winlogon.exe and explorer.exe virus


  • This topic is locked
28 replies to this topic

#1 lokii99

lokii99

  • Members
  • 19 posts
  • OFFLINE
  • Local time:09:50 AM

Posted 07 September 2010 - 07:55 PM

I originally posted this here (http://www.bleepingcomputer.com/forums/topic345572.html), but have moved it to this forum:

Hi all,

I started getting a problem that I can't seem to get around. AVG started throwing warnings telling me that C:\WINDOWS\system32\winlogon.exe and C:\WINDOWS\explorer.exe were viruses. It identifies it as WIN32/Patched.FM. The resident shield was coming up every few seconds to warn me about it, but that stopped about 2 days ago. Now my computer is freezing if I try to run anything that takes a lot of memory. I ran the gmer.exe program and was able to get the scan completed after 5 hours or so. But I can't save the file; it freezes whenever I try to save it to my desktop. I tried to take a screenshot and copy it into Photoshop, but Photoshop can't run at the same time as gmer.exe. Again, it feels like the computer is running out of memory having both files open.

Ok, I just tried to copy and paste my dds.txt, but it keeps giving me an error for some reason saying it can't connect to the server. So I'll upload the dds.txt instead.

Any help would be appreciated

Thanks,
Iain


DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 15:34:50.81 on Mon 09/06/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2368 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Autodesk\SketchBookPro2010\SketchBookSnapshot.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Seagate\SeagateManager\Backup\MaxBackServiceInt.exe
C:\Program Files\Seagate\SeagateManager\ManagerApp\stxmanager.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: adShotHlpr Object: {0d55ac31-dd56-4b33-b769-97b8ddb8190d} - c:\windows\system32\wsbop.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: moigh Object: {ccd0a908-df5a-4a87-ab4c-12c66a8334e4} - c:\windows\system32\ssbop.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=900
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Hmuvevezuyocadis] rundll32.exe "c:\windows\atelopoci.dll",Startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sketch~1.lnk - c:\program files\autodesk\sketchbookpro2010\SketchBookSnapshot.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229209624765
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\57b2k4hn.default\
FF - prefs.js: browser.startup.homepage - hxxp://ca.msn.com/?st=1
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\tabletplugins\npwacom.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {26581014-4CE9-4F53-A149-C9FE64204EF0} - c:\documents and settings\administrator\local settings\application data\{26581014-4CE9-4F53-A149-C9FE64204EF0}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-6 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-6 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-6 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\cyberlink\powerdvd8\000.fcl [2008-10-7 61424]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-6 297752]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-26 189736]
R2 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files\autodesk\3ds max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [2009-3-12 86016]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-12-12 3032360]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2010-8-10 4949288]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2008-12-12 16168]

=============== Created Last 30 ================

2010-08-19 23:20:22 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-08-19 23:20:22 0 d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-08-19 23:20:14 0 d-----w- c:\program files\SUPERAntiSpyware
2010-08-19 23:03:39 0 d-----w- c:\program files\Trend Micro
2010-08-19 03:03:29 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-08-19 02:58:31 0 d-----w- c:\windows\ERUNT
2010-08-19 02:51:43 0 d-----w- C:\SDFix
2010-08-19 02:30:19 0 d-----w- c:\program files\Yahoo!
2010-08-19 02:30:17 0 d-----w- c:\program files\CCleaner
2010-08-18 00:40:48 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-14 15:25:34 120 ----a-w- c:\windows\Jbazamewobeyitam.dat
2010-08-14 15:25:34 0 ----a-w- c:\windows\Kduriyiyimevocog.bin
2010-08-14 15:24:06 5 ----a-w- C:\zrpt.xml
2010-08-14 15:23:47 0 d-----w- c:\docume~1\admini~1\applic~1\15815FB150F89D00FD0C0B4D7BCB787A
2010-08-11 01:14:08 1744515 ------w- c:\windows\system32\WacomTablet.znc
2010-08-11 01:14:02 7731496 ------w- c:\windows\system32\WacomTablet.cpl
2010-08-11 01:13:50 409896 ------w- c:\windows\system32\Wacom_Tablet.dll
2010-08-11 01:13:45 4949288 ------w- c:\windows\system32\Wacom_Tablet.exe

==================== Find3M ====================

2010-07-07 23:01:13 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2008-12-05 06:28:52 8 --sh--r- c:\windows\system32\4C398540F7.sys
2010-03-27 02:14:40 1056 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 15:38:00.92 ===============

Attached Files

  • Attached File  DDS.zip   6.65KB   4 downloads

Edited by Noviciate, 08 September 2010 - 02:15 PM.
Merged replies ~Pandy



#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:50 PM

Posted 08 September 2010 - 02:16 PM

Good evening.

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.


#3 lokii99

lokii99
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:09:50 AM

Posted 08 September 2010 - 07:01 PM

Thanks for the help so far. I got ComboFix to run. Here's the log it made.


ComboFix 10-09-08.01 - Administrator 09/08/2010 19:29:52.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2780 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\malware_removal_attempt\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\inst.exe
c:\documents and settings\Administrator\Local Settings\Application Data\{26581014-4CE9-4F53-A149-C9FE64204EF0}
c:\documents and settings\Administrator\Local Settings\Application Data\{26581014-4CE9-4F53-A149-C9FE64204EF0}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{26581014-4CE9-4F53-A149-C9FE64204EF0}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{26581014-4CE9-4F53-A149-C9FE64204EF0}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{26581014-4CE9-4F53-A149-C9FE64204EF0}\install.rdf
c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server
c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server\admin.txt
c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server\server.dat
c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server\uses32.dat
C:\Thumbs.db
c:\windows\atelopoci.dll

Infected copy of c:\windows\system32\drivers\disk.sys was found and disinfected
Restored copy from - Kitty had a snack :p
c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-08-08 to 2010-09-08 )))))))))))))))))))))))))))))))
.

2010-08-19 23:20 . 2010-09-06 13:47 63488 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-08-19 23:20 . 2010-08-19 23:20 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-08-19 23:20 . 2010-09-06 13:47 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-19 23:20 . 2010-08-19 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-08-19 23:20 . 2010-08-19 23:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-08-19 23:20 . 2010-09-06 13:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-19 23:03 . 2010-08-19 23:03 -------- d-----w- c:\program files\Trend Micro
2010-08-19 03:03 . 2010-08-19 03:03 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-08-19 02:58 . 2010-08-19 02:58 -------- d-----w- c:\windows\ERUNT
2010-08-19 02:51 . 2010-08-19 03:56 -------- d-----w- C:\SDFix
2010-08-19 02:30 . 2010-09-06 14:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-08-19 02:30 . 2010-08-19 02:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!
2010-08-19 02:30 . 2010-08-19 02:30 -------- d-----w- c:\program files\Yahoo!
2010-08-19 02:30 . 2010-08-19 02:30 -------- d-----w- c:\program files\CCleaner
2010-08-18 00:41 . 2010-08-18 00:41 -------- d-----w- c:\program files\Common Files\Java
2010-08-18 00:40 . 2010-08-18 00:40 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-77407a8e-n\decora-sse.dll
2010-08-18 00:40 . 2010-08-18 00:40 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2e2d572d-n\msvcp71.dll
2010-08-18 00:40 . 2010-08-18 00:40 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2e2d572d-n\jmc.dll
2010-08-18 00:40 . 2010-08-18 00:40 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2e2d572d-n\msvcr71.dll
2010-08-18 00:40 . 2010-08-18 00:40 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-77407a8e-n\decora-d3d.dll
2010-08-18 00:40 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-17 00:23 . 2010-08-17 00:23 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-08-14 15:25 . 2010-09-08 02:47 120 ----a-w- c:\windows\Jbazamewobeyitam.dat
2010-08-14 15:25 . 2010-09-07 11:33 0 ----a-w- c:\windows\Kduriyiyimevocog.bin
2010-08-14 15:23 . 2010-08-14 18:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\15815FB150F89D00FD0C0B4D7BCB787A
2010-08-11 01:13 . 2010-02-01 22:45 409896 ------w- c:\windows\system32\Wacom_Tablet.dll
2010-08-11 01:13 . 2010-02-01 22:45 4949288 ------w- c:\windows\system32\Wacom_Tablet.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-08 23:29 . 2008-12-12 04:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\WTablet
2010-09-08 01:32 . 2008-12-04 05:46 -------- d-----w- c:\program files\Steam
2010-09-06 20:45 . 2009-01-31 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-09-06 18:06 . 2008-12-05 02:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-09-06 15:19 . 2008-12-05 05:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-09-06 13:55 . 2008-12-27 19:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\Temp
2010-09-06 13:49 . 2009-02-07 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-19 02:39 . 2008-12-13 06:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Media Player Classic
2010-08-18 00:58 . 2008-12-05 06:14 -------- d-----w- c:\program files\Autodesk
2010-08-18 00:40 . 2009-01-24 13:24 -------- d-----w- c:\program files\Java
2010-08-15 00:59 . 2009-02-07 17:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-11 03:09 . 2008-11-26 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-08-11 01:13 . 2008-12-12 04:51 -------- d-----w- c:\program files\Tablet
2010-07-14 03:18 . 2009-11-27 11:23 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2010-07-13 23:37 . 2010-07-13 23:37 -------- d-----w- c:\program files\TabletPlugins
2010-07-07 23:01 . 2010-07-07 23:01 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-06-30 12:31 . 2008-04-14 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-27 01:37 . 2010-06-27 01:37 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-26 04:18 . 2010-06-26 04:18 12124624 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\AdobeAIRInstaller.exe
2010-06-26 04:18 . 2010-06-26 04:18 71680 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-06-24 12:22 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2008-04-14 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2008-04-14 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-04-14 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2008-11-26 22:30 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2008-04-14 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2008-12-05 06:28 . 2008-12-05 06:28 8 --sh--r- c:\windows\system32\4C398540F7.sys
2010-03-27 02:14 . 2008-12-05 06:28 1056 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2008-04-14 . CBF8C5D23B22BF72AF45E522CF90EAA5 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . EC771A80356F2A3E0436C721F2C48E78 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-02 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-08-07 136176]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-06 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-08 2048352]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-03-30 624248]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2009-08-04 318096]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-03-16 1040384]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SketchBook Snapshot.lnk - c:\program files\Autodesk\SketchBookPro2010\SketchBookSnapshot.exe [2009-2-23 708608]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-26 01:27 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Alias SketchBook Snapshot.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Alias SketchBook Snapshot.lnk
backup=c:\windows\pss\Alias SketchBook Snapshot.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
2008-10-08 01:31 75048 ----a-w- c:\program files\CyberLink\Shared Files\brs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-08-08 12:11 490952 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 20:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVD8LanguageShortcut]
2007-12-14 16:36 50472 ------w- c:\program files\CyberLink\PowerDVD8\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 02:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl8]
2008-03-21 01:23 83240 ------w- c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"c:\\Program Files\\Steam\\steamapps\\biglokii\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\UDK\\Binaries\\Win32\\UDK.exe"=
"c:\\UDK\\Binaries\\SwarmAgent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\mentalray\\satellite\\raysat_3dsmax2010_32server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\mentalray\\satellite\\raysat_3dsmax2010_32.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/6/2009 12:18 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/6/2009 12:19 AM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [10/7/2008 9:31 PM 61424]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/6/2009 12:18 AM 297752]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [12/12/2008 12:51 AM 3032360]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [8/10/2010 9:13 PM 4949288]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [12/12/2008 12:51 AM 16168]
S2 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [3/12/2009 5:36 PM 86016]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/7/2008 3:34 PM 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder

2010-08-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-09-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-179605362-682003330-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-07 17:29]

2010-09-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-179605362-682003330-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-07 17:29]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\57b2k4hn.default\
FF - prefs.js: browser.startup.homepage - hxxp://ca.msn.com/?st=1
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\TabletPlugins\npwacom.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

BHO-{0D55AC31-DD56-4B33-B769-97B8DDB8190D} - c:\windows\system32\wsbop.dll
BHO-{CCD0A908-DF5A-4A87-AB4C-12C66A8334E4} - c:\windows\system32\ssbop.dll
HKLM-Run-nwiz - nwiz.exe
HKLM-Run-Hmuvevezuyocadis - c:\windows\atelopoci.dll
MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
AddRemove-_{05D60953-9012-44DF-A1A6-9DD97AD6580A} - c:\program files\Corel\Corel Painter X\MSILauncher {05D60953-9012-44DF-A1A6-9DD97AD6580A}



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-08 19:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1177238915-179605362-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,94,a5,e2,b5,41,17,71,4f,98,66,81,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,94,a5,e2,b5,41,17,71,4f,98,66,81,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2010-09-08 19:42:15
ComboFix-quarantined-files.txt 2010-09-08 23:42

Pre-Run: 94,994,878,464 bytes free
Post-Run: 95,461,535,744 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - A70DF7A2686CDA0FB7B2A087FBC0F8A9


#4 lokii99
  • Topic Starter
  • Members
  • 19 posts

Posted 08 September 2010 - 07:03 PM

The computer's running ok for now; I haven't tried anything too intensive on it so far. I'll try getting the gmer.exe scan and log again tonight. AVG is still picking up the virus on winlogon.exe. On the plus side, the browser redirect problem I was having seems to be fixed.

-Iain

Edited by lokii99, 09 September 2010 - 08:19 AM.


#5 Noviciate
  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 09 September 2010 - 01:56 PM

Good evening.

Pay a visit to the ESET Online Scanner.
  • Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
  • Accept the ActiveX download, and allow it to install.
  • Once this has been completed, you will see the Computer Scan settings page - ensure that you uncheck the "Remove found threats" box and then click Start.
  • The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download SystemLook by jpshortstuff from one of the links below and save it to your Desktop:
  • Linky #1
  • Linky #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    CODE
    :filefind
    explorer.*
    winlogon.*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan - the log can also be found on your Desktop entitled SystemLook.txt
  • Please post the contents of this log in your next reply.

So long, and thanks for all the fish.


#6 lokii99
  • Topic Starter
  • Members
  • 19 posts

Posted 10 September 2010 - 07:18 AM

Got both scans finished successfully. Here are the results for ESET:


C:\Qoobox\Quarantine\C\WINDOWS\atelopoci.dll.vir a variant of Win32/Cimag.CK trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\disk.sys.vir Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{8CCFB7DD-5865-4820-BA57-DF8CEA767E4A}\RP11\A0020725.dll a variant of Win32/Cimag.CK trojan
C:\System Volume Information\_restore{8CCFB7DD-5865-4820-BA57-DF8CEA767E4A}\RP8\A0001162.exe Win32/Adware.Lifze application
C:\System Volume Information\_restore{8CCFB7DD-5865-4820-BA57-DF8CEA767E4A}\RP9\A0004360.exe Win32/Adware.Lifze.O application
C:\WINDOWS\explorer.exe Win32/Bamital.DX trojan
C:\WINDOWS\system32\hlp.dat Win32/Bamital.DT trojan
C:\WINDOWS\system32\winlogon.exe Win32/Bamital.DX trojan
C:\_Install_Files\Clone DVD + AnyDVD + Crack & Serial\AnyDVD\SetupAnyDVD2004.exe probably a variant of Win32/Adware.Agent.EQTHDWD application
Operating memory Win32/Bamital.DX trojan


Here are the results for SystemLook:

SystemLook 04.09.10 by jpshortstuff
Log created at 07:47 on 10/09/2010 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.*"
C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Explorer.zip --a---- 20394 bytes [02:48 07/03/2006] [02:48 07/03/2006] B469409C2B2A33C542190B720E11BD79
C:\Program Files\Steam\steamapps\biglokii\team fortress 2\tf\materials\models\items\safarihat\explorer.vmt --a---- 970 bytes [19:27 29/11/2009] [19:27 29/11/2009] 33B8AF7BD42BD3669C3A68CBC24848C5
C:\Program Files\Steam\steamapps\biglokii\team fortress 2\tf\materials\models\items\safarihat\explorer.vtf --a---- 1048664 bytes [19:27 29/11/2009] [19:27 29/11/2009] AB0A38F6AEFF7DEE0CE994C75C35EF31
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [12:00 14/04/2008] [12:00 14/04/2008] EC771A80356F2A3E0436C721F2C48E78
C:\WINDOWS\explorer.scf --a--c- 80 bytes [12:00 14/04/2008] [12:00 14/04/2008] A3975A7D2C98B30A2AE010754FFB9392

Searching for "winlogon.*"
C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [12:00 14/04/2008] [12:00 14/04/2008] CBF8C5D23B22BF72AF45E522CF90EAA5

-= EOF =-


Thanks again,
Iain
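The Sigcheck lines in the ComboFix log earlier in the thread and the SystemLook output in this post both record size, timestamps and MD5 for explorer.exe and winlogon.exe, and both show that the patched files keep the original size and the original 2008-04-14 date; only the hash gives them away. The script below is an added example (not part of the thread, ComboFix or SystemLook): it parses both log formats, joins the entries by path, and compares each file with a baseline of expected size and MD5. The baseline hashes for the two system files are constructed placeholders standing in for values read from a clean copy of the same Windows build; the explorer.scf entry reuses the log's own hash purely to exercise the "clean" branch.

```python
"""Cross-check the file-integrity evidence quoted in this thread.

Added example (not from the thread, ComboFix or SystemLook). Parses the
Sigcheck lines from the ComboFix log and the filefind lines from the
SystemLook log, joins them by path, and compares each file with a baseline
of expected size and MD5. The baseline hashes for explorer.exe and
winlogon.exe are CONSTRUCTED placeholders for hashes from a clean build.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# ComboFix Sigcheck: "[-] YYYY-MM-DD . MD5 . size . . [version] . . path"
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[-+])\] (?P<date>\d{4}-\d{2}-\d{2}) \. (?P<md5>[0-9A-Fa-f]{32}) \. "
    r"(?P<size>\d+) \. \. \[(?P<version>[^\]]+)\] \. \. (?P<path>.+)$"
)
# SystemLook filefind: "path attrs size bytes [created] [modified] MD5"
SYSTEMLOOK_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-A-Za-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class Evidence:
    path: str          # lower-cased so entries from both logs join on the same key
    size: int
    md5: str
    source: str        # "sigcheck" or "systemlook"
    version: Optional[str] = None


@dataclass
class Baseline:
    size: int
    md5: str


def parse_sigcheck(lines: Iterable[str]) -> List[Evidence]:
    found = []
    for line in lines:
        m = SIGCHECK_RE.match(line.strip())
        if m:
            found.append(Evidence(m["path"].lower(), int(m["size"]),
                                  m["md5"].upper(), "sigcheck", m["version"]))
    return found


def parse_systemlook(lines: Iterable[str]) -> List[Evidence]:
    found = []
    for line in lines:
        m = SYSTEMLOOK_RE.match(line.strip())
        if m:
            found.append(Evidence(m["path"].lower(), int(m["size"]),
                                  m["md5"].upper(), "systemlook"))
    return found


def assess(evidence: Iterable[Evidence], baseline: Dict[str, Baseline]) -> Dict[str, str]:
    """One verdict per path. Size and date alone cannot clear a file: the
    patched binaries in this thread keep the original size and timestamp."""
    by_path: Dict[str, List[Evidence]] = defaultdict(list)
    for e in evidence:
        by_path[e.path].append(e)
    verdicts: Dict[str, str] = {}
    for path, items in by_path.items():
        hashes = {e.md5 for e in items}
        if len(hashes) > 1:
            verdicts[path] = "inconsistent: tools report different hashes"
            continue
        expected = baseline.get(path)
        if expected is None:
            verdicts[path] = "no baseline"
            continue
        md5, size = hashes.pop(), items[0].size
        if md5 == expected.md5:
            verdicts[path] = "clean"
        elif size == expected.size:
            verdicts[path] = "patched: size matches baseline but hash differs"
        else:
            verdicts[path] = "modified: size and hash differ from baseline"
    return verdicts


# Sample input copied from the logs quoted in this thread.
SIGCHECK_LINES = [
    r"[-] 2008-04-14 . CBF8C5D23B22BF72AF45E522CF90EAA5 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe",
    r"[-] 2008-04-14 . EC771A80356F2A3E0436C721F2C48E78 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe",
]
SYSTEMLOOK_LINES = [
    r'Searching for "explorer.*"',  # header line, ignored by the parser
    r"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Explorer.zip --a---- 20394 bytes [02:48 07/03/2006] [02:48 07/03/2006] B469409C2B2A33C542190B720E11BD79",
    r"C:\WINDOWS\explorer.exe --a---- 1033728 bytes [12:00 14/04/2008] [12:00 14/04/2008] EC771A80356F2A3E0436C721F2C48E78",
    r"C:\WINDOWS\explorer.scf --a--c- 80 bytes [12:00 14/04/2008] [12:00 14/04/2008] A3975A7D2C98B30A2AE010754FFB9392",
    r"C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [12:00 14/04/2008] [12:00 14/04/2008] CBF8C5D23B22BF72AF45E522CF90EAA5",
]

# Constructed baseline. The two placeholder hashes stand for values read from a
# clean machine; explorer.scf reuses the log's own hash only to show the "clean" branch.
KNOWN_GOOD = {
    r"c:\windows\explorer.exe": Baseline(1033728, "PLACEHOLDER-MD5-OF-CLEAN-EXPLORER"),
    r"c:\windows\system32\winlogon.exe": Baseline(507904, "PLACEHOLDER-MD5-OF-CLEAN-WINLOGON"),
    r"c:\windows\explorer.scf": Baseline(80, "A3975A7D2C98B30A2AE010754FFB9392"),
}


def run_example() -> Dict[str, str]:
    evidence = parse_sigcheck(SIGCHECK_LINES) + parse_systemlook(SYSTEMLOOK_LINES)
    return assess(evidence, KNOWN_GOOD)


if __name__ == "__main__":
    for path, verdict in run_example().items():
        print(f"{verdict:50} {path}")
```

With a real baseline the two system files come out as "patched: size matches baseline but hash differs", which is the same conclusion ESET reached, while the version-number check suggested later in the thread is the minimum needed before a replacement copy is used; the hash comparison is the stronger check when a clean machine of the same build is to hand.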




#7 Noviciate
  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 10 September 2010 - 01:54 PM

Good evening.

As you may have noticed from the ESET results, you have an infection called Bamital. To remove this requires two system files to be replaced that have been infected, and unfortunately you don't appear to have any back-up files that would be of use on your system.
Do you have access to another Windows XP Pro Service Pack 3 machine that you could acquire these two files from?

So long, and thanks for all the fish.


#8 lokii99
  • Topic Starter
  • Members
  • 19 posts

Posted 10 September 2010 - 02:22 PM

I can get the files from my girlfriend's laptop. Is it just a simple matter of copying the new files over the infected ones? Do I need to copy anything else other than the 2 listed below?

C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\winlogon.exe

*I just tried looking for
C:\WINDOWS\system32\hlp.dat
on my girlfriend's computer and it can't be found. I assume it's safe to say I can delete this from my infected system?

-Iain

Edited by lokii99, 10 September 2010 - 02:37 PM.


#9 Noviciate
  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 10 September 2010 - 05:11 PM

QUOTE
I assume it's safe to say I can delete this from my infected system?

That depends on whether you want to bork your PC or not - it stays until the other two files have been swapped over.
Please make sure that the two files in question have the same version numbers as the ones on your machine - right click each and select Properties:

C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\winlogon.exe


Once you've got them, you need to place them in the root of your machine to give the following:

C:\explorer.exe
C:\winlogon.exe


Once you've done that, let me know. As they are system files, it isn't as simple as just copy and pasting.

So long, and thanks for all the fish.


#10 lokii99
  • Topic Starter
  • Members
  • 19 posts

Posted 10 September 2010 - 05:35 PM

Whew! Glad I asked before doing anything.

Ok, I've got the files and the version numbers match the ones on the infected machine. I've copied the clean explorer.exe and winlogon.exe files into the root of C:\

-Iain

#11 Noviciate
  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 11 September 2010 - 01:33 PM

Good evening.

Read through the following instructions to be sure that you understand what is required and if you are unclear about anything at all, ask BEFORE you begin:
  • Restart your computer.
  • Before Windows loads, you will be prompted to choose which Operating System to start.
  • Use the up/down arrow keys to select Microsoft Windows Recovery Console.
  • You need to tell the PC which Windows installation to access (there may be more than one) - select the C:\Windows option and press <ENTER>.
You now need to enter the following two commands, one at a time, pressing <ENTER> after each, ensuring that you do so exactly as shown:
    ren explorer.exe explorer.old
    copy c:\explorer.exe c:\windows\explorer.exe
After entering the final command you should see the message 1 file(s) copied which indicates that it has been successful. If you do not see this message, enter the copy command again checking that you have done so correctly. If you still do not see the message, you need to enter the following command:
    ren explorer.old explorer.exe
This will restore the infected file so that your system will function correctly on reboot.

* If you are prompted that you are about to overwrite a file when you enter the copy command, you need to select No as something hasn't gone correctly.

If the file isn't successfully copied you should exit the Recovery Console - see bottom of post. If all goes well however, run the following set of three commands:
    cd system32
    ren winlogon.exe winlogon.old
    copy c:\winlogon.exe c:\windows\system32\winlogon.exe
Again you should see the 1 file(s) copied message - if you don't, you should repeat the copy command and if that doesn't work you need to enter the following command:
    ren winlogon.old winlogon.exe
Again, if you are prompted that you are about to overwrite a file when you enter the copy command, you need to select No

Once you have completed both sets of commands, or if you had issues with the first set, enter the following command to exit the Recovery Console:
    exit - this will reboot your system as normal.

Let me know how you get on.

So long, and thanks for all the fish.
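The Recovery Console sequence in this post has a deliberate shape: rename the original aside, copy the clean file into place, check that the copy actually happened, and rename the original back if it did not, so the machine can still boot. The script below is an added example (not from the thread, and not a tool the helper used) that carries out the same rename/copy/verify/rollback sequence on ordinary files, using a temporary directory and constructed placeholder file contents so it runs anywhere. On the real machine the target and replacement paths would be the C:\WINDOWS and C:\ locations given above; the verification step here compares size and MD5 of the copied file against the clean copy, which is the explicit form of the "1 file(s) copied" check.

```python
"""Rename-aside, copy, verify, roll back: the file swap from the Recovery
Console steps, expressed as a script with the safety checks made explicit.

Added example, not from the thread. Runs in a temporary directory on
constructed placeholder files so it can be tried anywhere.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Callable, Dict


def md5_of(path: Path) -> str:
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def files_match(a: Path, b: Path) -> bool:
    """Size and hash must both agree; size alone is not an integrity check."""
    return a.stat().st_size == b.stat().st_size and md5_of(a) == md5_of(b)


def replace_system_file(target: Path, replacement: Path,
                        verify: Callable[[Path, Path], bool] = files_match) -> str:
    """ren target target.old; copy replacement target; check; ren back on failure."""
    backup = target.with_suffix(".old")
    if not target.is_file():
        return "abort: target missing"
    if not replacement.is_file():
        return "abort: replacement missing"
    if backup.exists():
        return "abort: .old backup already exists"   # never clobber an earlier backup
    target.rename(backup)                             # ren explorer.exe explorer.old
    try:
        if target.exists():
            # A copy here would prompt to overwrite; the post says to answer No.
            raise RuntimeError("target still present after rename")
        shutil.copyfile(replacement, target)          # copy c:\explorer.exe c:\windows\explorer.exe
        if not verify(target, replacement):           # the "1 file(s) copied" check, made explicit
            raise RuntimeError("copied file does not match the clean copy")
    except Exception as exc:
        if target.exists():
            target.unlink()
        backup.rename(target)                         # ren explorer.old explorer.exe
        return f"rolled back: {exc}"
    return "replaced"


def demo() -> Dict[str, object]:
    """Three runs: a normal swap, a missing clean copy, and a forced verification failure."""
    results: Dict[str, object] = {}
    infected_winlogon = b"MZ constructed placeholder: infected winlogon.exe"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)                  # stands in for C:\
        windows = root / "WINDOWS"        # stands in for C:\WINDOWS
        windows.mkdir()

        # 1. Normal swap: clean explorer.exe staged in the root, as the post requires.
        target = windows / "explorer.exe"
        target.write_bytes(b"MZ constructed placeholder: infected explorer.exe")
        staged = root / "explorer.exe"
        staged.write_bytes(b"MZ constructed placeholder: clean explorer.exe")
        results["swap"] = replace_system_file(target, staged)
        results["swap_verified"] = files_match(target, staged)
        results["backup_kept"] = (windows / "explorer.old").is_file()

        # 2. Clean copy was never staged: nothing is touched.
        winlogon = windows / "winlogon.exe"
        winlogon.write_bytes(infected_winlogon)
        results["missing"] = replace_system_file(winlogon, root / "winlogon.exe")
        results["missing_untouched"] = winlogon.read_bytes() == infected_winlogon

        # 3. Copy "succeeds" but verification fails: the original is renamed back.
        (root / "winlogon.exe").write_bytes(b"MZ constructed placeholder: clean winlogon.exe")
        results["rollback"] = replace_system_file(winlogon, root / "winlogon.exe",
                                                  verify=lambda a, b: False)
        results["rollback_restored"] = (winlogon.read_bytes() == infected_winlogon
                                        and not (windows / "winlogon.old").exists())
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} {value}")
```

The third run is the case the post warns about: if the copy does not report success, the renamed original has to go back before rebooting, otherwise Windows has no explorer.exe or winlogon.exe to load at all.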


#12 lokii99
  • Topic Starter
  • Members
  • 19 posts

Posted 11 September 2010 - 08:43 PM

*Sigh, unfortunately I've now got a bigger problem to take care of first. This morning I turned my computer on and it's gone into a continuous boot-up loop. I pressed F8 and told it to stop rebooting upon system failure, so I could figure out what was going on. I got a blue screen telling me my kernel32.dll was missing or corrupt. After googling this problem it seems like an easy fix using the Recovery Console to replace it from your installation disc, ....which I can't find. I spent the whole afternoon tearing apart the house to try and find it, but it looks like the installation CD is gone. I'm gonna see if some friends have a disc I can use, but other than that I'm out of ideas. I might have to bite the bullet and pay for another copy of Windows.

I've booted up my computer with Ubuntu at the moment. I don't suppose there's a way I can just copy the kernel32.dll from my girlfriend's computer onto a USB stick and paste it onto my computer, is there?

Thanks for your help, Noviciate

-Iain

#13 lokii99
  • Topic Starter
  • Members
  • 19 posts

Posted 11 September 2010 - 08:52 PM

I just looked in my C:\Windows\System32 folder and found a kernel32.old which it says is a backup version. There's no other version in that folder. Can I use the backup version to create a new kernel32.dll?

Thanks,
Iain

#14 Noviciate
  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 12 September 2010 - 03:11 PM

Good evening.

There are two identical copies of kernel32.dll on my system, so take a peek at the following locations and tell me if you've got one in either or both locations:

C:\WINDOWS\system32\dllcache
C:\WINDOWS\ServicePackFiles\i386

So long, and thanks for all the fish.


#15 lokii99
  • Topic Starter
  • Members
  • 19 posts

Posted 12 September 2010 - 03:48 PM

Hi again, Noviciate

I booted up using Ubuntu again and was able to find the kernel32.dll in the first folder you mentioned (C:\WINDOWS\system32\dllcache).

I don't have the second folder you mentioned (C:\WINDOWS\ServicePackFiles\i386).

-Iain



