
infected with SDBot trojans or just false positives?


This topic is locked
32 replies to this topic

#1 artful dodger
  • Members
  • 17 posts
  • Gender:Male

Posted 31 August 2010 - 05:32 AM

Hi there!

I'm facing the exact same problem on two computers -- a laptop under XP and a desktop under Vista...

There are no symptoms on the XP laptop, but there are strange things happening on the desktop Vista.

Let's start with the laptop.

I use the Bitdefender online scanner once a week and I run Spybot and Malware bytes regularly also.

The new Bitdefender is so fast that I'm not sure it's reliable, so I tried the Kaspersky online scan for a change.

Three hours later it told me that I had 2 infections of Backdoor.Win32.SdBot.qzd in a Movie Magic Screenwriter file.

I googled the Trojan, and found that quite a few people who had it also had it in this same Movie Magic Screenwriter file. (and it's in the same place on my other computer.)

Movie Magic is a script formatting program that needs online validation for its installs, so I checked on their site:

It appears that a number of anti-virus programs are flagging parts of Screenwriter as a Trojan or virus, usually "IRC/BackDoor.SdBot4.QPE", but this can vary. Please be assured that the program did not ship or download with any Trojans or viruses.

It is a false positive.

We received confirmation of this in a letter dated April 9, 2010 from a support representative from AVG. Please update your AVG anti-virus as soon as possible, as this problem has been fixed in the latest virus definitions update.


So just to be sure, I ran AVG, Malwarebytes, Spybot in SAFE mode, with no threats detected.

But then I ran a PANDA online scan, and it also flags the trojan, and another virus (see below):

Threats (2)

Bck/Sdbot.JED.... Virus
Not disinfectable

1. c:\windows\downloaded installations\{9a599b54...nwriter 6.msi[unk_0107][netpub.exe]
2. c:\windows\downloaded installations\{f82cdc8d...nwriter 6.msi[unk_0107][netpub.exe]


Trj/Agent.LIZ Virus


1. c:\windows\jestertb.dll

According to one of the security sites:
It avoids being detected by the user by using the following techniques:

* Techniques included in its code to hide its files and processes while it is active.
* It terminates processes belonging to several security tools, such as antivirus programs and firewalls, so they cannot warn the user of the presence of this malware on the computer.
* It deletes the original file from which it was run once it is installed on the computer.
* It modifies system permissions in order to hide itself.


It uses the following techniques to impede detection by antivirus companies:

* It terminates its own execution if it detects that it is being executed in a virtual machine environment, such as VMware or VirtualPC.
* It prevents scanning tools from running, such as Windows Registry Editor, FileMonitor, etc.
* Its code is encrypted and it is only decrypted when it is going to run. Because of this, its code is not legible through a memory dump.
* It terminates its own execution if it detects that a debugging program is active.




I'd noticed that I was having trouble running the online scanners, so then I downloaded the free version of Superantispyware -- updated it, then rebooted and ran it in safe mode. It didn't detect anything.

(I have more problems on the other computer, but let's deal with that later...)

I ran an online trojan scan from windowsecurity that didn't find anything.
I ran rkill and Stinger, with no result.

And so now I'm here! Many thanks for your help and your patience, better safe than sorry...


Simon



The DDS:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Simon at 10:21:21,84 on 31/08/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.33.1036.18.2038.1410 [GMT 2:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
C:\Program Files\Fichiers communs\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Program Files\SAMSUNG\MagicKBD\PerformanceManager.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Simon\Mes documents\Computer related\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Aide pour le lien d'Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [<NO NAME>]
mRun: [EDS] c:\program files\samsung\samsung eds\EDSAgent.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [DMHotKey] c:\program files\samsung\easy display manager\DMLoader.exe
mRun: [BatteryManager] c:\program files\samsung\samsung battery manager\BatteryManager.exe
mRun: [MagicKeyboard] c:\program files\samsung\magickbd\PreMKBD.exe
mRun: [MagicSpeed] c:\program files\samsungodd\magic speed\MagicSL.exe /autorun
mRun: [SUPBackGround] c:\program files\samsung\samsung update plus\SUPBackGround.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SunJavaUpdateSched] "c:\program files\fichiers communs\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Envoyer au périphérique &Bluetooth... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\fichie~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: DVDIdleShell Class: {93994de8-8239-4655-b1d1-5f4e91300429} - c:\program files\dvdidle pro\DVDShell.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\fichiers communs\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\simon\applic~1\mozilla\firefox\profiles\0gohvbjk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/|http://fr.yahoo.com/|http://www.elitemail.org/mail/?UDm=503;Ust=29921057!b61141af|http://www.facebook.com/home.php
FF - component: c:\documents and settings\simon\application data\mozilla\firefox\profiles\0gohvbjk.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\simon\application data\mozilla\firefox\profiles\0gohvbjk.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: d:\mozilla plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-22 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-8-30 28552]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2008-10-28 4300]
R2 DVDAccss;DVDAccss;c:\windows\system32\drivers\DVDAccss.sys [2009-1-15 29156]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [2008-1-14 30208]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [2008-10-28 238464]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-6 1352832]
S2 MLPTDR_N;MLPTDR_N;c:\windows\system32\MLPTDR_N.SYS [2009-8-10 18848]
S3 Dvd43;Dvd43;c:\windows\system32\drivers\Dvd43.sys [2009-1-10 35296]
S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [2006-10-30 19840]

=============== Created Last 30 ================

2010-08-31 08:18:41 0 ----a-w- c:\documents and settings\simon\defogger_reenable
2010-08-30 12:54:07 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-08-30 12:53:25 0 d-----w- c:\program files\Panda Security

==================== Find3M ====================

2010-08-15 15:21:47 90672 ----a-w- c:\windows\system32\perfc00C.dat
2010-08-15 15:21:47 526546 ----a-w- c:\windows\system32\perfh00C.dat
2010-07-27 16:04:14 35296 ----a-w- c:\windows\system32\drivers\Dvd43.sys
2010-07-17 03:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-06 17:28:45 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-30 12:32:14 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:17:24 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:17:23 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:17:23 17408 ----a-w- c:\windows\system32\corpol.dll
2010-06-24 09:02:32 1852032 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 22:02:54 97364760 ----a-w- c:\program files\Ad-AwareInstaller.exe
2010-06-17 14:03:10 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:42:25 1172480 ----a-w- c:\windows\system32\msxml3.dll
2009-01-10 18:32:57 3165824 ----a-w- c:\program files\ccsetup215.exe
2009-01-08 07:05:45 51460046 ----a-w- c:\program files\MovieMagicScreenwriter6.exe

============= FINISH: 10:21:41,51 ===============


#2 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 08 September 2010 - 05:59 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 12 September 2010 - 06:24 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE

#4 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 13 September 2010 - 04:29 PM

Reopened at user's request

-----------------------------------------

It doesn't seem to be a false positive but a real detection of a trojan. I would suggest that your antivirus dealt with it and the second scan found the virus in the quarantine folder. This explained why tools like MBAM did not find it.

Have you been able to locate the files from the Panda filepaths below?


Edited by m0le, 13 September 2010 - 04:29 PM.

m0le is a proud member of UNITE

#5 artful dodger
  • Topic Starter
  • Members
  • 17 posts
  • Gender:Male

Posted 14 September 2010 - 03:02 PM

Hi m0le,

Thanks for your help with these trojans and other pests.

I ran Panda online scan again, and they are still there, although one (Bck/Sdbot.JED.worm) has moved locations.

Below the 30 August scan and today's one (I am also attaching them -- might be easier for you to read.)

;************************************************************************************************
ANALYSIS: 2010-08-30 18:43:20
PROTECTIONS: 1
MALWARE: 3
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Lavasoft Ad-Watch Live! Anti-Virus No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00048354 adware/flashtrack Adware No 0 Yes No c:\program files\flt
00538294 Trj/Agent.LIZ Virus/Trojan No 0 Yes No c:\windows\jestertb.dll
06419169 Bck/Sdbot.JED.worm Virus/Trojan No 1 No No c:\windows\downloaded installations\{90f42154-37ba-4079-85a2-7b2db7ea6a01}\movie magic screenwriter 6.msi[unk_0107][netpub.exe]
06419169 Bck/Sdbot.JED.worm Virus/Trojan No 1 Yes No c:\program files\write brothers, inc\movie magic screenwriter 6\netpub.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;==============================================================================

;***********************************************************************************************************************************************************************************


ANALYSIS: 2010-09-14 14:14:50
PROTECTIONS: 1
MALWARE: 3
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Lavasoft Ad-Watch Live! Anti-Virus No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00048354 adware/flashtrack Adware No 0 Yes No c:\program files\flt
00538294 Trj/Agent.LIZ Virus/Trojan No 0 Yes No c:\windows\jestertb.dll
06419169 Bck/Sdbot.JED.worm Virus/Trojan No 1 No No c:\windows\downloaded installations\{90f42154-37ba-4079-85a2-7b2db7ea6a01}\movie magic screenwriter 6.msi[unk_0107][netpub.exe]
06419169 Bck/Sdbot.JED.worm Virus/Trojan No 1 Yes No c:\system volume information\_restore{a21932bc-6dda-42a7-ace0-57b149ca8d0a}\rp245\a0033185.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description



M0le: I also ran Ad-aware in safe mode and SAS, and neither flagged anything.

I've located the file c:\program files\flt using explorer but don't seem to be able to find the others.

What now?

Many thanks...




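As an added example (not code from the thread, from Panda, or from BleepingComputer), here is a small Python parser for the MALWARE table of the Panda reports pasted above. It classifies each hit by where it lives: inside a System Restore point under System Volume Information, inside a cached .msi package under Downloaded Installations, or as a file on the live system; and it lists which locations changed between the two scans. The sample input is the two MALWARE tables from the reports above, trimmed to those sections; the regular expressions, the `Finding` record and the function names are this example's own assumptions.

```python
"""Parse Panda ActiveScan text reports (the format pasted in this thread) and
classify where each detection lives, so a reader can separate a hit inside a
System Restore point or an MSI installer cache from a file on the live system."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Sample input, constructed for this example by trimming the two Panda reports
# pasted in the thread down to their MALWARE tables.
SCAN_AUG30 = r"""MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;=======
00048354 adware/flashtrack Adware No 0 Yes No c:\program files\flt
00538294 Trj/Agent.LIZ Virus/Trojan No 0 Yes No c:\windows\jestertb.dll
06419169 Bck/Sdbot.JED.worm Virus/Trojan No 1 No No c:\windows\downloaded installations\{90f42154-37ba-4079-85a2-7b2db7ea6a01}\movie magic screenwriter 6.msi[unk_0107][netpub.exe]
06419169 Bck/Sdbot.JED.worm Virus/Trojan No 1 Yes No c:\program files\write brothers, inc\movie magic screenwriter 6\netpub.exe
;=======
SUSPECTS
"""

SCAN_SEP14 = r"""MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;=======
00048354 adware/flashtrack Adware No 0 Yes No c:\program files\flt
00538294 Trj/Agent.LIZ Virus/Trojan No 0 Yes No c:\windows\jestertb.dll
06419169 Bck/Sdbot.JED.worm Virus/Trojan No 1 No No c:\windows\downloaded installations\{90f42154-37ba-4079-85a2-7b2db7ea6a01}\movie magic screenwriter 6.msi[unk_0107][netpub.exe]
06419169 Bck/Sdbot.JED.worm Virus/Trojan No 1 Yes No c:\system volume information\_restore{a21932bc-6dda-42a7-ace0-57b149ca8d0a}\rp245\a0033185.exe
;=======
SUSPECTS
"""


@dataclass(frozen=True)
class Finding:
    """One row of the MALWARE table (field names are this example's own)."""
    id: str
    name: str
    kind: str
    active: bool
    severity: int
    disinfectable: bool
    location: str


def _yes(token: str) -> bool:
    return token.lower() == "yes"


def parse_malware_section(report: str) -> List[Finding]:
    """Return the rows of the MALWARE table, i.e. the lines between MALWARE and SUSPECTS."""
    findings: List[Finding] = []
    in_table = False
    for raw in report.splitlines():
        line = raw.strip()
        if line == "MALWARE":
            in_table = True
            continue
        if line == "SUSPECTS":
            break
        if not in_table or not line or line.startswith(";") or line.startswith("Id "):
            continue
        # Location is the last column and may contain spaces, so split into at most 8 fields.
        parts = line.split(None, 7)
        if len(parts) != 8:
            continue  # ignore malformed rows rather than guessing at them
        fid, name, kind, active, sev, disinf, _disinfected, loc = parts
        findings.append(Finding(fid, name, kind, _yes(active), int(sev), _yes(disinf), loc.lower()))
    return findings


# System Restore keeps copies of changed files under System Volume Information;
# a hit there is an archived copy, not a file the system runs from.
_RESTORE_POINT = re.compile(r"^[a-z]:\\system volume information\\_restore\{[0-9a-f-]+\}\\rp\d+\\")
# Windows Installer caches downloaded .msi packages; the "[...]" suffix names a file inside the package.
_MSI_CACHE = re.compile(r"\\downloaded installations\\.*\.msi\[")


def classify_location(path: str) -> str:
    """'restore-point', 'installer-cache' or 'on-disk' for a path from the report."""
    p = path.lower()
    if _RESTORE_POINT.search(p):
        return "restore-point"
    if _MSI_CACHE.search(p):
        return "installer-cache"
    return "on-disk"


def on_disk_names(findings: List[Finding]) -> List[str]:
    """Detection names that point at a file on the live system, sorted."""
    return sorted({f.name for f in findings if classify_location(f.location) == "on-disk"})


def moved_detections(old: List[Finding], new: List[Finding]) -> Dict[str, Tuple[List[str], List[str]]]:
    """For each detection whose locations changed: (locations gone, locations that appeared)."""
    names = {f.name for f in old} | {f.name for f in new}
    moves: Dict[str, Tuple[List[str], List[str]]] = {}
    for name in names:
        before = {f.location for f in old if f.name == name}
        after = {f.location for f in new if f.name == name}
        if before != after:
            moves[name] = (sorted(before - after), sorted(after - before))
    return moves


if __name__ == "__main__":
    aug, sep = parse_malware_section(SCAN_AUG30), parse_malware_section(SCAN_SEP14)
    for f in sep:
        print(f"{f.name:22} severity={f.severity} {classify_location(f.location):16} {f.location}")
    for name, (gone, appeared) in moved_detections(aug, sep).items():
        print(f"{name}: gone={gone} appeared={appeared}")
```

Run on the two reports, the parser shows the Sdbot hit leaving the program's install folder and reappearing inside restore point rp245, while the flashtrack and Agent.LIZ rows stay at live paths; separating archived copies from live files this way is the first thing to check before deciding whether a scanner's hit describes a file the machine can still run.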
#6 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 14 September 2010 - 06:30 PM

Okay, that last scan has identified the trojan that is causing this.


Please run Combofix

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#7 artful dodger
  • Topic Starter
  • Members
  • 17 posts
  • Gender:Male

Posted 15 September 2010 - 02:06 AM

Hi m0le,

Thanks a lot. Here is the combofix log (sorry, my XP is a French version so the log is in French.)

ComboFix 10-09-14.01 - Simon 15/09/2010 8:51.1.2 - x86
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.33.1036.18.2038.1292 [GMT 2:00]
Lancé depuis: c:\documents and settings\Simon\Mes documents\Computer related\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\jestertb.dll
c:\windows\SEC
c:\windows\SEC\DelMt.cmd
c:\windows\SEC\JRE150.exe
c:\windows\SEC\Marker.exe
c:\windows\SEC\MEMIO.sys
c:\windows\SEC\MEMIO.vxd
c:\windows\SEC\MP10FRN.exe
c:\windows\SEC\SECINSTALL.EXE
c:\windows\SEC\SECINSTALL.INI
c:\windows\SEC\StartMem.exe
D:\install.exe

.
((((((((((((((((((((((((((((( Fichiers créés du 2010-08-15 au 2010-09-15 ))))))))))))))))))))))))))))))))))))
.

2010-09-14 12:24 . 2010-09-14 12:24 63488 ----a-w- c:\documents and settings\Administrateur\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-14 12:23 . 2010-09-14 12:23 52224 ----a-w- c:\documents and settings\Administrateur\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-14 12:23 . 2010-09-14 12:23 117760 ----a-w- c:\documents and settings\Administrateur\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-14 12:21 . 2010-09-14 12:22 -------- d-----w- c:\documents and settings\Administrateur
2010-09-11 22:01 . 2010-09-14 12:20 1003312 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-09-11 21:52 . 2010-08-25 14:25 614544 ----a-w- c:\documents and settings\Simon\Application Data\Mozilla\Firefox\Profiles\0gohvbjk.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-09-11 21:52 . 2010-08-25 14:25 314816 ----a-w- c:\documents and settings\Simon\Application Data\Mozilla\Firefox\Profiles\0gohvbjk.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-09-11 17:41 . 2010-09-11 17:42 -------- d-----w- c:\program files\BBSAK
2010-09-11 14:17 . 2010-09-11 14:17 26694 ----a-r- c:\documents and settings\Simon\Application Data\Microsoft\Installer\{CD7C9B20-D251-4504-B280-7CD2ABEA7B1A}\BlackBerry.exe
2010-09-10 08:39 . 2010-09-14 07:37 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-10 05:59 . 2010-09-10 05:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2010-09-05 22:08 . 2010-09-14 12:18 63488 ----a-w- c:\documents and settings\Simon\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-05 22:08 . 2010-09-05 22:08 52224 ----a-w- c:\documents and settings\Simon\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-05 22:08 . 2010-09-14 12:18 117760 ----a-w- c:\documents and settings\Simon\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-05 22:07 . 2010-09-05 22:07 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-09-05 22:07 . 2010-09-05 22:07 -------- d-----w- c:\documents and settings\Simon\Application Data\SUPERAntiSpyware.com
2010-09-05 22:06 . 2010-09-05 22:07 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-09-05 17:40 . 2010-07-06 17:28 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-08-30 12:54 . 2009-06-30 07:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-08-30 12:53 . 2010-08-30 12:53 -------- d-----w- c:\program files\Panda Security
2010-08-17 14:15 . 2010-08-17 14:15 -------- d-----w- c:\program files\Fichiers communs\Skype

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-14 17:07 . 2008-10-28 22:19 90672 ----a-w- c:\windows\system32\perfc00C.dat
2010-09-14 17:07 . 2008-10-28 22:19 526546 ----a-w- c:\windows\system32\perfh00C.dat
2010-09-14 12:22 . 2010-09-14 12:22 -------- d-----w- c:\documents and settings\Administrateur\Application Data\SUPERAntiSpyware.com
2010-09-10 06:07 . 2009-01-05 18:14 -------- d-----w- c:\documents and settings\Simon\Application Data\Research In Motion
2010-09-10 06:01 . 2009-01-05 18:12 -------- d-----w- c:\program files\Fichiers communs\Research In Motion
2010-09-10 05:59 . 2009-01-05 18:12 -------- d-----w- c:\program files\Research In Motion
2010-09-10 05:49 . 2009-01-05 18:14 256 ----a-w- c:\windows\system32\pool.bin
2010-08-30 10:11 . 2009-11-20 10:52 -------- d-----w- c:\documents and settings\Simon\Application Data\QuickScan
2010-08-19 11:02 . 2009-01-11 15:33 -------- d-----w- c:\documents and settings\Simon\Application Data\Skype
2010-08-18 08:29 . 2009-01-11 15:38 -------- d-----w- c:\documents and settings\Simon\Application Data\skypePM
2010-08-17 15:08 . 2009-06-28 14:29 -------- d-----w- c:\documents and settings\Simon\Application Data\Media Player Classic
2010-08-15 15:37 . 2009-01-06 07:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-08-15 15:15 . 2008-10-28 16:48 -------- d-----w- c:\program files\Fichiers communs\Java
2010-08-15 15:14 . 2008-10-28 16:48 -------- d-----w- c:\program files\Java
2010-08-15 14:45 . 2010-08-15 14:45 503808 ----a-w- c:\documents and settings\Simon\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-185a6574-n\msvcp71.dll
2010-08-15 14:45 . 2010-08-15 14:45 499712 ----a-w- c:\documents and settings\Simon\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-185a6574-n\jmc.dll
2010-08-15 14:45 . 2010-08-15 14:45 348160 ----a-w- c:\documents and settings\Simon\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-185a6574-n\msvcr71.dll
2010-08-15 14:45 . 2010-08-15 14:45 12800 ----a-w- c:\documents and settings\Simon\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1cdc0042-n\decora-d3d.dll
2010-08-15 14:45 . 2010-08-15 14:45 61440 ----a-w- c:\documents and settings\Simon\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1cdc0042-n\decora-sse.dll
2010-08-11 10:44 . 2010-08-11 10:44 507904 ----a-r- c:\windows\system32\btwapi.dll
2010-07-27 16:04 . 2009-01-10 20:14 35296 ----a-w- c:\windows\system32\drivers\Dvd43.sys
2010-07-17 03:00 . 2010-05-02 14:49 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-13 09:20 . 2010-07-13 09:20 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-07-06 17:29 . 2010-07-08 07:05 2979280 -c--a-w- c:\documents and settings\All Users\Application Data\{65893B95-F47B-4483-B883-86BA181E9B54}\Ad-AwareInstall.exe
2010-07-06 17:28 . 2010-06-21 22:09 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-30 12:32 . 2008-10-28 22:19 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:17 . 2008-10-28 22:19 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:17 . 2008-10-28 22:19 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:17 . 2008-10-28 22:19 17408 ----a-w- c:\windows\system32\corpol.dll
2010-06-24 09:02 . 2008-10-28 22:19 1852032 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 22:09 . 2010-06-21 22:09 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-21 22:02 . 2010-06-21 21:59 97364760 ----a-w- c:\program files\Ad-AwareInstaller.exe
2010-06-21 15:27 . 2008-10-28 22:19 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-10-28 22:19 80384 ----a-w- c:\windows\system32\iccvid.dll
2009-01-10 18:32 . 2009-01-10 18:32 3165824 ----a-w- c:\program files\ccsetup215.exe
2009-01-08 07:05 . 2009-01-08 07:05 51460046 ----a-w- c:\program files\MovieMagicScreenwriter6.exe
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-08-25 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-08-26 16851456]
"EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-20 659456]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-10-07 2768896]
"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-14 151552]
"MagicSpeed"="c:\program files\SamsungODD\Magic Speed\MagicSL.exe" [2004-01-12 214016]
"SUPBackGround"="c:\program files\Samsung\Samsung Update Plus\SUPBackGround.exe" [2010-04-20 300912]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-18 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-18 166424]
"SunJavaUpdateSched"="c:\program files\Fichiers communs\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\program files\DVDIdle Pro\DVDShell.dll" [2004-10-09 49152]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^BTTray.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^DVD@ccess.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\DVD@ccess.lnk
backup=c:\windows\pss\DVD@ccess.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Simon^Menu Démarrer^Programmes^Démarrage^DeskDancer.lnk]
path=c:\documents and settings\Simon\Menu Démarrer\Programmes\Démarrage\DeskDancer.lnk
backup=c:\windows\pss\DeskDancer.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Simon^Menu Démarrer^Programmes^Démarrage^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Simon\Menu Démarrer\Programmes\Démarrage\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-11 21:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVD43]
2006-10-26 23:58 260096 ----a-w- c:\progra~1\DVDIDL~1\DVDIdlePro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 14:33 141624 ----a-w- D:\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KONICA MINOLTA PagePro 1300WStatusDisplay]
2004-11-18 16:39 147456 ----a-w- c:\windows\system32\MSTMON_N.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2008-06-09 09:16 2363392 ----a-w- c:\program files\Fichiers communs\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-02-18 07:28 137752 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 19:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Samsung\\Samsung Magic Doctor\\MagicDoctor.exe"=
"c:\\Program Files\\Samsung\\Samsung Update Plus\\SupClientApp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\iTunes.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [22/06/2010 00:09 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [30/08/2010 14:54 28552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 20:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 20:41 67656]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [28/10/2008 18:48 4300]
R2 DVDAccss;DVDAccss;c:\windows\system32\drivers\DVDAccss.sys [15/01/2009 17:34 29156]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [14/01/2008 20:01 30208]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [28/10/2008 18:52 238464]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [06/07/2010 19:28 1355928]
S2 MLPTDR_N;MLPTDR_N;c:\windows\system32\MLPTDR_N.SYS [10/08/2009 12:54 18848]
S3 Dvd43;Dvd43;c:\windows\system32\drivers\Dvd43.sys [10/01/2009 22:14 35296]
S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [30/10/2006 15:29 19840]

--- Autres Services/Pilotes en mémoire ---

*Deregistered* - Lavasoft Kernexplorer

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 09:14 451872 ----a-w- c:\program files\Fichiers communs\LightScribe\LSRunOnce.exe
.
Contenu du dossier 'Tâches planifiées'

2010-09-15 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-06 17:54]

2010-05-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 09:50]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Envoyer au périphérique &Bluetooth... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Simon\Application Data\Mozilla\Firefox\Profiles\0gohvbjk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/|http://fr.yahoo.com/|http://www.elitemail.org/mail/?UDm=503;Ust=29921057!b61141af|http://www.facebook.com/home.php
FF - component: c:\documents and settings\Simon\Application Data\Mozilla\Firefox\Profiles\0gohvbjk.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\Simon\Application Data\Mozilla\Firefox\Profiles\0gohvbjk.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\Fichiers communs\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: d:\mozilla plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- PARAMETRES FIREFOX ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-15 08:56
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Heure de fin: 2010-09-15 08:58:12
ComboFix-quarantined-files.txt 2010-09-15 06:58

Avant-CF: 9 591 607 296 octets libres
Après-CF: 9 948 741 632 octets libres

WindowsXP-KB310994-SP2-Home-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Édition familiale" /noexecute=optin /fastdetect

- - End Of File - - 44FFC0EF0670F36C50868148631D362D


#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:10:42 AM

Posted 15 September 2010 - 06:48 PM

Sacre bleu, that was tough

Combofix has removed the jestertb trojan (Google trojan.agent for more about this pest)

Please rerun the Combofix program, as below

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

QUOTE
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)




Referring to the picture above, drag CFScript into ComboFix.exe

If the program requests that you update Combofix, then click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Please then run ESET's online scanner
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
m0le is a proud member of UNITE
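The seven keys in the RegLock:: script above are exactly the ones ComboFix reported under "CLES DE REGISTRE BLOQUEES" in the previous log, where each carried an "@Denied: (A 2) (Everyone)" line. The following read-only PowerShell check is an added example, not code from this thread, from ComboFix or from BleepingComputer: it lists the Deny entries on those keys and the default value each key is registered with, so a helper can see what the denied ACEs correspond to (the log shows "FlashBroker", "IFlashBroker4" and a LocalServer32 pointing at FlashUtil10i_ActiveX.exe) before deciding to unlock them. It assumes PowerShell 2.0 or later is installed on the machine and is run from an elevated prompt; nothing in it changes the registry.

```powershell
# Added example, not from the thread or from ComboFix. Read-only audit of the
# registry keys ComboFix listed under "CLES DE REGISTRE BLOQUEES" and that the
# RegLock:: script above unlocks. Run from an elevated PowerShell prompt on the
# machine in question; nothing here modifies the registry.

$LockedKeys = @(
    'HKLM:\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}',
    'HKLM:\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation',
    'HKLM:\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32',
    'HKLM:\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib',
    'HKLM:\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}',
    'HKLM:\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32',
    'HKLM:\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib'
)

function Get-LockedKeyReport {
    param([string[]]$Paths)

    foreach ($path in $Paths) {
        $row = [ordered]@{
            Key          = $path -replace '^HKLM:\\SOFTWARE\\Classes\\', ''
            Exists       = Test-Path -LiteralPath $path
            DenyEntries  = @()
            DefaultValue = $null
            Note         = ''
        }

        if ($row.Exists) {
            # The Deny ACEs on the key are what make ComboFix print "@Denied: (...) (Everyone)".
            try {
                $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
                $row.DenyEntries = @($acl.Access |
                    Where-Object { $_.AccessControlType -eq 'Deny' } |
                    ForEach-Object { '{0}: {1}' -f $_.IdentityReference, $_.RegistryRights })
            } catch {
                # A key whose ACL cannot even be read is what "locked" looks like from here.
                $row.Note = 'ACL not readable: ' + $_.Exception.Message
            }

            # The default value tells you what the CLSID/interface is registered as
            # (the earlier log shows "FlashBroker" and "IFlashBroker4" on these keys).
            try {
                $row.DefaultValue = (Get-Item -LiteralPath $path -ErrorAction Stop).GetValue('')
            } catch {
                if (-not $row.Note) { $row.Note = 'value not readable: ' + $_.Exception.Message }
            }
        }

        [pscustomobject]$row
    }
}

# Whatever LocalServer32 names should be a file that really exists on disk; the
# log shows FlashUtil10i_ActiveX.exe under c:\WINDOWS\system32\Macromed\Flash.
function Test-LocalServerPath {
    param([string]$ClsidKey)
    $server = $null
    try {
        $server = (Get-Item -LiteralPath "$ClsidKey\LocalServer32" -ErrorAction Stop).GetValue('')
    } catch { return $null }
    if (-not $server) { return $null }
    # Strip surrounding quotes and any trailing command-line switches.
    $exe = ($server -replace '^"([^"]+)".*$', '$1') -replace '\s+/.*$', ''
    [pscustomobject]@{
        LocalServer32 = $server
        Resolved      = $exe
        OnDisk        = Test-Path -LiteralPath $exe
    }
}

Get-LockedKeyReport -Paths $LockedKeys | Format-List
Test-LocalServerPath -ClsidKey $LockedKeys[0] | Format-List
```

Read the output together with the log: a Deny entry for Everyone on a CLSID whose default value and LocalServer32 match what the log already shows for the Flash ActiveX broker is a different situation from a Deny entry on a key whose server path points at a file that is not on disk, and the RegLock:: step above removes the lock either way, so the check is worth running first and keeping with the ComboFix logs.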

#9 artful dodger

artful dodger
  • Topic Starter

  • Members
  • 17 posts
  • Gender:Male
  • Local time:12:42 PM

Posted 16 September 2010 - 11:09 AM

Sacrebleu encore mister m0le, welcome to France!

So combofix has this to say:


ComboFix 10-09-14.01 - Simon 16/09/2010 9:36.2.2 - x86
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.33.1036.18.2038.1453 [GMT 2:00]
Lancé depuis: c:\documents and settings\Simon\Mes documents\Computer related\ComboFix.exe
Commutateurs utilisés :: c:\documents and settings\Simon\Mes documents\Computer related\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.

((((((((((((((((((((((((((((( Fichiers créés du 2010-08-16 au 2010-09-16 ))))))))))))))))))))))))))))))))))))
.

2010-09-14 12:24 . 2010-09-14 12:24 63488 ----a-w- c:\documents and settings\Administrateur\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-14 12:23 . 2010-09-14 12:23 52224 ----a-w- c:\documents and settings\Administrateur\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-14 12:23 . 2010-09-14 12:23 117760 ----a-w- c:\documents and settings\Administrateur\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-14 12:21 . 2010-09-14 12:22 -------- d-----w- c:\documents and settings\Administrateur
2010-09-11 22:01 . 2010-09-14 12:20 1003312 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-09-11 21:52 . 2010-08-25 14:25 614544 ----a-w- c:\documents and settings\Simon\Application Data\Mozilla\Firefox\Profiles\0gohvbjk.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-09-11 21:52 . 2010-08-25 14:25 314816 ----a-w- c:\documents and settings\Simon\Application Data\Mozilla\Firefox\Profiles\0gohvbjk.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-09-11 17:41 . 2010-09-11 17:42 -------- d-----w- c:\program files\BBSAK
2010-09-11 14:17 . 2010-09-11 14:17 26694 ----a-r- c:\documents and settings\Simon\Application Data\Microsoft\Installer\{CD7C9B20-D251-4504-B280-7CD2ABEA7B1A}\BlackBerry.exe
2010-09-10 08:39 . 2010-09-14 07:37 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-10 05:59 . 2010-09-10 05:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2010-09-05 22:08 . 2010-09-14 12:18 63488 ----a-w- c:\documents and settings\Simon\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-05 22:08 . 2010-09-05 22:08 52224 ----a-w- c:\documents and settings\Simon\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-05 22:08 . 2010-09-14 12:18 117760 ----a-w- c:\documents and settings\Simon\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-05 22:07 . 2010-09-05 22:07 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-09-05 22:07 . 2010-09-05 22:07 -------- d-----w- c:\documents and settings\Simon\Application Data\SUPERAntiSpyware.com
2010-09-05 22:06 . 2010-09-05 22:07 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-09-05 17:40 . 2010-07-06 17:28 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-08-30 12:54 . 2009-06-30 07:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-08-30 12:53 . 2010-08-30 12:53 -------- d-----w- c:\program files\Panda Security
2010-08-17 14:15 . 2010-08-17 14:15 -------- d-----w- c:\program files\Fichiers communs\Skype

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-14 17:07 . 2008-10-28 22:19 90672 ----a-w- c:\windows\system32\perfc00C.dat
2010-09-14 17:07 . 2008-10-28 22:19 526546 ----a-w- c:\windows\system32\perfh00C.dat
2010-09-14 12:22 . 2010-09-14 12:22 -------- d-----w- c:\documents and settings\Administrateur\Application Data\SUPERAntiSpyware.com
2010-09-10 06:07 . 2009-01-05 18:14 -------- d-----w- c:\documents and settings\Simon\Application Data\Research In Motion
2010-09-10 06:01 . 2009-01-05 18:12 -------- d-----w- c:\program files\Fichiers communs\Research In Motion
2010-09-10 05:59 . 2009-01-05 18:12 -------- d-----w- c:\program files\Research In Motion
2010-09-10 05:49 . 2009-01-05 18:14 256 ----a-w- c:\windows\system32\pool.bin
2010-08-30 10:11 . 2009-11-20 10:52 -------- d-----w- c:\documents and settings\Simon\Application Data\QuickScan
2010-08-19 11:02 . 2009-01-11 15:33 -------- d-----w- c:\documents and settings\Simon\Application Data\Skype
2010-08-18 08:29 . 2009-01-11 15:38 -------- d-----w- c:\documents and settings\Simon\Application Data\skypePM
2010-08-17 15:08 . 2009-06-28 14:29 -------- d-----w- c:\documents and settings\Simon\Application Data\Media Player Classic
2010-08-15 15:37 . 2009-01-06 07:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-08-15 15:15 . 2008-10-28 16:48 -------- d-----w- c:\program files\Fichiers communs\Java
2010-08-15 15:14 . 2008-10-28 16:48 -------- d-----w- c:\program files\Java
2010-08-15 14:45 . 2010-08-15 14:45 503808 ----a-w- c:\documents and settings\Simon\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-185a6574-n\msvcp71.dll
2010-08-15 14:45 . 2010-08-15 14:45 499712 ----a-w- c:\documents and settings\Simon\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-185a6574-n\jmc.dll
2010-08-15 14:45 . 2010-08-15 14:45 348160 ----a-w- c:\documents and settings\Simon\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-185a6574-n\msvcr71.dll
2010-08-15 14:45 . 2010-08-15 14:45 12800 ----a-w- c:\documents and settings\Simon\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1cdc0042-n\decora-d3d.dll
2010-08-15 14:45 . 2010-08-15 14:45 61440 ----a-w- c:\documents and settings\Simon\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1cdc0042-n\decora-sse.dll
2010-08-11 10:44 . 2010-08-11 10:44 507904 ----a-r- c:\windows\system32\btwapi.dll
2010-07-27 16:04 . 2009-01-10 20:14 35296 ----a-w- c:\windows\system32\drivers\Dvd43.sys
2010-07-17 03:00 . 2010-05-02 14:49 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-13 09:20 . 2010-07-13 09:20 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-07-06 17:29 . 2010-07-08 07:05 2979280 -c--a-w- c:\documents and settings\All Users\Application Data\{65893B95-F47B-4483-B883-86BA181E9B54}\Ad-AwareInstall.exe
2010-07-06 17:28 . 2010-06-21 22:09 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-30 12:32 . 2008-10-28 22:19 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:17 . 2008-10-28 22:19 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:17 . 2008-10-28 22:19 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:17 . 2008-10-28 22:19 17408 ----a-w- c:\windows\system32\corpol.dll
2010-06-24 09:02 . 2008-10-28 22:19 1852032 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 22:09 . 2010-06-21 22:09 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-21 22:02 . 2010-06-21 21:59 97364760 ----a-w- c:\program files\Ad-AwareInstaller.exe
2010-06-21 15:27 . 2008-10-28 22:19 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2009-01-10 18:32 . 2009-01-10 18:32 3165824 ----a-w- c:\program files\ccsetup215.exe
2009-01-08 07:05 . 2009-01-08 07:05 51460046 ----a-w- c:\program files\MovieMagicScreenwriter6.exe
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-08-25 2424560]
"AdobeUpdater"="c:\program files\Fichiers communs\Adobe\Updater5\AdobeUpdater.exe" [2009-01-16 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-08-26 16851456]
"EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-20 659456]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-10-07 2768896]
"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-14 151552]
"MagicSpeed"="c:\program files\SamsungODD\Magic Speed\MagicSL.exe" [2004-01-12 214016]
"SUPBackGround"="c:\program files\Samsung\Samsung Update Plus\SUPBackGround.exe" [2010-04-20 300912]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-18 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-18 166424]
"SunJavaUpdateSched"="c:\program files\Fichiers communs\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\program files\DVDIdle Pro\DVDShell.dll" [2004-10-09 49152]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^BTTray.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^DVD@ccess.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\DVD@ccess.lnk
backup=c:\windows\pss\DVD@ccess.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Simon^Menu Démarrer^Programmes^Démarrage^DeskDancer.lnk]
path=c:\documents and settings\Simon\Menu Démarrer\Programmes\Démarrage\DeskDancer.lnk
backup=c:\windows\pss\DeskDancer.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Simon^Menu Démarrer^Programmes^Démarrage^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Simon\Menu Démarrer\Programmes\Démarrage\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-11 21:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVD43]
2006-10-26 23:58 260096 ----a-w- c:\progra~1\DVDIDL~1\DVDIdlePro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 14:33 141624 ----a-w- D:\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KONICA MINOLTA PagePro 1300WStatusDisplay]
2004-11-18 16:39 147456 ----a-w- c:\windows\system32\MSTMON_N.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2008-06-09 09:16 2363392 ----a-w- c:\program files\Fichiers communs\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-02-18 07:28 137752 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 19:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Samsung\\Samsung Magic Doctor\\MagicDoctor.exe"=
"c:\\Program Files\\Samsung\\Samsung Update Plus\\SupClientApp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\iTunes.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [22/06/2010 00:09 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [30/08/2010 14:54 28552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 20:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 20:41 67656]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [28/10/2008 18:48 4300]
R2 DVDAccss;DVDAccss;c:\windows\system32\drivers\DVDAccss.sys [15/01/2009 17:34 29156]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [14/01/2008 20:01 30208]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [28/10/2008 18:52 238464]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [06/07/2010 19:28 1355928]
S2 MLPTDR_N;MLPTDR_N;c:\windows\system32\MLPTDR_N.SYS [10/08/2009 12:54 18848]
S3 Dvd43;Dvd43;c:\windows\system32\drivers\Dvd43.sys [10/01/2009 22:14 35296]
S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [30/10/2006 15:29 19840]

--- Other Services/Drivers in memory ---

*Deregistered* - Lavasoft Kernexplorer

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 09:14 451872 ----a-w- c:\program files\Fichiers communs\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-09-15 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-06 17:54]

2010-05-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 09:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Envoyer au périphérique &Bluetooth... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Simon\Application Data\Mozilla\Firefox\Profiles\0gohvbjk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/|http://fr.yahoo.com/|http://www.elitemail.org/mail/?UDm=503;Ust=29921057!b61141af|http://www.facebook.com/home.php
FF - component: c:\documents and settings\Simon\Application Data\Mozilla\Firefox\Profiles\0gohvbjk.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\Simon\Application Data\Mozilla\Firefox\Profiles\0gohvbjk.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\Fichiers communs\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: d:\mozilla plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX SETTINGS ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************
Scanning for hidden processes ...

Scanning for hidden autostart entries ...

Scanning for hidden files ...

Scan completed successfully
Hidden files:

**************************************************************************
.
--------------------- DLLs loaded in running processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\igfxdev.dll

- - - - - - - > 'explorer.exe'(3332)
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\fr-fr\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\fr-fr\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-09-16 09:43:53
ComboFix-quarantined-files.txt 2010-09-16 07:43
ComboFix2.txt 2010-09-15 06:58

Pre-Run: 9,983,311,872 bytes free
Post-Run: 9,973,682,176 bytes free

- - End Of File - - 24064FF5DAA69546E76EF9A912DC1CF8

I then ran ESET online scan -- nothing detected.

FYI
-- I haven't turned off nor rebooted my computer since we started.
-- When I ran combofix it asked to download the new version to update, which seemed suspicious so I declined...


Simon

#10 m0le (Malware Response Team, London, UK)

Posted 16 September 2010 - 04:54 PM

QUOTE
When I ran combofix it asked to download the new version to update, which seemed suspicious so I declined...


I like your suspicious nature but in this case it was a legitimate update. I see no reason at this stage to update and run it again.

Reboot the PC now. How is the PC running?

Edited by m0le, 16 September 2010 - 04:55 PM.

m0le is a proud member of UNITE

#11 artful dodger (Topic Starter, Members)

Posted 17 September 2010 - 06:07 PM

Hey m0le!

Hope you're having a good Friday night, wherever you may be... Enjoy!

I'm afraid we're sort of back where we started:

-- I rebooted.
-- I ran ESET online, and it found nothing.
-- I ran MBAM and it found nothing.
-- I ran Adaware in safe mode (6 hours!) and it found nothing.

-- So I finally ran PANDA ONLINE (Kaspersky is down) and it FOUND three problems:
(log also attached)

;***********************************************************************************************************************************************************************************
ANALYSIS: 2010-09-17 07:22:32
PROTECTIONS: 1
MALWARE: 3
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Lavasoft Ad-Watch Live! Anti-Virus No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00048354 adware/flashtrack Adware No 0 Yes No c:\program files\flt
00538294 Trj/Agent.LIZ Virus/Trojan No 0 Yes No c:\system volume information\_restore{a21932bc-6dda-42a7-ace0-57b149ca8d0a}\rp252\a0033737.dll
00538294 Trj/Agent.LIZ Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\jestertb.dll.vir
06419169 Bck/Sdbot.JED.worm Virus/Trojan No 1 No No c:\windows\downloaded installations\{90f42154-37ba-4079-85a2-7b2db7ea6a01}\movie magic screenwriter 6.msi[unk_0107][netpub.exe]
06419169 Bck/Sdbot.JED.worm Virus/Trojan No 1 Yes No c:\system volume information\_restore{a21932bc-6dda-42a7-ace0-57b149ca8d0a}\rp245\a0033185.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================


So what is this sneaky Trojan up to and how do we kill it? Them?

Thanks again,


Simon


#12 m0le (Malware Response Team, London, UK)

Posted 17 September 2010 - 07:05 PM

No, we're doing fine.

QUOTE
c:\program files\flt
c:\system volume information\_restore{a21932bc-6dda-42a7-ace0-57b149ca8d0a}\rp252\a0033737.dll
c:\qoobox\quarantine\c\windows\jestertb.dll.vir
c:\windows\downloaded installations\{90f42154-37ba-4079-85a2-7b2db7ea6a01}\movie magic screenwriter 6.msi
c:\system volume information\_restore{a21932bc-6dda-42a7-ace0-57b149ca8d0a}\rp245\a0033185.exe



This is the list from Panda. There are two things to remove and the rest will be gone when we uninstall Combofix.


First please run OTM

We need to execute an OTM script
  1. Please download OTM by OldTimer and save it to your desktop.
  2. Double click the icon on your desktop.
  3. Paste the following code under the area. Do not include the word "Code".
    CODE
    :Files
    c:\program files\flt
    c:\windows\downloaded installations\{90f42154-37ba-4079-85a2-7b2db7ea6a01}\movie magic screenwriter 6.msi
  4. Push the large button.
  5. OTM may ask to reboot the machine. Please do so if asked.
  6. Copy/Paste the contents under the line here in your next reply.
  7. If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Post the OTM log.


Next please uninstall Combofix

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Disable any realtime antivirus or antispyware programs.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


Now please rerun your Panda scan.

#13 artful dodger (Topic Starter, Members)

Posted 19 September 2010 - 10:53 AM

Hello m0le,

Here is the OTM log:

========== FILES ==========
c:\program files\FLT\2000\Xtras folder moved successfully.
c:\program files\FLT\2000\Plugins\Xtras folder moved successfully.
c:\program files\FLT\2000\Plugins\Components\Voice folder moved successfully.
c:\program files\FLT\2000\Plugins\Components\System\ToolTips folder moved successfully.
c:\program files\FLT\2000\Plugins\Components\System folder moved successfully.
c:\program files\FLT\2000\Plugins\Components\Start folder moved successfully.
c:\program files\FLT\2000\Plugins\Components\Splash folder moved successfully.
c:\program files\FLT\2000\Plugins\Components\Settings folder moved successfully.
c:\program files\FLT\2000\Plugins\Components\NavBar folder moved successfully.
c:\program files\FLT\2000\Plugins\Components\Machine folder moved successfully.
c:\program files\FLT\2000\Plugins\Components\Login folder moved successfully.
c:\program files\FLT\2000\Plugins\Components\Kernel folder moved successfully.
c:\program files\FLT\2000\Plugins\Components\InputMethods folder moved successfully.
c:\program files\FLT\2000\Plugins\Components\Help folder moved successfully.
c:\program files\FLT\2000\Plugins\Components\End folder moved successfully.
c:\program files\FLT\2000\Plugins\Components\Credits folder moved successfully.
c:\program files\FLT\2000\Plugins\Components\Config folder moved successfully.
c:\program files\FLT\2000\Plugins\Components folder moved successfully.
c:\program files\FLT\2000\Plugins folder moved successfully.
c:\program files\FLT\2000\Lib\Trs\Machine folder moved successfully.
c:\program files\FLT\2000\Lib\Trs folder moved successfully.
c:\program files\FLT\2000\Lib\Titles folder moved successfully.
c:\program files\FLT\2000\Lib\Themes\Standard folder moved successfully.
c:\program files\FLT\2000\Lib\Themes folder moved successfully.
c:\program files\FLT\2000\Lib\Locale\SVE folder moved successfully.
c:\program files\FLT\2000\Lib\Locale\FRA folder moved successfully.
c:\program files\FLT\2000\Lib\Locale\ESP folder moved successfully.
c:\program files\FLT\2000\Lib\Locale\ENG folder moved successfully.
c:\program files\FLT\2000\Lib\Locale\DEU folder moved successfully.
c:\program files\FLT\2000\Lib\Locale folder moved successfully.
c:\program files\FLT\2000\Lib\Fonts folder moved successfully.
c:\program files\FLT\2000\Lib\FltOe\Text folder moved successfully.
c:\program files\FLT\2000\Lib\FltOe folder moved successfully.
c:\program files\FLT\2000\Lib folder moved successfully.
c:\program files\FLT\2000\Data\Profiles\SIMON folder moved successfully.
c:\program files\FLT\2000\Data\Profiles\Guest folder moved successfully.
c:\program files\FLT\2000\Data\Profiles folder moved successfully.
c:\program files\FLT\2000\Data\Patches\Volumes folder moved successfully.
c:\program files\FLT\2000\Data\Patches folder moved successfully.
c:\program files\FLT\2000\Data\Lessons folder moved successfully.
c:\program files\FLT\2000\Data\Config folder moved successfully.
c:\program files\FLT\2000\Data\Cache folder moved successfully.
c:\program files\FLT\2000\Data folder moved successfully.
c:\program files\FLT\2000 folder moved successfully.
c:\program files\FLT folder moved successfully.
c:\windows\downloaded installations\{90f42154-37ba-4079-85a2-7b2db7ea6a01}\Movie Magic Screenwriter 6.msi moved successfully.

OTM by OldTimer - Version 3.1.16.1 log created on 09192010_124952

I then ran Panda again. Still infected... but we're down to one.

Here is the log:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2010-09-19 17:48:50
PROTECTIONS: 1
MALWARE: 1
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Lavasoft Ad-Watch Live! Anti-Virus No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
06419169 Bck/Sdbot.JED.worm Virus/Trojan No 1 No No c:\_otm\movedfiles\09192010_124952\c_windows\downloaded installations\{90f42154-37ba-4079-85a2-7b2db7ea6a01}\movie magic screenwriter 6.msi[unk_0107][netpub.exe]
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================



#14 m0le (Malware Response Team, London, UK)

Posted 19 September 2010 - 02:18 PM

No, we're down to zero. Look where that file is:

c:\_otm\movedfiles\09192010_124952\c_windows\downloaded installations\{90f42154-37ba-4079-85a2-7b2db7ea6a01}\movie magic screenwriter 6.msi[unk_0107][netpub.exe]

It's in the OTM quarantine.

How is the PC running now?

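m0le's reading of the two Panda reports (post #12: two live items, the rest sitting in quarantine folders or System Restore points; post #14: the one remaining hit is inside OTM's MovedFiles folder) can be mechanised. The script below is an added example, not part of this thread and not Panda, OTM or ComboFix code. It assumes Panda's row layout exactly as printed above (Id, Description, Type, Active, Severity, Disinfectable, Disinfected, then a Location that may contain spaces and end in `[member]` brackets for hits inside an installer or archive); the quarantine-path patterns it recognises (ComboFix's `C:\Qoobox\Quarantine`, OTM's `C:\_OTM\MovedFiles`, System Restore's `_restore{...}` folders) are taken from the paths posted in this thread. The two embedded reports are copied from the posts above, trimmed to the lines the parser reads.

```python
"""Triage Panda ActiveScan rows: which detections are actually live on disk?"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Row layout as printed in the reports above. Location is last because it
# contains spaces, so everything after the seventh field is the path.
ROW = re.compile(
    r"^(?P<id>\d{8})\s+(?P<name>\S+)\s+(?P<kind>\S+)\s+(?P<active>Yes|No)\s+"
    r"(?P<severity>\d+)\s+(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+"
    r"(?P<location>.+)$"
)
# A hit inside an installer/archive is written as  path[member][member]...
SPLIT_MEMBERS = re.compile(r"^(?P<path>.*?)(?P<tail>(?:\[[^\]]*\])*)$")
MEMBER = re.compile(r"\[([^\]]*)\]")


@dataclass
class Detection:
    id: str
    name: str
    path: str                  # file on disk, archive members stripped
    members: tuple[str, ...]   # nested members, e.g. ("unk_0107", "netpub.exe")
    where: str                 # live | restore-point | combofix-quarantine | otm-quarantine


def classify(path: str) -> str:
    """Quarantine / restore-point patterns exactly as they appear in this thread."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point"          # purged when ComboFix is uninstalled
    if "\\qoobox\\quarantine\\" in p:
        return "combofix-quarantine"    # removed together with ComboFix
    if "\\_otm\\movedfiles\\" in p:
        return "otm-quarantine"         # OTM's MovedFiles folder
    return "live"


def parse_report(text: str) -> list[Detection]:
    hits = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:                       # separators, headers, PROTECTIONS rows
            continue
        sm = SPLIT_MEMBERS.match(m["location"])
        path = sm["path"]
        hits.append(Detection(m["id"], m["name"], path,
                              tuple(MEMBER.findall(sm["tail"])), classify(path)))
    return hits


def summary_count(text: str) -> int | None:
    """The 'MALWARE: n' header counts distinct detection Ids, not rows."""
    m = re.search(r"^MALWARE:\s*(\d+)", text, re.M)
    return int(m.group(1)) if m else None


def triage(text: str) -> dict:
    hits = parse_report(text)
    return {
        "rows": len(hits),
        "distinct_ids": len({h.id for h in hits}),
        "summary": summary_count(text),
        "live": [h for h in hits if h.where == "live"],
    }


# Both reports are copied from the posts above, trimmed to the lines the parser uses.
REPORT_BEFORE_OTM = r"""
ANALYSIS: 2010-09-17 07:22:32
MALWARE: 3
Id Description Type Active Severity Disinfectable Disinfected Location
00048354 adware/flashtrack Adware No 0 Yes No c:\program files\flt
00538294 Trj/Agent.LIZ Virus/Trojan No 0 Yes No c:\system volume information\_restore{a21932bc-6dda-42a7-ace0-57b149ca8d0a}\rp252\a0033737.dll
00538294 Trj/Agent.LIZ Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\jestertb.dll.vir
06419169 Bck/Sdbot.JED.worm Virus/Trojan No 1 No No c:\windows\downloaded installations\{90f42154-37ba-4079-85a2-7b2db7ea6a01}\movie magic screenwriter 6.msi[unk_0107][netpub.exe]
06419169 Bck/Sdbot.JED.worm Virus/Trojan No 1 Yes No c:\system volume information\_restore{a21932bc-6dda-42a7-ace0-57b149ca8d0a}\rp245\a0033185.exe
"""

REPORT_AFTER_OTM = r"""
ANALYSIS: 2010-09-19 17:48:50
MALWARE: 1
Id Description Type Active Severity Disinfectable Disinfected Location
06419169 Bck/Sdbot.JED.worm Virus/Trojan No 1 No No c:\_otm\movedfiles\09192010_124952\c_windows\downloaded installations\{90f42154-37ba-4079-85a2-7b2db7ea6a01}\movie magic screenwriter 6.msi[unk_0107][netpub.exe]
"""

if __name__ == "__main__":
    for label, report in (("before OTM", REPORT_BEFORE_OTM), ("after OTM", REPORT_AFTER_OTM)):
        t = triage(report)
        print(f"{label}: {t['rows']} rows, {t['distinct_ids']} ids "
              f"(header says {t['summary']}), {len(t['live'])} live")
        for h in t["live"]:
            print(f"  needs action: {h.name} at {h.path} members={h.members or '-'}")
```

A hit whose location ends in `[member]` brackets is inside an installer or archive; the file on disk is the `.msi` itself, which is why moving the `.msi` with OTM moved the detection along with it. Anything that a rescan finds only under a quarantine or restore-point path is already out of the execution path; what is left is to empty that quarantine (or uninstall the tool holding it) once you are sure you will not need the files back.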
#15 artful dodger (Topic Starter, Members)

Posted 20 September 2010 - 02:23 AM

PC is running fine, but it never had any symptoms to begin with...

Should I delete the quarantined file in OTM?
