Need help removing malware


Solved Re: Need help removing malware

Post by Belahzur on Wed Nov 26, 2008 8:51 pm

Hmmmm.
I'm thinking this is either a false alert, or something is still active on your machine.

Let's try this manually.
Put your XP SP2 CD back in and access the i386 folder yourself.
Find a copy of winlogon.exe, right click it and select Copy.

Press Start > Open My computer.
Open the C drive.
Then open the Windows folder.
Then open the system32 folder.
Now right click anywhere and select Paste, select yes to the overwrite warning.

Please re-run combofix again.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Solved Re: Need help removing malware

Post by kschulz on Wed Nov 26, 2008 9:07 pm

Getting an error on copy. This is immediately after a reboot, before running any programs (other than the startup services).

"Error Copying File or Folder

Cannot copy winlogon: It is being used by another person or program.
Close any programs that might using the file and try again."

kschulz
Novice
Posts : 25
Joined : 2008-11-26
OS : WinXP

Solved Re: Need help removing malware

Post by Belahzur on Wed Nov 26, 2008 9:12 pm

Now open a new notepad file.
Input this into the notepad file:

FCopy::
F:\i386\winlogon.exe | c:\windows\system32\winlogon.exe
F:\i386\termsrv.dll | c:\windows\system32\termsrv.dll

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.
====


Please run a GMER Rootkit scan:

Download GMER's application from here:
[You must be registered and logged in to see this link.]

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning! Please do not select the "Show all" checkbox during the scan.

If you're having problems with running GMER.exe, try it in safe mode.
This tool works in safe mode. Other rootkit revealers don't.



Solved Re: Need help removing malware

Post by kschulz on Wed Nov 26, 2008 10:47 pm

Ok, I ran Combofix again, feeding it CFscript to copy over the files. The dump is below (still showing infected).

I ran GMER in normal boot mode, but it would eventually exception out and not complete. It ran all the way through in Safe Mode but didn't spit out much in the output:

GMER 1.0.14.14536 - [You must be registered and logged in to see this link.]
Rootkit scan 2008-11-26 17:30:06
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Fastfat \Fat InCDrec.SYS (InCD File System Recognizer/Ahead Software AG)

---- EOF - GMER 1.0.14 ----


Solved Re: Need help removing malware

Post by kschulz on Wed Nov 26, 2008 10:47 pm

ComboFix 08-11-26.03 - Kurt 2008-11-26 16:22:20.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1416 [GMT -5:00]
Running from: c:\documents and settings\Kurt\Desktop\c0mb0-fix.exe
Command switches used :: c:\documents and settings\Kurt\Desktop\CFscript.txt
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\winlogon.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
.

2008-11-25 07:44 . 2008-11-25 07:44 d-------- c:\program files\TortoiseSVN
2008-11-25 07:44 . 2008-11-25 07:44 d-------- c:\program files\Common Files\TortoiseOverlays
2008-11-18 16:09 . 2008-11-18 16:09 d-------- c:\documents and settings\Kurt\Application Data\Vusion
2008-11-09 11:38 . 2008-11-09 11:38 d-------- c:\program files\Common Files\Adobe AIR
2008-10-29 12:49 . 2004-04-13 13:48 233,472 --a------ c:\windows\system32\REX Shared Library.dll
2008-10-29 12:47 . 2008-10-29 12:50 d-------- c:\documents and settings\All Users\Application Data\Cakewalk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 06:19 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Avtec,_Inc
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Avtec, Inc
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Apple Computer
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Ahead
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\AdobeUM
2008-11-26 03:46 502,272 ----a-w c:\windows\system32\winlogon.exe
2008-11-26 03:46 295,424 ----a-w c:\windows\system32\termsrv.dll
2008-11-26 00:33 5,157,888 ----a-w c:\windows\system32\drivers\vrcore.sys
2008-11-25 13:22 --------- d-----w c:\documents and settings\Kurt\Application Data\TortoiseSVN
2008-11-19 13:18 --------- d-----w c:\program files\Google
2008-11-14 20:44 --------- d-----w c:\program files\Avtec, Inc
2008-11-08 23:07 --------- d-----w c:\documents and settings\Kurt\Application Data\Cakewalk
2008-10-30 11:25 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-29 18:18 --------- d-----w c:\program files\Cakewalk
2008-10-21 23:32 --------- d-----w c:\program files\Activision
2008-10-18 20:16 --------- d-----w c:\program files\Lexicon
2008-10-10 18:44 --------- d-----w c:\program files\Apple Software Update
2008-10-10 18:40 --------- d-----w c:\program files\iTunes
2008-10-10 18:40 --------- d-----w c:\program files\iPod
2008-10-10 18:40 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-10 18:39 --------- d-----w c:\program files\Bonjour
2008-10-10 18:38 --------- d-----w c:\program files\QuickTime
2008-10-02 19:57 --------- d-----w c:\program files\Common Files\Aladdin Shared
2008-10-02 19:54 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-08-29 14:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 13:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-08-01 23:38 22,328 ------w c:\documents and settings\Kurt\Application Data\PnkBstrK.sys
2006-10-03 06:43 2,402,550 ----a-w c:\windows\inf\SET328.tmp
2004-08-04 21:00 1,431,144 ----a-w c:\windows\inf\SET39B.tmp
.

------- Sigcheck -------

2008-11-25 22:46 502272 9b1bd82bd0761b5ba986af66d2809c30 c:\windows\system32\winlogon.exe

2008-11-25 22:46 295424 40ffc19a8d4875e9e19cecdc76ef9201 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2008-11-26 17:29:51 17,290 ----a-w c:\windows\system32\tablet.dat
+ 2008-11-26 21:15:20 17,290 ----a-w c:\windows\system32\tablet.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll


Solved Re: Need help removing malware

Post by kschulz on Wed Nov 26, 2008 10:47 pm

Continued....


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\Kurt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Console Monitor"="c:\program files\Avtec" [X]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-09-27 7585792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-09-27 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-06 202032]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-07-13 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"Vrmon"="c:\program files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe" [2005-06-27 249916]
"VrSchedule"="c:\program files\PCSecurityShield\ShieldAntivirus\Vrres.exe" [2004-03-11 266304]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-11-26 1349120]
"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 5.0\SetHook.exe" [2005-10-27 53248]
"openvpn-gui"="c:\program files\OpenVPN\bin\openvpn-gui.exe" [2005-08-18 99328]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-05 185896]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"nwiz"="nwiz.exe" [2006-09-27 c:\windows\system32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2004-08-04 c:\windows\system32\mqrt.dll]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 c:\windows\system32\CHDAudPropShortcut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

c:\documents and settings\Kurt\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-12 581693]
Qshelf.lnk - c:\program files\Microsoft Reference\Bookshelf 98\qshelf98.exe [2006-12-10 123904]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2006-12-23 77824]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-08-26 05:37 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\My Projects\\Avtec\\Visual Studio 2005\\Newport\\Avtec SVN Repository\\FrontEndApps\\bin\\Debug\\BusinessService.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Avtec, Inc\\Scout\\BusinessService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Avtec, Inc\\VPGate\\Endpoints\\NXU2.exe"=
"c:\\Documents and Settings\\Kurt\\Application Data\\Vusion\\WARPVideoStreamer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8000:UDP"= 8000:UDP:Express Talk RTP Incoming Audio (UDP)
"8001:UDP"= 8001:UDP:Express Talk RTP Incoming Audio (UDP)
"8002:UDP"= 8002:UDP:Express Talk RTP Incoming Audio (UDP)
"8003:UDP"= 8003:UDP:Express Talk RTP Incoming Audio (UDP)
"8004:UDP"= 8004:UDP:Express Talk RTP Incoming Audio (UDP)
"8005:UDP"= 8005:UDP:Express Talk RTP Incoming Audio (UDP)
"8006:UDP"= 8006:UDP:Express Talk RTP Incoming Audio (UDP)
"8007:UDP"= 8007:UDP:Express Talk RTP Incoming Audio (UDP)
"8008:UDP"= 8008:UDP:Express Talk RTP Incoming Audio (UDP)
"8009:UDP"= 8009:UDP:Express Talk RTP Incoming Audio (UDP)
"5070:UDP"= 5070:UDP:Express Talk Sip Incoming Calls (UDP)
"5060:UDP"= 5060:UDP:Axon Sip Incoming Calls (UDP)
"81:TCP"= 81:TCP:Axon Web Server
"1947:TCP"= 1947:TCP:HASP SRM
"1947:UDP"= 1947:UDP:HASP SRM

R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys [2007-04-20 13184]
R2 aksfridge;HASP Fridge;c:\windows\system32\DRIVERS\aksfridge.sys [2008-10-02 350720]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run []
R2 TwDrvService;MT7 Serial Search Service;c:\program files\MicroTouch\MT7\TwService.exe /Service [2007-02-22 36864]
R2 XobniService;XobniService;"c:\program files\Xobni\XobniService.exe" [2008-05-05 33280]
R3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\Drivers\5U870CAP.sys [2006-06-06 61952]
R3 L6DP;L6DP;c:\windows\system32\Drivers\l6dp.sys [2003-06-27 29312]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\DRIVERS\tap0801.sys [2006-10-01 26624]
R3 TwBus;MicroTouch Serial Bus Enumerator;c:\windows\system32\DRIVERS\TwBus.sys [2007-02-22 12240]
S3 akshhl;Aladdin HASP HL Key;c:\windows\system32\DRIVERS\akshhl.sys [2008-10-02 46336]
S3 Avtec VPGate;Avtec VPGate;c:\program files\Avtec, Inc\VPGate\VPGate.exe [2007-08-07 371200]
S3 AxonService;Axon Service;"c:\program files\NCH Swift Sound\Axon\axon.exe" -service [2008-07-10 438276]
S3 BusinessService.exe;Avtec Business Layer;c:\program files\Avtec, Inc\Scout\BusinessService.exe [2008-10-28 327680]
S3 CEUSBAUD;Lexicon USB MIDI Driver1;c:\windows\system32\Drivers\CEUSBAUD.sys [2003-11-01 17920]
S3 ConsoleMgrSvc.exe;Avtec Console Manager;c:\program files\Avtec, Inc\Scout\ConsoleMgrSvc.exe [2007-04-25 233472]
S3 ControlService.exe;Avtec Control Layer;c:\program files\Avtec, Inc\Scout\ControlService.exe [2008-10-28 225280]
S3 CPSSvc.exe;Avtec Centralized Project Storage;c:\program files\Avtec, Inc\CPS\CPSSvc.exe [2007-04-02 172032]
S3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\Drivers\FarDrive.sys [2004-05-19 142169]
S3 L6POD;L6 PODxt Service;c:\windows\system32\Drivers\L6POD.sys [2003-06-27 114048]
S3 MediaWkstnSvc.exe;Avtec Media Workstation 1900-316-42xx;c:\program files\Avtec, Inc\Scout\MediaWkstnSvc.exe [2007-04-25 126976]
S3 MSS;MSS Simulator;d:\my projects\Avtec\Visual Studio 2005\Newport\Avtec SVN Repository\FrontEndApps\bin\Debug\mss.exe [2007-03-15 69632]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S3 PDEXLOCK;Photodex Hardware Lock Driver;c:\windows\system32\Drivers\PDEXLOCK.sys [2006-12-14 12288]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\Drivers\tascusb2.sys [2008-05-10 360448]
S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [2008-05-10 18944]
S3 TASCAM_US144_WDM;TASCAM US-144 WDM;c:\windows\system32\drivers\tscusb2a.sys [2008-05-10 33792]
S3 TwTouch;MicroTouch touch screen;c:\windows\system32\DRIVERS\TwTouch.sys [2007-02-22 84945]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]
.
Contents of the 'Scheduled Tasks' folder

2008-11-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-26 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Kurt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 20:40]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-11-26 16:31:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???Pd??????g?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1320)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2008-11-26 16:33:25
ComboFix-quarantined-files.txt 2008-11-26 21:32:48
ComboFix2.txt 2008-11-26 20:30:23
ComboFix3.txt 2008-11-26 19:39:01

Pre-Run: 11,513,860,096 bytes free
Post-Run: 11,497,275,392 bytes free

252 --- E O F --- 2007-07-21 13:12:46


Solved Re: Need help removing malware

Post by Belahzur on Wed Nov 26, 2008 11:03 pm

Hello.
Does the machine seem okay?



Solved Re: Need help removing malware

Post by kschulz on Wed Nov 26, 2008 11:35 pm

Yes, since the first ComboFix run it seems to be working normally, which is hard for me to believe given how bad it seemed. We'll see how it goes for a while - hopefully it's scoured clean by now.

Belahzur, thanks so much for your help. You saved me a huge amount of time and aggravation. Really appreciate the help!


Solved Re: Need help removing malware

Post by Belahzur on Wed Nov 26, 2008 11:38 pm

Hello again.
I think I made a mistake before.

Put your XP SP2 CD back in the machine in normal mode.
Press Start > Run. When the run command opens, type this in the open field.
cmd
Press enter.

Then when the command prompt opens, type this in:
expand f:\i386\winlogon.ex_ c:\windows\system32\winlogon.exe
Press enter.
Now type this in:
expand f:\i386\termsrv.dl_ c:\windows\system32\termsrv.dll
Press enter.

Please re-run combofix again, I think it might not display the infected alert anymore.



Solved Re: Need help removing malware

Post by kschulz on Thu Nov 27, 2008 12:12 am

"Can't open input file: f:\i386\winlogon.ex_."

Looking at the i386 folder on the CD, it doesn't look like there are any compressed files. I do see the winlogon.exe and termsrv.dll files there.

If it's any help, there is the winlogon.exe in my C:\Windows\System32 folder, dated yesterday, 11/25/2008 10:46pm which is about the time I first noticed problems and suspected malware. There is also a winlogon.old file there dated 8/4/2004 4:00pm of the exact same size. Same with termsrv.dll.


Solved Re: Need help removing malware

Post by Belahzur on Thu Nov 27, 2008 12:18 am

That may be where the alert is coming from.
Delete the .old files.

The real dll and exe are the proper size; we are both running XP SP2, so your files are the same as mine, and I think they aren't infected.



Solved Re: Need help removing malware

Post by kschulz on Thu Nov 27, 2008 12:56 am

I deleted the .old files and ComboFix is still reporting winlogon.exe as infected. Everything seems to be running fine though - I think you're right that it's probably a false positive. Maybe just the file date change is why it's getting tagged.


Solved Re: Need help removing malware

Post by Belahzur on Thu Nov 27, 2008 1:01 am

Okay, let me know if anything changes.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

Hopefully this should take care of your problems! Good luck.



Solved Re: Need help removing malware

Post by kschulz on Thu Nov 27, 2008 1:11 am

Belahzur, thanks again. I really appreciate your time and patience with this. Hopefully I won't be back to bug you.

You've been a tremendous help!


Solved Re: Need help removing malware

Post by kschulz on Thu Nov 27, 2008 4:07 pm

A final bit of info - I noticed the following in the ComboFix log dumps:

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1320)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

I'm thinking that SAS is interfering with ComboFix accessing the winlogon.exe file, causing it to be tagged as infected, but it's a false positive. A few quick searches on the net reveal this is a common issue even with other anti-virus programs.

So I feel confident we're good. Solved?

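The two things that settled this thread, the Sigcheck hashes and sizes in the ComboFix log and the SUPERAntiSpyware module listed under winlogon.exe in "DLLs Loaded Under Running Processes", can be checked mechanically rather than by eye. The script below is an added example written for this thread; it is not part of ComboFix, GMER or SUPERAntiSpyware and was not run by either poster. It parses a ComboFix-style log, compares each Sigcheck entry's size and MD5 against a reference table (in practice built with md5_of_file from the i386 copies on the install CD; the termsrv.dll reference here is a constructed placeholder so a mismatch finding is visible), and reports any module loaded into a process from outside the Windows directory. The log excerpt is constructed from the lines posted above plus one constructed msv1_0.dll line to show a module that is not reported; the function names and the DEMO_REFERENCE table are my own.

```python
"""Triage helper for a ComboFix-style log: verify Sigcheck hashes against a
known-good reference and list non-Windows DLLs loaded inside winlogon.exe.
Added example; not part of ComboFix or the thread's own tooling."""
import hashlib
import ntpath
import re

# Constructed excerpt modelled on the log posted in the thread. The two hashes
# are the ones ComboFix printed there; msv1_0.dll is a constructed extra line
# showing a module under c:\windows that is therefore not reported.
SAMPLE_LOG = """\
------- Sigcheck -------

2008-11-25 22:46 502272 9b1bd82bd0761b5ba986af66d2809c30 c:\\windows\\system32\\winlogon.exe

2008-11-25 22:46 295424 40ffc19a8d4875e9e19cecdc76ef9201 c:\\windows\\system32\\termsrv.dll
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1320)
c:\\program files\\SUPERAntiSpyware\\SASWINLO.DLL
c:\\windows\\system32\\msv1_0.dll
.
Completion time: 2008-11-26 16:33:25
"""

# Constructed reference table. In real use build it with md5_of_file() from the
# install CD copies (i386\winlogon.exe, i386\termsrv.dll). The termsrv entry is
# a deliberate placeholder so that a mismatch finding appears in the demo.
DEMO_REFERENCE = {
    "winlogon.exe": {"size": 502272, "md5": "9b1bd82bd0761b5ba986af66d2809c30"},
    "termsrv.dll": {"size": 295424, "md5": "0" * 32},  # placeholder, not a real hash
}

SIGCHECK_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) ([0-9a-f]{32}) (.+)$", re.MULTILINE
)
PROCESS_RE = re.compile(r"> '([^']+)'\((\d+)\)")
WIN_PATH_RE = re.compile(r"^[a-zA-Z]:\\")


def md5_of_file(path, chunk=1 << 16):
    """MD5 of a file on disk, e.g. the CD copy used as the reference. ComboFix's
    Sigcheck section prints MD5, so that is the digest we compare against."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_sigcheck(log_text):
    """Return the Sigcheck entries as dicts: timestamp, size, md5, path."""
    return [
        {"timestamp": ts, "size": int(size), "md5": md5, "path": path.strip()}
        for ts, size, md5, path in SIGCHECK_RE.findall(log_text)
    ]


def parse_loaded_dlls(log_text):
    """Map each process named in 'DLLs Loaded Under Running Processes' to the
    module paths listed beneath it. The section ends at a lone '.' line."""
    loaded, current, in_section = {}, None, False
    for line in log_text.splitlines():
        line = line.strip()
        if "DLLs Loaded Under Running Processes" in line:
            in_section = True
            continue
        if not in_section or not line:
            continue
        if line == ".":
            break
        m = PROCESS_RE.search(line)
        if m:
            current = m.group(1)
            loaded.setdefault(current, [])
        elif current and WIN_PATH_RE.match(line):
            loaded[current].append(line)
    return loaded


def triage(log_text, reference, windows_dir="c:\\windows\\"):
    """Findings as (kind, subject) tuples. A file whose size and MD5 equal the
    reference copy is reported as matching even if a scanner flagged it; a DLL
    loaded into a process from outside the Windows directory is reported so the
    analyst can judge whether it explains the alert (as SASWINLO.DLL did here)."""
    findings = []
    for entry in parse_sigcheck(log_text):
        name = ntpath.basename(entry["path"]).lower()
        ref = reference.get(name)
        if ref is None:
            findings.append(("no-reference", name))
        elif ref["size"] != entry["size"] or ref["md5"] != entry["md5"]:
            findings.append(("hash-mismatch", name))
        else:
            findings.append(("matches-reference", name))
    for proc, dlls in parse_loaded_dlls(log_text).items():
        for dll in dlls:
            if not dll.lower().startswith(windows_dir):
                findings.append(("third-party-dll", f"{proc}:{ntpath.basename(dll)}"))
    return findings


if __name__ == "__main__":
    for kind, subject in triage(SAMPLE_LOG, DEMO_REFERENCE):
        print(f"{kind:18} {subject}")
```

Run against the constructed excerpt it reports winlogon.exe as matching the reference, termsrv.dll as a mismatch (only because of the placeholder hash), and SASWINLO.DLL as a third-party module inside winlogon.exe. The design point is that a scanner's "infected" verdict on a system binary and an independent hash comparison against the install media are separate pieces of evidence: when the hash matches and the only oddity is a known security product's DLL hooked into the process, the false-positive explanation reached in the thread is the one the data supports.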

Solved Re: Need help removing malware

Post by Belahzur on Thu Nov 27, 2008 4:10 pm

I think you're right, SAS has hooked itself into winlogon, probably to protect it.
But combofix detects this as malware.

If everything is still good for you, then yes.
I will add solved tags to the topic and leave it open for a few days in case you have any questions.



Solved Re: Need help removing malware

Post by Doctor Inferno on Thu Dec 04, 2008 4:05 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.



Doctor Inferno
Administrator
Posts : 12017
Joined : 2007-12-26
Gender : Male
OS : Windows 7 Home Premium and Ultimate X64
