fmajor7th Posted February 2, 2009 ID:52770 Share Posted February 2, 2009 Hello Malwarebytes,I've recently discovered your site. It is so encouraging to find a site dedicated to the task of eradicating malware with excellent advice and anti-malware programs. In response to infection, I recently downloaded and ran some new anti-malware software including SuperAntiSpyware and Comodo Antivirus. SuperAntiSpyware usually finds 100+ items: ~XX.TMP.EXE files (where X represents a hexadecimal integer) located in localsettings\temp, _restore, prefetch and system32 folders; also one file in start up. Then I found your site; I read your 'how did I become infected' entry, and downloaded and ran your Malwarebytes anti-malware software. With a full scan, your software reported no issues so I ran Hijack This: this found 20 or so suspect tmp files as running processes, and two further suspect files which seem to me to be the root or residual parts of the malware (pls see logs below). If this helps, I also ran Ad-aware some months ago: then, the logs recognised/classified the malware files into three main categories: win32. generic worm, win32.trojanproxy.bobax, and win32.trojan.killav. Both Adaware and SuperAntiSpyware remove or quarantine nearly all the files that they find, except these root files which appear to launch the tmp files each start up; these then show up on Task Manager alongside the usual 30-40 normal processes. The 'end process' facility in task manager is disabled. I often have to reload my anti-malware programs each time I wish to use them because they are often disabled (by the malware, I assume); occasionally, it does not allow them to be installed at all. I use Opera as my main browser, then Netscape, then on occasion, IE. I would be interested to hear your comments, especially ones that fully/properly explain what is happening on my machine, and in doing so, offer or lead to potential solutions for locating/eradicating these root files and what I can do to further prevent them infecting my system in the future. Whatever, congratulations on operating a business/website in such a noble and worthwhile cause. Fmajor7thLogfile of Trend Micro HijackThis v2.0.2Scan saved at 15:46:15, on 02/02/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\blueyonder\PCguard\fws.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\RunDll32.exeC:\Program Files\Comodo\Comodo AntiVirus\CMain.exeC:\Program Files\QuickTime\qttask.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~66.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~60.tmp.exeC:\WINDOWS\system32\ctfmon.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~6C.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~72.tmp.exeC:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeC:\Program Files\Comodo\common\CAVASpy\cavasm.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~7A.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~8B.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~7B.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~8F.tmp.exeC:\Program Files\MSI\Core Center\CoreCenter.exeC:\WINDOWS\system32\RAMASST.exeC:\WINDOWS\System32\DVDRAMSV.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~A1.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~A3.tmp.exeC:\Program Files\Common Files\Command Software\dvpapi.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~A2.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~A5.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~B0.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~B4.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~B6.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~B8.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~BC.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~BF.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~C0.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~C3.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~C5.tmp.exeC:\Program Files\OpenOffice.org 3\program\soffice.exeC:\Program Files\OpenOffice.org 3\program\soffice.binC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blankN2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.demon.net/"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dllO2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\blueyonder\PCguard\FBHR.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheModeO4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWndO4 - HKLM\..\Run: [b'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exeO4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\Rps.exe"O4 - HKLM\..\Run: [KHVUII_akXLNZ_J] C:\WINDOWS\system32\bdfyytlfshlqh.exeO4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"O4 - HKLM\..\Run: [ueQaYzakOp] C:\WINDOWS\system32\mzyypdobc.exeO4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exeO4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeO4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exeO4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exeO4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exeO4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exeO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dllO23 - Service: AntiVir Service (AntiVirService) - Unknown owner - C:\Program Files\AVPersonal\AVGUARD.EXE (file missing)O23 - Service: AntiVir Update (AVWUpSrv) - Unknown owner - C:\Program Files\AVPersonal\AVWUPSRV.EXE (file missing)O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exeO23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exeO23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe--End of file - 7524 bytesmbam-log-2009-02-02 (13-02-08).txtScan type: Full Scan (C:\|)Objects scanned: 143317Time elapsed: 1 hour(s), 1 minute(s), 40 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 3, 2009 Root Admin ID:52996 Share Posted February 3, 2009 Well that is not the full log for MBAM so I can't tell the version of the program or definitions.Please run the following program.Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofixPlease ensure you read this guide carefully and install the Recovery Console first.NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the programAdditional links to download the tool:ComboFix.exeComboFix.exeComboFix.exeNote: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.Once installed, you should see a blue screen prompt that says:The Recovery Console was successfully installed.Please continue as follows:Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.Click Yes to allow ComboFix to continue scanning for malware.When the tool is finished, it will produce a report for you.Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system. Link to post Share on other sites More sharing options...
fmajor7th Posted February 3, 2009 Author ID:53126 Share Posted February 3, 2009 Hello Malwarebytes,Thank you for your prompt reply. Sorry about my hasty/sloppy C&P - failing to scroll up fully and thereby cutting off the top four lines of the mbam log text. Here is missing part:Malwarebytes' Anti-Malware 1.33Database version: 1714Windows 5.1.2600 Service Pack 302/02/2009 13:02:08mbam-log-2009-02-02 (13-02-08).txtThanks for your instructions; I'm on the case now and will get back to you shortly.Fmajor7th Link to post Share on other sites More sharing options...
fmajor7th Posted February 3, 2009 Author ID:53197 Share Posted February 3, 2009 Hello Again Malwarebytes,Continuing from last time... I followed your instructions re ComboFix: all very clear and straightforward. XP would not allow me to install the WRConsole manually from my XP CD prior to running ComboFix because of the XP version mismatch: my original XP disc is a four year old SP1 and I am running an updated XP SP3. However, I dont think this matters because WRC was installed satisfactorily as part of the ComboFix set up.I tried to disable all my running Antivirus/spyware and firewall s/w prior to running CF. I uninstalled Comodo, and I exited SuperAntiSpyware but the latter still showed up on the logs; PCGuard is my ISP's firewall: on a recent update, it somehow was disabled (by the malware, I assume - I am waiting to install ZA) so I though this would be OK but again it showed up on the logs. I notice other old protection s/w also showed up in the logs even though they are (or I thought they were) not running 'on access'. I hope this isn't a problem. Whatever, ComboFix seemed to run perfectly, executing all the pre-stated stages. I also ran HJT again as per your instructions - pls see the logs for both below. I realise I am not out of the woods yet and I don't wish to temp fate but... things look promising: in my present OS state, all the tmp (malware) processes have gone from Task manager and the end process facility is re-enabled, and my CPU is running a sweet hum at 0-4% in the background instead of the labouring 30+% and chasing its tail. I await your further comments/instructions with great anticipation. (Apologies, I have to go away for three days now - the machine will not be turned on or used at all during this period - I will be back Sat. 7th. ). Thank you once again.Fmajor7thComboFix 09-02-02.04 - User One 2009-02-03 21:58:02.1 - NTFSx86Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.736 [GMT 0:00]Running from: c:\documents and settings\User One\Desktop\ComboFix.exeAV: PCguard Anti-Virus *On-access scanning disabled* (Outdated)FW: PCguard Firewall *enabled* * Created a new restore point.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\windows\IE4 Error Log.txtc:\windows\system32\i.((((((((((((((((((((((((( Files Created from 2009-01-03 to 2009-02-03 ))))))))))))))))))))))))))))))).2009-02-03 21:52 . 2009-02-03 21:52 43,520 --a------ c:\windows\system32\hdhgufd.exe2009-02-03 17:43 . 2009-02-03 17:43 43,520 --a------ c:\windows\system32\pphednnflwgjxq.exe2009-02-03 17:29 . 2009-02-03 17:29 43,520 --a------ c:\windows\system32\johjfcpftwddj.exe2009-02-03 11:35 . 2009-02-03 11:35 43,520 --a------ c:\windows\system32\iiznw.exe2009-02-02 15:44 . 2009-02-02 15:44 43,520 --a------ c:\windows\system32\upzwec.exe2009-02-02 15:18 . 2009-02-02 15:18 43,520 --a------ c:\windows\system32\ahxjq.exe2009-02-02 14:30 . 2009-02-02 14:30 <DIR> d-------- c:\program files\Trend Micro2009-02-02 14:26 . 2009-02-02 14:26 43,520 --a------ c:\windows\system32\oesrlrow.exe2009-02-02 11:12 . 2009-02-02 11:12 43,520 --a------ c:\windows\system32\fwwamhi.exe2009-01-20 23:01 . 2009-01-20 23:01 <DIR> d-------- c:\windows\Sun2009-01-18 16:16 . 2009-01-18 16:16 <DIR> d-------- c:\documents and settings\User One\Application Data\Malwarebytes2009-01-18 16:15 . 2009-01-18 16:15 <DIR> d-------- c:\program files\iPod2009-01-18 16:15 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys2009-01-18 16:14 . 2009-01-18 16:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware2009-01-18 16:14 . 2009-01-18 16:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes2009-01-18 16:14 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys2009-01-16 13:05 . 2008-11-13 15:18 1,221,008 --a------ c:\windows\system32\zpeng25.dll2009-01-16 13:05 . 2009-01-16 13:05 348,220 --a------ c:\windows\system32\vsconfig.xml2009-01-16 13:05 . 2009-01-16 13:05 4,212 --ah----- c:\windows\system32\zllictbl.dat2009-01-16 11:29 . 2009-01-19 01:35 <DIR> d-------- c:\program files\SUPERAntiSpyware2009-01-16 11:29 . 2009-01-16 11:29 <DIR> d-------- c:\documents and settings\User One\Application Data\SUPERAntiSpyware.com2009-01-16 11:29 . 2009-01-16 11:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com2009-01-15 21:03 . 2009-01-15 21:03 89,088 --a------ c:\windows\system32\ctfmon.exe2009-01-15 17:21 . 2009-01-15 17:21 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard2009-01-15 17:16 . 2009-01-15 17:16 <DIR> d-------- c:\windows\system32\scripting2009-01-15 17:15 . 2008-04-13 22:58 2,940,928 -----c--- c:\windows\system32\dllcache\wmploc.dll2009-01-15 17:14 . 2008-04-14 05:43 2,109,440 -----c--- c:\windows\system32\dllcache\wmvcore.dll2009-01-15 17:14 . 2008-04-14 05:42 809,984 -----c--- c:\windows\system32\dllcache\wmvdmod.dll2009-01-15 17:14 . 2008-04-14 05:42 759,296 -----c--- c:\windows\system32\dllcache\wmsdmod.dll2009-01-15 17:14 . 2008-04-14 05:42 303,616 -----c--- c:\windows\system32\dllcache\wmstream.dll2009-01-15 17:14 . 2008-04-14 05:42 278,559 -----c--- c:\windows\system32\dllcache\wmv8ds32.ax2009-01-15 17:14 . 2008-04-14 05:42 258,048 -----c--- c:\windows\system32\dllcache\wmvds32.ax2009-01-15 17:14 . 2008-04-13 22:06 144,384 --------- c:\windows\system32\drivers\hdaudbus.sys2009-01-15 17:14 . 2008-04-14 05:42 115,200 -----c--- c:\windows\system32\dllcache\wmsdmoe.dll2009-01-15 17:14 . 2008-04-14 05:42 20,480 -----c--- c:\windows\system32\dllcache\wmpui.dll2009-01-15 17:13 . 2006-12-29 00:31 19,569 --a------ c:\windows\005146_.tmp2009-01-15 17:13 . 2008-04-14 00:10 10,240 --------- c:\windows\system32\drivers\sffp_mmc.sys2009-01-14 20:50 . 2009-01-14 20:50 <DIR> d-------- c:\documents and settings\User One\Application Data\OpenOffice.org2009-01-14 20:48 . 2009-01-14 20:48 <DIR> d-------- c:\program files\OpenOffice.org 32009-01-14 20:48 . 2009-01-14 20:48 <DIR> d-------- c:\program files\JRE2009-01-14 20:48 . 2009-01-14 20:48 <DIR> d-------- c:\program files\Java2009-01-14 20:48 . 2009-01-14 20:48 <DIR> d-------- c:\program files\Common Files\Java2009-01-14 20:48 . 2008-06-10 02:32 73,728 --a------ c:\windows\system32\javacpl.cpl2009-01-14 20:45 . 2009-01-14 20:46 <DIR> d-------- c:\program files\OpenOfficeorg32009-01-14 19:44 . 2009-02-03 21:59 5,109 --a------ c:\windows\system32\drivers\kljgkg.sys2009-01-13 13:51 . 2008-04-14 05:42 221,184 --a------ c:\windows\system32\wmpns.dll2009-01-13 13:47 . 2009-01-15 17:17 <DIR> d-------- c:\windows\ServicePackFiles2009-01-13 13:46 . 2008-04-13 23:09 2,897,920 --------- c:\windows\system32\xpsp2res.dll2009-01-13 13:45 . 2007-08-10 20:46 26,488 --a------ c:\windows\system32\spupdsvc.exe2009-01-13 13:45 . 2004-07-17 11:40 19,528 --a------ c:\windows\002160_.tmp2009-01-13 13:43 . 2009-01-15 17:09 <DIR> d-------- c:\windows\EHome2009-01-11 18:29 . 2009-01-11 18:29 75,776 --ah----- c:\windows\system32\gbrv.exe2009-01-11 18:26 . 2009-01-11 18:26 75,776 --ah----- c:\windows\system32\jqwwpb.exe2009-01-06 01:11 . 2009-01-06 01:11 68,608 --ah----- c:\windows\system32\hjuytd.exe2009-01-04 23:05 . 2009-01-04 23:05 74,752 --ah----- c:\windows\system32\adgoms.exe.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-02-03 21:52 39,936 ----a-w c:\windows\system32\wmfptc32.dll2009-01-19 01:35 --------- d-----w c:\program files\iTunes2009-01-16 13:08 121,344 ----a-w c:\windows\Internet Logs\xDB24C.tmp2009-01-14 22:45 --------- d-----w c:\program files\SpywareBlaster2009-01-14 22:45 --------- d-----w c:\program files\Spybot - Search & Destroy2009-01-12 14:49 --------- d-----w c:\program files\Opera2008-12-30 15:50 73,216 ---ha-w c:\windows\system32\okxfeof.exe2005-11-28 14:47 21 ----a-w c:\program files\AVPersonalAVWIN.INI2001-11-23 04:08 712,704 ----a-w c:\windows\inf\OTHER\AUDIO3D.DLL.------- Sigcheck -------2004-08-04 00:56 44032 97e1ef029c968b457abb70e28f27b892 c:\windows\$NtServicePackUninstall$\ctfmon.exe2008-04-14 05:42 44032 1b513a83c7b862daca38de1b731c0040 c:\windows\ServicePackFiles\i386\ctfmon.exe2009-01-15 21:03 89088 35eb8dce4aab288029eff8bc9e9a6486 c:\windows\system32\ctfmon.exe.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2009-01-15 89088]"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-19 1900544][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"B'sCLiP"="c:\progra~1\B'SCLI~1\Win2K\BSCLIP.exe" [2007-11-17 1499136]"WinampAgent"="c:\program files\Winamp\Winampa.exe" [2007-11-17 132608]"PCguardadvisor.exe"="c:\program files\blueyonder\PCguard advisor\PCguardadvisor.exe" [2007-11-17 2007040]"PCguard"="c:\program files\blueyonder\PCguard\Rps.exe" [2007-11-17 393216]"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-17 274432]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-19 352256]"UeQaYzakOp"="c:\windows\system32\hdhgufd.exe" [2009-02-03 43520]"Ptipbmf"="ptipbmf.dll" [2003-06-05 c:\windows\system32\ptipbmf.dll][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2009-01-15 89088]c:\documents and settings\User One\Start Menu\Programs\Startup\OpenOffice.org 1.0.1.lnk - c:\program files\OpenOffice.org1.0.1\program\quickstart.exe [10/28/2007 11:08:48 AM 180224]OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [1/15/2009 9:03:33 PM 457728]c:\documents and settings\All Users\Start Menu\Programs\Startup\CoreCenter.lnk - c:\program files\MSI\Core Center\CoreCenter.exe [12/4/2007 8:59:16 PM 2613248]RAMASST.lnk - c:\windows\system32\RAMASST.exe [9/28/2007 11:02:55 AM 197656][hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2002-03-28 77824]"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll[HKEY_LOCAL_MACHINE\software\microsoft\security center]"AntiVirusDisableNotify"=dword:00000001"UpdatesDisableNotify"=dword:00000001"AntiVirusOverride"=dword:00000001"FirewallOverride"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"=R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [3/19/2004 5:47:29 PM 9344]R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/22/2008 11:06:00 AM 8944]R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/22/2008 11:05:58 AM 55024]R2 BsUDF;B.H.A UDF Filesystem;c:\windows\system32\drivers\BsUDF.sys [3/19/2004 5:47:28 PM 390400]R3 s3legacy;s3legacy;c:\windows\system32\drivers\s3legacy.sys [3/18/2004 6:06:37 PM 65664]R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/22/2008 11:06:02 AM 7408]R4 NdisFileServices32;NdisFileServices32;c:\windows\system32\drivers\kljgkg.sys [1/14/2009 7:44:07 PM 5109]S2 AVWUpSrv;AntiVir Update;"c:\program files\AVPersonal\AVWUPSRV.EXE" --> c:\program files\AVPersonal\AVWUPSRV.EXE [?]S3 avgntdd;avgntdd;c:\program files\AVPersonal\AVGNTDD.SYS [12/10/2004 12:46:36 PM 32560]--- Other Services/Drivers In Memory ---*Deregistered* - PCAlertDriver*Deregistered* - RushTopDevice.- - - - ORPHANS REMOVED - - - -HKCU-Run-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exeHKLM-Run-KHVUII_akXLNZ_J - c:\windows\system32\bdfyytlfshlqh.exeHKLM-Run-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exeHKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_07\bin\jusched.exeHKLM-Run-ZoneAlarm Client - c:\program files\Zone Labs\ZoneAlarm\zlclient.exeHKLM-Run-Cmaudio - cmicnfg.cpl.------- Supplementary Scan -------.uStart Page = about:blankDPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab.**************************************************************************catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-02-03 21:59:17Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(1008)c:\program files\SUPERAntiSpyware\SASWINLO.dllc:\windows\system32\adsldpc.dll.Completion time: 2009-02-03 22:01:51ComboFix-quarantined-files.txt 2009-02-03 22:01:49Pre-Run: 79,794,221,056 bytes freePost-Run: 80,398,155,776 bytes freeWindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS[operating systems]c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdconsmulti(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn180--------------------------------------------Logfile of Trend Micro HijackThis v2.0.2Scan saved at 22:12:00, on 03/02/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\blueyonder\PCguard\fws.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\System32\DVDRAMSV.exeC:\Program Files\Common Files\Command Software\dvpapi.exeC:\Program Files\QuickTime\qttask.exeC:\Program Files\iTunes\iTunesHelper.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\RAMASST.exeC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\OpenOffice.org 3\program\soffice.exeC:\Program Files\OpenOffice.org 3\program\soffice.binC:\WINDOWS\system32\wuauclt.exeC:\WINDOWS\system32\notepad.exeC:\WINDOWS\explorer.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blankR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.demon.net/"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dllO2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\blueyonder\PCguard\FBHR.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheModeO4 - HKLM\..\Run: [b'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exeO4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\Rps.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [ueQaYzakOp] C:\WINDOWS\system32\hdhgufd.exeO4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeO4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exeO4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exeO4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exeO4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exeO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: AntiVir Service (AntiVirService) - Unknown owner - C:\Program Files\AVPersonal\AVGUARD.EXE (file missing)O23 - Service: AntiVir Update (AVWUpSrv) - Unknown owner - C:\Program Files\AVPersonal\AVWUPSRV.EXE (file missing)O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exeO23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe--End of file - 5763 bytes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 4, 2009 Root Admin ID:53341 Share Posted February 4, 2009 STEP 1Please download this tool and run it and then post back the results. reglooks.exeSTEP 2With all other applications closed (Taskbar empty), open HijackThis againand run Do a system scan only and place a check mark on the following items.O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO4 - HKLM\..\Run: [ueQaYzakOp] C:\WINDOWS\system32\hdhgufd.exeO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dlThen Quit All Browsers including the one you're reading this in now.Then click on Fix checked and then quit HJTSTEP 3Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVAWhen we're done you can go back and install the latest version but for now please do not install any.Then run this tool to help cleanup any left over JavaYour Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.Please download JavaRa and unzip it to your desktop.***Please close any instances of Internet Explorer (or other web browser) before continuing!***Double-click on JavaRa.exe to start the program.From the drop-down menu, choose English and click on Select.JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.A logfile will pop up. Please save it to a convenient location and post it back when you replyThen look for the following Java folders and if found delete them.C:\Program Files\JavaC:\Program Files\Common Files\JavaC:\Documents and Settings\All Users\Application Data\JavaC:\Documents and Settings\All Users\Application Data\Sun\JavaC:\Documents and Settings\username\Application Data\JavaC:\Documents and Settings\username\Application Data\Sun\JavaSTEP 4Download and install CCleanerCCleaner Double-click on the downloaded file "ccsetup216.exe" and install the application.Keep the default installation folder "C:\Program Files\CCleaner"Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"Click finish when done and close ALL PROGRAMSStart the CCleaner program.Click on Registry and Uncheck Registry Integrity so that it does not runClick on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log FilesClick on Run Cleaner button on the bottom right side of the program.Click OK to any promptsSTEP 5Please download Avenger 2.0 from hereOpen and copy the program file avenger.exe to your Desktop then double click to start it.Copy and paste the following text from the code box below into the main window of Avenger.Drivers to delete:NdisFileServices32Registry keys to delete:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisFileServices32HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDISFILESERVICES32Files to delete:c:\windows\system32\drivers\kljgkg.sysc:\windows\system32\hdhgufd.exec:\windows\system32\pphednnflwgjxq.exec:\windows\system32\johjfcpftwddj.exec:\windows\system32\iiznw.exec:\windows\system32\upzwec.exec:\windows\system32\ahxjq.exec:\windows\system32\oesrlrow.exec:\windows\system32\fwwamhi.exec:\windows\005146_.tmpc:\windows\system32\javacpl.cplc:\windows\002160_.tmpc:\windows\system32\gbrv.exec:\windows\system32\jqwwpb.exec:\windows\system32\hjuytd.exec:\windows\system32\adgoms.exec:\windows\system32\wmfptc32.dllc:\windows\Internet Logs\xDB24C.tmpc:\windows\system32\okxfeof.exeDo not check any other boxes, uncheck Scan for Rootkits if it's checkedClose all other running applicationsAfter pasting the text into the main window, click on ExecuteOnce Avenger is done run MBAM, go to the UDPATE tab and update the program again and do a Quick Scan.Fix anything found and reboot the computer. Then run a new HJT log and post back all logs.STEP 6Now let's see if you can run MBAM or not.Update and Scan with Malwarebytes' Anti-MalwareStart MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.Update Malwarebytes' Anti-Malware Select the Update tabClick Update[*]When the update is complete, select the Scanner tab[*]Select Perform quick scan, then click Scan.[*]When the scan is complete, click OK, then Show Results to view the results.[*]Be sure that everything is checked, and click Remove Selected.[*]When completed, a log will open in Notepad. please copy and paste the log into your next reply If you accidently close it, the log file is saved here and will be named like this:C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txtThen RESTART the computerAFTER the reboot run HJT Do a system scan and save a logfileThe post back NEW MBAM and HJT logs in that order please. Link to post Share on other sites More sharing options...
fmajor7th Posted February 8, 2009 Author ID:54802 Share Posted February 8, 2009 Hello malwarebytes,Thank you again for your full and clear response; I appreciate the considerable time and effort you are dedicating to my case. Report: STEP 1: reglooks: d/l OK; on running, the program reported a number of 'could not find' and 'does not exist' warnings on its screen; otherwise, it seemed to run and finish OK. Logs pasted below as requested. STEP 2: HJT: did a scan and checked the 5 items you specified, as requested (of course, the name of the exe file associated with UeQaYzakOp entry changes on every start up, so the file in the list I checked to be fixed had, of course, a different exe name to the one shown in your statement). Clicked fix; seemed to run OK - these items specified were accurately listed in the backups log on completion (did not delete them). IMPORTANT, PLEASE NOTE: a new entry: O4 - HKLM\..\RunServices: [ueQaYzakOp] C:\WINDOWS\system32\nlqpj.exe was generated by the scan; I did NOT check and fix this – but thinking further about it (as I believe UeQaYzakOp is the/a malware) perhaps I should have done? STEP 3: Java removal; removed Java and Java 6 update 7 via Windows Add/Remove; d/l and ran JavaRa (logs below) seemed OK; later manually deleted, as requested, lots of small files and then folders in C:\Docsandset\username\appdata\Sun\Java – , plus a .java folder. Seems to have worked – not present in later logs. Cant find/see any further java. STEP 4: CCleaner. d/l and installed to desktop OK (unchecked boxes to leave 'make desktop icon' only in set up). All OK, however, app. would not run: on d/clicking, program loaded and showed its first page normally but only for c. 3 seconds then disappeared from the screen. So, this program was NOT executed at this time. Your comments would be most welcome here.STEP 5: Avenger: d/l OK; copied and pasted your code as requested into main page. Unchecked roots option as requested and clicked execute. It reported that it had prepared successfully and was ready to execute on rebooting; then did so. System rebooted normally but no sign of Avenger or any report; I cannot be certain that this application ran OK or what the results were. STEP 6: MBAM: seemed to run OK logs below as requested; HJT: ran OK log below as requested.Other notes/noticings: 20 or so tmp files remain in Task Manager processes and end process remains disabled; probably not relevant but something odd was happening with Netscape during above step sequence: the icon was replaced by an IE icon; and it was replaced by IE as my default browser.Thank you once again for your ongoing efforts; it may be cornered but it looks like our malware is not giving up without a fight! A little knowledge is probably a dangerous thing but I'm thinking, by not checking/fixing that other new UeQaYzakOp runservices entry above in Step 2, I may have allowed the malware to slip through again. Please advise. Fmajor7thREGLOOKS logfileversion 0.97708/02/2009 18:18:49.46running from: "C:\Documents and Settings\User One\My Documents\My Pictures"--- SSODL regkeys ---HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoadonly standard or legit regkeys found --- STS regkeys ---HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduleronly standard or legit regkeys found --- USERINIT regkey ---HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"--- SHELL regkey ---HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"Shell"="Explorer.exe"--- SYSTEM regkey ---HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"System"=""--- APPINIT_DLLS regkey --- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows"AppInit_DLLs"=""--- NOTIFY regkeys ---HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"!SASWinLogon" "DllName"="C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll""dimsntfy" "DllName"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\--- BOOTEXECUTE regkey ---HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session ManagerBootExecute= autocheck autochk *\0\0--- PENDINGFILERENAMEOPERATIONS regkey ---HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session ManagerPendingfilerenameoperations= \??\C:\Program Files\OpenOffice.org 3\program\quickstart.exe.tmp\0\??\C:\Program Files\OpenOffice.org 3\program\quickstart.exe\0\0--- SHELLEXECUTEHOOKS regkey ---HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="""{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="Eudora's Shell Extension""{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""--- HKLM\Run regkeys ---HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"Ptipbmf"="rundll32.exe ptipbmf.dll,SetWriteCacheMode""B'sCLiP"="C:\\PROGRA~1\\B'SCLI~1\\Win2K\\BSCLIP.exe""WinampAgent"="\"C:\\Program Files\\Winamp\\Winampa.exe\"""PCguardadvisor.exe"="\"C:\\Program Files\\blueyonder\\PCguard advisor\\PCguardadvisor.exe\"""PCguard"="\"C:\\Program Files\\blueyonder\\PCguard\\Rps.exe\"""QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime""iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"""UeQaYzakOp"="C:\\WINDOWS\\system32\\nlqpj.exe"--- HKLM\RunOnce regkeys ---HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceno HKLM RunOnce keys found--- HKLM\RunOnceEx regkeys ---HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceExno HKLM RunOnceEx keys found--- HKLM\RunServices regkeys ---HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"UeQaYzakOp"="C:\\WINDOWS\\system32\\nlqpj.exe"--- HKLM\RunServicesOnce regkeys ---HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnceno HKLM RunServicesOnce keys found--- HKCU\Run regkeys ---HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe""SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"--- HKCU\RunOnce regkeys ---HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceno HKCU RunOnce keys found--- HKCU\RunOnceEx regkeys ---HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceExregkey does not exist --- HKCU\RunServices regkeys ---HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesno HKCU RunServices keys found--- HKCU\RunServicesOnce regkeys ---HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnceno HKCU RunServicesOnce keys found--- HKU\.DEFAULT\Run regkeys - Default user ---HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"--- HKU\S-1-5-18\Run regkeys - user SYSTEM ---HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"--- HKU\S-1-5-19\Run regkeys - User Lokale service ---HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Runregkey does not exist --- HKU\S-1-5-20\Run regkeys - User Netwerkservice ---HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Runregkey does not exist --- HKLM\Explorer\Run regkeys ---HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Runno HKLM Explorer\Run keys found--- HKCU\Explorer\Run regkeys ---HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Runno HKCU Explorer\Run keys found--- Image File Execution regkeys ---HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Optionsno debuggers found--- BROWSER HELPER OBJECTS regkeys ---HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}" FILE ="C:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll""{3C060EA2-E6A9-4E49-A530-D4657B8C449A}" FILE ="C:\\Program Files\\blueyonder\\PCguard\\pkR.dll""{53707962-6F74-2D53-2644-206D7942484F}" FILE ="C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll""{56071E0D-C61B-11D3-B41C-00E02927A304}" FILE ="C:\\Program Files\\blueyonder\\PCguard\\FBHR.dll""{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" FILE ="C:\\Program Files\\Java\\jre1.6.0_07\\bin\\ssv.dll"--- TOOLBAR regkeys ---HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbarno toolbars found --- URLSEARCHHOOKS regkeys ---HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooksonly standard regkeys found --- CONTEXTMENUHANDLERS regkeys ---HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers"Offline Files" CLSID ={750fdf0e-2a26-11d1-a3ea-080036587f03} FILE =%SystemRoot%\System32\cscui.dll "Open With" CLSID ={09799AFB-AD67-11d1-ABCD-00C04FC30936} FILE =%SystemRoot%\system32\SHELL32.dll "Open With EncryptionMenu" CLSID ={A470F8CF-A1E8-4f65-8335-227475AA5C46} FILE =%SystemRoot%\system32\SHELL32.dll "yEnc32" CLSID ={8CDA2F05-B2BA-4AC7-B731-51E9E6B006E1} FILE ="C:\\Program Files\\eSite Media\\yEnc32\\yEnc32Shell.dll""{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}" Start Menu Pin FILE =%SystemRoot%\system32\SHELL32.dll "{CA8ACAFA-5FBB-467B-B348-90DD488DE003}" SUPERAntiSpyware Context Menu FILE ="C:\\Program Files\\SUPERAntiSpyware\\SASCTXMN.DLL""{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}" ECHO is off. FILE ="C:\\Program Files\\blueyonder\\PCguard\\AVCntxtR.dll"HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers"EncryptionMenu" CLSID ={A470F8CF-A1E8-4f65-8335-227475AA5C46} FILE =%SystemRoot%\system32\SHELL32.dll "Offline Files" CLSID ={750fdf0e-2a26-11d1-a3ea-080036587f03} FILE =%SystemRoot%\System32\cscui.dll "Sharing" CLSID ={f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} FILE ="ntshrui.dll""{CA8ACAFA-5FBB-467B-B348-90DD488DE003}" SUPERAntiSpyware Context Menu FILE ="C:\\Program Files\\SUPERAntiSpyware\\SASCTXMN.DLL""{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}" ECHO is off. FILE ="C:\\Program Files\\blueyonder\\PCguard\\AVCntxtR.dll"HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers"MBAMShlExt" CLSID ={57CE581A-0CB6-4266-9CA0-19364C90A0B3} FILE ="C:\\Program Files\\Malwarebytes' Anti-Malware\\mbamext.dll""{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}" ECHO is off. FILE ="C:\\Program Files\\blueyonder\\PCguard\\AVCntxtR.dll"--- SAFEBOOT MINIMAL SERVICES ---HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimalno unknown services found --- SAFEBOOT NETWORK SERVICES ---HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Networkno unknown services found --- SERVICES --- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avgntdd "DisplayName"="avgntdd" \??\C:\Program Files\AVPersonal\AVGNTDD.SYSHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVWUpSrv "DisplayName"="AntiVir Update" "C:\Program Files\AVPersonal\AVWUPSRV.EXE"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BsStor "DisplayName"="B.H.A Storage Helper Driver" no imagepath value found HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BsUDF "DisplayName"="B.H.A UDF Filesystem" no imagepath value found HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CSS DVP "DisplayName"="CSS DVP" System32\DRIVERS\css-dvp.sys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DVD-RAM_Service "DisplayName"="DVD-RAM_Service" C:\WINDOWS\System32\DVDRAMSV.exe HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dvpapi "DisplayName"="DvpApi" C:\Program Files\Common Files\Command Software\dvpapi.exeHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\E1000 "DisplayName"="Intel® PRO/1000 Adapter Driver" System32\DRIVERS\e1000325.sys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fasttx2k system32\drivers\fasttx2k.sys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Freedom "DisplayName"="Freedom Miniport" System32\DRIVERS\FREEDOM.SYS HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FreeTdi "DisplayName"="Radialpoint Filter" System32\Drivers\FreeTdi.sys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GMSIPCI "DisplayName"="GMSIPCI" \??\D:\INSTALL\GMSIPCI.SYS HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HCF_MSFT System32\DRIVERS\HCF_MSFT.sys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InternetClient no imagepath value found HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\meiudf "DisplayName"="meiudf" System32\Drivers\meiudf.sys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCAlertDriver "DisplayName"="PCAlertDriver" \??\C:\Program Files\MSI\Core Center\NTGLM7X.sysHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RP_FWS "DisplayName"="PCguard Firewall" C:\Program Files\blueyonder\PCguard\fws.exeHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RushTopDevice "DisplayName"="RushTopDevice" \??\C:\Program Files\MSI\Core Center\RushTop.sysHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\s3legacy System32\DRIVERS\s3legacy.sys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SASDIFSV "DisplayName"="SASDIFSV" \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYSHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SASENUM "DisplayName"="SASENUM" \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYSHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SASKUTIL "DisplayName"="SASKUTIL" \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sysHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swwd no imagepath value found HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VXD no imagepath value found HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{39993C85-56C8-4EA1-A198-F9864F0EAFCB} no imagepath value found HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{5F161803-BD67-4794-A14E-D67C1A3C0252} no imagepath value found --- SECURITYPROVIDERS regkey ---HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"--- SVCHOST regkey ---HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\SvchostLocalService: Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0NetworkService: DnsCache\0\0netsvcs: 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0TermService\0wuauserv\0BITS\0ShellHWDetection\0helpsvc\0xmlprov\0wscsvc\0WmdmPmSN\0napagent\0hkmsvc\0\0rpcss: RpcSs\0\0imgsvc: StiSvc\0\0termsvcs: TermService\0\0HTTPFilter: HTTPFilter\0\0DcomLaunch: DcomLaunch\0TermService\0\0eapsvcs: eaphost\0\0dot3svc: dot3svc\0\0--- WOW-CMDLINE regkeys ---HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW"cmdline" = %SystemRoot%\system32\ntvdm.exe "wowcmdline" = %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386--- DNS SERVER regkeys ---no "NameServer" values found--- STARTUP FOLDERS ---C:\Documents and Settings\User One\Start Menu\Programs\Startup\desktop.iniC:\Documents and Settings\User One\Start Menu\Programs\Startup\OpenOffice.org 1.0.1.lnkC:\Documents and Settings\User One\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnkC:\Documents and Settings\All Users\Start Menu\Programs\Startup\CoreCenter.lnkC:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.iniC:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk--- TASK SCHEDULER JOBS ---no .job files found --- File associations ---.BAT files: ("%1" %*).COM files: ("%1" %*).EXE files: ("%1" %*).HLP files: (%SystemRoot%\System32\winhlp32.exe %1).INF files: (%SystemRoot%\System32\NOTEPAD.EXE %1).INI files: (%SystemRoot%\System32\NOTEPAD.EXE %1).JS files: (%SystemRoot%\System32\WScript.exe "%1" %*).PIF files: ("%1" %*).REG files: (regedit.exe "%1").SCR files: ("%1" /S).TXT files: (%SystemRoot%\system32\NOTEPAD.EXE %1).VBS files: (%SystemRoot%\System32\WScript.exe "%1" %*)FINISHED-----------------------------------------------------JavaRa 1.13 Removal Log.Report follows after line.------------------------------------The JavaRa removal process was started on Sun Feb 08 18:45:17 2009Found and removed: C:\Program Files\JavaSoft------------------------------------Finished reporting.------------------------------------Malwarebytes' Anti-Malware 1.33Database version: 1739Windows 5.1.2600 Service Pack 308/02/2009 20:55:50mbam-log-2009-02-08 (20-55-50).txtScan type: Quick ScanObjects scanned: 46118Time elapsed: 2 minute(s), 54 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 1Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptipbmf (Trojan.Agent) -> Quarantined and deleted successfully.Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)--------------------------------------------Logfile of Trend Micro HijackThis v2.0.2Scan saved at 21:26:27, on 08/02/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\blueyonder\PCguard\fws.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\System32\DVDRAMSV.exeC:\Program Files\Common Files\Command Software\dvpapi.exeC:\Program Files\QuickTime\qttask.exeC:\Program Files\iTunes\iTunesHelper.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~3A.tmp.exeC:\WINDOWS\system32\ctfmon.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~3B.tmp.exeC:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~4B.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~41.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~4A.tmp.exeC:\Program Files\MSI\Core Center\CoreCenter.exeC:\WINDOWS\system32\RAMASST.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~6C.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~5D.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~5E.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~70.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~71.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~74.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~78.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~7F.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~80.tmp.exeC:\Program Files\iPod\bin\iPodService.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~83.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~85.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~87.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~88.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~8B.tmp.exeC:\Program Files\OpenOffice.org 3\program\soffice.exeC:\Program Files\OpenOffice.org 3\program\soffice.binC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~8D.tmp.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blankR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.demon.net/"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\blueyonder\PCguard\FBHR.dllO4 - HKLM\..\Run: [b'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exeO4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\Rps.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [ueQaYzakOp] C:\WINDOWS\system32\untoevl.exeO4 - HKLM\..\RunServices: [ueQaYzakOp] C:\WINDOWS\system32\untoevl.exeO4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeO4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exeO4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exeO4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exeO4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exeO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: AntiVir Service (AntiVirService) - Unknown owner - C:\Program Files\AVPersonal\AVGUARD.EXE (file missing)O23 - Service: AntiVir Update (AVWUpSrv) - Unknown owner - C:\Program Files\AVPersonal\AVWUPSRV.EXE (file missing)O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exeO23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe--End of file - 6283 bytes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 9, 2009 Root Admin ID:54906 Share Posted February 9, 2009 Yeah something still there. Please run this tool.Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofixPlease ensure you read this guide carefully and install the Recovery Console first.NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the programAdditional links to download the tool:ComboFix.exeComboFix.exeComboFix.exeNote: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.Once installed, you should see a blue screen prompt that says:The Recovery Console was successfully installed.Please continue as follows:Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.Click Yes to allow ComboFix to continue scanning for malware.When the tool is finished, it will produce a report for you.Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system. Link to post Share on other sites More sharing options...
fmajor7th Posted February 9, 2009 Author ID:55045 Share Posted February 9, 2009 Hello again,Thank you for your reply. I followed your instructions: ComboFix (downloaded/run previously with WRC) ran OK - all 50stages. It produced a set of logs, pasted below. Since the infection of my machine some months ago, I have run maybe 10-12 different antivirus/spyware programs. ComboFix is the only one that removes the malware tmp files (as the logs for HJT - run immediately after - show) and in doing so, returns my system temporarily to a state of operating and CPU normality. However, the logs also show that what I assume to be the root/spawner of those files - UeQaYzakOp - remains in the system as an HKLM\ \Run entry and an HKLM\ \Runservices entry, ready to do its work again on next start up. In your previous reply instructions, you asked me to check and fix 5 items in the HJT scan including the UeQaYzakOp entry; I notice that all the other four items have been removed; only this entry was not removed (or has returned). Should I try to check and fix these two items? CCleaner, loaded as per your instructions last time, still fails to run; the desktop short-cut was also disabled, so I have had to reload the program but with same results. Is this the malware? Thank you once again for your continued efforts; I look forward to your reply.Fmajor7thComboFix 09-02-02.04 - User One 2009-02-09 21:06:44.2 - NTFSx86Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.734 [GMT 0:00]Running from: c:\documents and settings\User One\Desktop\ComboFix.exeAV: PCguard Anti-Virus *On-access scanning disabled* (Outdated)FW: PCguard Firewall *enabled*.((((((((((((((((((((((((( Files Created from 2009-01-09 to 2009-02-09 ))))))))))))))))))))))))))))))).2009-02-09 17:40 . 2009-02-09 17:40 43,520 --a------ c:\windows\system32\yhixl.exe2009-02-08 20:43 . 2009-02-09 21:08 5,109 --a------ c:\windows\system32\drivers\kljgkg.sys2009-02-08 20:41 . 2009-02-08 20:41 3,453 --a------ C:\backup.reg2009-02-08 19:43 . 2009-02-09 19:19 <DIR> d-------- c:\program files\CCleaner2009-02-02 14:30 . 2009-02-02 14:30 <DIR> d-------- c:\program files\Trend Micro2009-01-20 23:01 . 2009-01-20 23:01 <DIR> d-------- c:\windows\Sun2009-01-18 16:16 . 2009-01-18 16:16 <DIR> d-------- c:\documents and settings\User One\Application Data\Malwarebytes2009-01-18 16:15 . 2009-01-18 16:15 <DIR> d-------- c:\program files\iPod2009-01-18 16:15 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys2009-01-18 16:14 . 2009-01-18 16:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware2009-01-18 16:14 . 2009-01-18 16:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes2009-01-18 16:14 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys2009-01-16 13:05 . 2008-11-13 15:18 1,221,008 --a------ c:\windows\system32\zpeng25.dll2009-01-16 13:05 . 2009-01-16 13:05 348,220 --a------ c:\windows\system32\vsconfig.xml2009-01-16 13:05 . 2009-01-16 13:05 4,212 --ah----- c:\windows\system32\zllictbl.dat2009-01-16 11:29 . 2009-02-04 00:20 <DIR> d-------- c:\program files\SUPERAntiSpyware2009-01-16 11:29 . 2009-01-16 11:29 <DIR> d-------- c:\documents and settings\User One\Application Data\SUPERAntiSpyware.com2009-01-16 11:29 . 2009-01-16 11:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com2009-01-15 21:03 . 2009-01-15 21:03 89,088 --a------ c:\windows\system32\ctfmon.exe2009-01-15 17:21 . 2009-01-15 17:21 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard2009-01-15 17:16 . 2009-01-15 17:16 <DIR> d-------- c:\windows\system32\scripting2009-01-15 17:15 . 2008-04-13 22:58 2,940,928 -----c--- c:\windows\system32\dllcache\wmploc.dll2009-01-15 17:14 . 2008-04-14 05:43 2,109,440 -----c--- c:\windows\system32\dllcache\wmvcore.dll2009-01-15 17:14 . 2008-04-14 05:42 809,984 -----c--- c:\windows\system32\dllcache\wmvdmod.dll2009-01-15 17:14 . 2008-04-14 05:42 759,296 -----c--- c:\windows\system32\dllcache\wmsdmod.dll2009-01-15 17:14 . 2008-04-14 05:42 303,616 -----c--- c:\windows\system32\dllcache\wmstream.dll2009-01-15 17:14 . 2008-04-14 05:42 278,559 -----c--- c:\windows\system32\dllcache\wmv8ds32.ax2009-01-15 17:14 . 2008-04-14 05:42 258,048 -----c--- c:\windows\system32\dllcache\wmvds32.ax2009-01-15 17:14 . 2008-04-13 22:06 144,384 --------- c:\windows\system32\drivers\hdaudbus.sys2009-01-15 17:14 . 2008-04-14 05:42 115,200 -----c--- c:\windows\system32\dllcache\wmsdmoe.dll2009-01-15 17:14 . 2008-04-14 05:42 20,480 -----c--- c:\windows\system32\dllcache\wmpui.dll2009-01-15 17:13 . 2008-04-14 00:10 10,240 --------- c:\windows\system32\drivers\sffp_mmc.sys2009-01-14 20:50 . 2009-01-14 20:50 <DIR> d-------- c:\documents and settings\User One\Application Data\OpenOffice.org2009-01-14 20:48 . 2009-01-14 20:48 <DIR> d-------- c:\program files\OpenOffice.org 32009-01-14 20:45 . 2009-01-14 20:46 <DIR> d-------- c:\program files\OpenOfficeorg32009-01-13 13:51 . 2008-04-14 05:42 221,184 --a------ c:\windows\system32\wmpns.dll2009-01-13 13:47 . 2009-01-15 17:17 <DIR> d-------- c:\windows\ServicePackFiles2009-01-13 13:46 . 2008-04-13 23:09 2,897,920 --------- c:\windows\system32\xpsp2res.dll2009-01-13 13:45 . 2007-08-10 20:46 26,488 --a------ c:\windows\system32\spupdsvc.exe2009-01-13 13:43 . 2009-01-15 17:09 <DIR> d-------- c:\windows\EHome.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-02-09 17:39 39,936 ----a-w c:\windows\system32\wmfptc32.dll2009-02-09 14:01 --------- d-----w c:\program files\True Sword 42009-01-19 01:35 --------- d-----w c:\program files\iTunes2009-01-14 22:45 --------- d-----w c:\program files\SpywareBlaster2009-01-14 22:45 --------- d-----w c:\program files\Spybot - Search & Destroy2009-01-12 14:49 --------- d-----w c:\program files\Opera2005-11-28 14:47 21 ----a-w c:\program files\AVPersonalAVWIN.INI2001-11-23 04:08 712,704 ----a-w c:\windows\inf\OTHER\AUDIO3D.DLL.------- Sigcheck -------2004-08-04 00:56 44032 97e1ef029c968b457abb70e28f27b892 c:\windows\$NtServicePackUninstall$\ctfmon.exe2008-04-14 05:42 44032 1b513a83c7b862daca38de1b731c0040 c:\windows\ServicePackFiles\i386\ctfmon.exe2009-01-15 21:03 89088 35eb8dce4aab288029eff8bc9e9a6486 c:\windows\system32\ctfmon.exe.((((((((((((((((((((((((((((( snapshot@2009-02-03_21.59.33.65 ))))))))))))))))))))))))))))))))))))))))).- 2000-08-31 08:00:00 89,504 ----a-w c:\windows\fdsv.exe+ 2000-08-31 08:00:00 114,688 ----a-w c:\windows\fdsv.exe- 2000-08-31 08:00:00 80,412 ----a-w c:\windows\grep.exe+ 2000-08-31 08:00:00 109,056 ----a-w c:\windows\grep.exe- 2000-08-31 08:00:00 98,816 ----a-w c:\windows\sed.exe+ 2000-08-31 08:00:00 127,488 ----a-w c:\windows\sed.exe- 2000-08-31 08:00:00 136,704 ----a-w c:\windows\SWSC.exe+ 2000-08-31 08:00:00 165,376 ----a-w c:\windows\SWSC.exe- 2000-08-31 08:00:00 212,480 ----a-w c:\windows\SWXCACLS.exe+ 2000-08-31 08:00:00 241,152 ----a-w c:\windows\SWXCACLS.exe+ 2009-02-09 21:06:56 16,384 ----atw c:\windows\temp\Perflib_Perfdata_ec8.dat- 2000-08-31 08:00:00 49,152 ----a-w c:\windows\VFIND.exe+ 2000-08-31 08:00:00 77,824 ----a-w c:\windows\VFIND.exe- 2000-08-31 08:00:00 68,096 ----a-w c:\windows\zip.exe+ 2000-08-31 08:00:00 96,768 ----a-w c:\windows\zip.exe.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2009-01-15 89088]"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-04 1945600][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"B'sCLiP"="c:\progra~1\B'SCLI~1\Win2K\BSCLIP.exe" [2007-11-17 1499136]"WinampAgent"="c:\program files\Winamp\Winampa.exe" [2007-11-17 132608]"PCguardadvisor.exe"="c:\program files\blueyonder\PCguard advisor\PCguardadvisor.exe" [2007-11-17 2007040]"PCguard"="c:\program files\blueyonder\PCguard\Rps.exe" [2007-11-17 393216]"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-17 274432]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-19 352256]"UeQaYzakOp"="c:\windows\system32\yhixl.exe" [2009-02-09 43520][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]"UeQaYzakOp"="c:\windows\system32\yhixl.exe" [2009-02-09 43520][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2009-01-15 89088]c:\documents and settings\User One\Start Menu\Programs\Startup\OpenOffice.org 1.0.1.lnk - c:\program files\OpenOffice.org1.0.1\program\quickstart.exe [10/28/2007 11:08:48 AM 180224]OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [1/15/2009 9:03:33 PM 457728]c:\documents and settings\All Users\Start Menu\Programs\Startup\CoreCenter.lnk - c:\program files\MSI\Core Center\CoreCenter.exe [12/4/2007 8:59:16 PM 2613248]RAMASST.lnk - c:\windows\system32\RAMASST.exe [9/28/2007 11:02:55 AM 197656][hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2002-03-28 77824]"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll[HKEY_LOCAL_MACHINE\software\microsoft\security center]"AntiVirusDisableNotify"=dword:00000001"UpdatesDisableNotify"=dword:00000001"AntiVirusOverride"=dword:00000001"FirewallOverride"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"=R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [3/19/2004 5:47:29 PM 9344]R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/22/2008 11:06:00 AM 8944]R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/22/2008 11:05:58 AM 55024]R2 BsUDF;B.H.A UDF Filesystem;c:\windows\system32\drivers\BsUDF.sys [3/19/2004 5:47:28 PM 390400]R3 s3legacy;s3legacy;c:\windows\system32\drivers\s3legacy.sys [3/18/2004 6:06:37 PM 65664]R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/22/2008 11:06:02 AM 7408]R4 NdisFileServices32;NdisFileServices32;c:\windows\system32\drivers\kljgkg.sys [2/8/2009 8:43:34 PM 5109]S2 AVWUpSrv;AntiVir Update;"c:\program files\AVPersonal\AVWUPSRV.EXE" --> c:\program files\AVPersonal\AVWUPSRV.EXE [?]S3 avgntdd;avgntdd;c:\program files\AVPersonal\AVGNTDD.SYS [12/10/2004 12:46:36 PM 32560]--- Other Services/Drivers In Memory ---*Deregistered* - PCAlertDriver*Deregistered* - RushTopDevice..------- Supplementary Scan -------.uStart Page = about:blankDPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab.**************************************************************************catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-02-09 21:07:59Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(1012)c:\program files\SUPERAntiSpyware\SASWINLO.dll.Completion time: 2009-02-09 21:09:58ComboFix-quarantined-files.txt 2009-02-09 21:09:57Pre-Run: 79,531,171,840 bytes freePost-Run: 79,572,631,552 bytes free162-------------------------------------------------Logfile of Trend Micro HijackThis v2.0.2Scan saved at 21:29:51, on 09/02/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\blueyonder\PCguard\fws.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\System32\DVDRAMSV.exeC:\Program Files\Common Files\Command Software\dvpapi.exeC:\Program Files\QuickTime\qttask.exeC:\Program Files\iTunes\iTunesHelper.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\RAMASST.exeC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\OpenOffice.org 3\program\soffice.exeC:\Program Files\OpenOffice.org 3\program\soffice.binC:\WINDOWS\system32\notepad.exeC:\WINDOWS\explorer.exeC:\WINDOWS\system32\taskmgr.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blankR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.demon.net/"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\blueyonder\PCguard\FBHR.dllO4 - HKLM\..\Run: [b'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exeO4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\Rps.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [ueQaYzakOp] C:\WINDOWS\system32\yhixl.exeO4 - HKLM\..\RunServices: [ueQaYzakOp] C:\WINDOWS\system32\yhixl.exeO4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeO4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exeO4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exeO4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exeO4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exeO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: AntiVir Service (AntiVirService) - Unknown owner - C:\Program Files\AVPersonal\AVGUARD.EXE (file missing)O23 - Service: AntiVir Update (AVWUpSrv) - Unknown owner - C:\Program Files\AVPersonal\AVWUPSRV.EXE (file missing)O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exeO23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe--End of file - 5247 bytes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 10, 2009 Root Admin ID:55172 Share Posted February 10, 2009 Download but do not yet run ComboFixIf you have a previous version of Combofix.exe, delete it and download a fresh copy.Download it to your DESKTOP - it MUST run from the Desktopdownload.bleepingcomputer.com/sUBs/ComboFix.exesubs.geekstogo.com/ComboFix.exeUsing your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank linesKILLALL::Driver::NdisFileServices32File::c:\windows\system32\yhixl.exec:\windows\system32\drivers\kljgkg.sysc:\windows\system32\drivers\kljgkg.sysC:\backup.regc:\windows\system32\vsconfig.xmlc:\windows\system32\wmfptc32.dllFolder::c:\windows\SunRegistry::[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"UeQaYzakOp"=-[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]"UeQaYzakOp"=-Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.Disconnect from the Internet. Disable your Antivirus software. If it has Script Blocking features, please disable these as well. A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed. When the scan completes Notepad will open with with your results log open. Do a File, Exit.A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.Post back the Combofix log please. Link to post Share on other sites More sharing options...
fmajor7th Posted February 10, 2009 Author ID:55291 Share Posted February 10, 2009 Hello again,Thanks for your reply – your instructions were very clear/straightforward. I deleted old CFix and d/l a fresh copy to my desktop; I copied your code to a Notepad file and named/located it as instructed. Because the UeQaYzakOp entry creates a new name for its exe file in its Windows\system32\ folder upon each start up, the name of the file today (I switch my machine off every night), was, of course, not yhixl.exe (as cited in your code) but txzskjybuznpz.exe (which you could not have known, of course). As I assume you are trying to delete this file, I took the initiative of carefully adding a single line with this file name into the deletions list in the Notepad script file. I hope this was the correct thing to do? (Of course, with the reboot between CF's execution and its log creation, the name of the exe file had changed again, this time to axhkssnsbzm). I assume with the registry deletions that you specified, your dash character in the code covers all/any file names that follow; having said that, I did not see any mention of registry changes whilst CF was running, and these actions appear not to be explicitly reported in the logs. Anyway, I closed everything down and drag/dropped the script onto CF which then started and appeared to run fine, listing its commands and all 50 stages, no problem. It rebooted and created the log below; I've also appended the catchme log which was produced. Unfortunately, it appears UeQaYzakOp is still with us and all its derivative tmp files are back running as processes; I was hopeful of CF, as it looks so promising but it seems not to have worked on this attempt. I guess this little bug has buried itself deep in my system and is hell-bent on survival... I continue to appreciate the time and effort you are dedicating to my case and look forward to your reply.Fmajor7thComboFix 09-02-08.02 - User One 2009-02-10 15:06:40.3 - NTFSx86Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.740 [GMT 0:00]Running from: c:\documents and settings\User One\Desktop\ComboFix.exeCommand switches used :: c:\documents and settings\User One\Desktop\CFscript.txtAV: PCguard Anti-Virus *On-access scanning disabled* (Outdated)FW: PCguard Firewall *enabled* * Created a new restore pointFILE ::C:\backup.regc:\windows\system32\drivers\kljgkg.sysc:\windows\system32\txzskjybuznpz.exec:\windows\system32\vsconfig.xmlc:\windows\system32\wmfptc32.dllc:\windows\system32\yhixl.exe.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).C:\backup.regc:\windows\Sunc:\windows\system32\drivers\kljgkg.sysc:\windows\system32\txzskjybuznpz.exec:\windows\system32\vsconfig.xmlc:\windows\system32\wmfptc32.dll.((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))).-------\Legacy_NDISFILESERVICES32-------\Service_NdisFileServices32((((((((((((((((((((((((( Files Created from 2009-01-10 to 2009-02-10 ))))))))))))))))))))))))))))))).2009-02-10 15:08 . 2009-02-10 15:08 43,520 --a------ c:\windows\system32\axhkssnsbzm.exe2009-02-08 19:43 . 2009-02-10 13:54 <DIR> d-------- c:\program files\CCleaner2009-02-02 14:30 . 2009-02-02 14:30 <DIR> d-------- c:\program files\Trend Micro2009-01-18 16:16 . 2009-01-18 16:16 <DIR> d-------- c:\documents and settings\User One\Application Data\Malwarebytes2009-01-18 16:15 . 2009-01-18 16:15 <DIR> d-------- c:\program files\iPod2009-01-18 16:15 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys2009-01-18 16:14 . 2009-01-18 16:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware2009-01-18 16:14 . 2009-01-18 16:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes2009-01-18 16:14 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys2009-01-16 13:05 . 2008-11-13 15:18 1,221,008 --a------ c:\windows\system32\zpeng25.dll2009-01-16 13:05 . 2009-01-16 13:05 4,212 --ah----- c:\windows\system32\zllictbl.dat2009-01-16 11:29 . 2009-02-04 00:20 <DIR> d-------- c:\program files\SUPERAntiSpyware2009-01-16 11:29 . 2009-01-16 11:29 <DIR> d-------- c:\documents and settings\User One\Application Data\SUPERAntiSpyware.com2009-01-16 11:29 . 2009-01-16 11:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com2009-01-15 21:03 . 2009-01-15 21:03 89,088 --a------ c:\windows\system32\ctfmon.exe2009-01-15 17:21 . 2009-01-15 17:21 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard2009-01-15 17:16 . 2009-01-15 17:16 <DIR> d-------- c:\windows\system32\scripting2009-01-15 17:15 . 2008-04-13 22:58 2,940,928 -----c--- c:\windows\system32\dllcache\wmploc.dll2009-01-15 17:14 . 2008-04-14 05:43 2,109,440 -----c--- c:\windows\system32\dllcache\wmvcore.dll2009-01-15 17:14 . 2008-04-14 05:42 809,984 -----c--- c:\windows\system32\dllcache\wmvdmod.dll2009-01-15 17:14 . 2008-04-14 05:42 759,296 -----c--- c:\windows\system32\dllcache\wmsdmod.dll2009-01-15 17:14 . 2008-04-14 05:42 303,616 -----c--- c:\windows\system32\dllcache\wmstream.dll2009-01-15 17:14 . 2008-04-14 05:42 278,559 -----c--- c:\windows\system32\dllcache\wmv8ds32.ax2009-01-15 17:14 . 2008-04-14 05:42 258,048 -----c--- c:\windows\system32\dllcache\wmvds32.ax2009-01-15 17:14 . 2008-04-13 22:06 144,384 --------- c:\windows\system32\drivers\hdaudbus.sys2009-01-15 17:14 . 2008-04-14 05:42 115,200 -----c--- c:\windows\system32\dllcache\wmsdmoe.dll2009-01-15 17:14 . 2008-04-14 05:42 20,480 -----c--- c:\windows\system32\dllcache\wmpui.dll2009-01-15 17:13 . 2008-04-14 00:10 10,240 --------- c:\windows\system32\drivers\sffp_mmc.sys2009-01-14 20:50 . 2009-01-14 20:50 <DIR> d-------- c:\documents and settings\User One\Application Data\OpenOffice.org2009-01-14 20:48 . 2009-01-14 20:48 <DIR> d-------- c:\program files\OpenOffice.org 32009-01-14 20:45 . 2009-01-14 20:46 <DIR> d-------- c:\program files\OpenOfficeorg32009-01-13 13:51 . 2008-04-14 05:42 221,184 --a------ c:\windows\system32\wmpns.dll2009-01-13 13:47 . 2009-01-15 17:17 <DIR> d-------- c:\windows\ServicePackFiles2009-01-13 13:46 . 2008-04-13 23:09 2,897,920 --------- c:\windows\system32\xpsp2res.dll2009-01-13 13:45 . 2007-08-10 20:46 26,488 --a------ c:\windows\system32\spupdsvc.exe2009-01-13 13:43 . 2009-01-15 17:09 <DIR> d-------- c:\windows\EHome.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-02-09 14:01 --------- d-----w c:\program files\True Sword 42009-01-19 01:35 --------- d-----w c:\program files\iTunes2009-01-14 22:45 --------- d-----w c:\program files\SpywareBlaster2009-01-14 22:45 --------- d-----w c:\program files\Spybot - Search & Destroy2009-01-12 14:49 --------- d-----w c:\program files\Opera2005-11-28 14:47 21 ----a-w c:\program files\AVPersonalAVWIN.INI2001-11-23 04:08 712,704 ----a-w c:\windows\inf\OTHER\AUDIO3D.DLL.------- Sigcheck -------2004-08-04 00:56 44032 97e1ef029c968b457abb70e28f27b892 c:\windows\$NtServicePackUninstall$\ctfmon.exe2008-04-14 05:42 44032 1b513a83c7b862daca38de1b731c0040 c:\windows\ServicePackFiles\i386\ctfmon.exe2009-01-15 21:03 89088 35eb8dce4aab288029eff8bc9e9a6486 c:\windows\system32\ctfmon.exe.((((((((((((((((((((((((((((( snapshot@2009-02-03_21.59.33.65 ))))))))))))))))))))))))))))))))))))))))).+ 2005-10-20 20:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE- 2000-08-31 08:00:00 89,504 ----a-w c:\windows\fdsv.exe+ 2000-08-31 08:00:00 114,688 ----a-w c:\windows\fdsv.exe- 2000-08-31 08:00:00 80,412 ----a-w c:\windows\grep.exe+ 2000-08-31 08:00:00 109,056 ----a-w c:\windows\grep.exe- 2000-08-31 08:00:00 98,816 ----a-w c:\windows\sed.exe+ 2000-08-31 08:00:00 127,488 ----a-w c:\windows\sed.exe- 2000-08-31 08:00:00 136,704 ----a-w c:\windows\SWSC.exe+ 2000-08-31 08:00:00 165,376 ----a-w c:\windows\SWSC.exe- 2000-08-31 08:00:00 212,480 ----a-w c:\windows\SWXCACLS.exe+ 2000-08-31 08:00:00 241,152 ----a-w c:\windows\SWXCACLS.exe+ 2009-02-10 15:08:46 16,384 ----atw c:\windows\temp\Perflib_Perfdata_84c.dat- 2000-08-31 08:00:00 49,152 ----a-w c:\windows\VFIND.exe+ 2000-08-31 08:00:00 77,824 ----a-w c:\windows\VFIND.exe- 2000-08-31 08:00:00 68,096 ----a-w c:\windows\zip.exe+ 2000-08-31 08:00:00 96,768 ----a-w c:\windows\zip.exe.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2009-01-15 89088]"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-04 1945600][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"B'sCLiP"="c:\progra~1\B'SCLI~1\Win2K\BSCLIP.exe" [2007-11-17 1499136]"WinampAgent"="c:\program files\Winamp\Winampa.exe" [2007-11-17 132608]"PCguardadvisor.exe"="c:\program files\blueyonder\PCguard advisor\PCguardadvisor.exe" [2007-11-17 2007040]"PCguard"="c:\program files\blueyonder\PCguard\Rps.exe" [2007-11-17 393216]"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-17 274432]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-19 352256]"UeQaYzakOp"="c:\windows\system32\axhkssnsbzm.exe" [2009-02-10 43520][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]"UeQaYzakOp"="c:\windows\system32\axhkssnsbzm.exe" [2009-02-10 43520][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2009-01-15 89088]c:\documents and settings\User One\Start Menu\Programs\Startup\OpenOffice.org 1.0.1.lnk - c:\program files\OpenOffice.org1.0.1\program\quickstart.exe [10/28/2007 11:08:48 AM 180224]OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [1/15/2009 9:03:33 PM 457728]c:\documents and settings\All Users\Start Menu\Programs\Startup\CoreCenter.lnk - c:\program files\MSI\Core Center\CoreCenter.exe [12/4/2007 8:59:16 PM 2613248]RAMASST.lnk - c:\windows\system32\RAMASST.exe [9/28/2007 11:02:55 AM 197656][hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2002-03-28 77824]"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll[HKEY_LOCAL_MACHINE\software\microsoft\security center]"AntiVirusDisableNotify"=dword:00000001"UpdatesDisableNotify"=dword:00000001"AntiVirusOverride"=dword:00000001"FirewallOverride"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"=R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [3/19/2004 5:47:29 PM 9344]R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/22/2008 11:06:00 AM 8944]R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/22/2008 11:05:58 AM 55024]R2 BsUDF;B.H.A UDF Filesystem;c:\windows\system32\drivers\BsUDF.sys [3/19/2004 5:47:28 PM 390400]R3 s3legacy;s3legacy;c:\windows\system32\drivers\s3legacy.sys [3/18/2004 6:06:37 PM 65664]S2 AVWUpSrv;AntiVir Update;"c:\program files\AVPersonal\AVWUPSRV.EXE" --> c:\program files\AVPersonal\AVWUPSRV.EXE [?]S3 avgntdd;avgntdd;c:\program files\AVPersonal\AVGNTDD.SYS [12/10/2004 12:46:36 PM 32560]S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/22/2008 11:06:02 AM 7408]--- Other Services/Drivers In Memory ---*NewlyCreated* - NDISFILESERVICES32*NewlyCreated* - PCALERTDRIVER*NewlyCreated* - RUSHTOPDEVICE*Deregistered* - PCAlertDriver*Deregistered* - RushTopDevice..------- Supplementary Scan -------.uStart Page = about:blankDPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab.**************************************************************************catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-02-10 15:08:41Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(1008)c:\program files\SUPERAntiSpyware\SASWINLO.dll.------------------------ Other Running Processes ------------------------.c:\program files\blueyonder\PCguard\fws.exec:\windows\system32\DVDRAMSV.exec:\program files\Common Files\Command Software\dvpapi.exec:\windows\system32\axhkssnsbzm.exe~1.tmp.exec:\docume~1\USERON~1\LOCALS~1\temp\~2.tmp.exec:\docume~1\USERON~1\LOCALS~1\temp\~3.tmp.exec:\docume~1\USERON~1\LOCALS~1\temp\~5.tmp.exec:\docume~1\USERON~1\LOCALS~1\temp\~6.tmp.exec:\docume~1\USERON~1\LOCALS~1\temp\~8.tmp.exec:\docume~1\USERON~1\LOCALS~1\temp\~B.tmp.exec:\docume~1\USERON~1\LOCALS~1\temp\~D.tmp.exec:\docume~1\USERON~1\LOCALS~1\temp\~10.tmp.exec:\docume~1\USERON~1\LOCALS~1\temp\~12.tmp.exec:\docume~1\USERON~1\LOCALS~1\temp\~13.tmp.exec:\docume~1\USERON~1\LOCALS~1\temp\~14.tmp.exec:\docume~1\USERON~1\LOCALS~1\temp\~1B.tmp.exec:\docume~1\USERON~1\LOCALS~1\temp\~1A.tmp.exec:\docume~1\USERON~1\LOCALS~1\temp\~1D.tmp.exec:\docume~1\USERON~1\LOCALS~1\temp\~20.tmp.exec:\program files\iPod\bin\iPodService.exec:\docume~1\USERON~1\LOCALS~1\temp\~22.tmp.exec:\docume~1\USERON~1\LOCALS~1\temp\~24.tmp.exec:\docume~1\USERON~1\LOCALS~1\temp\~26.tmp.exec:\program files\OpenOffice.org 3\program\soffice.exec:\program files\OpenOffice.org 3\program\soffice.binc:\docume~1\USERON~1\LOCALS~1\temp\~28.tmp.exe.**************************************************************************.Completion time: 2009-02-10 15:11:31 - machine was rebootedComboFix-quarantined-files.txt 2009-02-10 15:11:29ComboFix2.txt 2009-02-09 21:10:00Pre-Run: 79,426,392,064 bytes freePost-Run: 79,369,334,784 bytes free214------------------------------------catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-02-10 15:06:49Windows 5.1.2600 Service Pack 3 NTFSscanning hidden files ...IPC error: 2 The system cannot find the file specified.scan completed successfullyhidden files: 0 Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 11, 2009 Root Admin ID:55454 Share Posted February 11, 2009 Yes unfortunately you can't be rebooting the system and it should probably be isolated off of the network from other computers.Let's try this tool and see if it can take care of it or at least most of it for us.Avira AntiVir Rescue SystemRequires access to a working computer with a CD/DVD burner to create a bootable CD.Download the Avira AntiVir Rescue System from herePlace a blank CD in your burner and double-click on the downloaded file.The program will automatically burn the CD for you.Place the burned CD into the affected computer and start the computer from this CD.On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.Click on the Configuration button.Select Scan all filesSelect Try to repair infected files and Rename files, if they cannot be removedSelect Scan for dialersSelect Scan for joke programs (Jokes)Select Scan for gamesSelect Scan for spyware (SPR)[*]Click on Virus scanner[*]Click on Start scanner at the bottom of the screen[*]Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and WarningsThe Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.Screen resolution problemsPlease see the post here if you're unable to view the entire screen of Avira. Link to post Share on other sites More sharing options...
fmajor7th Posted February 13, 2009 Author ID:56241 Share Posted February 13, 2009 Hello again,Thanks for your further advice/instructions... I d/l the Avira rescue system and created the boot CD - all OK. I booted my infected PC from this and it loaded what I assume to be a bare-bones Linux OS, followed by the Avira app. with the German language GUI as you described; the video was fine but my mouse was not enabled; so I invoked the command line but my keyboard was not configured properly either so I was unable to select/input command line options with any confidence. I use a somewhat old-fashioned serial mouse/PS2 keyboard; I'm guessing that this is the problem and that maybe the Linux default is a USB mouse and keyboard... I'll have to see if I can get hold of one... it may take a couple of days... Fmajor7th Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 14, 2009 Root Admin ID:56313 Share Posted February 14, 2009 Okay thanks for the input. Link to post Share on other sites More sharing options...
fmajor7th Posted February 22, 2009 Author ID:58815 Share Posted February 22, 2009 Hello Malwarebytes,Sorry, for the delay in responding; I managed to get temporary use of a USB mouse which has resolved the non-configured mouse problem indicated earlier. I booted the infected PC with the Avira rescue system CD and the GUI loaded fine; I configured and checked the options as you instructed and ran the a/v scanner. I hope the outcome makes sense to someone! The scan only took 18 seconds; it stated it had scanned 35 files and 11 directories; there were a couple of messages in the text report about not being able to read the boot sector but none of these seemed to be significant/terminal and the scan seemed to complete with no abnormalities and produced the message 'scan finished'. Yet, the items for Records were 0, Suspect files 0, and Warnings 0. Presumably, this scan was only looking in very specific places in the root and start up areas on my hard drive (I'm not sure exactly what /mnt/ - as the default directory - means in Linux); whatever, it did not seem to find/recognise any rogue files there. Its disappointing as, to me, this 'pre-boot' method - ie before the malware had had a chance to secure itself - seemed such a good idea... On rebooting XP from the HD using the normal boot method, the malware temp files processes are all still there; so is, I therefore assume, the root/parent malware agent. Yet, to report more generally, I have noticed that over the last couple of sessions, it seems to me that the malware activity (which usually has the CPU running at 30-50%) is somewhat reduced, despite all the files still being there. I have no idea why this is; whether it is just coincidental, just my imagination or wishful thinking, or that gradually your efforts are beginning to curtail its activities... Whatever, you have my continued thanks; I look forward to hearing further from you.Fmajor7th Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 24, 2009 Root Admin ID:59100 Share Posted February 24, 2009 Okay well let's try to update MBAM and scan with it again. There have been many additions since you've last run the scanner.The current version is: 1.34 with definitions of 1798Update and Scan with Malwarebytes' Anti-MalwareStart MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.Update Malwarebytes' Anti-Malware Select the Update tabClick Update[*]When the update is complete, select the Scanner tab[*]Select Perform quick scan, then click Scan.[*]When the scan is complete, click OK, then Show Results to view the results.[*]Be sure that everything is checked, and click Remove Selected.[*]When completed, a log will open in Notepad. please copy and paste the log into your next reply If you accidently close it, the log file is saved here and will be named like this:C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txtThen RESTART the computerAFTER the reboot run HJT Do a system scan and save a logfileThe post back NEW MBAM and HJT logs in that order please. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 25, 2009 Root Admin ID:59514 Share Posted February 25, 2009 Please post a status update on this. Link to post Share on other sites More sharing options...
fmajor7th Posted February 27, 2009 Author ID:60173 Share Posted February 27, 2009 Thank you for your reply. I updated MBAM (1.34/1807) and ran it, then rebooted and ran HJT as requested. Pls find logs below. The temp files remain and our old friend UeQaYzakOp is still in residence. Its very strange and frustrating - I just cant see how it is managing to evade so many anti-malware programs. Btw, I have installed a new Epson printer since my last scan – I know your advice elsewhere is not to install new s/w if infected, so I was waiting until we had got a clean system but in the end I needed it. The drivers/sw were all taken from an official/authorised Epson CD. Thanks once again, look forward to hearing from you.Fmajor7thMalwarebytes' Anti-Malware 1.34Database version: 1807Windows 5.1.2600 Service Pack 327/02/2009 12:14:16mbam-log-2009-02-27 (12-14-16).txtScan type: Quick ScanObjects scanned: 69537Time elapsed: 5 minute(s), 42 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)-------------------Logfile of Trend Micro HijackThis v2.0.2Scan saved at 12:33:04, on 27/02/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\blueyonder\PCguard\fws.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\QuickTime\qttask.exeC:\Program Files\iTunes\iTunesHelper.exeC:\WINDOWS\system32\ctfmon.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~145.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~14B.tmp.exeC:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~147.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~14C.tmp.exeC:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEDE.EXEC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~14D.tmp.exeC:\Program Files\MSI\Core Center\CoreCenter.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~189.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~180.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~18D.tmp.exeC:\WINDOWS\system32\RAMASST.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~18F.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~193.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~194.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~196.tmp.exeC:\WINDOWS\System32\DVDRAMSV.exeC:\Program Files\Common Files\Command Software\dvpapi.exeC:\WINDOWS\System32\svchost.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~19A.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~19B.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~19C.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~19E.tmp.exeC:\Program Files\iPod\bin\iPodService.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~1A2.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~1A4.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~1A6.tmp.exeC:\DOCUME~1\USERON~1\LOCALS~1\Temp\~1A8.tmp.exeC:\Program Files\OpenOffice.org 3\program\soffice.exeC:\Program Files\OpenOffice.org 3\program\soffice.binC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blankR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.demon.net/"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com www.viruslist.ru www3.ca.comO2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\blueyonder\PCguard\FBHR.dllO2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dllO2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dllO3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dllO3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dllO4 - HKLM\..\Run: [b'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exeO4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\Rps.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [ueQaYzakOp] C:\WINDOWS\system32\qxyvrhl.exeO4 - HKLM\..\RunServices: [ueQaYzakOp] C:\WINDOWS\system32\qxyvrhl.exeO4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeO4 - HKCU\..\Run: [EPSON SX100 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEDE.EXE /FU "C:\WINDOWS\TEMP\E_S1D1.tmp" /EF "HKCU"O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exeO4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exeO4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exeO4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exeO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: AntiVir Service (AntiVirService) - Unknown owner - C:\Program Files\AVPersonal\AVGUARD.EXE (file missing)O23 - Service: AntiVir Update (AVWUpSrv) - Unknown owner - C:\Program Files\AVPersonal\AVWUPSRV.EXE (file missing)O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exeO23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe--End of file - 7992 bytes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 28, 2009 Root Admin ID:60431 Share Posted February 28, 2009 Please run the following AV scanner. First delete your copy of Combofix.exe on the desktop and empty your trash.Then after you download it you need to disable any other Anti-Virus and disconnect from the Internet while it runs.Please download to your Desktop: Dr.Web CureItAfter the file has downloaded, disable your current Anti-Virus and disconnect from the InternetDoubleclick the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.Once the short scan has finished, Click on the Complete scan radio button.Then click on the Settings menu on top, the select Change Settings or press the F9 key. You can also change the LanguageChoose the Scanning tab and I recomend leaving the Heuristic analysis enabled (this can lead to False Positives though)On the File types tab ensure you select All filesClick on the Actions tab and set the following:Objects Infected objects = Cure, Incurable objects = Move, Suspicious objects = ReportInfected packages Archive = Move, E-mails = Report, Containers = MoveMalware Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = MoveDo not change the Rename extension - default is: #??Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\Leave prompt on Action checked[*]On the Log file tab leave the Log to file checked.[*]Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log[*]Log mode = Append[*]Encoding = ANSI[*]Details Leave Names of file packers and Statistics checked.[*]Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.[*]On the General tab leave the Scan Priority on High[*]Click the Apply button at the bottom, and then the OK button.[*]On the right side under the Dr Web Anti-Virus Logo you will see 3 little buttons. Click the left VCR style Start button.[*]In this mode it will scan Boot sectors of all disks, All removable media, and all local drives[*]The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.[*]When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.[*]Click 'Yes to all' if it asks if you want to cure/move the files.[*]This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)[*]After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list[*]Save the report to your Desktop. The report will be called DrWeb.csv[*]Close Dr.Web Cureit.[*]Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.[*]After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new hijackthis log. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted March 7, 2009 Root Admin ID:62384 Share Posted March 7, 2009 Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted March 9, 2009 Root Admin ID:62948 Share Posted March 9, 2009 Post re-opened at user request. Link to post Share on other sites More sharing options...
fmajor7th Posted March 9, 2009 Author ID:63041 Share Posted March 9, 2009 Hello Malwarebytes,I'm sorry for the delay in responding. I had some issues with the Dr.Web scan and was then called away. I d/l Dr.Web and configured it as you stated in your instructions and then started the express scan. Very quickly it found the malware tmp files and then the root agent and deleted them. This was really encouraging, however, it then started to find all sorts of files including standard utilities and major programs which it stated were all infected and that it would cure. I was still in manual mode (ie it was stopping and prompting me for a response on each suspect item) and I wasn't sure if these were false positives or somehow the malware had attached itself to these innocuous files, or had otherwise infected them. For completeness/security, I decided that I should act upon (ie cure/move/delete) everything that it found. The scan had now moved on to the system response area of my system and was finding hundreds even thousands of suspect files. It was impossible to respond to these individually, so I decided to enable the 'yes to all' feature. The scan had now been running for over two hours and the progress bar chart showed that it was only about one third complete. I didn't have enough time to finish the scan so I aborted it and closed everything down. I was able to come back to it three days later with plenty of spare time. I booted my machine up and noticed immediately that the boot up process was shortened: all the temp malware files previously loaded on start up were not there. Very encouraging and the first time it had done that since it had become infected. I re-ran Dr Web; it ran through quickly to the point I had left off previously then started to find more files. I enabled 'yes to all' again and allowed it to run. It took over four hours, scanning 350 thousand files and finding nearly 25 thousand problem items - 99% of which were in the system restore or service pack area. Anyway, the Dr Web log pasted below is therefore not quite fully representative: it does not show the removal of all the malware tmp files and its root agent which were all (apparently) removed on the first Dr. Web (aborted) run and so, were not present on the second scan for it to report. In addition, since there are thousands of virtually identical lines in the log relating to two areas (system restore and XP service packs) I have edited these areas into a couple of representative lines. I hope this is more helpful. After rebooting again at the end of the scan, I can report that none of the malware tmp files, or the root agent, UeQaYzakOp, appear to be present. In summary, I now have a system that is a little incapacitated and vulnerable due to some of my utilities, anti-malware and even firewall programs, or their components, being disabled. However, this is a small price to pay for what I believe, and as HJT seems to confirm, could be the eradication of my malware. If this is the case, I will wait until the clean up process is complete and I am given the all clear before attempting to restore my disabled apps. (from OEM CDs, back ups and trusted web sites). I look forward to hearing from you.Fmajor7th. regLocal.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups;Probably SCRIPT.Virus;;SktInstall.exe;C:\Program Files\blueyonder\PCguard;Probably BACKDOOR.Trojan;;opera.exe;C:\Program Files\Opera;Win32.Sector.28682;Cured.;SimpleFileJoiner.exe;C:\Program Files\Peretek\Simple File Joiner;Win32.Sector.28682;Cured.;Uninstall.exe;C:\Program Files\Peretek\Simple File Joiner;Win32.Sector.28682;Cured.;Eudora.exe;C:\Program Files\Qualcomm\Eudora;Win32.Sector.28682;Cured.;swEudora.exe;C:\Program Files\Qualcomm\Eudora;Win32.Sector.28682;Cured.;PictureViewer.exe;C:\Program Files\QuickTime;Win32.Sector.28682;Cured.;QTInfo.exe;C:\Program Files\QuickTime;Win32.Sector.28682;Cured.;QuickTimePlayer.exe;C:\Program Files\QuickTime;Win32.Sector.28682;Cured.;fixrjb.exe;C:\Program Files\Real\RealPlayer;Win32.Sector.28682;Cured.;realjbox.exe;C:\Program Files\Real\RealPlayer;Win32.Sector.28682;Cured.;rphelperapp.exe;C:\Program Files\Real\RealPlayer;Win32.Sector.28682;Cured.;setup.exe;C:\Program Files\Real\RealPlayer\Setup;Win32.Sector.28682;Cured.;spywareblaster.exe;C:\Program Files\SpywareBlaster;Win32.Sector.28682;Cured.;BootSafe.exe;C:\Program Files\SUPERAntiSpyware;Win32.Sector.28682;Cured.;RUNSAS.EXE;C:\Program Files\SUPERAntiSpyware;Win32.Sector.28682;Cured.;SASINST.EXE;C:\Program Files\SUPERAntiSpyware;Win32.Sector.28682;Cured.;SSUpdate.exe;C:\Program Files\SUPERAntiSpyware;Win32.Sector.28682;Cured.;HijackThis.exe;C:\Program Files\Trend Micro\HijackThis;Win32.Sector.28682;Cured.;vlc.exe;C:\Program Files\VideoLAN\VLC;Win32.Sector.28682;Cured.;UninstWA.exe;C:\Program Files\Winamp;Win32.Sector.28682;Cured.;winamp.exe;C:\Program Files\Winamp;Win32.Sector.28682;Cured.;dlimport.exe;C:\Program Files\Windows Media Player;Win32.Sector.28682;Cured.;hypertrm.exe;C:\Program Files\Windows NT;Win32.Sector.28682;Cured.;Rar.exe;C:\Program Files\WinRAR;Win32.Sector.28682;Cured.;Uninstall.exe;C:\Program Files\WinRAR;Win32.Sector.28682;Cured.;UnRAR.exe;C:\Program Files\WinRAR;Win32.Sector.28682;Cured.;WinRAR.exe;C:\Program Files\WinRAR;Win32.Sector.28682;Cured.;txzskjybuznpz.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Win32.Proxed;Deleted.;wmfptc32.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.AVKill.295;Deleted.;kljgkg.sys.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers;Trojan.AVKill.295;Deleted.;A0135828.sys;C:\System Volume Information\_restore{E35125BE-A984-4005-8530-69F18F046BAA}\RP900;Trojan.AVKill.295;Deleted.;A0135834.dll;C:\System Volume Information\_restore{E35125BE-A984-4005-8530-69F18F046BAA}\RP900;Trojan.AVKill.295;Deleted.;A0135853.exe;C:\System Volume Information\_restore{E35125BE-A984-4005-8530-69F18F046BAA}\RP900;Win32.Sector.28682;Cured.;A0135869.exe;C:\System Volume Information\_restore{E35125BE-A984-4005-8530-69F18F046BAA}\RP902;Trojan.Botnetlog.1;Deleted.;A0135880.exe;C:\System Volume Information\_restore{E35125BE-A984-4005-8530-69F18F046BAA}\RP902;Win32.Proxed;Cured.;*******EDITED: then follows many thousands of lines increasing incrementally but otherwise virtually identical to one of these five lines above*******BsUnInst.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;CmiRmRedundDir.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;CMIUninstall.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;fdsv.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;grep.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;internt.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;internt.exe;C:\WINDOWS;Trojan.DownLoader.2163;Deleted.;IsUninst.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;N6Uninst.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;NIRCMD.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;sed.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;setdebug.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;SWREG.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;SWSC.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;SWXCACLS.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;uinst001.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;VFIND.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;zip.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;accwiz.exe;C:\WINDOWS\$NtServicePackUninstall$;Win32.Sector.28682;Cured.;accwiz.exe.000;C:\WINDOWS\$NtServicePackUninstall$;Win32.Sector.28682;Cured.;admin.exe;C:\WINDOWS\$NtServicePackUninstall$;Win32.Sector.28682;Cured.;agentsvr.exe;C:\WINDOWS\$NtServicePackUninstall$;Win32.Sector.28682;Cured.;********EDITED: then a couple of hundred lines increasing incrementally but otherwise virtually identical to these four lines above*******setup.exe;C:\WINDOWS\Cache\Adobe Reader 6.0\ENUBIG;Win32.Sector.28682;Cured.;iTunesSetup.exe;C:\WINDOWS\Downloaded Installations\{1E8CF57A-24E8-4A97-9564-A8F1956C447B};Win32.Sector.28682;Cured.;copyinf.exe;C:\WINDOWS\Drivers;Win32.Sector.28682;Cured.;remove.exe;C:\WINDOWS\Drivers\Motorola;Win32.Sector.28682;Cured.;UNDPX.exe;C:\WINDOWS\Drivers\Old Drivers\WebSTAR;Win32.Sector.28682;Cured.;UNDPX2.exe;C:\WINDOWS\Drivers\Old Drivers\WebSTAR;Win32.Sector.28682;Cured.;undpxall.exe;C:\WINDOWS\Drivers\Old Drivers\WebSTAR;Win32.Sector.28682;Cured.;UNDPX.exe;C:\WINDOWS\Drivers\WebSTAR;Win32.Sector.28682;Cured.;UNDPX2.exe;C:\WINDOWS\Drivers\WebSTAR;Win32.Sector.28682;Cured.;UNDPX2A.EXE;C:\WINDOWS\Drivers\WebSTAR;Win32.Sector.28682;Cured.;UNDPX2K.EXE;C:\WINDOWS\Drivers\WebSTAR;Win32.Sector.28682;Cured.;undpxall.exe;C:\WINDOWS\Drivers\WebSTAR;Win32.Sector.28682;Cured.;ERDNT.EXE;C:\WINDOWS\ERDNT\Hiv-backup;Win32.Sector.28682;Cured.;ERDNT.EXE;C:\WINDOWS\ERDNT\subs;Win32.Sector.28682;Cured.;ARPPRODUCTICON.exe;C:\WINDOWS\Installer\{1E8CF57A-24E8-4A97-9564-A8F1956C447B};Win32.Sector.28682;Cured.;NewShortcut3_35AFD495EC2E4B2BB9DB30EEBC74049D.exe;C:\WINDOWS\Installer\{1E8CF57A-24E8-4A97-9564-A8F1956C447B};Win32.Sector.28682;Cured.;NewShortcut4_8C3BCD70236347B8A53EEE8A82FD5C78.exe;C:\WINDOWS\Installer\{1E8CF57A-24E8-4A97-9564-A8F1956C447B};Win32.Sector.28682;Cured.;NewShortcut6_35AFD495EC2E4B2BB9DB30EEBC74049D.exe;C:\WINDOWS\Installer\{1E8CF57A-24E8-4A97-9564-A8F1956C447B};Win32.Sector.28682;Cured.;places.exe;C:\WINDOWS\Installer\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227};Win32.Sector.28682;Cured.;ARPPRODUCTICON.exe;C:\WINDOWS\Installer\{ACF60000-22B9-4CE9-98D6-2CCF359BAC07};Win32.Sector.28682;Cured.;_SHCT_Sprint.exe.exe;C:\WINDOWS\Installer\{ACF60000-22B9-4CE9-98D6-2CCF359BAC07};Win32.Sector.28682;Cured.;IconCDDCBBF13.exe;C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA};Win32.Sector.28682;Cured.;IconCDDCBBF15.exe;C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA};Win32.Sector.28682;Cured.;dplaysvr.exe;C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C};Win32.Sector.28682;Cured.;dpnsvr.exe;C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C};Win32.Sector.28682;Cured.;dpvsetup.exe;C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C};Win32.Sector.28682;Cured.;dxdiag.exe;C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C};Win32.Sector.28682;Cured.;dxdllreg.exe;C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C};Win32.Sector.28682;Cured.;accwiz.exe;C:\WINDOWS\ServicePackFiles\i386;Win32.Sector.28682;Cured.;admin.exe;C:\WINDOWS\ServicePackFiles\i386;Win32.Sector.28682;Cured.;agentsvr.exe;C:\WINDOWS\ServicePackFiles\i386;Win32.Sector.28682;Cured.;ahui.exe;C:\WINDOWS\ServicePackFiles\i386;Win32.Sector.28682;Cured.;********EDITED: then a couple of hundred lines increasing incrementally but otherwise virtually identical to these four lines above*******msmsgs.exe;C:\WINDOWS\ServicePackFiles\ServicePackCache\i386;Win32.Sector.28682;Cured.;1499fc.dll;C:\WINDOWS\system32;Trojan.DownLoader.49154;Deleted.;16111b.dll;C:\WINDOWS\system32;Trojan.DownLoader.49154;Deleted.;18e4c2c.dll;C:\WINDOWS\system32;Trojan.DownLoader.49154;Deleted.;18f8e9f.dll;C:\WINDOWS\system32;Trojan.DownLoader.49154;Deleted.;1ba6924.dll;C:\WINDOWS\system32;Trojan.DownLoader.49154;Deleted.;1ba6981.dll;C:\WINDOWS\system32;Trojan.DownLoader.49154;Deleted.;2229412.dll;C:\WINDOWS\system32;Trojan.DownLoader.49154;Deleted.;223c261.dll;C:\WINDOWS\system32;Trojan.DownLoader.49154;Deleted.;3a5e71.dll;C:\WINDOWS\system32;Trojan.DownLoader.49154;Deleted.;3bb130.dll;C:\WINDOWS\system32;Trojan.DownLoader.49154;Deleted.;4da86e.dll;C:\WINDOWS\system32;Trojan.DownLoader.49154;Deleted.;afb13b.dll;C:\WINDOWS\system32;Trojan.DownLoader.49154;Deleted.;axhkssnsbzm.exe;C:\WINDOWS\system32;Win32.Proxed;Deleted.;b0f8fe.dll;C:\WINDOWS\system32;Trojan.DownLoader.49154;Deleted.;dtsjv.exe;C:\WINDOWS\system32;Win32.Proxed;Deleted.;hunlornl.exe;C:\WINDOWS\system32;BackDoor.IRC.Sdbot.2665;Deleted.;ihoahyjtwul.exe;C:\WINDOWS\system32;Win32.Proxed;Deleted.;kagxne.exe;C:\WINDOWS\system32;BackDoor.IRC.Sdbot.945;Deleted.;mstmp.html\Script.3;C:\WINDOWS\system32\mstmp.html;Exploit.CodeBase;;mstmp.html;C:\WINDOWS\system32;Container contains infected objects;Moved.;nkkwnk.exe;C:\WINDOWS\system32;Trojan.Packed.162;Deleted.;pdmnt.exe;C:\WINDOWS\system32;BackDoor.IRC.Sdbot.1464;Deleted.;qeitc.exe;C:\WINDOWS\system32;BackDoor.IRC.Sdbot.945;Deleted.;stxygc.exe;C:\WINDOWS\system32;BackDoor.IRC.Sdbot.945;Deleted.;uyufu.exe;C:\WINDOWS\system32;BackDoor.IRC.Sdbot.945;Deleted.;vsacwp.exe;C:\WINDOWS\system32;BackDoor.IRC.Sdbot.2665;Deleted.;win1eb2.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;win21d5.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;win32ec.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;win37f7.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;win4d5.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;win6a14.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;win7a5a.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;win7a85.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;win7cf0.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;win81ad.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;win890b.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;win970a.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;win9b02.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;win9d19.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;wina1b8.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;wina374.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;wina576.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;wina9d7.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;winb083.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;winb45a.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;winc11e.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;winc85a.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;wincf51.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;wind39c.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;windadc.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;windd7a.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;wineaf9.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;winf16.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;wmfptc32.dl_;C:\WINDOWS\system32;Trojan.AVKill.295;Deleted.;zuuxbjh.exe;C:\WINDOWS\system32;Win32.Virut.5;Cured.;zuuxbjh.exe;C:\WINDOWS\system32;Win32.Virut.5;Cured.;zuuxbjh.exe;C:\WINDOWS\system32;BackDoor.IRC.Sdbot.945;Deleted.;escndv.exe;C:\WINDOWS\twain_32\escndv;Win32.Sector.28682;Cured.;estwm.exe;C:\WINDOWS\twain_32\escndv;Win32.Sector.28682;Cured.;estwm.exe;C:\WINDOWS\twain_32\escndv\es0093;Win32.Sector.28682;Cured.;------------------------------Logfile of Trend Micro HijackThis v2.0.2Scan saved at 14:49:43, on 09/03/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\blueyonder\PCguard\fws.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\System32\DVDRAMSV.exeC:\Program Files\Common Files\Command Software\dvpapi.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEDE.EXEC:\WINDOWS\system32\RAMASST.exeC:\Program Files\OpenOffice.org 3\program\soffice.exeC:\Program Files\OpenOffice.org 3\program\soffice.binC:\Program Files\Opera\opera.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blankR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.demon.net/"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com www.viruslist.ru www3.ca.comO2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\blueyonder\PCguard\FBHR.dllO2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dllO2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dllO3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dllO3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dllO4 - HKLM\..\Run: [b'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exeO4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\Rps.exe"O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeO4 - HKCU\..\Run: [EPSON SX100 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEDE.EXE /FU "C:\WINDOWS\TEMP\E_S1D1.tmp" /EF "HKCU"O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exeO4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exeO4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exeO4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exeO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: AntiVir Service (AntiVirService) - Unknown owner - C:\Program Files\AVPersonal\AVGUARD.EXE (file missing)O23 - Service: AntiVir Update (AVWUpSrv) - Unknown owner - C:\Program Files\AVPersonal\AVWUPSRV.EXE (file missing)O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exeO23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe--End of file - 6239 bytes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted March 9, 2009 Root Admin ID:63077 Share Posted March 9, 2009 You have a VERY NASTY Virus that has many names and versions as it's been around for a while and continues to be updated with new methods.(PE_SALITY.EK, Virus.Win32.Sality.aa, PE_SALITY.M, New Win32.s, New Malware.ew, Trojan.Agent.AINJ, Virus.Win32.Sality.y, Win32.Sality.OE, PE_SALITY.EN, Win32.Sality.OG, Virus.Win32.Sality.kaka, W32/Sality, Virus.Win32.Sality.2, Win32.Sality.NX, Virus.Win32.Sality.z, Embedded.Win32.Trojan-Downloader.Sality.kaka, Mal_Sality, Win32/Tanatos.A, Win32/Sality.AM, Virus:Win32/Sality.AM, W32/Sality.Y)Bottom line is that even though Dr Web may have seemingly eradicated it, there is no way you can ever trust this box again without rebuilding it.Backup all your documents and important items (personal data, work documents, etc) only. DO NOT backup any executable files (softwares) and screensavers (*.scr) . It attempts to infect any accessed .exe or .scr or files by appending itself to the executable.Also, try to avoid backing up compressed files (zip/cab/rar) files that have .exe or .scr files inside them. It can penetrate and infect .exe files inside compressed files too.Disconnect it from any Network and do not share external USB drives or similar devices with any other computer as it can easily infect them as well if they're not protected from this Virus.Then Format the drive and re-install Windows and make sure you always have up to date continuous live protection enabled. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted March 11, 2009 Root Admin ID:63472 Share Posted March 11, 2009 Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you. Link to post Share on other sites More sharing options...
Recommended Posts