Need help removing malware


Solved Need help removing malware

Post by kschulz on Wed Nov 26, 2008 3:40 pm

I haven't been able to ID this malware that infected my machine last night. It started by getting a fake-looking Windows Security pop-up referring to a Spyware:ISpynow infection, and to click a button to get removal tools. I didn't click - just closed the pop-up. Chrome stopped working - it could no longer find any pages I attempted to browse to. IE seems to be working; however, when I do searches with Google or Live Search the results seem to be hijacked. Clicking on them goes to various bogus (or maybe just random) sites. I tried installing the latest mbam - it won't run. I see mbam-setup.exe in my process list but nothing happens. I have been able to run SUPERAntiSpyware, although not all the time. It found Trojan.Dropper/SVCHost-Fake and I have it quarantined. Browsing C:\Documents and Settings\\Application Data\Google with Win Explorer, I found two bogus files "ijdkq12234484.exe" and "spclrp.dll" - moved them to \temp for now.

Any help would be greatly appreciated.

Thanks!

HijackThis log to follow...

kschulz
Novice

Posts : 25
Joined : 2008-11-26
OS : WinXP
Points : 29320
# Likes : 0

Solved Need help removing malware - HijackThis Log Part 1

Post by kschulz on Wed Nov 26, 2008 3:46 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:21 AM, on 11/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Avtec, Inc\CPS\FileZilla Server\FileZilla Server.exe
C:\WINDOWS\system32\hasplms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\MicroTouch\MT7\TwService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Xobni\XobniService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Microsoft Reference\Bookshelf 98\qshelf98.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\PC Connectivity Solution\NclBTHandler.exe
D:\Xfer\mbam-setup.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\_VR32W.EXE
C:\Program Files\HijackThis\HijackThis.exe


Solved Need help removing malware - HijackThis Log Part 2

Post by kschulz on Wed Nov 26, 2008 3:48 pm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 206.74.184.13 av_subversion # Avtec subversion repository\
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 5.0\SetHook.exe
O4 - HKLM\..\Run: [openvpn-gui] C:\Program Files\OpenVPN\bin\openvpn-gui.exe
O4 - HKLM\..\Run: [Console Monitor] "C:\Program Files\Avtec, Inc\Scout\ConsoleMonitor.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Kurt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Qshelf.lnk = C:\Program Files\Microsoft Reference\Bookshelf 98\qshelf98.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Append to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Easy-WebPrint Add To Print List - [You must be registered and logged in to see this link.] Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - [You must be registered and logged in to see this link.] Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - [You must be registered and logged in to see this link.] Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - [You must be registered and logged in to see this link.] Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll


Solved Re: Need help removing malware

Post by kschulz on Wed Nov 26, 2008 3:52 pm

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O15 - Trusted Zone: *.line6.net
O15 - Trusted IP range: [You must be registered and logged in to see this link.]
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - [You must be registered and logged in to see this link.]
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Avtec VPGate - Avtec, Inc. - C:\Program Files\Avtec, Inc\VPGate\VPGate.exe
O23 - Service: Axon Service (AxonService) - Unknown owner - C:\Program Files\NCH Swift Sound\Axon\axon.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Avtec Business Layer (BusinessService.exe) - Avtec, Inc. - C:\Program Files\Avtec, Inc\Scout\BusinessService.exe
O23 - Service: Avtec Console Manager (ConsoleMgrSvc.exe) - Avtec, Inc. - C:\Program Files\Avtec, Inc\Scout\ConsoleMgrSvc.exe
O23 - Service: Avtec Control Layer (ControlService.exe) - Avtec, Inc. - C:\Program Files\Avtec, Inc\Scout\ControlService.exe
O23 - Service: Avtec Centralized Project Storage (CPSSvc.exe) - Avtec, Inc. - C:\Program Files\Avtec, Inc\CPS\CPSSvc.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\Avtec, Inc\CPS\FileZilla Server\FileZilla Server.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Avtec Media Workstation 1900-316-42xx (MediaWkstnSvc.exe) - Avtec, Inc. - C:\Program Files\Avtec, Inc\Scout\MediaWkstnSvc.exe
O23 - Service: MSS Simulator (MSS) - Avtec, Inc. - D:\My Projects\Avtec\Visual Studio 2005\Newport\Avtec SVN Repository\FrontEndApps\bin\Debug\mss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: MT7 Serial Search Service (TwDrvService) - 3M Touch Systems, Inc. - C:\Program Files\MicroTouch\MT7\TwService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
O23 - Service: XobniService - Xobni Corporation - C:\Program Files\Xobni\XobniService.exe

--
End of file - 18994 bytes

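The HijackThis entries above are what the helper reads by hand. As an added example that is not part of this thread or of HijackThis itself, here is a small Python triage script that applies a few of the same defender-side heuristics (autoruns launching from a user profile or temp directory, entries pointing to a missing file, hosts-file overrides) to constructed lines modelled on this log. The SUSPECT_DIRS and ALLOWLIST values are assumptions to be tuned per machine.

```python
"""Triage helper for HijackThis-style log lines (added example, not part of
the forum thread or of HijackThis).  It parses R/O-section entries and flags:
  * O4 autoruns whose executable lives under a user profile or temp directory
  * O2 / O3 / R3 entries whose file is missing ("(no file)") -- orphaned,
    not harmful by themselves, but cleanup candidates
  * O1 hosts-file overrides, which should always be explained
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches "O4 - HKLM\..\Run: [Name] command" (also the HKCU / HKUS hives).
O4_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
# Generic "Oxx - rest" / "Rx - rest" entry.
CODE_RE = re.compile(r'^(?P<code>[RO]\d+) - (?P<rest>.*)$')

# Directories under which legitimate autoruns rarely live on XP; anything
# launching from here gets flagged for a closer look (assumption: tune per site).
SUSPECT_DIRS = (
    '\\documents and settings\\',
    '\\local settings\\',
    '\\temp\\',
)
# Autorun names known to run from a user profile legitimately (assumption).
ALLOWLIST = {'Google Update'}


@dataclass
class Finding:
    code: str    # HijackThis section code, e.g. "O4"
    reason: str  # why the line was flagged
    line: str    # the original log line


def extract_exe(cmd: str) -> str:
    """Pull the executable path out of a Run command line.
    Handles quoted paths and unquoted paths with spaces followed by switches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.*?\.(?:exe|dll|scr|bat|cmd))(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(' ', 1)[0]


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious entry, or None for a benign-looking one."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        name, cmd = m.group('name'), m.group('cmd')
        if name in ALLOWLIST:
            return None
        exe = extract_exe(cmd).lower()
        for d in SUSPECT_DIRS:
            if d in exe:
                return Finding('O4', f'autorun launches from user/temp location: {exe}', line)
        return None
    m = CODE_RE.match(line)
    if not m:
        return None
    code, rest = m.group('code'), m.group('rest')
    if code in ('O2', 'O3', 'R3') and rest.rstrip().endswith('(no file)'):
        return Finding(code, 'entry points to a missing file (orphaned, cleanup candidate)', line)
    if code == 'O1':
        return Finding('O1', 'hosts-file override (confirm it is expected)', line)
    return None


def triage(log: str) -> List[Finding]:
    """Run triage_line over every line of a log and collect the hits."""
    return [f for f in (triage_line(l) for l in log.splitlines()) if f]


# Constructed sample: lines modelled on the thread's log, plus one O4 entry
# (nah_Shell) written the way HijackThis would show the Run value that the
# ComboFix log later reports.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Kurt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [nah_Shell] c:\documents and settings\Kurt\nah_tvmn.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 206.74.184.13 av_subversion # Avtec subversion repository
"""

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.code}] {f.reason}\n    {f.line}')
```

A hit is a cue for closer inspection, not a verdict: Google Update legitimately runs from a profile directory on XP, which is why it is allowlisted rather than flagged.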

Solved Re: Need help removing malware

Post by Belahzur on Wed Nov 26, 2008 4:29 pm

Hello.
Moving them to temp was probably a good idea; it should have disabled it.


  • Please download combofix from here, use the top links - [You must be registered and logged in to see this link.]
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will see this next prompt that asks if you want to continue the malware scan; select yes.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
# Likes : 1

Solved ComboFix Won't Execute

Post by kschulz on Wed Nov 26, 2008 5:06 pm

Thanks for the fast reply.

I downloaded and attempted to run ComboFix; however, it doesn't show. I see an hourglass for a few seconds, then nothing. The same thing happens when I try to run mbam-setup. I see them both in the Task Mgr/Process list:



Solved Re: Need help removing malware

Post by Belahzur on Wed Nov 26, 2008 5:08 pm

Hello.
Maybe the malware is stopping it.

Please download it from this mirror.
[You must be registered and logged in to see this link.]





Solved ComboFix - Log Dump Part 1

Post by kschulz on Wed Nov 26, 2008 5:50 pm

Success...here's the log dump:


ComboFix 08-11-26.03 - Kurt 2008-11-26 12:31:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1569 [GMT -5:00]
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kurt\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\_000003_.tmp.dll
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\_000012_.tmp.dll
c:\windows\system32\_000019_.tmp.dll
c:\windows\system32\drivers\TDSSmxjt.sys
c:\windows\system32\msvcsv60.dll
c:\windows\system32\TDSSarxx.dll
c:\windows\system32\TDSSdxcp.dll
c:\windows\system32\TDSSkkai.log
c:\windows\system32\TDSSmtye.dat
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnvuo.dll
c:\windows\system32\TDSSottt.dll
c:\windows\system32\TDSSsahc.dll
c:\windows\system32\TDSSvoqm.dll
c:\windows\system32\TDSSxhyf.log
C:\xcrashdump.dat
E:\Autorun.inf

c:\windows\system32\winlogon.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
.

2008-11-25 22:46 . 2008-11-25 22:46 80,384 --a------ c:\documents and settings\Kurt\nah_tvmn.exe
2008-11-25 07:44 . 2008-11-25 07:44 d-------- c:\program files\TortoiseSVN
2008-11-25 07:44 . 2008-11-25 07:44 d-------- c:\program files\Common Files\TortoiseOverlays
2008-11-18 16:09 . 2008-11-18 16:09 d-------- c:\documents and settings\Kurt\Application Data\Vusion
2008-11-09 11:38 . 2008-11-09 11:38 d-------- c:\program files\Common Files\Adobe AIR
2008-10-29 12:49 . 2004-04-13 13:48 233,472 --a------ c:\windows\system32\REX Shared Library.dll
2008-10-29 12:47 . 2008-10-29 12:50 d-------- c:\documents and settings\All Users\Application Data\Cakewalk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 06:19 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Avtec,_Inc
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Avtec, Inc
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Apple Computer
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Ahead
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\AdobeUM
2008-11-26 03:46 502,272 ----a-w c:\windows\system32\winlogon.exe
2008-11-26 03:46 295,424 ----a-w c:\windows\system32\termsrv.dll
2008-11-26 00:33 5,157,888 ----a-w c:\windows\system32\drivers\vrcore.sys
2008-11-25 13:22 --------- d-----w c:\documents and settings\Kurt\Application Data\TortoiseSVN
2008-11-19 13:18 --------- d-----w c:\program files\Google
2008-11-14 20:44 --------- d-----w c:\program files\Avtec, Inc
2008-11-08 23:07 --------- d-----w c:\documents and settings\Kurt\Application Data\Cakewalk
2008-10-30 11:25 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-29 18:18 --------- d-----w c:\program files\Cakewalk
2008-10-21 23:32 --------- d-----w c:\program files\Activision
2008-10-18 20:16 --------- d-----w c:\program files\Lexicon
2008-10-10 18:44 --------- d-----w c:\program files\Apple Software Update
2008-10-10 18:40 --------- d-----w c:\program files\iTunes
2008-10-10 18:40 --------- d-----w c:\program files\iPod
2008-10-10 18:40 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-10 18:39 --------- d-----w c:\program files\Bonjour
2008-10-10 18:38 --------- d-----w c:\program files\QuickTime
2008-10-02 19:57 --------- d-----w c:\program files\Common Files\Aladdin Shared
2008-10-02 19:54 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-08-29 14:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 13:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-08-01 23:38 22,328 ------w c:\documents and settings\Kurt\Application Data\PnkBstrK.sys
2006-10-03 06:43 2,402,550 ----a-w c:\windows\inf\SET328.tmp
2004-08-04 21:00 1,431,144 ----a-w c:\windows\inf\SET39B.tmp
.

------- Sigcheck -------

2008-11-25 22:46 502272 9b1bd82bd0761b5ba986af66d2809c30 c:\windows\system32\winlogon.exe

2008-11-25 22:46 295424 40ffc19a8d4875e9e19cecdc76ef9201 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\Kurt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]
"nah_Shell"="c:\documents and settings\Kurt\nah_tvmn.exe" [2008-11-25 80384]

kschulz
Novice
Posts : 25
Joined : 2008-11-26
OS : WinXP
Points : 29320
Likes : 0

Solved Re: Need help removing malware

Post by kschulz on Wed Nov 26, 2008 5:50 pm

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Console Monitor"="c:\program files\Avtec" [X]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-09-27 7585792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-09-27 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-06 202032]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-07-13 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"Vrmon"="c:\program files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe" [2005-06-27 249916]
"VrSchedule"="c:\program files\PCSecurityShield\ShieldAntivirus\Vrres.exe" [2004-03-11 266304]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-11-26 1349120]
"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 5.0\SetHook.exe" [2005-10-27 53248]
"openvpn-gui"="c:\program files\OpenVPN\bin\openvpn-gui.exe" [2005-08-18 99328]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-05 185896]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"nwiz"="nwiz.exe" [2006-09-27 c:\windows\system32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2004-08-04 c:\windows\system32\mqrt.dll]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 c:\windows\system32\CHDAudPropShortcut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

c:\documents and settings\Kurt\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-12 581693]
Qshelf.lnk - c:\program files\Microsoft Reference\Bookshelf 98\qshelf98.exe [2006-12-10 123904]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2006-12-23 77824]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-08-26 05:37 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll schannel.dll digest.dll msnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\My Projects\\Avtec\\Visual Studio 2005\\Newport\\Avtec SVN Repository\\FrontEndApps\\bin\\Debug\\BusinessService.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Avtec, Inc\\Scout\\BusinessService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Avtec, Inc\\VPGate\\Endpoints\\NXU2.exe"=
"c:\\Documents and Settings\\Kurt\\Application Data\\Vusion\\WARPVideoStreamer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8000:UDP"= 8000:UDP:Express Talk RTP Incoming Audio (UDP)
"8001:UDP"= 8001:UDP:Express Talk RTP Incoming Audio (UDP)
"8002:UDP"= 8002:UDP:Express Talk RTP Incoming Audio (UDP)
"8003:UDP"= 8003:UDP:Express Talk RTP Incoming Audio (UDP)
"8004:UDP"= 8004:UDP:Express Talk RTP Incoming Audio (UDP)
"8005:UDP"= 8005:UDP:Express Talk RTP Incoming Audio (UDP)
"8006:UDP"= 8006:UDP:Express Talk RTP Incoming Audio (UDP)
"8007:UDP"= 8007:UDP:Express Talk RTP Incoming Audio (UDP)
"8008:UDP"= 8008:UDP:Express Talk RTP Incoming Audio (UDP)
"8009:UDP"= 8009:UDP:Express Talk RTP Incoming Audio (UDP)
"5070:UDP"= 5070:UDP:Express Talk Sip Incoming Calls (UDP)
"5060:UDP"= 5060:UDP:Axon Sip Incoming Calls (UDP)
"81:TCP"= 81:TCP:Axon Web Server
"1947:TCP"= 1947:TCP:HASP SRM
"1947:UDP"= 1947:UDP:HASP SRM

R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys [2007-04-20 13184]
R2 aksfridge;HASP Fridge;c:\windows\system32\DRIVERS\aksfridge.sys [2008-10-02 350720]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run []
R2 TwDrvService;MT7 Serial Search Service;c:\program files\MicroTouch\MT7\TwService.exe /Service [2007-02-22 36864]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-04-02 24652]
R2 XobniService;XobniService;"c:\program files\Xobni\XobniService.exe" [2008-05-05 33280]
R3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\Drivers\5U870CAP.sys [2006-06-06 61952]
R3 L6DP;L6DP;c:\windows\system32\Drivers\l6dp.sys [2003-06-27 29312]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\DRIVERS\tap0801.sys [2006-10-01 26624]
R3 TwBus;MicroTouch Serial Bus Enumerator;c:\windows\system32\DRIVERS\TwBus.sys [2007-02-22 12240]
S3 akshhl;Aladdin HASP HL Key;c:\windows\system32\DRIVERS\akshhl.sys [2008-10-02 46336]
S3 Avtec VPGate;Avtec VPGate;c:\program files\Avtec, Inc\VPGate\VPGate.exe [2007-08-07 371200]
S3 AxonService;Axon Service;"c:\program files\NCH Swift Sound\Axon\axon.exe" -service [2008-07-10 438276]
S3 BusinessService.exe;Avtec Business Layer;c:\program files\Avtec, Inc\Scout\BusinessService.exe [2008-10-28 327680]
S3 CEUSBAUD;Lexicon USB MIDI Driver1;c:\windows\system32\Drivers\CEUSBAUD.sys [2003-11-01 17920]
S3 ConsoleMgrSvc.exe;Avtec Console Manager;c:\program files\Avtec, Inc\Scout\ConsoleMgrSvc.exe [2007-04-25 233472]
S3 ControlService.exe;Avtec Control Layer;c:\program files\Avtec, Inc\Scout\ControlService.exe [2008-10-28 225280]
S3 CPSSvc.exe;Avtec Centralized Project Storage;c:\program files\Avtec, Inc\CPS\CPSSvc.exe [2007-04-02 172032]
S3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\Drivers\FarDrive.sys [2004-05-19 142169]
S3 L6POD;L6 PODxt Service;c:\windows\system32\Drivers\L6POD.sys [2003-06-27 114048]
S3 MediaWkstnSvc.exe;Avtec Media Workstation 1900-316-42xx;c:\program files\Avtec, Inc\Scout\MediaWkstnSvc.exe [2007-04-25 126976]
S3 MSS;MSS Simulator;d:\my projects\Avtec\Visual Studio 2005\Newport\Avtec SVN Repository\FrontEndApps\bin\Debug\mss.exe [2007-03-15 69632]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S3 PDEXLOCK;Photodex Hardware Lock Driver;c:\windows\system32\Drivers\PDEXLOCK.sys [2006-12-14 12288]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\Drivers\tascusb2.sys [2008-05-10 360448]
S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [2008-05-10 18944]
S3 TASCAM_US144_WDM;TASCAM US-144 WDM;c:\windows\system32\drivers\tscusb2a.sys [2008-05-10 33792]
S3 TwTouch;MicroTouch touch screen;c:\windows\system32\DRIVERS\TwTouch.sys [2007-02-22 84945]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-26 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Kurt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 20:40]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-HPsetm - c:\documents and settings\Kurt\Application Data\Google\ijdkq13324484.exe



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-11-26 12:41:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???0???????g?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSmxjt.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1332)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2008-11-26 12:43:30
ComboFix-quarantined-files.txt 2008-11-26 17:42:56

Pre-Run: 11,383,189,504 bytes free
Post-Run: 11,718,623,232 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

288 --- E O F --- 2007-07-21 13:12:46

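The log above contains the entries that later get cleaned up: a Run value pointing at an executable dropped straight into the user's profile root and dated the day of the infection (nah_tvmn.exe), an orphaned Run value for a randomly named file under Application Data (ijdkq13324484.exe), and a driver service whose key is named like a file (TDSSserv.sys) but whose imagepath is a differently named .sys. The Python below is an added example, not part of this thread, of ComboFix or of any helper's procedure; it parses a handful of the "Reg Loading Points" lines posted above (SAMPLE_LOG is copied from them) and scores each autostart with a few of the heuristics a malware-removal helper applies by eye. The weights, the threshold and the incident date of 2008-11-25 are assumptions chosen for illustration.

```python
"""Triage ComboFix 'Reg Loading Points' lines for autostart entries worth a
second look. Added example; weights and incident date are assumptions."""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "source name path date size")
Hit = namedtuple("Hit", "points entry reasons")

KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"'
                   r"(?:\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\])?")
ORPHAN = re.compile(r"^(?P<name>HK\w+-Run-\S+)\s+-\s+(?P<path>.+)$")
PROFILE = re.compile(r"^[a-z]:\\documents and settings\\[^\\]+\\")

# Lines taken from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\Kurt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]
"nah_Shell"="c:\documents and settings\Kurt\nah_tvmn.exe" [2008-11-25 80384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Console Monitor"="c:\program files\Avtec" [X]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Vrmon"="c:\program files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe" [2005-06-27 249916]

- - - - ORPHANS REMOVED - - - -

HKCU-Run-HPsetm - c:\documents and settings\Kurt\Application Data\Google\ijdkq13324484.exe

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSmxjt.sys"
"""


def parse(log):
    """One Entry per Run value, orphan line or service imagepath."""
    entries, key = [], None
    for raw in log.splitlines():
        line = raw.strip()
        m = KEY.match(line)
        if m:
            key = m.group("key")
            continue
        m = ORPHAN.match(line)
        if m:
            entries.append(Entry("orphan", m.group("name"), m.group("path"), None, None))
            continue
        m = VALUE.match(line)
        if m and key:
            size = int(m.group("size")) if m.group("size") else None
            entries.append(Entry(key, m.group("name"), m.group("path"), m.group("date"), size))
    return entries


def score(e, incident_date):
    """Return (points, reasons). The weights are illustrative, not a standard."""
    path = e.path.lower()
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    letters = re.sub(r"[^a-z]", "", stem)
    points, reasons = 0, []

    def add(n, why):
        nonlocal points
        points += n
        reasons.append(why)

    m = PROFILE.match(path)
    if m:
        add(1, "runs from a user profile")
        if "\\" not in path[m.end():]:
            add(2, "sits directly in the profile root")
    if re.search(r"\d{5,}", stem):
        add(2, "long digit run in the file name")
    if len(letters) >= 6 and sum(c in "aeiou" for c in letters) / len(letters) < 0.2:
        add(1, "file name has almost no vowels")
    if e.date == incident_date:
        add(2, "file dated on the incident day")
    if e.source == "orphan":
        add(1, "ComboFix already listed it as an orphaned Run value")
    src = e.source.lower()
    if "\\services\\" in src and src.endswith(".sys"):
        add(2, "service key named like a driver file")
        if src.rsplit("\\", 1)[-1].rsplit(".", 1)[0] != stem:
            add(1, "driver file name does not match the service name")
    return points, reasons


def triage(log, incident_date, threshold=3):
    """Entries scoring at or above the threshold, highest first."""
    hits = [Hit(p, e, r) for e in parse(log)
            for p, r in [score(e, incident_date)] if p >= threshold]
    hits.sort(key=lambda h: -h.points)
    return hits


if __name__ == "__main__":
    for h in triage(SAMPLE_LOG, "2008-11-25"):
        print(h.points, h.entry.name, h.entry.path)
        for why in h.reasons:
            print("   -", why)
```

Run as-is it flags exactly the three entries the helper's CFScript later removes (nah_Shell, the HPsetm orphan and TDSSserv.sys) and leaves ctfmon.exe, GoogleUpdate.exe and the vendor antivirus alone; a low vowel count on its own (vrmonnt.exe, ctfmon.exe) is deliberately worth only one point, since plenty of legitimate OEM binaries have names like that.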

Solved Re: Need help removing malware

Post by Belahzur on Wed Nov 26, 2008 6:00 pm

Hello.
Before we go any further, we need to replace a patched file, but we have to locate a clean copy.


  • Now open a new notepad file.
  • Input this into the notepad file:

    @echo off
    :: Search %windir%\system32 and every subfolder (dllcache included) for copies of
    :: winlogon.exe and write "path" size last-modified for each one to report.txt.
    For /F "TOKENS=*" %%g IN ('dir /s /a-d /b %windir%\system32\winlogon.exe') Do @echo "%%~g" %%~zg %%~tg >>report.txt 2>nul
    start notepad report.txt & exit

  • Save this as look.bat, save it to your desktop.
  • Double click look.bat to run it.
  • Copy and paste report.txt back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
Likes : 1
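look.bat only records path, size and timestamp. A file patched in place keeps its original size, so the size column alone cannot separate a clean copy from a modified one; only the hash and the modification time give it away. The Python below is an added example, not part of this thread or of look.bat, that does the same directory walk and adds an MD5 per copy, then singles out any copy whose hash differs from the ones found in the usual trusted locations on XP (system32\dllcache, ServicePackFiles\i386, or an install CD's i386). The directory tree built in demo() is a constructed stand-in for C:\WINDOWS\system32; the list of trusted folder names is an assumption.

```python
"""Find every copy of a Windows system file under a root, hash each one and
single out the copy that does not match a trusted one. Added example."""
import hashlib
import os
import tempfile
import time
from datetime import datetime

# Folders that normally hold pristine copies on XP (assumption for this example).
TRUSTED_DIRS = ("dllcache", "servicepackfiles", "i386")


def md5_of(path, chunk=1 << 16):
    """Stream the file through MD5 so a large binary need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(root, name):
    """Equivalent of `dir /s /a-d /b <root>\\<name>`, plus an MD5 per copy."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == name.lower():
                p = os.path.join(dirpath, fn)
                st = os.stat(p)
                records.append({"path": p, "size": st.st_size,
                                "mtime": datetime.fromtimestamp(st.st_mtime),
                                "md5": md5_of(p)})
    return records


def outliers(records, trusted_dirs=TRUSTED_DIRS):
    """Copies to distrust.

    If any copy lives in a trusted folder, return every copy whose MD5 differs
    from the trusted ones. With no trusted copy but at least two distinct
    hashes, return the most recently modified copy instead.
    """
    def is_trusted(rec):
        parts = [p.lower() for p in rec["path"].replace("/", os.sep).split(os.sep)]
        return any(t in parts for t in trusted_dirs)

    trusted = {r["md5"] for r in records if is_trusted(r)}
    if trusted:
        return [r for r in records if r["md5"] not in trusted]
    if len({r["md5"] for r in records}) < 2:
        return []
    return [max(records, key=lambda r: r["mtime"])]


def report(records):
    """Same columns as look.bat's report.txt, with the MD5 appended."""
    return "\n".join(
        '"%s" %d %s %s' % (r["path"], r["size"],
                           r["mtime"].strftime("%m/%d/%Y %I:%M %p"), r["md5"])
        for r in sorted(records, key=lambda r: r["path"]))


def demo():
    """Constructed tree: a clean dllcache copy dated a month ago and a live copy
    of identical size whose tail has been overwritten."""
    root = tempfile.mkdtemp(prefix="sys32_")
    live = os.path.join(root, "system32", "winlogon.exe")
    cache = os.path.join(root, "system32", "dllcache", "winlogon.exe")
    os.makedirs(os.path.dirname(cache))
    clean = b"MZ" + b"\x00" * 1022                      # 1024 bytes, stand-in for a real PE
    patched = b"MZ" + b"\x00" * 1010 + b"PATCHED-CODE"  # same length, different bytes
    with open(cache, "wb") as f:
        f.write(clean)
    with open(live, "wb") as f:
        f.write(patched)
    month_ago = time.time() - 30 * 86400
    os.utime(cache, (month_ago, month_ago))
    records = find_copies(root, "winlogon.exe")
    return records, outliers(records), outliers(records, trusted_dirs=())


if __name__ == "__main__":
    recs, bad, bad_by_age = demo()
    print(report(recs))
    for r in bad:
        print("hash differs from trusted copy:", r["path"])
```

With a trusted copy present the comparison is by hash only, which is what you want when the live file has been patched without changing its size; the fall-back to "newest modified" is a weaker signal and is only used when nothing trusted is on the disk, which is exactly the situation where the install CD's i386 folder is needed.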

Solved Re: Need help removing malware

Post by kschulz on Wed Nov 26, 2008 6:27 pm

"C:\WINDOWS\system32\winlogon.exe" 502272 11/25/2008 10:46 PM


Solved Re: Need help removing malware

Post by Belahzur on Wed Nov 26, 2008 6:33 pm

Darn.
Do you have your XP CD available?





Solved Re: Need help removing malware

Post by kschulz on Wed Nov 26, 2008 6:44 pm

System Recovery DVD
Microsoft Windows XP Professional Service Pack 2
Discs 1 & 2

Never opened.


Solved Re: Need help removing malware

Post by Belahzur on Wed Nov 26, 2008 6:49 pm

Well we need to use them.

We need to use the MS windows XP SP2 CD.
Put the CD into your machine, and let me know what letter it uses.
Press Start and open My Computer; which letter does it use?





Solved Re: Need help removing malware

Post by kschulz on Wed Nov 26, 2008 6:53 pm

Inserted disc 1. Logical drive F:
Contains the I386 folder.


Solved Re: Need help removing malware

Post by Belahzur on Wed Nov 26, 2008 7:06 pm

Okay, thank you.

Now open a new notepad file.
Input this into the notepad file:

Driver::
Viewpoint Manager Service

File::
c:\documents and settings\Kurt\nah_tvmn.exe

Folder::
c:\program files\Viewpoint

FCopy::
F:\i386\winlogon.exe | c:\windows\system32\winlogon.exe
F:\i386\termsrv.dll | c:\windows\system32\termsrv.dll

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nah_Shell"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll,schannel.dll,digest.dll,msnsspc.dll"
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv.sys]


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.





Solved Re: Need help removing malware

Post by kschulz on Wed Nov 26, 2008 7:49 pm

Ran ComboFix again with CFScript. Had a BSOD while it was rebooting. Here's the ComboFix log dump:

ComboFix 08-11-26.03 - Kurt 2008-11-26 14:11:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1292 [GMT -5:00]
Running from: d:\downloads\c0mb0-fix.exe
Command switches used :: d:\downloads\CFscript.txt
* Created a new restore point
* Resident AV is active


FILE ::
c:\documents and settings\Kurt\nah_tvmn.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kurt\nah_tvmn.exe
c:\program files\Viewpoint
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\program files\Viewpoint\Common\VistaBoot.sdll
c:\program files\Viewpoint\Viewpoint Manager\CPtask.xml
c:\program files\Viewpoint\Viewpoint Manager\VETscriptInterpreter.dll
c:\program files\Viewpoint\Viewpoint Manager\ViewCP.cpl
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\s.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_header_av.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_header_cp.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_header_up.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_inner_bg.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_inner_bottom.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab_bg.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab1_off.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab1_on.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab2_off.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab2_on.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vwpt_logo.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\options.ini
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\viewpoint.ico
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\vmctrl.html
c:\program files\Viewpoint\Viewpoint Manager\ViewCPexe.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgrCore.dll
c:\program files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe
c:\program files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
c:\program files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
c:\program files\Viewpoint\Viewpoint Media Player\ComponentMgr_0305001C.dll
c:\program files\Viewpoint\Viewpoint Media Player\ComponentRegistry.ini
c:\program files\Viewpoint\Viewpoint Media Player\Components\AOLUserShell.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\Cursors.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\JpegReader.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\Mts3Reader.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\SceneComponent.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\SreeDMMX.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\SWFView.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\VMgr.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\VMPVideo.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\VMPVideo2.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\WaveletReader.dll
c:\program files\Viewpoint\Viewpoint Media Player\DownLoadHist.ini
c:\program files\Viewpoint\Viewpoint Media Player\HostRegistry.ini
c:\program files\Viewpoint\Viewpoint Media Player\MetaStreamConfig.ini
c:\program files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
c:\program files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.xpt

c:\windows\system32\winlogon.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
.

2008-11-25 07:44 . 2008-11-25 07:44 d-------- c:\program files\TortoiseSVN
2008-11-25 07:44 . 2008-11-25 07:44 d-------- c:\program files\Common Files\TortoiseOverlays
2008-11-18 16:09 . 2008-11-18 16:09 d-------- c:\documents and settings\Kurt\Application Data\Vusion
2008-11-09 11:38 . 2008-11-09 11:38 d-------- c:\program files\Common Files\Adobe AIR
2008-10-29 12:49 . 2004-04-13 13:48 233,472 --a------ c:\windows\system32\REX Shared Library.dll
2008-10-29 12:47 . 2008-10-29 12:50 d-------- c:\documents and settings\All Users\Application Data\Cakewalk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 06:19 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Avtec,_Inc
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Avtec, Inc
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Apple Computer
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Ahead
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\AdobeUM
2008-11-26 03:46 502,272 ----a-w c:\windows\system32\winlogon.exe
2008-11-26 03:46 295,424 ----a-w c:\windows\system32\termsrv.dll
2008-11-26 00:33 5,157,888 ----a-w c:\windows\system32\drivers\vrcore.sys
2008-11-25 13:22 --------- d-----w c:\documents and settings\Kurt\Application Data\TortoiseSVN
2008-11-19 13:18 --------- d-----w c:\program files\Google
2008-11-14 20:44 --------- d-----w c:\program files\Avtec, Inc
2008-11-08 23:07 --------- d-----w c:\documents and settings\Kurt\Application Data\Cakewalk
2008-10-30 11:25 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-29 18:18 --------- d-----w c:\program files\Cakewalk
2008-10-21 23:32 --------- d-----w c:\program files\Activision
2008-10-18 20:16 --------- d-----w c:\program files\Lexicon
2008-10-10 18:44 --------- d-----w c:\program files\Apple Software Update
2008-10-10 18:40 --------- d-----w c:\program files\iTunes
2008-10-10 18:40 --------- d-----w c:\program files\iPod
2008-10-10 18:40 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-10 18:39 --------- d-----w c:\program files\Bonjour
2008-10-10 18:38 --------- d-----w c:\program files\QuickTime
2008-10-02 19:57 --------- d-----w c:\program files\Common Files\Aladdin Shared
2008-10-02 19:54 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-08-29 14:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 13:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-08-01 23:38 22,328 ------w c:\documents and settings\Kurt\Application Data\PnkBstrK.sys
2006-10-03 06:43 2,402,550 ----a-w c:\windows\inf\SET328.tmp
2004-08-04 21:00 1,431,144 ----a-w c:\windows\inf\SET39B.tmp
.

------- Sigcheck -------

2008-11-25 22:46 502272 9b1bd82bd0761b5ba986af66d2809c30 c:\windows\system32\winlogon.exe

2008-11-25 22:46 295424 40ffc19a8d4875e9e19cecdc76ef9201 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2008-11-26 17:29:51 17,290 ----a-w c:\windows\system32\tablet.dat
+ 2008-11-26 19:29:37 17,290 ----a-w c:\windows\system32\tablet.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\Kurt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]


Solved Re: Need help removing malware

Post by kschulz on Wed Nov 26, 2008 7:50 pm

ComboFix log dump continued....


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Console Monitor"="c:\program files\Avtec" [X]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-09-27 7585792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-09-27 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-06 202032]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-07-13 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"Vrmon"="c:\program files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe" [2005-06-27 249916]
"VrSchedule"="c:\program files\PCSecurityShield\ShieldAntivirus\Vrres.exe" [2004-03-11 266304]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-11-26 1349120]
"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 5.0\SetHook.exe" [2005-10-27 53248]
"openvpn-gui"="c:\program files\OpenVPN\bin\openvpn-gui.exe" [2005-08-18 99328]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-05 185896]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"nwiz"="nwiz.exe" [2006-09-27 c:\windows\system32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2004-08-04 c:\windows\system32\mqrt.dll]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 c:\windows\system32\CHDAudPropShortcut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

c:\documents and settings\Kurt\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-12 581693]
Qshelf.lnk - c:\program files\Microsoft Reference\Bookshelf 98\qshelf98.exe [2006-12-10 123904]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2006-12-23 77824]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-08-26 05:37 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\My Projects\\Avtec\\Visual Studio 2005\\Newport\\Avtec SVN Repository\\FrontEndApps\\bin\\Debug\\BusinessService.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Avtec, Inc\\Scout\\BusinessService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Avtec, Inc\\VPGate\\Endpoints\\NXU2.exe"=
"c:\\Documents and Settings\\Kurt\\Application Data\\Vusion\\WARPVideoStreamer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8000:UDP"= 8000:UDP:Express Talk RTP Incoming Audio (UDP)
"8001:UDP"= 8001:UDP:Express Talk RTP Incoming Audio (UDP)
"8002:UDP"= 8002:UDP:Express Talk RTP Incoming Audio (UDP)
"8003:UDP"= 8003:UDP:Express Talk RTP Incoming Audio (UDP)
"8004:UDP"= 8004:UDP:Express Talk RTP Incoming Audio (UDP)
"8005:UDP"= 8005:UDP:Express Talk RTP Incoming Audio (UDP)
"8006:UDP"= 8006:UDP:Express Talk RTP Incoming Audio (UDP)
"8007:UDP"= 8007:UDP:Express Talk RTP Incoming Audio (UDP)
"8008:UDP"= 8008:UDP:Express Talk RTP Incoming Audio (UDP)
"8009:UDP"= 8009:UDP:Express Talk RTP Incoming Audio (UDP)
"5070:UDP"= 5070:UDP:Express Talk Sip Incoming Calls (UDP)
"5060:UDP"= 5060:UDP:Axon Sip Incoming Calls (UDP)
"81:TCP"= 81:TCP:Axon Web Server
"1947:TCP"= 1947:TCP:HASP SRM
"1947:UDP"= 1947:UDP:HASP SRM

R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys [2007-04-20 13184]
R2 aksfridge;HASP Fridge;c:\windows\system32\DRIVERS\aksfridge.sys [2008-10-02 350720]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run []
R2 TwDrvService;MT7 Serial Search Service;c:\program files\MicroTouch\MT7\TwService.exe /Service [2007-02-22 36864]
R2 XobniService;XobniService;"c:\program files\Xobni\XobniService.exe" [2008-05-05 33280]
R3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\Drivers\5U870CAP.sys [2006-06-06 61952]
R3 L6DP;L6DP;c:\windows\system32\Drivers\l6dp.sys [2003-06-27 29312]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\DRIVERS\tap0801.sys [2006-10-01 26624]
R3 TwBus;MicroTouch Serial Bus Enumerator;c:\windows\system32\DRIVERS\TwBus.sys [2007-02-22 12240]
S3 akshhl;Aladdin HASP HL Key;c:\windows\system32\DRIVERS\akshhl.sys [2008-10-02 46336]
S3 Avtec VPGate;Avtec VPGate;c:\program files\Avtec, Inc\VPGate\VPGate.exe [2007-08-07 371200]
S3 AxonService;Axon Service;"c:\program files\NCH Swift Sound\Axon\axon.exe" -service [2008-07-10 438276]
S3 BusinessService.exe;Avtec Business Layer;c:\program files\Avtec, Inc\Scout\BusinessService.exe [2008-10-28 327680]
S3 CEUSBAUD;Lexicon USB MIDI Driver1;c:\windows\system32\Drivers\CEUSBAUD.sys [2003-11-01 17920]
S3 ConsoleMgrSvc.exe;Avtec Console Manager;c:\program files\Avtec, Inc\Scout\ConsoleMgrSvc.exe [2007-04-25 233472]
S3 ControlService.exe;Avtec Control Layer;c:\program files\Avtec, Inc\Scout\ControlService.exe [2008-10-28 225280]
S3 CPSSvc.exe;Avtec Centralized Project Storage;c:\program files\Avtec, Inc\CPS\CPSSvc.exe [2007-04-02 172032]
S3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\Drivers\FarDrive.sys [2004-05-19 142169]
S3 L6POD;L6 PODxt Service;c:\windows\system32\Drivers\L6POD.sys [2003-06-27 114048]
S3 MediaWkstnSvc.exe;Avtec Media Workstation 1900-316-42xx;c:\program files\Avtec, Inc\Scout\MediaWkstnSvc.exe [2007-04-25 126976]
S3 MSS;MSS Simulator;d:\my projects\Avtec\Visual Studio 2005\Newport\Avtec SVN Repository\FrontEndApps\bin\Debug\mss.exe [2007-03-15 69632]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S3 PDEXLOCK;Photodex Hardware Lock Driver;c:\windows\system32\Drivers\PDEXLOCK.sys [2006-12-14 12288]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\Drivers\tascusb2.sys [2008-05-10 360448]
S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [2008-05-10 18944]
S3 TASCAM_US144_WDM;TASCAM US-144 WDM;c:\windows\system32\drivers\tscusb2a.sys [2008-05-10 33792]
S3 TwTouch;MicroTouch touch screen;c:\windows\system32\DRIVERS\TwTouch.sys [2007-02-22 84945]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]
.
Contents of the 'Scheduled Tasks' folder

2008-11-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-26 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Kurt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 20:40]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-11-26 14:30:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???Pd??????g?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1324)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\windows\system32\msdtc.exe
c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Avtec, Inc\CPS\FileZilla Server\FileZilla server.exe
c:\windows\system32\hasplms.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Photodex\ProShowProducer\scsiaccess.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\Tablet.exe
c:\program files\MicroTouch\MT7\TwService.exe
c:\program files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\mqsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\Avtec, Inc\Scout\ConsoleMonitor.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
.
**************************************************************************
.
Completion time: 2008-11-26 14:38:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-26 19:38:56

Pre-Run: 11,632,496,640 bytes free
Post-Run: 11,468,439,552 bytes free

337 --- E O F --- 2007-07-21 13:12:46


Solved Re: Need help removing malware

Post by Belahzur on Wed Nov 26, 2008 8:01 pm

Was the XP SP2 CD in when you ran the CFScript?
It still says winlogon is infected.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Solved Re: Need help removing malware

Post by kschulz on Wed Nov 26, 2008 8:08 pm

Yeah I saw that. The CD was in - I only popped it out during the reboot and then popped it back in. Can I manually copy winlogon.exe and termsrv.dll over to my system32 folder, or should I try running ComboFix again?


Solved Re: Need help removing malware

Post by Belahzur on Wed Nov 26, 2008 8:10 pm

Please download a clean copy of them from here.
[You must be registered and logged in to see this link.]

Unzip them to your desktop and run this bat script.
Please make sure they are on your desktop, or this will fail.


  • Now open a new notepad file.
  • Input this into the notepad file:

    @echo off
    rem The paths contain spaces, so they must be quoted or copy splits them into separate arguments
    copy /y "c:\documents and settings\Kurt\Desktop\winlogon.exe" "C:\windows\system32\winlogon.exe"
    copy /y "c:\documents and settings\Kurt\Desktop\termsrv.dll" "C:\windows\system32\termsrv.dll"
    del Copy.bat
    exit

  • Save this as Copy.bat, save it to your desktop.
  • Double click Copy.bat to run it.



Solved Re: Need help removing malware

Post by kschulz on Wed Nov 26, 2008 8:21 pm

Ok, done.


Solved Re: Need help removing malware

Post by Belahzur on Wed Nov 26, 2008 8:22 pm

Good.
Please re-run combofix now.



Solved Re: Need help removing malware

Post by kschulz on Wed Nov 26, 2008 8:33 pm

ComboFix 08-11-26.03 - Kurt 2008-11-26 15:24:01.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1438 [GMT -5:00]
Running from: c:\documents and settings\Kurt\Desktop\c0mb0-fix.exe
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\winlogon.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
.

2008-11-25 07:44 . 2008-11-25 07:44 d-------- c:\program files\TortoiseSVN
2008-11-25 07:44 . 2008-11-25 07:44 d-------- c:\program files\Common Files\TortoiseOverlays
2008-11-18 16:09 . 2008-11-18 16:09 d-------- c:\documents and settings\Kurt\Application Data\Vusion
2008-11-09 11:38 . 2008-11-09 11:38 d-------- c:\program files\Common Files\Adobe AIR
2008-10-29 12:49 . 2004-04-13 13:48 233,472 --a------ c:\windows\system32\REX Shared Library.dll
2008-10-29 12:47 . 2008-10-29 12:50 d-------- c:\documents and settings\All Users\Application Data\Cakewalk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 06:19 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Avtec,_Inc
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Avtec, Inc
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Apple Computer
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Ahead
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\AdobeUM
2008-11-26 03:46 502,272 ----a-w c:\windows\system32\winlogon.exe
2008-11-26 03:46 295,424 ----a-w c:\windows\system32\termsrv.dll
2008-11-26 00:33 5,157,888 ----a-w c:\windows\system32\drivers\vrcore.sys
2008-11-25 13:22 --------- d-----w c:\documents and settings\Kurt\Application Data\TortoiseSVN
2008-11-19 13:18 --------- d-----w c:\program files\Google
2008-11-14 20:44 --------- d-----w c:\program files\Avtec, Inc
2008-11-08 23:07 --------- d-----w c:\documents and settings\Kurt\Application Data\Cakewalk
2008-10-30 11:25 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-29 18:18 --------- d-----w c:\program files\Cakewalk
2008-10-21 23:32 --------- d-----w c:\program files\Activision
2008-10-18 20:16 --------- d-----w c:\program files\Lexicon
2008-10-10 18:44 --------- d-----w c:\program files\Apple Software Update
2008-10-10 18:40 --------- d-----w c:\program files\iTunes
2008-10-10 18:40 --------- d-----w c:\program files\iPod
2008-10-10 18:40 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-10 18:39 --------- d-----w c:\program files\Bonjour
2008-10-10 18:38 --------- d-----w c:\program files\QuickTime
2008-10-02 19:57 --------- d-----w c:\program files\Common Files\Aladdin Shared
2008-10-02 19:54 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-08-29 14:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 13:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-08-01 23:38 22,328 ------w c:\documents and settings\Kurt\Application Data\PnkBstrK.sys
2006-10-03 06:43 2,402,550 ----a-w c:\windows\inf\SET328.tmp
2004-08-04 21:00 1,431,144 ----a-w c:\windows\inf\SET39B.tmp
.

------- Sigcheck -------

2008-11-25 22:46 502272 9b1bd82bd0761b5ba986af66d2809c30 c:\windows\system32\winlogon.exe

2008-11-25 22:46 295424 40ffc19a8d4875e9e19cecdc76ef9201 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2008-11-26 17:29:51 17,290 ----a-w c:\windows\system32\tablet.dat
+ 2008-11-26 19:29:37 17,290 ----a-w c:\windows\system32\tablet.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\Kurt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]


Solved Re: Need help removing malware

Post by kschulz on Wed Nov 26, 2008 8:33 pm

Part 2....

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Console Monitor"="c:\program files\Avtec" [X]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-09-27 7585792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-09-27 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-06 202032]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-07-13 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"Vrmon"="c:\program files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe" [2005-06-27 249916]
"VrSchedule"="c:\program files\PCSecurityShield\ShieldAntivirus\Vrres.exe" [2004-03-11 266304]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-11-26 1349120]
"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 5.0\SetHook.exe" [2005-10-27 53248]
"openvpn-gui"="c:\program files\OpenVPN\bin\openvpn-gui.exe" [2005-08-18 99328]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-05 185896]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"nwiz"="nwiz.exe" [2006-09-27 c:\windows\system32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2004-08-04 c:\windows\system32\mqrt.dll]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 c:\windows\system32\CHDAudPropShortcut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

c:\documents and settings\Kurt\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-12 581693]
Qshelf.lnk - c:\program files\Microsoft Reference\Bookshelf 98\qshelf98.exe [2006-12-10 123904]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2006-12-23 77824]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-08-26 05:37 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\My Projects\\Avtec\\Visual Studio 2005\\Newport\\Avtec SVN Repository\\FrontEndApps\\bin\\Debug\\BusinessService.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Avtec, Inc\\Scout\\BusinessService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Avtec, Inc\\VPGate\\Endpoints\\NXU2.exe"=
"c:\\Documents and Settings\\Kurt\\Application Data\\Vusion\\WARPVideoStreamer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8000:UDP"= 8000:UDP:Express Talk RTP Incoming Audio (UDP)
"8001:UDP"= 8001:UDP:Express Talk RTP Incoming Audio (UDP)
"8002:UDP"= 8002:UDP:Express Talk RTP Incoming Audio (UDP)
"8003:UDP"= 8003:UDP:Express Talk RTP Incoming Audio (UDP)
"8004:UDP"= 8004:UDP:Express Talk RTP Incoming Audio (UDP)
"8005:UDP"= 8005:UDP:Express Talk RTP Incoming Audio (UDP)
"8006:UDP"= 8006:UDP:Express Talk RTP Incoming Audio (UDP)
"8007:UDP"= 8007:UDP:Express Talk RTP Incoming Audio (UDP)
"8008:UDP"= 8008:UDP:Express Talk RTP Incoming Audio (UDP)
"8009:UDP"= 8009:UDP:Express Talk RTP Incoming Audio (UDP)
"5070:UDP"= 5070:UDP:Express Talk Sip Incoming Calls (UDP)
"5060:UDP"= 5060:UDP:Axon Sip Incoming Calls (UDP)
"81:TCP"= 81:TCP:Axon Web Server
"1947:TCP"= 1947:TCP:HASP SRM
"1947:UDP"= 1947:UDP:HASP SRM

R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys [2007-04-20 13184]
R2 aksfridge;HASP Fridge;c:\windows\system32\DRIVERS\aksfridge.sys [2008-10-02 350720]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run []
R2 TwDrvService;MT7 Serial Search Service;c:\program files\MicroTouch\MT7\TwService.exe /Service [2007-02-22 36864]
R2 XobniService;XobniService;"c:\program files\Xobni\XobniService.exe" [2008-05-05 33280]
R3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\Drivers\5U870CAP.sys [2006-06-06 61952]
R3 L6DP;L6DP;c:\windows\system32\Drivers\l6dp.sys [2003-06-27 29312]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\DRIVERS\tap0801.sys [2006-10-01 26624]
R3 TwBus;MicroTouch Serial Bus Enumerator;c:\windows\system32\DRIVERS\TwBus.sys [2007-02-22 12240]
S3 akshhl;Aladdin HASP HL Key;c:\windows\system32\DRIVERS\akshhl.sys [2008-10-02 46336]
S3 Avtec VPGate;Avtec VPGate;c:\program files\Avtec, Inc\VPGate\VPGate.exe [2007-08-07 371200]
S3 AxonService;Axon Service;"c:\program files\NCH Swift Sound\Axon\axon.exe" -service [2008-07-10 438276]
S3 BusinessService.exe;Avtec Business Layer;c:\program files\Avtec, Inc\Scout\BusinessService.exe [2008-10-28 327680]
S3 CEUSBAUD;Lexicon USB MIDI Driver1;c:\windows\system32\Drivers\CEUSBAUD.sys [2003-11-01 17920]
S3 ConsoleMgrSvc.exe;Avtec Console Manager;c:\program files\Avtec, Inc\Scout\ConsoleMgrSvc.exe [2007-04-25 233472]
S3 ControlService.exe;Avtec Control Layer;c:\program files\Avtec, Inc\Scout\ControlService.exe [2008-10-28 225280]
S3 CPSSvc.exe;Avtec Centralized Project Storage;c:\program files\Avtec, Inc\CPS\CPSSvc.exe [2007-04-02 172032]
S3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\Drivers\FarDrive.sys [2004-05-19 142169]
S3 L6POD;L6 PODxt Service;c:\windows\system32\Drivers\L6POD.sys [2003-06-27 114048]
S3 MediaWkstnSvc.exe;Avtec Media Workstation 1900-316-42xx;c:\program files\Avtec, Inc\Scout\MediaWkstnSvc.exe [2007-04-25 126976]
S3 MSS;MSS Simulator;d:\my projects\Avtec\Visual Studio 2005\Newport\Avtec SVN Repository\FrontEndApps\bin\Debug\mss.exe [2007-03-15 69632]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S3 PDEXLOCK;Photodex Hardware Lock Driver;c:\windows\system32\Drivers\PDEXLOCK.sys [2006-12-14 12288]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\Drivers\tascusb2.sys [2008-05-10 360448]
S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [2008-05-10 18944]
S3 TASCAM_US144_WDM;TASCAM US-144 WDM;c:\windows\system32\drivers\tscusb2a.sys [2008-05-10 33792]
S3 TwTouch;MicroTouch touch screen;c:\windows\system32\DRIVERS\TwTouch.sys [2007-02-22 84945]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]
.
Contents of the 'Scheduled Tasks' folder

2008-11-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-26 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Kurt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 20:40]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-11-26 15:28:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???Pd??????g?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1324)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2008-11-26 15:30:21
ComboFix-quarantined-files.txt 2008-11-26 20:29:45
ComboFix2.txt 2008-11-26 19:39:01

Pre-Run: 11,575,107,584 bytes free
Post-Run: 11,555,975,168 bytes free

249 --- E O F --- 2007-07-21 13:12:46

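
A check worth making before accepting or doubting the "is infected!!" verdict on winlogon.exe above: does the file now on disk match the clean copy byte for byte? The following Python script is an added example, not part of this thread or of ComboFix; it parses the Sigcheck lines from the log posted above (date, time, size, MD5, path) and compares the recorded size and MD5 with a reference copy. The stand-in reference file and the unlogged path in the demo are constructed for the demonstration.

```python
import hashlib
import os
import re
import tempfile

# Sigcheck line as ComboFix prints it: "<date> <time> <size> <md5> <path>"
SIGCHECK_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<md5>[0-9a-fA-F]{32})\s+(?P<path>\S.*)$"
)

# The two Sigcheck lines from the ComboFix log posted above.
SAMPLE_LOG = """\
------- Sigcheck -------

2008-11-25 22:46 502272 9b1bd82bd0761b5ba986af66d2809c30 c:\\windows\\system32\\winlogon.exe

2008-11-25 22:46 295424 40ffc19a8d4875e9e19cecdc76ef9201 c:\\windows\\system32\\termsrv.dll
.
"""


def parse_sigcheck(log_text):
    """Map each logged path (lower-cased) to its (size, md5) pair."""
    entries = {}
    for line in log_text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            entries[m.group("path").lower()] = (int(m.group("size")), m.group("md5").lower())
    return entries


def file_fingerprint(path):
    """Size in bytes and MD5 hex digest of a file, read in chunks."""
    h = hashlib.md5()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()


def compare_with_reference(entries, logged_path, reference_path):
    """Verdict on whether the logged file equals the reference copy.

    'match'          size and MD5 agree: the file on disk is identical to the
                     reference, so the question becomes whether the reference
                     itself is trustworthy (e.g. taken from the install CD).
    'size-mismatch'  the copy did not take, or a different build is on disk.
    'md5-mismatch'   same size but different content: worth a closer look.
    'not-logged'     Sigcheck did not report that path at all.
    """
    logged = entries.get(logged_path.lower())
    if logged is None:
        return "not-logged"
    ref_size, ref_md5 = file_fingerprint(reference_path)
    if logged[0] != ref_size:
        return "size-mismatch"
    if logged[1] != ref_md5:
        return "md5-mismatch"
    return "match"


def demo():
    """Self-contained run against a constructed stand-in reference file."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for a clean winlogon.exe; not the real binary.
        ref = os.path.join(tmp, "winlogon.exe")
        with open(ref, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 1022)
        size, md5 = file_fingerprint(ref)
        # A Sigcheck line produced from the same bytes must yield 'match'.
        consistent_log = "2008-11-26 15:30 %d %s c:\\windows\\system32\\winlogon.exe" % (size, md5)
        consistent = compare_with_reference(parse_sigcheck(consistent_log),
                                            r"c:\windows\system32\winlogon.exe", ref)
        # The posted log's line against the 1024-byte stand-in: sizes differ.
        posted = compare_with_reference(parse_sigcheck(SAMPLE_LOG),
                                        r"c:\windows\system32\winlogon.exe", ref)
        # A constructed path that Sigcheck never reported.
        missing = compare_with_reference(parse_sigcheck(SAMPLE_LOG),
                                         r"c:\windows\system32\not-in-log.dll", ref)
    return consistent, posted, missing


if __name__ == "__main__":
    print(demo())
```

On the infected machine one would point `reference_path` at the copy taken from the CD and `logged_path` at `c:\windows\system32\winlogon.exe`.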

Solved Re: Need help removing malware

Post by Belahzur on Wed Nov 26, 2008 8:51 pm

Hmmmm.
I'm thinking this is either a false alert, or something is still active on your machine.

Let's try this manually.
Put your XP SP2 CD back in and access the i386 folder yourself.
Find winlogon.exe, right click it and select Copy.

Press Start > Open My computer.
Open the C drive.
Then open the Windows folder.
Then open the system32 folder.
Now right click anywhere and select Paste, select yes to the overwrite warning.

Please re-run combofix again.



Solved Re: Need help removing malware

Post by kschulz on Wed Nov 26, 2008 9:07 pm

Getting an error on copy. This is immediately after a reboot, before running any programs (other than the startup services).

"Error Copying File or Folder

Cannot copy winlogon: It is being used by another person or program.
Close any programs that might be using the file and try again."


Solved Re: Need help removing malware

Post by Belahzur on Wed Nov 26, 2008 9:12 pm

Now open a new notepad file.
Input this into the notepad file:

FCopy::
F:\i386\winlogon.exe | c:\windows\system32\winlogon.exe
F:\i386\termsrv.dll | c:\windows\system32\termsrv.dll

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to its terms and allow it to run; it may want to reboot after it's done. Post the resulting log back here.
====


Please run a GMER Rootkit scan:

Download GMER's application from here:
[You must be registered and logged in to see this link.]

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.

If you're having problems with running GMER.exe, try it in safe mode.
This tool works in safe mode. Other rootkit revealers don't.



Solved Re: Need help removing malware

Post by kschulz on Wed Nov 26, 2008 10:47 pm

Ok, I ran Combofix again, feeding it CFscript to copy over the files. The dump is below (still showing infected).

I ran GMER in normal boot mode, but it would eventually exception out and not complete. It ran all the way through in Safe Mode but didn't spit out much in the output:

GMER 1.0.14.14536 - [You must be registered and logged in to see this link.]
Rootkit scan 2008-11-26 17:30:06
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Fastfat \Fat InCDrec.SYS (InCD File System Recognizer/Ahead Software AG)

---- EOF - GMER 1.0.14 ----


Solved Re: Need help removing malware

Post by kschulz on Wed Nov 26, 2008 10:47 pm

ComboFix 08-11-26.03 - Kurt 2008-11-26 16:22:20.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1416 [GMT -5:00]
Running from: c:\documents and settings\Kurt\Desktop\c0mb0-fix.exe
Command switches used :: c:\documents and settings\Kurt\Desktop\CFscript.txt
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\winlogon.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
.

2008-11-25 07:44 . 2008-11-25 07:44 d-------- c:\program files\TortoiseSVN
2008-11-25 07:44 . 2008-11-25 07:44 d-------- c:\program files\Common Files\TortoiseOverlays
2008-11-18 16:09 . 2008-11-18 16:09 d-------- c:\documents and settings\Kurt\Application Data\Vusion
2008-11-09 11:38 . 2008-11-09 11:38 d-------- c:\program files\Common Files\Adobe AIR
2008-10-29 12:49 . 2004-04-13 13:48 233,472 --a------ c:\windows\system32\REX Shared Library.dll
2008-10-29 12:47 . 2008-10-29 12:50 d-------- c:\documents and settings\All Users\Application Data\Cakewalk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 06:19 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Avtec,_Inc
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Avtec, Inc
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Apple Computer
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Ahead
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\AdobeUM
2008-11-26 03:46 502,272 ----a-w c:\windows\system32\winlogon.exe
2008-11-26 03:46 295,424 ----a-w c:\windows\system32\termsrv.dll
2008-11-26 00:33 5,157,888 ----a-w c:\windows\system32\drivers\vrcore.sys
2008-11-25 13:22 --------- d-----w c:\documents and settings\Kurt\Application Data\TortoiseSVN
2008-11-19 13:18 --------- d-----w c:\program files\Google
2008-11-14 20:44 --------- d-----w c:\program files\Avtec, Inc
2008-11-08 23:07 --------- d-----w c:\documents and settings\Kurt\Application Data\Cakewalk
2008-10-30 11:25 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-29 18:18 --------- d-----w c:\program files\Cakewalk
2008-10-21 23:32 --------- d-----w c:\program files\Activision
2008-10-18 20:16 --------- d-----w c:\program files\Lexicon
2008-10-10 18:44 --------- d-----w c:\program files\Apple Software Update
2008-10-10 18:40 --------- d-----w c:\program files\iTunes
2008-10-10 18:40 --------- d-----w c:\program files\iPod
2008-10-10 18:40 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-10 18:39 --------- d-----w c:\program files\Bonjour
2008-10-10 18:38 --------- d-----w c:\program files\QuickTime
2008-10-02 19:57 --------- d-----w c:\program files\Common Files\Aladdin Shared
2008-10-02 19:54 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-08-29 14:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 13:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-08-01 23:38 22,328 ------w c:\documents and settings\Kurt\Application Data\PnkBstrK.sys
2006-10-03 06:43 2,402,550 ----a-w c:\windows\inf\SET328.tmp
2004-08-04 21:00 1,431,144 ----a-w c:\windows\inf\SET39B.tmp
.

------- Sigcheck -------

2008-11-25 22:46 502272 9b1bd82bd0761b5ba986af66d2809c30 c:\windows\system32\winlogon.exe

2008-11-25 22:46 295424 40ffc19a8d4875e9e19cecdc76ef9201 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2008-11-26 17:29:51 17,290 ----a-w c:\windows\system32\tablet.dat
+ 2008-11-26 21:15:20 17,290 ----a-w c:\windows\system32\tablet.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll


Solved Re: Need help removing malware

Post by kschulz on Wed Nov 26, 2008 10:47 pm

Continued....


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\Kurt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Console Monitor"="c:\program files\Avtec" [X]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-09-27 7585792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-09-27 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-06 202032]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-07-13 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"Vrmon"="c:\program files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe" [2005-06-27 249916]
"VrSchedule"="c:\program files\PCSecurityShield\ShieldAntivirus\Vrres.exe" [2004-03-11 266304]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-11-26 1349120]
"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 5.0\SetHook.exe" [2005-10-27 53248]
"openvpn-gui"="c:\program files\OpenVPN\bin\openvpn-gui.exe" [2005-08-18 99328]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-05 185896]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"nwiz"="nwiz.exe" [2006-09-27 c:\windows\system32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2004-08-04 c:\windows\system32\mqrt.dll]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 c:\windows\system32\CHDAudPropShortcut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

c:\documents and settings\Kurt\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-12 581693]
Qshelf.lnk - c:\program files\Microsoft Reference\Bookshelf 98\qshelf98.exe [2006-12-10 123904]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2006-12-23 77824]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-08-26 05:37 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\My Projects\\Avtec\\Visual Studio 2005\\Newport\\Avtec SVN Repository\\FrontEndApps\\bin\\Debug\\BusinessService.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Avtec, Inc\\Scout\\BusinessService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Avtec, Inc\\VPGate\\Endpoints\\NXU2.exe"=
"c:\\Documents and Settings\\Kurt\\Application Data\\Vusion\\WARPVideoStreamer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8000:UDP"= 8000:UDP:Express Talk RTP Incoming Audio (UDP)
"8001:UDP"= 8001:UDP:Express Talk RTP Incoming Audio (UDP)
"8002:UDP"= 8002:UDP:Express Talk RTP Incoming Audio (UDP)
"8003:UDP"= 8003:UDP:Express Talk RTP Incoming Audio (UDP)
"8004:UDP"= 8004:UDP:Express Talk RTP Incoming Audio (UDP)
"8005:UDP"= 8005:UDP:Express Talk RTP Incoming Audio (UDP)
"8006:UDP"= 8006:UDP:Express Talk RTP Incoming Audio (UDP)
"8007:UDP"= 8007:UDP:Express Talk RTP Incoming Audio (UDP)
"8008:UDP"= 8008:UDP:Express Talk RTP Incoming Audio (UDP)
"8009:UDP"= 8009:UDP:Express Talk RTP Incoming Audio (UDP)
"5070:UDP"= 5070:UDP:Express Talk Sip Incoming Calls (UDP)
"5060:UDP"= 5060:UDP:Axon Sip Incoming Calls (UDP)
"81:TCP"= 81:TCP:Axon Web Server
"1947:TCP"= 1947:TCP:HASP SRM
"1947:UDP"= 1947:UDP:HASP SRM

R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys [2007-04-20 13184]
R2 aksfridge;HASP Fridge;c:\windows\system32\DRIVERS\aksfridge.sys [2008-10-02 350720]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run []
R2 TwDrvService;MT7 Serial Search Service;c:\program files\MicroTouch\MT7\TwService.exe /Service [2007-02-22 36864]
R2 XobniService;XobniService;"c:\program files\Xobni\XobniService.exe" [2008-05-05 33280]
R3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\Drivers\5U870CAP.sys [2006-06-06 61952]
R3 L6DP;L6DP;c:\windows\system32\Drivers\l6dp.sys [2003-06-27 29312]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\DRIVERS\tap0801.sys [2006-10-01 26624]
R3 TwBus;MicroTouch Serial Bus Enumerator;c:\windows\system32\DRIVERS\TwBus.sys [2007-02-22 12240]
S3 akshhl;Aladdin HASP HL Key;c:\windows\system32\DRIVERS\akshhl.sys [2008-10-02 46336]
S3 Avtec VPGate;Avtec VPGate;c:\program files\Avtec, Inc\VPGate\VPGate.exe [2007-08-07 371200]
S3 AxonService;Axon Service;"c:\program files\NCH Swift Sound\Axon\axon.exe" -service [2008-07-10 438276]
S3 BusinessService.exe;Avtec Business Layer;c:\program files\Avtec, Inc\Scout\BusinessService.exe [2008-10-28 327680]
S3 CEUSBAUD;Lexicon USB MIDI Driver1;c:\windows\system32\Drivers\CEUSBAUD.sys [2003-11-01 17920]
S3 ConsoleMgrSvc.exe;Avtec Console Manager;c:\program files\Avtec, Inc\Scout\ConsoleMgrSvc.exe [2007-04-25 233472]
S3 ControlService.exe;Avtec Control Layer;c:\program files\Avtec, Inc\Scout\ControlService.exe [2008-10-28 225280]
S3 CPSSvc.exe;Avtec Centralized Project Storage;c:\program files\Avtec, Inc\CPS\CPSSvc.exe [2007-04-02 172032]
S3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\Drivers\FarDrive.sys [2004-05-19 142169]
S3 L6POD;L6 PODxt Service;c:\windows\system32\Drivers\L6POD.sys [2003-06-27 114048]
S3 MediaWkstnSvc.exe;Avtec Media Workstation 1900-316-42xx;c:\program files\Avtec, Inc\Scout\MediaWkstnSvc.exe [2007-04-25 126976]
S3 MSS;MSS Simulator;d:\my projects\Avtec\Visual Studio 2005\Newport\Avtec SVN Repository\FrontEndApps\bin\Debug\mss.exe [2007-03-15 69632]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S3 PDEXLOCK;Photodex Hardware Lock Driver;c:\windows\system32\Drivers\PDEXLOCK.sys [2006-12-14 12288]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\Drivers\tascusb2.sys [2008-05-10 360448]
S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [2008-05-10 18944]
S3 TASCAM_US144_WDM;TASCAM US-144 WDM;c:\windows\system32\drivers\tscusb2a.sys [2008-05-10 33792]
S3 TwTouch;MicroTouch touch screen;c:\windows\system32\DRIVERS\TwTouch.sys [2007-02-22 84945]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]
.
Contents of the 'Scheduled Tasks' folder

2008-11-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-26 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Kurt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 20:40]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-11-26 16:31:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???Pd??????g?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1320)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2008-11-26 16:33:25
ComboFix-quarantined-files.txt 2008-11-26 21:32:48
ComboFix2.txt 2008-11-26 20:30:23
ComboFix3.txt 2008-11-26 19:39:01

Pre-Run: 11,513,860,096 bytes free
Post-Run: 11,497,275,392 bytes free

252 --- E O F --- 2007-07-21 13:12:46


Solved Re: Need help removing malware

Post by Belahzur on Wed Nov 26, 2008 11:03 pm

Hello.
Does the machine seem okay?



Solved Re: Need help removing malware

Post by kschulz on Wed Nov 26, 2008 11:35 pm

Yes, since the first ComboFix run it seems to be working normally, which is hard for me to believe as bad as it seemed. We'll see how it goes for awhile - hopefully it's scoured clean by now.

Belahzur, thanks so much for your help. You saved me a huge amount of time and aggravation. Really appreciate the help!


Solved Re: Need help removing malware

Post by Belahzur on Wed Nov 26, 2008 11:38 pm

Hello again.
I think I made a mistake before.

Put your XP SP2 CD back in the machine in normal mode.
Press Start > Run. When the run command opens, type this in the open field.
cmd
Press enter.

Then when the command prompt opens, type this in:
expand f:\i386\winlogon.ex_ c:\windows\system32\winlogon.exe
Press enter.
Now type this in:
expand f:\i386\termsrv.dl_ c:\windows\system32\termsrv.dll
Press enter.

Please re-run combofix again, I think it might not display the infected alert anymore.



Solved Re: Need help removing malware

Post by kschulz on Thu Nov 27, 2008 12:12 am

"Can't open input file: f:\i386\winlogon.ex_."

Looking at the i386 folder on the CD, it doesn't look like there are any compressed files. I do see the winlogon.exe and termsrv.dll files there.

If it's any help, there is the winlogon.exe in my C:\Windows\System32 folder, dated yesterday, 11/25/2008 10:46pm which is about the time I first noticed problems and suspected malware. There is also a winlogon.old file there dated 8/4/2004 4:00pm of the exact same size. Same with termsrv.dll.

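The Sigcheck section of the ComboFix log posted above records two things per file: a size and a 32-hex-digit digest (MD5 length, which is what the example below assumes it is). A same-sized file, like the winlogon.old kschulz describes, is not evidence either way; a known-good copy, such as the uncompressed winlogon.exe from the CD's i386 folder, has to be hashed and compared against the digest. The script below is an added example, not ComboFix and not code from anyone in this thread: it parses Sigcheck lines copied from the log, hashes a candidate reference file, and reports whether the live file matches it on digest, on size only, or not at all. The reference bytes hashed in its usage are constructed, since the real files are not on the page, and the CD path in the usage comment is an assumption.

```python
import hashlib
import re
from dataclasses import dataclass

# Sigcheck lines copied from the ComboFix log posted in this thread:
# date time size md5 path. The 32-hex-digit value has MD5 length, which is
# the assumption this example makes about it.
SIGCHECK_LINES = r"""
2008-11-25 22:46 502272 9b1bd82bd0761b5ba986af66d2809c30 c:\windows\system32\winlogon.exe
2008-11-25 22:46 295424 40ffc19a8d4875e9e19cecdc76ef9201 c:\windows\system32\termsrv.dll
"""

WINLOGON = r"c:\windows\system32\winlogon.exe"

SIGCHECK_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?P<size>\d+) (?P<md5>[0-9a-fA-F]{32}) (?P<path>.+)$"
)


@dataclass(frozen=True)
class SigcheckEntry:
    path: str  # lower-cased path as ComboFix prints it
    size: int  # bytes
    md5: str   # lower-case hex digest


def parse_sigcheck(text):
    """Map lower-cased path -> SigcheckEntry for every Sigcheck line in text."""
    entries = {}
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            path = m["path"].strip().lower()
            entries[path] = SigcheckEntry(path, int(m["size"]), m["md5"].lower())
    return entries


def fingerprint(data):
    """Size and MD5 of a file's bytes: the two values Sigcheck reports."""
    return len(data), hashlib.md5(data).hexdigest()


def compare_to_reference(entry, reference_bytes):
    """Verdict for the live file described by entry against a known-good copy.

    'match'     size and digest both agree: the live file is the reference build
    'size-only' same size, different content: the case a size check alone misses
    'mismatch'  different size: a different build, or a different file altogether
    """
    size, digest = fingerprint(reference_bytes)
    if size == entry.size and digest == entry.md5:
        return "match"
    if size == entry.size:
        return "size-only"
    return "mismatch"


def verify_from_log(log_text, path, reference_bytes):
    """Look path up in a ComboFix log and compare it with the reference bytes."""
    entry = parse_sigcheck(log_text).get(path.lower())
    if entry is None:
        return "not-in-log"
    return compare_to_reference(entry, reference_bytes)


if __name__ == "__main__":
    import sys
    # Usage: python sigcheck_compare.py <combofix log> <reference winlogon.exe>
    # where the reference is e.g. F:\i386\winlogon.exe from the install CD
    # (drive letter is an assumption, as it is in the thread).
    log = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    ref = open(sys.argv[2], "rb").read()
    print(verify_from_log(log, WINLOGON, ref))
```

A "size-only" result is the one to act on: it is exactly the situation where a file of the expected size has different contents. A "mismatch" on size usually just means the reference is a different service-pack build, so compare against a copy from the same SP level before drawing conclusions.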

Solved Re: Need help removing malware

Post by Belahzur on Thu Nov 27, 2008 12:18 am

That's maybe where the alert is coming from.
Delete the .old files.

The real dll and exe are the proper size, we are both running XP SP2 so your files are the same as mine, so I think they aren't infected.



Solved Re: Need help removing malware

Post by kschulz on Thu Nov 27, 2008 12:56 am

I deleted the .old files and ComboFix is still reporting winlogon.exe as infected. Everything seems to be running fine though - I think you're right that it's probably a false positive. Maybe just the file date change is why it's getting tagged.


Solved Re: Need help removing malware

Post by Belahzur on Thu Nov 27, 2008 1:01 am

Okay, let me know if anything changes.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

Hopefully this should take care of your problems! Good luck.



Solved Re: Need help removing malware

Post by kschulz on Thu Nov 27, 2008 1:11 am

Belahzur, thanks again. I really appreciate your time and patience with this. Hopefully I won't be back to bug you.

You've been a tremendous help!


Solved Re: Need help removing malware

Post by kschulz on Thu Nov 27, 2008 4:07 pm

A final bit of info - I noticed the following in the ComboFix log dumps:

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1320)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

Thinking that SAS is interfering with ComboFix accessing the winlogon.exe file, causing it to be tagged as infected - but it's a false positive. A few quick searches on the net reveal this is a common issue even with other anti-virus programs.

So I feel confident we're good. Solved?


Solved Re: Need help removing malware

Post by Belahzur on Thu Nov 27, 2008 4:10 pm

I think you're right, SAS has hooked itself into winlogon, probably to protect it.
But combofix detects this as malware.

If everything is still good for you, then yes.
I will add solved tags to the topic and leave it open for a few days in case you have any questions.


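The closing exchange pins the repeated "winlogon.exe is infected" alert on SASWINLO.DLL, registered under the winlogon\notify key in the "Reg Loading Points" section of the log and loaded into winlogon.exe as a notification package. Triage of that section generally follows the same logic: list what is registered to load, then look hardest at Run values whose target file no longer exists (ComboFix marks these [X], as with "Console Monitor"), Run values starting from outside the Windows and Program Files trees (user-profile directories in particular, which any program the user runs can write to, and where the original ijdkq12234484.exe sat), and every Winlogon notify package, because those DLLs execute inside winlogon.exe itself. The script below is an added example, not ComboFix output or code from anyone in this thread; it parses a fragment constructed from the log posted earlier and returns those three classes of entries for review. The trusted-directory prefixes are an assumption for a default English XP install, and a hit means "verify the publisher and the file", not "malware": the SUPERAntiSpyware package here is exactly the kind of legitimate entry the check surfaces.

```python
import re

# Fragment constructed from the "Reg Loading Points" section of the ComboFix
# log posted earlier in this thread (a handful of entries, not the whole dump).
SAMPLE_DUMP = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\Kurt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Console Monitor"="c:\program files\Avtec" [X]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"nwiz"="nwiz.exe" [2006-09-27 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-08-26 05:37 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL
"""

# Where a default English-locale XP install keeps its own and installed code.
# Assumption for this example; adjust for a non-default %SystemRoot% or %ProgramFiles%.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
NOTIFY_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?P<size>\d+) (?P<path>.+)$")


def resolved_target(cmd, meta):
    """File ComboFix resolved a Run value to, or None when it marked the value [X]."""
    tokens = meta.split(None, 1)
    if tokens and tokens[0] == "X":
        return None
    # For a bare file name such as "nwiz.exe" ComboFix prints the resolved path
    # after the date instead of a size; otherwise the value itself is the path.
    if len(tokens) == 2 and not tokens[1].isdigit():
        return tokens[1].strip()
    return cmd


def is_trusted_location(path):
    return path.lower().startswith(TRUSTED_PREFIXES)


def triage_loading_points(dump):
    """Return (kind, name, target) tuples for entries that deserve a second look.

    kind is one of:
      'missing-target'         Run value whose file no longer exists ([X])
      'outside-standard-dirs'  Run value starting from outside Windows/Program Files
      'winlogon-notify'        DLL loaded into winlogon.exe as a notification package
    """
    findings = []
    key = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            key = km["key"]
            continue
        if key is None:
            continue
        lowered = key.lower()
        if lowered.endswith("\\run"):
            vm = VALUE_RE.match(line)
            if not vm:
                continue
            name, cmd, meta = vm["name"], vm["cmd"], vm["meta"]
            target = resolved_target(cmd, meta)
            if target is None:
                findings.append(("missing-target", name, cmd))
            elif not is_trusted_location(target):
                findings.append(("outside-standard-dirs", name, target))
        elif "winlogon\\notify\\" in lowered:
            nm = NOTIFY_RE.match(line)
            if nm:
                package = key.rsplit("\\", 1)[-1]
                findings.append(("winlogon-notify", package, nm["path"].strip()))
    return findings


if __name__ == "__main__":
    for kind, name, target in triage_loading_points(SAMPLE_DUMP):
        print(f"{kind:22} {name:18} {target}")
```

Run against the constructed fragment it reports three entries: the dangling "Console Monitor" value, Google Update starting from the user's profile, and the SASWinLogon notification package. Each is a review item, not a verdict; the winlogon-notify class is the one that explains this thread, since a DLL mapped into winlogon.exe is what ComboFix shows under "DLLs Loaded Under Running Processes".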

Solved Re: Need help removing malware

Post by Doctor Inferno on Thu Dec 04, 2008 4:05 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator

Posts : 12015
Joined : 2007-12-26
Gender : Male
OS : Windows 7 Home Premium and Ultimate X64
Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points : 104600
# Likes : 0
