Win32:Trojan-gen and Win32:Rootkit-gen malwares


80 replies to this topic

#1 bar457
Authentic Member, 183 posts

Posted 28 June 2010 - 10:45 AM

I am getting Avast malware detections telling me I have Win32:Trojan-gen and Win32:Rootkit-gen, of which I have moved many to Virus Chest. The result of the malware is that I get about half of webpage links re-directed to other advertising sites or telling me: OOPS - there is a page error. Also Avast blocks numerous attempted access to a site called: www.inclabtec.biz.uk. So, in addition, I get Windows Application Error boxes for different things such as: 0x7c911129 instruction referenced memory at 0x00184d4d. The memory could not be read. Computer runs slow or hangs sometimes. Help cleaning out the malware would be appreciated.

thanks and regards
bar457 (Barry)

DDS report as follows (I do not know if I have any script blocking, but have not specifically installed any that I know of):-

DDS (Ver_09-06-26.01) - NTFSx86
Run by Administrator at 16:30:51.40 on 28/06/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.68 [GMT 1:00]

AV: avast! antivirus 4.8.1368 [VPS 100628-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\POP Peeper\POPPeeper.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = sbserver:8080
uInternet Settings,ProxyOverride = local.;*.local
uURLSearchHooks: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\youtube downloader toolbar\SearchSettings.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,,c:\windows\temp\crypt_backsock.exe,c:\docume~1\admini~1\locals~1\temp\17f.tmp,c:\docume~1\admini~1\locals~1\temp\1d.tmp
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: : {206e52e0-d52e-11d4-ad54-0000e86c26f6} - c:\progra~1\freshd~1\freshd~1\FDCatch.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\youtube downloader toolbar\SearchSettings.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\1.0\youtubedownloaderToolbarIE.dll
TB: FreshDownload Bar: {ed0e8ca5-42fb-4b18-997b-769e0408e79d} - c:\progra~1\freshd~1\freshd~1\fdiebar.dll
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\1.0\youtubedownloaderToolbarIE.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [PopUpStopperFreeEdition] "c:\progra~1\panicw~1\pop-up~1\PSFree.exe"
uRun: [POP Peeper] "c:\program files\pop peeper\POPPeeper.exe" -min
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [{F230BC08-4182-CA60-C26A-4F0F5F9A7DBE}] "c:\documents and settings\administrator\application data\ebopaw\koso.exe"
uRun: [93b7f60d-dd2e-47c5-887e-49ff2bfa6857_41] rundll32.exe "c:\documents and settings\administrator\application data\93b7f60d-dd2e-47c5-887e-49ff2bfa6857_41.avi", start
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NeroCheck] c:\windows\system32\\NeroCheck.exe
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [nonep] c:\windows\temp\23B.tmp
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {DDDD6D68-CF2E-4E7A-A8DF-43DF07C586F0} - c:\program files\freshdevices\freshdownload\fd.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3 beta 4\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3 beta 4\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 3 beta 4\greprefs\all.js - pref("security.fileuri.origin_policy", 2);
c:\program files\mozilla firefox 3 beta 4\defaults\pref\firefox.js - pref("browser.places.importBookmarksHTML", true);
c:\program files\mozilla firefox 3 beta 4\defaults\pref\firefox.js - pref("browser.places.createdSmartBookmarks", false);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-15 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-12-1 114768]
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2009-11-17 4064]
R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2010-2-8 380928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-12-1 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-12-1 138680]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352832]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-12-1 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-12-1 352920]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2004-5-3 80384]
S1 Klif;KLIF driver;c:\windows\system32\drivers\klif.sys --> c:\windows\system32\drivers\klif.sys [?]
S1 Klmc;KLMC driver;c:\windows\system32\drivers\klmc.sys --> c:\windows\system32\drivers\klmc.sys [?]
S2 PlugPlayRasAuto;Plug and Play PlugPlayRasAuto;c:\windows\system32\1028p.exe srv --> c:\windows\system32\1028p.exe srv [?]
S4 kavsvc;Kaspersky Anti-Virus Service; [x]

=============== Created Last 30 ================

2010-06-24 11:40 64,686 a--sh--- c:\windows\system32\alrsvcy.sys
2010-06-15 17:11 15,880 a------- c:\windows\system32\lsdelete.exe
2010-06-15 16:43 64,288 a------- c:\windows\system32\drivers\Lbd.sys
2010-06-15 16:37 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-15 16:36 <DIR> --d----- c:\program files\Lavasoft
2010-06-10 11:00 3,246 a------- c:\windows\system32\wbem\Outlook_01cb0883c91e24c8.mof
2010-06-10 10:12 743,424 -------- c:\windows\system32\dllcache\iedvtool.dll
2010-06-10 09:11 0 a------- c:\windows\system32\ahuia.sys
2010-06-04 10:27 773 a--s---- c:\windows\system32\3657029765.dat
2010-06-04 10:17 4 a------- c:\docume~1\admini~1\applic~1\dhxiuw.dat

==================== Find3M ====================

2010-05-05 14:30 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 06:22 1,851,264 a------- c:\windows\system32\win32k.sys
2010-05-02 06:22 1,851,264 -------- c:\windows\system32\dllcache\win32k.sys
2010-04-20 06:30 285,696 a------- c:\windows\system32\atmfd.dll
2010-04-20 06:30 285,696 -------- c:\windows\system32\dllcache\atmfd.dll
2010-04-06 04:52 2,462,720 a------- c:\windows\system32\dllcache\WMVCore.dll
2009-11-11 14:08 60,744 a------- c:\documents and settings\administrator\g2mdlhlpx.exe

============= FINISH: 16:33:02.95 ===============



#2 IndiGenus
Teacher Emeritus, 5,251 posts
Interests: Computer Security, Music, Sports

Posted 29 June 2010 - 08:23 AM

Hello Barry and welcome to the forums here at WTT.


Identity Theft

It looks like you have been infected by a few Backdoor Trojans.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

It's very possible that anything could have been installed on your computer by the remote attacker, including opening other backdoors and installing rootkits. While we can attempt to clean what we see in your logs, we cannot guarantee that your computer will be completely in the clear since we have no way of knowing what has been done to the computer. Your computer could be completely compromised at this moment. It may be prudent to backup your information, reformat, and reinstall.

More information on Remote Access Trojans can be found here.

I suggest you do the following immediately:
  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

If, however, you decide that the computer is not used for any sensitive work, or if you do not wish to reformat at this time, I can help you clean your computer to the best of my abilities. I must remind you that I cannot guarantee that your computer will be completely clean afterwards since we have no way of knowing what has been done to it.

To help you make your decision, here are a few related articles that I suggest you read:


Should you have any questions, please feel free to ask.

Please let me know what you decide to do in your next post.
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi
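As an added illustration for this thread (not a tool from the forum, from the DDS author, or from the poster), here is the triage a log reviewer applies to the Pseudo HJT Report above: it flags a Winlogon Userinit value that chain-loads anything beyond the stock userinit.exe, and Run entries that start files out of temp/profile folders, run a .tmp as a program, feed rundll32 a non-DLL, or carry an auto-generated GUID name. The sample lines are copied from the posted DDS log plus two benign entries, and the heuristics are this editor's, not DDS's.

```python
"""Triage autostart entries from a DDS 'Pseudo HJT Report' section.

Added example for this thread (editor's heuristics, not a DDS feature).
"""
import re
from dataclasses import dataclass

# Stock Userinit value on 32-bit Windows XP; anything appended after it is
# chain-loaded at every interactive logon.
DEFAULT_USERINIT = "c:\\windows\\system32\\userinit.exe"

# Folders a legitimate autostart binary almost never lives in (long and 8.3 forms).
SUSPICIOUS_DIRS = ("\\temp\\", "\\application data\\", "\\applic~1\\",
                   "\\local settings\\", "\\locals~1\\")

# GUID-like Run entry names (braces and numeric suffix optional) are auto-generated.
GUID_RE = re.compile(r"^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}(_\d+)?\}?$", re.I)
RUN_RE = re.compile(r"([umd]Run):\s*\[([^\]]*)\]\s*(.*)$", re.I)
USERINIT_RE = re.compile(r"mWinlogon:\s*Userinit=(.*)$", re.I)


@dataclass
class Finding:
    line: str
    reasons: list


def check_userinit(line):
    """Flag a Userinit value that loads anything beyond the stock userinit.exe."""
    m = USERINIT_RE.match(line)
    if not m:
        return None
    entries = [e.strip().lower() for e in m.group(1).split(",") if e.strip()]
    extra = [e for e in entries if e != DEFAULT_USERINIT]
    if not extra:
        return None
    return Finding(line, ["Userinit chain-loads extra programs at logon: " + ", ".join(extra)])


def check_run(line):
    """Flag uRun/mRun/dRun entries showing the launch-location or disguise patterns."""
    m = RUN_RE.match(line)
    if not m:
        return None
    name, cmd = m.group(2), m.group(3)
    low = cmd.lower()
    reasons = []
    if any(d in low for d in SUSPICIOUS_DIRS):
        reasons.append("launches from a user-writable temp/profile folder")
    if re.search(r"\.tmp\b", low):
        reasons.append("runs a .tmp file as a program")
    if low.startswith("rundll32"):
        # rundll32 "<file>",<entry>: the loaded file should be a DLL, not media
        rest = cmd.split(None, 1)[1] if " " in cmd else ""
        target = rest.split(",")[0].strip().strip('"')
        ext = target.rsplit(".", 1)[-1].lower() if "." in target else ""
        if ext != "dll":
            reasons.append("rundll32 loads a non-DLL file (." + ext + ")")
    if GUID_RE.match(name.strip()):
        reasons.append("auto-generated GUID-style entry name")
    return Finding(line, reasons) if reasons else None


def triage(lines):
    """Run every check over DDS report lines; returns findings in log order."""
    findings = []
    for line in lines:
        line = line.strip()
        for check in (check_userinit, check_run):
            f = check(line)
            if f:
                findings.append(f)
    return findings


# Constructed sample: autostart lines copied from the DDS log posted in this thread,
# plus two benign entries (ctfmon, avast) that must not be flagged.
SAMPLE_DDS = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,,c:\windows\temp\crypt_backsock.exe,c:\docume~1\admini~1\locals~1\temp\17f.tmp,c:\docume~1\admini~1\locals~1\temp\1d.tmp
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [{F230BC08-4182-CA60-C26A-4F0F5F9A7DBE}] "c:\documents and settings\administrator\application data\ebopaw\koso.exe"
uRun: [93b7f60d-dd2e-47c5-887e-49ff2bfa6857_41] rundll32.exe "c:\documents and settings\administrator\application data\93b7f60d-dd2e-47c5-887e-49ff2bfa6857_41.avi", start
mRun: [nonep] c:\windows\temp\23B.tmp
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
"""


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS.strip().splitlines()):
        print(f.line[:70] + ("..." if len(f.line) > 70 else ""))
        for r in f.reasons:
            print("   -", r)
```

On the sample it reports exactly the four entries the helper's later ComboFix run removed (sdra64.exe and the temp .tmp files, koso.exe, the .avi loaded by rundll32, and 23B.tmp) and nothing else.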


#3 bar457
Authentic Member, 183 posts

Posted 29 June 2010 - 10:50 AM

Hello Indigenus

Thanks for your reply. I have had no more Avast virus warnings or error boxes since my last posting, although I am still getting web re-directs when clicking links, mostly to an advertising site page called www.road-traffic.com which offers other sites to look at. Also no more detection of trying to access site: www.inclabtec.biz.uk

I forgot to say that I could not get System Restore to work with several restore dates I tried. Also when I tried to run a HijackThis scan, it displayed everything except O1 items, as it said a hosts file has invalid linebreaks and these items could not be reported.

I have checked my Avast virus chest files and can see that the Rootkit-gen malware was actually back in 2008, so we can discount that. Many of the detected malware files in my Avast virus chest have been in temp or Temp internet files, so these will have been removed when running CleanUp software. Most of them were Win32:Malware-gen.

I do not have any personal sensitive info on the computer such as bank account details, etc, so would like to go for the help with clean up rather than re-format. I know that I need to follow your instructions exactly and will do. Hope I do not need to turn off the antivirus and firewall as I worry that I may be still under attack!

cheers.............. bar457

Your help in wiping these little suckers will be much appreciated.

#4 IndiGenus
Teacher Emeritus, 5,251 posts
Interests: Computer Security, Music, Sports

Posted 29 June 2010 - 04:07 PM

Okay good enough....

Hope I do not need to turn off the antivirus and firewall as I worry that I may be still under attack

You will need to turn off the AV, but not your Firewall. It's only temporary and won't be for long, so don't worry.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Edited by IndiGenus, 29 June 2010 - 04:09 PM.



#5 bar457
Authentic Member, 183 posts

Posted 01 July 2010 - 12:45 PM

Hi Indigenus

Ok, I ran Combofix which completed ok and installed the Windows XP Recovery Module. It then started the restart process; a message showed saying:- PV.cfxxe-DLL Initialisation Failed, because unit was shutting down. It required me to click OK to progress. On restarting, I entered the User Name/password details and it started to progress, but very quickly a black screen appeared with the message: Non-system disk or disk error, replace and strike any key when ready (with cursor flashing underneath). The computer is stuck there and I am messaging you from another computer - hope you know what to do here!!

ps. I did not get an email advising I had a reply on your site, I went and looked today as I thought it was taking a while to hear and there was your reply (still no email at time of posting).

thanks bar457

#6 IndiGenus
Teacher Emeritus, 5,251 posts
Interests: Computer Security, Music, Sports

Posted 01 July 2010 - 12:55 PM

Have you tried rebooting again? If not please do so. Also try booting to Safe Mode if that doesn't work. Press F8 on start up then select Safe Mode from the menu.

ps. I did not get an email advising I had a reply on your site, I went and looked today as I thought it was taking a while to hear and there was your reply (still no email at time of posting).

Make sure to check your Junk or Spam folders if you have filters on.

Also make sure you have email notification on in the forum Control Panel.


#7 bar457
Authentic Member, 183 posts

Posted 01 July 2010 - 02:06 PM

Indigenus

Good news, after couple of attempts, a power down and restart worked.

--------------------
Had RUNDLL: Error message Error loading: C:\\Docs & Settings\Administrator\Applications Data\93b7f60d-dd2e-47c5-887e-49ff2bfa6857-42.avi module could not be found.
--------------------

Also cannot find ComboFix report file .txt, looked everywhere in C:\ComboFix but not to be seen, and not on desktop, so think we may have lost it - any ideas?

ps. Got the reply email straight away this time, so seems to be working again.

bar457

#8 IndiGenus
Teacher Emeritus, 5,251 posts
Interests: Computer Security, Music, Sports

Posted 01 July 2010 - 03:01 PM

I would really like to see another go with combofix. Looks like it did part of what it needed to but didn't finish for some reason.


#9 bar457
Authentic Member, 183 posts

Posted 02 July 2010 - 06:57 AM

Indigenus

Difficulty running Combofix again. First it kept telling me Avast online scanner was detected running even though I had disabled all parts of it and I am pretty sure it was not; in the end I have uninstalled Avast just to be safe. Then I tried to run ComboFix and it said a newer version was available and I should update, so I clicked for that but it did not install. So I decided to run the old version I had, but now that will not run and just tells me: ComboFix has encountered a problem and needs to close. I cannot get past that. So I tried to delete it so I could download it again by RUN: combofix /uninstall or combofix /u but neither would work and I just got the same message that it had encountered a problem and needed to close.

It would be good to run it again as it has already made a massive difference and the computer runs like greased lightning. What steps should we take?

bar457

#10 IndiGenus
Teacher Emeritus, 5,251 posts
Interests: Computer Security, Music, Sports

Posted 02 July 2010 - 08:22 AM

EDIT: Removed DDS instructions to include new combofix instructions.

It has been reported that there are issues with the version at bleepingcomputer. Please delete the copy you have and download a copy from the link below.

http://www.forospywa...Bs/ComboFix.exe

Edited by IndiGenus, 02 July 2010 - 08:48 AM.



#11 bar457
Authentic Member, 183 posts

Posted 02 July 2010 - 09:47 AM

Can you tell me how to delete it, as I said in my last message I have tried to uninstall and it would not work ? bar457

#12 bar457
Authentic Member, 183 posts

Posted 02 July 2010 - 10:48 AM

Indigenus

Ok, I have been looking further and it appears that the relating files have been removed from within the C:\ComboFix. However, the folder is still present and now contains a duplicate of all the 'My Computer' folders. This of course contains another C:\ folder which includes another ComboFix folder. This contains another duplicate of all the 'My Computer' folders and so on - this repeats itself as you go on opening the Combofix folders. It seems the 'My Computer' in Explorer has been compromised with this duplication error within the Combofix folder.

I am thinking maybe we should leave this alone and not try to run a new download of ComboFix and trust the previous run has done its job. It did produce a report file at the end of its scan but this appeared to get lost in the aborted restart. Would you have planned to run any other removal or cleanup tools following ComboFix? Perhaps we should pick up from there. Would you need me to run any other reports for viewing at this point? What do you think?

bar457

#13 IndiGenus
Teacher Emeritus, 5,251 posts
Interests: Computer Security, Music, Sports

Posted 02 July 2010 - 10:52 AM

Can you tell me how to delete it, as I said in my last message I have tried to uninstall and it would not work ?

bar457

Just simply right click on it and select delete. Or drag it to the recycling bin. We'll uninstall it when we're done. Yes, I'd like to run the new version.


#14 bar457
Authentic Member, 183 posts

Posted 02 July 2010 - 02:17 PM

Ok, here is the log from the new version, it did not restart the computer as I expected, but left the log on view so I created a folder and saved it:-


ComboFix 10-07-01.02 - Administrator 02/07/2010 19:50:59.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.248 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix1.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\Ebopaw\koso.exe
c:\documents and settings\Administrator\Application Data\Yxfehe
c:\documents and settings\Administrator\Application Data\Yxfehe\xylyd.exe
.
---- Previous Run -------
.
c:\docume~1\ADMINI~1\LOCALS~1\Temp\d1e7f579-db2f-424e-8a42-749f6b4bf62c\wrk21.tmp_42
c:\documents and settings\Administrator\Application Data\93b7f60d-dd2e-47c5-887e-49ff2bfa6857_42.avi
c:\documents and settings\Administrator\Application Data\Ebopaw\koso.exe
c:\documents and settings\Administrator\Application Data\Obutq\ekma.exe
c:\documents and settings\Administrator\g2mdlhlpx.exe
c:\documents and settings\Administrator\Local Settings\Temp\d1e7f579-db2f-424e-8a42-749f6b4bf62c\wrk21.tmp_42
c:\program files\Internet Explorer\config.dat
c:\program files\YouTube Downloader Toolbar\IE\1.0\yoUTubedownloadertoolbarie.dll
c:\program files\YouTube Downloader Toolbar\SeARchsettings.dll
c:\windows\system32\1028p.exe
c:\windows\system32\3657029765.dat
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\sdra64.exe
c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PASSWORD
-------\Legacy_PLUGPLAYRASAUTO
-------\Service_PlugPlayRasAuto


((((((((((((((((((((((((( Files Created from 2010-06-02 to 2010-07-02 )))))))))))))))))))))))))))))))
.

2010-06-24 10:40 . 2010-07-01 14:08 4625422 --sha-w- c:\windows\system32\alrsvcy.sys
2010-06-15 16:11 . 2010-06-15 15:43 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-15 15:43 . 2010-06-15 15:42 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-15 15:37 . 2010-06-24 11:14 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-15 15:37 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-06-15 15:36 . 2010-06-15 15:38 -------- d-----w- c:\program files\Lavasoft
2010-06-10 09:12 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-10 08:11 . 2010-06-29 07:58 0 ----a-w- c:\windows\system32\ahuia.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-02 14:54 . 2010-01-27 12:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\POP Peeper
2010-07-02 12:19 . 2007-09-29 17:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Siukp
2010-07-01 14:45 . 2010-02-16 19:03 -------- d-----w- c:\program files\YouTube Downloader Toolbar
2010-07-01 01:27 . 2009-05-25 16:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\Beif
2010-06-24 11:14 . 2008-01-05 12:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ebopaw
2010-06-22 17:55 . 2005-10-01 07:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Horio
2010-06-14 10:51 . 2008-03-09 18:30 -------- d-----w- c:\program files\Mozilla Firefox 3 Beta 3
2010-06-04 09:17 . 2010-06-04 09:17 4 ----a-w- c:\documents and settings\Administrator\Application Data\dhxiuw.dat
2010-05-23 20:16 . 2010-05-23 20:16 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4d2c054a-n\msvcr71.dll
2010-05-23 20:16 . 2010-05-23 20:16 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-21d05d91-n\decora-sse.dll
2010-05-23 20:16 . 2010-05-23 20:16 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4d2c054a-n\msvcp71.dll
2010-05-23 20:16 . 2010-05-23 20:16 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4d2c054a-n\jmc.dll
2010-05-23 20:16 . 2010-05-23 20:16 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-21d05d91-n\decora-d3d.dll
2010-05-06 10:41 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-04 08:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-22 12:46 . 2009-11-10 18:50 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-20 05:30 . 2004-08-04 08:00 285696 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 12:58 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-30 39408]
"PopUpStopperFreeEdition"="c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 536576]
"POP Peeper"="c:\program files\POP Peeper\POPPeeper.exe" [2010-01-12 1490944]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2004-08-24 88363]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-08 344064]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-03 122939]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-11-12 290816]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-11-19 233534]
"hpWirelessAssistant"="c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" [2004-11-21 790528]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2003-08-18 1048576]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2004-10-26 184320]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2005-9-1 184320]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchSettings]
2010-02-08 12:37 975360 ----a-w- c:\program files\YouTube Downloader Toolbar\SearchSettings.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"helpsvc"=2 (0x2)
"Fax"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [15/06/2010 16:43 64288]
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [17/11/2009 00:44 4064]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [08/02/2010 13:23 380928]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [03/05/2004 17:26 80384]
S1 Klmc;KLMC driver;c:\windows\system32\Drivers\klmc.sys --> c:\windows\system32\Drivers\klmc.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [04/02/2010 16:52 1352832]
.
Contents of the 'Scheduled Tasks' folder

2010-07-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 15:42]

2010-07-01 c:\windows\Tasks\{FA758EFE-AE36-425B-A409-37236371032C}_NX8220_Administrator.job
- c:\windows\system32\mobsync.exe [2004-08-04 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = sbserver:8080
uInternet Settings,ProxyOverride = local.;*.local
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{DDDD6D68-CF2E-4E7A-A8DF-43DF07C586F0} - c:\program files\FreshDevices\FreshDownload\fd.exe
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\sy0rkrb4.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox 3 Beta 4\greprefs\all.js - pref("security.fileuri.origin_policy", 2);
c:\program files\Mozilla Firefox 3 Beta 4\defaults\pref\firefox.js - pref("browser.places.importBookmarksHTML", true);
c:\program files\Mozilla Firefox 3 Beta 4\defaults\pref\firefox.js - pref("browser.places.createdSmartBookmarks", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-{F230BC08-4182-CA60-C26A-4F0F5F9A7DBE} - c:\documents and settings\Administrator\Application Data\Ebopaw\koso.exe
HKCU-Run-93b7f60d-dd2e-47c5-887e-49ff2bfa6857_42 - c:\documents and settings\Administrator\Application Data\93b7f60d-dd2e-47c5-887e-49ff2bfa6857_42.avi
HKCU-Run-{672FC0DA-DF94-82F2-401B-4D1794AC3C54} - c:\documents and settings\Administrator\Application Data\Yxfehe\xylyd.exe
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-02 20:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????8?7?6?5??????? ?4?B?????????????hLC? ??????

scanning hidden files ...


c:\documents and settings\Administrator\Start Menu\Programs\Startup\ntuser_mssec.exe 61440 bytes executable
C:\ntuser_mssec.exe 56832 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3157458898-1794876567-261060495-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,00,44,f0,2e,f2,11,3c,45,90,09,b2,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ba,8f,a7,2d,74,b1,07,40,b6,91,da,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,00,44,f0,2e,f2,11,3c,45,90,09,b2,\

[HKEY_USERS\S-1-5-21-3157458898-1794876567-261060495-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Micro Focus\ASLMF]
@Denied: (C D) (Everyone)
"status"="0"
"ASLMFDIR"="c:\\Program Files\\SYSPRO60\\base"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-07-02 20:15:05
ComboFix-quarantined-files.txt 2010-07-02 19:14

Pre-Run: 7,994,425,344 bytes free
Post-Run: 7,955,951,616 bytes free

- - End Of File - - 7435867F2CC95F8B5E63858C20A9B9BB

#15 IndiGenus

    Teacher Emeritus

  • Authentic Member
  • 5,251 posts
  • Interests: Computer Security, Music, Sports

Posted 02 July 2010 - 03:32 PM

We need to make sure all hidden files are showing so please:

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.


Please go to http://www.virustota.../en/indexf.html
click on Browse, and upload the following file for analysis:

C:\WINDOWS\SYSTEM32\ahuia.sys

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see. Or you can copy the link to the VT results page if that is easier.

Repeat for this file also:

c:\windows\system32\alrsvcy.sys
IndiGenus
