Yet another instance of Trojan horse Generic 15.BKQQ


Post by swampyankee22 on Thu Nov 26, 2009 4:14 pm

Thanks for this free service! But if anyone can help me get rid of this Trojan there will definitely be some Paypal love!

Here's the ComboFix log: Malwarebytes and SuperAnti-spyware don't seem to find anything at all when they scan, but AVG is showing it frequently, seemingly an svchost.exe trojan that hijacks pages, won't let me view technical solution pages and randomly refers following Google searches too (if you go back and search again it will let them through).

Is there any anti-virus/trojan software out there good enough to actually prevent these things? Or will they always be one step ahead of those who help find solutions?

ComboFix 09-11-25.03 - Compaq_Owner 11/25/2009 20:27.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.401 [GMT -5]
Running from: c:\documents and settings\Compaq_Owner\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\pyrizupuq.bat
c:\documents and settings\All Users\Documents\awunyl.inf
c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
c:\documents and settings\Compaq_Owner\Application Data\uderucej.vbs
c:\documents and settings\Compaq_Owner\Cookies\ewubyfah.scr
c:\documents and settings\Compaq_Owner\Cookies\ezyfur._sy
c:\documents and settings\Compaq_Owner\Cookies\otukoqusa.sys
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\uvyqi.inf
c:\documents and settings\Compaq_Owner\ntuser.dll
c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\scandisk.lnk
c:\recycler\S-1-5-21-3599618336-589856690-2436077665-1012
c:\recycler\S-1-5-21-9959337303-5378144185-711673109-9942
c:\windows\asaj.vbs
c:\windows\azilelypi.scr
c:\windows\system32\__c004CF81.dat
c:\windows\system32\6to4v32.dll
c:\windows\system32\calc.dll
c:\windows\system32\config\systemprofile\ntuser.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.lnk
c:\windows\system32\dagamami.dll
c:\windows\system32\daqdrv.sys
c:\windows\system32\eq7723.dll
c:\windows\system32\ikycy.vbs
c:\windows\system32\ps2.bat
c:\windows\system32\sshnas.dll
c:\windows\system32\wafatoto.dll
c:\windows\system32\zudawahi.dll
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
c:\windows\Temp\4070480208.exe
c:\windows\TEMP\rundll32.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_6to4
-------\Service_SSHNAS


((((((((((((((((((((((((( Files Created from 2009-10-26 to 2009-11-26 )))))))))))))))))))))))))))))))
.

2009-11-26 01:22 . 2009-11-26 01:22 46080 ----a-w- C:\nijap.exe
2009-11-26 01:22 . 2009-11-26 01:22 53248 ----a-w- C:\dxtsyxru.exe
2009-11-26 01:22 . 2009-11-26 01:22 12288 ----a-w- C:\jpvedf.exe
2009-11-24 04:19 . 2009-11-24 04:19 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-23 23:59 . 2009-11-23 23:59 -------- d-----w- c:\documents and settings\Erin\Application Data\SUPERAntiSpyware.com
2009-11-23 23:22 . 2009-11-23 23:22 -------- d-----w- c:\documents and settings\Erin\Application Data\Malwarebytes
2009-11-22 23:10 . 2009-11-22 23:10 -------- d-----w- c:\documents and settings\Quinn\Local Settings\Application Data\Apple Computer
2009-11-22 23:09 . 2009-11-22 23:09 79440 ----a-w- c:\documents and settings\Quinn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-26 01:23 . 2009-08-09 16:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-25 12:29 . 2008-12-24 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-25 01:33 . 2009-08-09 18:03 117760 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-25 01:33 . 2009-08-09 18:03 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-24 14:37 . 2004-08-04 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-24 04:18 . 2009-11-22 23:08 -------- d-----w- c:\documents and settings\Quinn\Application Data\Gtek
2009-11-03 01:42 . 2009-10-03 12:29 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-24 20:10 . 2008-08-11 18:02 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-19 20:52 . 2009-02-05 23:32 79440 ----a-w- c:\documents and settings\Lilia Hope\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-19 12:06 . 2006-02-27 02:03 79440 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-19 11:59 . 2006-03-13 00:56 79440 ----a-w- c:\documents and settings\Erin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-15 02:59 . 2009-10-15 02:59 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-10-13 21:10 . 2009-10-13 21:10 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-06 11:13 . 2006-12-19 02:00 -------- d-----w- c:\program files\PeerGuardian2
2009-10-03 12:41 . 2005-12-02 23:13 -------- d-----w- c:\program files\Common Files\Real
2009-10-03 12:40 . 2009-10-03 12:40 -------- d-----w- c:\program files\Common Files\xing shared
2009-10-03 12:40 . 2003-03-19 11:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-10-03 12:40 . 2003-02-21 19:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2008-08-16 00:16 . 2008-08-16 00:15 1513959 ----a-w- c:\program files\wordpress-2.6.1.zip
2008-12-20 04:03 . 2006-02-23 12:50 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-20 04:03 . 2006-02-23 12:50 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-20 04:03 . 2007-06-30 11:05 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-20 04:03 . 2007-06-30 11:05 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-20 04:03 . 2006-02-23 12:50 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-30 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-03 2028312]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-03 198160]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-2 27136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-11-25 01:32 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-11 13:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Palm\\HOTSYNC.EXE"=
"c:\\Program Files\\SupportSoft\\bin\\tgcmd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Defender\\MSASCui.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/11/2009 8:23 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/11/2009 8:23 AM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 3:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 3:06 PM 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/11/2009 8:22 AM 297752]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S2 gupdate1c96614b910bed2;Google Update Service (gupdate1c96614b910bed2);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2008 5:12 PM 133104]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
S2 moqmw;moqmw;\??\c:\windows\system32\drivers\ydgaqfukz.sys --> c:\windows\system32\drivers\ydgaqfukz.sys [?]
S3 daqdrv;daqdrv;\??\c:\windows\system32\daqdrv.sys --> c:\windows\system32\daqdrv.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 3:06 PM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-11-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-11-26 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-26 00:59]

2009-11-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-24 04:32]

2009-11-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-24 04:32]

2009-11-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2009-11-23 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-08-13 13:22]

2009-11-25 c:\windows\Tasks\User_Feed_Synchronization-{72D10B34-5CED-42D0-A5EF-DA7C7F6FDD2F}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\a46wawl0.default\
FF - prefs.js: browser.startup.homepage - http:/www.google.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

BHO-{B45A4B16-23F2-41AD-F4E4-00AAC39C0004} - c:\windows\system32\eq7723.dll
BHO-{bacd3b09-56e9-4040-a9ff-ca850b3ad145} - zudawahi.dll
HKLM-Run-kewulabihe - dagamami.dll
HKU-Default-Run-calc - c:\windows\system32\config\SYSTEM~1\ntuser.dll
SharedTaskScheduler-{B45A4B16-23F2-41AD-F4E4-00AAC39C0004} - c:\windows\system32\eq7723.dll
AddRemove-CanonMyPrinter - c:\program files\Canon\MyPrinter\uninst.exe uninst.ini
AddRemove-CanonSolutionMenu - c:\program files\Canon\SolutionMenu\uninst.exe uninst.ini
AddRemove-dBpowerAMP AAC Codec - c:\windows\system32\SpoonUninstall.exe c:\windows\system32\SpoonUninstall-dBpowerAMP AAC Codec.dat
AddRemove-dBpowerAMP DirectShow Decoder Codec - c:\windows\system32\SpoonUninstall.exe c:\windows\system32\SpoonUninstall-dBpowerAMP DirectShow Decoder Codec.dat
AddRemove-dBpowerAMP FLAC Codec - c:\windows\system32\SpoonUninstall.exe c:\windows\system32\SpoonUninstall-dBpowerAMP FLAC Codec.dat
AddRemove-dBpowerAMP Monkeys Audio Codec - c:\windows\system32\SpoonUninstall.exe c:\windows\system32\SpoonUninstall-dBpowerAMP Monkeys Audio Codec.dat
AddRemove-dBpowerAMP Mp3 (MPEG Suite 2000 CLI) - c:\windows\system32\SpoonUninstall.exe c:\windows\system32\SpoonUninstall-dBpowerAMP Mp3 (MPEG Suite 2000 CLI).dat
AddRemove-dBpowerAMP Music Converter - c:\windows\system32\SpoonUninstall.exe c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
AddRemove-dBpowerAMP Ogg Vorbis Codec - c:\windows\system32\SpoonUninstall.exe c:\windows\system32\SpoonUninstall-dBpowerAMP Ogg Vorbis Codec.dat
AddRemove-dBpowerAMP Shorten Codec - c:\windows\system32\SpoonUninstall.exe c:\windows\system32\SpoonUninstall-dBpowerAMP Shorten Codec.dat
AddRemove-dBpowerAMP Wavpack Codec - c:\windows\system32\SpoonUninstall.exe c:\windows\system32\SpoonUninstall-dBpowerAMP Wavpack Codec.dat
AddRemove-dBpowerAMP WMA V9.1 Codec - c:\windows\system32\SpoonUninstall.exe c:\windows\system32\SpoonUninstall-dBpowerAMP WMA V9.1 Codec.dat
AddRemove-dMC Power Pack - c:\windows\system32\SpoonUninstall.exe c:\windows\system32\SpoonUninstall-dMC Power Pack.dat
AddRemove-Easy-PhotoPrint EX - c:\program files\Canon\Easy-PhotoPrint EX\uninst.exe uninst.ini
AddRemove-Flash Video Save Adapter for FireFox - c:\documents and settings\Compaq_Owner\Desktop\Powerpoint templates\New Folder\Flash Video Save Adapter for Firefox\uninst.exe
AddRemove-PS2 - c:\windows\system32\ps2.exe uninstall
AddRemove-RealPlayer 12.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|12.0



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-11-25 21:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8614F369]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7674f28
\Driver\ACPI -> ACPI.sys @ 0xf74e7cb8
\Driver\atapi -> atapi.sys @ 0xf73ca852
\Driver\iaStor -> iaStor.sys @ 0xf73eeade
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf727cbd4
PacketIndicateHandler -> NDIS.sys @ 0xf7288a21
SendHandler -> NDIS.sys @ 0xf727cd44
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(568)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(632)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2340)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\CTJBNS.DLL
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\CTIntrfc.dll
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\JBNSHK.dll
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\JBNSRES.DLL
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSvcCDA.EXE
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-11-25 21:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-26 02:23

Pre-Run: 24,173,797,376 bytes free
Post-Run: 30,378,586,112 bytes free

- - End Of File - - 4059A42AE11D20B0A8B71EAF46A7D72B

swampyankee22 (Novice), Posts: 7, Joined: 2009-11-26, OS: Windows XP SP3

Re: Yet another instance of Trojan horse Generic 15.BKQQ

Post by Belahzur on Thu Nov 26, 2009 8:46 pm


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    C:\nijap.exe
    C:\dxtsyxru.exe
    C:\jpvedf.exe

    Driver::
    moqmw
    daqdrv
  4. Save this as CFScript.txt, in the same location as ComboFix.exe
  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


Please PM me if I fail to respond within 24hrs.


Belahzur (Administrator), Posts: 34916, Joined: 2008-08-03, Gender: Male, OS: XP SP3 Media Centre

Re: Yet another instance of Trojan horse Generic 15.BKQQ

Post by swampyankee22 on Fri Nov 27, 2009 2:03 pm

I did as instructed... (though interestingly, after ComboFix ran the script it rebooted my computer, and when I logged back in, ComboFix opened on its own and ran/generated the following log; I assume that was all supposed to happen but figured I'd mention it).

Here's the log generated after the computer rebooted:

ComboFix 09-11-25.03 - Compaq_Owner 11/27/2009 8:21.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.579 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFscript.txt

FILE ::
"C:\dxtsyxru.exe"
"C:\jpvedf.exe"
"C:\nijap.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\dxtsyxru.exe
C:\jpvedf.exe
C:\nijap.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DAQDRV
-------\Service_daqdrv
-------\Service_moqmw


((((((((((((((((((((((((( Files Created from 2009-10-27 to 2009-11-27 )))))))))))))))))))))))))))))))
.

2009-11-24 04:19 . 2009-11-24 04:19 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-23 23:59 . 2009-11-23 23:59 -------- d-----w- c:\documents and settings\Erin\Application Data\SUPERAntiSpyware.com
2009-11-23 23:22 . 2009-11-23 23:22 -------- d-----w- c:\documents and settings\Erin\Application Data\Malwarebytes
2009-11-22 23:10 . 2009-11-22 23:10 -------- d-----w- c:\documents and settings\Quinn\Local Settings\Application Data\Apple Computer
2009-11-22 23:09 . 2009-11-22 23:09 79440 ----a-w- c:\documents and settings\Quinn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-26 14:41 . 2008-12-24 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-26 01:23 . 2009-08-09 16:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-25 01:33 . 2009-08-09 18:03 117760 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-25 01:33 . 2009-08-09 18:03 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-24 14:37 . 2004-08-04 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2009-11-24 04:18 . 2009-11-22 23:08 -------- d-----w- c:\documents and settings\Quinn\Application Data\Gtek
2009-11-03 01:42 . 2009-10-03 12:29 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-24 20:10 . 2008-08-11 18:02 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-19 20:52 . 2009-02-05 23:32 79440 ----a-w- c:\documents and settings\Lilia Hope\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-19 12:06 . 2006-02-27 02:03 79440 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-19 11:59 . 2006-03-13 00:56 79440 ----a-w- c:\documents and settings\Erin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-15 02:59 . 2009-10-15 02:59 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-10-13 21:10 . 2009-10-13 21:10 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-06 11:13 . 2006-12-19 02:00 -------- d-----w- c:\program files\PeerGuardian2
2009-10-03 12:41 . 2005-12-02 23:13 -------- d-----w- c:\program files\Common Files\Real
2009-10-03 12:40 . 2009-10-03 12:40 -------- d-----w- c:\program files\Common Files\xing shared
2009-10-03 12:40 . 2003-03-19 11:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-10-03 12:40 . 2003-02-21 19:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2008-08-16 00:16 . 2008-08-16 00:15 1513959 ----a-w- c:\program files\wordpress-2.6.1.zip
2008-12-20 04:03 . 2006-02-23 12:50 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-20 04:03 . 2006-02-23 12:50 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-20 04:03 . 2007-06-30 11:05 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-20 04:03 . 2007-06-30 11:05 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-20 04:03 . 2006-02-23 12:50 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-06-25 05:32 . 2009-11-27 13:39 81920 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-06-25 05:32 . 2009-11-26 01:57 81920 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-06-24 22:25 . 2009-11-27 13:39 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-06-24 22:25 . 2009-11-26 01:57 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-06-24 22:25 . 2009-11-27 13:39 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-06-24 22:25 . 2009-11-26 01:57 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-30 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-03 198160]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-2 27136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-11-25 01:32 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Palm\\HOTSYNC.EXE"=
"c:\\Program Files\\SupportSoft\\bin\\tgcmd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Defender\\MSASCui.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 3:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 3:06 PM 74480]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S2 gupdate1c96614b910bed2;Google Update Service (gupdate1c96614b910bed2);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2008 5:12 PM 133104]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 3:06 PM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-11-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-11-27 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-26 00:59]

2009-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-24 04:32]

2009-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-24 04:32]

2009-11-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2009-11-27 c:\windows\Tasks\User_Feed_Synchronization-{72D10B34-5CED-42D0-A5EF-DA7C7F6FDD2F}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\a46wawl0.default\
FF - prefs.js: browser.startup.homepage - http:/www.google.com
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-11-27 08:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86117369]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7674f28
\Driver\ACPI -> ACPI.sys @ 0xf74e7cb8
\Driver\atapi -> atapi.sys @ 0xf73ca852
\Driver\iaStor -> iaStor.sys @ 0xf73eeade
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf727cbd4
PacketIndicateHandler -> NDIS.sys @ 0xf7288a21
SendHandler -> NDIS.sys @ 0xf727cd44
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(620)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1004)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\CTJBNS.DLL
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\CTIntrfc.dll
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\JBNSHK.dll
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\JBNSRES.DLL
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSvcCDA.EXE
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-27 08:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-27 13:55
ComboFix2.txt 2009-11-26 02:23

Pre-Run: 30,396,616,704 bytes free
Post-Run: 30,482,092,032 bytes free

- - End Of File - - 93F4AC56F8CA8D11C387D926EEE6C6B9

swampyankee22
Novice
Posts : 7
Joined : 2009-11-26
OS : Windows XP SP3

Re: Yet another instance of Trojan hose Generic 15.BKQQ

Post by Belahzur on Fri Nov 27, 2009 11:20 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Re: Yet another instance of Trojan hose Generic 15.BKQQ

Post by swampyankee22 on Sun Nov 29, 2009 5:27 pm

No change... Google searches - especially anything related to malware or viruses - are still being hijacked... along with random new windows with random ads (I even uninstalled AVG 9 and disabled the internet before running the ComboFix run command)

Thanks for your help so far... I'm open to any suggestions:

Here's the latest Combofix log

ComboFix 09-11-25.03 - Compaq_Owner 11/29/2009 11:27.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.576 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\Combo-Fix.exe
Command switches used :: /u
.

((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-29 )))))))))))))))))))))))))))))))
.

2009-11-28 05:13 . 2009-11-28 05:13 -------- d-----w- C:\found.001
2009-11-27 19:00 . 2009-11-27 19:00 -------- d-----w- C:\$AVG
2009-11-27 15:56 . 2009-11-29 16:20 -------- d-----w- c:\documents and settings\Quinn.HOMEOFFICE
2009-11-24 04:19 . 2009-11-24 04:19 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-23 23:59 . 2009-11-23 23:59 -------- d-----w- c:\documents and settings\Erin\Application Data\SUPERAntiSpyware.com
2009-11-23 23:22 . 2009-11-23 23:22 -------- d-----w- c:\documents and settings\Erin\Application Data\Malwarebytes
2009-11-22 23:10 . 2009-11-22 23:10 -------- d-----w- c:\documents and settings\Quinn\Local Settings\Application Data\Apple Computer
2009-11-22 23:09 . 2009-11-22 23:09 79440 ----a-w- c:\documents and settings\Quinn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-27 18:58 . 2008-11-28 16:23 -------- d-----w- c:\program files\AVG
2009-11-27 15:05 . 2004-08-04 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2009-11-26 14:41 . 2008-12-24 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-26 01:23 . 2009-08-09 16:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-25 01:33 . 2009-08-09 18:03 117760 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-25 01:33 . 2009-08-09 18:03 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-24 04:18 . 2009-11-22 23:08 -------- d-----w- c:\documents and settings\Quinn\Application Data\Gtek
2009-11-03 01:42 . 2009-10-03 12:29 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-24 20:10 . 2008-08-11 18:02 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-19 20:52 . 2009-02-05 23:32 79440 ----a-w- c:\documents and settings\Lilia Hope\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-19 12:06 . 2006-02-27 02:03 79440 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-19 11:59 . 2006-03-13 00:56 79440 ----a-w- c:\documents and settings\Erin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-15 02:59 . 2009-10-15 02:59 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-10-13 21:10 . 2009-10-13 21:10 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-06 11:13 . 2006-12-19 02:00 -------- d-----w- c:\program files\PeerGuardian2
2009-10-03 12:41 . 2005-12-02 23:13 -------- d-----w- c:\program files\Common Files\Real
2009-10-03 12:40 . 2009-10-03 12:40 -------- d-----w- c:\program files\Common Files\xing shared
2009-10-03 12:40 . 2003-03-19 11:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-10-03 12:40 . 2003-02-21 19:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2008-08-16 00:16 . 2008-08-16 00:15 1513959 ----a-w- c:\program files\wordpress-2.6.1.zip
2008-12-20 04:03 . 2006-02-23 12:50 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-20 04:03 . 2006-02-23 12:50 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-20 04:03 . 2007-06-30 11:05 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-20 04:03 . 2007-06-30 11:05 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-20 04:03 . 2006-02-23 12:50 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 01:54 . 2009-07-12 01:54 65536 c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e79c4723\vcomp.dll
+ 2009-07-12 01:32 . 2009-07-12 01:32 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80KOR.dll
+ 2009-07-12 01:32 . 2009-07-12 01:32 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80JPN.dll
+ 2009-07-12 01:32 . 2009-07-12 01:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ITA.dll
+ 2009-07-12 01:32 . 2009-07-12 01:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80FRA.dll
+ 2009-07-12 01:32 . 2009-07-12 01:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ESP.dll
+ 2009-07-12 01:32 . 2009-07-12 01:32 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ENU.dll
+ 2009-07-12 01:32 . 2009-07-12 01:32 65536 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80DEU.dll
+ 2009-07-12 01:32 . 2009-07-12 01:32 45056 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHT.dll
+ 2009-07-12 01:32 . 2009-07-12 01:32 40960 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHS.dll
+ 2009-07-12 06:07 . 2009-07-12 06:07 57856 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80u.dll
+ 2009-07-12 06:19 . 2009-07-12 06:19 69632 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80.dll
+ 2004-08-04 12:00 . 2009-11-27 15:05 96512 c:\windows\system32\dllcache\atapi.sys
- 2004-08-04 12:00 . 2009-11-24 14:37 96512 c:\windows\system32\dllcache\atapi.sys
- 2005-06-25 05:32 . 2009-11-26 01:57 81920 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-06-25 05:32 . 2009-11-29 16:22 81920 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-06-24 22:25 . 2009-11-26 01:57 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-06-24 22:25 . 2009-11-29 16:22 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-06-24 22:25 . 2009-11-26 01:57 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2005-06-24 22:25 . 2009-11-29 16:22 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-07-12 06:12 . 2009-07-12 06:12 632656 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
+ 2009-07-12 06:09 . 2009-07-12 06:09 554832 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll
+ 2009-07-12 06:08 . 2009-07-12 06:08 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcm80.dll
+ 2009-11-27 18:58 . 2009-11-27 18:58 424448 c:\windows\Installer\1232474.msi
+ 2009-07-12 01:46 . 2009-07-12 01:46 1093120 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80u.dll
+ 2009-07-12 01:46 . 2009-07-12 01:46 1105920 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-30 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-03 198160]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-2 27136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-11-25 01:32 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Palm\\HOTSYNC.EXE"=
"c:\\Program Files\\SupportSoft\\bin\\tgcmd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Defender\\MSASCui.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 3:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 3:06 PM 74480]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S2 gupdate1c96614b910bed2;Google Update Service (gupdate1c96614b910bed2);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2008 5:12 PM 133104]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 3:06 PM 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - ftsata2_2
.
Contents of the 'Scheduled Tasks' folder

2009-11-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-11-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-26 00:59]

2009-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-24 04:32]

2009-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-24 04:32]

2009-11-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2009-11-29 c:\windows\Tasks\User_Feed_Synchronization-{72D10B34-5CED-42D0-A5EF-DA7C7F6FDD2F}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\a46wawl0.default\
FF - prefs.js: browser.startup.homepage - http:/www.google.com
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-11-29 11:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8610A369]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7654f28
\Driver\ACPI -> ACPI.sys @ 0xf74c7cb8
\Driver\atapi -> atapi.sys @ 0xf73aa852
\Driver\iaStor -> iaStor.sys @ 0xf73ceade
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf725cbd4
PacketIndicateHandler -> NDIS.sys @ 0xf7268a21
SendHandler -> NDIS.sys @ 0xf725cd44
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(420)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(484)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3636)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\CTJBNS.DLL
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\CTIntrfc.dll
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\JBNSHK.dll
c:\program files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\JBNSRES.DLL
.
Completion time: 2009-11-29 11:51
ComboFix-quarantined-files.txt 2009-11-29 16:50
ComboFix2.txt 2009-11-28 21:11
ComboFix3.txt 2009-11-27 13:55
ComboFix4.txt 2009-11-26 02:23

Pre-Run: 28,134,125,568 bytes free
Post-Run: 29,461,770,240 bytes free

- - End Of File - - A21E35A13C37ADA0C7614157AC2AFACE

swampyankee22
Novice
Posts : 7
Joined : 2009-11-26
OS : Windows XP SP3

Re: Yet another instance of Trojan hose Generic 15.BKQQ

Post by Belahzur on Sun Nov 29, 2009 6:43 pm

Please download SystemLook from one of the links below and save it to your Desktop.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:

    :filefind
    atapi.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Re: Yet another instance of Trojan hose Generic 15.BKQQ

Post by swampyankee22 on Sun Nov 29, 2009 7:43 pm

Thanks

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 14:38 on 29/11/2009 by Compaq_Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [23:15 03/09/2008] [12:00 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [02:10 26/11/2009] [15:05 27/11/2009] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [01:36 30/08/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--- 96512 bytes [12:00 04/08/2004] [15:05 27/11/2009] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [12:00 04/08/2004] [15:05 27/11/2009] 9F3A2F5AA6875C72BF062C712CFA2674

-=End Of File=-

swampyankee22
Novice
Posts : 7
Joined : 2009-11-26
OS : Windows XP SP3
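The filefind step above is really a consistency check: five copies of the same driver, compared by MD5 and timestamp, with the live copy in system32\drivers measured against the protected copies in dllcache and ServicePackFiles. As an added example (not code from the thread or from SystemLook), here is a small Python checker that parses those filefind lines, assigns each copy its role, and reports whether the live driver's hash agrees with the reference copies and when it was last written; it assumes SystemLook prints the bracketed timestamps as [created] [modified], and it adds a constructed second log to show what a rewritten live driver looks like.

```python
"""Consistency check over SystemLook ':filefind' output for a system driver.
Added example, not code from the thread or from SystemLook. SAMPLE_LOG holds the five
atapi.sys lines from the SystemLook log posted above; TAMPERED_LOG is a constructed sample
of a rewritten live driver. Assumption: the bracketed times print as [created] [modified]."""
import re
from datetime import datetime

# One result line: path, 6-char attribute field, size, [created], [modified], MD5.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+)\s+bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)
# Location decides role: live (what the kernel loads), dllcache (Windows File Protection cache),
# servicepack (installed by the SP), sp_uninstall (the pre-SP build, so a different hash is by design).
ROLES = (("\\system32\\drivers\\", "live"), ("\\system32\\dllcache\\", "dllcache"),
         ("\\servicepackfiles\\", "servicepack"), ("$ntservicepackuninstall$", "sp_uninstall"))

SAMPLE_LOG = r"""
Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [23:15 03/09/2008] [12:00 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [02:10 26/11/2009] [15:05 27/11/2009] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [01:36 30/08/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--- 96512 bytes [12:00 04/08/2004] [15:05 27/11/2009] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [12:00 04/08/2004] [15:05 27/11/2009] 9F3A2F5AA6875C72BF062C712CFA2674
"""

# Constructed (not from the thread): the live copy carries a hash no reference copy has.
TAMPERED_LOG = r"""
Searching for "atapi.sys"
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [01:36 30/08/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--- 96512 bytes [12:00 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [12:00 04/08/2004] [03:17 21/11/2009] 00000000000000000000000000000000
"""

def classify(path):
    p = path.lower()
    return next((role for marker, role in ROLES if marker in p), "other")

def parse_filefind(text):
    """Parse every result line; the 'Searching for' header and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["size"] = int(rec["size"])
        for key in ("created", "modified"):
            rec[key] = datetime.strptime(rec[key], "%H:%M %d/%m/%Y")
        rec["md5"] = rec["md5"].upper()
        rec["role"] = classify(rec["path"])
        records.append(rec)
    return records

def check_driver(text):
    """Compare the live driver against its protected reference copies."""
    recs = parse_filefind(text)
    by_role = {}
    for r in recs:
        by_role.setdefault(r["role"], []).append(r)
    refs = by_role.get("dllcache", []) + by_role.get("servicepack", [])
    report = {"copies": len(recs), "distinct_hashes": sorted({r["md5"] for r in recs}),
              "reference_hashes": sorted({r["md5"] for r in refs}),
              "findings": [], "verdict": "unknown"}
    if "live" not in by_role:
        report["findings"].append("no live copy under system32\\drivers in the output")
        return report
    live = by_role["live"][0]
    report["live_md5"] = live["md5"]
    report["live_modified"] = live["modified"].strftime("%Y-%m-%d %H:%M")
    if not refs:
        report["findings"].append("no dllcache/ServicePackFiles copy to compare against")
    elif live["md5"] not in report["reference_hashes"]:
        report["findings"].append("MISMATCH: live driver hash differs from every reference copy")
        report["verdict"] = "mismatch"
    else:
        report["verdict"] = "consistent"
    # A live copy written after the service-pack copy deserves a look even when hashes agree.
    sp_mod = [r["modified"] for r in by_role.get("servicepack", [])]
    if sp_mod and live["modified"] > max(sp_mod):
        report["findings"].append("live copy rewritten on %s, after the ServicePackFiles copy (%s)"
                                  % (report["live_modified"], max(sp_mod).strftime("%Y-%m-%d %H:%M")))
    return report

if __name__ == "__main__":
    for name, log in (("posted log", SAMPLE_LOG), ("constructed tampered log", TAMPERED_LOG)):
        rep = check_driver(log)
        print(name, "->", rep["verdict"], "; ".join(rep["findings"]))
```

On the posted lines it reports the live hash as consistent with the dllcache and ServicePackFiles copies and notes that the live copy was rewritten on 2009-11-27 15:05, the same time the second ComboFix log's snapshot section shows dllcache\atapi.sys being replaced.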

Re: Yet another instance of Trojan hose Generic 15.BKQQ

Post by Belahzur on Mon Nov 30, 2009 12:05 am

Hello.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    FCopy::
    C:\WINDOWS\$NtServicePackUninstall$\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
