Infected with Desktoplayer.exe, <filename>srv.exe Virus


  • This topic is locked
119 replies to this topic

#1 GerrySantos

  • Members
  • 65 posts
  • Local time:03:30 AM

Posted 30 July 2010 - 09:26 PM

Thanks Orange Blossom for replying on my post (http://www.bleepingcomputer.com/forums/topic335730.html). As per your request, I am creating a new post together with the logs from DDS and GMER.

Again, below are the problems I am having with my laptop:

The problem started when my browser started redirecting me to sites that I did not select from the search result list. It happens on both Yahoo and Google search. 90% of the time, I will be redirected.

I've downloaded anti-malware/spyware programs like MalwareBytes and Lavasoft's AdAware. I ran the programs and they were able to clean/quarantine some files. But the problem did not go away. I even disabled some of the add-ons that I have in my IE.

Then, I ran HijackThis and found that there is an issue with my UserInit registry entry. "C:\Program Files\Microsoft\Desktoplayer.exe" is being added to the string. It keeps coming back even after I remove it from the string. I also cannot delete c:\Program Files\Microsoft\Desktoplayer.exe.

I then downloaded Process Explorer. With this tool, I was able to delete c:\Program Files\Microsoft\Desktoplayer.exe. I then created a dummy file with 0 bytes in it in the same folder with the same filename (Desktoplayer.exe). And then I checked Userinit. "c:\Program Files\Microsoft\Desktoplayer.exe" is now gone, but it added <filename>srv.exe to the string. The <filename> is the same as any .exe file under my "Program Files" folder. And I discovered the virus is also creating other <filename>srv.exe files in other folders in "C:\Program Files". I can delete some of them, but one file cannot be deleted. But with the help of Process Explorer, by closing the handle of that srv.exe file, I was able to delete it. It now allows me to modify the Userinit registry entry, but everything COMES BACK once I reboot. Even if I cleaned/removed the files from Safe Mode, they still come back. During this time, I also noticed that my laptop is becoming very slow.

Below are some of the things that I observed during the time I was working on the problem:

1. After removing the srv files, rebooting in Safe Mode and bringing up Task Manager, I noticed that the srv files are not there anymore, and it allows me to modify Userinit and is not appending anything to the string value. But since I have to check if there are any srv.exe files in the system, I have to bring up Windows Explorer. Once Explorer is up, the virus creates ExplorerSrv.exe in the Windows folder. Again, this can only be deleted after closing the handle from Process Explorer. After deleting the file, I can modify UserInit again. I also noticed that while doing this in Safe Mode, IE keeps showing up. I have to close them so I can continue working.

2. When I rebooted in Normal Mode and brought up Task Manager, I could see the new <filename>srv.exe files in Task Manager. Some of them just go away; some I have to delete from the Task Manager itself. These <filename>srv.exe files are then again created inside the folders in "c:\Program Files". They're being created with the same name and in the same folder as the "Services" being executed when I log on. I can also see IExplorer.exe in Task Manager even though IE is not showing up. Again, I can delete most of them, and at least one I have to kill from Process Explorer before I can delete it. Userinit is modified again with the newly appended srv.exe file. I can modify Userinit after all <filename>srv.exe files have been deleted.

But everything is back when I reboot again.

I don't see anything wrong in the "BootExecute" entry in the registry. And since "Services" come first, before the user enters the password, I suspect the problem is the "Services" entry, either in msconfig or the Registry. But I do not know which ones are legitimate.

I have already reset IE.

I have already spent so many hours trying to fix the problem, but to no avail. Any help that you can extend is greatly appreciated. I'm not sure if the redirect was fixed, since I stopped using the internet from that machine once I discovered Desktoplayer.exe.

Thank you very much for your immediate attention regarding this matter.


As per your instruction, I followed the Guide, starting with #6.

CD Emulation Software was disabled using DeFogger.

Here is the DDS.txt:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 10:15:07.28 on Fri 07/30/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.269 [GMT -4:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Canon\BJPV\TVMon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Owner.LISSALOWE\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6448
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\adobe\acrobat 7.0\reader\acrord32infosrv.exe,c:\progra~1\symant~1\symant~1\rtvscansrv.exe
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: &Google: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\progra~1\google\GOOGLE~1.DLL
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [{A056F4DE-9476-65FD-9028-4A236B223BB3}] "c:\documents and settings\owner.lissalowe\application data\qiemzo\tebin.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [BJPD HID Control] c:\program files\canon\bjpv\TVMon.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mPolicies-system: EnableLUA = 0 (0x0)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - hxxp://www.photodex.com/pxplay.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: ckpNotify - ckpNotify.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-23 64288]
R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2007-4-15 2235760]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2008-3-16 47504]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-6 1352832]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-8-11 30720]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-9-2 671744]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [2008-3-16 121136]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2008-3-16 673872]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-8-11 221184]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100716.004\NAVENG.sys [2010-7-16 85424]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100716.004\NAVEX15.sys [2010-7-16 1362608]
S3 Radialpoint Security Services;Radialpoint Security Services;c:\windows\system32\dllhost.exe [2006-6-17 5120]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-9-28 24652]

=============== Created Last 30 ================

2010-07-30 14:01:47 0 ----a-w- c:\documents and settings\owner.lissalowe\defogger_reenable
2010-07-30 13:58:49 45568 ----a-w- c:\windows\ExplorerSrv.exe
2010-07-26 21:48:37 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-07-26 03:31:40 0 d-----w- c:\program files\Microsoft
2010-07-26 01:52:31 2148 ----a-w- c:\windows\system32\wpa.dbl
2010-07-23 18:21:39 743936 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-23 13:55:59 59904 -c--a-w- c:\windows\system32\dllcache\regsvc.dll
2010-07-23 13:55:59 59904 ----a-w- c:\windows\system32\regsvc.dll
2010-07-20 23:24:31 24576 ----a-w- c:\windows\system32\userinitnew.exe
2010-07-20 17:32:03 74752 -c--a-w- c:\windows\system32\dllcache\spoolss.dll
2010-07-20 17:32:03 74752 ----a-w- c:\windows\system32\spoolss.dll
2010-07-18 13:16:18 38 ----a-w- c:\windows\KillJobs.bat
2010-07-18 13:14:10 58368 ----a-w- c:\windows\jt.exe
2010-07-18 02:33:32 4467 ----a-w- c:\windows\wininit.ini
2010-07-18 01:42:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-07-11 22:30:31 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-11 21:20:03 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{65893B95-F47B-4483-B883-86BA181E9B54}

==================== Find3M ====================

2010-07-20 05:07:23 749568 ----a-w- C:\StubInstaller.exe
2010-07-06 17:28:45 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-27 03:00:01 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-06-23 17:55:01 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20:32 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 10:27:47.96 ===============


Thanks again for the attention on this issue.
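As an added example (not from the thread, and not part of DDS), a small Python triage of the Userinit line from the DDS report above. The Winlogon Userinit value should normally name only userinit.exe; the poster describes the malware dropping a <name>srv.exe beside a legitimate <name>.exe and appending it to that value so it is launched at every logon. The directory listings below are constructed to mirror that description and stand in for a real os.listdir().

```python
"""Triage the Winlogon Userinit value reported in a DDS log.

Added example, not part of the original thread or of DDS itself. DDS_LINE is
copied from the pseudo-HJT section of the report above; SAMPLE_DIRS is a
constructed stand-in for the real folder contents.
"""
import ntpath
import re

# Default Userinit on Windows XP: exactly one entry, the real userinit.exe.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# The line as it appears in the DDS report posted above.
DDS_LINE = (
    "mWinlogon: Userinit=c:\\windows\\system32\\userinit.exe,"
    "c:\\program files\\adobe\\acrobat 7.0\\reader\\acrord32infosrv.exe,"
    "c:\\progra~1\\symant~1\\symant~1\\rtvscansrv.exe"
)

# Constructed directory contents (lower-cased), standing in for os.listdir().
SAMPLE_DIRS = {
    r"c:\windows\system32": {"userinit.exe", "userinitnew.exe"},
    r"c:\program files\adobe\acrobat 7.0\reader": {
        "acrord32.exe", "acrord32info.exe", "acrord32infosrv.exe"},
    r"c:\progra~1\symant~1\symant~1": {"rtvscan.exe", "rtvscansrv.exe", "vptray.exe"},
}


def parse_userinit(line):
    """Return the list of executables named in a 'mWinlogon: Userinit=' DDS line."""
    m = re.match(r"mWinlogon:\s*Userinit=(.*)$", line.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("not a Userinit line")
    # The value is comma-separated; normalise case and strip stray quotes.
    return [p.strip().strip('"').lower() for p in m.group(1).split(",") if p.strip()]


def shadowed_sibling(path, dirs=SAMPLE_DIRS):
    """If path is <name>srv.exe and <name>.exe sits beside it, return that sibling.

    This is the naming pattern the poster describes: the dropped file borrows the
    name of a legitimate executable in the same folder and appends 'srv'.
    """
    folder, fname = ntpath.split(path)
    stem, ext = ntpath.splitext(fname)
    if ext != ".exe" or not stem.endswith("srv"):
        return None
    sibling = stem[:-3] + ".exe"
    return sibling if sibling in dirs.get(folder.lower(), set()) else None


def triage_userinit(line, dirs=SAMPLE_DIRS):
    """Classify each Userinit entry as 'default', 'srv-shadow of <exe>' or 'unexpected'."""
    findings = []
    for entry in parse_userinit(line):
        if entry == DEFAULT_USERINIT:
            findings.append((entry, "default"))
            continue
        sibling = shadowed_sibling(entry, dirs)
        if sibling:
            findings.append((entry, "srv-shadow of " + sibling))
        else:
            # Anything else in Userinit is abnormal and worth a closer look.
            findings.append((entry, "unexpected"))
    return findings


if __name__ == "__main__":
    for entry, verdict in triage_userinit(DDS_LINE):
        print(f"{verdict:32} {entry}")
```

On a live XP machine the same value is read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit, and the comparison against the folder listing is what turns a plausible-looking filename into a finding.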


#2 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:04:30 PM

Posted 06 August 2010 - 09:37 AM

Hello and welcome to Bleeping Computer.

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.



==================================


It's been a week since you last posted the reports needed; please run another DDS and GMER scan. Post the new DDS report and attach the attach.txt of DDS, and also attach the new GMER result. Thank you.


We're so sorry for the delay.
~Semp

You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 GerrySantos
  • Topic Starter

  • Members
  • 65 posts
  • Local time:03:30 AM

Posted 06 August 2010 - 11:40 AM

Thank you Sempai for the reply.

Just to let you know that I have not used the laptop since I posted my last log. I turned it off immediately after I ran DDS and GMER. I'm using a different PC when posting in the forum and surfing the Net. So I would like to know if you still need me to run DDS and GMER and post the log.

Please advise.

Thanks, again.

#4 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:04:30 PM

Posted 06 August 2010 - 11:57 AM

Hi,

No need for a new scan. Let's begin by doing the following:


1. I do not recommend that you have more than one anti-virus product installed and running on your computer at a time.
The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to give "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to Add/Remove in the Control Panel and remove either Lavasoft Ad-Watch Live! (with AV) or Symantec AntiVirus Client.



2. We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy


~Semp



#5 GerrySantos
  • Topic Starter

  • Members
  • 65 posts
  • Local time:03:30 AM

Posted 06 August 2010 - 12:37 PM

Done.

Lavasoft Ad-Aware was uninstalled, and the TeaTimer and SDHelper resident programs were disabled.
Please advise on what to do next.

Thanks.


#6 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:04:30 PM

Posted 06 August 2010 - 12:42 PM

Viewpoint Warning:
I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player


==========================================



One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterward. Let me know what you decide to do.


==========================================



Please do this instruction only if you do not wish to reformat.


Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouse-click ComboFix's window while it's running, because it may cause it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


~Semp



#7 GerrySantos
  • Topic Starter

  • Members
  • 65 posts
  • Local time:03:30 AM

Posted 06 August 2010 - 07:24 PM

Hi Sempai,

Downloaded ComboFix. After it installed the Recovery Console, it started scanning my computer.
I left it running, and for almost two hours the screen never changed. It got stuck on:


Scanning for infected files.....
....
..... may easily double.

Is this normal? I will terminate the program 2 hours after I posted this message. Let me know then if you want me to run it again.


Thanks.




#8 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:04:30 PM

Posted 06 August 2010 - 08:45 PM

Hi,

No, that is not normal.

Please run ComboFix in safe mode. Kindly monitor it while it is running; if it reboots your PC during its run, please make sure to reboot again in safe mode to complete the process.

How to boot in safe mode -> http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/

~Semp



#9 GerrySantos
  • Topic Starter

  • Members
  • 65 posts
  • Local time:03:30 AM

Posted 06 August 2010 - 09:16 PM

OK, I'll terminate the program now and reboot in safe mode.
I'll post the result as soon as it's done.
Thanks again, Semp.

#10 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:04:30 PM

Posted 06 August 2010 - 09:30 PM

You're welcome. Let's wait and see the result of ComboFix.

~Semp



#11 GerrySantos
  • Topic Starter

  • Members
  • 65 posts
  • Local time:03:30 AM

Posted 06 August 2010 - 10:31 PM

ComboFix did not reboot.
Here is the log.




ComboFix 10-08-06.01 - Owner 08/06/2010 22:29:43.1.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.610 [GMT -4:00]
Running from: c:\documents and settings\Owner.LISSALOWE\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner.LISSALOWE\Application Data\Roqoa\oqqu.exe
c:\program files\Internet Explorer\complete.dat
c:\program files\Internet Explorer\dmlconf.dat
c:\program files\Microsoft\DesktopLayer.exe
c:\program files\Shared
C:\Thumbs.db
c:\windows\system32\Thumbs.db
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-07-07 to 2010-08-07 )))))))))))))))))))))))))))))))
.

2010-08-06 21:52 . 2010-08-06 21:52 -------- d-----w- c:\program files\riva
2010-07-30 13:58 . 2010-08-06 21:49 45568 ----a-w- c:\windows\ExplorerSrv.exe
2010-07-27 21:39 . 2010-07-27 21:39 -------- d-----w- c:\program files\Windows Defender
2010-07-26 21:48 . 2010-07-27 01:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-26 03:31 . 2010-08-07 02:41 -------- d-----w- c:\program files\Microsoft
2010-07-23 18:21 . 2010-06-14 14:30 743936 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-23 13:55 . 2004-08-10 19:00 59904 -c--a-w- c:\windows\system32\dllcache\regsvc.dll
2010-07-23 13:55 . 2004-08-10 19:00 59904 ----a-w- c:\windows\system32\regsvc.dll
2010-07-20 23:24 . 2004-08-10 19:00 24576 ----a-w- c:\windows\system32\userinitnew.exe
2010-07-20 17:32 . 2004-08-10 19:00 74752 -c--a-w- c:\windows\system32\dllcache\spoolss.dll
2010-07-20 17:32 . 2004-08-10 19:00 74752 ----a-w- c:\windows\system32\spoolss.dll
2010-07-18 13:16 . 2010-07-22 04:55 38 ----a-w- c:\windows\KillJobs.bat
2010-07-18 13:14 . 1999-03-22 17:01 58368 ----a-w- c:\windows\jt.exe
2010-07-18 01:42 . 2010-07-27 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-11 21:29 . 2010-08-06 17:25 -------- dc----w- c:\windows\system32\DRVSTORE
2010-07-11 21:22 . 2010-07-11 21:22 -------- d-----w- c:\documents and settings\Owner.LISSALOWE\Local Settings\Application Data\Sunbelt Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-07 02:41 . 2007-07-29 19:53 -------- d-----w- c:\documents and settings\Owner.LISSALOWE\Application Data\Roqoa
2010-08-06 21:52 . 2009-03-01 07:20 -------- d-----w- c:\documents and settings\Owner.LISSALOWE\Application Data\Cyhyup
2010-08-06 21:47 . 2006-09-27 06:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-08-06 21:47 . 2006-09-27 06:56 -------- d-----w- c:\program files\Viewpoint
2010-08-06 17:25 . 2010-06-22 02:24 -------- d-----w- c:\program files\Lavasoft
2010-08-06 17:25 . 2009-02-09 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-27 12:07 . 2006-09-27 06:45 -------- d-----w- c:\program files\Google
2010-07-27 11:32 . 2010-06-22 23:59 -------- d-----w- c:\program files\wham
2010-07-23 02:29 . 2006-09-27 06:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-22 12:49 . 2008-02-15 03:58 -------- d-----w- c:\program files\Norton Security Scan
2010-07-20 05:07 . 2005-10-31 15:56 749568 ----a-w- C:\StubInstaller.exe
2010-07-20 03:56 . 2009-05-21 01:20 -------- d-----w- c:\program files\QuickTime
2010-07-20 03:28 . 2007-03-28 01:49 -------- d-----w- c:\program files\ItsDeductible2006
2010-07-19 21:10 . 2009-03-15 23:46 -------- d-----w- c:\program files\Common Files\AnswerWorks 5.0
2010-07-06 23:57 . 2010-07-06 23:57 -------- d-----w- c:\documents and settings\Lissa\Application Data\Malwarebytes
2010-06-27 03:06 . 2010-06-27 03:06 388096 ----a-r- c:\documents and settings\Owner.LISSALOWE\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-27 03:06 . 2010-06-27 03:06 -------- d-----w- c:\program files\Trend Micro
2010-06-27 03:00 . 2010-06-27 03:00 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-06-23 17:55 . 2010-06-23 17:55 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-23 11:01 . 2010-06-23 01:25 -------- d-----w- c:\program files\Frontline Registry Cleaner
2010-06-23 03:48 . 2010-06-23 03:48 -------- d-----w- c:\documents and settings\All Users\Application Data\FrontLine Registry Cleaner
2010-06-22 23:21 . 2010-06-22 16:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-22 00:57 . 2006-10-22 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo!
2010-06-22 00:57 . 2006-10-22 14:13 -------- d-----w- c:\program files\Yahoo!
2010-06-22 00:56 . 2006-10-22 16:48 -------- d--h--r- c:\documents and settings\Owner.LISSALOWE\Application Data\yahoo!
2010-06-22 00:50 . 2008-10-22 01:59 -------- d-----w- c:\program files\Verizon
2010-06-14 14:30 . 2006-06-17 09:38 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-05-10 23:11 . 2010-02-22 17:23 54 ----a-w- c:\windows\system32\rp_stats.dat
2010-05-10 23:11 . 2010-02-22 17:23 39 ----a-w- c:\windows\system32\rp_rules.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2010-07-20 245760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-11-12 1236992]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2010-07-29 131072]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2010-07-20 507904]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2010-07-21 266240]
"BJPD HID Control"="c:\program files\Canon\BJPV\TVMon.exe" [2010-07-26 94208]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

c:\documents and settings\Lissa\Start Menu\Programs\Startup\
ukib.exe [2010-7-27 143360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2008-03-16 17:41 24681 ----a-w- c:\windows\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microtek Scanner Finder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk
backup=c:\windows\pss\Microtek Scanner Finder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner.LISSALOWE^Start Menu^Programs^Startup^dudo.exe]
path=c:\documents and settings\Owner.LISSALOWE\Start Menu\Programs\Startup\dudo.exe
backup=c:\windows\pss\dudo.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2006-01-03 00:41 45056 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-07-26 17:21 462848 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
2008-02-13 17:03 2065648 ----a-w- c:\program files\Verizon\VSP\VerizonServicepoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOLService"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
"YahooAUService"=2 (0x2)
"WinVNC4"=2 (0x2)
"ose"=3 (0x3)
"IntuitUpdateService"=2 (0x2)
"gupdate"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"gusvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=
"c:\\Program Files\\EA SPORTS\\FIFA 07\\fifa07.exe"=
"c:\\Program Files\\Verizon\\Verizon Media Manager\\Release\\Verizon Media Manager.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [4/15/2007 11:35 PM 2235760]
S2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [3/16/2008 1:43 PM 47504]
S2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [3/16/2008 1:43 PM 121136]
S2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [3/16/2008 1:43 PM 673872]
S3 Radialpoint Security Services;Radialpoint Security Services;c:\windows\system32\dllhost.exe [6/17/2006 5:23 AM 5120]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 5:16 PM 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-07-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-08-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 21:16]

2010-08-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 21:16]

2010-08-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6448
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-{A056F4DE-9476-65FD-9028-4A236B223BB3} - c:\documents and settings\Owner.LISSALOWE\Application Data\Roqoa\oqqu.exe
Notify-WgaLogon - (no file)
AddRemove-Lavasoft VX2 Cleaner - c:\progra~1\Lavasoft\Ad-Aware\Plugins\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-06 22:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTPFilter]
"ImagePath"="cardspace"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(240)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-08-06 22:50:15
ComboFix-quarantined-files.txt 2010-08-07 02:49

Pre-Run: 47,831,769,088 bytes free
Post-Run: 47,850,864,640 bytes free

- - End Of File - - 1EE86EB68ECD229C72AFD0ACD96F8E64


#12 sempai (noypi)

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:04:30 PM

Posted 06 August 2010 - 11:40 PM

Thanks for the logs.

Can you tell me what this file is -> c:\windows\system32\userinitnew.exe


================================


1. Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook and copy/paste the following into the box
    CODE
    :filefind
    dudo.exe
    ukib.exe
  • Hit the Look button. Let it finish the scan
  • A log will then pop up on your Desktop. Post the content of the log here in your next reply




2. We need to execute a ComboFix script. (Tutorials on how to disable your anti-virus and anti-malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
KillAll::

File::
c:\windows\ExplorerSrv.exe

Folder::
c:\documents and settings\Owner.LISSALOWE\Application Data\Roqoa
c:\documents and settings\Owner.LISSALOWE\Application Data\Cyhyup
c:\program files\Lavasoft
c:\documents and settings\All Users\Application Data\Lavasoft

DDS::
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

DirLook::
c:\docume~1\alluse~1\applic~1\{65893B95-F47B-4483-B883-86BA181E9B54}


4. Save this as CFScript.txt, in the same location as ComboFix.exe




5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#13 GerrySantos
  • Topic Starter
  • Members
  • 65 posts
  • Local time:03:30 AM

Posted 07 August 2010 - 06:56 AM

Userinitnew.exe was just a copy of userinit.exe.
When I first discovered that there was a problem with Userinit in the registry, I tried renaming userinit.exe, but when I rebooted, my PC recreated the file. Then I renamed the newly created file to userinitnew.exe and renamed the backup back to userinit.exe after discovering that this is a valid file.

I will download the tools you suggested and scan again. Will let you know when it's done.

Thanks.


#14 sempai (noypi)

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:04:30 PM

Posted 07 August 2010 - 07:43 AM

thumbup2.gif

~Semp



#15 GerrySantos
  • Topic Starter
  • Members
  • 65 posts
  • Local time:03:30 AM

Posted 07 August 2010 - 07:54 AM

Hi Semp,

Here's the result of Lookup:


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 08:11 on 07/08/2010 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "dudo.exe"
No files found.

Searching for "ukib.exe"
C:\Documents and Settings\Lissa\Start Menu\Programs\Startup\ukib.exe --a--- 143360 bytes [23:19 27/07/2010] [23:19 27/07/2010] 866747DD09940612C67E323E9B6F245D

-=End Of File=-


ComboFix rebooted my PC after scanning, and here is the log:

ComboFix 10-08-06.01 - Owner 08/07/2010 8:20.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.474 [GMT -4:00]
Running from: c:\documents and settings\Owner.LISSALOWE\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner.LISSALOWE\Desktop\CFScript.txt

FILE ::
"c:\windows\ExplorerSrv.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Lavasoft
c:\documents and settings\All Users\Application Data\Lavasoft\License\adaware.da2
c:\documents and settings\All Users\Application Data\Lavasoft\License\guid.dat
c:\documents and settings\Owner.LISSALOWE\Application Data\Cyhyup
c:\documents and settings\Owner.LISSALOWE\Application Data\Roqoa
c:\program files\Internet Explorer\dmlconf.dat
c:\program files\Lavasoft
c:\program files\Lavasoft\Email Scanner\Thumbs.db
c:\program files\Microsoft\DesktopLayer.exe
c:\windows\ExplorerSrv.exe
c:\program files\Microsoft\DesktopLayer.exe . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2010-07-07 to 2010-08-07 )))))))))))))))))))))))))))))))
.

2010-08-06 21:52 . 2010-08-06 21:52 -------- d-----w- c:\program files\riva
2010-07-27 21:39 . 2010-07-27 21:39 -------- d-----w- c:\program files\Windows Defender
2010-07-26 21:48 . 2010-07-27 01:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-26 03:31 . 2010-08-07 12:29 -------- d-----w- c:\program files\Microsoft
2010-07-23 18:21 . 2010-06-14 14:30 743936 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-23 13:55 . 2004-08-10 19:00 59904 -c--a-w- c:\windows\system32\dllcache\regsvc.dll
2010-07-23 13:55 . 2004-08-10 19:00 59904 ----a-w- c:\windows\system32\regsvc.dll
2010-07-20 23:24 . 2004-08-10 19:00 24576 ----a-w- c:\windows\system32\userinitnew.exe
2010-07-20 17:32 . 2004-08-10 19:00 74752 -c--a-w- c:\windows\system32\dllcache\spoolss.dll
2010-07-20 17:32 . 2004-08-10 19:00 74752 ----a-w- c:\windows\system32\spoolss.dll
2010-07-18 13:16 . 2010-07-22 04:55 38 ----a-w- c:\windows\KillJobs.bat
2010-07-18 13:14 . 1999-03-22 17:01 58368 ----a-w- c:\windows\jt.exe
2010-07-18 01:42 . 2010-07-27 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-11 21:29 . 2010-08-06 17:25 -------- dc----w- c:\windows\system32\DRVSTORE
2010-07-11 21:22 . 2010-07-11 21:22 -------- d-----w- c:\documents and settings\Owner.LISSALOWE\Local Settings\Application Data\Sunbelt Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-06 21:47 . 2006-09-27 06:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-08-06 21:47 . 2006-09-27 06:56 -------- d-----w- c:\program files\Viewpoint
2010-07-27 12:07 . 2006-09-27 06:45 -------- d-----w- c:\program files\Google
2010-07-27 11:32 . 2010-06-22 23:59 -------- d-----w- c:\program files\wham
2010-07-23 02:29 . 2006-09-27 06:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-22 12:49 . 2008-02-15 03:58 -------- d-----w- c:\program files\Norton Security Scan
2010-07-20 05:07 . 2005-10-31 15:56 749568 ----a-w- C:\StubInstaller.exe
2010-07-20 03:56 . 2009-05-21 01:20 -------- d-----w- c:\program files\QuickTime
2010-07-20 03:28 . 2007-03-28 01:49 -------- d-----w- c:\program files\ItsDeductible2006
2010-07-19 21:10 . 2009-03-15 23:46 -------- d-----w- c:\program files\Common Files\AnswerWorks 5.0
2010-07-06 23:57 . 2010-07-06 23:57 -------- d-----w- c:\documents and settings\Lissa\Application Data\Malwarebytes
2010-06-27 03:06 . 2010-06-27 03:06 388096 ----a-r- c:\documents and settings\Owner.LISSALOWE\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-27 03:06 . 2010-06-27 03:06 -------- d-----w- c:\program files\Trend Micro
2010-06-27 03:00 . 2010-06-27 03:00 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-06-23 17:55 . 2010-06-23 17:55 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-23 11:01 . 2010-06-23 01:25 -------- d-----w- c:\program files\Frontline Registry Cleaner
2010-06-23 03:48 . 2010-06-23 03:48 -------- d-----w- c:\documents and settings\All Users\Application Data\FrontLine Registry Cleaner
2010-06-22 23:21 . 2010-06-22 16:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-22 00:57 . 2006-10-22 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo!
2010-06-22 00:57 . 2006-10-22 14:13 -------- d-----w- c:\program files\Yahoo!
2010-06-22 00:56 . 2006-10-22 16:48 -------- d--h--r- c:\documents and settings\Owner.LISSALOWE\Application Data\yahoo!
2010-06-22 00:50 . 2008-10-22 01:59 -------- d-----w- c:\program files\Verizon
2010-06-14 14:30 . 2006-06-17 09:38 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-05-10 23:11 . 2010-02-22 17:23 54 ----a-w- c:\windows\system32\rp_stats.dat
2010-05-10 23:11 . 2010-02-22 17:23 39 ----a-w- c:\windows\system32\rp_rules.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\docume~1\alluse~1\applic~1\{65893B95-F47B-4483-B883-86BA181E9B54} ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2010-07-20 245760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-11-12 1236992]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2010-07-29 131072]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2010-07-20 507904]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2010-07-21 266240]
"BJPD HID Control"="c:\program files\Canon\BJPV\TVMon.exe" [2010-07-26 94208]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

c:\documents and settings\Lissa\Start Menu\Programs\Startup\
ukib.exe [2010-7-27 143360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2008-03-16 17:41 24681 ----a-w- c:\windows\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microtek Scanner Finder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk
backup=c:\windows\pss\Microtek Scanner Finder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner.LISSALOWE^Start Menu^Programs^Startup^dudo.exe]
path=c:\documents and settings\Owner.LISSALOWE\Start Menu\Programs\Startup\dudo.exe
backup=c:\windows\pss\dudo.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2006-01-03 00:41 45056 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-07-26 17:21 462848 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
2008-02-13 17:03 2065648 ----a-w- c:\program files\Verizon\VSP\VerizonServicepoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOLService"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
"YahooAUService"=2 (0x2)
"WinVNC4"=2 (0x2)
"ose"=3 (0x3)
"IntuitUpdateService"=2 (0x2)
"gupdate"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"gusvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=
"c:\\Program Files\\EA SPORTS\\FIFA 07\\fifa07.exe"=
"c:\\Program Files\\Verizon\\Verizon Media Manager\\Release\\Verizon Media Manager.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [4/15/2007 11:35 PM 2235760]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [3/16/2008 1:43 PM 47504]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [3/16/2008 1:43 PM 121136]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [3/16/2008 1:43 PM 673872]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 Radialpoint Security Services;Radialpoint Security Services;c:\windows\system32\dllhost.exe [6/17/2006 5:23 AM 5120]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 5:16 PM 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-07-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 21:16]

2010-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 21:16]

2010-08-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6448
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-07 08:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTPFilter]
"ImagePath"="cardspace"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(904)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1828)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\windows\ehome\mcrdsvc.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_Service.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2010-08-07 08:38:41 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-07 12:38
ComboFix2.txt 2010-08-07 02:50

Pre-Run: 47,839,047,680 bytes free
Post-Run: 47,828,250,624 bytes free

- - End Of File - - BAB437451D551FF5D3BEAC2450FF161E
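As an added example (not part of this thread, and not ComboFix's or SystemLook's own code), here is a Python script that reads the "Reg Loading Points" section of a ComboFix log like the one above and flags the Winlogon Userinit hijack (the extra desktoplayer.exe entry on the winlogon key) together with executables dropped into a Startup folder. The sample log text is a constructed, trimmed copy of the log posted in this thread; the default Userinit path assumes a 32-bit Windows XP install on C:.

```python
"""Audit a ComboFix 'Reg Loading Points' section for Userinit and Startup-folder persistence.

Added example for this thread; it is not ComboFix code. Assumes 32-bit XP on C:.
"""
import re
from typing import Dict, List, Tuple

# Default Userinit value on 32-bit Windows XP/2003 (the real value ends with a comma).
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample: a trimmed copy of the "Reg Loading Points" section from the
# second ComboFix log in this thread (Userinit hijack plus a Startup-folder exe).
SAMPLE_LOG = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

c:\documents and settings\Lissa\Start Menu\Programs\Startup\
ukib.exe [2010-7-27 143360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')          # ComboFix appends " [date size]"
STARTUP_EXE_RE = re.compile(r"^(\S.*\.exe)\s+\[", re.IGNORECASE)
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"


def parse_reg_section(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [KEY] (lower-cased) to its "name"="value" pairs, dropping the [date size] suffix."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def parse_startup_folders(text: str) -> List[Tuple[str, str]]:
    """Return (folder, exe) pairs for the Startup-folder blocks ComboFix prints after the Run keys."""
    found: List[Tuple[str, str]] = []
    folder = None
    for line in text.splitlines():
        if line.endswith("\\") and "startup" in line.lower():
            folder = line                      # a folder header ends with a backslash
            continue
        if folder is None:
            continue
        m = STARTUP_EXE_RE.match(line)
        if m:
            found.append((folder, m.group(1)))
        else:
            folder = None                      # blank line or next key ends the block
    return found


def userinit_entries(value: str) -> List[str]:
    """Split a Userinit value on commas; Winlogon runs every non-empty entry at logon."""
    return [e.strip() for e in value.split(",") if e.strip()]


def audit(text: str) -> List[str]:
    """Return human-readable findings for Userinit extras and Startup-folder executables."""
    findings: List[str] = []
    winlogon = parse_reg_section(text).get(WINLOGON_KEY, {})
    # ComboFix omits the winlogon key when Userinit is at its default, so "absent" means clean.
    for entry in userinit_entries(winlogon.get("Userinit", DEFAULT_USERINIT)):
        if entry.lower() != DEFAULT_USERINIT:
            findings.append(f"Userinit hijack: {entry}")
    for folder, exe in parse_startup_folders(text):
        findings.append(f"Startup-folder executable: {folder}{exe}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```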






