Got infected by antivirus 2009


I got this nasty virus from installing a fake video codec... I've managed to remove most of the virus using MBAM. However, it won't remove the infection of the userinit.exe; it keeps on popping up every time I run MBAM even though I removed it the previous time.

I've tried to search for all userinits and it seems there are two more of those. When I upload them to an online scanner, all four show up as infected!

When I enter XP after the log-on screen I have to use Task Manager to manually start explorer, otherwise Windows won't load. And every time I connect to the internet, the virus starts downloading more malware and redirects homepages. I've also tried F-Secure but it's not able to find anything.

I would have reinstalled XP a long time ago if I hadn't had a number of programs installed which I am not able to reinstall easily. Is there any way I can repair the userinit.exe files? Please help me someone!

Malwarebytes' Anti-Malware 1.33

Database version: 1654

Windows 5.1.2600 Service Pack 3

2/2/2009 11:07:04 AM

mbam-log-2009-02-02 (11-07-04).txt

Scan type: Quick Scan

Objects scanned: 80120

Time elapsed: 10 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:08:51, on 2/3/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe

C:\Program Files\F-Secure\Common\FSMA32.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft LifeCam\MSCamS32.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\F-Secure\Anti-Virus\fssm32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Adobe\Distillr\Acrotray.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\vVX3000.exe

C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\F-Secure\Common\FSLAUNCH.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by


Hi. :D

Download ComboFix from one of the locations below, and save it to your Desktop.

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouseclick Combofix's window while it's running. That may cause it to stall.


Thanks for your quick reply!

I downloaded Combofix on the desktop and launched it. It opens up a blue window with no text in it and then nothing happens. I've let it run for 10 min or so.

I ran combofix in safe mode and it worked (though this means I wasn't able to install Windows recovery console)! Here's the log along with the hijack log. Thanks in advance!

ComboFix 09-02-02.04 - okoNK 2009-02-04 10:22:48.1 - NTFSx86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.800 [GMT -5:00]

Running from: c:\documents and settings\okonk\Desktop\ComboFix.exe

AV: F-Secure Client Security 8.00 *On-access scanning enabled* (Updated)

FW: F-Secure Client Security 8.00 *enabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\windows\system32\303374.exe

c:\windows\system32\test.ttt

c:\windows\system32\tmp.reg

c:\windows\system32\uniq.tll

c:\windows\system32\win32hlp.cnf

----- BITS: Possible infected sites -----

hxxp://wsus-srv

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_seneka

((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 )))))))))))))))))))))))))))))))

.

2009-02-04 09:44 . 2009-02-04 09:44 137,280 --a------ c:\windows\system32\drivers\ethorpkk.sys

2009-02-04 09:44 . 2009-02-04 09:44 66,560 ---h----- c:\windows\system32\secupdat.dat

2009-02-04 09:44 . 2009-02-04 09:44 32,768 --ah----- c:\documents and settings\okonk\gma.exe

2009-02-03 21:33 . 2009-02-03 21:33 0 --a------ c:\windows\system32\55B.tmp

2009-02-03 18:04 . 2009-02-03 18:04 <DIR> d-------- c:\program files\Trend Micro

2009-02-03 16:46 . 2009-02-03 16:46 262,144 --a------ c:\documents and settings\TESTKO~3

2009-02-03 16:42 . 2009-02-03 16:42 262,144 --a------ c:\documents and settings\TESTKO~2

2009-02-03 16:32 . 2009-02-03 16:32 262,144 --a------ c:\documents and settings\TESTKO~1

2009-02-03 16:23 . 2009-02-03 16:23 211 --a------ c:\windows\AvDetected.ini

2009-02-03 14:23 . 2009-02-03 14:23 <DIR> d-------- c:\program files\CCleaner

2009-02-03 13:43 . 2009-02-03 13:43 0 --a------ c:\windows\system32\AC.tmp

2009-02-03 08:50 . 2009-02-03 08:50 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-02-03 08:50 . 2009-02-03 08:50 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2009-02-03 08:50 . 2009-02-03 08:50 <DIR> d-------- c:\documents and settings\okonk\Application Data\SUPERAntiSpyware.com

2009-02-03 08:50 . 2009-02-03 08:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-02-02 10:19 . 2009-02-02 10:19 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-02-02 10:19 . 2009-02-02 10:19 <DIR> d-------- c:\documents and settings\okonk\Application Data\Malwarebytes

2009-02-02 10:19 . 2009-02-02 10:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-02-02 10:19 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-02 10:19 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-02-01 22:12 . 2009-02-01 22:12 142,848 --a--c--- c:\windows\system32\dllcache\userinit.exe

2009-02-01 22:03 . 2006-02-27 22:00 221,184 --a------ c:\windows\system32\wmpns.dll

2009-01-26 11:04 . 2009-01-26 11:04 <DIR> d-------- c:\program files\SecureW2

2009-01-26 11:04 . 2009-01-26 11:04 <DIR> d-------- C:\BrownSW

2009-01-23 13:35 . 2009-01-23 13:35 <DIR> d--h----- c:\windows\PIF

2009-01-23 13:32 . 2009-01-23 13:32 <DIR> d-------- c:\documents and settings\okonk\Application Data\Windows Search

2009-01-23 12:48 . 2009-01-25 09:27 115,224 --a------ C:\img2-001.raw

2009-01-23 12:46 . 2008-04-14 05:42 91,136 --a------ c:\windows\system32\kswdmcap.ax

2009-01-23 12:46 . 2008-04-14 05:42 91,136 --a--c--- c:\windows\system32\dllcache\kswdmcap.ax

2009-01-23 12:46 . 2008-04-14 05:42 61,952 --a------ c:\windows\system32\kstvtune.ax

2009-01-23 12:46 . 2008-04-14 05:42 61,952 --a--c--- c:\windows\system32\dllcache\kstvtune.ax

2009-01-23 12:46 . 2008-04-14 05:42 53,760 --a------ c:\windows\system32\vfwwdm32.dll

2009-01-23 12:46 . 2008-04-14 05:42 53,760 --a--c--- c:\windows\system32\dllcache\vfwwdm32.dll

2009-01-23 12:46 . 2008-04-14 05:42 43,008 --a------ c:\windows\system32\ksxbar.ax

2009-01-23 12:46 . 2008-04-14 05:42 43,008 --a--c--- c:\windows\system32\dllcache\ksxbar.ax

2009-01-23 12:46 . 2008-04-14 00:16 17,024 --a------ c:\windows\system32\drivers\CCDECODE.sys

2009-01-23 12:46 . 2008-04-14 00:16 17,024 --a--c--- c:\windows\system32\dllcache\ccdecode.sys

2009-01-23 12:44 . 2009-01-23 12:45 <DIR> d-------- c:\program files\Microsoft LifeCam

2009-01-23 12:44 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\system32\d3dx9_26.dll

2009-01-22 13:23 . 2009-02-01 09:51 <DIR> d-------- c:\documents and settings\okonk\Application Data\skypePM

2009-01-22 13:23 . 2009-01-22 13:23 56 --ah----- c:\windows\system32\ezsidmv.dat

2009-01-22 07:47 . 2009-02-01 13:59 <DIR> d-------- c:\documents and settings\okonk\Application Data\Skype

2009-01-22 07:46 . 2009-01-22 07:46 <DIR> d-------- c:\program files\Skype

2009-01-22 07:46 . 2009-01-22 07:46 <DIR> d-------- c:\program files\Common Files\Skype

2009-01-22 07:46 . 2009-01-22 07:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype

2009-01-21 12:02 . 2009-01-21 12:02 <DIR> d--h----- c:\windows\system32\GroupPolicy

2009-01-21 12:02 . 2009-01-21 12:02 <DIR> d-------- c:\program files\Windows Desktop Search

2009-01-21 12:02 . 2009-01-21 12:02 <DIR> d-------- c:\documents and settings\okonk\Application Data\Windows Desktop Search

2009-01-21 12:01 . 2008-03-07 12:02 192,000 -----c--- c:\windows\system32\dllcache\offfilt.dll

2009-01-21 12:01 . 2008-03-07 12:02 98,304 -----c--- c:\windows\system32\dllcache\nlhtml.dll

2009-01-21 12:01 . 2008-03-07 12:02 29,696 -----c--- c:\windows\system32\dllcache\mimefilt.dll

2009-01-19 06:46 . 2009-02-02 09:54 <DIR> d-------- c:\program files\DNA

2009-01-19 06:46 . 2009-02-02 10:03 <DIR> d-------- c:\documents and settings\okonk\Application Data\DNA

2009-01-15 10:34 . 2009-01-15 10:34 <DIR> d-------- c:\documents and settings\okonk\Application Data\MathWorks

2009-01-15 10:26 . 2004-03-01 16:05 407,104 --a------ c:\windows\system32\MSHFLXGD.OCX

2009-01-15 10:26 . 2004-02-11 08:37 203,976 --a------ c:\windows\system32\RICHTX32.OCX

2009-01-15 10:10 . 2009-01-15 10:10 <DIR> d-------- c:\program files\MATLAB

2009-01-15 10:04 . 2009-01-15 10:04 <DIR> d-------- c:\documents and settings\okonk\Application Data\Corel

2009-01-15 10:03 . 2009-01-15 10:04 313 --a------ c:\windows\PowerReg.dat

2009-01-15 10:02 . 2009-01-15 10:02 <DIR> d-------- c:\windows\Setup

2009-01-15 09:59 . 2009-01-15 09:59 <DIR> d-------- c:\program files\Corel

2009-01-15 09:58 . 2009-01-15 10:03 <DIR> d-------- c:\windows\Corel

2009-01-15 09:55 . 2009-01-22 13:34 33,408 --a------ c:\windows\system32\drivers\fsbts.sys

2009-01-15 09:39 . 2008-10-09 05:18 79,872 --a------ c:\windows\system32\drivers\fsdfw.sys

2009-01-15 09:38 . 2009-01-15 09:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\fssg

2009-01-14 08:43 . 2008-04-13 23:42 159,232 --a------ c:\windows\system32\ptpusd.dll

2009-01-14 08:43 . 2001-08-17 16:36 5,632 --a------ c:\windows\system32\ptpusb.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-04 02:35 --------- d-----w c:\program files\F-Secure

2009-02-03 21:40 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-02 02:22 --------- d-----w c:\documents and settings\okonk\Application Data\F-Secure

2009-01-15 14:39 --------- d-----w c:\documents and settings\All Users\Application Data\F-Secure

2009-01-14 13:50 --------- d-----w c:\program files\GameHouse

.

------- Sigcheck -------

2008-04-13 22:42 1051136 5b7d42a7afcfc1eaed3364598d96588b c:\windows\explorer.exe

2007-06-13 06:26 1050624 1c45e2517832bf15122d5e5db9e36bdb c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

2007-06-13 05:23 1050624 d330f6e056d972b263ee28a437099d87 c:\windows\$NtServicePackUninstall$\explorer.exe

2008-04-13 22:42 1051136 bb27f12114ee0e2888c0c99345b6f408 c:\windows\ServicePackFiles\i386\explorer.exe

2006-02-27 22:00 32768 fd33d84c38fc26ae13acd2882cd7b187 c:\windows\$NtServicePackUninstall$\ctfmon.exe

2008-04-13 22:42 32768 6a06e6a20c51784bcfab72bd8cdd8034 c:\windows\ServicePackFiles\i386\ctfmon.exe

2008-04-13 22:42 32768 4d432029e19854f14a4640d7af2a3c48 c:\windows\system32\ctfmon.exe

2005-06-10 19:17 75264 2a8780d38ea268296db4311925e621e1 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe

2005-06-10 18:53 75264 b66eb7b4766b703ebc5e24674116412a c:\windows\$NtServicePackUninstall$\spoolsv.exe

2008-04-13 22:42 75264 f5b4a3c4bba0c13af4e3fac5bc023e98 c:\windows\ServicePackFiles\i386\spoolsv.exe

2008-04-13 22:42 75264 5b645231ef9bd87dfe8d637ebd9db632 c:\windows\system32\spoolsv.exe

2006-02-27 22:00 41984 ec4cacd518b1b3d3a2be51cd364d7eee c:\windows\$NtServicePackUninstall$\userinit.exe

2008-04-13 22:42 43520 2fffdfcf583233bff4aaed4278c1c54f c:\windows\ServicePackFiles\i386\userinit.exe

2009-02-01 22:12 142848 a9ea298e724164ff86d9c63231722837 c:\windows\system32\userinit.exe

2009-02-01 22:12 142848 a9ea298e724164ff86d9c63231722837 c:\windows\system32\dllcache\userinit.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 32768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-16 8495104]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-16 81920]

"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 425984]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

"Acrobat Assistant 7.0"="c:\program files\Adobe\Distillr\Acrotray.exe" [2005-09-24 503808]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-05-26 136600]

"Media Codec Update Service"="c:\program files\Essentials Codec Pack\update.exe" [2007-04-08 323584]

"F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2008-10-09 182936]

"F-Secure TNB"="c:\program files\F-Secure\FSGUI\TNBUtil.exe" [2008-10-09 1182304]

"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-09-08 277296]

"VX3000"="c:\windows\vVX3000.exe" [2006-07-26 720896]

"nwiz"="nwiz.exe" [2007-11-16 c:\windows\system32\nwiz.exe]

"NVHotkey"="nvHotkey.dll" [2007-11-16 c:\windows\system32\nvhotkey.dll]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-13 32768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2008-05-15 25214]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 141312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"disablecad"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMMyPictures"= 1 (0x1)

"NoStartMenuMyMusic"= 1 (0x1)

"NoSMBalloonTip"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoWelcomeScreen"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"="0x00000000"

"UpdatesDisableNotify"="0x00000000"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2009-01-15 79872]

S0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-01-15 33408]

S0 oqlic;oqlic;c:\windows\system32\drivers\gbsekrpw.sys --> c:\windows\system32\drivers\gbsekrpw.sys [?]

S1 ethorpkk;ethorpkk;c:\windows\system32\drivers\ethorpkk.sys [2009-02-04 137280]

S1 jyk_x;jyk_x;c:\program files\Common Files\System\jyk_x32.dll [2009-02-01 29184]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]

S3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [2009-01-15 84096]

S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [2008-09-03 39048]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\fsfilter.sys [2009-01-15 39776]

S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\fsrec.sys [2009-01-15 25184]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbfd4580-7802-11dd-b21c-001a6b76bf43}]

\Shell\AutoRun\command - E:\LaunchU3.exe -a

.

- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-jsf8uiw3jnjgffght - c:\windows\TEMP\winlognn.exe

.

------- Supplementary Scan -------

.

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

LSP: c:\program files\F-Secure\FSPS\program\FSLSP.DLL

DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-04 10:28:45

Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:

ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(364)

c:\program files\F-Secure\FSPS\program\FSLSP.DLL

c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(420)

c:\program files\F-Secure\FSPS\program\FSLSP.DLL

.

Completion time: 2009-02-04 10:32:18 - machine was rebooted [okoNK]

ComboFix-quarantined-files.txt 2009-02-04 15:32:16

Pre-Run: 39,648,305,152 bytes free

Post-Run: 39,934,730,240 bytes free

229 --- E O F --- 2008-06-16 15:08:16

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:35, on 2009-02-04

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Safe mode with network support

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW

O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"

O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {226ACC34-3194-70E2-5AE7-864FCFE9E80D} (CPlayFirstmsiControl Object) - http://zone.msn.com/bingame/mosi/default/msi.1.0.0.9.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/...B/e-Safekey.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ibt.ku.dk.ad

O17 - HKLM\Software\..\Telephony: DomainName = ibt.ku.dk.ad

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ibt.ku.dk.ad

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ibt.ku.dk.ad

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ibt.ku.dk.ad

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe

O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE

O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe

O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe

O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE

O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 7145 bytes

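The Sigcheck section of the ComboFix log above shows the userinit.exe problem most plainly: the live copy in system32 and the copy in dllcache are both 142,848 bytes with an identical MD5, while the Service Pack reference copy under ServicePackFiles\i386 is 43,520 bytes. The script below is an added example, not code from this thread, ComboFix or Malwarebytes: it parses Sigcheck lines, flags every copy whose size or hash differs from the ServicePackFiles\i386 reference, and reports names where the dllcache copy is replaced as well. It assumes a default C:\WINDOWS install path and skips the $NtServicePackUninstall$ and $hf_mig$ directories, which hold older versions and are expected to differ. The four userinit.exe lines are copied from the log; the clean.dll pair with an all-zero hash is a constructed control entry.

```python
"""Added example: check a ComboFix 'Sigcheck' section for system files that no
longer match the Service Pack reference copy under ServicePackFiles\\i386.

The userinit.exe lines come from the log in the thread; the clean.dll pair is a
constructed control entry with a made-up hash."""
import re
from typing import Dict, List

# One Sigcheck line: "YYYY-MM-DD HH:MM <size> <md5> <path>"
SIGCHECK_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<md5>[0-9a-f]{32}) (?P<path>.+)$"
)

# Assumed default XP install path; pristine Service Pack copies live here.
REFERENCE_DIR = r"c:\windows\servicepackfiles\i386"
SYSTEM32 = "c:\\windows\\system32\\"
DLLCACHE = SYSTEM32 + "dllcache\\"

# Backups of pre-Service-Pack and hotfix versions are expected to differ; skip them.
EXPECTED_OLD_VERSION_DIRS = ("\\$ntservicepackuninstall$\\", "\\$hf_mig$\\")

# Constructed sample: four lines copied from the log above plus a clean control pair.
SAMPLE_SIGCHECK = r"""
2006-02-27 22:00 41984 ec4cacd518b1b3d3a2be51cd364d7eee c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 22:42 43520 2fffdfcf583233bff4aaed4278c1c54f c:\windows\ServicePackFiles\i386\userinit.exe
2009-02-01 22:12 142848 a9ea298e724164ff86d9c63231722837 c:\windows\system32\userinit.exe
2009-02-01 22:12 142848 a9ea298e724164ff86d9c63231722837 c:\windows\system32\dllcache\userinit.exe
2008-04-13 22:42 4096 00000000000000000000000000000000 c:\windows\ServicePackFiles\i386\clean.dll
2008-04-13 22:42 4096 00000000000000000000000000000000 c:\windows\system32\clean.dll
"""


def parse_sigcheck(text: str) -> List[dict]:
    """Turn Sigcheck lines into dicts; headers, blanks and other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            entries.append({
                "date": m.group("date"),
                "size": int(m.group("size")),
                "md5": m.group("md5"),
                "path": m.group("path").lower(),  # NTFS paths are case-insensitive
            })
    return entries


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def compare_to_reference(entries: List[dict],
                         reference_dir: str = REFERENCE_DIR) -> Dict[str, List[str]]:
    """Map each non-reference copy to the reasons it differs from the reference copy."""
    ref_prefix = reference_dir.lower() + "\\"
    reference = {_basename(e["path"]): e for e in entries
                 if e["path"].startswith(ref_prefix)}
    findings: Dict[str, List[str]] = {}
    for e in entries:
        path = e["path"]
        if path.startswith(ref_prefix) or any(d in path for d in EXPECTED_OLD_VERSION_DIRS):
            continue
        ref = reference.get(_basename(path))
        if ref is None:
            continue  # no reference copy in the log; nothing to compare against
        issues = []
        if e["size"] != ref["size"]:
            issues.append(f"size {e['size']} differs from reference {ref['size']}")
        if e["md5"] != ref["md5"]:
            issues.append("md5 differs from reference")
        if issues:
            findings[path] = issues
    return findings


def restore_source_compromised(findings: Dict[str, List[str]]) -> List[str]:
    """Names whose system32 copy AND dllcache copy both differ from the reference.
    Windows File Protection restores from dllcache first, so a replaced cache copy
    means an automatic restore would put the bad file straight back."""
    names = []
    for path in findings:
        if path.startswith(DLLCACHE) and SYSTEM32 + _basename(path) in findings:
            names.append(_basename(path))
    return sorted(names)


if __name__ == "__main__":
    found = compare_to_reference(parse_sigcheck(SAMPLE_SIGCHECK))
    for path, issues in found.items():
        print(path, "->", "; ".join(issues))
    print("dllcache restore source also replaced:", restore_source_compromised(found))
```

Run against the sample, the two userinit.exe copies are reported with both a size and a hash mismatch, the $NtServicePackUninstall$ copy is skipped, clean.dll is silent, and userinit.exe is listed as having its dllcache restore source replaced too, which is why the poster's earlier removals kept coming back.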

Please run this in normal mode if possible:

1. Please open Notepad

  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

c:\windows\system32\drivers\ethorpkk.sys

c:\windows\system32\secupdat.dat

c:\documents and settings\okonk\gma.exe

c:\windows\system32\55B.tmp

c:\windows\system32\AC.tmp

c:\windows\system32\ezsidmv.dat

c:\windows\system32\drivers\gbsekrpw.sys

c:\program files\Common Files\System\jyk_x32.dll

Driver::

oqlic

ethorpkk

jyk_x

DirLook::

c:\documents and settings\TESTKO~3

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.