
Something deep inside...



Hello Malwarebytes,

I've recently discovered your site. It is so encouraging to find a site dedicated to the task of eradicating malware with excellent advice and anti-malware programs.

In response to infection, I recently downloaded and ran some new anti-malware software including SuperAntiSpyware and Comodo Antivirus. SuperAntiSpyware usually finds 100+ items: ~XX.TMP.EXE files (where X represents a hexadecimal integer) located in localsettings\temp, _restore, prefetch and system32 folders; also one file in Startup. Then I found your site; I read your 'how did I become infected' entry, and downloaded and ran your Malwarebytes anti-malware software. With a full scan, your software reported no issues, so I ran HijackThis: this found 20 or so suspect tmp files as running processes, and two further suspect files which seem to me to be the root or residual parts of the malware (please see logs below).

If this helps, I also ran Ad-aware some months ago: then, the logs recognised/classified the malware files into three main categories: win32.generic worm, win32.trojanproxy.bobax, and win32.trojan.killav. Both Ad-aware and SuperAntiSpyware remove or quarantine nearly all the files that they find, except these root files which appear to launch the tmp files at each startup; these then show up in Task Manager alongside the usual 30-40 normal processes. The 'end process' facility in Task Manager is disabled. I often have to reload my anti-malware programs each time I wish to use them because they are often disabled (by the malware, I assume); occasionally, it does not allow them to be installed at all. I use Opera as my main browser, then Netscape, then on occasion, IE.

I would be interested to hear your comments, especially ones that fully/properly explain what is happening on my machine, and in doing so, offer or lead to potential solutions for locating/eradicating these root files and what I can do to further prevent them infecting my system in the future. Whatever, congratulations on operating a business/website in such a noble and worthwhile cause.

Fmajor7th

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:46:15, on 02/02/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\blueyonder\PCguard\fws.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RunDll32.exe

C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe

C:\Program Files\QuickTime\qttask.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~66.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~60.tmp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~6C.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~72.tmp.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Comodo\common\CAVASpy\cavasm.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~7A.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~8B.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~7B.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~8F.tmp.exe

C:\Program Files\MSI\Core Center\CoreCenter.exe

C:\WINDOWS\system32\RAMASST.exe

C:\WINDOWS\System32\DVDRAMSV.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~A1.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~A3.tmp.exe

C:\Program Files\Common Files\Command Software\dvpapi.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~A2.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~A5.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~B0.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~B4.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~B6.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~B8.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~BC.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~BF.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~C0.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~C3.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~C5.tmp.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.demon.net/"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)

N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\blueyonder\PCguard\FBHR.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [b'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"

O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\Rps.exe"

O4 - HKLM\..\Run: [KHVUII_akXLNZ_J] C:\WINDOWS\system32\bdfyytlfshlqh.exe

O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [ueQaYzakOp] C:\WINDOWS\system32\mzyypdobc.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe

O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe

O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll

O23 - Service: AntiVir Service (AntiVirService) - Unknown owner - C:\Program Files\AVPersonal\AVGUARD.EXE (file missing)

O23 - Service: AntiVir Update (AVWUpSrv) - Unknown owner - C:\Program Files\AVPersonal\AVWUPSRV.EXE (file missing)

O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe

O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe

--

End of file - 7524 bytes

mbam-log-2009-02-02 (13-02-08).txt

Scan type: Full Scan (C:\|)

Objects scanned: 143317

Time elapsed: 1 hour(s), 1 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

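The log in the post above is a good test case for automating the first pass a helper does by eye: flag processes running out of a user's Temp folder, Run values whose names or targets look machine-generated, and Winlogon Notify DLLs planted straight in system32. The Python below is an added example, not code from the original post or from HijackThis; the sample text is a handful of lines copied from the log above, and the function names, the thresholds and the deliberately crude randomness test are my own choices.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample: a few lines copied from the HijackThis log above
# (running processes, O4 Run entries, O20 Winlogon Notify entries).
SAMPLE_HJT_LOG = r"""
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~66.tmp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Run: [KHVUII_akXLNZ_J] C:\WINDOWS\system32\bdfyytlfshlqh.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ueQaYzakOp] C:\WINDOWS\system32\mzyypdobc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
"""

VOWELS = set("aeiou")
TEMP_EXE_RE = re.compile(r"^~[0-9A-F]{2}\.tmp\.exe$", re.IGNORECASE)
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Finding:
    line: str
    path: str
    reasons: list = field(default_factory=list)


def looks_random(name):
    """Crude 'generated name' test: almost no vowels, or a long consonant run.
    Acronym-style names (DVDRAMSV) can trip it, so hits are for triage only."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    if len(letters) < 5:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", letters)), default=0)
    return vowel_ratio < 0.15 or longest_run >= 5


def first_path(command):
    """Executable from a Run value: either 'quoted path' args, or path args."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def location(path):
    p = path.lower()
    if "\\temp\\" in p:
        return "temp"
    if "\\system32\\" in p:
        return "system32"
    return "other"


def path_reasons(path):
    reasons = []
    if TEMP_EXE_RE.match(ntpath.basename(path)):
        reasons.append("executable named like a scratch file (~XX.tmp.exe)")
    if location(path) == "temp":
        reasons.append("executable launched from a Temp directory")
    return reasons


def triage(text):
    """Return one Finding per suspicious line, with every reason that fired."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        path, reasons = "", []
        if (m := O4_RE.match(line)):
            path = first_path(m.group("cmd"))
            reasons += path_reasons(path)
            stem = ntpath.splitext(ntpath.basename(path))[0]
            if location(path) == "system32" and looks_random(stem):
                reasons.append("random-named executable in system32 set to autostart")
            if looks_random(m.group("name")):
                reasons.append("random-looking Run value name")
        elif (m := O20_RE.match(line)):
            path = m.group("path").strip()
            if location(path) == "system32":
                # Notify DLLs load into winlogon.exe as SYSTEM; vendors keep theirs
                # under Program Files, droppers put theirs straight in system32.
                reasons.append("Winlogon Notify DLL planted in system32")
        elif PROCESS_RE.match(line):
            path = line
            reasons += path_reasons(path)
        if reasons:
            findings.append(Finding(line, path, reasons))
    return findings


def flagged_names(text):
    """Lower-cased basenames of every flagged path, handy for asserting on."""
    return {ntpath.basename(f.path).lower() for f in triage(text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{ntpath.basename(f.path)}: {'; '.join(f.reasons)}")
```

Run it as a script to print the hits. Two caveats a practitioner would want: the vowel-ratio test is a triage aid and not a verdict, which is why it is only applied to autostart entries and not to the whole process list; and a clean result from any log parser says nothing about entries the malware hides from the tools that produce the log.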

  • Root Admin

Well that is not the full log for MBAM so I can't tell the version of the program or definitions.

Please run the following program.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!:

You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note:

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


Hello Malwarebytes,

Thank you for your prompt reply. Sorry about my hasty/sloppy C&P - failing to scroll up fully and thereby cutting off the top four lines of the mbam log text. Here is the missing part:

Malwarebytes' Anti-Malware 1.33

Database version: 1714

Windows 5.1.2600 Service Pack 3

02/02/2009 13:02:08

mbam-log-2009-02-02 (13-02-08).txt

Thanks for your instructions; I'm on the case now and will get back to you shortly.

Fmajor7th


Hello Again Malwarebytes,

Continuing from last time... I followed your instructions re ComboFix: all very clear and straightforward. XP would not allow me to install the WRConsole manually from my XP CD prior to running ComboFix because of the XP version mismatch: my original XP disc is a four-year-old SP1 and I am running an updated XP SP3. However, I don't think this matters because WRC was installed satisfactorily as part of the ComboFix setup.

I tried to disable all my running antivirus/spyware and firewall s/w prior to running CF. I uninstalled Comodo, and I exited SuperAntiSpyware but the latter still showed up on the logs; PCGuard is my ISP's firewall: on a recent update, it somehow was disabled (by the malware, I assume - I am waiting to install ZA) so I thought this would be OK but again it showed up on the logs. I notice other old protection s/w also showed up in the logs even though they are (or I thought they were) not running 'on access'. I hope this isn't a problem.

Whatever, ComboFix seemed to run perfectly, executing all the pre-stated stages. I also ran HJT again as per your instructions - please see the logs for both below. I realise I am not out of the woods yet and I don't wish to tempt fate but... things look promising: in my present OS state, all the tmp (malware) processes have gone from Task Manager and the end process facility is re-enabled, and my CPU is running a sweet hum at 0-4% in the background instead of the labouring 30+% and chasing its tail. I await your further comments/instructions with great anticipation. (Apologies, I have to go away for three days now - the machine will not be turned on or used at all during this period - I will be back Sat. 7th.) Thank you once again.

Fmajor7th

ComboFix 09-02-02.04 - User One 2009-02-03 21:58:02.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.736 [GMT 0:00]

Running from: c:\documents and settings\User One\Desktop\ComboFix.exe

AV: PCguard Anti-Virus *On-access scanning disabled* (Outdated)

FW: PCguard Firewall *enabled*

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\IE4 Error Log.txt

c:\windows\system32\i

.

((((((((((((((((((((((((( Files Created from 2009-01-03 to 2009-02-03 )))))))))))))))))))))))))))))))

.

2009-02-03 21:52 . 2009-02-03 21:52 43,520 --a------ c:\windows\system32\hdhgufd.exe

2009-02-03 17:43 . 2009-02-03 17:43 43,520 --a------ c:\windows\system32\pphednnflwgjxq.exe

2009-02-03 17:29 . 2009-02-03 17:29 43,520 --a------ c:\windows\system32\johjfcpftwddj.exe

2009-02-03 11:35 . 2009-02-03 11:35 43,520 --a------ c:\windows\system32\iiznw.exe

2009-02-02 15:44 . 2009-02-02 15:44 43,520 --a------ c:\windows\system32\upzwec.exe

2009-02-02 15:18 . 2009-02-02 15:18 43,520 --a------ c:\windows\system32\ahxjq.exe

2009-02-02 14:30 . 2009-02-02 14:30 <DIR> d-------- c:\program files\Trend Micro

2009-02-02 14:26 . 2009-02-02 14:26 43,520 --a------ c:\windows\system32\oesrlrow.exe

2009-02-02 11:12 . 2009-02-02 11:12 43,520 --a------ c:\windows\system32\fwwamhi.exe

2009-01-20 23:01 . 2009-01-20 23:01 <DIR> d-------- c:\windows\Sun

2009-01-18 16:16 . 2009-01-18 16:16 <DIR> d-------- c:\documents and settings\User One\Application Data\Malwarebytes

2009-01-18 16:15 . 2009-01-18 16:15 <DIR> d-------- c:\program files\iPod

2009-01-18 16:15 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-18 16:14 . 2009-01-18 16:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-18 16:14 . 2009-01-18 16:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-18 16:14 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-16 13:05 . 2008-11-13 15:18 1,221,008 --a------ c:\windows\system32\zpeng25.dll

2009-01-16 13:05 . 2009-01-16 13:05 348,220 --a------ c:\windows\system32\vsconfig.xml

2009-01-16 13:05 . 2009-01-16 13:05 4,212 --ah----- c:\windows\system32\zllictbl.dat

2009-01-16 11:29 . 2009-01-19 01:35 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-01-16 11:29 . 2009-01-16 11:29 <DIR> d-------- c:\documents and settings\User One\Application Data\SUPERAntiSpyware.com

2009-01-16 11:29 . 2009-01-16 11:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-01-15 21:03 . 2009-01-15 21:03 89,088 --a------ c:\windows\system32\ctfmon.exe

2009-01-15 17:21 . 2009-01-15 17:21 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2009-01-15 17:16 . 2009-01-15 17:16 <DIR> d-------- c:\windows\system32\scripting

2009-01-15 17:15 . 2008-04-13 22:58 2,940,928 -----c--- c:\windows\system32\dllcache\wmploc.dll

2009-01-15 17:14 . 2008-04-14 05:43 2,109,440 -----c--- c:\windows\system32\dllcache\wmvcore.dll

2009-01-15 17:14 . 2008-04-14 05:42 809,984 -----c--- c:\windows\system32\dllcache\wmvdmod.dll

2009-01-15 17:14 . 2008-04-14 05:42 759,296 -----c--- c:\windows\system32\dllcache\wmsdmod.dll

2009-01-15 17:14 . 2008-04-14 05:42 303,616 -----c--- c:\windows\system32\dllcache\wmstream.dll

2009-01-15 17:14 . 2008-04-14 05:42 278,559 -----c--- c:\windows\system32\dllcache\wmv8ds32.ax

2009-01-15 17:14 . 2008-04-14 05:42 258,048 -----c--- c:\windows\system32\dllcache\wmvds32.ax

2009-01-15 17:14 . 2008-04-13 22:06 144,384 --------- c:\windows\system32\drivers\hdaudbus.sys

2009-01-15 17:14 . 2008-04-14 05:42 115,200 -----c--- c:\windows\system32\dllcache\wmsdmoe.dll

2009-01-15 17:14 . 2008-04-14 05:42 20,480 -----c--- c:\windows\system32\dllcache\wmpui.dll

2009-01-15 17:13 . 2006-12-29 00:31 19,569 --a------ c:\windows\005146_.tmp

2009-01-15 17:13 . 2008-04-14 00:10 10,240 --------- c:\windows\system32\drivers\sffp_mmc.sys

2009-01-14 20:50 . 2009-01-14 20:50 <DIR> d-------- c:\documents and settings\User One\Application Data\OpenOffice.org

2009-01-14 20:48 . 2009-01-14 20:48 <DIR> d-------- c:\program files\OpenOffice.org 3

2009-01-14 20:48 . 2009-01-14 20:48 <DIR> d-------- c:\program files\JRE

2009-01-14 20:48 . 2009-01-14 20:48 <DIR> d-------- c:\program files\Java

2009-01-14 20:48 . 2009-01-14 20:48 <DIR> d-------- c:\program files\Common Files\Java

2009-01-14 20:48 . 2008-06-10 02:32 73,728 --a------ c:\windows\system32\javacpl.cpl

2009-01-14 20:45 . 2009-01-14 20:46 <DIR> d-------- c:\program files\OpenOfficeorg3

2009-01-14 19:44 . 2009-02-03 21:59 5,109 --a------ c:\windows\system32\drivers\kljgkg.sys

2009-01-13 13:51 . 2008-04-14 05:42 221,184 --a------ c:\windows\system32\wmpns.dll

2009-01-13 13:47 . 2009-01-15 17:17 <DIR> d-------- c:\windows\ServicePackFiles

2009-01-13 13:46 . 2008-04-13 23:09 2,897,920 --------- c:\windows\system32\xpsp2res.dll

2009-01-13 13:45 . 2007-08-10 20:46 26,488 --a------ c:\windows\system32\spupdsvc.exe

2009-01-13 13:45 . 2004-07-17 11:40 19,528 --a------ c:\windows\002160_.tmp

2009-01-13 13:43 . 2009-01-15 17:09 <DIR> d-------- c:\windows\EHome

2009-01-11 18:29 . 2009-01-11 18:29 75,776 --ah----- c:\windows\system32\gbrv.exe

2009-01-11 18:26 . 2009-01-11 18:26 75,776 --ah----- c:\windows\system32\jqwwpb.exe

2009-01-06 01:11 . 2009-01-06 01:11 68,608 --ah----- c:\windows\system32\hjuytd.exe

2009-01-04 23:05 . 2009-01-04 23:05 74,752 --ah----- c:\windows\system32\adgoms.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-03 21:52 39,936 ----a-w c:\windows\system32\wmfptc32.dll

2009-01-19 01:35 --------- d-----w c:\program files\iTunes

2009-01-16 13:08 121,344 ----a-w c:\windows\Internet Logs\xDB24C.tmp

2009-01-14 22:45 --------- d-----w c:\program files\SpywareBlaster

2009-01-14 22:45 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-01-12 14:49 --------- d-----w c:\program files\Opera

2008-12-30 15:50 73,216 ---ha-w c:\windows\system32\okxfeof.exe

2005-11-28 14:47 21 ----a-w c:\program files\AVPersonalAVWIN.INI

2001-11-23 04:08 712,704 ----a-w c:\windows\inf\OTHER\AUDIO3D.DLL

.

------- Sigcheck -------

2004-08-04 00:56 44032 97e1ef029c968b457abb70e28f27b892 c:\windows\$NtServicePackUninstall$\ctfmon.exe

2008-04-14 05:42 44032 1b513a83c7b862daca38de1b731c0040 c:\windows\ServicePackFiles\i386\ctfmon.exe

2009-01-15 21:03 89088 35eb8dce4aab288029eff8bc9e9a6486 c:\windows\system32\ctfmon.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2009-01-15 89088]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-19 1900544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"B'sCLiP"="c:\progra~1\B'SCLI~1\Win2K\BSCLIP.exe" [2007-11-17 1499136]

"WinampAgent"="c:\program files\Winamp\Winampa.exe" [2007-11-17 132608]

"PCguardadvisor.exe"="c:\program files\blueyonder\PCguard advisor\PCguardadvisor.exe" [2007-11-17 2007040]

"PCguard"="c:\program files\blueyonder\PCguard\Rps.exe" [2007-11-17 393216]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-17 274432]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-19 352256]

"UeQaYzakOp"="c:\windows\system32\hdhgufd.exe" [2009-02-03 43520]

"Ptipbmf"="ptipbmf.dll" [2003-06-05 c:\windows\system32\ptipbmf.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2009-01-15 89088]

c:\documents and settings\User One\Start Menu\Programs\Startup\

OpenOffice.org 1.0.1.lnk - c:\program files\OpenOffice.org1.0.1\program\quickstart.exe [10/28/2007 11:08:48 AM 180224]

OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [1/15/2009 9:03:33 PM 457728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

CoreCenter.lnk - c:\program files\MSI\Core Center\CoreCenter.exe [12/4/2007 8:59:16 PM 2613248]

RAMASST.lnk - c:\windows\system32\RAMASST.exe [9/28/2007 11:02:55 AM 197656]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2002-03-28 77824]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [3/19/2004 5:47:29 PM 9344]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/22/2008 11:06:00 AM 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/22/2008 11:05:58 AM 55024]

R2 BsUDF;B.H.A UDF Filesystem;c:\windows\system32\drivers\BsUDF.sys [3/19/2004 5:47:28 PM 390400]

R3 s3legacy;s3legacy;c:\windows\system32\drivers\s3legacy.sys [3/18/2004 6:06:37 PM 65664]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/22/2008 11:06:02 AM 7408]

R4 NdisFileServices32;NdisFileServices32;c:\windows\system32\drivers\kljgkg.sys [1/14/2009 7:44:07 PM 5109]

S2 AVWUpSrv;AntiVir Update;"c:\program files\AVPersonal\AVWUPSRV.EXE" --> c:\program files\AVPersonal\AVWUPSRV.EXE [?]

S3 avgntdd;avgntdd;c:\program files\AVPersonal\AVGNTDD.SYS [12/10/2004 12:46:36 PM 32560]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCAlertDriver

*Deregistered* - RushTopDevice

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe

HKLM-Run-KHVUII_akXLNZ_J - c:\windows\system32\bdfyytlfshlqh.exe

HKLM-Run-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_07\bin\jusched.exe

HKLM-Run-ZoneAlarm Client - c:\program files\Zone Labs\ZoneAlarm\zlclient.exe

HKLM-Run-Cmaudio - cmicnfg.cpl

.

------- Supplementary Scan -------

.

uStart Page = about:blank

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-03 21:59:17

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1008)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\adsldpc.dll

.

Completion time: 2009-02-03 22:01:51

ComboFix-quarantined-files.txt 2009-02-03 22:01:49

Pre-Run: 79,794,221,056 bytes free

Post-Run: 80,398,155,776 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

180

--------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:12:00, on 03/02/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\blueyonder\PCguard\fws.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\DVDRAMSV.exe

C:\Program Files\Common Files\Command Software\dvpapi.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\RAMASST.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.demon.net/"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)

N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\blueyonder\PCguard\FBHR.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode

O4 - HKLM\..\Run: [b'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"

O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\Rps.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ueQaYzakOp] C:\WINDOWS\system32\hdhgufd.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe

O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe

O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: AntiVir Service (AntiVirService) - Unknown owner - C:\Program Files\AVPersonal\AVGUARD.EXE (file missing)

O23 - Service: AntiVir Update (AVWUpSrv) - Unknown owner - C:\Program Files\AVPersonal\AVWUPSRV.EXE (file missing)

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe

O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe

--

End of file - 5763 bytes


  • Root Admin

STEP 1

Please download this tool and run it and then post back the results. reglooks.exe

STEP 2

With all other applications closed (Taskbar empty), open HijackThis again and run Do a system scan only and place a check mark on the following items.

  • O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
  • O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
  • O4 - HKLM\..\Run: [ueQaYzakOp] C:\WINDOWS\system32\hdhgufd.exe
  • O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
  • O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dl

Then Quit All Browsers including the one you're reading this in now.

Then click on Fix checked and then quit HJT.

STEP 3

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

When we're done you can go back and install the latest version but for now please do not install any.

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply

Then look for the following Java folders and if found delete them.

C:\Program Files\Java

C:\Program Files\Common Files\Java

C:\Documents and Settings\All Users\Application Data\Java

C:\Documents and Settings\All Users\Application Data\Sun\Java

C:\Documents and Settings\username\Application Data\Java

C:\Documents and Settings\username\Application Data\Sun\Java

STEP 4

  • Download and install CCleaner
  • Double-click on the downloaded file "ccsetup216.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

STEP 5

Please download Avenger 2.0 from here

Open and copy the program file avenger.exe to your Desktop then double click to start it.

Copy and paste the following text from the code box below into the main window of Avenger.

Drivers to delete:
NdisFileServices32

Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisFileServices32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDISFILESERVICES32


Files to delete:
c:\windows\system32\drivers\kljgkg.sys
c:\windows\system32\hdhgufd.exe
c:\windows\system32\pphednnflwgjxq.exe
c:\windows\system32\johjfcpftwddj.exe
c:\windows\system32\iiznw.exe
c:\windows\system32\upzwec.exe
c:\windows\system32\ahxjq.exe
c:\windows\system32\oesrlrow.exe
c:\windows\system32\fwwamhi.exe
c:\windows\005146_.tmp
c:\windows\system32\javacpl.cpl
c:\windows\002160_.tmp
c:\windows\system32\gbrv.exe
c:\windows\system32\jqwwpb.exe
c:\windows\system32\hjuytd.exe
c:\windows\system32\adgoms.exe
c:\windows\system32\wmfptc32.dll
c:\windows\Internet Logs\xDB24C.tmp
c:\windows\system32\okxfeof.exe
  • Do not check any other boxes, uncheck Scan for Rootkits if it's checked
  • Close all other running applications
  • After pasting the text into the main window, click on Execute

Once Avenger is done run MBAM, go to the UPDATE tab and update the program again and do a Quick Scan.

Fix anything found and reboot the computer. Then run a new HJT log and post back all logs.

STEP 6

Now let's see if you can run MBAM or not.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot run HJT, Do a system scan and save a logfile

Then post back NEW MBAM and HJT logs in that order please.


Hello malwarebytes,

Thank you again for your full and clear response; I appreciate the considerable time and effort you are dedicating to my case.

Report:

STEP 1: reglooks: d/l OK; on running, the program reported a number of 'could not find' and 'does not exist' warnings on its screen; otherwise, it seemed to run and finish OK. Logs pasted below as requested.

STEP 2: HJT: did a scan and checked the 5 items you specified, as requested (of course, the name of the exe file associated with UeQaYzakOp entry changes on every start up, so the file in the list I checked to be fixed had, of course, a different exe name to the one shown in your statement). Clicked fix; seemed to run OK - these items specified were accurately listed in the backups log on completion (did not delete them). IMPORTANT, PLEASE NOTE: a new entry: O4 - HKLM\..\RunServices: [ueQaYzakOp] C:\WINDOWS\system32\nlqpj.exe was generated by the scan; I did NOT check and fix this – but thinking further about it (as I believe UeQaYzakOp is the/a malware) perhaps I should have done?

STEP 3: Java removal; removed Java and Java 6 update 7 via Windows Add/Remove; d/l and ran JavaRa (logs below) seemed OK; later manually deleted, as requested, lots of small files and then folders in C:\Docsandset\username\appdata\Sun\Java, plus a .java folder. Seems to have worked – not present in later logs. Can't find/see any further Java.

STEP 4: CCleaner. d/l and installed to desktop OK (unchecked boxes to leave 'make desktop icon' only in set up). All OK, however, app. would not run: on d/clicking, program loaded and showed its first page normally but only for c. 3 seconds then disappeared from the screen. So, this program was NOT executed at this time. Your comments would be most welcome here.

STEP 5: Avenger: d/l OK; copied and pasted your code as requested into main page. Unchecked roots option as requested and clicked execute. It reported that it had prepared successfully and was ready to execute on rebooting; then did so. System rebooted normally but no sign of Avenger or any report; I cannot be certain that this application ran OK or what the results were.

STEP 6: MBAM: seemed to run OK logs below as requested; HJT: ran OK log below as requested.

Other notes/noticings: 20 or so tmp files remain in Task Manager processes and end process remains disabled; probably not relevant but something odd was happening with Netscape during above step sequence: the icon was replaced by an IE icon; and it was replaced by IE as my default browser.

Thank you once again for your ongoing efforts; it may be cornered but it looks like our malware is not giving up without a fight! A little knowledge is probably a dangerous thing but I'm thinking, by not checking/fixing that other new UeQaYzakOp runservices entry above in Step 2, I may have allowed the malware to slip through again. Please advise.

Fmajor7th

REGLOOKS logfile

version 0.977

08/02/2009 18:18:49.46

running from: "C:\Documents and Settings\User One\My Documents\My Pictures"

--- SSODL regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

only standard or legit regkeys found

--- STS regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

only standard or legit regkeys found

--- USERINIT regkey ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

--- SHELL regkey ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

"Shell"="Explorer.exe"

--- SYSTEM regkey ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

"System"=""

--- APPINIT_DLLS regkey ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

"AppInit_DLLs"=""

--- NOTIFY regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

"!SASWinLogon" "DllName"="C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"

"dimsntfy" "DllName"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\

--- BOOTEXECUTE regkey ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager

BootExecute= autocheck autochk *\0\0

--- PENDINGFILERENAMEOPERATIONS regkey ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager

Pendingfilerenameoperations= \??\C:\Program Files\OpenOffice.org 3\program\quickstart.exe.tmp\0\??\C:\Program Files\OpenOffice.org 3\program\quickstart.exe\0\0

--- SHELLEXECUTEHOOKS regkey ---

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="Eudora's Shell Extension"

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

--- HKLM\Run regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

"Ptipbmf"="rundll32.exe ptipbmf.dll,SetWriteCacheMode"

"B'sCLiP"="C:\\PROGRA~1\\B'SCLI~1\\Win2K\\BSCLIP.exe"

"WinampAgent"="\"C:\\Program Files\\Winamp\\Winampa.exe\""

"PCguardadvisor.exe"="\"C:\\Program Files\\blueyonder\\PCguard advisor\\PCguardadvisor.exe\""

"PCguard"="\"C:\\Program Files\\blueyonder\\PCguard\\Rps.exe\""

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

"UeQaYzakOp"="C:\\WINDOWS\\system32\\nlqpj.exe"

--- HKLM\RunOnce regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

no HKLM RunOnce keys found

--- HKLM\RunOnceEx regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

no HKLM RunOnceEx keys found

--- HKLM\RunServices regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

"UeQaYzakOp"="C:\\WINDOWS\\system32\\nlqpj.exe"

--- HKLM\RunServicesOnce regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

no HKLM RunServicesOnce keys found

--- HKCU\Run regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

--- HKCU\RunOnce regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

no HKCU RunOnce keys found

--- HKCU\RunOnceEx regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

regkey does not exist

--- HKCU\RunServices regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

no HKCU RunServices keys found

--- HKCU\RunServicesOnce regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

no HKCU RunServicesOnce keys found

--- HKU\.DEFAULT\Run regkeys - Default user ---

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

--- HKU\S-1-5-18\Run regkeys - user SYSTEM ---

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

--- HKU\S-1-5-19\Run regkeys - User Lokale service ---

HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

regkey does not exist

--- HKU\S-1-5-20\Run regkeys - User Netwerkservice ---

HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

regkey does not exist

--- HKLM\Explorer\Run regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

no HKLM Explorer\Run keys found

--- HKCU\Explorer\Run regkeys ---

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

no HKCU Explorer\Run keys found

--- Image File Execution regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

no debuggers found

--- BROWSER HELPER OBJECTS regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}" FILE ="C:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll"

"{3C060EA2-E6A9-4E49-A530-D4657B8C449A}" FILE ="C:\\Program Files\\blueyonder\\PCguard\\pkR.dll"

"{53707962-6F74-2D53-2644-206D7942484F}" FILE ="C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll"

"{56071E0D-C61B-11D3-B41C-00E02927A304}" FILE ="C:\\Program Files\\blueyonder\\PCguard\\FBHR.dll"

"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" FILE ="C:\\Program Files\\Java\\jre1.6.0_07\\bin\\ssv.dll"

--- TOOLBAR regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar

no toolbars found

--- URLSEARCHHOOKS regkeys ---

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

only standard regkeys found

--- CONTEXTMENUHANDLERS regkeys ---

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

"Offline Files" CLSID ={750fdf0e-2a26-11d1-a3ea-080036587f03} FILE =%SystemRoot%\System32\cscui.dll

"Open With" CLSID ={09799AFB-AD67-11d1-ABCD-00C04FC30936} FILE =%SystemRoot%\system32\SHELL32.dll

"Open With EncryptionMenu" CLSID ={A470F8CF-A1E8-4f65-8335-227475AA5C46} FILE =%SystemRoot%\system32\SHELL32.dll

"yEnc32" CLSID ={8CDA2F05-B2BA-4AC7-B731-51E9E6B006E1} FILE ="C:\\Program Files\\eSite Media\\yEnc32\\yEnc32Shell.dll"

"{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}" Start Menu Pin FILE =%SystemRoot%\system32\SHELL32.dll

"{CA8ACAFA-5FBB-467B-B348-90DD488DE003}" SUPERAntiSpyware Context Menu FILE ="C:\\Program Files\\SUPERAntiSpyware\\SASCTXMN.DLL"

"{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}" ECHO is off. FILE ="C:\\Program Files\\blueyonder\\PCguard\\AVCntxtR.dll"

HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers

"EncryptionMenu" CLSID ={A470F8CF-A1E8-4f65-8335-227475AA5C46} FILE =%SystemRoot%\system32\SHELL32.dll

"Offline Files" CLSID ={750fdf0e-2a26-11d1-a3ea-080036587f03} FILE =%SystemRoot%\System32\cscui.dll

"Sharing" CLSID ={f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} FILE ="ntshrui.dll"

"{CA8ACAFA-5FBB-467B-B348-90DD488DE003}" SUPERAntiSpyware Context Menu FILE ="C:\\Program Files\\SUPERAntiSpyware\\SASCTXMN.DLL"

"{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}" ECHO is off. FILE ="C:\\Program Files\\blueyonder\\PCguard\\AVCntxtR.dll"

HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers

"MBAMShlExt" CLSID ={57CE581A-0CB6-4266-9CA0-19364C90A0B3} FILE ="C:\\Program Files\\Malwarebytes' Anti-Malware\\mbamext.dll"

"{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}" ECHO is off. FILE ="C:\\Program Files\\blueyonder\\PCguard\\AVCntxtR.dll"

--- SAFEBOOT MINIMAL SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal

no unknown services found

--- SAFEBOOT NETWORK SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network

no unknown services found

--- SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avgntdd

"DisplayName"="avgntdd"

\??\C:\Program Files\AVPersonal\AVGNTDD.SYS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVWUpSrv

"DisplayName"="AntiVir Update"

"C:\Program Files\AVPersonal\AVWUPSRV.EXE"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BsStor

"DisplayName"="B.H.A Storage Helper Driver"

no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BsUDF

"DisplayName"="B.H.A UDF Filesystem"

no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CSS DVP

"DisplayName"="CSS DVP"

System32\DRIVERS\css-dvp.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DVD-RAM_Service

"DisplayName"="DVD-RAM_Service"

C:\WINDOWS\System32\DVDRAMSV.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dvpapi

"DisplayName"="DvpApi"

C:\Program Files\Common Files\Command Software\dvpapi.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\E1000

"DisplayName"="Intel® PRO/1000 Adapter Driver"

System32\DRIVERS\e1000325.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fasttx2k

system32\drivers\fasttx2k.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Freedom

"DisplayName"="Freedom Miniport"

System32\DRIVERS\FREEDOM.SYS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FreeTdi

"DisplayName"="Radialpoint Filter"

System32\Drivers\FreeTdi.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GMSIPCI

"DisplayName"="GMSIPCI"

\??\D:\INSTALL\GMSIPCI.SYS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HCF_MSFT

System32\DRIVERS\HCF_MSFT.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InternetClient

no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\meiudf

"DisplayName"="meiudf"

System32\Drivers\meiudf.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCAlertDriver

"DisplayName"="PCAlertDriver"

\??\C:\Program Files\MSI\Core Center\NTGLM7X.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RP_FWS

"DisplayName"="PCguard Firewall"

C:\Program Files\blueyonder\PCguard\fws.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RushTopDevice

"DisplayName"="RushTopDevice"

\??\C:\Program Files\MSI\Core Center\RushTop.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\s3legacy

System32\DRIVERS\s3legacy.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SASDIFSV

"DisplayName"="SASDIFSV"

\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SASENUM

"DisplayName"="SASENUM"

\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SASKUTIL

"DisplayName"="SASKUTIL"

\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swwd

no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VXD

no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{39993C85-56C8-4EA1-A198-F9864F0EAFCB}

no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{5F161803-BD67-4794-A14E-D67C1A3C0252}

no imagepath value found

--- SECURITYPROVIDERS regkey ---

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

--- SVCHOST regkey ---

HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost

LocalService: Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0

NetworkService: DnsCache\0\0

netsvcs: 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0TermService\0wuauserv\0BITS\0ShellHWDetection\0helpsvc\0xmlprov\0wscsvc\0WmdmPmSN\0napagent\0hkmsvc\0\0

rpcss: RpcSs\0\0

imgsvc: StiSvc\0\0

termsvcs: TermService\0\0

HTTPFilter: HTTPFilter\0\0

DcomLaunch: DcomLaunch\0TermService\0\0

eapsvcs: eaphost\0\0

dot3svc: dot3svc\0\0

--- WOW-CMDLINE regkeys ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW

"cmdline" = %SystemRoot%\system32\ntvdm.exe

"wowcmdline" = %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386

--- DNS SERVER regkeys ---

no "NameServer" values found

--- STARTUP FOLDERS ---

C:\Documents and Settings\User One\Start Menu\Programs\Startup\desktop.ini

C:\Documents and Settings\User One\Start Menu\Programs\Startup\OpenOffice.org 1.0.1.lnk

C:\Documents and Settings\User One\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CoreCenter.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk

--- TASK SCHEDULER JOBS ---

no .job files found

--- File associations ---

.BAT files: ("%1" %*)

.COM files: ("%1" %*)

.EXE files: ("%1" %*)

.HLP files: (%SystemRoot%\System32\winhlp32.exe %1)

.INF files: (%SystemRoot%\System32\NOTEPAD.EXE %1)

.INI files: (%SystemRoot%\System32\NOTEPAD.EXE %1)

.JS files: (%SystemRoot%\System32\WScript.exe "%1" %*)

.PIF files: ("%1" %*)

.REG files: (regedit.exe "%1")

.SCR files: ("%1" /S)

.TXT files: (%SystemRoot%\system32\NOTEPAD.EXE %1)

.VBS files: (%SystemRoot%\System32\WScript.exe "%1" %*)

FINISHED

-----------------------------------------------------

JavaRa 1.13 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Sun Feb 08 18:45:17 2009

Found and removed: C:\Program Files\JavaSoft

------------------------------------

Finished reporting.

------------------------------------

Malwarebytes' Anti-Malware 1.33

Database version: 1739

Windows 5.1.2600 Service Pack 3

08/02/2009 20:55:50

mbam-log-2009-02-08 (20-55-50).txt

Scan type: Quick Scan

Objects scanned: 46118

Time elapsed: 2 minute(s), 54 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptipbmf (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

--------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:26:27, on 08/02/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\blueyonder\PCguard\fws.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\DVDRAMSV.exe

C:\Program Files\Common Files\Command Software\dvpapi.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~3A.tmp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~3B.tmp.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~4B.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~41.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~4A.tmp.exe

C:\Program Files\MSI\Core Center\CoreCenter.exe

C:\WINDOWS\system32\RAMASST.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~6C.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~5D.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~5E.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~70.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~71.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~74.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~78.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~7F.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~80.tmp.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~83.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~85.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~87.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~88.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~8B.tmp.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~8D.tmp.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.demon.net/"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)

N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)

O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\blueyonder\PCguard\FBHR.dll

O4 - HKLM\..\Run: [b'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"

O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\Rps.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ueQaYzakOp] C:\WINDOWS\system32\untoevl.exe

O4 - HKLM\..\RunServices: [ueQaYzakOp] C:\WINDOWS\system32\untoevl.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe

O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe

O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: AntiVir Service (AntiVirService) - Unknown owner - C:\Program Files\AVPersonal\AVGUARD.EXE (file missing)

O23 - Service: AntiVir Update (AVWUpSrv) - Unknown owner - C:\Program Files\AVPersonal\AVWUPSRV.EXE (file missing)

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe

O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe

--

End of file - 6283 bytes

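The HijackThis and reglooks logs above show the same O4 value name (ueQaYzakOp) pointing at a different system32 executable in each scan (hdhgufd.exe, nlqpj.exe, untoevl.exe), which is why fixing the entry by file name does not stick. As an added example that is not part of this thread or of any tool used in it, the Python script below parses the registry-backed O4 lines of two or more HijackThis logs and reports value names whose command changed between scans, plus entries that only appeared in the later log (such as the RunServices copy the poster asked about); the two sample logs are constructed from O4 lines quoted in the thread.

```python
"""Diff HijackThis O4 autorun entries across scans to spot a self-renaming
autorun (same registry value name, different executable after every reboot).

Added example for this thread, not one of the tools the thread uses.
The two sample logs below are constructed from O4 lines quoted in the thread.
"""
import re
from collections import defaultdict

# Matches the registry-backed O4 lines HijackThis emits, for example:
#   O4 - HKLM\..\Run: [ueQaYzakOp] C:\WINDOWS\system32\hdhgufd.exe
#   O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
# Startup-folder O4 lines ("O4 - Startup: ...") do not start with HK and are skipped.
O4_RE = re.compile(r"^O4 - (HK[^:]+): \[([^\]]+)\] (.+)$")

# Constructed sample: first scan, before the HJT "Fix checked" step.
LOG_A = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ueQaYzakOp] C:\WINDOWS\system32\hdhgufd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
"""

# Constructed sample: later scan after a reboot; the same value name is back
# with a new file name, and a RunServices copy of it has appeared.
LOG_B = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ueQaYzakOp] C:\WINDOWS\system32\untoevl.exe
O4 - HKLM\..\RunServices: [ueQaYzakOp] C:\WINDOWS\system32\untoevl.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
"""


def parse_o4(log_text):
    """Return {(registry_key, value_name): command} for the O4 registry lines.

    Value names are lower-cased because HijackThis and reglooks print them
    with different capitalisation ([ueQaYzakOp] vs "UeQaYzakOp").
    """
    entries = {}
    for line in log_text.splitlines():
        match = O4_RE.match(line.strip())
        if match:
            key, name, command = match.groups()
            entries[(key, name.lower())] = command.strip()
    return entries


def changed_autoruns(logs):
    """Given log texts in chronological order, return the entries whose
    command changed while the value name stayed the same, mapped to the
    ordered list of distinct commands seen across the scans."""
    history = defaultdict(list)
    for text in logs:
        for entry, command in parse_o4(text).items():
            if not history[entry] or history[entry][-1] != command:
                history[entry].append(command)
    return {entry: cmds for entry, cmds in history.items() if len(cmds) > 1}


def new_autoruns(earlier, later):
    """Return the set of (key, name, command) present in the later log only."""
    before = parse_o4(earlier)
    return {(key, name, cmd) for (key, name), cmd in parse_o4(later).items()
            if (key, name) not in before}


if __name__ == "__main__":
    for (key, name), cmds in changed_autoruns([LOG_A, LOG_B]).items():
        print(f"renamed: {key} [{name}]: {' -> '.join(cmds)}")
    for key, name, cmd in sorted(new_autoruns(LOG_A, LOG_B)):
        print(f"new:     {key} [{name}] {cmd}")
```

Run on the thread's real logs, the entry this flags is the one to investigate further, regardless of which random file name it carries in the latest scan.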

  • Root Admin

Yeah something still there. Please run this tool.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


Hello again,

Thank you for your reply. I followed your instructions: ComboFix (downloaded/run previously with WRC) ran OK - all 50 stages. It produced a set of logs, pasted below. Since the infection of my machine some months ago, I have run maybe 10-12 different antivirus/spyware programs. ComboFix is the only one that removes the malware tmp files (as the logs for HJT - run immediately after - show) and in doing so, returns my system temporarily to a state of operating and CPU normality. However, the logs also show that what I assume to be the root/spawner of those files - UeQaYzakOp - remains in the system as an HKLM\ \Run entry and an HKLM\ \Runservices entry, ready to do its work again on next start up.

In your previous reply instructions, you asked me to check and fix 5 items in the HJT scan including the UeQaYzakOp entry; I notice that all the other four items have been removed; only this entry was not removed (or has returned). Should I try to check and fix these two items?

CCleaner, loaded as per your instructions last time, still fails to run; the desktop short-cut was also disabled, so I have had to reload the program but with same results. Is this the malware?

Thank you once again for your continued efforts; I look forward to your reply.

Fmajor7th

ComboFix 09-02-02.04 - User One 2009-02-09 21:06:44.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.734 [GMT 0:00]

Running from: c:\documents and settings\User One\Desktop\ComboFix.exe

AV: PCguard Anti-Virus *On-access scanning disabled* (Outdated)

FW: PCguard Firewall *enabled*

.

((((((((((((((((((((((((( Files Created from 2009-01-09 to 2009-02-09 )))))))))))))))))))))))))))))))

.

2009-02-09 17:40 . 2009-02-09 17:40 43,520 --a------ c:\windows\system32\yhixl.exe

2009-02-08 20:43 . 2009-02-09 21:08 5,109 --a------ c:\windows\system32\drivers\kljgkg.sys

2009-02-08 20:41 . 2009-02-08 20:41 3,453 --a------ C:\backup.reg

2009-02-08 19:43 . 2009-02-09 19:19 <DIR> d-------- c:\program files\CCleaner

2009-02-02 14:30 . 2009-02-02 14:30 <DIR> d-------- c:\program files\Trend Micro

2009-01-20 23:01 . 2009-01-20 23:01 <DIR> d-------- c:\windows\Sun

2009-01-18 16:16 . 2009-01-18 16:16 <DIR> d-------- c:\documents and settings\User One\Application Data\Malwarebytes

2009-01-18 16:15 . 2009-01-18 16:15 <DIR> d-------- c:\program files\iPod

2009-01-18 16:15 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-18 16:14 . 2009-01-18 16:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-18 16:14 . 2009-01-18 16:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-18 16:14 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-16 13:05 . 2008-11-13 15:18 1,221,008 --a------ c:\windows\system32\zpeng25.dll

2009-01-16 13:05 . 2009-01-16 13:05 348,220 --a------ c:\windows\system32\vsconfig.xml

2009-01-16 13:05 . 2009-01-16 13:05 4,212 --ah----- c:\windows\system32\zllictbl.dat

2009-01-16 11:29 . 2009-02-04 00:20 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-01-16 11:29 . 2009-01-16 11:29 <DIR> d-------- c:\documents and settings\User One\Application Data\SUPERAntiSpyware.com

2009-01-16 11:29 . 2009-01-16 11:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-01-15 21:03 . 2009-01-15 21:03 89,088 --a------ c:\windows\system32\ctfmon.exe

2009-01-15 17:21 . 2009-01-15 17:21 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2009-01-15 17:16 . 2009-01-15 17:16 <DIR> d-------- c:\windows\system32\scripting

2009-01-15 17:15 . 2008-04-13 22:58 2,940,928 -----c--- c:\windows\system32\dllcache\wmploc.dll

2009-01-15 17:14 . 2008-04-14 05:43 2,109,440 -----c--- c:\windows\system32\dllcache\wmvcore.dll

2009-01-15 17:14 . 2008-04-14 05:42 809,984 -----c--- c:\windows\system32\dllcache\wmvdmod.dll

2009-01-15 17:14 . 2008-04-14 05:42 759,296 -----c--- c:\windows\system32\dllcache\wmsdmod.dll

2009-01-15 17:14 . 2008-04-14 05:42 303,616 -----c--- c:\windows\system32\dllcache\wmstream.dll

2009-01-15 17:14 . 2008-04-14 05:42 278,559 -----c--- c:\windows\system32\dllcache\wmv8ds32.ax

2009-01-15 17:14 . 2008-04-14 05:42 258,048 -----c--- c:\windows\system32\dllcache\wmvds32.ax

2009-01-15 17:14 . 2008-04-13 22:06 144,384 --------- c:\windows\system32\drivers\hdaudbus.sys

2009-01-15 17:14 . 2008-04-14 05:42 115,200 -----c--- c:\windows\system32\dllcache\wmsdmoe.dll

2009-01-15 17:14 . 2008-04-14 05:42 20,480 -----c--- c:\windows\system32\dllcache\wmpui.dll

2009-01-15 17:13 . 2008-04-14 00:10 10,240 --------- c:\windows\system32\drivers\sffp_mmc.sys

2009-01-14 20:50 . 2009-01-14 20:50 <DIR> d-------- c:\documents and settings\User One\Application Data\OpenOffice.org

2009-01-14 20:48 . 2009-01-14 20:48 <DIR> d-------- c:\program files\OpenOffice.org 3

2009-01-14 20:45 . 2009-01-14 20:46 <DIR> d-------- c:\program files\OpenOfficeorg3

2009-01-13 13:51 . 2008-04-14 05:42 221,184 --a------ c:\windows\system32\wmpns.dll

2009-01-13 13:47 . 2009-01-15 17:17 <DIR> d-------- c:\windows\ServicePackFiles

2009-01-13 13:46 . 2008-04-13 23:09 2,897,920 --------- c:\windows\system32\xpsp2res.dll

2009-01-13 13:45 . 2007-08-10 20:46 26,488 --a------ c:\windows\system32\spupdsvc.exe

2009-01-13 13:43 . 2009-01-15 17:09 <DIR> d-------- c:\windows\EHome

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-09 17:39 39,936 ----a-w c:\windows\system32\wmfptc32.dll

2009-02-09 14:01 --------- d-----w c:\program files\True Sword 4

2009-01-19 01:35 --------- d-----w c:\program files\iTunes

2009-01-14 22:45 --------- d-----w c:\program files\SpywareBlaster

2009-01-14 22:45 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-01-12 14:49 --------- d-----w c:\program files\Opera

2005-11-28 14:47 21 ----a-w c:\program files\AVPersonalAVWIN.INI

2001-11-23 04:08 712,704 ----a-w c:\windows\inf\OTHER\AUDIO3D.DLL

.

------- Sigcheck -------

2004-08-04 00:56 44032 97e1ef029c968b457abb70e28f27b892 c:\windows\$NtServicePackUninstall$\ctfmon.exe

2008-04-14 05:42 44032 1b513a83c7b862daca38de1b731c0040 c:\windows\ServicePackFiles\i386\ctfmon.exe

2009-01-15 21:03 89088 35eb8dce4aab288029eff8bc9e9a6486 c:\windows\system32\ctfmon.exe

.

((((((((((((((((((((((((((((( snapshot@2009-02-03_21.59.33.65 )))))))))))))))))))))))))))))))))))))))))

.

- 2000-08-31 08:00:00 89,504 ----a-w c:\windows\fdsv.exe

+ 2000-08-31 08:00:00 114,688 ----a-w c:\windows\fdsv.exe

- 2000-08-31 08:00:00 80,412 ----a-w c:\windows\grep.exe

+ 2000-08-31 08:00:00 109,056 ----a-w c:\windows\grep.exe

- 2000-08-31 08:00:00 98,816 ----a-w c:\windows\sed.exe

+ 2000-08-31 08:00:00 127,488 ----a-w c:\windows\sed.exe

- 2000-08-31 08:00:00 136,704 ----a-w c:\windows\SWSC.exe

+ 2000-08-31 08:00:00 165,376 ----a-w c:\windows\SWSC.exe

- 2000-08-31 08:00:00 212,480 ----a-w c:\windows\SWXCACLS.exe

+ 2000-08-31 08:00:00 241,152 ----a-w c:\windows\SWXCACLS.exe

+ 2009-02-09 21:06:56 16,384 ----atw c:\windows\temp\Perflib_Perfdata_ec8.dat

- 2000-08-31 08:00:00 49,152 ----a-w c:\windows\VFIND.exe

+ 2000-08-31 08:00:00 77,824 ----a-w c:\windows\VFIND.exe

- 2000-08-31 08:00:00 68,096 ----a-w c:\windows\zip.exe

+ 2000-08-31 08:00:00 96,768 ----a-w c:\windows\zip.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2009-01-15 89088]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-04 1945600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"B'sCLiP"="c:\progra~1\B'SCLI~1\Win2K\BSCLIP.exe" [2007-11-17 1499136]

"WinampAgent"="c:\program files\Winamp\Winampa.exe" [2007-11-17 132608]

"PCguardadvisor.exe"="c:\program files\blueyonder\PCguard advisor\PCguardadvisor.exe" [2007-11-17 2007040]

"PCguard"="c:\program files\blueyonder\PCguard\Rps.exe" [2007-11-17 393216]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-17 274432]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-19 352256]

"UeQaYzakOp"="c:\windows\system32\yhixl.exe" [2009-02-09 43520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

"UeQaYzakOp"="c:\windows\system32\yhixl.exe" [2009-02-09 43520]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2009-01-15 89088]

c:\documents and settings\User One\Start Menu\Programs\Startup\

OpenOffice.org 1.0.1.lnk - c:\program files\OpenOffice.org1.0.1\program\quickstart.exe [10/28/2007 11:08:48 AM 180224]

OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [1/15/2009 9:03:33 PM 457728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

CoreCenter.lnk - c:\program files\MSI\Core Center\CoreCenter.exe [12/4/2007 8:59:16 PM 2613248]

RAMASST.lnk - c:\windows\system32\RAMASST.exe [9/28/2007 11:02:55 AM 197656]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2002-03-28 77824]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [3/19/2004 5:47:29 PM 9344]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/22/2008 11:06:00 AM 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/22/2008 11:05:58 AM 55024]

R2 BsUDF;B.H.A UDF Filesystem;c:\windows\system32\drivers\BsUDF.sys [3/19/2004 5:47:28 PM 390400]

R3 s3legacy;s3legacy;c:\windows\system32\drivers\s3legacy.sys [3/18/2004 6:06:37 PM 65664]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/22/2008 11:06:02 AM 7408]

R4 NdisFileServices32;NdisFileServices32;c:\windows\system32\drivers\kljgkg.sys [2/8/2009 8:43:34 PM 5109]

S2 AVWUpSrv;AntiVir Update;"c:\program files\AVPersonal\AVWUPSRV.EXE" --> c:\program files\AVPersonal\AVWUPSRV.EXE [?]

S3 avgntdd;avgntdd;c:\program files\AVPersonal\AVGNTDD.SYS [12/10/2004 12:46:36 PM 32560]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCAlertDriver

*Deregistered* - RushTopDevice

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-09 21:07:59

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1012)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

Completion time: 2009-02-09 21:09:58

ComboFix-quarantined-files.txt 2009-02-09 21:09:57

Pre-Run: 79,531,171,840 bytes free

Post-Run: 79,572,631,552 bytes free

162

-------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:29:51, on 09/02/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\blueyonder\PCguard\fws.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\DVDRAMSV.exe

C:\Program Files\Common Files\Command Software\dvpapi.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\RAMASST.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.demon.net/"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)

N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)

O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\blueyonder\PCguard\FBHR.dll

O4 - HKLM\..\Run: [b'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"

O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\Rps.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ueQaYzakOp] C:\WINDOWS\system32\yhixl.exe

O4 - HKLM\..\RunServices: [ueQaYzakOp] C:\WINDOWS\system32\yhixl.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe

O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe

O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: AntiVir Service (AntiVirService) - Unknown owner - C:\Program Files\AVPersonal\AVGUARD.EXE (file missing)

O23 - Service: AntiVir Update (AVWUpSrv) - Unknown owner - C:\Program Files\AVPersonal\AVWUPSRV.EXE (file missing)

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe

O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe

--

End of file - 5247 bytes


  • Root Admin

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

Driver::
NdisFileServices32

File::
c:\windows\system32\yhixl.exe
c:\windows\system32\drivers\kljgkg.sys
c:\windows\system32\drivers\kljgkg.sys
C:\backup.reg
c:\windows\system32\vsconfig.xml
c:\windows\system32\wmfptc32.dll


Folder::
c:\windows\Sun

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UeQaYzakOp"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"UeQaYzakOp"=-

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log please.


Hello again,

Thanks for your reply – your instructions were very clear/straightforward. I deleted old CFix and d/l a fresh copy to my desktop; I copied your code to a Notepad file and named/located it as instructed. Because the UeQaYzakOp entry creates a new name for its exe file in its Windows\system32\ folder upon each start up, the name of the file today (I switch my machine off every night), was, of course, not yhixl.exe (as cited in your code) but txzskjybuznpz.exe (which you could not have known, of course). As I assume you are trying to delete this file, I took the initiative of carefully adding a single line with this file name into the deletions list in the Notepad script file. I hope this was the correct thing to do? (Of course, with the reboot between CF's execution and its log creation, the name of the exe file had changed again, this time to axhkssnsbzm). I assume with the registry deletions that you specified, your dash character in the code covers all/any file names that follow; having said that, I did not see any mention of registry changes whilst CF was running, and these actions appear not to be explicitly reported in the logs.

Anyway, I closed everything down and drag/dropped the script onto CF which then started and appeared to run fine, listing its commands and all 50 stages, no problem. It rebooted and created the log below; I've also appended the catchme log which was produced. Unfortunately, it appears UeQaYzakOp is still with us and all its derivative tmp files are back running as processes; I was hopeful of CF, as it looks so promising but it seems not to have worked on this attempt.

I guess this little bug has buried itself deep in my system and is hell-bent on survival... I continue to appreciate the time and effort you are dedicating to my case and look forward to your reply.

Fmajor7th

ComboFix 09-02-08.02 - User One 2009-02-10 15:06:40.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.740 [GMT 0:00]

Running from: c:\documents and settings\User One\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\User One\Desktop\CFscript.txt

AV: PCguard Anti-Virus *On-access scanning disabled* (Outdated)

FW: PCguard Firewall *enabled*

* Created a new restore point

FILE ::

C:\backup.reg

c:\windows\system32\drivers\kljgkg.sys

c:\windows\system32\txzskjybuznpz.exe

c:\windows\system32\vsconfig.xml

c:\windows\system32\wmfptc32.dll

c:\windows\system32\yhixl.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\backup.reg

c:\windows\Sun

c:\windows\system32\drivers\kljgkg.sys

c:\windows\system32\txzskjybuznpz.exe

c:\windows\system32\vsconfig.xml

c:\windows\system32\wmfptc32.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NDISFILESERVICES32

-------\Service_NdisFileServices32

((((((((((((((((((((((((( Files Created from 2009-01-10 to 2009-02-10 )))))))))))))))))))))))))))))))

.

2009-02-10 15:08 . 2009-02-10 15:08 43,520 --a------ c:\windows\system32\axhkssnsbzm.exe

2009-02-08 19:43 . 2009-02-10 13:54 <DIR> d-------- c:\program files\CCleaner

2009-02-02 14:30 . 2009-02-02 14:30 <DIR> d-------- c:\program files\Trend Micro

2009-01-18 16:16 . 2009-01-18 16:16 <DIR> d-------- c:\documents and settings\User One\Application Data\Malwarebytes

2009-01-18 16:15 . 2009-01-18 16:15 <DIR> d-------- c:\program files\iPod

2009-01-18 16:15 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-18 16:14 . 2009-01-18 16:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-18 16:14 . 2009-01-18 16:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-18 16:14 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-16 13:05 . 2008-11-13 15:18 1,221,008 --a------ c:\windows\system32\zpeng25.dll

2009-01-16 13:05 . 2009-01-16 13:05 4,212 --ah----- c:\windows\system32\zllictbl.dat

2009-01-16 11:29 . 2009-02-04 00:20 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-01-16 11:29 . 2009-01-16 11:29 <DIR> d-------- c:\documents and settings\User One\Application Data\SUPERAntiSpyware.com

2009-01-16 11:29 . 2009-01-16 11:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-01-15 21:03 . 2009-01-15 21:03 89,088 --a------ c:\windows\system32\ctfmon.exe

2009-01-15 17:21 . 2009-01-15 17:21 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2009-01-15 17:16 . 2009-01-15 17:16 <DIR> d-------- c:\windows\system32\scripting

2009-01-15 17:15 . 2008-04-13 22:58 2,940,928 -----c--- c:\windows\system32\dllcache\wmploc.dll

2009-01-15 17:14 . 2008-04-14 05:43 2,109,440 -----c--- c:\windows\system32\dllcache\wmvcore.dll

2009-01-15 17:14 . 2008-04-14 05:42 809,984 -----c--- c:\windows\system32\dllcache\wmvdmod.dll

2009-01-15 17:14 . 2008-04-14 05:42 759,296 -----c--- c:\windows\system32\dllcache\wmsdmod.dll

2009-01-15 17:14 . 2008-04-14 05:42 303,616 -----c--- c:\windows\system32\dllcache\wmstream.dll

2009-01-15 17:14 . 2008-04-14 05:42 278,559 -----c--- c:\windows\system32\dllcache\wmv8ds32.ax

2009-01-15 17:14 . 2008-04-14 05:42 258,048 -----c--- c:\windows\system32\dllcache\wmvds32.ax

2009-01-15 17:14 . 2008-04-13 22:06 144,384 --------- c:\windows\system32\drivers\hdaudbus.sys

2009-01-15 17:14 . 2008-04-14 05:42 115,200 -----c--- c:\windows\system32\dllcache\wmsdmoe.dll

2009-01-15 17:14 . 2008-04-14 05:42 20,480 -----c--- c:\windows\system32\dllcache\wmpui.dll

2009-01-15 17:13 . 2008-04-14 00:10 10,240 --------- c:\windows\system32\drivers\sffp_mmc.sys

2009-01-14 20:50 . 2009-01-14 20:50 <DIR> d-------- c:\documents and settings\User One\Application Data\OpenOffice.org

2009-01-14 20:48 . 2009-01-14 20:48 <DIR> d-------- c:\program files\OpenOffice.org 3

2009-01-14 20:45 . 2009-01-14 20:46 <DIR> d-------- c:\program files\OpenOfficeorg3

2009-01-13 13:51 . 2008-04-14 05:42 221,184 --a------ c:\windows\system32\wmpns.dll

2009-01-13 13:47 . 2009-01-15 17:17 <DIR> d-------- c:\windows\ServicePackFiles

2009-01-13 13:46 . 2008-04-13 23:09 2,897,920 --------- c:\windows\system32\xpsp2res.dll

2009-01-13 13:45 . 2007-08-10 20:46 26,488 --a------ c:\windows\system32\spupdsvc.exe

2009-01-13 13:43 . 2009-01-15 17:09 <DIR> d-------- c:\windows\EHome

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-09 14:01 --------- d-----w c:\program files\True Sword 4

2009-01-19 01:35 --------- d-----w c:\program files\iTunes

2009-01-14 22:45 --------- d-----w c:\program files\SpywareBlaster

2009-01-14 22:45 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-01-12 14:49 --------- d-----w c:\program files\Opera

2005-11-28 14:47 21 ----a-w c:\program files\AVPersonalAVWIN.INI

2001-11-23 04:08 712,704 ----a-w c:\windows\inf\OTHER\AUDIO3D.DLL

.

------- Sigcheck -------

2004-08-04 00:56 44032 97e1ef029c968b457abb70e28f27b892 c:\windows\$NtServicePackUninstall$\ctfmon.exe

2008-04-14 05:42 44032 1b513a83c7b862daca38de1b731c0040 c:\windows\ServicePackFiles\i386\ctfmon.exe

2009-01-15 21:03 89088 35eb8dce4aab288029eff8bc9e9a6486 c:\windows\system32\ctfmon.exe

.

((((((((((((((((((((((((((((( snapshot@2009-02-03_21.59.33.65 )))))))))))))))))))))))))))))))))))))))))

.

+ 2005-10-20 20:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE

- 2000-08-31 08:00:00 89,504 ----a-w c:\windows\fdsv.exe

+ 2000-08-31 08:00:00 114,688 ----a-w c:\windows\fdsv.exe

- 2000-08-31 08:00:00 80,412 ----a-w c:\windows\grep.exe

+ 2000-08-31 08:00:00 109,056 ----a-w c:\windows\grep.exe

- 2000-08-31 08:00:00 98,816 ----a-w c:\windows\sed.exe

+ 2000-08-31 08:00:00 127,488 ----a-w c:\windows\sed.exe

- 2000-08-31 08:00:00 136,704 ----a-w c:\windows\SWSC.exe

+ 2000-08-31 08:00:00 165,376 ----a-w c:\windows\SWSC.exe

- 2000-08-31 08:00:00 212,480 ----a-w c:\windows\SWXCACLS.exe

+ 2000-08-31 08:00:00 241,152 ----a-w c:\windows\SWXCACLS.exe

+ 2009-02-10 15:08:46 16,384 ----atw c:\windows\temp\Perflib_Perfdata_84c.dat

- 2000-08-31 08:00:00 49,152 ----a-w c:\windows\VFIND.exe

+ 2000-08-31 08:00:00 77,824 ----a-w c:\windows\VFIND.exe

- 2000-08-31 08:00:00 68,096 ----a-w c:\windows\zip.exe

+ 2000-08-31 08:00:00 96,768 ----a-w c:\windows\zip.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2009-01-15 89088]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-04 1945600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"B'sCLiP"="c:\progra~1\B'SCLI~1\Win2K\BSCLIP.exe" [2007-11-17 1499136]

"WinampAgent"="c:\program files\Winamp\Winampa.exe" [2007-11-17 132608]

"PCguardadvisor.exe"="c:\program files\blueyonder\PCguard advisor\PCguardadvisor.exe" [2007-11-17 2007040]

"PCguard"="c:\program files\blueyonder\PCguard\Rps.exe" [2007-11-17 393216]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-17 274432]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-19 352256]

"UeQaYzakOp"="c:\windows\system32\axhkssnsbzm.exe" [2009-02-10 43520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

"UeQaYzakOp"="c:\windows\system32\axhkssnsbzm.exe" [2009-02-10 43520]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2009-01-15 89088]

c:\documents and settings\User One\Start Menu\Programs\Startup\

OpenOffice.org 1.0.1.lnk - c:\program files\OpenOffice.org1.0.1\program\quickstart.exe [10/28/2007 11:08:48 AM 180224]

OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [1/15/2009 9:03:33 PM 457728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

CoreCenter.lnk - c:\program files\MSI\Core Center\CoreCenter.exe [12/4/2007 8:59:16 PM 2613248]

RAMASST.lnk - c:\windows\system32\RAMASST.exe [9/28/2007 11:02:55 AM 197656]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2002-03-28 77824]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [3/19/2004 5:47:29 PM 9344]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/22/2008 11:06:00 AM 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/22/2008 11:05:58 AM 55024]

R2 BsUDF;B.H.A UDF Filesystem;c:\windows\system32\drivers\BsUDF.sys [3/19/2004 5:47:28 PM 390400]

R3 s3legacy;s3legacy;c:\windows\system32\drivers\s3legacy.sys [3/18/2004 6:06:37 PM 65664]

S2 AVWUpSrv;AntiVir Update;"c:\program files\AVPersonal\AVWUPSRV.EXE" --> c:\program files\AVPersonal\AVWUPSRV.EXE [?]

S3 avgntdd;avgntdd;c:\program files\AVPersonal\AVGNTDD.SYS [12/10/2004 12:46:36 PM 32560]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/22/2008 11:06:02 AM 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NDISFILESERVICES32

*NewlyCreated* - PCALERTDRIVER

*NewlyCreated* - RUSHTOPDEVICE

*Deregistered* - PCAlertDriver

*Deregistered* - RushTopDevice

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-10 15:08:41

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1008)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\blueyonder\PCguard\fws.exe

c:\windows\system32\DVDRAMSV.exe

c:\program files\Common Files\Command Software\dvpapi.exe

c:\windows\system32\axhkssnsbzm.exe~1.tmp.exe

c:\docume~1\USERON~1\LOCALS~1\temp\~2.tmp.exe

c:\docume~1\USERON~1\LOCALS~1\temp\~3.tmp.exe

c:\docume~1\USERON~1\LOCALS~1\temp\~5.tmp.exe

c:\docume~1\USERON~1\LOCALS~1\temp\~6.tmp.exe

c:\docume~1\USERON~1\LOCALS~1\temp\~8.tmp.exe

c:\docume~1\USERON~1\LOCALS~1\temp\~B.tmp.exe

c:\docume~1\USERON~1\LOCALS~1\temp\~D.tmp.exe

c:\docume~1\USERON~1\LOCALS~1\temp\~10.tmp.exe

c:\docume~1\USERON~1\LOCALS~1\temp\~12.tmp.exe

c:\docume~1\USERON~1\LOCALS~1\temp\~13.tmp.exe

c:\docume~1\USERON~1\LOCALS~1\temp\~14.tmp.exe

c:\docume~1\USERON~1\LOCALS~1\temp\~1B.tmp.exe

c:\docume~1\USERON~1\LOCALS~1\temp\~1A.tmp.exe

c:\docume~1\USERON~1\LOCALS~1\temp\~1D.tmp.exe

c:\docume~1\USERON~1\LOCALS~1\temp\~20.tmp.exe

c:\program files\iPod\bin\iPodService.exe

c:\docume~1\USERON~1\LOCALS~1\temp\~22.tmp.exe

c:\docume~1\USERON~1\LOCALS~1\temp\~24.tmp.exe

c:\docume~1\USERON~1\LOCALS~1\temp\~26.tmp.exe

c:\program files\OpenOffice.org 3\program\soffice.exe

c:\program files\OpenOffice.org 3\program\soffice.bin

c:\docume~1\USERON~1\LOCALS~1\temp\~28.tmp.exe

.

**************************************************************************

.

Completion time: 2009-02-10 15:11:31 - machine was rebooted

ComboFix-quarantined-files.txt 2009-02-10 15:11:29

ComboFix2.txt 2009-02-09 21:10:00

Pre-Run: 79,426,392,064 bytes free

Post-Run: 79,369,334,784 bytes free

214

------------------------------------

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-10 15:06:49

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden files ...

IPC error: 2 The system cannot find the file specified.

scan completed successfully

hidden files: 0


  • Root Admin

Yes, unfortunately you can't keep rebooting the system, and it should probably be isolated from the other computers on the network.

Let's try this tool and see if it can take care of it or at least most of it for us.

Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

  • Download the Avira AntiVir Rescue System from here
  • Place a blank CD in your burner and double-click on the downloaded file.
  • The program will automatically burn the CD for you.
  • Place the burned CD into the affected computer and start the computer from this CD.
  • On the bottom left side of the screen there are 2 flags. Using your mouse, click on the British flag to use English.
  • Click on the Configuration button.
    • Select Scan all files
    • Select Try to repair infected files and Rename files, if they cannot be removed
    • Select Scan for dialers
    • Select Scan for joke programs (Jokes)
    • Select Scan for games
    • Select Scan for spyware (SPR)
  • Click on Virus scanner
  • Click on Start scanner at the bottom of the screen
  • Currently the program does not support saving a log. Write down the number of items for Records, Suspect files, and Warnings

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Screen resolution problems

Please see the post here if you're unable to view the entire screen of Avira.

Hello again,

Thanks for your further advice/instructions. I downloaded the Avira rescue system and created the boot CD; all OK. I booted my infected PC from this and it loaded what I assume to be a bare-bones Linux OS, followed by the Avira app with the German-language GUI as you described. The video was fine but my mouse was not enabled, so I invoked the command line, but my keyboard was not configured properly either, so I was unable to select/input command-line options with any confidence. I use a somewhat old-fashioned serial mouse/PS2 keyboard; I'm guessing that this is the problem and that maybe the Linux default is a USB mouse and keyboard. I'll have to see if I can get hold of one; it may take a couple of days.

Fmajor7th


  • 2 weeks later...

Hello Malwarebytes,

Sorry, for the delay in responding; I managed to get temporary use of a USB mouse which has resolved the non-configured mouse problem indicated earlier.

I booted the infected PC with the Avira rescue system CD and the GUI loaded fine; I configured and checked the options as you instructed and ran the a/v scanner. I hope the outcome makes sense to someone! The scan only took 18 seconds; it stated it had scanned 35 files and 11 directories; there were a couple of messages in the text report about not being able to read the boot sector but none of these seemed to be significant/terminal and the scan seemed to complete with no abnormalities and produced the message 'scan finished'. Yet, the items for Records were 0, Suspect files 0, and Warnings 0. Presumably, this scan was only looking in very specific places in the root and start-up areas on my hard drive (I'm not sure exactly what /mnt/ - as the default directory - means in Linux); whatever, it did not seem to find/recognise any rogue files there. It's disappointing as, to me, this 'pre-boot' method - i.e. before the malware had had a chance to secure itself - seemed such a good idea...

On rebooting XP from the HD using the normal boot method, the malware temp files processes are all still there; so is, I therefore assume, the root/parent malware agent. Yet, to report more generally, I have noticed that over the last couple of sessions, it seems to me that the malware activity (which usually has the CPU running at 30-50%) is somewhat reduced, despite all the files still being there. I have no idea why this is; whether it is just coincidental, just my imagination or wishful thinking, or that gradually your efforts are beginning to curtail its activities... Whatever, you have my continued thanks; I look forward to hearing further from you.

Fmajor7th


  • Root Admin

Okay, well, let's try to update MBAM and scan with it again. There have been many additions since you last ran the scanner.

The current version is: 1.34 with definitions of 1798

Update and Scan with Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware (Vista users must right-click and choose Run As Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware: select the Update tab and click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot, run HJT: do a system scan and save a logfile.

Then post back NEW MBAM and HJT logs, in that order, please.


Thank you for your reply. I updated MBAM (1.34/1807) and ran it, then rebooted and ran HJT as requested. Please find the logs below. The temp files remain and our old friend UeQaYzakOp is still in residence. It's very strange and frustrating; I just can't see how it is managing to evade so many anti-malware programs. By the way, I have installed a new Epson printer since my last scan. I know your advice elsewhere is not to install new software if infected, so I was waiting until we had got a clean system, but in the end I needed it. The drivers/software were all taken from an official/authorised Epson CD. Thanks once again; I look forward to hearing from you.

Fmajor7th

Malwarebytes' Anti-Malware 1.34

Database version: 1807

Windows 5.1.2600 Service Pack 3

27/02/2009 12:14:16

mbam-log-2009-02-27 (12-14-16).txt

Scan type: Quick Scan

Objects scanned: 69537

Time elapsed: 5 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

-------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:33:04, on 27/02/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\blueyonder\PCguard\fws.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~145.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~14B.tmp.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~147.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~14C.tmp.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEDE.EXE

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~14D.tmp.exe

C:\Program Files\MSI\Core Center\CoreCenter.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~189.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~180.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~18D.tmp.exe

C:\WINDOWS\system32\RAMASST.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~18F.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~193.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~194.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~196.tmp.exe

C:\WINDOWS\System32\DVDRAMSV.exe

C:\Program Files\Common Files\Command Software\dvpapi.exe

C:\WINDOWS\System32\svchost.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~19A.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~19B.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~19C.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~19E.tmp.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~1A2.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~1A4.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~1A6.tmp.exe

C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~1A8.tmp.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.demon.net/"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)

N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)

O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com www.viruslist.ru www3.ca.com

O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\blueyonder\PCguard\FBHR.dll

O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll

O4 - HKLM\..\Run: [b'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"

O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\Rps.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ueQaYzakOp] C:\WINDOWS\system32\qxyvrhl.exe

O4 - HKLM\..\RunServices: [ueQaYzakOp] C:\WINDOWS\system32\qxyvrhl.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [EPSON SX100 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEDE.EXE /FU "C:\WINDOWS\TEMP\E_S1D1.tmp" /EF "HKCU"

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe

O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe

O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: AntiVir Service (AntiVirService) - Unknown owner - C:\Program Files\AVPersonal\AVGUARD.EXE (file missing)

O23 - Service: AntiVir Update (AVWUpSrv) - Unknown owner - C:\Program Files\AVPersonal\AVWUPSRV.EXE (file missing)

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe

O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe

--

End of file - 7992 bytes

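The HJT log above carries four things a responder would pick out by hand: processes running from %TEMP% named ~XXX.tmp.exe, an O4 entry written to both Run and RunServices that points at a vowel-less name in system32, an O1 hosts block that maps AV vendor and Windows Update names to 255.255.255.255, and O23 services whose binary is missing. The following Python script is an added example, not part of this thread and not HijackThis or Malwarebytes code; it applies those four checks to a log. The input is a constructed excerpt modelled on the posted log, and the "no vowels" heuristic and the security-domain list are assumptions, so treat every hit as a lead, not a verdict.

```python
"""Triage a HijackThis (HJT) log for the indicators seen in this thread.

Heuristic only: every hit still needs a human look, and a clean result
proves nothing.
"""
import re
from collections import Counter

# Constructed excerpt modelled on the HJT log posted above; not the full log.
SAMPLE_HJT_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~145.tmp.exe
C:\DOCUME~1\USERON~1\LOCALS~1\Temp\~14B.tmp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEDE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.com dispatch.mcafee.com download.microsoft.com liveupdate.symantec.com windowsupdate.microsoft.com www.sophos.com
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ueQaYzakOp] C:\WINDOWS\system32\qxyvrhl.exe
O4 - HKLM\..\RunServices: [ueQaYzakOp] C:\WINDOWS\system32\qxyvrhl.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O23 - Service: AntiVir Service (AntiVirService) - Unknown owner - C:\Program Files\AVPersonal\AVGUARD.EXE (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Assumed list of names a worm blackholes to cut off AV updates and Windows
# Update; matched as substrings of each host in an O1 line.
SECURITY_DOMAIN_HINTS = (
    "microsoft.com", "symantec.com", "mcafee.com", "sophos.com", "f-secure.com",
    "kaspersky.", "avp.", "trendmicro.com", "nai.com", "networkassociates.com",
    "my-etrust.com", "viruslist.",
)
VOWELS = set("aeiou")

PROCESS_LINE = re.compile(r"^[A-Za-z]:\\")                      # a path under "Running processes:"
ENTRY_LINE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")              # "O4 - ...", "O23 - ..."
O4_LINE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_IN_CMD = re.compile(r'"([^"]+?\.exe)"|(\S+\.exe)', re.IGNORECASE)


def is_temp_executable(path: str) -> bool:
    low = path.lower()
    return low.endswith(".tmp.exe") or "\\temp\\" in low


def looks_random(exe_name: str) -> bool:
    """Crude tell (assumption): five or more letters and not one vowel, e.g. qxyvrhl.exe."""
    stem = exe_name.rsplit(".", 1)[0].lower()
    letters = [c for c in stem if c.isalpha()]
    return len(letters) >= 5 and not any(c in VOWELS for c in letters)


def exe_from_command(cmd: str) -> str:
    """Executable path from an O4 command line, quoted or not."""
    m = EXE_IN_CMD.search(cmd)
    return (m.group(1) or m.group(2)) if m else ""


def triage(log_text: str) -> list:
    """Return one finding dict per indicator: check, detail, line (plus hosts for O1)."""
    findings = []

    def add(check, line, detail, **extra):
        findings.append({"check": check, "detail": detail, "line": line, **extra})

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PROCESS_LINE.match(line):
            if is_temp_executable(line):
                add("temp_executable", line, "process running from a temp directory")
            continue
        m = ENTRY_LINE.match(line)
        if not m:
            continue
        tag, rest = m.groups()
        if tag == "O1" and rest.startswith("Hosts:"):
            tokens = rest[len("Hosts:"):].split()   # IP followed by one or more hosts
            if len(tokens) < 2:
                continue
            ip, hosts = tokens[0], tokens[1:]
            hit = [h for h in hosts if any(hint in h for hint in SECURITY_DOMAIN_HINTS)]
            if hit:
                add("hosts_blocks_security_vendor", line,
                    f"{ip} is mapped to {len(hit)} AV/update hosts", hosts=hit)
        elif tag == "O4":
            o4 = O4_LINE.match(rest)
            if not o4:                       # Startup folder entries use "x.lnk = path"
                continue
            exe_path = exe_from_command(o4.group("cmd"))
            exe_name = exe_path.rsplit("\\", 1)[-1]
            if o4.group("key").lower().endswith("runservices"):
                add("runservices_autostart", line,
                    "RunServices is a Win9x-only key that XP does not process; worms still write it")
            if "\\system32\\" in exe_path.lower() and looks_random(exe_name):
                add("random_name_in_system32", line, f"{exe_name}: no vowels in the name")
        elif tag == "O23" and rest.endswith("(file missing)"):
            add("service_file_missing", line, "service still registered but its binary is gone")
    return findings


def summarize(findings: list) -> dict:
    return dict(Counter(f["check"] for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f['check']}] {f['detail']}\n    {f['line']}")
    print(summarize(triage(SAMPLE_HJT_LOG)))
```

On a real log, read the saved hijackthis.log file and pass its text to triage(). The hosts check is the one worth acting on first: while those names resolve to 255.255.255.255 no scanner on the box can update, which matches the "file missing" AntiVir services and the user's report that tools kept being disabled.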

  • Root Admin

Please run the following AV scanner. First, delete your copy of ComboFix.exe on the desktop and empty your trash.

Then, after you download it, you need to disable any other anti-virus and disconnect from the Internet while it runs.

Please download to your Desktop: Dr.Web CureIt

  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
  • Double-click the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, click on the Complete scan radio button.
  • Then click on the Settings menu on top, then select Change Settings or press the F9 key. You can also change the Language.
  • Choose the Scanning tab and I recommend leaving the Heuristic analysis enabled (this can lead to false positives though)
  • On the File types tab ensure you select All files
  • Click on the Actions tab and set the following:
    • Objects: Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages: Archive = Move, E-mails = Report, Containers = Move
    • Malware: Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave Prompt on Action checked
  • On the Log file tab leave Log to file checked.
  • Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
  • Log mode = Append
  • Encoding = ANSI
  • Details: leave Names of file packers and Statistics checked.
  • Limit log file size = 2048 KB and leave the check mark on Maximum log file size.
  • On the General tab leave the Scan Priority on High
  • Click the Apply button at the bottom, and then the OK button.
  • On the right side under the Dr.Web Anti-Virus logo you will see 3 little buttons. Click the left VCR-style Start button.
  • In this mode it will scan boot sectors of all disks, all removable media, and all local drives
  • The more files and folders you have, the longer the scan will take. On large drives it can take hours to complete.
  • When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.
  • Click 'Yes to all' if it asks if you want to cure/move the files.
  • This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (In this case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new HijackThis log.

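The report that the Save report list step writes (DrWeb.csv) is one semicolon-separated record per object, in the form name;directory;detection;action;, and on a machine like this one it runs to thousands of lines because every restore point and service-pack cache copy of an infected file gets its own record. The Python below is an added example, not Dr.Web's, Malwarebytes' or the poster's code: it sorts such a report into restore-point, service-pack-cache, quarantine and live-system hits, and lists heuristic "Probably ..." detections that received no action so they can be reviewed by hand. The sample records are a constructed excerpt in that format; the path rules used to classify a location (System Volume Information\_restore, a \Quarantine\ folder, ServicePackFiles and $NtServicePackUninstall$) and the cp1252 reading of the "ANSI" log encoding are assumptions.

```python
"""Summarise a Dr.Web CureIt report (DrWeb.csv): split restore-point and
quarantine noise from detections on the live system, and list heuristic hits
that got no action.
"""
from collections import Counter

# Constructed excerpt in the report's own format (name;directory;detection;action;),
# modelled on the log posted in this thread; not a complete report.
SAMPLE_DRWEB_CSV = r"""
regLocal.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups;Probably SCRIPT.Virus;;
SktInstall.exe;C:\Program Files\blueyonder\PCguard;Probably BACKDOOR.Trojan;;
opera.exe;C:\Program Files\Opera;Win32.Sector.28682;Cured.;
HijackThis.exe;C:\Program Files\Trend Micro\HijackThis;Win32.Sector.28682;Cured.;
txzskjybuznpz.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Win32.Proxed;Deleted.;
A0135828.sys;C:\System Volume Information\_restore{E35125BE-A984-4005-8530-69F18F046BAA}\RP900;Trojan.AVKill.295;Deleted.;
A0135853.exe;C:\System Volume Information\_restore{E35125BE-A984-4005-8530-69F18F046BAA}\RP900;Win32.Sector.28682;Cured.;
accwiz.exe;C:\WINDOWS\ServicePackFiles\i386;Win32.Sector.28682;Cured.;
mstmp.html\Script.3;C:\WINDOWS\system32\mstmp.html;Exploit.CodeBase;;
mstmp.html;C:\WINDOWS\system32;Container contains infected objects;Moved.;
hunlornl.exe;C:\WINDOWS\system32;BackDoor.IRC.Sdbot.2665;Deleted.;
win1eb2.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;
"""


def classify_location(directory: str) -> str:
    """Assumed path rules: where on the disk the detected object lived."""
    low = directory.lower()
    if "\\system volume information\\_restore" in low:
        return "restore_point"          # old restore points, inert until restored
    if "\\quarantine\\" in low:
        return "quarantine"             # e.g. ComboFix's C:\Qoobox\Quarantine
    if "\\servicepackfiles\\" in low or "$ntservicepackuninstall$" in low:
        return "servicepack_cache"      # cached/uninstall copies of system binaries
    return "live"


def parse_report(text: str) -> list:
    """One dict per record; 'action' is normalised ('Cured.' -> 'cured', '' -> 'none')."""
    records = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = raw.split(";")
        if len(fields) < 4:             # malformed line: skip rather than guess
            continue
        name, directory, detection, action = fields[:4]
        records.append({
            "name": name,
            "dir": directory,
            "detection": detection,
            "action": action.rstrip(".").lower() or "none",
            "location": classify_location(directory),
            # "mstmp.html\Script.3" is an object inside a container; the
            # container itself carries the action, so the member has none.
            "container_member": "\\" in name,
            "heuristic": detection.startswith("Probably "),
        })
    return records


def summarize_drweb(records: list) -> dict:
    needs_review = [r for r in records
                    if r["action"] == "none" and not r["container_member"]]
    live_removed = [r for r in records
                    if r["location"] == "live" and r["action"] in ("deleted", "moved")]
    live_cured = [r for r in records
                  if r["location"] == "live" and r["action"] == "cured"]
    return {
        "by_location": dict(Counter(r["location"] for r in records)),
        "by_action": dict(Counter(r["action"] for r in records)),
        "live_by_detection": dict(Counter(r["detection"] for r in records
                                          if r["location"] == "live")),
        "needs_review": needs_review,   # no action taken: decide by hand
        "live_removed": live_removed,   # malware components that were really present
        "live_cured": live_cured,       # disinfected in place: candidates for reinstall
    }


def _show(label: str, recs: list) -> None:
    for r in recs:
        print(f"{label:8} {r['detection']:40} {r['dir']}\\{r['name']}")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Real report; "Encoding = ANSI" in the settings above, assumed cp1252 here.
        with open(sys.argv[1], encoding="cp1252", errors="replace") as fh:
            recs = parse_report(fh.read())
    else:
        recs = parse_report(SAMPLE_DRWEB_CSV)
    s = summarize_drweb(recs)
    print("by location:", s["by_location"])
    print("by action:  ", s["by_action"])
    _show("REVIEW", s["needs_review"])
    _show("REMOVED", s["live_removed"])
    _show("CURED", s["live_cured"])
```

Run it as python drweb_triage.py DrWeb.csv. Keeping the three live lists apart is the point: live_removed is what actually needs explaining (how it got there, what it talked to), needs_review is the heuristic hits that still need a decision, and live_cured is where a practitioner would rather replace the binary from install media than trust an in-place disinfection of a program file, which is also what the poster later says they plan to do.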

  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.


Hello Malwarebytes,

I'm sorry for the delay in responding. I had some issues with the Dr.Web scan and was then called away. I downloaded Dr.Web and configured it as you stated in your instructions and then started the express scan. Very quickly it found the malware tmp files and then the root agent and deleted them. This was really encouraging; however, it then started to find all sorts of files including standard utilities and major programs which it stated were all infected and that it would cure. I was still in manual mode (i.e. it was stopping and prompting me for a response on each suspect item) and I wasn't sure if these were false positives or somehow the malware had attached itself to these innocuous files, or had otherwise infected them.

For completeness/security, I decided that I should act upon (i.e. cure/move/delete) everything that it found. The scan had now moved on to the system restore area of my system and was finding hundreds, even thousands, of suspect files. It was impossible to respond to these individually, so I decided to enable the 'yes to all' feature. The scan had now been running for over two hours and the progress bar chart showed that it was only about one third complete. I didn't have enough time to finish the scan so I aborted it and closed everything down. I was able to come back to it three days later with plenty of spare time. I booted my machine up and noticed immediately that the boot-up process was shortened: all the temp malware files previously loaded on start-up were not there. Very encouraging, and the first time it had done that since it had become infected. I re-ran Dr.Web; it ran through quickly to the point I had left off previously, then started to find more files. I enabled 'yes to all' again and allowed it to run. It took over four hours, scanning 350 thousand files and finding nearly 25 thousand problem items - 99% of which were in the system restore or service pack area.

Anyway, the Dr Web log pasted below is therefore not quite fully representative: it does not show the removal of all the malware tmp files and its root agent which were all (apparently) removed on the first Dr. Web (aborted) run and so, were not present on the second scan for it to report. In addition, since there are thousands of virtually identical lines in the log relating to two areas (system restore and XP service packs) I have edited these areas into a couple of representative lines. I hope this is more helpful. After rebooting again at the end of the scan, I can report that none of the malware tmp files, or the root agent, UeQaYzakOp, appear to be present.

In summary, I now have a system that is a little incapacitated and vulnerable due to some of my utilities, anti-malware and even firewall programs, or their components, being disabled. However, this is a small price to pay for what I believe, and as HJT seems to confirm, could be the eradication of my malware. If this is the case, I will wait until the clean up process is complete and I am given the all clear before attempting to restore my disabled apps. (from OEM CDs, back ups and trusted web sites). I look forward to hearing from you.

Fmajor7th.

regLocal.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups;Probably SCRIPT.Virus;;

SktInstall.exe;C:\Program Files\blueyonder\PCguard;Probably BACKDOOR.Trojan;;

opera.exe;C:\Program Files\Opera;Win32.Sector.28682;Cured.;

SimpleFileJoiner.exe;C:\Program Files\Peretek\Simple File Joiner;Win32.Sector.28682;Cured.;

Uninstall.exe;C:\Program Files\Peretek\Simple File Joiner;Win32.Sector.28682;Cured.;

Eudora.exe;C:\Program Files\Qualcomm\Eudora;Win32.Sector.28682;Cured.;

swEudora.exe;C:\Program Files\Qualcomm\Eudora;Win32.Sector.28682;Cured.;

PictureViewer.exe;C:\Program Files\QuickTime;Win32.Sector.28682;Cured.;

QTInfo.exe;C:\Program Files\QuickTime;Win32.Sector.28682;Cured.;

QuickTimePlayer.exe;C:\Program Files\QuickTime;Win32.Sector.28682;Cured.;

fixrjb.exe;C:\Program Files\Real\RealPlayer;Win32.Sector.28682;Cured.;

realjbox.exe;C:\Program Files\Real\RealPlayer;Win32.Sector.28682;Cured.;

rphelperapp.exe;C:\Program Files\Real\RealPlayer;Win32.Sector.28682;Cured.;

setup.exe;C:\Program Files\Real\RealPlayer\Setup;Win32.Sector.28682;Cured.;

spywareblaster.exe;C:\Program Files\SpywareBlaster;Win32.Sector.28682;Cured.;

BootSafe.exe;C:\Program Files\SUPERAntiSpyware;Win32.Sector.28682;Cured.;

RUNSAS.EXE;C:\Program Files\SUPERAntiSpyware;Win32.Sector.28682;Cured.;

SASINST.EXE;C:\Program Files\SUPERAntiSpyware;Win32.Sector.28682;Cured.;

SSUpdate.exe;C:\Program Files\SUPERAntiSpyware;Win32.Sector.28682;Cured.;

HijackThis.exe;C:\Program Files\Trend Micro\HijackThis;Win32.Sector.28682;Cured.;

vlc.exe;C:\Program Files\VideoLAN\VLC;Win32.Sector.28682;Cured.;

UninstWA.exe;C:\Program Files\Winamp;Win32.Sector.28682;Cured.;

winamp.exe;C:\Program Files\Winamp;Win32.Sector.28682;Cured.;

dlimport.exe;C:\Program Files\Windows Media Player;Win32.Sector.28682;Cured.;

hypertrm.exe;C:\Program Files\Windows NT;Win32.Sector.28682;Cured.;

Rar.exe;C:\Program Files\WinRAR;Win32.Sector.28682;Cured.;

Uninstall.exe;C:\Program Files\WinRAR;Win32.Sector.28682;Cured.;

UnRAR.exe;C:\Program Files\WinRAR;Win32.Sector.28682;Cured.;

WinRAR.exe;C:\Program Files\WinRAR;Win32.Sector.28682;Cured.;

txzskjybuznpz.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Win32.Proxed;Deleted.;

wmfptc32.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.AVKill.295;Deleted.;

kljgkg.sys.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers;Trojan.AVKill.295;Deleted.;

A0135828.sys;C:\System Volume Information\_restore{E35125BE-A984-4005-8530-69F18F046BAA}\RP900;Trojan.AVKill.295;Deleted.;

A0135834.dll;C:\System Volume Information\_restore{E35125BE-A984-4005-8530-69F18F046BAA}\RP900;Trojan.AVKill.295;Deleted.;

A0135853.exe;C:\System Volume Information\_restore{E35125BE-A984-4005-8530-69F18F046BAA}\RP900;Win32.Sector.28682;Cured.;

A0135869.exe;C:\System Volume Information\_restore{E35125BE-A984-4005-8530-69F18F046BAA}\RP902;Trojan.Botnetlog.1;Deleted.;

A0135880.exe;C:\System Volume Information\_restore{E35125BE-A984-4005-8530-69F18F046BAA}\RP902;Win32.Proxed;Cured.;

*******EDITED: then follows many thousands of lines increasing incrementally but otherwise virtually identical to one of these five lines above*******

BsUnInst.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;

CmiRmRedundDir.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;

CMIUninstall.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;

fdsv.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;

grep.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;

internt.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;

internt.exe;C:\WINDOWS;Trojan.DownLoader.2163;Deleted.;

IsUninst.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;

N6Uninst.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;

NIRCMD.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;

sed.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;

setdebug.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;

SWREG.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;

SWSC.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;

SWXCACLS.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;

uinst001.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;

VFIND.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;

zip.exe;C:\WINDOWS;Win32.Sector.28682;Cured.;

accwiz.exe;C:\WINDOWS\$NtServicePackUninstall$;Win32.Sector.28682;Cured.;

accwiz.exe.000;C:\WINDOWS\$NtServicePackUninstall$;Win32.Sector.28682;Cured.;

admin.exe;C:\WINDOWS\$NtServicePackUninstall$;Win32.Sector.28682;Cured.;

agentsvr.exe;C:\WINDOWS\$NtServicePackUninstall$;Win32.Sector.28682;Cured.;

********EDITED: then a couple of hundred lines increasing incrementally but otherwise virtually identical to these four lines above*******

setup.exe;C:\WINDOWS\Cache\Adobe Reader 6.0\ENUBIG;Win32.Sector.28682;Cured.;

iTunesSetup.exe;C:\WINDOWS\Downloaded Installations\{1E8CF57A-24E8-4A97-9564-A8F1956C447B};Win32.Sector.28682;Cured.;

copyinf.exe;C:\WINDOWS\Drivers;Win32.Sector.28682;Cured.;

remove.exe;C:\WINDOWS\Drivers\Motorola;Win32.Sector.28682;Cured.;

UNDPX.exe;C:\WINDOWS\Drivers\Old Drivers\WebSTAR;Win32.Sector.28682;Cured.;

UNDPX2.exe;C:\WINDOWS\Drivers\Old Drivers\WebSTAR;Win32.Sector.28682;Cured.;

undpxall.exe;C:\WINDOWS\Drivers\Old Drivers\WebSTAR;Win32.Sector.28682;Cured.;

UNDPX.exe;C:\WINDOWS\Drivers\WebSTAR;Win32.Sector.28682;Cured.;

UNDPX2.exe;C:\WINDOWS\Drivers\WebSTAR;Win32.Sector.28682;Cured.;

UNDPX2A.EXE;C:\WINDOWS\Drivers\WebSTAR;Win32.Sector.28682;Cured.;

UNDPX2K.EXE;C:\WINDOWS\Drivers\WebSTAR;Win32.Sector.28682;Cured.;

undpxall.exe;C:\WINDOWS\Drivers\WebSTAR;Win32.Sector.28682;Cured.;

ERDNT.EXE;C:\WINDOWS\ERDNT\Hiv-backup;Win32.Sector.28682;Cured.;

ERDNT.EXE;C:\WINDOWS\ERDNT\subs;Win32.Sector.28682;Cured.;

ARPPRODUCTICON.exe;C:\WINDOWS\Installer\{1E8CF57A-24E8-4A97-9564-A8F1956C447B};Win32.Sector.28682;Cured.;

NewShortcut3_35AFD495EC2E4B2BB9DB30EEBC74049D.exe;C:\WINDOWS\Installer\{1E8CF57A-24E8-4A97-9564-A8F1956C447B};Win32.Sector.28682;Cured.;

NewShortcut4_8C3BCD70236347B8A53EEE8A82FD5C78.exe;C:\WINDOWS\Installer\{1E8CF57A-24E8-4A97-9564-A8F1956C447B};Win32.Sector.28682;Cured.;

NewShortcut6_35AFD495EC2E4B2BB9DB30EEBC74049D.exe;C:\WINDOWS\Installer\{1E8CF57A-24E8-4A97-9564-A8F1956C447B};Win32.Sector.28682;Cured.;

places.exe;C:\WINDOWS\Installer\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227};Win32.Sector.28682;Cured.;

ARPPRODUCTICON.exe;C:\WINDOWS\Installer\{ACF60000-22B9-4CE9-98D6-2CCF359BAC07};Win32.Sector.28682;Cured.;

_SHCT_Sprint.exe.exe;C:\WINDOWS\Installer\{ACF60000-22B9-4CE9-98D6-2CCF359BAC07};Win32.Sector.28682;Cured.;

IconCDDCBBF13.exe;C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA};Win32.Sector.28682;Cured.;

IconCDDCBBF15.exe;C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA};Win32.Sector.28682;Cured.;

dplaysvr.exe;C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C};Win32.Sector.28682;Cured.;

dpnsvr.exe;C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C};Win32.Sector.28682;Cured.;

dpvsetup.exe;C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C};Win32.Sector.28682;Cured.;

dxdiag.exe;C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C};Win32.Sector.28682;Cured.;

dxdllreg.exe;C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C};Win32.Sector.28682;Cured.;

accwiz.exe;C:\WINDOWS\ServicePackFiles\i386;Win32.Sector.28682;Cured.;

admin.exe;C:\WINDOWS\ServicePackFiles\i386;Win32.Sector.28682;Cured.;

agentsvr.exe;C:\WINDOWS\ServicePackFiles\i386;Win32.Sector.28682;Cured.;

ahui.exe;C:\WINDOWS\ServicePackFiles\i386;Win32.Sector.28682;Cured.;

********EDITED: then a couple of hundred lines increasing incrementally but otherwise virtually identical to these four lines above*******

msmsgs.exe;C:\WINDOWS\ServicePackFiles\ServicePackCache\i386;Win32.Sector.28682;Cured.;

1499fc.dll;C:\WINDOWS\system32;Trojan.DownLoader.49154;Deleted.;

16111b.dll;C:\WINDOWS\system32;Trojan.DownLoader.49154;Deleted.;

18e4c2c.dll;C:\WINDOWS\system32;Trojan.DownLoader.49154;Deleted.;

18f8e9f.dll;C:\WINDOWS\system32;Trojan.DownLoader.49154;Deleted.;

1ba6924.dll;C:\WINDOWS\system32;Trojan.DownLoader.49154;Deleted.;

1ba6981.dll;C:\WINDOWS\system32;Trojan.DownLoader.49154;Deleted.;

2229412.dll;C:\WINDOWS\system32;Trojan.DownLoader.49154;Deleted.;

223c261.dll;C:\WINDOWS\system32;Trojan.DownLoader.49154;Deleted.;

3a5e71.dll;C:\WINDOWS\system32;Trojan.DownLoader.49154;Deleted.;

3bb130.dll;C:\WINDOWS\system32;Trojan.DownLoader.49154;Deleted.;

4da86e.dll;C:\WINDOWS\system32;Trojan.DownLoader.49154;Deleted.;

afb13b.dll;C:\WINDOWS\system32;Trojan.DownLoader.49154;Deleted.;

axhkssnsbzm.exe;C:\WINDOWS\system32;Win32.Proxed;Deleted.;

b0f8fe.dll;C:\WINDOWS\system32;Trojan.DownLoader.49154;Deleted.;

dtsjv.exe;C:\WINDOWS\system32;Win32.Proxed;Deleted.;

hunlornl.exe;C:\WINDOWS\system32;BackDoor.IRC.Sdbot.2665;Deleted.;

ihoahyjtwul.exe;C:\WINDOWS\system32;Win32.Proxed;Deleted.;

kagxne.exe;C:\WINDOWS\system32;BackDoor.IRC.Sdbot.945;Deleted.;

mstmp.html\Script.3;C:\WINDOWS\system32\mstmp.html;Exploit.CodeBase;;

mstmp.html;C:\WINDOWS\system32;Container contains infected objects;Moved.;

nkkwnk.exe;C:\WINDOWS\system32;Trojan.Packed.162;Deleted.;

pdmnt.exe;C:\WINDOWS\system32;BackDoor.IRC.Sdbot.1464;Deleted.;

qeitc.exe;C:\WINDOWS\system32;BackDoor.IRC.Sdbot.945;Deleted.;

stxygc.exe;C:\WINDOWS\system32;BackDoor.IRC.Sdbot.945;Deleted.;

uyufu.exe;C:\WINDOWS\system32;BackDoor.IRC.Sdbot.945;Deleted.;

vsacwp.exe;C:\WINDOWS\system32;BackDoor.IRC.Sdbot.2665;Deleted.;

win1eb2.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;

win21d5.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;

win32ec.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;

win37f7.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;

win4d5.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;

win6a14.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;

win7a5a.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;

win7a85.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;

win7cf0.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;

win81ad.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;

win890b.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;

win970a.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;

win9b02.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;

win9d19.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;

wina1b8.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;

wina374.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;

wina576.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;

wina9d7.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;

winb083.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;

winb45a.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;

winc11e.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;

winc85a.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;

wincf51.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;

wind39c.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;

windadc.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;

windd7a.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;

wineaf9.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;

winf16.dll;C:\WINDOWS\system32;Trojan.Proxy.2798;Deleted.;

wmfptc32.dl_;C:\WINDOWS\system32;Trojan.AVKill.295;Deleted.;

zuuxbjh.exe;C:\WINDOWS\system32;Win32.Virut.5;Cured.;

zuuxbjh.exe;C:\WINDOWS\system32;Win32.Virut.5;Cured.;

zuuxbjh.exe;C:\WINDOWS\system32;BackDoor.IRC.Sdbot.945;Deleted.;

escndv.exe;C:\WINDOWS\twain_32\escndv;Win32.Sector.28682;Cured.;

estwm.exe;C:\WINDOWS\twain_32\escndv;Win32.Sector.28682;Cured.;

estwm.exe;C:\WINDOWS\twain_32\escndv\es0093;Win32.Sector.28682;Cured.;

------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:49:43, on 09/03/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\blueyonder\PCguard\fws.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\DVDRAMSV.exe

C:\Program Files\Common Files\Command Software\dvpapi.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEDE.EXE

C:\WINDOWS\system32\RAMASST.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\Program Files\Opera\opera.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.demon.net/"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)

N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\USER ONE\Application Data\Mozilla\Profiles\default\p5xnmo1h.slt\prefs.js)

O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com www.viruslist.ru www3.ca.com

O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\blueyonder\PCguard\FBHR.dll

O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll

O4 - HKLM\..\Run: [b'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"

O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\Rps.exe"

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [EPSON SX100 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEDE.EXE /FU "C:\WINDOWS\TEMP\E_S1D1.tmp" /EF "HKCU"

O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe

O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe

O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: AntiVir Service (AntiVirService) - Unknown owner - C:\Program Files\AVPersonal\AVGUARD.EXE (file missing)

O23 - Service: AntiVir Update (AVWUpSrv) - Unknown owner - C:\Program Files\AVPersonal\AVWUPSRV.EXE (file missing)

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe

O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe

--

End of file - 6239 bytes


  • Root Admin

You have a VERY NASTY Virus that has many names and versions as it's been around for a while and continues to be updated with new methods.

(PE_SALITY.EK, Virus.Win32.Sality.aa, PE_SALITY.M, New Win32.s, New Malware.ew, Trojan.Agent.AINJ, Virus.Win32.Sality.y, Win32.Sality.OE, PE_SALITY.EN, Win32.Sality.OG, Virus.Win32.Sality.kaka, W32/Sality, Virus.Win32.Sality.2, Win32.Sality.NX, Virus.Win32.Sality.z, Embedded.Win32.Trojan-Downloader.Sality.kaka, Mal_Sality, Win32/Tanatos.A, Win32/Sality.AM, Virus:Win32/Sality.AM, W32/Sality.Y)

Bottom line is that even though Dr Web may have seemingly eradicated it, there is no way you can ever trust this box again without rebuilding it.

Back up all your documents and important items (personal data, work documents, etc.) only. DO NOT back up any executable files (software) or screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, try to avoid backing up compressed (zip/cab/rar) files that have .exe or .scr files inside them. It can penetrate and infect .exe files inside compressed files too.

Disconnect it from any Network and do not share external USB drives or similar devices with any other computer as it can easily infect them as well if they're not protected from this Virus.

Then format the drive and re-install Windows, and make sure you always have up-to-date, continuous live protection enabled.
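The backup advice in the post above (copy documents only; leave out .exe and .scr files and any archive that carries them, because the file infector appends itself to executables and can reach the same file types inside compressed files) can be turned into a pre-backup filter. The script below is an added example, not code from the forum post, Malwarebytes or Dr.Web. It assumes the rules are applied by file extension, which is a heuristic rather than a scan: a renamed executable or an infected document macro would not be caught, so the filter complements, and does not replace, the rebuild the post recommends. Only .zip archives are opened here; .cab and .rar would need additional libraries. The sample directory it walks is constructed in a temporary folder and contains no real malware, just file names.

```python
"""Documents-only backup filter, following the rules given in the post above.

Added example (not the forum's or any vendor's code). Decisions are made by
file extension and, for .zip archives, by the extensions of their members.
"""
import os
import tempfile
import zipfile
from pathlib import Path

# File types the advice says not to back up: the infector appends itself to
# executables and screensavers, and can infect the same types inside archives.
EXECUTABLE_EXTENSIONS = {".exe", ".scr"}
# Only zip is inspected here (stdlib); cab/rar would need extra libraries.
ARCHIVE_EXTENSIONS = {".zip"}


def archive_members(path):
    """Return the member names of a zip archive, or [] if it cannot be read."""
    try:
        with zipfile.ZipFile(path) as zf:
            return zf.namelist()
    except (zipfile.BadZipFile, OSError):
        return []


def classify(path, members=None):
    """Decide what to do with one file.

    Returns 'copy', 'skip-executable' (an .exe/.scr), or
    'skip-archive-with-executable' (a zip that carries an .exe/.scr member).
    `members` lets a caller supply the archive listing directly, e.g. for tests.
    """
    ext = Path(path).suffix.lower()          # case-insensitive: .SCR == .scr
    if ext in EXECUTABLE_EXTENSIONS:
        return "skip-executable"
    if ext in ARCHIVE_EXTENSIONS:
        names = archive_members(path) if members is None else members
        if any(Path(n).suffix.lower() in EXECUTABLE_EXTENSIONS for n in names):
            return "skip-archive-with-executable"
    return "copy"


def plan_backup(root):
    """Walk `root` and group every file by decision (relative, sorted paths)."""
    plan = {"copy": [], "skip-executable": [], "skip-archive-with-executable": []}
    root = Path(root)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            plan[classify(p)].append(rel)
    for paths in plan.values():
        paths.sort()
    return plan


def build_sample_tree(base):
    """Constructed sample directory (hypothetical names, no real malware):
    two documents, an executable, a screensaver, a clean zip and a zip
    that carries an .exe member."""
    base = Path(base)
    (base / "docs").mkdir(parents=True, exist_ok=True)
    (base / "docs" / "report.odt").write_bytes(b"document")
    (base / "docs" / "photo.jpg").write_bytes(b"jpeg")
    (base / "tools.exe").write_bytes(b"MZ")
    (base / "starfield.SCR").write_bytes(b"MZ")
    with zipfile.ZipFile(base / "clean.zip", "w") as zf:
        zf.writestr("notes.txt", "text")
    with zipfile.ZipFile(base / "bundle.zip", "w") as zf:
        zf.writestr("readme.txt", "text")
        zf.writestr("setup/installer.exe", "MZ")
    return base


def demo():
    """Build the constructed tree in a temp directory and return the plan."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return plan_backup(tmp)


if __name__ == "__main__":
    for decision, paths in demo().items():
        print(decision)
        for rel in paths:
            print("   ", rel)
```

On the constructed tree the plan copies the two documents and clean.zip, skips tools.exe and starfield.SCR, and skips bundle.zip because of its setup/installer.exe member. Point `plan_backup()` at a real profile folder to see which items the post's rules would hold back before anything is written to external media.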


  • Root Admin

Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
