\system32\drivers\mfehidk.sys [2008-12-11 170408]
S2 gupdate1c99889d504a85f;Google Update Service (gupdate1c99889d504a85f);k:\program files\google\update\GoogleUpdate.exe [2009-2-26 133104]
S3 FLASHSYS;FLASHSYS;\??\k:\program files\msi\live update 4\lu4\flashsys.sys --> k:\program files\msi\live update 4\lu4\FLASHSYS.sys [?]
S3 QCEmerald;Logitech QuickCam Web;k:\windows\system32\drivers\ovce.sys [2009-4-9 31872]
S3 TMPassthruMP;TMPassthruMP;k:\windows\system32\drivers\tmpassthru.sys --> k:\windows\system32\drivers\TMPassthru.sys [?]

=============== Created Last 30 ================

2010-06-06 22:41:45 14592 ----a-w- k:\windows\system32\drivers\kbdhid.sys
2010-06-02 12:58:10 552 ----a-w- k:\windows\system32\d3d8caps.dat
2010-06-01 12:56:03 73728 ----a-w- k:\windows\system32\javacpl.cpl
2010-06-01 12:56:03 411368 ----a-w- k:\windows\system32\deployJava1.dll
2010-06-01 11:08:13 0 d-----w- k:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-06-01 10:49:41 0 d-----w- k:\program files\JRE
2010-06-01 00:52:48 0 d-----w- k:\docume~1\alan\applic~1\Street-Ads
2010-06-01 00:52:41 0 d-----w- k:\docume~1\alan\applic~1\Sky-Banners
2010-06-01 00:50:50 34688 -c--a-w- k:\windows\system32\dllcache\lbrtfdc.sys
2010-06-01 00:50:50 34688 ----a-w- k:\windows\system32\drivers\lbrtfdc.sys
2010-06-01 00:50:50 0 d-----w- k:\docume~1\alluse~1\applic~1\Update
2010-06-01 00:50:49 8576 -c--a-w- k:\windows\system32\dllcache\i2omgmt.sys
2010-06-01 00:50:49 8576 ----a-w- k:\windows\system32\drivers\i2omgmt.sys
2010-06-01 00:50:48 8192 -c--a-w- k:\windows\system32\dllcache\changer.sys
2010-06-01 00:50:48 8192 ----a-w- k:\windows\system32\drivers\changer.sys
2010-06-01 00:50:21 0 d-----w- k:\docume~1\alan\applic~1\E65104B963EA58D7DD03791E29C2EAF6
2010-05-31 01:45:04 14077 ----a-w- k:\documents and settings\alan\.recently-used.xbel

==================== Find3M ====================

2010-06-01 11:59:29 33088 ---ha-w- k:\windows\system32\mlfcache.dat
2010-04-29 19:39:38 38224 ----a-w- k:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- k:\windows\system32\drivers\mbam.sys
2010-04-26 19:58:12 256512 ----a-w- k:\windows\PEV.exe
2010-04-16 12:33:36 41472 ----a-w- k:\windows\system32\drivers\usbaapl.sys
2010-04-16 12:33:36 3003680 ----a-w- k:\windows\system32\usbaaplrc.dll
2010-04-08 17:20:02 91424 ----a-w- k:\windows\system32\dnssd.dll
2010-04-08 17:20:02 107808 ----a-w- k:\windows\system32\dns-sd.exe
2010-04-07 18:38:51 1700352 ----a-w- k:\windows\system32\gdiplus.dll
2010-03-10 06:15:52 420352 ----a-w- k:\windows\system32\vbscript.dll

============= FINISH: 20:15:24.91 ===============

Attached Files
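An added triage example, not part of this thread and not a DDS or BleepingComputer tool: the Pseudo HJT Report section of a DDS log is regular enough to scan by script. DDS prints "- No File" after a BHO or EB CLSID when the DLL registered for that CLSID no longer exists on disk, which is what the three BHO entries and the EB entry above look like; that is the usual footprint of add-ons a cleanup tool such as MBAM has already removed, leaving the registration behind. The script below parses the BHO, EB, DPF, Run and TCP lines and flags orphaned BHO/EB registrations, DPF (ActiveX download) entries that carry no download URL, Run entries that load a DLL through rundll32 from outside the Windows system or Program Files directories, and DNS servers outside an expected set. The sample report embedded in it is a subset of the log above plus one constructed "[Example]" rundll32 line that is not from this machine and is there only to exercise that check; the expected DNS set (the router plus the OpenDNS resolvers 208.67.220.220 and 208.67.222.222) is an assumption for the example.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log.

Added example; not part of the thread and not a DDS tool.  SAMPLE_REPORT is a
subset of the posted log plus one constructed line, the mRun "[Example]" entry,
which is NOT from the posted machine and only exercises the rundll32 check.
"""
import re

# "BHO: <name>: {CLSID} - <dll>"  or  "BHO: {CLSID} - No File" (orphaned)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)")
# module argument of rundll32: a "quoted path" or a token up to the first comma
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+(?P<module>"[^"]+"|[^,\s]+)', re.IGNORECASE)

# Assumption for this example: the home router plus the two OpenDNS resolvers.
EXPECTED_DNS = {"192.168.1.1", "208.67.220.220", "208.67.222.222"}
# Directories from which a rundll32-loaded module is unremarkable on XP.
TRUSTED_DIRS = ("\\windows\\system32\\", "\\program files\\")

SAMPLE_REPORT = r"""
BHO: {03097B3E-DF1E-4119-B7C0-74845BEA0EF5} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - k:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {4E74FD4F-85B6-C7C1-401D-5C48948CEAFE} - No File
BHO: {B897D236-2A23-46CD-8789-11E02A62843D} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NvCplDaemon] RUNDLL32.EXE k:\windows\system32\NvCpl.dll,NvStartup
mRun: [Example] rundll32.exe k:\docume~1\alan\applic~1\Street-Ads\loader.dll,Start
DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: {D8F5FBA4-80FF-4258-B205-603A34E766A6} = 192.168.1.1,208.67.220.220
"""


def module_is_expected(module: str) -> bool:
    """A bare name (e.g. bthprops.cpl) is resolved from the system directory
    or PATH and is left alone here; a full path is accepted only when it lies
    under one of TRUSTED_DIRS."""
    m = module.strip('"').lower()
    if "\\" not in m:
        return True
    return any(d in m for d in TRUSTED_DIRS)


def triage(report: str, expected_dns=EXPECTED_DNS):
    """Return a list of (category, detail) findings for a Pseudo HJT report."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        kind, sep, rest = line.partition(": ")
        if not sep:
            continue
        if kind in ("BHO", "EB") and rest.endswith(" - No File"):
            # CLSID still registered, DLL gone: leftover of a removed add-on
            m = CLSID_RE.search(rest)
            findings.append(("orphan_" + kind.lower(), m.group(0) if m else rest))
        elif kind == "DPF" and " - " not in rest:
            # Download Program Files entry with no download URL recorded
            m = CLSID_RE.search(rest)
            findings.append(("dpf_no_url", m.group(0) if m else rest))
        elif kind in ("uRun", "mRun"):
            m = RUN_RE.match(rest)
            if not m:
                continue
            r = RUNDLL_RE.search(m.group("cmd"))
            if r and not module_is_expected(r.group("module")):
                findings.append(("rundll32_unexpected_module",
                                 f"{m.group('name')}: {r.group('module')}"))
        elif kind == "TCP":
            # per-interface DNS server list
            for ip in IPV4_RE.findall(rest):
                if ip not in expected_dns:
                    findings.append(("unexpected_dns", ip))
    return findings


def main():
    for category, detail in triage(SAMPLE_REPORT):
        print(f"{category:28} {detail}")


if __name__ == "__main__":
    main()
```

A flagged entry is a lead, not a verdict: the orphaned CLSIDs here are exactly what one expects after an MBAM removal, and the TCP line shows OpenDNS resolvers rather than a hijacked DNS setting. Paste a full report into SAMPLE_REPORT and run the file to triage a different log.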



#15 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:58 AM

Posted 07 June 2010 - 07:28 PM

Great, let's get an online scan done now...

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires the Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left:
    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy



