
[Resolved] Can't run anti-spyware + rogue infection


25 replies to this topic

#1 nffc86 (Authentic Member, 28 posts)

Posted 03 October 2009 - 08:37 AM

Hello, last night my computer became infected with the Antivirus 2010 rogue malware. I appear to have gotten rid of it with the help of SD Fix; however, neither SuperAntiSpyware nor Malwarebytes' Anti-Malware will work still, stating I do not have the permissions to run them, when I do. I have run RootRepeal and this is what the log.txt shows below. My AVG doesn't appear to be letting me start a scan either. Please help as I want to make sure I have gotten rid of any more nasties lurking on my laptop!

    ROOTREPEAL © AD, 2007-2009
    ==================================================
    Scan Start Time: 2009/10/03 15:26
    Program Version: Version 1.3.5.0
    Windows Version: Windows XP SP3
    ==================================================

    Drivers
    -------------------
    Name: dump_atapi.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xA9C39000	Size: 98304	File Visible: No	Signed: -
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xF7A92000	Size: 8192	File Visible: No	Signed: -
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xA8621000	Size: 49152	File Visible: No	Signed: -
    Status: -

    Name: SKYNETbqbuypib.sys
    Image Path: C:\WINDOWS\system32\drivers\SKYNETbqbuypib.sys
    Address: 0xA9F5C000	Size: 151552	File Visible: -	Signed: -
    Status: Hidden from the Windows API!

    Name: win32k.sys:1
    Image Path: C:\WINDOWS\win32k.sys:1
    Address: 0xF77D4000	Size: 20480	File Visible: No	Signed: -
    Status: -

    Name: win32k.sys:2
    Image Path: C:\WINDOWS\win32k.sys:2
    Address: 0xA9D5A000	Size: 61440	File Visible: No	Signed: -
    Status: -

    Hidden Services
    -------------------
    Service Name: SKYNEToppfakdv
    Image Path: C:\WINDOWS\system32\drivers\SKYNETbqbuypib.sys

    Service Name: UACd.sys
    Image Path: C:\WINDOWS\system32\drivers\UAChrxoirrslk.sys

    ==EOF==



#2 oldman960 (Forum God, Classroom Teacher, 14,755 posts)

Posted 03 October 2009 - 12:37 PM

Hi nffc86, welcome to the forum.

To make cleaning this machine easier
  • Please do not uninstall/install any programs unless asked to
    It is more difficult when files/programs are appearing in/disappearing from the logs.
  • Please do not run any scans other than those requested
  • Please follow all instructions in the order posted
  • All logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word Wrap if it is checked.
  • Do not attach any logs/reports, etc. unless specifically requested to do so.
  • If you have problems with or do not understand the instructions, please ask before continuing.
  • Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.

Please download exeHelper to your desktop.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log, and post the two logs together (they will both be in the one file).

NEXT

Download and run Win32kDiag:
  • Download Win32kDiag from any of the following locations and save it to your Desktop.
  • Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  • When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  • Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.
    • To ensure the entire contents are copied, right click anywhere in the notepad and click Select All
    • Right click the highlighted text and click Copy

Please post back with
  • exehelper log
  • Win32kDiag log
Thanks

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Threads will be closed if no response after 5 days.

#3 nffc86 (Authentic Member, 28 posts)

Posted 03 October 2009 - 01:10 PM

    exeHelper by Raktor - 09
    Build 20090925
    Run at 20:02:59 on 10/03/09

    Now searching...
    Checking for numerical processes...
    Checking for bad processes...
    Checking for bad files...
    Deleting file C:\WINDOWS\system32\AVR09.exe
    Deleting file C:\WINDOWS\system32\winupdate.exe
    Deleting file C:\WINDOWS\system32\winhelper.dll
    Deleting file C:\Documents and Settings\Helen Melon\Desktop\AntivirusPro_2010.lnk
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    Running from: C:\Documents and Settings\Helen Melon\Desktop\Win32kDiag.exe
    Log file at : C:\Documents and Settings\Helen Melon\Desktop\Win32kDiag.txt

    WARNING: Could not get backup privileges!

    Searching 'C:\WINDOWS'...

    Found mount point : C:\WINDOWS\$hf_mig$\KB890046\KB890046
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\A3W_DATA\A3W_DATA
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\addins\addins
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1E8.tmp\ZAP1E8.tmp
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP23D.tmp\ZAP23D.tmp
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP32B.tmp\ZAP32B.tmp
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP354.tmp\ZAP354.tmp
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\assembly\temp\temp
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\assembly\tmp\tmp
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\Config\Config
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\Debug\UserMode\UserMode
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\ime\chsime\applets\applets
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\ime\imejp\applets\applets
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\ime\imejp98\imejp98
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\ime\shared\res\res
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\java\classes\classes
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\java\trustlib\trustlib
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\Minidump\Minidump
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\mui\mui
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\PIF\PIF
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\security\logs\logs
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
    Mount point destination : \Device\__max++>\^

    Cannot access: C:\WINDOWS\system32\eventlog.dll

-------------------------------------------------------------------------------------

I did not get anything which said press any key at the end of running Win32kDiag, but I am posting the log anyway.

#4 oldman960 (Forum God, Classroom Teacher, 14,755 posts)

Posted 03 October 2009 - 03:57 PM

Hi nffc86

It looks like Win32kDiag may have stalled. It did show us some things we will need to take care of.

We will run Win32kDiag a little differently; it will remove some things for us this time.

Click your Start button, click Run. Copy and paste the following line into the Run box and click OK.
"%userprofile%\desktop\win32kdiag.exe" -f -r

Please be patient and let the tool complete.

Next

Download and run a batch file (peek.bat):
  • Download peek.bat from the download link below and save it to your Desktop.
  • Download peek.bat
  • Double-click peek.bat to run it.
  • A black Command Prompt window will appear shortly: the program is running.
  • When it's finished, a log will be saved at C:\log.txt
  • Please post its contents in your next reply

Please post back with
  • Win32kDiag log
  • Log.txt

Thanks


#5 nffc86 (Authentic Member, 28 posts)

Posted 03 October 2009 - 04:48 PM

Here is the Win32kDiag txt:

    Running from: C:\Documents and Settings\Helen Melon\desktop\win32kdiag.exe
    Log file at : C:\Documents and Settings\Helen Melon\Desktop\Win32kDiag.txt

    Removing all found mount points.
    Attempting to reset file permissions.

    WARNING: Could not get backup privileges!

    Searching 'C:\WINDOWS'...

    Found mount point : C:\WINDOWS\$hf_mig$\KB890046\KB890046
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\$hf_mig$\KB890046\KB890046
    Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945
    Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281
    Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899
    Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213
    Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760
    Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496
    Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454
    Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
    Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729
    Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
    Found mount point : C:\WINDOWS\A3W_DATA\A3W_DATA
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\A3W_DATA\A3W_DATA
    Found mount point : C:\WINDOWS\addins\addins
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\addins\addins
    Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1E8.tmp\ZAP1E8.tmp
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1E8.tmp\ZAP1E8.tmp
    Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP23D.tmp\ZAP23D.tmp
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP23D.tmp\ZAP23D.tmp
    Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP32B.tmp\ZAP32B.tmp
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP32B.tmp\ZAP32B.tmp
    Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP354.tmp\ZAP354.tmp
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP354.tmp\ZAP354.tmp
    Found mount point : C:\WINDOWS\assembly\temp\temp
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\assembly\temp\temp
    Found mount point : C:\WINDOWS\assembly\tmp\tmp
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\assembly\tmp\tmp
    Found mount point : C:\WINDOWS\Config\Config
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\Config\Config
    Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
    Found mount point : C:\WINDOWS\Debug\UserMode\UserMode
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode
    Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz
    Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib
    Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave
    Found mount point : C:\WINDOWS\ime\chsime\applets\applets
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\ime\chsime\applets\applets
    Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
    Found mount point : C:\WINDOWS\ime\imejp\applets\applets
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\ime\imejp\applets\applets
    Found mount point : C:\WINDOWS\ime\imejp98\imejp98
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\ime\imejp98\imejp98
    Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
    Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
    Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
    Found mount point : C:\WINDOWS\ime\shared\res\res
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\ime\shared\res\res
    Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
    Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
    Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
    Found mount point : C:\WINDOWS\java\classes\classes
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\java\classes\classes
    Found mount point : C:\WINDOWS\java\trustlib\trustlib
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\java\trustlib\trustlib
    Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
    Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
    Found mount point : C:\WINDOWS\Minidump\Minidump
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\Minidump\Minidump
    Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo
    Found mount point : C:\WINDOWS\mui\mui
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\mui\mui
    Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
    Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
    Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
    Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
    Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
    Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
    Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
    Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\pchealth\helpctr\System\News\News
    Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
    Found mount point : C:\WINDOWS\PIF\PIF
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\PIF\PIF
    Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
    Found mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState
    Found mount point : C:\WINDOWS\security\logs\logs
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\security\logs\logs
    Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
    Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup
    Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup
    Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

    Cannot access: C:\WINDOWS\system32\eventlog.dll

    Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

    [1] 2008-04-14 01:11:53      56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
    [1] 2008-04-14 01:11:53      61952 C:\WINDOWS\system32\eventlog.dll ()
    [2] 2008-04-14 01:11:53      56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

    Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\AGBGP88U\AGBGP88U
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\AGBGP88U\AGBGP88U
    Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\OR2LLM8V\OR2LLM8V
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\OR2LLM8V\OR2LLM8V
    Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\Q197HNDE\Q197HNDE
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\Q197HNDE\Q197HNDE
    Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\U2TW1Q0D\U2TW1Q0D
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\U2TW1Q0D\U2TW1Q0D
    Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
    Mount point destination : \Device\__max++>\^
    Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

    Finished!

Here is the log.txt:

     Volume in drive C is VAIO
     Volume Serial Number is 54A5-8EF0

     Directory of C:\WINDOWS\ServicePackFiles\i386

    14/04/2008  01:12           181,248 scecli.dll
     Directory of C:\WINDOWS\ServicePackFiles\i386

    14/04/2008  01:12           407,040 netlogon.dll
     Directory of C:\WINDOWS\ServicePackFiles\i386

    14/04/2008  01:11            56,320 eventlog.dll
                   3 File(s)        644,608 bytes

     Directory of C:\WINDOWS\system32

    14/04/2008  01:12           181,248 scecli.dll
     Directory of C:\WINDOWS\system32

    14/04/2008  01:12           407,040 netlogon.dll
     Directory of C:\WINDOWS\system32

    14/04/2008  01:11            61,952 eventlog.dll
                   3 File(s)        650,240 bytes

         Total Files Listed:
                   6 File(s)      1,294,848 bytes
                   0 Dir(s)  11,803,160,576 bytes free
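The log.txt above is what makes the patched system file visible: eventlog.dll in system32 has the same timestamp as the Service Pack reference copy but a different size and no company string. As an added example (not code from this thread, peek.bat or the tools' authors), here is a small Python script that parses a dir-style listing in that format and flags every file whose live copy differs in size from its reference copy; the sample listing is constructed from the values in the post, and the directory names are assumptions matching the log.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the peek.bat log.txt posted in this thread
# (cmd.exe "dir" output, dd/mm/yyyy dates). Sizes match the post. Note that the
# timestamps are identical on both copies of eventlog.dll, so a date check alone
# would not reveal the altered file.
SAMPLE_LOG = r"""
 Volume in drive C is VAIO
 Volume Serial Number is 54A5-8EF0

 Directory of C:\WINDOWS\ServicePackFiles\i386

14/04/2008  01:12           181,248 scecli.dll
 Directory of C:\WINDOWS\ServicePackFiles\i386

14/04/2008  01:12           407,040 netlogon.dll
 Directory of C:\WINDOWS\ServicePackFiles\i386

14/04/2008  01:11            56,320 eventlog.dll
               3 File(s)        644,608 bytes

 Directory of C:\WINDOWS\system32

14/04/2008  01:12           181,248 scecli.dll
 Directory of C:\WINDOWS\system32

14/04/2008  01:12           407,040 netlogon.dll
 Directory of C:\WINDOWS\system32

14/04/2008  01:11            61,952 eventlog.dll
               3 File(s)        650,240 bytes
"""

# Assumed directory roles, taken from the log: the live copy lives in system32,
# the Service Pack cache holds the reference copy.
LIVE_DIR = r"C:\WINDOWS\system32"
REFERENCE_DIR = r"C:\WINDOWS\ServicePackFiles\i386"

DIR_RE = re.compile(r"^\s*Directory of (?P<dir>.+?)\s*$")
FILE_RE = re.compile(
    r"^\s*(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+)\s+(?P<name>\S+)\s*$"
)


def parse_dir_listing(text):
    """Return {directory: {filename: (size_bytes, timestamp)}} from dir-style output.

    Directory and file names are lower-cased so NTFS case differences
    (System32 vs system32) do not break the comparison. Summary lines such as
    "3 File(s) ..." do not match FILE_RE and are skipped.
    """
    listing = defaultdict(dict)
    current = None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group("dir").lower()
            continue
        m = FILE_RE.match(line)
        if m and current is not None:
            size = int(m.group("size").replace(",", ""))
            listing[current][m.group("name").lower()] = (size, f"{m['date']} {m['time']}")
    return dict(listing)


def triage(listing, live_dir=LIVE_DIR, reference_dir=REFERENCE_DIR):
    """Compare each live file against its reference copy; return {filename: verdict}.

    A size difference with an unchanged timestamp is the pattern in the thread:
    the modified eventlog.dll kept the original date, so only size (or, on a
    live machine, a hash) gives it away.
    """
    live = listing.get(live_dir.lower(), {})
    ref = listing.get(reference_dir.lower(), {})
    verdicts = {}
    for name, (size, stamp) in sorted(live.items()):
        if name not in ref:
            verdicts[name] = "no reference copy"
        elif size != ref[name][0]:
            note = " (timestamp preserved)" if stamp == ref[name][1] else ""
            verdicts[name] = f"SIZE MISMATCH {size} vs {ref[name][0]}{note}"
        else:
            verdicts[name] = "ok"
    return verdicts


def suspicious_files(listing, live_dir=LIVE_DIR, reference_dir=REFERENCE_DIR):
    """Names whose live copy does not match the reference size."""
    return [n for n, v in triage(listing, live_dir, reference_dir).items()
            if v.startswith("SIZE MISMATCH")]


if __name__ == "__main__":
    for name, verdict in triage(parse_dir_listing(SAMPLE_LOG)).items():
        print(f"{name:15} {verdict}")
```

On the sample listing only eventlog.dll is reported, with the note that its timestamp matches the reference copy.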

#6 oldman960 (Forum God, Classroom Teacher, 14,755 posts)

Posted 03 October 2009 - 05:13 PM

Hi nffc86,

Your system has been infected by one or more Rootkits/Backdoor Trojans.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

It's very possible that anything could have been installed on your computer by the remote attacker, including opening other backdoors and installing rootkits.

More information on Remote Access Trojans can be found here.

I strongly suggest you do the following immediately:
  • From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
I suggest you read:


I need you to make a batchfile.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE

    @echo off
    sc config eventlog start= disabled
    del %0

In Notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "fix.bat"
  • Click Save
It should look like this:

Double click on fix.bat & allow it to run.

It won't take long to run. There won't be a log or anything from it, you may see a black screen briefly flash on your screen.

Reboot your computer and proceed.

Please read through the instructions to familiarize yourself with what to expect when the tool runs.

It is vitally important that ComboFix is renamed before it even starts to download.


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    -Tools->Options->Main tab
    -Set to "Always ask me where to Save the files".
  • During the download, before you save it to your desktop, rename Combofix to jgh.exe

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------

  • Double click on the renamed ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with
  • combofix log
How is the computer?

Thanks

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation Posted Image
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Posted Image

Threads will be closed if no response after 5 days.

#7 nffc86 (Authentic Member, 28 posts)
Posted 03 October 2009 - 06:20 PM

ComboFix 09-10-01.05 - Helen Melon 04/10/2009 1:02.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1014.608 [GMT 1:00]
Running from: c:\documents and settings\Helen Melon\Desktop\jgh.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\ojyf.reg
c:\documents and settings\All Users\Application Data\upirumifug.inf
c:\documents and settings\ALLUSE~\Google
c:\documents and settings\Helen Melon\Application Data\jove.reg
c:\documents and settings\Helen Melon\Application Data\lizkavd.exe
c:\documents and settings\Helen Melon\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\Helen Melon\Application Data\vulebubume.inf
c:\documents and settings\Helen Melon\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\Helen Melon\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\Helen Melon\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
C:\p2hhr.bat
c:\program files\Common Files\ipojow.com
c:\recycler\S-1-5-21-2626753545-2741395014-3987291170-1003
c:\recycler\S-1-5-21-3610190352-1894798032-2927353088-1003
c:\recycler\S-1-5-21-4272118574-3248610337-857847958-1003
c:\windows\ahubynin.dl
c:\windows\cosohyqibu.pif
c:\windows\eravoky.ban
c:\windows\ibahehujuk._dl
c:\windows\Installer\1a1aca3.msp
c:\windows\Installer\6372cd.msp
c:\windows\Installer\b2aecc.msp
c:\windows\myxohece.bat
c:\windows\nuhy.dll
c:\windows\system32\drivers\SKYNETbqbuypib.sys
c:\windows\system32\drivers\UAChrxoirrslk.sys
c:\windows\system32\gazifunu.inf
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\nsprs.dll
c:\windows\system32\sdra64.exe
c:\windows\system32\serauth1.dll
c:\windows\system32\serauth2.dll
c:\windows\system32\SKYNETmlwapboe.dll
c:\windows\system32\SKYNETnnowxrsm.dll
c:\windows\system32\SKYNETrjoehelu.dat
c:\windows\system32\SKYNETwfvpijtv.dll
c:\windows\system32\SKYNETxmqsnswe.dat
c:\windows\system32\UAChoykrhvtnl.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\UACltyblwhdnq.dll
c:\windows\system32\UACqowyerbnep.dll
c:\windows\system32\UACrsbvpwmeta.log
c:\windows\system32\UACtqtyikfwfv.dll
c:\windows\system32\UACwrbilvkjsr.db
c:\windows\system32\UACypixmkmodm.dll
c:\windows\system32\wbem\proquota.exe
c:\windows\vixa.reg

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNEToppfakdv
-------\Legacy_SKYNEToppfakdv
-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))
.

2009-10-04 00:08 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-03 13:09 . 2009-10-03 13:09 -------- d-----w- c:\windows\ERUNT
2009-10-03 13:01 . 2009-10-03 13:09 -------- d-----w- C:\SDFix
2009-10-03 12:56 . 2009-10-03 12:56 -------- d-----w- C:\_OTM
2009-10-03 12:32 . 2009-10-03 12:32 293 ----a-w- C:\MGlogs.zip
2009-10-03 12:32 . 2009-10-03 12:32 -------- d-----w- C:\MGtools
2009-10-03 12:05 . 2009-10-03 12:05 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-03 02:26 . 2008-12-11 07:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-10-03 02:26 . 2009-08-24 13:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-10-03 02:26 . 2009-08-19 10:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-03 02:25 . 2009-10-03 02:29 -------- d-----w- c:\program files\Common Files\PC Tools
2009-10-03 02:25 . 2008-12-10 10:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-10-03 02:25 . 2009-10-03 02:29 -------- d-----w- c:\program files\Spyware Doctor
2009-10-03 02:25 . 2009-10-03 02:25 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\PC Tools
2009-10-03 02:25 . 2009-10-03 02:25 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-10-03 02:25 . 2009-10-03 02:49 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-03 02:00 . 2009-10-03 02:00 256 ----a-w- c:\windows\system32\nk.dat
2009-10-03 01:58 . 2009-10-03 01:58 45 ----a-w- c:\windows\system32\ca.dat
2009-10-03 01:50 . 2009-10-03 01:50 1 ----a-w- c:\windows\system32\xd.dat
2009-10-03 01:50 . 2009-10-03 01:50 1 ----a-w- c:\windows\system32\jc.dat
2009-10-03 01:50 . 2009-10-03 01:50 1 ----a-w- c:\windows\system32\idm.dat
2009-10-03 01:50 . 2009-10-03 01:50 1 ----a-w- c:\windows\system32\c2d.dat
2009-10-03 01:49 . 2009-10-03 01:49 46080 ----a-w- c:\windows\system32\nspr02.dll
2009-10-03 01:48 . 2009-10-03 01:48 -------- d-sh--w- c:\documents and settings\Helen Melon\PrivacIE
2009-10-03 01:48 . 2009-10-03 01:48 46080 ----a-w- c:\windows\system32\nspr01.dll
2009-10-03 01:39 . 2009-10-03 01:39 199868 ----a-w- C:\hufa.exe
2009-10-03 01:39 . 2009-10-03 01:39 19456 ----a-w- C:\erupquii.exe
2009-10-03 01:39 . 2009-10-03 01:39 5632 ----a-w- C:\efbcmkj.exe
2009-10-03 01:39 . 2009-10-03 01:39 45568 ----a-w- C:\oaksorc.exe
2009-10-03 00:48 . 2009-10-03 00:50 -------- d-----w- c:\program files\Wise Registry Cleaner
2009-10-03 00:42 . 2009-10-03 01:04 -------- d-----w- c:\program files\Wise Disk Cleaner
2009-09-28 23:26 . 2009-10-03 01:29 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\vlc
2009-09-28 23:24 . 2009-09-28 23:24 -------- d-----w- c:\program files\VideoLAN
2009-09-25 21:56 . 2009-09-25 21:56 11264 ----a-w- c:\windows\system32\lpomf.dll
2009-09-19 23:31 . 2009-09-19 23:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2009-09-19 19:10 . 2009-09-19 19:10 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-19 19:08 . 2009-10-03 14:21 0 ----a-w- c:\windows\win32k.sys
2009-09-19 01:30 . 2009-09-19 01:30 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-09-19 01:21 . 2009-09-19 01:21 1 ----a-w- c:\windows\system32\q1.dat
2009-09-19 01:03 . 2009-09-19 01:08 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\Spotify
2009-09-19 01:03 . 2009-09-19 01:04 -------- d-----w- c:\documents and settings\Helen Melon\Local Settings\Application Data\Spotify
2009-09-19 01:03 . 2009-09-19 01:03 -------- d-----w- c:\program files\Spotify
2009-09-16 23:19 . 2009-09-19 00:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-15 22:45 . 2009-09-15 22:45 44032 ----a-w- c:\windows\system32\yxhl0.dll
2009-09-11 00:46 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-04 00:09 . 2007-07-09 17:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-10-03 12:57 . 2009-08-16 16:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-03 12:39 . 2009-08-14 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-03 01:49 . 2009-10-03 01:49 16609 ----a-w- c:\documents and settings\Helen Melon\Application Data\howyreqyce.dat
2009-10-03 01:49 . 2009-10-03 01:49 17136 ----a-w- c:\program files\Common Files\cuhupodi.lib
2009-10-03 01:07 . 2006-02-22 18:21 -------- d-----w- c:\program files\Java
2009-09-27 23:36 . 2009-08-14 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-26 19:08 . 2006-07-30 14:02 49544 ----a-w- c:\documents and settings\Helen Melon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-26 19:08 . 2008-01-22 20:41 -------- d-----w- c:\program files\Windows Live
2009-09-12 17:53 . 2009-01-06 00:29 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-10 13:54 . 2009-08-16 16:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 13:53 . 2009-08-16 16:51 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-26 00:27 . 2007-11-17 16:45 -------- d-----w- c:\program files\DivX
2009-08-26 00:26 . 2009-08-26 00:26 4780600 ----a-w- C:\DivXWebPlayerInstaller.exe
2009-08-23 14:45 . 2008-12-25 00:07 -------- d-----w- c:\program files\Kontiki
2009-08-23 13:59 . 2009-08-23 13:59 267152 ----a-w- C:\zaSetup_en.exe
2009-08-22 16:14 . 2009-08-22 16:14 -------- d-----w- c:\program files\MSBuild
2009-08-22 16:13 . 2009-08-22 16:13 -------- d-----w- c:\program files\Reference Assemblies
2009-08-22 16:07 . 2009-08-22 16:07 -------- d-----w- c:\program files\MSXML 6.0
2009-08-17 00:15 . 2009-08-17 00:15 1144168 ----a-w- C:\wlsetup-custom.exe
2009-08-16 18:45 . 2009-08-16 18:45 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\Malwarebytes
2009-08-16 17:01 . 2009-08-16 17:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-16 17:01 . 2009-08-16 16:59 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-16 16:59 . 2009-08-16 16:59 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\SUPERAntiSpyware.com
2009-08-16 16:59 . 2007-08-20 14:38 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-16 16:59 . 2009-08-16 16:57 6881824 ----a-w- C:\SAS.exe
2009-08-16 16:54 . 2009-08-16 16:54 1343913 ----a-w- C:\MGtools.exe
2009-08-16 16:54 . 2009-08-16 16:54 464491 ----a-w- C:\RootRepeal.zip
2009-08-16 16:51 . 2009-08-16 16:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-16 16:30 . 2009-08-16 16:30 -------- d-----w- c:\program files\CCleaner
2009-08-16 16:28 . 2009-08-16 16:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-15 00:26 . 2009-08-15 00:25 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-15 00:25 . 2009-08-15 00:25 -------- d-----w- c:\program files\Lavasoft
2009-08-14 23:53 . 2009-08-14 23:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-14 05:58 . 2009-10-03 02:26 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-14 00:14 . 2009-08-14 00:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-14 00:14 . 2009-08-14 00:14 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-14 00:14 . 2009-08-14 00:14 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-14 00:14 . 2007-08-20 14:22 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-14 00:14 . 2009-08-14 00:14 -------- d-----w- c:\program files\AVG
2009-08-14 00:10 . 2009-08-14 00:10 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\AVG8
2009-08-05 09:01 . 2006-02-22 03:32 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-26 15:44 . 2009-07-26 15:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2009-07-17 19:01 . 2006-02-22 03:32 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2006-02-22 03:33 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C2CEB3AB-FEEC-45F5-8ADE-B2C33A60D85D}]
2009-10-03 01:49 46080 ----a-w- c:\windows\system32\nspr02.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-10 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\773dd7e9-39a0-43e3-ace2-d4d35dc916eb.exe" [2009-08-05 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-05 282624]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-05 180269]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 45056]
"PDService.exe"="c:\program files\Utimaco\SafeGuard PrivateDisk\pdservice.exe" [2004-07-06 40960]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-11 151552]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-10-19 184320]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-07 114688]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-14 2007832]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-06-29 14720000]
"Mouse Suite 98 Daemon"="ICO.EXE" - c:\windows\system32\ico.exe [2002-03-14 45056]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-14 00:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-20 17:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [15/08/2009 01:26 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [03/10/2009 03:26 206256]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [14/08/2009 01:14 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [14/08/2009 01:14 108552]
R1 PrivateDisk;PrivateDisk;c:\windows\system32\drivers\privatediskm.sys [06/07/2004 15:07 45627]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/08/2009 16:06 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/08/2009 16:06 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [14/08/2009 01:14 297752]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [14/08/2009 01:14 908056]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 15:49 1028432]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\HELENM~1\LOCALS~1\Temp\DMSKSSRh.sys --> c:\docume~1\HELENM~1\LOCALS~1\Temp\DMSKSSRh.sys [?]
S3 P1001VID;Creative WebCam (WDM);c:\windows\system32\drivers\P1001Vid.sys [02/08/2006 14:09 395224]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/08/2009 16:06 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [03/10/2009 03:25 348824]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{69504635-DE84-4739-8D13-2B5C5616807F}]
rundll32 nspr02.dll,laspi
.
Contents of the 'Scheduled Tasks' folder

2009-10-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 00:26]

2009-10-03 c:\windows\Tasks\Wise Registry Cleaner 4.job
- c:\program files\Wise Registry Cleaner\WiseRegistryCleaner.exe [2009-10-03 12:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.club-vaio.com/en/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
LSP: lpomf.dll
Trusted Zone: sony-europe.com
Trusted Zone: sonystyle-europe.com
Trusted Zone: vaio-link.com
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\Helen Melon\Application Data\Mozilla\Firefox\Profiles\964kqff7.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-04 01:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9c,f3,9f,ef,fd,77,c2,4b,92,c1,80,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9c,f3,9f,ef,fd,77,c2,4b,92,c1,80,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'lsass.exe'(740)
c:\windows\system32\lpomf.dll

- - - - - - - > 'explorer.exe'(1392)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASSEH.DLL
c:\windows\system32\ieframe.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Kontiki\KService.exe
c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Apoint\ApntEx.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-10-04 1:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-04 00:17

Pre-Run: 11,674,963,968 bytes free
Post-Run: 11,817,783,296 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

361 --- E O F --- 2009-09-13 02:01
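The ComboFix log above is read by the helper mostly by eye: a burst of oddly named .dat files appearing in system32 within the same minute, executables sitting in the root of C:\, a zero-byte win32k.sys in c:\windows rather than system32, and a kernel driver (DMSKSSRh) whose image lives under a Temp directory and which ComboFix could not find ([?]). The following Python script is an added example, not part of this thread or of ComboFix, that applies those same checks mechanically to the "Files Created" and driver/service line formats ComboFix produces. The heuristics and thresholds are the example's own assumptions; the sample lines are copied from the log in post #7 (plus one benign directory entry) and are labelled as constructed input.

```python
import re
from collections import Counter

# Constructed sample input: lines copied from the ComboFix log in this thread, plus one benign entry.
SAMPLE_FILES = r"""
2009-10-04 00:08 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-03 02:00 . 2009-10-03 02:00 256 ----a-w- c:\windows\system32\nk.dat
2009-10-03 01:50 . 2009-10-03 01:50 1 ----a-w- c:\windows\system32\xd.dat
2009-10-03 01:50 . 2009-10-03 01:50 1 ----a-w- c:\windows\system32\jc.dat
2009-10-03 01:50 . 2009-10-03 01:50 1 ----a-w- c:\windows\system32\idm.dat
2009-10-03 01:50 . 2009-10-03 01:50 1 ----a-w- c:\windows\system32\c2d.dat
2009-10-03 01:49 . 2009-10-03 01:49 46080 ----a-w- c:\windows\system32\nspr02.dll
2009-10-03 01:39 . 2009-10-03 01:39 199868 ----a-w- C:\hufa.exe
2009-09-19 19:08 . 2009-10-03 14:21 0 ----a-w- c:\windows\win32k.sys
2009-09-28 23:24 . 2009-09-28 23:24 -------- d-----w- c:\program files\VideoLAN
"""

SAMPLE_SERVICES = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [15/08/2009 01:26 64160]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\HELENM~1\LOCALS~1\Temp\DMSKSSRh.sys --> c:\docume~1\HELENM~1\LOCALS~1\Temp\DMSKSSRh.sys [?]
S3 P1001VID;Creative WebCam (WDM);c:\windows\system32\drivers\P1001Vid.sys [02/08/2006 14:09 395224]
"""

# "created . modified size attrs path"; directories carry "--------" in the size column.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$")
# "R0 name;description;image path [date time size]" (or "[?]" when the file was not found).
SVC_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.+)$")
EXEC_EXT = (".exe", ".dll", ".sys", ".com", ".pif", ".bat", ".scr")


def parse_files(text):
    """Parse 'Files Created' lines into dicts; size is None for directories."""
    rows = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["size"] = None if d["size"].startswith("-") else int(d["size"])
        d["path"] = d["path"].lower()
        rows.append(d)
    return rows


def triage_files(text, burst_threshold=3):
    """Return {path: [reasons]} for file entries worth a second look (heuristics are assumptions)."""
    rows = parse_files(text)
    # Droppers tend to write several files in the same minute under c:\windows.
    bursts = Counter(r["created"] for r in rows
                     if r["size"] is not None and r["path"].startswith(r"c:\windows"))
    findings = {}
    for r in rows:
        p, size = r["path"], r["size"]
        if size is None:
            continue  # directory entry
        parent, name = p.rsplit("\\", 1)
        reasons = []
        if parent == "c:" and name.endswith(EXEC_EXT):
            reasons.append("executable dropped in drive root")
        if parent == r"c:\windows" and name == "win32k.sys":
            reasons.append("win32k.sys outside system32 (the real one lives in system32)")
        if size <= 1 and p.startswith(r"c:\windows"):
            reasons.append("near-empty file in Windows tree")
        if p.startswith(r"c:\windows") and bursts[r["created"]] >= burst_threshold:
            reasons.append(f"created in burst of {bursts[r['created']]} files at {r['created']}")
        if reasons:
            findings[p] = reasons
    return findings


def triage_services(text):
    """Return {service name: [reasons]} for driver/service lines with a risky image path."""
    findings = {}
    for line in text.splitlines():
        m = SVC_RE.match(line.strip())
        if not m:
            continue
        rest = m["rest"].lower()
        reasons = []
        if "\\temp\\" in rest:
            reasons.append("driver/service image under a Temp directory")
        if rest.endswith("[?]"):
            reasons.append("no file details recorded ([?]): image missing or hidden")
        if reasons:
            findings[m["name"]] = reasons
    return findings


if __name__ == "__main__":
    for path, why in triage_files(SAMPLE_FILES).items():
        print(path, "->", "; ".join(why))
    for svc, why in triage_services(SAMPLE_SERVICES).items():
        print(svc, "->", "; ".join(why))
```

Note what these checks do not catch: nk.dat and nspr02.dll in system32 are flagged by nothing here, even though the later VirSCAN result identifies nspr02.dll as malicious. That is why the helper's next step collects the files for analysis rather than trusting the listing alone.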

#8 nffc86 (Authentic Member, 28 posts)
Posted 03 October 2009 - 06:23 PM

I am still having problems with AVG not letting me run a scan, and my other anti-spyware still refuses to work and/or says I do not have permissions to run them.

Edited by nffc86, 03 October 2009 - 06:25 PM.


#9 oldman960 (Forum God, Classroom Teacher, 14,755 posts)
Posted 03 October 2009 - 10:34 PM

Hi nffc86,

Let's clear up the rest of this then work on the permissions.

We need some file information
  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path, one at a time into the "Suspicious files to scan" box on the top of the page:

    c:\windows\system32\nspr02.dll
    c:\windows\system32\nspr01.dll

  • Please ensure the scan has completed and the results are saved before submitting the next one.
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

We will be using Combofix again but will run it differently.

Please read through these instructions to familiarize yourself with what to expect when this tool runs


Please follow all previous instructions regarding security programs.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all of the text in the code box below into the Notepad, (including the URL). Do Not copy the word CODE

http://forums.whatthetech.com/Can_t_run_anti_spyware_rogue_infection_t107359.html&pid=600555#entry600555

Collect::[4]
c:\windows\system32\nk.dat
c:\windows\system32\ca.dat
c:\windows\system32\xd.dat
c:\windows\system32\jc.dat
c:\windows\system32\idm.dat
c:\windows\system32\c2d.dat
C:\hufa.exe
C:\erupquii.exe
C:\efbcmkj.exe
C:\oaksorc.exe
c:\windows\system32\lpomf.dll
c:\windows\win32k.sys
c:\windows\system32\q1.dat
c:\windows\system32\yxhl0.dll
c:\documents and settings\Helen Melon\Application Data\howyreqyce.dat
c:\program files\Common Files\cuhupodi.lib
c:\windows\system32\nspr01.dll
c:\windows\system32\nspr02.dll

DirLook::
c:\documents and settings\Helen Melon\PrivacIE

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C2CEB3AB-FEEC-45F5-8ADE-B2C33A60D85D}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{69504635-DE84-4739-8D13-2B5C5616807F}]

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  • Click save
Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browser/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Posted Image

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Let's see what we may have to reset permissions on

  • Right click the attached file user.zip
  • Select Save target as
  • Set the Save in box to Desktop
Attached file: user.zip (45.33 KB)

  • Extract the files to your desktop
  • Locate run.bat and double click it to run it
  • Please be patient and let it run
  • When it's finished, a log will be saved at C:\junction.txt
  • Please post its contents in your next reply

Please post back with
  • VirScan results
  • combofix log
  • junction.txt
Thanks


#10 nffc86 (Authentic Member, 28 posts)
Posted 04 October 2009 - 08:49 AM

VirSCAN.org Scanned Report :
Scanned time : 2009/10/04 15:11:54 (BST)
Scanner results: 27% Scanner(10/37) found malware!
File Name : nspr02.dll
File Size : 46080 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi
MD5 : efd59b047ce5b6590ce2d666c7fa0527
SHA1 : 7b684c2484f6bd7fdc5ecf2e3d6774df58f441cf
Online report : http://virscan.org/r...a385d3dedb.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091004083115 2009-10-04 4.12 Trojan-Downloader.Win32.BHO!IK
AhnLab V3 2009.10.04.00 2009.10.04 2009-10-04 0.81 -
AntiVir 8.2.1.33 7.1.6.68 2009-10-02 0.46 TR/Ambler.J
Antiy 2.0.18 20091003.2955253 2009-10-03 0.02 -
Arcavir 2009 200910020826 2009-10-02 0.07 -
Authentium 5.1.1 200910031310 2009-10-03 1.19 -
AVAST! 4.7.4 091003-0 2009-10-03 0.01 -
AVG 8.5.288 270.14.3/2413 2009-10-04 0.56 -
BitDefender 7.81008.4313294 7.28072 2009-10-04 3.69 Trojan.Generic.2499596
CA (VET) 9.0.0.143 31.6.6773 2009-10-03 14.46 -
ClamAV 0.95.2 9865 2009-10-03 0.05 -
Comodo 3.11 2511 2009-10-04 0.83 -
CP Secure 1.3.0.5 2009.09.30 2009-09-30 0.12 -
Dr.Web 4.44.0.9170 2009.10.04 2009-10-04 5.55 Trojan.PWS.Banker.31065
F-Prot 4.4.4.56 20091003 2009-10-03 1.17 W32/Ambler.C.gen!Eldorado (generic, not disinfectable)
F-Secure 7.02.73807 2009.10.03.02 2009-10-03 8.65 Trojan-Spy:W32/Ambler.gen!A [FSE]
Fortinet 2.81-3.120 10.904 2009-10-04 0.19 PossibleThreat
GData 19.8212/19.498 20091004 2009-10-04 7.93 -
ViRobot 20091002 2009.10.02 2009-10-02 0.44 -
Ikarus T3.1.01.72 2009.10.04.73928 2009-10-04 4.25 Trojan-Downloader.Win32.BHO
JiangMin 11.0.800 2009.10.04 2009-10-04 8.88 -
Kaspersky 5.5.10 2009.10.04 2009-10-04 0.18 -
KingSoft 2009.2.5.15 2009.10.4.19 2009-10-04 0.70 -
McAfee 5.3.00 5760 2009-10-03 3.46 -
Microsoft 1.5101 2009.10.04 2009-10-04 9.27 TrojanSpy:Win32/Ambler.J
Norman 6.01.09 6.01.00 2009-09-16 1.93 -
Panda 9.05.01 2009.10.04 2009-10-04 3.48 -
Trend Micro 8.700-1004 6.504.02 2009-10-04 0.05 -
Quick Heal 10.00 2009.10.03 2009-10-03 1.58 -
Rising 20.0 21.49.22.00 2009-09-30 1.32 -
Sophos 2.90.1 4.45 2009-10-04 3.59 Mal/Ambler-B
Sunbelt 5427 5427 2009-10-02 6.30 -
Symantec 1.3.0.24 20091003.004 2009-10-03 0.53 -
nProtect 20090930.01 5696930 2009-09-30 15.69 -
The Hacker 6.5.0.2 v00028 2009-10-03 1.26 -
VBA32 3.12.10.11 20091003.1357 2009-10-03 2.12 -
VirusBuster 4.5.11.10 10.112.57/1940742 2009-10-03 2.77 -





ComboFix 09-10-01.05 - Helen Melon 04/10/2009 15:29.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1014.525 [GMT 1:00]
Running from: c:\documents and settings\Helen Melon\Desktop\jgh.exe
Command switches used :: c:\documents and settings\Helen Melon\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

file zipped: c:\documents and settings\Helen Melon\Application Data\howyreqyce.dat
file zipped: C:\efbcmkj.exe
file zipped: C:\erupquii.exe
file zipped: C:\hufa.exe
file zipped: C:\oaksorc.exe
file zipped: c:\program files\Common Files\cuhupodi.lib
file zipped: c:\windows\system32\c2d.dat
file zipped: c:\windows\system32\ca.dat
file zipped: c:\windows\system32\idm.dat
file zipped: c:\windows\system32\jc.dat
file zipped: c:\windows\system32\lpomf.dll
file zipped: c:\windows\system32\nk.dat
file zipped: c:\windows\system32\nspr01.dll
file zipped: c:\windows\system32\nspr02.dll
file zipped: c:\windows\system32\q1.dat
file zipped: c:\windows\system32\xd.dat
file zipped: c:\windows\system32\yxhl0.dll
file zipped: c:\windows\win32k.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Helen Melon\Application Data\howyreqyce.dat
C:\efbcmkj.exe
C:\erupquii.exe
C:\hufa.exe
C:\oaksorc.exe
c:\program files\Common Files\cuhupodi.lib
c:\windows\system32\c2d.dat
c:\windows\system32\ca.dat
c:\windows\system32\idm.dat
c:\windows\system32\jc.dat
c:\windows\system32\lpomf.dll
c:\windows\system32\nk.dat
c:\windows\system32\nspr01.dll
c:\windows\system32\nspr02.dll
c:\windows\system32\q1.dat
c:\windows\system32\xd.dat
c:\windows\system32\yxhl0.dll
c:\windows\win32k.sys

.
((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))
.

2009-10-04 00:08 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-03 13:09 . 2009-10-03 13:09 -------- d-----w- c:\windows\ERUNT
2009-10-03 13:01 . 2009-10-03 13:09 -------- d-----w- C:\SDFix
2009-10-03 12:56 . 2009-10-03 12:56 -------- d-----w- C:\_OTM
2009-10-03 12:32 . 2009-10-03 12:32 293 ----a-w- C:\MGlogs.zip
2009-10-03 12:32 . 2009-10-03 12:32 -------- d-----w- C:\MGtools
2009-10-03 12:05 . 2009-10-03 12:05 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-03 02:26 . 2008-12-11 07:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-10-03 02:26 . 2009-08-24 13:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-10-03 02:26 . 2009-08-19 10:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-03 02:25 . 2009-10-03 02:29 -------- d-----w- c:\program files\Common Files\PC Tools
2009-10-03 02:25 . 2008-12-10 10:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-10-03 02:25 . 2009-10-03 02:29 -------- d-----w- c:\program files\Spyware Doctor
2009-10-03 02:25 . 2009-10-03 02:25 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\PC Tools
2009-10-03 02:25 . 2009-10-03 02:25 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-10-03 02:25 . 2009-10-03 02:49 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-03 01:48 . 2009-10-03 01:48 -------- d-sh--w- c:\documents and settings\Helen Melon\PrivacIE
2009-10-03 00:48 . 2009-10-03 00:50 -------- d-----w- c:\program files\Wise Registry Cleaner
2009-10-03 00:42 . 2009-10-03 01:04 -------- d-----w- c:\program files\Wise Disk Cleaner
2009-09-28 23:26 . 2009-10-03 01:29 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\vlc
2009-09-28 23:24 . 2009-09-28 23:24 -------- d-----w- c:\program files\VideoLAN
2009-09-19 23:31 . 2009-09-19 23:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2009-09-19 19:10 . 2009-09-19 19:10 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-19 01:30 . 2009-09-19 01:30 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-09-19 01:03 . 2009-09-19 01:08 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\Spotify
2009-09-19 01:03 . 2009-09-19 01:04 -------- d-----w- c:\documents and settings\Helen Melon\Local Settings\Application Data\Spotify
2009-09-19 01:03 . 2009-09-19 01:03 -------- d-----w- c:\program files\Spotify
2009-09-16 23:19 . 2009-09-19 00:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-11 00:46 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-04 14:35 . 2007-07-09 17:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-10-03 12:57 . 2009-08-16 16:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-03 12:39 . 2009-08-14 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-03 01:07 . 2006-02-22 18:21 -------- d-----w- c:\program files\Java
2009-09-27 23:36 . 2009-08-14 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-26 19:08 . 2006-07-30 14:02 49544 ----a-w- c:\documents and settings\Helen Melon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-26 19:08 . 2008-01-22 20:41 -------- d-----w- c:\program files\Windows Live
2009-09-12 17:53 . 2009-01-06 00:29 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-10 13:54 . 2009-08-16 16:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 13:53 . 2009-08-16 16:51 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-26 00:27 . 2007-11-17 16:45 -------- d-----w- c:\program files\DivX
2009-08-26 00:26 . 2009-08-26 00:26 4780600 ----a-w- C:\DivXWebPlayerInstaller.exe
2009-08-23 14:45 . 2008-12-25 00:07 -------- d-----w- c:\program files\Kontiki
2009-08-23 13:59 . 2009-08-23 13:59 267152 ----a-w- C:\zaSetup_en.exe
2009-08-22 16:14 . 2009-08-22 16:14 -------- d-----w- c:\program files\MSBuild
2009-08-22 16:13 . 2009-08-22 16:13 -------- d-----w- c:\program files\Reference Assemblies
2009-08-22 16:07 . 2009-08-22 16:07 -------- d-----w- c:\program files\MSXML 6.0
2009-08-17 00:15 . 2009-08-17 00:15 1144168 ----a-w- C:\wlsetup-custom.exe
2009-08-16 18:45 . 2009-08-16 18:45 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\Malwarebytes
2009-08-16 17:01 . 2009-08-16 17:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-16 17:01 . 2009-08-16 16:59 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-16 16:59 . 2009-08-16 16:59 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\SUPERAntiSpyware.com
2009-08-16 16:59 . 2007-08-20 14:38 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-16 16:59 . 2009-08-16 16:57 6881824 ----a-w- C:\SAS.exe
2009-08-16 16:54 . 2009-08-16 16:54 1343913 ----a-w- C:\MGtools.exe
2009-08-16 16:54 . 2009-08-16 16:54 464491 ----a-w- C:\RootRepeal.zip
2009-08-16 16:51 . 2009-08-16 16:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-16 16:30 . 2009-08-16 16:30 -------- d-----w- c:\program files\CCleaner
2009-08-16 16:28 . 2009-08-16 16:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-15 00:26 . 2009-08-15 00:25 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-15 00:25 . 2009-08-15 00:25 -------- d-----w- c:\program files\Lavasoft
2009-08-14 23:53 . 2009-08-14 23:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-14 05:58 . 2009-10-03 02:26 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-14 00:14 . 2009-08-14 00:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-14 00:14 . 2009-08-14 00:14 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-14 00:14 . 2009-08-14 00:14 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-14 00:14 . 2007-08-20 14:22 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-14 00:14 . 2009-08-14 00:14 -------- d-----w- c:\program files\AVG
2009-08-14 00:10 . 2009-08-14 00:10 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\AVG8
2009-08-05 09:01 . 2006-02-22 03:32 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-26 15:44 . 2009-07-26 15:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2009-07-17 19:01 . 2006-02-22 03:32 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2006-02-22 03:33 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Helen Melon\PrivacIE ----

2009-10-03 01:48 . 2009-10-03 01:57 32768 --sha-w- c:\documents and settings\Helen Melon\PrivacIE\index.dat


((((((((((((((((((((((((((((( SnapShot@2009-10-04_00.11.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-04 14:37 . 2009-10-04 14:37 16384 c:\windows\Temp\Perflib_Perfdata_7ec.dat
+ 2009-10-04 14:37 . 2009-10-04 14:37 16384 c:\windows\Temp\Perflib_Perfdata_7bc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-10 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\773dd7e9-39a0-43e3-ace2-d4d35dc916eb.exe" [2009-08-05 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-05 282624]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-05 180269]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 45056]
"PDService.exe"="c:\program files\Utimaco\SafeGuard PrivateDisk\pdservice.exe" [2004-07-06 40960]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-11 151552]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-10-19 184320]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-07 114688]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-14 2007832]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-06-29 14720000]
"Mouse Suite 98 Daemon"="ICO.EXE" - c:\windows\system32\ico.exe [2002-03-14 45056]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-14 00:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-20 17:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [15/08/2009 01:26 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [03/10/2009 03:26 206256]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [14/08/2009 01:14 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [14/08/2009 01:14 108552]
R1 PrivateDisk;PrivateDisk;c:\windows\system32\drivers\privatediskm.sys [06/07/2004 15:07 45627]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/08/2009 16:06 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/08/2009 16:06 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [14/08/2009 01:14 297752]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [14/08/2009 01:14 908056]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 15:49 1028432]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\HELENM~1\LOCALS~1\Temp\DMSKSSRh.sys --> c:\docume~1\HELENM~1\LOCALS~1\Temp\DMSKSSRh.sys [?]
S3 P1001VID;Creative WebCam (WDM);c:\windows\system32\drivers\P1001Vid.sys [02/08/2006 14:09 395224]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/08/2009 16:06 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [03/10/2009 03:25 348824]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 00:26]

2009-10-03 c:\windows\Tasks\Wise Registry Cleaner 4.job
- c:\program files\Wise Registry Cleaner\WiseRegistryCleaner.exe [2009-10-03 12:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.club-vaio.com/en/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: sony-europe.com
Trusted Zone: sonystyle-europe.com
Trusted Zone: vaio-link.com
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\Helen Melon\Application Data\Mozilla\Firefox\Profiles\964kqff7.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{A249BC15-23F2-42AD-F4E4-00AAC39C0004} - (no file)
BHO-{C2CEB3AB-FEEC-45F5-8ADE-B2C33A60D85D} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-04 15:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'explorer.exe'(4032)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Kontiki\KService.exe
c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Apoint\ApntEx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-10-04 15:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-04 14:43
ComboFix2.txt 2009-10-04 00:17

Pre-Run: 11,775,537,152 bytes free
Post-Run: 11,734,605,824 bytes free

304 --- E O F --- 2009-09-13 02:01

Junction v1.05 - Windows junction creator and reparse point viewer
Copyright © 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


...

...

...

...

...

...

...

...

...

...

...

..
Failed to open \\?\c:\\Program Files\AVG\AVG8\avgcsrvx.exe: Access is denied.


.

...

...

...


Failed to open \\?\c:\\Program Files\Lavasoft\Ad-Aware\AAWService.exe: Access is denied.


..
Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.


.

...

...

...

...

...

...

...
Failed to open \\?\c:\\Program Files\SUPERAntiSpyware\773dd7e9-39a0-43e3-ace2-d4d35dc916eb.exe: Access is denied.



Failed to open \\?\c:\\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe: Access is denied.




...

.
Failed to open \\?\c:\\System Volume Information\MountPointManagerRemoteDatabase: Access is denied.


..

...

..\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

.

...

...

...

...

...

...

...

...

...

...

...

...

...

#11 nffc86 (Authentic Member, 28 posts)

Posted 04 October 2009 - 08:53 AM

Please note, when I tried to put the second one of the two into VirScan, it told me I had already submitted it on a user and didn't let me rescan. I double-checked to make sure I had put the right one into upload, and I had done it correctly.

#12 oldman960 (Forum God, Classroom Teacher, 14,755 posts)

Posted 04 October 2009 - 10:16 AM

Hi nffc86,

That's ok, we got the information we needed.

Before we reset the permissions, there is one file that needs to be removed.

We'll use a CFScript similar to last time.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In Notepad, click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into Notepad. Do not copy the word CODE.

File::
c:\Program Files\SUPERAntiSpyware\773dd7e9-39a0-43e3-ace2-d4d35dc916eb.exe

In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  • Click save

Using your left mouse button, drag the new file CFScript.txt and drop it on the ComboFix.exe icon.

Next

Please visit this site and follow the instructions for uploading the [4]-Submit_2009-xx-xx@xx.xx.zip file.

The x's are a date and time stamp. Use the browse button to navigate to

C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip


Next, in Windows Explorer, navigate to this folder C:\Qoobox

In the right-hand panel, please locate the file Add-Remove Programs.txt.
Please post the contents of that file.

Please post back with:
  • ComboFix log
  • Add-Remove Programs list
Thanks

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Threads will be closed if no response after 5 days.

#13 nffc86 (Authentic Member, 28 posts)

Posted 04 October 2009 - 10:47 AM

ComboFix 09-10-01.05 - Helen Melon 04/10/2009 17:31.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1014.498 [GMT 1:00]
Running from: c:\documents and settings\Helen Melon\Desktop\jgh.exe
Command switches used :: c:\documents and settings\Helen Melon\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FILE ::
"c:\program files\SUPERAntiSpyware\773dd7e9-39a0-43e3-ace2-d4d35dc916eb.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\SUPERAntiSpyware\773dd7e9-39a0-43e3-ace2-d4d35dc916eb.exe

.
((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))
.

2009-10-04 00:08 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-03 13:09 . 2009-10-03 13:09 -------- d-----w- c:\windows\ERUNT
2009-10-03 13:01 . 2009-10-03 13:09 -------- d-----w- C:\SDFix
2009-10-03 12:56 . 2009-10-03 12:56 -------- d-----w- C:\_OTM
2009-10-03 12:32 . 2009-10-03 12:32 293 ----a-w- C:\MGlogs.zip
2009-10-03 12:32 . 2009-10-03 12:32 -------- d-----w- C:\MGtools
2009-10-03 12:05 . 2009-10-03 12:05 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-03 02:26 . 2008-12-11 07:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-10-03 02:26 . 2009-08-24 13:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-10-03 02:26 . 2009-08-19 10:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-03 02:25 . 2009-10-03 02:29 -------- d-----w- c:\program files\Common Files\PC Tools
2009-10-03 02:25 . 2008-12-10 10:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-10-03 02:25 . 2009-10-03 02:29 -------- d-----w- c:\program files\Spyware Doctor
2009-10-03 02:25 . 2009-10-03 02:25 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\PC Tools
2009-10-03 02:25 . 2009-10-03 02:25 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-10-03 02:25 . 2009-10-03 02:49 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-03 01:48 . 2009-10-03 01:48 -------- d-sh--w- c:\documents and settings\Helen Melon\PrivacIE
2009-10-03 00:48 . 2009-10-03 00:50 -------- d-----w- c:\program files\Wise Registry Cleaner
2009-10-03 00:42 . 2009-10-03 01:04 -------- d-----w- c:\program files\Wise Disk Cleaner
2009-09-28 23:26 . 2009-10-03 01:29 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\vlc
2009-09-28 23:24 . 2009-09-28 23:24 -------- d-----w- c:\program files\VideoLAN
2009-09-19 23:31 . 2009-09-19 23:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2009-09-19 19:10 . 2009-09-19 19:10 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-19 01:30 . 2009-09-19 01:30 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-09-19 01:03 . 2009-09-19 01:08 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\Spotify
2009-09-19 01:03 . 2009-09-19 01:04 -------- d-----w- c:\documents and settings\Helen Melon\Local Settings\Application Data\Spotify
2009-09-19 01:03 . 2009-09-19 01:03 -------- d-----w- c:\program files\Spotify
2009-09-16 23:19 . 2009-09-19 00:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-11 00:46 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-04 16:36 . 2009-08-16 16:59 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-04 16:36 . 2007-07-09 17:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-10-03 12:57 . 2009-08-16 16:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-03 12:39 . 2009-08-14 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-03 01:07 . 2006-02-22 18:21 -------- d-----w- c:\program files\Java
2009-09-27 23:36 . 2009-08-14 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-26 19:08 . 2006-07-30 14:02 49544 ----a-w- c:\documents and settings\Helen Melon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-26 19:08 . 2008-01-22 20:41 -------- d-----w- c:\program files\Windows Live
2009-09-12 17:53 . 2009-01-06 00:29 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-10 13:54 . 2009-08-16 16:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 13:53 . 2009-08-16 16:51 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-26 00:27 . 2007-11-17 16:45 -------- d-----w- c:\program files\DivX
2009-08-26 00:26 . 2009-08-26 00:26 4780600 ----a-w- C:\DivXWebPlayerInstaller.exe
2009-08-23 14:45 . 2008-12-25 00:07 -------- d-----w- c:\program files\Kontiki
2009-08-23 13:59 . 2009-08-23 13:59 267152 ----a-w- C:\zaSetup_en.exe
2009-08-22 16:14 . 2009-08-22 16:14 -------- d-----w- c:\program files\MSBuild
2009-08-22 16:13 . 2009-08-22 16:13 -------- d-----w- c:\program files\Reference Assemblies
2009-08-22 16:07 . 2009-08-22 16:07 -------- d-----w- c:\program files\MSXML 6.0
2009-08-17 00:15 . 2009-08-17 00:15 1144168 ----a-w- C:\wlsetup-custom.exe
2009-08-16 18:45 . 2009-08-16 18:45 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\Malwarebytes
2009-08-16 17:01 . 2009-08-16 17:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-16 16:59 . 2009-08-16 16:59 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\SUPERAntiSpyware.com
2009-08-16 16:59 . 2007-08-20 14:38 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-16 16:59 . 2009-08-16 16:57 6881824 ----a-w- C:\SAS.exe
2009-08-16 16:54 . 2009-08-16 16:54 1343913 ----a-w- C:\MGtools.exe
2009-08-16 16:54 . 2009-08-16 16:54 464491 ----a-w- C:\RootRepeal.zip
2009-08-16 16:51 . 2009-08-16 16:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-16 16:30 . 2009-08-16 16:30 -------- d-----w- c:\program files\CCleaner
2009-08-16 16:28 . 2009-08-16 16:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-15 00:26 . 2009-08-15 00:25 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-15 00:25 . 2009-08-15 00:25 -------- d-----w- c:\program files\Lavasoft
2009-08-14 23:53 . 2009-08-14 23:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-14 05:58 . 2009-10-03 02:26 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-14 00:14 . 2009-08-14 00:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-14 00:14 . 2009-08-14 00:14 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-14 00:14 . 2009-08-14 00:14 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-14 00:14 . 2007-08-20 14:22 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-14 00:14 . 2009-08-14 00:14 -------- d-----w- c:\program files\AVG
2009-08-14 00:10 . 2009-08-14 00:10 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\AVG8
2009-08-05 09:01 . 2006-02-22 03:32 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-26 15:44 . 2009-07-26 15:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2009-07-17 19:01 . 2006-02-22 03:32 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2006-02-22 03:33 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-04_00.11.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-04 14:37 . 2009-10-04 14:37 16384 c:\windows\Temp\Perflib_Perfdata_7ec.dat
+ 2009-10-04 14:37 . 2009-10-04 14:37 16384 c:\windows\Temp\Perflib_Perfdata_7bc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-10 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-05 282624]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-05 180269]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 45056]
"PDService.exe"="c:\program files\Utimaco\SafeGuard PrivateDisk\pdservice.exe" [2004-07-06 40960]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-11 151552]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-10-19 184320]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-07 114688]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-14 2007832]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-06-29 14720000]
"Mouse Suite 98 Daemon"="ICO.EXE" - c:\windows\system32\ico.exe [2002-03-14 45056]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-14 00:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-20 17:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [15/08/2009 01:26 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [03/10/2009 03:26 206256]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [14/08/2009 01:14 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [14/08/2009 01:14 108552]
R1 PrivateDisk;PrivateDisk;c:\windows\system32\drivers\privatediskm.sys [06/07/2004 15:07 45627]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/08/2009 16:06 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/08/2009 16:06 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [14/08/2009 01:14 297752]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [14/08/2009 01:14 908056]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 15:49 1028432]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\HELENM~1\LOCALS~1\Temp\DMSKSSRh.sys --> c:\docume~1\HELENM~1\LOCALS~1\Temp\DMSKSSRh.sys [?]
S3 P1001VID;Creative WebCam (WDM);c:\windows\system32\drivers\P1001Vid.sys [02/08/2006 14:09 395224]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/08/2009 16:06 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [03/10/2009 03:25 348824]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 00:26]

2009-10-03 c:\windows\Tasks\Wise Registry Cleaner 4.job
- c:\program files\Wise Registry Cleaner\WiseRegistryCleaner.exe [2009-10-03 12:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.club-vaio.com/en/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: sony-europe.com
Trusted Zone: sonystyle-europe.com
Trusted Zone: vaio-link.com
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\Helen Melon\Application Data\Mozilla\Firefox\Profiles\964kqff7.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\773dd7e9-39a0-43e3-ace2-d4d35dc916eb.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-04 17:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\VESWinlogon.dll
.
Completion time: 2009-10-04 17:39
ComboFix-quarantined-files.txt 2009-10-04 16:39
ComboFix2.txt 2009-10-04 14:43
ComboFix3.txt 2009-10-04 00:17

Pre-Run: 11,740,499,968 bytes free
Post-Run: 11,726,290,944 bytes free

235 --- E O F --- 2009-09-13 02:01


Add-Remove Programs List

Ad-Aware
Adobe Acrobat Reader 3.01
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Reader 8.1.1
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.0
Apple Software Update
AVG Free 8.5
BBC iPlayer Download Manager
BioWare Premium Module: Neverwinter Nights - Kingmaker
BioWare Premium Module: Neverwinter Nights - ShadowGuard
BioWare Premium Module: Neverwinter Nights - Witch's Wake
CCleaner (remove only)
Click to DVD 2.0.03 Menu Data
Click to DVD 2.5.20
Creative WebCam Control
Creative WebCam Driver
Diablo II
Disc2Phone
DivX Web Player
Driving Test Complete
DVgate Plus
GameSpy Arcade
Google AFE
Google Earth
Google Talk (remove only)
Google Toolbar for Internet Explorer
HDAUDIO SoftV92 Data Fax Modem with SmartCP
Hero Editor V0.96
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB954550-v5)
HP Deskjet 3740
HP Software Update
Image Converter 2 Plus
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
Intel® PROSet/Wireless Software
InterVideo WinDVD for VAIO
LAN-Express AS IEEE 802.11 Wireless LAN
LG PC Suite
LG USB Modem driver
Malwarebytes' Anti-Malware
mCore
mDriver
Memory Stick Formatter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office Live Add-in 1.3
Microsoft Office Professional Edition 2003
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server Desktop Engine (VAIO_VEDB)
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Microsoft Works 2004 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
mMHouse
Mozilla Firefox (3.5.3)
mPfMgr
mProSafe
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
mWlsSafe
mXML
OpenMG Limited Patch 4.4-06-13-19-01
OpenMG Secure Module 4.4.00
Picasa 2
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Roxio DigitalMedia Audio
Roxio DigitalMedia Copy
Roxio DigitalMedia Data
SafeGuard® PrivateDisk 1.00.6 - Try and Buy Version
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Segoe UI
Setting Utility Series
SonicStage 3.4
Sony MP4 Shared Library
Sony USB Mouse
Sony Utilities DLL
Sony Video Shared Library
Spotify
SPSS 14.0 for Windows
Spybot - Search & Destroy
Spyware Doctor 6.1
SUPERAntiSpyware Free Edition
Symantec KB-DocID:2003093015493306
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB972636)
VAIO Control Center
VAIO Entertainment Platform
VAIO Event Service
VAIO Hardware Diagnostics
VAIO Long Battery Life Wallpaper
VAIO Media 5.0
VAIO Media AC3 Decoder 1.0
VAIO Media Integrated Server 5.0
VAIO Media Redistribution 5.0
VAIO Media Registration Tool 5.0
VAIO Online Registration (English)
VAIO Original Screen Saver
VAIO Original Screen Saver VAIO Cozy Screen SD Wide Contents
VAIO Power Management
VAIO Product Survey
VAIO Sea Wallpaper
VAIO Starfish Wallpaper
VAIO Update 2
VC80CRTRedist - 8.0.50727.762
Ventrilo Client
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.0.2
VOR
VPS
WebFldrs XP
Winamp
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
WinUAE 1.4.2
Wireless LAN Starter
Wise Disk Cleaner 4.81
Wise Registry Cleaner 4 Free 4.83
ZoneAlarm Spy Blocker



I have also successfully submitted the thing that you asked me to on Bleeping Computer

#14 oldman960

oldman960

    Forum God

  • Classroom Teacher
  • 14,755 posts

Posted 04 October 2009 - 11:05 AM

Hi nffc86,

I have also successfully submitted the thing that you asked me to on Bleeping Computer

Thank you.

Please download Inherit by sUBs and save it to your Desktop.

Click your start button, click run. Copy and paste the following commands, one at a time, into the run box, clicking OK after each line. Wait a bit between lines.

"%userprofile%\desktop\Inherit.exe" "c:\Program Files\AVG\AVG8\avgcsrvx.exe"

"%userprofile%\desktop\Inherit.exe" "c:\Program Files\Lavasoft\Ad-Aware\AAWService.exe"

"%userprofile%\desktop\Inherit.exe" "c:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"

"%userprofile%\desktop\Inherit.exe" "c:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"


You should be able to run the programs now.


You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please post back with the MBAM log.

Thanks

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Threads will be closed if no response after 5 days.
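The four Inherit commands above are what the helper uses to get the scanners running again. As an added example that is not part of the thread and not the Inherit tool, this PowerShell snippet only reads the ACL of those same four executables (paths taken from the post) and reports blocked inheritance and explicit Deny entries, which is how a permission-based launch failure shows up on disk.

```powershell
# Added example, not from the thread and not the Inherit tool: a read-only
# ACL check on the same four scanner executables the helper's commands target.
# Paths are the ones listed in the post; adjust them if installed elsewhere.
$targets = @(
    'C:\Program Files\AVG\AVG8\avgcsrvx.exe',
    'C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe',
    "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe",
    'C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe'
)

function Get-ScannerAclReport {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path -Path $path)) {
            # A missing binary is a finding too: the scanner was moved or deleted.
            New-Object PSObject -Property @{
                Path = $path; Exists = $false; Owner = ''
                InheritanceBlocked = $null; DenyEntries = 'file not found'
            }
            continue
        }
        $acl = Get-Acl -Path $path
        # Explicit Deny entries (especially on Everyone or Users) are what an
        # "access denied / you do not have permission" launch failure looks like on disk.
        $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
            ForEach-Object { '{0}: {1}' -f $_.IdentityReference, $_.FileSystemRights })
        New-Object PSObject -Property @{
            Path   = $path
            Exists = $true
            Owner  = $acl.Owner
            # True means the file no longer inherits the Program Files folder's
            # default rules (Users: Read & Execute), so its own entries decide everything.
            InheritanceBlocked = $acl.AreAccessRulesProtected
            DenyEntries        = ($deny -join '; ')
        }
    }
}

Get-ScannerAclReport -Paths $targets |
    Format-Table Path, Exists, InheritanceBlocked, DenyEntries -AutoSize
```

Run it from an elevated PowerShell prompt before and after the Inherit commands; a file that shows InheritanceBlocked as True or lists any Deny entries beforehand should show neither afterwards.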

#15 nffc86

nffc86

    Authentic Member

  • Authentic Member
  • PipPip
  • 28 posts

Posted 04 October 2009 - 11:34 AM

Malwarebytes' Anti-Malware 1.41
Database version: 2905
Windows 5.1.2600 Service Pack 3

04/10/2009 18:28:06
mbam-log-2009-10-04 (18-28-06).txt

Scan type: Quick Scan
Objects scanned: 114723
Time elapsed: 9 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 7
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c3d409df-0316-4fc0-89e2-dbdd885232a0} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c3d409df-0316-4fc0-89e2-dbdd885232a0} (Password.Stealer) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\BN (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D1 (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D2 (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D3 (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\gd (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\pr (Trojan.Ambler) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4AA9S564\flash_stream-viewer.v.45032[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
