DNS Hijacked, unable to completely clean


  • This topic is locked
34 replies to this topic

#1 june2010

june2010

  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:30 AM

Posted 01 June 2010 - 11:27 PM

My computer had its DNS hijacked. My browser was being redirected and popping up new browser windows. I am running XP. I could not view hidden files or folders. Windows Update was disabled, and anytime I tried to go to an antivirus site, e.g., Kaspersky, I would get blocked. I ran Malwarebytes, SUPERAntiSpyware, spydel.reg, and updated my hosts file, which helped, but did not eliminate the problem. I still cannot access Windows Update, and I am still getting blocked occasionally from anti-virus sites.

I've run both DDS and GMER and am pasting the logs below. Please let me know if you can help out. Thanks in advance!


DDS (Ver_10-03-17.01) - NTFSx86
Run by Joon Oh at 20:31:18.45 on Mon 05/31/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.529 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Gizmo\gservice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Joon Oh\Desktop\OTScanIt\Virus\Virus\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://remote.winston.com/remote.nsf/redirect
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: moigh Object: {349a9132-6c65-4ad2-803f-61b9085defde} - c:\windows\system32\cgeoervd.dll
BHO: adShotHlpr Object: {475b7759-6049-4f64-baea-d87ebc25caa9} - c:\windows\system32\mmtpqoro.dll
BHO: voguecash browser enhancer: {de108634-3de7-b6c8-1940-7b3b4eeb0813} - c:\windows\system32\ltsihszakzes.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
uRun: [Google Update] "c:\documents and settings\joon oh\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [GizmoDriveDelegate] RUNDLL32.EXE c:\progra~1\gizmo\GDRIVE.DLL,Remount_Startup_Images
mRun: [S3TRAY2] S3Tray2.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
mRun: [TPKMAPMN] c:\program files\thinkpad\utilities\TpKmapMn.exe
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [atwtusb] atwtusb.exe beta
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Yahoo! Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: {7771DC55-0EA4-4580-9E82-D4170D9BEF8D} - c:\program files\movies extractor scout lite\flashextract.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - hxxp://a1540.g.akamai.net/7/1540/52/20031010/qtinstall.info.apple.com/abarth/us/win/QuickTimeFullInstaller.exe
DPF: {74FFE28D-2378-11D5-990C-006094235084} - hxxp://www-307.ibm.com/pc/support/IbmEgath.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://www.windowsecurity.com/trojanscan/axscan.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {1865347B-BDB8-4AB2-9736-8AD3943766D0} = 8.8.4.4
TCP: {B07D24B1-F473-4D01-B997-AD3E97CD4C04} = 8.8.4.4
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joonoh~1\applic~1\mozilla\firefox\profiles\433sa5xc.firefox2\
FF - plugin: c:\documents and settings\joon oh\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\joon oh\application data\move networks\plugins\npqmp071705000014.dll
FF - plugin: c:\documents and settings\joon oh\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 3\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox 3\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox 3\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox 3\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox 3\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 GizmoDrv;Gizmo Device Driver;c:\windows\system32\drivers\gizmodrv.sys [2009-9-26 23624]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2006-10-10 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 67656]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2003-8-24 15360]
R2 Gizmo Central;Gizmo Central;c:\program files\gizmo\gservice.exe [2009-9-26 31856]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2005-11-28 102463]
R2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2003-9-29 237657]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2003-9-29 69706]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2003-9-29 83008]
S0 rewmvzjk;rewmvzjk; [x]
S1 aiptektp;HyperPen;c:\windows\system32\drivers\aiptektp.sys [2006-4-7 22272]
S3 GT680xNT;Visioneer OneTouch 7300 Driver;c:\windows\system32\drivers\Gt680x.sys [2004-2-19 17376]
S3 NikeDrv;nike psa[play driver;c:\windows\system32\drivers\nikedrv.sys [2001-8-17 12032]
S3 OkiPar;OkiPar;c:\windows\system32\drivers\OKIPAR.SYS [2001-10-2 40192]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\pc-doc~1\diagno~1\pcdrdrv.sys --> c:\progra~1\pc-doc~1\diagno~1\PCDRDRV.sys [?]
S3 PortTalk;PortTalk;c:\windows\system32\drivers\PortTalk.sys [2002-1-12 3567]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 12872]
S3 VisorUsb;Handspring USB;c:\windows\system32\drivers\VisorUsb.sys [2003-9-5 19968]

=============== Created Last 30 ================

2010-05-30 03:01:03 0 d-----w- c:\docume~1\joonoh~1\applic~1\Street-Ads
2010-05-30 03:01:03 0 d-----w- c:\docume~1\joonoh~1\applic~1\Sky-Banners
2010-05-30 01:10:59 124416 ----a-w- c:\windows\Btybea.exe
2010-05-30 01:10:13 0 d-----w- c:\docume~1\joonoh~1\applic~1\5739596A2C5D2CAA199F7A38B650D798

==================== Find3M ====================

2010-04-29 22:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 08:02:04 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 08:02:04 417792 ------w- c:\windows\system32\dllcache\vbscript.dll
2010-03-10 05:21:20 1506304 ------w- c:\windows\system32\dllcache\shdocvw.dll
2010-03-10 05:21:13 1023488 ------w- c:\windows\system32\dllcache\browseui.dll
2003-08-29 18:12:00 61440 -c--a-w- c:\windows\inf\i386\Viz7300.dll
2003-08-29 18:12:00 17376 -c--a-w- c:\windows\inf\i386\Gt680x.sys
2004-09-24 23:39:00 56 -csh--r- c:\windows\system32\EC0BEE9A4D.sys

============= FINISH: 20:32:26.84 ===============

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-31 23:18:48
Windows 5.1.2600 Service Pack 2
Running: 6xxd88zo.exe; Driver: C:\DOCUME~1\JOONOH~1\LOCALS~1\Temp\pgdyraob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF2EF1620]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\pciide.sys entry point in ".rsrc" section [0xF7BA8814]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1304] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007E000A
.text C:\WINDOWS\System32\svchost.exe[1304] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0090000A
.text C:\WINDOWS\System32\svchost.exe[1304] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007D000C
.text C:\WINDOWS\System32\svchost.exe[1304] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 0394000A
.text C:\WINDOWS\System32\svchost.exe[1304] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 00AD000A
.text C:\WINDOWS\Explorer.EXE[1692] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B9000A
.text C:\WINDOWS\Explorer.EXE[1692] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BA000A
.text C:\WINDOWS\Explorer.EXE[1692] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B8000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \FileSystem\Ntfs \Ntfs naiavf5x.sys (Anti-Virus File System Filter Driver/Network Associates, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 naiavf5x.sys (Anti-Virus File System Filter Driver/Network Associates, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat tdrpm174.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \FileSystem\Fastfat \Fat naiavf5x.sys (Anti-Virus File System Filter Driver/Network Associates, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device -> \Driver\atapi \Device\Harddisk0\DR0 86E9BEC5

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MSFS@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update@NextDetectionTime 2010-05-31 06:50:32

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\pciide.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Edited by boopme, 02 June 2010 - 12:24 PM.



#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:30 PM

Posted 02 June 2010 - 03:25 PM

Hello.

My name is Extremeboy (or EB for short), and I will be helping you with your log.

You seem to be infected with one of the newer TDL3 rootkits. Let's start off with ComboFix and continue from there.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without the guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Note: Please do not PM me asking for help; instead, please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
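EB's TDL3 call rests on a handful of lines in the first post: GMER's "suspicious modification" on pciide.sys and atapi.sys, the hooked \Device\Harddisk0\DR0 object, and a boot-start service (rewmvzjk) with no image file, alongside the hijack-style entries DDS lists (start page, per-adapter DNS server, BHO DLLs dropped straight into system32). The script below is an added example, not part of this thread and not a BleepingComputer, DDS, GMER or ComboFix tool: it runs a small rule set over DDS/GMER-format lines and separates findings that warrant action from ones the machine's owner should simply confirm. The rule set, the severity labels and the sample log (which mirrors the line formats of the first post) are this example's own constructions.

```python
"""Rule-based triage of DDS / GMER log lines (added example, not a BleepingComputer tool)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Finding:
    severity: str            # "high": act on it; "review": confirm it is what the owner expects
    rule: str
    line: str
    details: dict = field(default_factory=dict)


# (severity, rule name, pattern). Patterns follow the DDS and GMER line formats
# seen in the thread; the rule set and severities are this example's assumptions.
RULES = [
    # GMER: on-disk image of a driver no longer matches what it should be
    # (TDL3 overwrites a storage miniport such as atapi.sys or pciide.sys)
    ("high", "gmer-suspicious-driver-modification",
     re.compile(r"^File (?P<path>.+?) suspicious modification$", re.I)),
    # GMER: disk device object hooked by code that belongs to no known driver
    ("high", "gmer-hooked-disk-device",
     re.compile(r"^Device -> \\Driver\\(?P<driver>\w+) \\Device\\Harddisk\d+\\DR\d+ (?P<addr>[0-9A-F]{8})$")),
    # DDS: boot- or system-start service whose image file is missing ([x])
    ("high", "boot-start-service-no-image",
     re.compile(r"^[RS][01] (?P<name>[^;]+);[^;]*;\s*\[x\]$")),
    # DDS: per-adapter DNS server; a hijacker rewrites this, so confirm it is the one set on purpose
    ("review", "per-interface-dns-server",
     re.compile(r"^TCP: \{[0-9A-Fa-f-]+\} = (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")),
    # DDS: browser start page, another common hijack target
    ("review", "browser-start-page",
     re.compile(r"^[um]Start Page = (?P<url>\S+)$")),
    # DDS: BHO whose DLL sits directly in system32 instead of under a vendor folder
    ("review", "bho-in-system32",
     re.compile(r"^BHO: .* - c:\\windows\\system32\\(?P<dll>[\w.]+\.dll)$", re.I)),
    # GMER: inline JMP hook in a user-mode process (AV/HIPS products hook too, hence review)
    ("review", "usermode-inline-hook",
     re.compile(r"^\.text\s+(?P<process>\S+)\[\d+\]\s+(?P<api>\S+)\s+[0-9A-F]+\s+\d+ Bytes JMP [0-9A-F]+$")),
]

# Constructed sample in the DDS / GMER line formats used in this thread.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
uStart Page = hxxp://remote.example.invalid/redirect
BHO: moigh Object: {349a9132-6c65-4ad2-803f-61b9085defde} - c:\windows\system32\cgeoervd.dll
BHO: Example Helper: {00000000-0000-0000-0000-000000000000} - c:\program files\example\helper.dll
TCP: {1865347B-BDB8-4AB2-9736-8AD3943766D0} = 8.8.4.4
S0 rewmvzjk;rewmvzjk; [x]
S3 PortTalk;PortTalk;c:\windows\system32\drivers\PortTalk.sys [2002-1-12 3567]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\Explorer.EXE[1692] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B9000A
---- Devices - GMER 1.0.15 ----
Device -> \Driver\atapi \Device\Harddisk0\DR0 86E9BEC5
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\pciide.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""


def triage(log_text: str) -> list[Finding]:
    """Run every rule over every non-empty line; the first matching rule wins."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for severity, rule, pattern in RULES:
            m = pattern.match(line)
            if m:
                findings.append(Finding(severity, rule, line, m.groupdict()))
                break
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'high': 4, 'review': 4}."""
    return dict(Counter(f.severity for f in findings))


def dns_servers(findings: list[Finding]) -> list[str]:
    """DNS servers DDS reported per adapter, for the owner to confirm."""
    return [f.details["ip"] for f in findings if f.rule == "per-interface-dns-server"]


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity:6}] {f.rule}: {f.line}")
    print(summarize(found), "DNS:", dns_servers(found))
```

Anything under "high" is the rootkit layer itself, which is why EB reaches for ComboFix rather than another on-demand scanner; the "review" items (DNS server, start page, BHOs, user-mode hooks) are the symptoms the poster saw and are also produced by legitimate software, so they need the owner's confirmation rather than automatic removal.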

#3 june2010

june2010
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:30 AM

Posted 04 June 2010 - 01:11 PM

I have attached the ComboFix log below. I had to run it in safe mode, as it would not run otherwise. Let me know if I should run it again in regular mode and anything else I need to do. Thanks

ComboFix 10-05-30.09 - Administrator 06/04/2010 0:02.3.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.844 [GMT -7:00]
Running from: c:\documents and settings\Joon Oh\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Joon Oh\Application Data\5739596A2C5D2CAA199F7A38B650D798
c:\documents and settings\Joon Oh\Application Data\5739596A2C5D2CAA199F7A38B650D798\enemies-names.txt
c:\documents and settings\Joon Oh\Local Settings\Application Data\Windows Server
c:\documents and settings\Joon Oh\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Joon Oh\Local Settings\Application Data\Windows Server\uses32.dat
c:\documents and settings\Joon Oh\Start Menu\Programs\Antimalware Doctor
c:\documents and settings\Joon Oh\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk
c:\documents and settings\Joon Oh\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk
C:\feed.txt
c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\INSTALL.LOG
c:\program files\WinPCap\NetMonInstaller.exe
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
c:\program files\WinPCap\Uninstall.exe
c:\windows\system32\Data
c:\windows\system32\hlp.dat
c:\windows\system32\tmp.reg
c:\windows\system32\Vb40032.dll

Infected copy of c:\windows\system32\drivers\pciide.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\ws2_32.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ws2_32.dll

.
((((((((((((((((((((((((( Files Created from 2010-05-04 to 2010-06-04 )))))))))))))))))))))))))))))))
.

2010-06-04 06:55 . 2010-06-04 07:16 -------- d-----w- \ComboFix
2010-05-30 07:56 . 2010-05-30 07:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-05-30 05:26 . 2010-05-30 05:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\scar5
2010-05-30 05:22 . 2010-05-30 05:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-05-30 05:20 . 2010-05-30 05:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-05-30 03:01 . 2010-05-30 03:01 -------- d-----w- c:\documents and settings\Joon Oh\Application Data\Street-Ads
2010-05-30 03:01 . 2010-05-30 03:01 -------- d-----w- c:\documents and settings\Joon Oh\Application Data\Sky-Banners
2010-05-30 01:12 . 2010-05-30 01:12 -------- d-----w- c:\program files\$NtUninstallWTF1012$
2010-05-30 01:10 . 2010-05-30 01:10 124416 ----a-w- c:\windows\Btybea.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-03 06:27 . 2010-01-04 08:56 -------- d-----w- c:\program files\Mozilla Firefox 3
2010-05-30 07:43 . 2008-10-05 16:54 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-30 05:57 . 2005-11-14 04:46 34 ----a-w- c:\windows\sfshell.tmp
2010-05-30 05:04 . 2010-05-22 14:59 63488 ----a-w- c:\documents and settings\Joon Oh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-30 05:04 . 2009-03-21 05:52 117760 ----a-w- c:\documents and settings\Joon Oh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-30 03:28 . 2008-10-12 05:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-02 03:19 . 2010-01-11 04:30 -------- d-----w- c:\program files\Veetle
2010-04-24 07:05 . 2010-04-24 07:04 -------- d-----w- c:\program files\iTunes
2010-04-24 07:05 . 2010-04-24 07:04 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-24 07:04 . 2005-03-30 14:06 -------- d-----w- c:\program files\iPod
2010-04-24 07:04 . 2008-12-01 01:21 -------- d-----w- c:\program files\Common Files\Apple
2010-04-24 07:02 . 2010-04-24 07:01 -------- d-----w- c:\program files\QuickTime
2010-04-24 06:56 . 2010-04-24 06:56 -------- d-----w- c:\program files\Bonjour
2010-04-24 06:42 . 2010-04-24 06:42 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-17 05:13 . 2007-10-25 04:31 -------- d-----w- c:\documents and settings\Joon Oh\Application Data\foobar2000
2008-12-20 03:40 . 2005-02-03 00:46 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-20 03:40 . 2005-02-03 00:46 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-20 03:40 . 2008-02-09 16:46 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-20 03:40 . 2008-02-09 16:46 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-20 03:40 . 2005-02-03 00:46 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2008-08-17 01:42 . 2008-08-17 01:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-17 01:42 . 2008-08-17 01:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-17 01:42 . 2008-08-17 01:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-17 01:42 . 2008-08-17 01:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-17 01:43 . 2008-08-17 01:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-17 01:42 . 2008-08-17 01:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-17 01:42 . 2008-08-17 01:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 16:41 . 2008-05-21 16:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 16:41 . 2008-05-21 16:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 16:41 . 2008-05-21 16:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 21:58 . 2008-06-05 21:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-17 01:42 . 2008-08-17 01:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2004-09-24 23:39 . 2004-09-24 20:26 56 -csh--r- c:\windows\system32\EC0BEE9A4D.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]
"Google Update"="c:\documents and settings\Joon Oh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-05 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-30 2397424]
"GizmoDriveDelegate"="c:\progra~1\GIZMO\GDRIVE.DLL" [2009-09-27 390752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"atwtusb"="atwtusb.exe beta" [X]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 69632]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-04-08 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-04-08 512000]
"BluetoothAuthenticationAgent"="irprops.cpl" [2004-08-04 380416]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2004-03-10 94208]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-01-17 64000]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2003-01-17 20480]
"TPKMAPMN"="c:\program files\ThinkPad\Utilities\TpKmapMn.exe" [2004-02-04 32768]
"TP4EX"="tp4ex.exe" [2002-09-04 53248]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2002-12-24 204800]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2002-08-29 44032]
"MSPY2002"="c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-04 897024]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 88363]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 81990]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-04-07 135224]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2008-02-20 127036]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-01-21 4359280]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2009-01-21 960536]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-01-21 377232]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-10-05 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-01-01 07:43 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\WM Recorder 10\\RMR.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

S0 rewmvzjk;rewmvzjk; [x]
S1 aiptektp;HyperPen;c:\windows\system32\drivers\aiptektp.sys [4/7/2006 2:36 PM 22272]
S1 GizmoDrv;Gizmo Device Driver;c:\windows\system32\drivers\gizmodrv.sys [9/26/2009 5:28 PM 23624]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 12:53 PM 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 11:39 AM 67656]
S1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [8/24/2003 3:45 AM 15360]
S2 Gizmo Central;Gizmo Central;c:\program files\Gizmo\gservice.exe [9/26/2009 5:28 PM 31856]
S3 GT680xNT;Visioneer OneTouch 7300 Driver;c:\windows\system32\drivers\Gt680x.sys [2/19/2004 4:42 PM 17376]
S3 NikeDrv;nike psa[play driver;c:\windows\system32\drivers\nikedrv.sys [8/17/2001 1:24 PM 12032]
S3 OkiPar;OkiPar;c:\windows\system32\drivers\OKIPAR.SYS [10/2/2001 8:54 AM 40192]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]
S3 PortTalk;PortTalk;c:\windows\system32\drivers\PortTalk.sys [1/12/2002 2:30 PM 3567]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 4:51 PM 12872]
S3 VisorUsb;Handspring USB;c:\windows\system32\drivers\VisorUsb.sys [9/5/2003 12:35 PM 19968]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6cc90e49-a5d0-11dc-9520-001125ae173e}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95b0be42-84f4-11dc-951b-001125ae173e}]
\Shell\AutoRun\command - e:\portableapps\PortableAppsMenu\PortableAppsMenu.exe
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://remote.winston.com/remote.nsf/redirect
mLocal Page = c:\windows\system32\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Yahoo! Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: {{7771DC55-0EA4-4580-9E82-D4170D9BEF8D} - c:\program files\Movies Extractor Scout LITE\flashextract.exe
TCP: {1865347B-BDB8-4AB2-9736-8AD3943766D0} = 8.8.4.4
TCP: {B07D24B1-F473-4D01-B997-AD3E97CD4C04} = 8.8.4.4
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Joon Oh\Application Data\Mozilla\Firefox\Profiles\433sa5xc.Firefox2\
FF - plugin: c:\documents and settings\Joon Oh\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\Joon Oh\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\documents and settings\Joon Oh\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox 3\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox 3\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox 3\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox 3\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

BHO-{349A9132-6C65-4AD2-803F-61B9085DEFDE} - c:\windows\system32\cgeoervd.dll
BHO-{475B7759-6049-4F64-BAEA-D87EBC25CAA9} - c:\windows\system32\mmtpqoro.dll
BHO-{DE108634-3DE7-B6C8-1940-7B3B4EEB0813} - c:\windows\system32\ltsihszakzes.dll
HKLM-Run-ISUSScheduler - c:\program files\Common Files\InstallShield\UpdateService\issch.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-04 00:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86E98EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7624fc3
\Driver\ACPI -> ACPI.sys @ 0xf7597cb8
\Driver\atapi -> atapi.sys @ 0xf75317b4
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a18f6
SecurityProcedure -> ntoskrnl.exe @ 0x8059d056
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a18f6
SecurityProcedure -> ntoskrnl.exe @ 0x8059d056
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\smss.exe
c:\windows\system32\csrss.exe
c:\windows\system32\winlogon.exe
c:\windows\system32\services.exe
c:\windows\system32\lsass.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
.
**************************************************************************
.
Completion time: 2010-06-04 00:26:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-04 07:25
ComboFix2.txt 2008-10-06 08:58
ComboFix3.txt 2008-10-05 14:07

Pre-Run: 136,918,388,736 bytes free
Post-Run: 136,923,848,704 bytes free

- - End Of File - - B5A1DA3F0623F9697140EE6AB8E3A000


#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:30 PM

Posted 05 June 2010 - 09:02 PM

Hello.

Doesn't seem to be fully disinfected, or it is still active somehow. Could you do the following in Normal Mode? It should work.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    CODE
    TDL::
    C:\WINDOWS\system32\drivers\pciide.sys
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)

    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall


Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image link].

#5 june2010

june2010
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:30 AM

Posted 06 June 2010 - 10:39 AM

I tried to run ComboFix in normal mode using the script you provided. Unfortunately, I ran into a blue screen as ComboFix was setting up a restore point (unlike before, when I ran ComboFix in safe mode; in normal mode I was able to reach the disclaimer Yes/No box before it rebooted). Relevant blue screen info below.
IRQL_NOT_LESS_OR_EQUAL
STOP: 0x0000000A (0x488B0845, 0x00000002, 0x00000001, 0x804DBC9A)

Also, let me know if I should delete the following:
2010-05-30 01:10:59 124416 ----a-w- c:\windows\Btybea.exe
It is not a file that I recognize.


#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:30 PM

Posted 06 June 2010 - 05:09 PM

Hello.

Try Combofix in Safe Mode then.

Regarding that file, that WILL need to be removed and dealt with, but right now we'll focus on that driver, as that's the main thing that needs to be dealt with first; the other infections we will remove all at once next post.

Let me know how Combofix goes.

#7 june2010

june2010
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:30 AM

Posted 07 June 2010 - 12:24 AM

New log after safe mode

ComboFix 10-05-30.09 - Joon Oh 06/06/2010 21:56:13.4.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.834 [GMT -7:00]
Running from: c:\documents and settings\Joon Oh\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Joon Oh\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Joon Oh\Application Data\020000009fae3efd922C.manifest
c:\documents and settings\Joon Oh\Application Data\020000009fae3efd922O.manifest
c:\documents and settings\Joon Oh\Application Data\020000009fae3efd922P.manifest
c:\documents and settings\Joon Oh\Application Data\020000009fae3efd922S.manifest

Infected copy of c:\windows\system32\drivers\pciide.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\DRIVERS\pciide.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\drivers\pciide.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\DRIVERS\pciide.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\drivers\PCIIde.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-05-07 to 2010-06-07 )))))))))))))))))))))))))))))))
.

2010-05-30 07:56 . 2010-05-30 07:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-05-30 05:26 . 2010-05-30 05:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\scar5
2010-05-30 05:22 . 2010-05-30 05:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-05-30 05:20 . 2010-05-30 05:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-05-30 03:01 . 2010-05-30 03:01 -------- d-----w- c:\documents and settings\Joon Oh\Application Data\Street-Ads
2010-05-30 03:01 . 2010-05-30 03:01 -------- d-----w- c:\documents and settings\Joon Oh\Application Data\Sky-Banners
2010-05-30 01:12 . 2010-05-30 01:12 -------- d-----w- c:\program files\$NtUninstallWTF1012$
2010-05-30 01:10 . 2010-05-30 01:10 124416 ----a-w- c:\windows\Btybea.exe
2010-05-22 14:59 . 2010-05-30 05:04 63488 ----a-w- c:\documents and settings\Joon Oh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-03 06:27 . 2010-01-04 08:56 -------- d-----w- c:\program files\Mozilla Firefox 3
2010-05-30 07:43 . 2008-10-05 16:54 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-30 05:57 . 2005-11-14 04:46 34 ----a-w- c:\windows\sfshell.tmp
2010-05-30 05:04 . 2009-03-21 05:52 117760 ----a-w- c:\documents and settings\Joon Oh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-30 03:28 . 2008-10-12 05:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-02 03:19 . 2010-01-11 04:30 -------- d-----w- c:\program files\Veetle
2010-04-29 22:39 . 2008-10-12 05:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2008-10-12 05:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 07:05 . 2010-04-24 07:04 -------- d-----w- c:\program files\iTunes
2010-04-24 07:05 . 2010-04-24 07:04 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-24 07:04 . 2005-03-30 14:06 -------- d-----w- c:\program files\iPod
2010-04-24 07:04 . 2008-12-01 01:21 -------- d-----w- c:\program files\Common Files\Apple
2010-04-24 07:02 . 2010-04-24 07:01 -------- d-----w- c:\program files\QuickTime
2010-04-24 06:56 . 2010-04-24 06:56 -------- d-----w- c:\program files\Bonjour
2010-04-24 06:42 . 2010-04-24 06:42 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-17 05:13 . 2007-10-25 04:31 -------- d-----w- c:\documents and settings\Joon Oh\Application Data\foobar2000
2010-03-10 08:02 . 1980-01-01 07:00 417792 ----a-w- c:\windows\system32\vbscript.dll
2008-12-20 03:40 . 2005-02-03 00:46 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-20 03:40 . 2005-02-03 00:46 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-20 03:40 . 2008-02-09 16:46 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-20 03:40 . 2008-02-09 16:46 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-20 03:40 . 2005-02-03 00:46 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2008-08-17 01:42 . 2008-08-17 01:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-17 01:42 . 2008-08-17 01:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-17 01:42 . 2008-08-17 01:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-17 01:42 . 2008-08-17 01:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-17 01:43 . 2008-08-17 01:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-17 01:42 . 2008-08-17 01:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-17 01:42 . 2008-08-17 01:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 16:41 . 2008-05-21 16:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 16:41 . 2008-05-21 16:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 16:41 . 2008-05-21 16:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 21:58 . 2008-06-05 21:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-17 01:42 . 2008-08-17 01:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2004-09-24 23:39 . 2004-09-24 20:26 56 -csh--r- c:\windows\system32\EC0BEE9A4D.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]
"Google Update"="c:\documents and settings\Joon Oh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-05 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-30 2397424]
"GizmoDriveDelegate"="c:\progra~1\GIZMO\GDRIVE.DLL" [2009-09-27 390752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"atwtusb"="atwtusb.exe beta" [X]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 69632]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-04-08 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-04-08 512000]
"BluetoothAuthenticationAgent"="irprops.cpl" [2004-08-04 380416]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2004-03-10 94208]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-01-17 64000]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2003-01-17 20480]
"TPKMAPMN"="c:\program files\ThinkPad\Utilities\TpKmapMn.exe" [2004-02-04 32768]
"TP4EX"="tp4ex.exe" [2002-09-04 53248]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2002-12-24 204800]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2002-08-29 44032]
"MSPY2002"="c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-04 897024]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 88363]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 81990]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-04-07 135224]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2008-02-20 127036]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-01-21 4359280]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2009-01-21 960536]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-01-21 377232]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-10-05 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-01-01 07:43 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\WM Recorder 10\\RMR.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

S0 rewmvzjk;rewmvzjk; [x]
S1 aiptektp;HyperPen;c:\windows\system32\drivers\aiptektp.sys [4/7/2006 2:36 PM 22272]
S1 GizmoDrv;Gizmo Device Driver;c:\windows\system32\drivers\gizmodrv.sys [9/26/2009 5:28 PM 23624]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 12:53 PM 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 11:39 AM 67656]
S1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [8/24/2003 3:45 AM 15360]
S2 Gizmo Central;Gizmo Central;c:\program files\Gizmo\gservice.exe [9/26/2009 5:28 PM 31856]
S3 GT680xNT;Visioneer OneTouch 7300 Driver;c:\windows\system32\drivers\Gt680x.sys [2/19/2004 4:42 PM 17376]
S3 NikeDrv;nike psa[play driver;c:\windows\system32\drivers\nikedrv.sys [8/17/2001 1:24 PM 12032]
S3 OkiPar;OkiPar;c:\windows\system32\drivers\OKIPAR.SYS [10/2/2001 8:54 AM 40192]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]
S3 PortTalk;PortTalk;c:\windows\system32\drivers\PortTalk.sys [1/12/2002 2:30 PM 3567]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 4:51 PM 12872]
S3 VisorUsb;Handspring USB;c:\windows\system32\drivers\VisorUsb.sys [9/5/2003 12:35 PM 19968]
.
Contents of the 'Scheduled Tasks' folder

2006-03-14 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2003-08-24 08:32]

2010-06-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-347567380-643298238-3171162626-1004Core.job
- c:\documents and settings\Joon Oh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-05 06:24]

2010-06-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-347567380-643298238-3171162626-1004UA.job
- c:\documents and settings\Joon Oh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-05 06:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://remote.winston.com/remote.nsf/redirect
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Yahoo! Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: {{7771DC55-0EA4-4580-9E82-D4170D9BEF8D} - c:\program files\Movies Extractor Scout LITE\flashextract.exe
TCP: {1865347B-BDB8-4AB2-9736-8AD3943766D0} = 8.8.4.4
TCP: {B07D24B1-F473-4D01-B997-AD3E97CD4C04} = 8.8.4.4
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\if95vrnb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\documents and settings\Joon Oh\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\Joon Oh\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox 3\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox 3\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox 3\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox 3\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-InstallShield_{44A537A5-859C-43A6-8285-C0668142A090} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
AddRemove-Simple File Shredder - c:\program files\scar5\Simple File Shredder\uninst.exe
AddRemove-urgjkeyenpfz - c:\windows\system32\urgjkeyenpfz.exe
AddRemove-WinPcapInst - c:\program files\WinPcap\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-06 22:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(296)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2010-06-06 22:15:42 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-07 05:15
ComboFix2.txt 2010-06-04 07:26
ComboFix3.txt 2008-10-06 08:58
ComboFix4.txt 2008-10-05 14:07

Pre-Run: 136,872,902,656 bytes free
Post-Run: 136,840,994,816 bytes free

- - End Of File - - A6E271F83E12F4A98437FB7D29CF2606

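As an added triage example (not ComboFix's code and not the helper's script): a small Python parser over the ComboFix log format posted above, pulling out the same kinds of entries this thread acted on. The sample lines are constructed copies of the formats seen in the logs, and the set of resolvers the owner expects is an assumed input.

```python
"""Triage helper for ComboFix-style log text (added example, not ComboFix's code
and not the thread helper's script). It pulls out the entries the thread acted
on: a boot-start service with no image file on disk, a system driver ComboFix
reported as patched, the Windows firewall switched off, per-adapter DNS
resolvers, and orphaned BHO/AddRemove entries whose binary sits in system32."""
import re
from dataclasses import dataclass, field

# Constructed sample: one line of each kind, in the format of the logs above.
SAMPLE_LOG = r"""
Infected copy of c:\windows\system32\drivers\pciide.sys was found and disinfected
Infected copy of c:\windows\system32\DRIVERS\pciide.sys was found and disinfected
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
S0 rewmvzjk;rewmvzjk; [x]
S1 aiptektp;HyperPen;c:\windows\system32\drivers\aiptektp.sys [4/7/2006 2:36 PM 22272]
TCP: {1865347B-BDB8-4AB2-9736-8AD3943766D0} = 8.8.4.4
TCP: {B07D24B1-F473-4D01-B997-AD3E97CD4C04} = 8.8.4.4
AddRemove-urgjkeyenpfz - c:\windows\system32\urgjkeyenpfz.exe
AddRemove-Simple File Shredder - c:\program files\scar5\Simple File Shredder\uninst.exe
BHO-{349A9132-6C65-4AD2-803F-61B9085DEFDE} - c:\windows\system32\cgeoervd.dll
"""

# Line shapes as ComboFix prints them: "S0 name;display;path [date size]" (or
# "[x]" when the image is gone), "TCP: {adapter GUID} = resolver", and so on.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
DNS_RE = re.compile(r"^TCP:\s+\{([0-9A-Fa-f-]+)\}\s*=\s*(\S+)")
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b')
PATCHED_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected")
ORPHAN_RE = re.compile(r"^(BHO|AddRemove)-(.+?) - (.+)$")
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Triage:
    missing_image: list = field(default_factory=list)     # (start type, name)
    patched_drivers: list = field(default_factory=list)   # paths, deduplicated
    firewall_off: bool = False
    dns_servers: dict = field(default_factory=dict)       # adapter GUID -> IP
    system32_orphans: list = field(default_factory=list)  # (kind, name, path)


def directly_in_system32(path):
    """True when the file sits in system32 itself, not in a subdirectory."""
    p = path.strip().lower()
    return p.startswith(SYSTEM32) and "\\" not in p[len(SYSTEM32):]


def triage(log_text):
    t, seen_patched = Triage(), set()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            start, name, _display, rest = m.groups()
            if rest.strip() == "[x]":  # registered, but no driver file on disk
                t.missing_image.append((start, name))
            continue
        m = PATCHED_RE.match(line)
        if m:
            if m.group(1).lower() not in seen_patched:  # "drivers" vs "DRIVERS"
                seen_patched.add(m.group(1).lower())
                t.patched_drivers.append(m.group(1))
            continue
        if FIREWALL_OFF_RE.match(line):
            t.firewall_off = True
            continue
        m = DNS_RE.match(line)
        if m:
            t.dns_servers[m.group(1).upper()] = m.group(2)
            continue
        m = ORPHAN_RE.match(line)
        if m and directly_in_system32(m.group(3)):
            t.system32_orphans.append((m.group(1), m.group(2), m.group(3).strip()))
    return t


def unexpected_resolvers(t, expected):
    """Resolvers set on any adapter that are not in the owner's expected set."""
    return sorted({ip for ip in t.dns_servers.values() if ip not in expected})


def report(t, expected_dns):
    """Findings as text lines, most serious first."""
    out = [f"HIGH  {s} service '{n}' has no image on disk" for s, n in t.missing_image]
    out += [f"HIGH  system driver was patched and restored: {p}" for p in t.patched_drivers]
    out += [f"MED   orphaned {k} '{n}' pointed into system32: {p}"
            for k, n, p in t.system32_orphans]
    if t.firewall_off:
        out.append("MED   Windows Firewall (standard profile) is disabled")
    out += [f"MED   DNS resolver {ip} was not set by the owner"
            for ip in unexpected_resolvers(t, expected_dns)]
    return out
```

With the resolver set left as the owner's own choice (8.8.4.4 here), the sample yields the missing rewmvzjk service, the patched pciide.sys, the two system32 orphans and the disabled firewall; pass a different expected set and the resolver is reported too.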

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:30 PM

Posted 07 June 2010 - 07:56 PM

Hello.

Looking better.

Run ComboFix with CFScript

We will run ComboFix again. This time it will be slightly different from the initial run.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    CODE
    http://www.bleepingcomputer.com/forums/t/320946/dns-hijacked-unable-to-completely-clean/
    Collect::[68]
    c:\windows\Btybea.exe
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "atwtusb"=-
    Driver::
    rewmvzjk
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
  • Please post the contents of the Combofix log in your next reply.

Upload Samples by ComboFix

When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.
  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue-screen would appear auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was Succesfull".

**NOTE**
=================
  • IF for some reason Combofix fails to upload anything please do the following:
  • Go to Start >> My Computer > C:\
  • Then Navigate to the C:\Qoobox\Quarantine folder.
  • Find the archive zip file called "[68]-Submit_Date_Time.zip"
  • Simply go to This Channel and upload the submit.zip archive file to me.
  • Follow the instructions on that page to copy/paste/send the requested file.


Let me know how it goes and if the upload went successfully or not in your next reply.


#9 june2010

june2010
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:30 AM

Posted 08 June 2010 - 03:10 AM

I had to upload the zip file manually. Thanks. Let me know what else there is.

Edited by june2010, 08 June 2010 - 08:57 AM.


#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:30 PM

Posted 09 June 2010 - 06:01 PM

Yup, that's fine, but please post the C:\Combofix.txt log as well.

#11 june2010

june2010
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:30 AM

Posted 10 June 2010 - 05:16 PM

ComboFix 10-06-07.03 - Joon Oh 06/08/2010 0:37.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.695 [GMT -7:00]
Running from: c:\documents and settings\Joon Oh\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Joon Oh\Desktop\CFScript.txt

file zipped: c:\windows\Btybea.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Btybea.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_REWMVZJK
-------\Service_rewmvzjk


((((((((((((((((((((((((( Files Created from 2010-05-08 to 2010-06-08 )))))))))))))))))))))))))))))))
.

2010-05-30 07:56 . 2010-05-30 07:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-05-30 05:26 . 2010-05-30 05:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\scar5
2010-05-30 05:22 . 2010-05-30 05:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-05-30 05:20 . 2010-05-30 05:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-05-30 03:01 . 2010-05-30 03:01 -------- d-----w- c:\documents and settings\Joon Oh\Application Data\Street-Ads
2010-05-30 03:01 . 2010-05-30 03:01 -------- d-----w- c:\documents and settings\Joon Oh\Application Data\Sky-Banners
2010-05-30 01:12 . 2010-05-30 01:12 -------- d-----w- c:\program files\$NtUninstallWTF1012$

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-08 07:28 . 2010-01-04 08:56 -------- d-----w- c:\program files\Mozilla Firefox 3
2010-05-30 07:43 . 2008-10-05 16:54 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-30 05:57 . 2005-11-14 04:46 34 ----a-w- c:\windows\sfshell.tmp
2010-05-30 05:04 . 2010-05-22 14:59 63488 ----a-w- c:\documents and settings\Joon Oh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-30 05:04 . 2009-03-21 05:52 117760 ----a-w- c:\documents and settings\Joon Oh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-30 03:28 . 2008-10-12 05:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-02 03:19 . 2010-01-11 04:30 -------- d-----w- c:\program files\Veetle
2010-04-29 22:39 . 2008-10-12 05:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2008-10-12 05:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 07:05 . 2010-04-24 07:04 -------- d-----w- c:\program files\iTunes
2010-04-24 07:05 . 2010-04-24 07:04 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-24 07:04 . 2005-03-30 14:06 -------- d-----w- c:\program files\iPod
2010-04-24 07:04 . 2008-12-01 01:21 -------- d-----w- c:\program files\Common Files\Apple
2010-04-24 07:02 . 2010-04-24 07:01 -------- d-----w- c:\program files\QuickTime
2010-04-24 06:56 . 2010-04-24 06:56 -------- d-----w- c:\program files\Bonjour
2010-04-24 06:42 . 2010-04-24 06:42 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-17 05:13 . 2007-10-25 04:31 -------- d-----w- c:\documents and settings\Joon Oh\Application Data\foobar2000
2010-03-10 08:02 . 1980-01-01 07:00 417792 ----a-w- c:\windows\system32\vbscript.dll
2008-12-20 03:40 . 2005-02-03 00:46 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-20 03:40 . 2005-02-03 00:46 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-20 03:40 . 2008-02-09 16:46 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-20 03:40 . 2008-02-09 16:46 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-20 03:40 . 2005-02-03 00:46 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2008-08-17 01:42 . 2008-08-17 01:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-17 01:42 . 2008-08-17 01:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-17 01:42 . 2008-08-17 01:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-17 01:42 . 2008-08-17 01:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-17 01:43 . 2008-08-17 01:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-17 01:42 . 2008-08-17 01:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-17 01:42 . 2008-08-17 01:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 16:41 . 2008-05-21 16:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 16:41 . 2008-05-21 16:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 16:41 . 2008-05-21 16:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 21:58 . 2008-06-05 21:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-17 01:42 . 2008-08-17 01:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2004-09-24 23:39 . 2004-09-24 20:26 56 -csh--r- c:\windows\system32\EC0BEE9A4D.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]
"Google Update"="c:\documents and settings\Joon Oh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-05 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-30 2397424]
"GizmoDriveDelegate"="c:\progra~1\GIZMO\GDRIVE.DLL" [2009-09-27 390752]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 69632]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-04-08 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-04-08 512000]
"BluetoothAuthenticationAgent"="irprops.cpl" [2004-08-04 380416]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2004-03-10 94208]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-01-17 64000]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2003-01-17 20480]
"TPKMAPMN"="c:\program files\ThinkPad\Utilities\TpKmapMn.exe" [2004-02-04 32768]
"TP4EX"="tp4ex.exe" [2002-09-04 53248]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2002-12-24 204800]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2002-08-29 44032]
"MSPY2002"="c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-04 897024]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 88363]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 81990]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-04-07 135224]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2008-02-20 127036]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-01-21 4359280]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2009-01-21 960536]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-01-21 377232]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-10-05 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-01-01 07:43 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\WM Recorder 10\\RMR.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

R1 GizmoDrv;Gizmo Device Driver;c:\windows\system32\drivers\gizmodrv.sys [9/26/2009 5:28 PM 23624]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 12:53 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 11:39 AM 67656]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [8/24/2003 3:45 AM 15360]
R2 Gizmo Central;Gizmo Central;c:\program files\Gizmo\gservice.exe [9/26/2009 5:28 PM 31856]
S1 aiptektp;HyperPen;c:\windows\system32\drivers\aiptektp.sys [4/7/2006 2:36 PM 22272]
S3 GT680xNT;Visioneer OneTouch 7300 Driver;c:\windows\system32\drivers\Gt680x.sys [2/19/2004 4:42 PM 17376]
S3 NikeDrv;nike psa[play driver;c:\windows\system32\drivers\nikedrv.sys [8/17/2001 1:24 PM 12032]
S3 OkiPar;OkiPar;c:\windows\system32\drivers\OKIPAR.SYS [10/2/2001 8:54 AM 40192]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]
S3 PortTalk;PortTalk;c:\windows\system32\drivers\PortTalk.sys [1/12/2002 2:30 PM 3567]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 4:51 PM 12872]
S3 VisorUsb;Handspring USB;c:\windows\system32\drivers\VisorUsb.sys [9/5/2003 12:35 PM 19968]
.
Contents of the 'Scheduled Tasks' folder

2006-03-14 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2003-08-24 08:32]

2010-06-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-347567380-643298238-3171162626-1004Core.job
- c:\documents and settings\Joon Oh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-05 06:24]

2010-06-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-347567380-643298238-3171162626-1004UA.job
- c:\documents and settings\Joon Oh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-05 06:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://remote.winston.com/remote.nsf/redirect
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Yahoo! Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: {{7771DC55-0EA4-4580-9E82-D4170D9BEF8D} - c:\program files\Movies Extractor Scout LITE\flashextract.exe
TCP: {1865347B-BDB8-4AB2-9736-8AD3943766D0} = 8.8.4.4
TCP: {B07D24B1-F473-4D01-B997-AD3E97CD4C04} = 8.8.4.4
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Joon Oh\Application Data\Mozilla\Firefox\Profiles\433sa5xc.Firefox2\
FF - plugin: c:\documents and settings\Joon Oh\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\Joon Oh\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\documents and settings\Joon Oh\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox 3\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox 3\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox 3\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox 3\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-08 00:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1092)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\cscui.dll

- - - - - - - > 'explorer.exe'(2488)
c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\ibmpmsvc.exe
c:\windows\System32\S24EvMon.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\RunDll32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
c:\windows\AGRSMMSG.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
c:\program files\Network Associates\VirusScan\Mcshield.exe
c:\program files\Network Associates\VirusScan\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\windows\System32\QCONSVC.EXE
c:\windows\System32\RegSrvc.exe
c:\windows\system32\TpKmpSVC.exe
c:\windows\system32\wdfmgr.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-06-08 00:56:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-08 07:55
ComboFix2.txt 2010-06-07 05:15
ComboFix3.txt 2010-06-04 07:26
ComboFix4.txt 2008-10-06 08:58
ComboFix5.txt 2010-06-08 07:34

Pre-Run: 135,687,098,368 bytes free
Post-Run: 135,599,734,784 bytes free

- - End Of File - - C8E196BD075DD6983DEC43C5C82B51E0


#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:30 PM

Posted 11 June 2010 - 05:01 PM

Looking good. Let's get an online scan done.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left:
    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#13 june2010

june2010
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:30 AM

Posted 13 June 2010 - 11:36 AM

I have pasted below the Kaspersky log and DDS log (not sure if Kaspersky removed anything it found). I have attached the Attach log.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, June 13, 2010
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, June 12, 2010 18:14:49
Records in database: 4265396
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 111119
Threats found: 4
Infected objects found: 7
Suspicious objects found: 0
Scan duration: 04:34:34


File name / Threat / Threats count
C:\Program Files\Alo RM Converter\alorm.exe Infected: Backdoor.Win32.Rbot.airf 1
C:\QooBox\Quarantine\C\WINDOWS\system32\Drivers\PCIIde.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\QooBox\Quarantine\C\WINDOWS\system32\Drivers\pciide.sys.vir_ Infected: Rootkit.Win32.TDSS.ap 1
C:\QooBox\Quarantine\[68]-Submit_2010-06-08_00.37.48.zip Infected: Trojan.Win32.Tdss.bfcf 1
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0004101.sys Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0004123.sys Infected: Rootkit.Win32.TDSS.ap 1
C:\WINDOWS\system32\SBUtils\SBWebCtl.dll Infected: not-a-virus:AdWare.Win32.WindowEnhancer.f 1

Selected area has been scanned.



*****



DDS (Ver_10-03-17.01) - NTFSx86
Run by Joon Oh at 9:27:48.72 on Sun 06/13/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.793 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Gizmo\gservice.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Joon Oh\Desktop\OTScanIt\Virus\Virus\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://remote.winston.com/remote.nsf/redirect
uInternet Settings,ProxyOverride = *.local
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
uRun: [Google Update] "c:\documents and settings\joon oh\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [GizmoDriveDelegate] RUNDLL32.EXE c:\progra~1\gizmo\GDRIVE.DLL,Remount_Startup_Images
mRun: [S3TRAY2] S3Tray2.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
mRun: [TPKMAPMN] c:\program files\thinkpad\utilities\TpKmapMn.exe
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Yahoo! Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: {7771DC55-0EA4-4580-9E82-D4170D9BEF8D} - c:\program files\movies extractor scout lite\flashextract.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - hxxp://a1540.g.akamai.net/7/1540/52/20031010/qtinstall.info.apple.com/abarth/us/win/QuickTimeFullInstaller.exe
DPF: {74FFE28D-2378-11D5-990C-006094235084} - hxxp://www-307.ibm.com/pc/support/IbmEgath.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://www.windowsecurity.com/trojanscan/axscan.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {1865347B-BDB8-4AB2-9736-8AD3943766D0} = 8.8.4.4
TCP: {B07D24B1-F473-4D01-B997-AD3E97CD4C04} = 8.8.4.4
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joonoh~1\applic~1\mozilla\firefox\profiles\433sa5xc.firefox2\
FF - plugin: c:\documents and settings\joon oh\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\joon oh\application data\move networks\plugins\npqmp071705000014.dll
FF - plugin: c:\documents and settings\joon oh\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 3\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox 3\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox 3\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox 3\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox 3\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

P2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2003-9-29 237657]
R1 GizmoDrv;Gizmo Device Driver;c:\windows\system32\drivers\gizmodrv.sys [2009-9-26 23624]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2006-10-10 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 67656]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2003-8-24 15360]
R2 Gizmo Central;Gizmo Central;c:\program files\gizmo\gservice.exe [2009-9-26 31856]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2005-11-28 102463]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2003-9-29 69706]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2003-9-29 83008]
S1 aiptektp;HyperPen;c:\windows\system32\drivers\aiptektp.sys [2006-4-7 22272]
S3 GT680xNT;Visioneer OneTouch 7300 Driver;c:\windows\system32\drivers\Gt680x.sys [2004-2-19 17376]
S3 NikeDrv;nike psa[play driver;c:\windows\system32\drivers\nikedrv.sys [2001-8-17 12032]
S3 OkiPar;OkiPar;c:\windows\system32\drivers\OKIPAR.SYS [2001-10-2 40192]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\pc-doc~1\diagno~1\pcdrdrv.sys --> c:\progra~1\pc-doc~1\diagno~1\PCDRDRV.sys [?]
S3 PortTalk;PortTalk;c:\windows\system32\drivers\PortTalk.sys [2002-1-12 3567]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 12872]
S3 VisorUsb;Handspring USB;c:\windows\system32\drivers\VisorUsb.sys [2003-9-5 19968]

=============== Created Last 30 ================

2010-06-08 07:34:38 98816 ----a-w- c:\windows\sed.exe
2010-06-08 07:34:38 77312 ----a-w- c:\windows\MBR.exe
2010-06-08 07:34:38 256512 ----a-w- c:\windows\PEV.exe
2010-06-08 07:34:38 161792 ----a-w- c:\windows\SWREG.exe
2010-05-30 03:01:03 0 d-----w- c:\docume~1\joonoh~1\applic~1\Street-Ads
2010-05-30 03:01:03 0 d-----w- c:\docume~1\joonoh~1\applic~1\Sky-Banners

==================== Find3M ====================

2010-04-29 22:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2003-08-29 18:12:00 61440 -c--a-w- c:\windows\inf\i386\Viz7300.dll
2003-08-29 18:12:00 17376 -c--a-w- c:\windows\inf\i386\Gt680x.sys
2004-09-24 23:39:00 56 -csh--r- c:\windows\system32\EC0BEE9A4D.sys

============= FINISH: 9:28:37.29 ===============


#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:30 PM

Posted 14 June 2010 - 09:41 PM

... and how's your computer running? Any more problems/symptoms left?

#15 june2010

june2010
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:30 AM

Posted 15 June 2010 - 05:05 AM

So far, so good. I'll let you know if anything happens again. Thanks for your help. Let me know if there is anything else I should do.



