Infected


Infected

Post by Pauliwood on 30th December 2009, 3:49 pm

Good day everyone,

Hoping someone can provide some assistance so I can restore an infected system back to a point where I can at least backup data in case a fresh install/restore is needed.


Currently, when the PC boots up using Windows XP, in normal mode, I am unable to run any .exe programs that will provide virus or malware scanning. After a few mouse clicks, the PC locks up.

I was able to install Ad-Aware and run a scan, however it found nothing.
SUPERAntiSpyware gives me an error upon running the install file, and Malwarebytes' Anti-Malware will not even start the setup process. Once I click an .exe file, I am not able to click on anything else, and I need to power down and re-boot.

I can run CCleaner, and was able to disable some programs at startup, nothing that looked malicious enough to prevent the PC from working.

Not sure if HijackThis will even load or run, but I am willing to try it. What shall I do to help you folks help me?

Please advise, thank you.


Re: Infected

Post by Belahzur on 30th December 2009, 8:21 pm

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement; press Accept and HijackThis will run.
  • Select "Do a system scan and save a log file". This will open a Notepad file of everything HijackThis found; copy and paste it back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Infected

Post by Pauliwood on 31st December 2009, 12:14 am

Thanks so much Belahzur,

Just an update to what I've been able to do.

I ran TDSSKiller, and that was able to delete a hidden rootkit; I am kicking myself for not writing down what it was. Something like H8S or HS8.

Anyhow, once I got that out, the gloves came off. I was able to install and run SUPERAntiSpyware, which removed 12 pieces of malware, was able to run Avira, which removed 6 viruses and 1 threat, and installed Spybot, updated and immunized, then ran a scan, which deleted another 10+ threats.

Also, something changed IE to try and use a proxy; I changed that back to obtain the IP automatically. I also ran a file to stop the AutoRun feature of Windows.
I will check my version of Java, and ensure it is up to date and from SUN and not MS.

I will be uninstalling Norton 360, so I only have 1 Anti-Virus, and installing PC Tools firewall and McAfee Site Advisor.

I have also limited the kids accounts, so they are no longer administrators.

I updated Windows, which had 1 critical update.

I will remove Norton, then run HijackThis to ensure I've removed everything. Thanks again!


Re: Infected

Post by Pauliwood on 31st December 2009, 5:38 am

Here is my log file, thanks again for your help!!


Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 12:36:51 AM, on 12/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O1 - Hosts: ::1 localhost
O1 - Hosts: ector-2009.com
O2 - BHO: (no name) - MRI_DISABLED - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - [You must be registered and logged in to see this link.]
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - [You must be registered and logged in to see this link.]
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - [You must be registered and logged in to see this link.]
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - [You must be registered and logged in to see this link.]
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - [You must be registered and logged in to see this link.]
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: c:\windows\system32\poludenu.dll C:\WINDOWS\system32\fuyavure.dll c:\windows\system32\takobazi.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate1c9f0398c257c1e) (gupdate1c9f0398c257c1e) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - Unknown owner - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 7169 bytes


Re: Infected

Post by Belahzur on 31st December 2009, 4:46 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O1 - Hosts: ::1 localhost
    O1 - Hosts: ector-2009.com
    O2 - BHO: (no name) - MRI_DISABLED - (no file)
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O20 - AppInit_DLLs: c:\windows\system32\poludenu.dll C:\WINDOWS\system32\fuyavure.dll c:\windows\system32\takobazi.dll
    O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)



  • Press "Fix Checked"
  • Close HijackThis.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double-click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.



Re: Infected

Post by Pauliwood on 31st December 2009, 6:30 pm

Thank you for your help, here is my Malwarebytes log file.

Malwarebytes' Anti-Malware 1.43
Database version: 3462
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/31/2009 1:15:35 PM
mbam-log-2009-12-31 (13-15-31).txt

Scan type: Quick Scan
Objects scanned: 156702
Time elapsed: 5 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: at1r40.dll -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\at1r40.dll (Trojan.Vundo.H) -> No action taken.
C:\Documents and Settings\Ryan\Local Settings\Temp\H8SRT90ad.tmp (Rootkit.TDSS) -> No action taken.
C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> No action taken.
C:\WINDOWS\system32\H8SRTbivomfpxmf.dat (Rootkit.TDSS) -> No action taken.


Program did say I needed to re-boot to clean 1 file, which I did, and then came back here to post the log file.

~Pauliwood


Re: Infected

Post by Belahzur on 31st December 2009, 6:31 pm

MBAM says no action taken, guess you took that log before removing the items found.

We need to go deeper.

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.


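As an added triage aid for the two logs this thread works through (it is not part of the thread, HijackThis, or Malwarebytes): a Python script that applies the review rules the helper applied by hand to the HijackThis entries above (empty R0 values, hosts-file additions, orphaned "(no file)"/"(file missing)" entries, AppInit_DLLs) and checks an MBAM log for items still marked "No action taken", which is what gave away that the log was saved before removal. Both sample logs are constructed from lines of the same format as the ones posted; the line formats themselves are assumed from those posts.

```python
import re
from dataclasses import dataclass

# Constructed sample in the HijackThis 2.0.x log format, built from lines like the
# ones posted in this thread (assumed format: "<section> - <body>").
HJT_SAMPLE = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O1 - Hosts: ::1 localhost
O1 - Hosts: ector-2009.com
O2 - BHO: (no name) - MRI_DISABLED - (no file)
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O20 - AppInit_DLLs: c:\windows\system32\poludenu.dll C:\WINDOWS\system32\fuyavure.dll
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

# Constructed sample in the Malwarebytes 1.x log format ("<item> (<family>) -> <action>.").
MBAM_SAMPLE = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: at1r40.dll -> No action taken.

Files Infected:
C:\WINDOWS\at1r40.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\H8SRTbivomfpxmf.dat (Rootkit.TDSS) -> No action taken.
C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
"""


@dataclass
class Finding:
    section: str
    severity: str  # "high", "low" or "info"
    reason: str
    line: str


HJT_LINE_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")


def triage_hjt(log: str) -> list[Finding]:
    """Apply the review rules used on the entries this thread discusses.
    Anything not covered by a rule is left for manual review ("info")."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        m = HJT_LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "R0" and body.rstrip().endswith("="):
            findings.append(Finding(sec, "low", "empty IE search value; resetting it is harmless", raw))
        elif sec == "O1":
            words = body.partition("Hosts:")[2].split()
            if words and words[-1] == "localhost":  # e.g. "::1 localhost", the IPv6 loopback
                findings.append(Finding(sec, "low", "loopback mapping; benign, listed only because it is non-default", raw))
            else:
                findings.append(Finding(sec, "high", "hosts file entry for a third-party domain", raw))
        elif "(no file)" in body or "(file missing)" in body:
            findings.append(Finding(sec, "low", "orphaned entry; the referenced file no longer exists", raw))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            # Paths in this value are space separated (none of the sample paths contain spaces).
            dlls = body.split(":", 1)[1].split()
            findings.append(Finding(sec, "high",
                                    f"AppInit_DLLs loads {len(dlls)} DLL(s) into every process that "
                                    "loads user32.dll: " + ", ".join(dlls), raw))
        else:
            findings.append(Finding(sec, "info", "compare against the software known to be installed", raw))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


MBAM_ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+?)\.?$")


def mbam_summary(log: str) -> dict:
    """Count detections per action. Items still marked 'No action taken' mean the
    log was saved before 'Remove Selected' ran, so removal has to be repeated."""
    by_action: dict[str, int] = {}
    pending: list[tuple[str, str]] = []
    for raw in log.splitlines():
        m = MBAM_ITEM_RE.match(raw.strip())
        if not m:
            continue
        # Registry data items carry an extra "Data: ... ->" segment before the action.
        action = m.group("rest").rsplit("-> ", 1)[-1].strip()
        by_action[action] = by_action.get(action, 0) + 1
        if action == "No action taken":
            pending.append((m.group("item"), m.group("family")))
    return {"by_action": by_action, "pending": pending}


if __name__ == "__main__":
    for f in triage_hjt(HJT_SAMPLE):
        print(f"[{f.severity:4}] {f.section:4} {f.reason}")
    print(mbam_summary(MBAM_SAMPLE))
```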

Re: Infected

Post by Pauliwood on 31st December 2009, 10:16 pm

Here you go, and yes, I copied the log before I actually clicked to remove the malware, sorry about that.

This GMER program really bogged down the PC, to the point where the PC froze while trying to save the text file. Surprised I was able to save it; is that normal after running GMER??

GMER 1.0.15.15281 - [You must be registered and logged in to see this link.]
Rootkit scan 2009-12-31 16:43:18
Windows 5.1.2600 Service Pack 3
Running: ygxioy9v.exe; Driver: C:\DOCUME~1\MARKBE~1\LOCALS~1\Temp\awpcifod.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwAllocateVirtualMemory [0x980C9752]
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwAssignProcessToJobObject [0x980C9440]
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwConnectPort [0x980C9482]
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwCreateFile [0x980C9530]
SSDT 9AD8AF46 ZwCreateKey
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwCreateProcess [0x980C9DD8]
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwCreateProcessEx [0x980C9E64]
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwCreateThread [0x980C9EF4]
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwDebugActiveProcess [0x980C9580]
SSDT 9AD8AF4B ZwDeleteKey
SSDT 9AD8AF55 ZwDeleteValueKey
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwDuplicateObject [0x980C95C2]
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwLoadDriver [0x980C9606]
SSDT 9AD8AF5A ZwLoadKey
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwOpenKey [0x980C9648]
SSDT 9AD8AF28 ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwOpenSection [0x980C968A]
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwOpenThread [0x980C96CC]
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwProtectVirtualMemory [0x980C979A]
SSDT 9AD8AF64 ZwReplaceKey
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwRequestWaitReplyPort [0x980C970E]
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwRestoreKey [0x980C97DC]
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwResumeThread [0x980C9824]
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwSecureConnectPort [0x980C98B4]
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwSetValueKey [0x980C9866]
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwSuspendProcess [0x980C9958]
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwSystemDebugControl [0x980C999A]
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwTerminateProcess [0x980C99DC]
SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwWriteVirtualMemory [0x980C9A2A]

---- Kernel code sections - GMER 1.0.15 ----

? cqtlq.sys The system cannot find the file specified. !
init C:\WINDOWS\system32\drivers\monfilt.sys entry point in "init" section [0x9F8BE280]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eufs.sys (File System Filter Driver/CHENGDU YIWO Tech Development Co., Ltd)
AttachedDevice \Driver\Tcpip \Device\Ip pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Tcp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 eubakup.sys (Disk Backup Driver/CHENGDU YIWO Tech Development Co., Ltd)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 eubakup.sys (Disk Backup Driver/CHENGDU YIWO Tech Development Co., Ltd)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 eubakup.sys (Disk Backup Driver/CHENGDU YIWO Tech Development Co., Ltd)
AttachedDevice \Driver\Tcpip \Device\Udp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\RawIp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)

Device \FileSystem\Fastfat \Fat 97157D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTewbmkltars.sys
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTewbmkltars.sys
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTcspulgixri.dll
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTbivomfpxmf.dat
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTurxxnejmnt.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{C1BFB3EF-A754-4642-AF1B-9095D0788AF9}\InprocServer32@ C:\WINDOWS\system32\cewmd.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{C1BFB3EF-A754-4642-AF1B-9095D0788AF9}\InprocServer32@ThreadingModel apartment

---- EOF - GMER 1.0.15 ----


Re: Infected

Post by Belahzur on 31st December 2009, 10:17 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts.
    NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Re: Infected

Post by Pauliwood on 31st December 2009, 11:16 pm

wow, you're quick to respond, thank you!

OK, did as you said, as well as taking down my firewall.

Here is my log file:

ComboFix 09-12-31.06 - Mark Bengston 12/31/2009 17:36:26.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1526 [GMT -5:00]
Running from: c:\documents and settings\Mark Bengston\Desktop\Combo-Fix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: PC Tools Firewall Plus *enabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Documents\alisud.inf
c:\documents and settings\All Users\Documents\bore.inf
c:\windows\kb913800.exe
c:\windows\system32\Data
c:\windows\system32\drivers\1028_DELL_XPS_Dell DXP061 .MRK
c:\windows\system32\drivers\DELL_XPS_Dell DXP061 .MRK

.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-31 )))))))))))))))))))))))))))))))
.

2009-12-31 17:09 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-31 17:09 . 2009-12-31 17:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-31 17:09 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 12:22 . 2009-12-02 17:21 20616 ----a-w- c:\windows\system32\drivers\eufs.sys
2009-12-31 12:22 . 2009-12-02 17:20 14216 ----a-w- c:\windows\system32\drivers\eudskacs.sys
2009-12-31 12:22 . 2009-12-02 17:20 26248 ----a-w- c:\windows\system32\drivers\eubakup.sys
2009-12-31 12:22 . 2009-12-02 17:20 122504 ----a-w- c:\windows\system32\drivers\EuDisk.sys
2009-12-31 12:22 . 2009-12-31 12:22 -------- d-----w- c:\program files\EASEUS
2009-12-31 05:35 . 2009-12-31 05:35 388096 ----a-r- c:\documents and settings\Mark Bengston\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-31 05:35 . 2009-12-31 05:35 -------- d-----w- c:\program files\TrendMicro
2009-12-31 05:27 . 2009-12-31 05:28 -------- d-----w- c:\documents and settings\Mark Bengston\Application Data\PCToolsFirewallPlus
2009-12-31 05:24 . 2009-12-31 05:24 -------- d-----w- c:\documents and settings\Mark Bengston\Application Data\IObit
2009-12-31 05:24 . 2009-12-31 05:24 -------- d-----w- c:\program files\IObit
2009-12-31 05:24 . 2009-11-23 18:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-31 05:24 . 2009-11-09 16:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-31 05:24 . 2009-10-30 16:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-31 05:23 . 2009-12-31 05:24 -------- d-----w- c:\program files\Common Files\PC Tools
2009-12-31 05:23 . 2009-11-24 13:54 56512 ----a-w- c:\windows\system32\drivers\pctNdis.sys
2009-12-31 05:23 . 2009-11-10 22:11 70408 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.sys
2009-12-31 05:23 . 2009-08-14 18:44 32552 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.sys
2009-12-31 05:23 . 2009-10-16 21:55 115216 ----a-w- c:\windows\system32\drivers\pctplfw.sys
2009-12-31 05:23 . 2009-12-31 05:28 -------- d-----w- c:\program files\PC Tools Firewall Plus
2009-12-31 05:13 . 2009-12-31 05:13 -------- d-----w- c:\program files\VS Revo Group
2009-12-31 05:10 . 2009-12-31 05:10 -------- d-----w- c:\program files\Common Files\McAfee
2009-12-31 05:09 . 2009-12-31 05:26 -------- d-----w- c:\program files\McAfee
2009-12-31 05:09 . 2009-12-31 05:10 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-30 19:56 . 2008-04-14 01:11 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2009-12-30 19:46 . 2009-12-31 05:30 52224 ----a-w- c:\documents and settings\Mark Bengston\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-30 19:45 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2009-12-30 19:36 . 2009-12-30 19:36 -------- d-----w- c:\documents and settings\Mark Bengston\Local Settings\Application Data\{F966A3C4-4FBE-4F5E-A572-F788B95B09AD}
2009-12-30 19:33 . 2009-12-30 19:33 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-12-30 18:41 . 2009-12-31 05:30 117760 ----a-w- c:\documents and settings\Mark Bengston\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-30 17:18 . 2009-12-30 17:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-30 16:04 . 2009-12-30 16:04 -------- d-----w- c:\program files\Uniblue
2009-12-30 13:20 . 2009-12-30 13:20 -------- d-sh--w- c:\documents and settings\Admin\IECompatCache
2009-12-30 13:19 . 2009-12-30 13:19 -------- d-sh--w- c:\documents and settings\Admin\PrivacIE
2009-12-30 13:17 . 2009-12-30 13:17 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\{36C2655B-7C3D-41E4-AA12-2B748564664C}
2009-12-30 03:54 . 2009-12-31 05:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-30 03:24 . 2009-12-30 03:24 -------- d-sh--w- c:\documents and settings\Admin\IETldCache
2009-12-30 02:59 . 2009-12-30 02:59 -------- d-----w- c:\documents and settings\Mark Bengston\Local Settings\Application Data\{6EA53344-47D9-471A-95D1-88B5DEA0C28E}
2009-12-30 02:33 . 2009-12-31 05:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-30 02:33 . 2009-12-30 19:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-30 02:24 . 2009-12-30 02:24 -------- d-sh--w- c:\windows\system32\config\systemprofile\IECompatCache
2009-12-30 02:02 . 2009-12-30 02:02 -------- d-----w- c:\documents and settings\Kim\Local Settings\Application Data\{606834A8-ABF4-4384-B0D6-DE3ED254F4D9}
2009-12-30 01:47 . 2009-12-31 22:55 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-30 01:30 . 2009-11-25 16:19 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-30 01:30 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-12-30 01:30 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-12-30 01:30 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-12-30 01:30 . 2009-12-30 01:30 -------- d-----w- c:\program files\Avira
2009-12-30 01:30 . 2009-12-30 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-12-30 01:28 . 2009-12-31 05:31 -------- d-----w- c:\program files\SpywareBlaster
2009-12-28 19:29 . 2009-12-28 19:29 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-12-28 03:43 . 2009-12-28 03:43 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\{C4F406BB-2D3A-408B-B19C-6CB3955D2192}
2009-12-27 22:42 . 2009-12-27 22:42 -------- d-----w- c:\documents and settings\Kim\Local Settings\Application Data\{737F58CA-9071-40AA-AB2F-63975219D8EA}
2009-12-26 13:28 . 2009-12-26 13:28 -------- d-----w- c:\documents and settings\Kim\Local Settings\Application Data\{AF1B3379-8E1E-43F6-B406-D1A5484E72E0}
2009-12-25 16:22 . 2009-12-25 16:22 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\{3A279311-79E7-4EBC-A240-2051153BEDF7}
2009-12-22 13:37 . 2009-12-22 13:37 -------- d-----w- c:\documents and settings\Mark Bengston\Local Settings\Application Data\{2AC08518-8D90-4E22-B93D-F04211A76C6F}
2009-12-22 00:22 . 2009-12-22 00:22 -------- d-----w- c:\documents and settings\Brittany\Local Settings\Application Data\{B9C96AF4-FF6D-45F2-996C-F3099B3358A6}
2009-12-21 17:26 . 2009-12-21 17:26 -------- d-----w- c:\documents and settings\Kim\Local Settings\Application Data\{8028AEC6-9285-44DE-A508-2BD51A4973CA}
2009-12-20 12:25 . 2009-12-20 12:26 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\Temp
2009-12-16 13:34 . 2009-12-16 13:34 -------- d-----w- c:\documents and settings\Harley\Local Settings\Application Data\{7986657D-D94D-4364-BAD7-14D9EBC5D909}
2009-12-15 12:25 . 2009-12-15 12:25 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\{8F5BF2E5-67A3-4E3C-B10A-F2E1BE68B163}
2009-12-12 12:55 . 2009-12-12 12:55 -------- d-----w- c:\documents and settings\Mark Bengston\Local Settings\Application Data\{47F52104-6423-4E02-AB7E-D623A548E3DB}
2009-12-11 01:53 . 2009-12-30 13:17 0 ----a-w- c:\windows\Wkejuc.bin
2009-12-11 01:53 . 2009-12-29 06:51 120 ----a-w- c:\windows\Ylapobunit.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-31 05:26 . 2009-06-15 12:47 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-31 05:22 . 2009-06-15 12:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-30 19:57 . 2009-12-30 19:57 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-12-30 19:57 . 2009-12-30 19:57 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-12-30 19:33 . 2008-01-15 18:45 -------- d-----w- c:\program files\DIGStream
2009-12-30 18:40 . 2008-08-30 11:53 -------- d-----w- c:\documents and settings\Mark Bengston\Application Data\SUPERAntiSpyware.com
2009-12-30 17:19 . 2009-04-19 22:46 117760 ----a-w- c:\documents and settings\Kim\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-30 17:18 . 2008-08-24 22:58 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-30 01:08 . 2008-08-25 01:24 -------- d-----w- c:\program files\CCleaner
2009-12-30 01:06 . 2008-01-27 23:11 -------- d-----w- c:\program files\Google
2009-12-30 01:05 . 2008-01-19 19:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-12-30 00:45 . 2008-01-15 19:05 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-21 15:16 . 2008-01-20 15:59 32752 ----a-w- c:\documents and settings\Harley\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-18 18:05 . 2009-12-18 18:04 -------- d-----w- c:\documents and settings\Kim\Application Data\Creative
2009-11-27 19:43 . 2008-11-18 23:45 -------- d-----w- c:\documents and settings\Mark Bengston\Application Data\Apple Computer
2009-11-21 15:51 . 2004-08-10 11:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-30 00:12 . 2008-01-15 19:40 32752 ----a-w- c:\documents and settings\Mark Bengston\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 07:45 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-10 11:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-10 11:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-10 11:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-10 11:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 15:38 . 2008-01-24 21:27 32752 ----a-w- c:\documents and settings\Brittany\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-12 13:38 . 2004-08-10 11:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-10 11:00 79872 ----a-w- c:\windows\system32\raschap.dll
2008-09-11 17:23 . 2008-09-11 17:23 14591 ----a-w- c:\program files\Common Files\majulidij.db
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2009-11-27 2971608]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-08-24 22:48 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 02:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2009-05-19 05:23 49968 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2006-01-02 22:41 45056 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2005-10-31 15:51 57344 ------w- c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-11-07 10:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-10-05 08:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 18:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 21:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 20:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBMon]
2006-03-16 01:15 1355468 ----a-w- c:\windows\system32\CTMBHA.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-03-20 21:00 282624 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 08:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-12-16 21:26 2002160 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
2006-02-16 14:20 1118208 ------w- c:\program files\Creative\VoiceCenter\AndreaVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"MDM"=2 (0x2)
"GoToAssist"=3 (0x3)
"Creative Labs Licensing Service"=2 (0x2)
"ATI Smart"=2 (0x2)
"tmproxy"=2 (0x2)
"TmPfw"=2 (0x2)
"Tmntsrv"=2 (0x2)
"PcCtlCom"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4735:UDP"= 4735:UDP:Windows Media Format SDK (iexplore.exe)
"4734:UDP"= 4734:UDP:Windows Media Format SDK (iexplore.exe)
"4737:UDP"= 4737:UDP:Windows Media Format SDK (iexplore.exe)
"4769:UDP"= 4769:UDP:Windows Media Format SDK (iexplore.exe)
"4768:UDP"= 4768:UDP:Windows Media Format SDK (iexplore.exe)
"4771:UDP"= 4771:UDP:Windows Media Format SDK (iexplore.exe)
"4079:UDP"= 4079:UDP:Windows Media Format SDK (iexplore.exe)
"4078:UDP"= 4078:UDP:Windows Media Format SDK (iexplore.exe)

R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [12/31/2009 7:22 AM 26248]
R0 EUFS;EUFS;c:\windows\system32\drivers\eufs.sys [12/31/2009 7:22 AM 20616]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [12/31/2009 12:24 AM 233136]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/16/2009 4:26 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/16/2009 4:26 PM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/29/2009 8:30 PM 108289]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [12/31/2009 12:10 AM 93320]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [12/31/2009 12:24 AM 88040]
R3 EuDisk;EASEUS Disk Enumerator;c:\windows\system32\drivers\EuDisk.sys [12/31/2009 7:22 AM 122504]
R3 PCTFW-DNS;PCTools Firewall - DNS driver;c:\windows\system32\drivers\pctNdis-DNS.sys [12/31/2009 12:23 AM 32552]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [12/31/2009 12:23 AM 70408]
R3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [12/31/2009 12:23 AM 56512]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [12/31/2009 12:23 AM 115216]
S2 gupdate1c9f0398c257c1e;Google Update Service (gupdate1c9f0398c257c1e);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [12/31/2009 7:22 AM 14216]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/16/2009 4:27 PM 7408]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys --> c:\windows\system32\DRIVERS\TM_CFW.sys [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2009-12-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Mark Bengston\Application Data\Mozilla\Firefox\Profiles\4bobwwxr.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - hidden: XULRunner: {47F52104-6423-4E02-AB7E-D623A548E3DB} - c:\documents and settings\Mark Bengston\Local Settings\Application Data\{47F52104-6423-4E02-AB7E-D623A548E3DB}
FF - hidden: XULRunner: {8F5BF2E5-67A3-4E3C-B10A-F2E1BE68B163} - c:\documents and settings\Ryan\Local Settings\Application Data\{8F5BF2E5-67A3-4E3C-B10A-F2E1BE68B163}
FF - hidden: XULRunner: {7986657D-D94D-4364-BAD7-14D9EBC5D909} - c:\documents and settings\Harley\Local Settings\Application Data\{7986657D-D94D-4364-BAD7-14D9EBC5D909}\
FF - hidden: XULRunner: {8028AEC6-9285-44DE-A508-2BD51A4973CA} - c:\documents and settings\Kim\Local Settings\Application Data\{8028AEC6-9285-44DE-A508-2BD51A4973CA}\
FF - hidden: XULRunner: {B9C96AF4-FF6D-45F2-996C-F3099B3358A6} - c:\documents and settings\Brittany\Local Settings\Application Data\{B9C96AF4-FF6D-45F2-996C-F3099B3358A6}\
FF - hidden: XULRunner: {2AC08518-8D90-4E22-B93D-F04211A76C6F} - c:\documents and settings\Mark Bengston\Local Settings\Application Data\{2AC08518-8D90-4E22-B93D-F04211A76C6F}\
FF - hidden: XULRunner: {3A279311-79E7-4EBC-A240-2051153BEDF7} - c:\documents and settings\Ryan\Local Settings\Application Data\{3A279311-79E7-4EBC-A240-2051153BEDF7}\
FF - hidden: XULRunner: {AF1B3379-8E1E-43F6-B406-D1A5484E72E0} - c:\documents and settings\Kim\Local Settings\Application Data\{AF1B3379-8E1E-43F6-B406-D1A5484E72E0}\
FF - hidden: XULRunner: {737F58CA-9071-40AA-AB2F-63975219D8EA} - c:\documents and settings\Kim\Local Settings\Application Data\{737F58CA-9071-40AA-AB2F-63975219D8EA}\
FF - hidden: XULRunner: {C4F406BB-2D3A-408B-B19C-6CB3955D2192} - c:\documents and settings\Ryan\Local Settings\Application Data\{C4F406BB-2D3A-408B-B19C-6CB3955D2192}
FF - hidden: XULRunner: {606834A8-ABF4-4384-B0D6-DE3ED254F4D9} - c:\documents and settings\Kim\Local Settings\Application Data\{606834A8-ABF4-4384-B0D6-DE3ED254F4D9}
FF - hidden: XULRunner: {6EA53344-47D9-471A-95D1-88B5DEA0C28E} - c:\documents and settings\Mark Bengston\Local Settings\Application Data\{6EA53344-47D9-471A-95D1-88B5DEA0C28E}
FF - hidden: XULRunner: {36C2655B-7C3D-41E4-AA12-2B748564664C} - c:\documents and settings\Admin\Local Settings\Application Data\{36C2655B-7C3D-41E4-AA12-2B748564664C}
FF - hidden: XULRunner: {F966A3C4-4FBE-4F5E-A572-F788B95B09AD} - c:\documents and settings\Mark Bengston\Local Settings\Application Data\{F966A3C4-4FBE-4F5E-A572-F788B95B09AD}\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
MSConfigStartUp-04b9c993 - c:\windows\system32\ketisuli.dll
MSConfigStartUp-CPM078afa0f - c:\windows\system32\takobazi.dll
MSConfigStartUp-Ctesupofuyipid - c:\windows\ifaxohay.dll
MSConfigStartUp-hedigagiku - c:\windows\system32\juwurapi.dll
MSConfigStartUp-pccguide - c:\program files\Trend Micro\Internet Security 14\pccguide.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-12-31 17:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C1BFB3EF-A754-4642-AF1B-9095D0788AF9}\InprocServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\cewmd.dll"
"ThreadingModel"="apartment"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1004)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(3004)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\PC Tools Firewall Plus\FWService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-12-31 18:00:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-31 23:00

Pre-Run: 211,763,089,408 bytes free
Post-Run: 212,432,384,000 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 1122F6A5CC8A4E1AB52EED64566A3B19


Re: Infected

Post by Pauliwood on 31st December 2009, 11:26 pm

Weird, the ComboFix log file says the firewall was enabled; however, it was disabled while trying to install it, and all through the scanning process.


Re: Infected

Post by Belahzur on 31st December 2009, 11:30 pm

Wow, a lot of Goored there.

Please download GooredFix from one of the locations below and save it to your Desktop
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).




Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1


Re: Infected

Post by Pauliwood on 31st December 2009, 11:48 pm

I take it Goored is bad....-)

And here I thought I had this PC mostly cleaned up; glad I asked for a double check via the HijackThis log, thank you!

Goored log:

GooredFix by jpshortstuff (28.12.09.1)
Log created at 18:35 on 31/12/2009 (Mark Bengston)
Firefox version 3.0.16 (en-US)

========== GooredScan ==========

(none)
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{47F52104-6423-4E02-AB7E-D623A548E3DB} -> Success!
Deleting C:\Documents and Settings\Mark Bengston\Local Settings\Application Data\{47F52104-6423-4E02-AB7E-D623A548E3DB} -> Success!
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{8F5BF2E5-67A3-4E3C-B10A-F2E1BE68B163} -> Success!
Deleting C:\Documents and Settings\Ryan\Local Settings\Application Data\{8F5BF2E5-67A3-4E3C-B10A-F2E1BE68B163} -> Success!
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{7986657D-D94D-4364-BAD7-14D9EBC5D909} -> Success!
Deleting C:\Documents and Settings\Harley\Local Settings\Application Data\{7986657D-D94D-4364-BAD7-14D9EBC5D909} -> Success!
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{C4F406BB-2D3A-408B-B19C-6CB3955D2192} -> Success!
Deleting C:\Documents and Settings\Ryan\Local Settings\Application Data\{C4F406BB-2D3A-408B-B19C-6CB3955D2192} -> Success!
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{606834A8-ABF4-4384-B0D6-DE3ED254F4D9} -> Success!
Deleting C:\Documents and Settings\Kim\Local Settings\Application Data\{606834A8-ABF4-4384-B0D6-DE3ED254F4D9} -> Success!
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{6EA53344-47D9-471A-95D1-88B5DEA0C28E} -> Success!
Deleting C:\Documents and Settings\Mark Bengston\Local Settings\Application Data\{6EA53344-47D9-471A-95D1-88B5DEA0C28E} -> Success!
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{36C2655B-7C3D-41E4-AA12-2B748564664C} -> Success!
Deleting C:\Documents and Settings\Admin\Local Settings\Application Data\{36C2655B-7C3D-41E4-AA12-2B748564664C} -> Success!
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{F966A3C4-4FBE-4F5E-A572-F788B95B09AD} -> Success!
Deleting C:\Documents and Settings\Mark Bengston\Local Settings\Application Data\{F966A3C4-4FBE-4F5E-A572-F788B95B09AD} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [23:45 14/06/2009]

C:\Documents and Settings\Mark Bengston\Application Data\Mozilla\Firefox\Profiles\4bobwwxr.default\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{8028AEC6-9285-44DE-A508-2BD51A4973CA}"="C:\Documents and Settings\Kim\Local Settings\Application Data\{8028AEC6-9285-44DE-A508-2BD51A4973CA}\" [17:26 21/12/2009]
"{B9C96AF4-FF6D-45F2-996C-F3099B3358A6}"="C:\Documents and Settings\Brittany\Local Settings\Application Data\{B9C96AF4-FF6D-45F2-996C-F3099B3358A6}\" [00:22 22/12/2009]
"{2AC08518-8D90-4E22-B93D-F04211A76C6F}"="C:\Documents and Settings\Mark Bengston\Local Settings\Application Data\{2AC08518-8D90-4E22-B93D-F04211A76C6F}\" [13:37 22/12/2009]
"{3A279311-79E7-4EBC-A240-2051153BEDF7}"="C:\Documents and Settings\Ryan\Local Settings\Application Data\{3A279311-79E7-4EBC-A240-2051153BEDF7}\" [16:22 25/12/2009]
"{AF1B3379-8E1E-43F6-B406-D1A5484E72E0}"="C:\Documents and Settings\Kim\Local Settings\Application Data\{AF1B3379-8E1E-43F6-B406-D1A5484E72E0}\" [13:28 26/12/2009]
"{737F58CA-9071-40AA-AB2F-63975219D8EA}"="C:\Documents and Settings\Kim\Local Settings\Application Data\{737F58CA-9071-40AA-AB2F-63975219D8EA}\" [22:42 27/12/2009]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor" [05:09 31/12/2009]

-=E.O.F=-


Re: Infected

Post by Belahzur on 1st January 2010, 3:39 pm

Hello.


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\windows\Wkejuc.bin
    c:\windows\Ylapobunit.dat

    Folder::
    C:\Documents and Settings\Brittany\Local Settings\Application Data\{B9C96AF4-FF6D-45F2-996C-F3099B3358A6}
    C:\Documents and Settings\Mark Bengston\Local Settings\Application Data\{2AC08518-8D90-4E22-B93D-F04211A76C6F}
    C:\Documents and Settings\Ryan\Local Settings\Application Data\{3A279311-79E7-4EBC-A240-2051153BEDF7}
    C:\Documents and Settings\Kim\Local Settings\Application Data\{AF1B3379-8E1E-43F6-B406-D1A5484E72E0}
    C:\Documents and Settings\Kim\Local Settings\Application Data\{737F58CA-9071-40AA-AB2F-63975219D8EA}

    Registry::
    [HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
    "{8028AEC6-9285-44DE-A508-2BD51A4973CA}"=-
    "{B9C96AF4-FF6D-45F2-996C-F3099B3358A6}"=-
    "{2AC08518-8D90-4E22-B93D-F04211A76C6F}"=-
    "{3A279311-79E7-4EBC-A240-2051153BEDF7}"=-
    "{AF1B3379-8E1E-43F6-B406-D1A5484E72E0}"=-
    "{737F58CA-9071-40AA-AB2F-63975219D8EA}"=-

    Driver::
    Viewpoint Manager Service

    RegLockDel::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C1BFB3EF-A754-4642-AF1B-9095D0788AF9}\InprocServer32]
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.




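As an added example (not ComboFix's, GooredFix's, or the helper's own code), here is a small Python parser that does by script what the CFScript above does by hand: it reads the "FF - hidden: XULRunner" lines from a ComboFix log, keeps only the entries that fit the Goored pattern seen in this thread (an extension registered under a random GUID whose files sit in a same-named folder under a user's Local Settings\Application Data), and emits the Folder:: and Registry:: blocks. The heuristic is an assumption drawn from this thread, not a rule taken from any tool. The sample log is a constructed excerpt: the GUIDs and user names are copied from the ComboFix log above, while the McAfee SiteAdvisor line is made up from the GooredLog registry entry so the example shows a legitimate XULRunner registration that must not be flagged.

```python
import re

# Constructed excerpt modelled on the "Supplementary Scan" section of the ComboFix log above.
# GUIDs and user names are copied from that log; the SiteAdvisor line is made up from the
# GooredLog registry entry to represent a legitimate XULRunner registration.
SAMPLE_LOG = r"""
FF - ProfilePath - c:\documents and settings\Mark Bengston\Application Data\Mozilla\Firefox\Profiles\4bobwwxr.default\
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - hidden: XULRunner: {8028AEC6-9285-44DE-A508-2BD51A4973CA} - c:\documents and settings\Kim\Local Settings\Application Data\{8028AEC6-9285-44DE-A508-2BD51A4973CA}\
FF - hidden: XULRunner: {B9C96AF4-FF6D-45F2-996C-F3099B3358A6} - c:\documents and settings\Brittany\Local Settings\Application Data\{B9C96AF4-FF6D-45F2-996C-F3099B3358A6}\
FF - hidden: XULRunner: {B9C96AF4-FF6D-45F2-996C-F3099B3358A6} - c:\documents and settings\Brittany\Local Settings\Application Data\{B9C96AF4-FF6D-45F2-996C-F3099B3358A6}
FF - hidden: XULRunner: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
"""

# One ComboFix line per hidden XULRunner registration: "{GUID} - <folder>", with or
# without a trailing backslash (ComboFix prints both forms, as the log above shows).
HIDDEN_XUL = re.compile(r"^FF - hidden: XULRunner: (\{[0-9A-Fa-f-]{36}\}) - (.+?)\\?\s*$")

# Goored pattern assumed from this thread: the extension folder is named after the same
# GUID and lives under <user>\Local Settings\Application Data.
GOORED_HOME = re.compile(
    r"\\Local Settings\\Application Data\\(\{[0-9A-Fa-f-]{36}\})$", re.IGNORECASE
)


def parse_hidden_xulrunner(log_text):
    """Return (guid, folder) pairs in log order, one per GUID, trailing-slash variants merged."""
    seen = {}
    for line in log_text.splitlines():
        m = HIDDEN_XUL.match(line.strip())
        if m:
            seen.setdefault(m.group(1).upper(), m.group(2))
    return list(seen.items())


def is_goored_like(guid, folder):
    """True when the folder sits under Local Settings\\Application Data and is named after guid."""
    m = GOORED_HOME.search(folder)
    return bool(m) and m.group(1).upper() == guid.upper()


def build_cfscript(log_text):
    """Emit the Folder:: and Registry:: blocks of a CFScript for the flagged entries.

    Folder paths are emitted as ComboFix printed them (lower case); Windows paths are
    case-insensitive, so this matches the mixed-case form the helper used above.
    """
    flagged = [(g, f) for g, f in parse_hidden_xulrunner(log_text) if is_goored_like(g, f)]
    if not flagged:
        return ""
    lines = ["Folder::"] + [folder for _, folder in flagged]
    lines += ["", "Registry::", r"[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]"]
    lines += ['"%s"=-' % guid for guid, _ in flagged]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG))
```

Run against the sample, the script lists the Kim and Brittany folders once each (the duplicate Brittany line collapses) and emits two `"{GUID}"=-` deletions under the Firefox Extensions key, while the SiteAdvisor entry under Program Files is left alone. A real log would of course be read from C:\ComboFix.txt rather than the embedded string, and the output still deserves a human look before it is dropped onto ComboFix.exe.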

Re: Infected

Post by Pauliwood on 1st January 2010, 5:42 pm

Thanks again for your help!!

ComboFix 09-12-31.A1 - Mark Bengston 01/01/2010 10:59:51.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1490 [GMT -5:00]
Running from: c:\documents and settings\Mark Bengston\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Mark Bengston\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}

FILE ::
"c:\windows\Wkejuc.bin"
"c:\windows\Ylapobunit.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Brittany\Local Settings\Application Data\{B9C96AF4-FF6D-45F2-996C-F3099B3358A6}
c:\documents and settings\Brittany\Local Settings\Application Data\{B9C96AF4-FF6D-45F2-996C-F3099B3358A6}\chrome.manifest
c:\documents and settings\Brittany\Local Settings\Application Data\{B9C96AF4-FF6D-45F2-996C-F3099B3358A6}\chrome\content\_cfg.js
c:\documents and settings\Brittany\Local Settings\Application Data\{B9C96AF4-FF6D-45F2-996C-F3099B3358A6}\install.rdf
c:\documents and settings\Kim\Local Settings\Application Data\{737F58CA-9071-40AA-AB2F-63975219D8EA}
c:\documents and settings\Kim\Local Settings\Application Data\{737F58CA-9071-40AA-AB2F-63975219D8EA}\chrome.manifest
c:\documents and settings\Kim\Local Settings\Application Data\{737F58CA-9071-40AA-AB2F-63975219D8EA}\chrome\content\_cfg.js
c:\documents and settings\Kim\Local Settings\Application Data\{737F58CA-9071-40AA-AB2F-63975219D8EA}\install.rdf
c:\documents and settings\Kim\Local Settings\Application Data\{AF1B3379-8E1E-43F6-B406-D1A5484E72E0}
c:\documents and settings\Kim\Local Settings\Application Data\{AF1B3379-8E1E-43F6-B406-D1A5484E72E0}\chrome.manifest
c:\documents and settings\Kim\Local Settings\Application Data\{AF1B3379-8E1E-43F6-B406-D1A5484E72E0}\chrome\content\_cfg.js
c:\documents and settings\Kim\Local Settings\Application Data\{AF1B3379-8E1E-43F6-B406-D1A5484E72E0}\install.rdf
c:\documents and settings\Mark Bengston\Local Settings\Application Data\{2AC08518-8D90-4E22-B93D-F04211A76C6F}
c:\documents and settings\Mark Bengston\Local Settings\Application Data\{2AC08518-8D90-4E22-B93D-F04211A76C6F}\chrome.manifest
c:\documents and settings\Mark Bengston\Local Settings\Application Data\{2AC08518-8D90-4E22-B93D-F04211A76C6F}\chrome\content\_cfg.js
c:\documents and settings\Mark Bengston\Local Settings\Application Data\{2AC08518-8D90-4E22-B93D-F04211A76C6F}\install.rdf
c:\documents and settings\Ryan\Local Settings\Application Data\{3A279311-79E7-4EBC-A240-2051153BEDF7}
c:\documents and settings\Ryan\Local Settings\Application Data\{3A279311-79E7-4EBC-A240-2051153BEDF7}\chrome.manifest
c:\documents and settings\Ryan\Local Settings\Application Data\{3A279311-79E7-4EBC-A240-2051153BEDF7}\chrome\content\_cfg.js
c:\documents and settings\Ryan\Local Settings\Application Data\{3A279311-79E7-4EBC-A240-2051153BEDF7}\install.rdf
c:\windows\Wkejuc.bin
c:\windows\Ylapobunit.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2009-12-01 to 2010-01-01 )))))))))))))))))))))))))))))))
.

2009-12-31 17:09 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-31 17:09 . 2009-12-31 17:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-31 17:09 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 12:22 . 2009-12-02 17:21 20616 ----a-w- c:\windows\system32\drivers\eufs.sys
2009-12-31 12:22 . 2009-12-02 17:20 14216 ----a-w- c:\windows\system32\drivers\eudskacs.sys
2009-12-31 12:22 . 2009-12-02 17:20 26248 ----a-w- c:\windows\system32\drivers\eubakup.sys
2009-12-31 12:22 . 2009-12-02 17:20 122504 ----a-w- c:\windows\system32\drivers\EuDisk.sys
2009-12-31 12:22 . 2009-12-31 12:22 -------- d-----w- c:\program files\EASEUS
2009-12-31 05:35 . 2009-12-31 05:35 388096 ----a-r- c:\documents and settings\Mark Bengston\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-31 05:35 . 2009-12-31 05:35 -------- d-----w- c:\program files\TrendMicro
2009-12-31 05:27 . 2009-12-31 05:28 -------- d-----w- c:\documents and settings\Mark Bengston\Application Data\PCToolsFirewallPlus
2009-12-31 05:24 . 2009-12-31 05:24 -------- d-----w- c:\documents and settings\Mark Bengston\Application Data\IObit
2009-12-31 05:24 . 2009-12-31 05:24 -------- d-----w- c:\program files\IObit
2009-12-31 05:24 . 2009-11-23 18:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-31 05:24 . 2009-11-09 16:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-31 05:24 . 2009-10-30 16:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-31 05:23 . 2009-12-31 05:24 -------- d-----w- c:\program files\Common Files\PC Tools
2009-12-31 05:23 . 2009-11-24 13:54 56512 ----a-w- c:\windows\system32\drivers\pctNdis.sys
2009-12-31 05:23 . 2009-11-10 22:11 70408 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.sys
2009-12-31 05:23 . 2009-08-14 18:44 32552 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.sys
2009-12-31 05:23 . 2009-10-16 21:55 115216 ----a-w- c:\windows\system32\drivers\pctplfw.sys
2009-12-31 05:23 . 2009-12-31 05:28 -------- d-----w- c:\program files\PC Tools Firewall Plus
2009-12-31 05:13 . 2009-12-31 05:13 -------- d-----w- c:\program files\VS Revo Group
2009-12-31 05:10 . 2009-12-31 05:10 -------- d-----w- c:\program files\Common Files\McAfee
2009-12-31 05:09 . 2009-12-31 05:26 -------- d-----w- c:\program files\McAfee
2009-12-31 05:09 . 2009-12-31 05:10 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-30 19:56 . 2008-04-14 01:11 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2009-12-30 19:46 . 2009-12-31 05:30 52224 ----a-w- c:\documents and settings\Mark Bengston\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-30 19:45 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2009-12-30 19:33 . 2009-12-30 19:33 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-12-30 18:41 . 2009-12-31 05:30 117760 ----a-w- c:\documents and settings\Mark Bengston\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-30 17:18 . 2009-12-30 17:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-30 16:04 . 2009-12-30 16:04 -------- d-----w- c:\program files\Uniblue
2009-12-30 13:20 . 2009-12-30 13:20 -------- d-sh--w- c:\documents and settings\Admin\IECompatCache
2009-12-30 13:19 . 2009-12-30 13:19 -------- d-sh--w- c:\documents and settings\Admin\PrivacIE
2009-12-30 03:54 . 2009-12-31 05:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-30 03:24 . 2009-12-30 03:24 -------- d-sh--w- c:\documents and settings\Admin\IETldCache
2009-12-30 02:33 . 2009-12-31 05:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-30 02:33 . 2009-12-30 19:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-30 02:24 . 2009-12-30 02:24 -------- d-sh--w- c:\windows\system32\config\systemprofile\IECompatCache
2009-12-30 01:47 . 2010-01-01 17:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-30 01:30 . 2009-11-25 16:19 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-30 01:30 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-12-30 01:30 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-12-30 01:30 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-12-30 01:30 . 2009-12-30 01:30 -------- d-----w- c:\program files\Avira
2009-12-30 01:30 . 2009-12-30 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-12-30 01:28 . 2009-12-31 05:31 -------- d-----w- c:\program files\SpywareBlaster
2009-12-28 19:29 . 2009-12-28 19:29 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-12-21 17:26 . 2009-12-21 17:26 -------- d-----w- c:\documents and settings\Kim\Local Settings\Application Data\{8028AEC6-9285-44DE-A508-2BD51A4973CA}
2009-12-20 12:25 . 2009-12-20 12:26 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-31 05:26 . 2009-06-15 12:47 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-31 05:22 . 2009-06-15 12:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-30 19:57 . 2009-12-30 19:57 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-12-30 19:57 . 2009-12-30 19:57 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-12-30 19:33 . 2008-01-15 18:45 -------- d-----w- c:\program files\DIGStream
2009-12-30 18:40 . 2008-08-30 11:53 -------- d-----w- c:\documents and settings\Mark Bengston\Application Data\SUPERAntiSpyware.com
2009-12-30 17:19 . 2009-04-19 22:46 117760 ----a-w- c:\documents and settings\Kim\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-30 17:18 . 2008-08-24 22:58 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-30 01:08 . 2008-08-25 01:24 -------- d-----w- c:\program files\CCleaner
2009-12-30 01:06 . 2008-01-27 23:11 -------- d-----w- c:\program files\Google
2009-12-30 01:05 . 2008-01-19 19:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-12-30 00:45 . 2008-01-15 19:05 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-21 15:16 . 2008-01-20 15:59 32752 ----a-w- c:\documents and settings\Harley\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-18 18:05 . 2009-12-18 18:04 -------- d-----w- c:\documents and settings\Kim\Application Data\Creative
2009-11-27 19:43 . 2008-11-18 23:45 -------- d-----w- c:\documents and settings\Mark Bengston\Application Data\Apple Computer
2009-11-21 15:51 . 2004-08-10 11:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-30 00:12 . 2008-01-15 19:40 32752 ----a-w- c:\documents and settings\Mark Bengston\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 07:45 . 2006-03-04 03:33 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-10 11:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-10 11:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-10 11:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-10 11:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 15:38 . 2008-01-24 21:27 32752 ----a-w- c:\documents and settings\Brittany\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-12 13:38 . 2004-08-10 11:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-10 11:00 79872 ----a-w- c:\windows\system32\raschap.dll
2008-09-11 17:23 . 2008-09-11 17:23 14591 ----a-w- c:\program files\Common Files\majulidij.db
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2009-11-27 2971608]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-08-24 22:48 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 02:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2009-05-19 05:23 49968 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2006-01-02 22:41 45056 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2005-10-31 15:51 57344 ------w- c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-11-07 10:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-10-05 08:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 18:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 21:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 20:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBMon]
2006-03-16 01:15 1355468 ----a-w- c:\windows\system32\CTMBHA.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-03-20 21:00 282624 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 08:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-12-16 21:26 2002160 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
2006-02-16 14:20 1118208 ------w- c:\program files\Creative\VoiceCenter\AndreaVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"MDM"=2 (0x2)
"GoToAssist"=3 (0x3)
"Creative Labs Licensing Service"=2 (0x2)
"ATI Smart"=2 (0x2)
"tmproxy"=2 (0x2)
"TmPfw"=2 (0x2)
"Tmntsrv"=2 (0x2)
"PcCtlCom"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4735:UDP"= 4735:UDP:Windows Media Format SDK (iexplore.exe)
"4734:UDP"= 4734:UDP:Windows Media Format SDK (iexplore.exe)
"4737:UDP"= 4737:UDP:Windows Media Format SDK (iexplore.exe)
"4769:UDP"= 4769:UDP:Windows Media Format SDK (iexplore.exe)
"4768:UDP"= 4768:UDP:Windows Media Format SDK (iexplore.exe)
"4771:UDP"= 4771:UDP:Windows Media Format SDK (iexplore.exe)
"4079:UDP"= 4079:UDP:Windows Media Format SDK (iexplore.exe)
"4078:UDP"= 4078:UDP:Windows Media Format SDK (iexplore.exe)

R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [12/31/2009 7:22 AM 26248]
R0 EUFS;EUFS;c:\windows\system32\drivers\eufs.sys [12/31/2009 7:22 AM 20616]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [12/31/2009 12:24 AM 233136]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/16/2009 4:26 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/16/2009 4:26 PM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/29/2009 8:30 PM 108289]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [12/31/2009 12:10 AM 93320]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [12/31/2009 12:24 AM 88040]
R3 EuDisk;EASEUS Disk Enumerator;c:\windows\system32\drivers\EuDisk.sys [12/31/2009 7:22 AM 122504]
R3 PCTFW-DNS;PCTools Firewall - DNS driver;c:\windows\system32\drivers\pctNdis-DNS.sys [12/31/2009 12:23 AM 32552]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [12/31/2009 12:23 AM 70408]
R3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [12/31/2009 12:23 AM 56512]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [12/31/2009 12:23 AM 115216]
S2 gupdate1c9f0398c257c1e;Google Update Service (gupdate1c9f0398c257c1e);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [12/31/2009 7:22 AM 14216]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/16/2009 4:27 PM 7408]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys --> c:\windows\system32\DRIVERS\TM_CFW.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-12-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Mark Bengston\Application Data\Mozilla\Firefox\Profiles\4bobwwxr.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - hidden: XULRunner: {8028AEC6-9285-44DE-A508-2BD51A4973CA} - c:\documents and settings\Kim\Local Settings\Application Data\{8028AEC6-9285-44DE-A508-2BD51A4973CA}\
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1004)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(1732)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\PC Tools Firewall Plus\FWService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-01 12:36:31 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-01 17:36
ComboFix2.txt 2009-12-31 23:00

Pre-Run: 212,433,395,712 bytes free
Post-Run: 212,392,640,512 bytes free

- - End Of File - - 847BA0591472F967E52D8D015BD10512


Re: Infected

Post by Belahzur on 1st January 2010, 6:52 pm

Hello.
I've contacted the author of GooredFix; he wants some samples of this infection so his tool can catch it, but we need to clean this up: more Goored appeared.

Please re-run GooredFix.



Re: Infected

Post by Pauliwood on 1st January 2010, 6:59 pm

Here is a newly created log file, after running Goored once again.

GooredFix by jpshortstuff (28.12.09.1)
Log created at 13:56 on 01/01/2010 (Mark Bengston)
Firefox version 3.0.16 (en-US)

========== GooredScan ==========

(none)
Removing Orphan:
"{B9C96AF4-FF6D-45F2-996C-F3099B3358A6}"="C:\Documents and Settings\Brittany\Local Settings\Application Data\{B9C96AF4-FF6D-45F2-996C-F3099B3358A6}\" -> Success!
Removing Orphan:
"{2AC08518-8D90-4E22-B93D-F04211A76C6F}"="C:\Documents and Settings\Mark Bengston\Local Settings\Application Data\{2AC08518-8D90-4E22-B93D-F04211A76C6F}\" -> Success!
Removing Orphan:
"{3A279311-79E7-4EBC-A240-2051153BEDF7}"="C:\Documents and Settings\Ryan\Local Settings\Application Data\{3A279311-79E7-4EBC-A240-2051153BEDF7}\" -> Success!
Removing Orphan:
"{AF1B3379-8E1E-43F6-B406-D1A5484E72E0}"="C:\Documents and Settings\Kim\Local Settings\Application Data\{AF1B3379-8E1E-43F6-B406-D1A5484E72E0}\" -> Success!
Removing Orphan:
"{737F58CA-9071-40AA-AB2F-63975219D8EA}"="C:\Documents and Settings\Kim\Local Settings\Application Data\{737F58CA-9071-40AA-AB2F-63975219D8EA}\" -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [23:45 14/06/2009]

C:\Documents and Settings\Mark Bengston\Application Data\Mozilla\Firefox\Profiles\4bobwwxr.default\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{8028AEC6-9285-44DE-A508-2BD51A4973CA}"="C:\Documents and Settings\Kim\Local Settings\Application Data\{8028AEC6-9285-44DE-A508-2BD51A4973CA}\" [17:26 21/12/2009]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor" [05:09 31/12/2009]

---------- Old Logs ----------
GooredFix[23.37.21_31-12-2009].txt

-=E.O.F=-

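As an added illustration (not part of the thread and not GooredFix's own code), the check below parses the [HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions] block of a GooredFix-style log and flags registrations whose path is a per-user Local Settings\Application Data\{GUID} folder named after the extension id. That is the shape GooredFix removed as "Orphan" in the log above, and the same entry ComboFix reported as a hidden XULRunner extension. The sample lines are a constructed excerpt modelled on the thread's log (one orphan-style entry beside the McAfee SiteAdvisor entry for contrast); the function names are the example's own.

```python
"""
Flag Firefox extension registrations that point into a per-user
Local Settings\Application Data\{GUID} folder (the Goored "orphan" shape).

Added example, not GooredFix's code. SAMPLE_LOG is a constructed excerpt
modelled on the GooredLog section of the thread's output.
"""
import re
from typing import List, Tuple

# Constructed sample: the HKLM Firefox\Extensions key as GooredFix prints it.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{8028AEC6-9285-44DE-A508-2BD51A4973CA}"="C:\Documents and Settings\Kim\Local Settings\Application Data\{8028AEC6-9285-44DE-A508-2BD51A4973CA}\" [17:26 21/12/2009]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor" [05:09 31/12/2009]
'''

# One registration line: "{extension id}"="path" [time date]
ENTRY_RE = re.compile(r'^"(?P<ext_id>\{[0-9A-Fa-f-]{36}\})"="(?P<path>[^"]*)"')

# Orphan shape: <drive>:\Documents and Settings\<user>\Local Settings\Application Data\{GUID}\
GUID_RE = r'\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}'
ORPHAN_PATH_RE = re.compile(
    r'^[A-Za-z]:\\Documents and Settings\\[^\\]+\\Local Settings\\Application Data\\'
    + r'(?P<dir_guid>' + GUID_RE + r')\\?$',
    re.IGNORECASE,
)


def parse_extensions(log_text: str) -> List[Tuple[str, str]]:
    """Return (extension_id, path) pairs listed under the Firefox\Extensions key."""
    entries = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith('['):
            # A new registry key header; only the Firefox\Extensions key is of interest.
            in_section = line.lower().endswith(r'\mozilla\firefox\extensions]')
            continue
        if not in_section:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group('ext_id'), m.group('path')))
    return entries


def is_orphan_style(ext_id: str, path: str) -> bool:
    """True when the path is a per-user {GUID} folder whose name equals the extension id."""
    m = ORPHAN_PATH_RE.match(path)
    return bool(m) and m.group('dir_guid').lower() == ext_id.lower()


def find_suspicious(log_text: str) -> List[str]:
    """Extension ids registered in the orphan shape; empty list when the log is clean."""
    return [ext_id for ext_id, path in parse_extensions(log_text)
            if is_orphan_style(ext_id, path)]


if __name__ == '__main__':
    for ext_id in find_suspicious(SAMPLE_LOG):
        print('suspicious Firefox extension registration:', ext_id)
```

The match is deliberately narrow: an extension installed under Program Files (like the SiteAdvisor entry) is not flagged, and a {GUID} folder whose name differs from the registered id is not flagged either, so the check points at the specific pattern GooredFix cleans rather than at every per-user extension.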

Re: Infected

Post by Belahzur on 1st January 2010, 7:15 pm

Hello.
Okay, one more time round, then I think we're done (hopefully).

  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\program files\Common Files\majulidij.db

    Folder::
    C:\Documents and Settings\Kim\Local Settings\Application Data\{8028AEC6-9285-44DE-A508-2BD51A4973CA}

    Registry::
    [HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
    "{8028AEC6-9285-44DE-A508-2BD51A4973CA}"=-

    Driver::
    tmcfw

    Firefox::
    FF - ProfilePath - c:\documents and settings\Mark Bengston\Application Data\Mozilla\Firefox\Profiles\4bobwwxr.default\
    FF - prefs.js: browser.search.selectedEngine - Secure Search
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.



Re: Infected

Post by Pauliwood on 1st January 2010, 8:09 pm

Hopefully this is it, thanks so much!

ComboFix 09-12-31.A1 - Mark Bengston 01/01/2010 14:31:42.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1580 [GMT -5:00]
Running from: c:\documents and settings\Mark Bengston\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Mark Bengston\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}

FILE ::
"c:\program files\Common Files\majulidij.db"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kim\Local Settings\Application Data\{8028AEC6-9285-44DE-A508-2BD51A4973CA}
c:\documents and settings\Kim\Local Settings\Application Data\{8028AEC6-9285-44DE-A508-2BD51A4973CA}\chrome.manifest
c:\documents and settings\Kim\Local Settings\Application Data\{8028AEC6-9285-44DE-A508-2BD51A4973CA}\chrome\content\_cfg.js
c:\documents and settings\Kim\Local Settings\Application Data\{8028AEC6-9285-44DE-A508-2BD51A4973CA}\install.rdf
c:\program files\Common Files\majulidij.db

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_tmcfw


((((((((((((((((((((((((( Files Created from 2009-12-01 to 2010-01-01 )))))))))))))))))))))))))))))))
.

2010-01-01 15:59 . 2010-01-01 17:36 -------- d-----w- C:\Combo-Fix
2009-12-31 17:09 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-31 17:09 . 2009-12-31 17:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-31 17:09 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 12:22 . 2009-12-02 17:21 20616 ----a-w- c:\windows\system32\drivers\eufs.sys
2009-12-31 12:22 . 2009-12-02 17:20 14216 ----a-w- c:\windows\system32\drivers\eudskacs.sys
2009-12-31 12:22 . 2009-12-02 17:20 26248 ----a-w- c:\windows\system32\drivers\eubakup.sys
2009-12-31 12:22 . 2009-12-02 17:20 122504 ----a-w- c:\windows\system32\drivers\EuDisk.sys
2009-12-31 12:22 . 2009-12-31 12:22 -------- d-----w- c:\program files\EASEUS
2009-12-31 05:35 . 2009-12-31 05:35 388096 ----a-r- c:\documents and settings\Mark Bengston\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-31 05:35 . 2009-12-31 05:35 -------- d-----w- c:\program files\TrendMicro
2009-12-31 05:27 . 2009-12-31 05:28 -------- d-----w- c:\documents and settings\Mark Bengston\Application Data\PCToolsFirewallPlus
2009-12-31 05:24 . 2009-12-31 05:24 -------- d-----w- c:\documents and settings\Mark Bengston\Application Data\IObit
2009-12-31 05:24 . 2009-12-31 05:24 -------- d-----w- c:\program files\IObit
2009-12-31 05:24 . 2009-11-23 18:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-31 05:24 . 2009-11-09 16:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-31 05:24 . 2009-10-30 16:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-31 05:23 . 2009-12-31 05:24 -------- d-----w- c:\program files\Common Files\PC Tools
2009-12-31 05:23 . 2009-11-24 13:54 56512 ----a-w- c:\windows\system32\drivers\pctNdis.sys
2009-12-31 05:23 . 2009-11-10 22:11 70408 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.sys
2009-12-31 05:23 . 2009-08-14 18:44 32552 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.sys
2009-12-31 05:23 . 2009-10-16 21:55 115216 ----a-w- c:\windows\system32\drivers\pctplfw.sys
2009-12-31 05:23 . 2009-12-31 05:28 -------- d-----w- c:\program files\PC Tools Firewall Plus
2009-12-31 05:13 . 2009-12-31 05:13 -------- d-----w- c:\program files\VS Revo Group
2009-12-31 05:10 . 2009-12-31 05:10 -------- d-----w- c:\program files\Common Files\McAfee
2009-12-31 05:09 . 2009-12-31 05:26 -------- d-----w- c:\program files\McAfee
2009-12-31 05:09 . 2009-12-31 05:10 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-30 19:56 . 2008-04-14 01:11 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2009-12-30 19:46 . 2009-12-31 05:30 52224 ----a-w- c:\documents and settings\Mark Bengston\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-30 19:45 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2009-12-30 19:33 . 2009-12-30 19:33 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-12-30 18:41 . 2009-12-31 05:30 117760 ----a-w- c:\documents and settings\Mark Bengston\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-30 17:18 . 2009-12-30 17:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-30 16:04 . 2009-12-30 16:04 -------- d-----w- c:\program files\Uniblue
2009-12-30 13:20 . 2009-12-30 13:20 -------- d-sh--w- c:\documents and settings\Admin\IECompatCache
2009-12-30 13:19 . 2009-12-30 13:19 -------- d-sh--w- c:\documents and settings\Admin\PrivacIE
2009-12-30 03:54 . 2009-12-31 05:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-30 03:24 . 2009-12-30 03:24 -------- d-sh--w- c:\documents and settings\Admin\IETldCache
2009-12-30 02:33 . 2009-12-31 05:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-30 02:33 . 2009-12-30 19:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-30 02:24 . 2009-12-30 02:24 -------- d-sh--w- c:\windows\system32\config\systemprofile\IECompatCache
2009-12-30 01:47 . 2010-01-01 19:45 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-30 01:30 . 2009-11-25 16:19 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-30 01:30 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-12-30 01:30 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-12-30 01:30 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-12-30 01:30 . 2009-12-30 01:30 -------- d-----w- c:\program files\Avira
2009-12-30 01:30 . 2009-12-30 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-12-30 01:28 . 2009-12-31 05:31 -------- d-----w- c:\program files\SpywareBlaster
2009-12-28 19:29 . 2009-12-28 19:29 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-12-20 12:25 . 2009-12-20 12:26 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-31 05:26 . 2009-06-15 12:47 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-31 05:22 . 2009-06-15 12:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-30 19:57 . 2009-12-30 19:57 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-12-30 19:57 . 2009-12-30 19:57 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-12-30 19:33 . 2008-01-15 18:45 -------- d-----w- c:\program files\DIGStream
2009-12-30 18:40 . 2008-08-30 11:53 -------- d-----w- c:\documents and settings\Mark Bengston\Application Data\SUPERAntiSpyware.com
2009-12-30 17:19 . 2009-04-19 22:46 117760 ----a-w- c:\documents and settings\Kim\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-30 17:18 . 2008-08-24 22:58 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-30 01:08 . 2008-08-25 01:24 -------- d-----w- c:\program files\CCleaner
2009-12-30 01:06 . 2008-01-27 23:11 -------- d-----w- c:\program files\Google
2009-12-30 01:05 . 2008-01-19 19:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-12-30 00:45 . 2008-01-15 19:05 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-21 15:16 . 2008-01-20 15:59 32752 ----a-w- c:\documents and settings\Harley\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-18 18:05 . 2009-12-18 18:04 -------- d-----w- c:\documents and settings\Kim\Application Data\Creative
2009-11-27 19:43 . 2008-11-18 23:45 -------- d-----w- c:\documents and settings\Mark Bengston\Application Data\Apple Computer
2009-11-21 15:51 . 2004-08-10 11:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-30 00:12 . 2008-01-15 19:40 32752 ----a-w- c:\documents and settings\Mark Bengston\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 07:45 . 2006-03-04 03:33 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-10 11:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-10 11:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-10 11:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-10 11:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 15:38 . 2008-01-24 21:27 32752 ----a-w- c:\documents and settings\Brittany\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-12 13:38 . 2004-08-10 11:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-10 11:00 79872 ----a-w- c:\windows\system32\raschap.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2009-11-27 2971608]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-08-24 22:48 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 02:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2009-05-19 05:23 49968 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2006-01-02 22:41 45056 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2005-10-31 15:51 57344 ------w- c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-11-07 10:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-10-05 08:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 18:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 21:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 20:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBMon]
2006-03-16 01:15 1355468 ----a-w- c:\windows\system32\CTMBHA.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-03-20 21:00 282624 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 08:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-12-16 21:26 2002160 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
2006-02-16 14:20 1118208 ------w- c:\program files\Creative\VoiceCenter\AndreaVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"MDM"=2 (0x2)
"GoToAssist"=3 (0x3)
"Creative Labs Licensing Service"=2 (0x2)
"ATI Smart"=2 (0x2)
"tmproxy"=2 (0x2)
"TmPfw"=2 (0x2)
"Tmntsrv"=2 (0x2)
"PcCtlCom"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4735:UDP"= 4735:UDP:Windows Media Format SDK (iexplore.exe)
"4734:UDP"= 4734:UDP:Windows Media Format SDK (iexplore.exe)
"4737:UDP"= 4737:UDP:Windows Media Format SDK (iexplore.exe)
"4769:UDP"= 4769:UDP:Windows Media Format SDK (iexplore.exe)
"4768:UDP"= 4768:UDP:Windows Media Format SDK (iexplore.exe)
"4771:UDP"= 4771:UDP:Windows Media Format SDK (iexplore.exe)
"4079:UDP"= 4079:UDP:Windows Media Format SDK (iexplore.exe)
"4078:UDP"= 4078:UDP:Windows Media Format SDK (iexplore.exe)

R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [12/31/2009 7:22 AM 26248]
R0 EUFS;EUFS;c:\windows\system32\drivers\eufs.sys [12/31/2009 7:22 AM 20616]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [12/31/2009 12:24 AM 233136]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/16/2009 4:26 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/16/2009 4:26 PM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/29/2009 8:30 PM 108289]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [12/31/2009 12:10 AM 93320]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [12/31/2009 12:24 AM 88040]
R3 EuDisk;EASEUS Disk Enumerator;c:\windows\system32\drivers\EuDisk.sys [12/31/2009 7:22 AM 122504]
R3 PCTFW-DNS;PCTools Firewall - DNS driver;c:\windows\system32\drivers\pctNdis-DNS.sys [12/31/2009 12:23 AM 32552]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [12/31/2009 12:23 AM 70408]
R3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [12/31/2009 12:23 AM 56512]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [12/31/2009 12:23 AM 115216]
S2 gupdate1c9f0398c257c1e;Google Update Service (gupdate1c9f0398c257c1e);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [12/31/2009 7:22 AM 14216]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/16/2009 4:27 PM 7408]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-12-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Mark Bengston\Application Data\Mozilla\Firefox\Profiles\4bobwwxr.default\
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-01-01 14:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1004)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(3980)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\PC Tools Firewall Plus\FWService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-01 14:49:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-01 19:49
ComboFix2.txt 2010-01-01 17:36
ComboFix3.txt 2009-12-31 23:00

Pre-Run: 212,396,433,408 bytes free
Post-Run: 212,362,199,040 bytes free

- - End Of File - - 0DD757FBCD91550807C85689C402B387

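As an added example (not part of this thread and not ComboFix's own code), the script below reads the registry-style sections of a log like the one posted above and lists the settings a responder would want to revisit before calling the machine clean: the Windows Firewall standard profile switched off, Security Center monitoring disabled, globally open ports, and driver or service entries that ComboFix marked `[?]` because it could not verify the image file. The sample log embedded in the script is constructed from lines of the post; the section names and entry formats are the ones that appear there, and nothing else is assumed about the tool.

```python
"""Audit a ComboFix-style autostart/firewall log extract for weakened security
settings.  Added example; it is not ComboFix's own code."""
import re

# Constructed sample, built from the section formats seen in the posted log.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"avgnt"="c:\\program files\\Avira\\AntiVir Desktop\\avgnt.exe" [2009-03-02 209153]

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"4735:UDP"= 4735:UDP:Windows Media Format SDK (iexplore.exe)
"4734:UDP"= 4734:UDP:Windows Media Format SDK (iexplore.exe)

R2 PCTAppEvent;PCTAppEvent Driver;c:\\windows\\system32\\drivers\\PCTAppEvent.sys [12/31/2009 12:24 AM 88040]
S3 SBRE;SBRE;\\??\\c:\\windows\\system32\\drivers\\SBREdrv.sys --> c:\\windows\\system32\\drivers\\SBREdrv.sys [?]
"""

SECTION_RE = re.compile(r'^\[(.+)\]$')             # [registry key]
KEYVAL_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')      # "name"=value
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.*)$')  # R0 name;display;path


def parse_sections(text):
    """Map each [section] header (lower-cased) to its "name"=value entries, in order."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
            continue
        m = KEYVAL_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group(1), m.group(2).strip()))
    return sections


def parse_services(text):
    """Pull the 'R0 name;display;path [stamp]' driver and service lines."""
    services = []
    for raw in text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if m:
            state, name, display, path = m.groups()
            services.append({
                "state": state,
                "name": name,
                "display": display,
                "path": path.strip(),
                # ComboFix prints [?] when it could not verify the image file
                "unverified": path.strip().endswith("[?]"),
            })
    return services


def audit(text):
    """Return a list of human-readable findings about weakened settings."""
    findings = []
    for section, entries in parse_sections(text).items():
        for key, value in entries:
            if (section.endswith(r"firewallpolicy\standardprofile")
                    and key.lower() == "enablefirewall" and value.startswith("0")):
                findings.append("Windows Firewall is disabled for the standard profile")
            elif ("security center\\monitoring" in section
                    and key.lower() == "disablemonitoring" and value.endswith("1")):
                findings.append("Security Center monitoring disabled: "
                                + section.rsplit("\\", 1)[-1])
            elif section.endswith(r"globallyopenports\list"):
                findings.append("Globally open port: " + key)
    for svc in parse_services(text):
        if svc["unverified"]:
            findings.append("%s %s: image file not verified (%s)"
                            % (svc["state"], svc["name"], svc["path"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Run it on a saved ComboFix.txt by reading the file into `audit()`; each finding points at something to re-enable, close, or investigate (the `[?]` driver entries are worth checking against the vendor's own file list, since a driver with no verifiable image is also how a leftover rootkit component can look).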

Re: Infected

Post by Belahzur on 1st January 2010, 8:24 pm

Hello.
Please zip up the entire C:\Qoobox folder so we can send all the quarantine items to our experts.

Do you have Winrar installed?



Re: Infected

Post by Pauliwood on 1st January 2010, 8:44 pm

Using PK Secure ip, hope that is ok.

Are we actually done?!?! Thanks for all your help and time!

Let me know if you need anything else to help aid in the effort to rid PCs of this malware stuff.

After zipping, can I delete that Qoobox folder? Any other folders I can delete as well?

Don't see a file link to upload, are you going to PM me with an e-mail to send it to?


Re: Infected

Post by Belahzur on 1st January 2010, 8:49 pm

We should be done, but don't delete the Qoobox folder just yet.
Did you make a .zip or .rar archive? I need it to be one of the two. Right On!



Re: Infected

Post by Pauliwood on 1st January 2010, 9:01 pm

I made a zip file; if you need it to be .rar, I'll download WinRAR.


Re: Infected

Post by Belahzur on 1st January 2010, 9:05 pm

Nah, it's okay, just asking.

Please visit [You must be registered and logged in to see this link.].

1. In the first box, copy and paste in the URL of this thread.
2. Second, browse and send the Qoobox.zip file.
3. In the comments section, please copy/paste in:

For jpshortstuff - Goored

Hit send file.

Let me know once that is done.



Re: Infected

Post by Pauliwood on 1st January 2010, 9:09 pm

File has been submitted, thank you. Let me know if any other logs are needed.


Re: Infected

Post by Belahzur on 1st January 2010, 9:14 pm

This should be okay now, I just sent a PM to the author to let him know you've sent him this.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?



Re: Infected

Post by Pauliwood on 1st January 2010, 9:20 pm

Machine is running good. Seemed to be running good after I ran the TDSS tool and was able to run my antivirus and anti spyware tools.

I was surprised we found so much afterwards.

Ok, getting an error uninstalling ComboFix; Windows says it cannot find \ComboFix\uninstall


Re: Infected

Post by Belahzur on 1st January 2010, 9:25 pm

Hehe, you had an infection our auto tool wasn't seeing, that's why we just sent the author some samples. Manually remove all ComboFix files from your Desktop and C:\ drive.



Re: Infected

Post by Pauliwood on 1st January 2010, 10:02 pm

Ahhh...ok, well, thanks again to you, and all the other fine folks on here who help us with infections.

Is it ok to delete the Goored folder/files now?

Do donations go through Paypal?

Now that the system is clean, going to set a new system restore point and perform a system backup using EASEUS, thanks again and Happy New Year!


Re: Infected

Post by Belahzur on 1st January 2010, 10:50 pm

Yes, delete Gooredfix too.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.



Re: Infected

Post by Pauliwood on 2nd January 2010, 2:09 am

Thank you Belahzur,

I updated my Windows OS before arriving at the forum, and it is set for auto update for critical updates.

As for Spyware proggies: I've installed and updated these programs:
Spyware Blaster
Super Anti Spyware Free Edition
Spy Bot S&D, I also enabled SD Helper for IE
Malware Byte's Antimalware

I uninstalled Ad-Aware, as it didn't find anything when I used it for scanning, yet Spybot and SUPERAntiSpyware found items after I had run Ad-Aware.

I'll download and install the latest Mozilla browser.

Avira goes out and seeks an update, each time I boot my pc it seems, and I set it to load first, which makes boot time a bit slower, however, gives better protection on things that may try to start maliciously.

Any thoughts on the PC Tools Firewall? I run that on my laptop and I use that laptop for online gaming, and have had no issues "fingers crossed".

I'll definitely leave some feedback, thanks again !
