
AOL Email Continually Getting Hacked


escapee


Someone is sending emails requesting money to people in my contact list. They have set the contacts' emails in the spam filter, so the responses go to spam. I did not click on any email links, so I'm a little unsure as to how they continue to get the password. Someone mentioned a bot. Also, I ran Malwarebytes and SUPERAntiSpyware, but they only turned up non-critical adware. Any suggestions on my next step?

I ran DDS and below are the DDS.txt and Attach.txt files.

Thanks so much,

The Escapee

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 7.0.6000.17114

Run by David at 11:48:41 on 2012-11-28

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.112 [GMT -5:00]

.

.

============== Running Processes ================

.

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\GFI Software\GFIAgent\SBAMSvc.exe

C:\Program Files\GFI Software\GFIAgent\SBPIMSvc.exe

C:\Program Files\Kyocera\FileUtility\SFUSVC.exe

C:\Program Files\Kyocera\FileUtility\nsCatCom.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\AOL\1306250982\ee\AOLSoftware.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Program Files\GFI Software\GFIAgent\SBAMTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AOL Desktop 9.6\waol.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Kyocera\FileUtility\NsCatCom.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\AOL Desktop 9.6\shellmon.exe

C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe

C:\Program Files\AOL Desktop 9.6\AOLBrowser\aolbrowser.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\svchost.exe -k imgsvc

.

============== Pseudo HJT Report ===============

.

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [AOL Fast Start] "c:\program files\aol desktop 9.6\AOL.EXE" -b

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [HostManager] c:\program files\common files\aol\1306250982\ee\AOLSoftware.exe

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [synchronization Manager] c:\windows\system32\mobsync.exe /logon

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [sBAMTray] "c:\program files\gfi software\gfiagent\SBAMTray.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\scanne~1.lnk - c:\program files\kyocera\fileutility\NsCatCom.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Explorer: NoDriveTypeAutoRun = dword:145

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1302017581687

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: NameServer = 192.168.1.3 4.2.2.2

TCP: Interfaces\{56486247-69C8-465F-BE6F-77B17FC4AD21} : DHCPNameServer = 192.168.1.3 4.2.2.2

Notify: LMIinit - LMIinit.dll

SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath -

.

============= SERVICES / DRIVERS ===============

.

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]

R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2012-11-19 21496]

R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2012-11-19 332248]

R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2011-8-30 101624]

R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [2012-11-19 212568]

R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-11 116608]

R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2012-10-19 374704]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2012-8-24 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2012-11-19 47640]

R2 SBAMSvc;VIPRE Business Premium;c:\program files\gfi software\gfiagent\SBAMSvc.exe [2011-10-12 2804312]

R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2012-11-19 74104]

R2 SBPIMSvc;SB Recovery Service;c:\program files\gfi software\gfiagent\SBPIMSvc.exe [2011-10-12 181616]

R3 SBFWIMCLMP;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2012-11-19 69208]

S0 cerc6;cerc6; [x]

S3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Service;c:\windows\system32\drivers\SbFwIm.sys [2012-11-19 69208]

S3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [2012-11-19 94040]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

.

=============== Created Last 30 ================

.

2012-11-27 19:22:53 -------- d-----w- c:\documents and settings\david\application data\SUPERAntiSpyware.com

2012-11-27 19:22:52 -------- d-----w- c:\documents and settings\david\local settings\application data\Google

2012-11-27 19:21:08 -------- d-----w- c:\program files\SUPERAntiSpyware

2012-11-27 19:21:08 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com

2012-11-27 19:19:48 22230840 ----a-w- C:\SUPERAntiSpyware.exe

2012-11-27 19:14:59 -------- d-----w- c:\documents and settings\david\application data\Malwarebytes

2012-11-27 19:14:43 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2012-11-27 19:14:40 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-11-27 19:14:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-11-21 08:09:07 -------- d-----w- c:\program files\MSXML 4.0

2012-11-21 03:03:25 214256 ----a-w- c:\windows\system32\muweb.dll

2012-11-21 03:03:25 17136 ----a-w- c:\windows\system32\mucltui.dll.mui

2012-11-21 03:03:24 275696 ----a-w- c:\windows\system32\mucltui.dll

2012-11-21 03:02:10 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll

2012-11-21 03:02:10 3072 ------w- c:\windows\system32\iacenc.dll

2012-11-21 02:34:57 -------- d-----w- c:\documents and settings\all users\Microsoft

2012-11-21 02:07:43 -------- d-----w- C:\outlook201032bit

2012-11-20 16:42:54 -------- d-----w- c:\documents and settings\david\local settings\application data\Temp

2012-11-20 16:42:54 -------- d-----w- c:\documents and settings\david\local settings\application data\Adobe

2012-11-19 20:34:32 74104 ----a-w- c:\windows\system32\drivers\sbapifs.sys

2012-11-19 20:34:22 21496 ----a-w- c:\windows\system32\drivers\sbaphd.sys

2012-11-19 20:21:06 -------- d-----w- c:\documents and settings\david\application data\GFI Software

2012-11-19 20:20:40 94040 ----a-w- c:\windows\system32\drivers\sbhips.sys

2012-11-19 20:20:40 212568 ----a-w- c:\windows\system32\drivers\sbtis.sys

2012-11-19 20:20:31 69208 ----a-w- c:\windows\system32\drivers\SbFwIm.sys

2012-11-19 20:20:31 332248 ----a-w- c:\windows\system32\drivers\SbFw.sys

2012-11-19 20:18:34 -------- d-----w- c:\documents and settings\all users\application data\GFI Software

2012-11-19 20:18:31 -------- d-----w- c:\program files\GFI Software

2012-11-19 20:16:17 -------- d-----w- c:\documents and settings\david\local settings\application data\LogMeIn

2012-11-19 20:16:14 83912 ----a-w- c:\windows\system32\LMIRfsClientNP.dll

2012-11-19 20:16:14 52648 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll

2012-11-19 20:16:14 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys

2012-11-19 20:16:14 31144 ----a-w- c:\windows\system32\LMIport.dll

2012-11-19 20:16:08 92072 ----a-w- c:\windows\system32\LMIinit.dll

2012-11-19 20:16:02 -------- d-----w- c:\documents and settings\all users\application data\LogMeIn

2012-11-19 20:15:45 -------- d-----w- c:\program files\LogMeIn

2012-11-19 19:50:34 -------- d-----w- c:\documents and settings\david\local settings\application data\Microsoft Help

2012-11-19 19:33:45 -------- d-----w- c:\documents and settings\david\application data\AOL

2012-11-19 19:09:10 -------- d-----w- c:\documents and settings\david\local settings\application data\AOL

2012-11-05 17:17:25 -------- d-----w- C:\scans

.

==================== Find3M ====================

.

2012-10-22 08:37:31 1866368 ----a-w- c:\windows\system32\win32k.sys

2012-10-02 18:04:21 58368 ----a-w- c:\windows\system32\synceng.dll

.

============= FINISH: 11:50:06.16 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 4/4/2011 4:09:54 PM

System Uptime: 11/28/2012 8:04:35 AM (3 hours ago)

.

Motherboard: Dell Computer Corp. | | 0J0592

Processor: Intel® Pentium® 4 CPU 2.53GHz | Microprocessor | 2525/533mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 37 GiB total, 22.039 GiB free.

D: is CDROM ()

E: is CDROM ()

M: is NetworkDisk (NTFS) - 422 GiB total, 419.01 GiB free.

U: is NetworkDisk (NTFS) - 422 GiB total, 419.01 GiB free.

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP557: 10/29/2012 5:13:15 AM - System Checkpoint

RP558: 10/30/2012 5:18:02 AM - System Checkpoint

RP559: 10/31/2012 6:18:01 AM - System Checkpoint

RP560: 11/1/2012 7:18:01 AM - System Checkpoint

RP561: 11/2/2012 8:44:33 AM - System Checkpoint

RP562: 11/3/2012 9:26:15 AM - System Checkpoint

RP563: 11/4/2012 8:48:05 AM - System Checkpoint

RP564: 11/5/2012 10:04:27 AM - System Checkpoint

RP565: 11/5/2012 12:16:38 PM - Installed Kyocera Scanner File Utility

RP566: 11/6/2012 12:18:59 PM - System Checkpoint

RP567: 11/7/2012 12:25:59 PM - System Checkpoint

RP568: 11/8/2012 1:12:16 PM - System Checkpoint

RP569: 11/9/2012 1:51:10 PM - System Checkpoint

RP570: 11/10/2012 2:05:04 PM - System Checkpoint

RP571: 11/11/2012 3:05:04 PM - System Checkpoint

RP572: 11/12/2012 4:31:04 PM - System Checkpoint

RP573: 11/13/2012 5:05:05 PM - System Checkpoint

RP574: 11/14/2012 6:05:05 PM - System Checkpoint

RP575: 11/15/2012 7:05:05 PM - System Checkpoint

RP576: 11/16/2012 7:08:35 PM - System Checkpoint

RP577: 11/17/2012 8:08:35 PM - System Checkpoint

RP578: 11/18/2012 9:08:34 PM - System Checkpoint

RP579: 11/19/2012 2:47:45 PM - Installed Microsoft Outlook 2010

RP580: 11/19/2012 2:51:12 PM - avast! Internet Security Setup

RP581: 11/19/2012 3:15:40 PM - Installed LogMeIn

RP582: 11/20/2012 3:54:36 PM - System Checkpoint

RP583: 11/20/2012 9:28:03 PM - Installed Microsoft Outlook 2010

RP584: 11/21/2012 3:00:36 AM - Software Distribution Service 3.0

RP585: 11/22/2012 3:00:55 AM - Software Distribution Service 3.0

RP586: 11/23/2012 3:04:43 AM - System Checkpoint

RP587: 11/24/2012 3:09:17 AM - System Checkpoint

RP588: 11/25/2012 3:10:02 AM - System Checkpoint

RP589: 11/26/2012 4:09:04 AM - System Checkpoint

RP590: 11/27/2012 4:09:20 AM - System Checkpoint

RP591: 11/28/2012 5:10:08 AM - System Checkpoint

.

==== Installed Programs ======================

.

32 Bit HP CIO Components Installer

Adobe Flash Player 10 ActiveX

Adobe Reader X (10.1.4)

AOL Uninstaller (Choose which Products to Remove)

Conexant SmartHSFi V.9x 56K Speakerphone PCI Modem

Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition

GFI Business Agent

Google Chrome

Google Update Helper

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB2756822)

Hotfix for Windows XP (KB952287)

Intel® PRO Ethernet Adapter and Software

Kyocera Product Library

Kyocera Scanner File Utility

LogMeIn

Malwarebytes Anti-Malware version 1.65.1.1000

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office 2010 Service Pack 1 (SP1)

Microsoft Office Outlook 2010

Microsoft Office Outlook MUI (English) 2010

Microsoft Office Professional Edition 2003

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2010

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Outlook 2010

Microsoft Software Update for Web Folders (English) 14

Microsoft VC9 runtime libraries

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Mozilla Firefox (3.6.17)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Security Update for Microsoft Office 2010 (KB2553091)

Security Update for Microsoft Office 2010 (KB2553260) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2589322) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2589337) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2597986) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition

Security Update for Microsoft Windows (KB2564958)

Security Update for Microsoft Word 2010 (KB2553488) 32-Bit Edition

Security Update for Windows Internet Explorer 7 (KB2482017)

Security Update for Windows Internet Explorer 7 (KB2544521)

Security Update for Windows Internet Explorer 7 (KB2744842)

Security Update for Windows Internet Explorer 7 (KB938127-v2)

Security Update for Windows Internet Explorer 7 (KB982381)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479628)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2482017)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485376)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2507938)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2510581)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276-v2)

Security Update for Windows XP (KB2544893-v2)

Security Update for Windows XP (KB2566454)

Security Update for Windows XP (KB2570947)

Security Update for Windows XP (KB2584146)

Security Update for Windows XP (KB2585542)

Security Update for Windows XP (KB2592799)

Security Update for Windows XP (KB2598479)

Security Update for Windows XP (KB2603381)

Security Update for Windows XP (KB2618451)

Security Update for Windows XP (KB2619339)

Security Update for Windows XP (KB2620712)

Security Update for Windows XP (KB2624667)

Security Update for Windows XP (KB2631813)

Security Update for Windows XP (KB2646524)

Security Update for Windows XP (KB2653956)

Security Update for Windows XP (KB2655992)

Security Update for Windows XP (KB2659262)

Security Update for Windows XP (KB2661637)

Security Update for Windows XP (KB2676562)

Security Update for Windows XP (KB2686509)

Security Update for Windows XP (KB2691442)

Security Update for Windows XP (KB2698365)

Security Update for Windows XP (KB2705219-v2)

Security Update for Windows XP (KB2712808)

Security Update for Windows XP (KB2719985)

Security Update for Windows XP (KB2723135-v2)

Security Update for Windows XP (KB2724197)

Security Update for Windows XP (KB2727528)

Security Update for Windows XP (KB2761226)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981349)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

SoundMAX

SUPERAntiSpyware

Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition

Update for Microsoft Office 2010 (KB2566458)

Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition

Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition

Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition

Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB2661254-v2)

Update for Windows XP (KB2736233)

Update for Windows XP (KB2749655)

Update for Windows XP (KB898461)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Viewpoint Media Player

WebFldrs XP

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 7

.

==== End Of File ===========================

Welcome! I am TheDarkKnight and will be assisting you. Please ask questions if anything is unclear. :)

Please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix (CF).

Please go here to see a list of programs that need to be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.**

**Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**

Please include the C:\ComboFix.txt in your next reply for further review.

=====

Also, please download Malwarebytes Anti-Rootkit here.

  • Unzip the contents to a folder on the Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe (right-click and select Run as administrator for Vista and Windows 7).
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Please post the two logs produced.

Please note: This tool is still in BETA mode, so please ensure you have backed up any important files.

=====

In your reply please provide the contents of the following logs:

  • ComboFix.txt.
  • Both MBAR logs.

How is your computer running?

Hello escapee,

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com).

  • There are 3 different versions. If one of them won't run then download and try to run the other one.
  • Vista and Win7 users need to right click and choose Run as Admin.
  • You only need to get one of them to run, not all of them.

rkill.exe

rkill.com

rkill.scr

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested on another computer and then transfer them to the Desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

Before proceeding any further, the processes that belong to Windows Recovery need to be terminated so that they do not interfere with the cleaning procedure.

Double-click on the RKill.exe icon in order to automatically attempt to stop any processes associated with Windows Recovery and other Rogue programs.

===

Please do not reboot your computer.

Then try running ComboFix. If you still get a Blue Screen, please try booting into Safe Mode (restart and tap F8 repeatedly to bring up the Boot Screen Menu). Run Rkill, then run ComboFix.

Thanks!

I ran Rkill and ComboFix both successfully with no BSOD. During the last stages of ComboFix, SuperAntiSpyware popped up and reported that it found Trojan.CDSC63R.Process (CDSCSIX3.DLL). After finishing ComboFix, I ran mbar, which found nothing. Below are the logs from Rkill and ComboFix. I ran SuperAntiSpyware to remove the above Trojan, but SuperAntiSpyware appeared to lock up. I tried to close it from the Task Manager, but it says that it is locked by the system... very strange! The machine wouldn't let me open the log files, so I've attached them. Sorry, if that's a problem.

-Escapee

Rkill.txt

ComboFixLog.txt

mbar-log-2012-11-29 (13-07-27).txt

Here's all of the logs:

Rkill 2.4.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 11/29/2012 12:19:29 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:
* No malware services found to stop.

Checking for processes to terminate:
* No malware processes found to kill.

Checking Registry for malware related settings:
* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:
* No issues found.

Checking Windows Service Integrity:
* Security Center (wscsvc) is not Running.
Startup Type set to: Automatic
* RpcSs => %SystemRoot%\system32\svchost.exe -k rpcss [incorrect ImagePath]

Searching for Missing Digital Signatures:
* No issues found.

Checking HOSTS File:
* HOSTS file entries found:
127.0.0.1 localhost

Program finished at: 11/29/2012 12:20:18 PM
Execution time: 0 hours(s), 0 minute(s), and 49 seconds(s)

ComboFix 12-11-29.02 - David 11/29/2012 12:33:49.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.379 [GMT -5:00]

Running from: c:\documents and settings\David\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-10-28 to 2012-11-29 )))))))))))))))))))))))))))))))

.

.

2012-11-27 19:22 . 2012-11-27 19:32 -------- d-----w- c:\program files\Google

2012-11-27 19:21 . 2012-11-27 19:22 -------- d-----w- c:\program files\SUPERAntiSpyware

2012-11-27 19:21 . 2012-11-27 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2012-11-27 19:19 . 2012-11-27 19:20 22230840 ----a-w- C:\SUPERAntiSpyware.exe

2012-11-27 19:14 . 2012-11-27 19:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-11-27 19:14 . 2012-11-27 19:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-11-27 19:14 . 2012-09-30 00:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-11-21 08:09 . 2012-11-21 08:09 -------- d-----w- c:\program files\MSXML 4.0

2012-11-21 03:03 . 2012-06-02 20:18 214256 ----a-w- c:\windows\system32\muweb.dll

2012-11-21 03:03 . 2012-06-02 20:18 275696 ----a-w- c:\windows\system32\mucltui.dll

2012-11-21 03:02 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll

2012-11-21 03:02 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll

2012-11-21 02:34 . 2012-11-21 02:34 -------- d-----w- c:\documents and settings\All Users\Microsoft

2012-11-21 02:07 . 2012-11-21 02:07 -------- d-----w- C:\outlook201032bit

2012-11-19 20:34 . 2011-08-30 11:56 74104 ----a-w- c:\windows\system32\drivers\sbapifs.sys

2012-11-19 20:34 . 2011-08-30 11:56 21496 ----a-w- c:\windows\system32\drivers\sbaphd.sys

2012-11-19 20:20 . 2011-09-09 19:46 94040 ----a-w- c:\windows\system32\drivers\sbhips.sys

2012-11-19 20:20 . 2011-09-09 19:46 212568 ----a-w- c:\windows\system32\drivers\sbtis.sys

2012-11-19 20:20 . 2011-09-09 19:46 69208 ----a-w- c:\windows\system32\drivers\SbFwIm.sys

2012-11-19 20:20 . 2011-09-09 19:46 332248 ----a-w- c:\windows\system32\drivers\SbFw.sys

2012-11-19 20:18 . 2012-11-19 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\GFI Software

2012-11-19 20:18 . 2012-11-19 20:21 -------- d-----w- c:\program files\GFI Software

2012-11-19 20:16 . 2012-10-19 23:10 83912 ----a-w- c:\windows\system32\LMIRfsClientNP.dll

2012-11-19 20:16 . 2012-10-19 23:08 52648 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll

2012-11-19 20:16 . 2012-10-19 23:08 31144 ----a-w- c:\windows\system32\LMIport.dll

2012-11-19 20:16 . 2012-08-24 19:41 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys

2012-11-19 20:16 . 2012-10-19 23:08 92072 ----a-w- c:\windows\system32\LMIinit.dll

2012-11-19 20:16 . 2012-11-29 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\LogMeIn

2012-11-19 20:15 . 2012-11-19 20:15 -------- d-----w- c:\program files\LogMeIn

2012-11-19 19:50 . 2012-11-22 08:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2012-11-19 19:08 . 2012-11-19 20:11 -------- d-----w- c:\documents and settings\David

2012-11-19 19:08 . 2012-11-19 19:08 -------- d-----w- c:\windows\SchCache

2012-11-19 19:04 . 2012-11-19 19:04 -------- d-----w- c:\documents and settings\halo

2012-11-05 17:17 . 2012-11-05 17:20 -------- d-----w- C:\scans

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-11-19 19:32 . 2012-11-19 19:32 277377363 ----a-w- C:\outlook201032bit.zip

2012-10-22 08:37 . 2008-04-14 07:00 1866368 ----a-w- c:\windows\system32\win32k.sys

2012-10-02 18:04 . 2008-04-14 07:00 58368 ----a-w- c:\windows\system32\synceng.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AOL Fast Start"="c:\program files\AOL Desktop 9.6\AOL.EXE" [2011-04-25 42320]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-01 4763008]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HostManager"="c:\program files\Common Files\AOL\1306250982\ee\AOLSoftware.exe" [2010-03-08 41800]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]

"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2012-10-10 63048]

"SBAMTray"="c:\program files\GFI Software\GFIAgent\SBAMTray.exe" [2011-10-12 1627504]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Scanner File Utility.lnk - c:\program files\Kyocera\FileUtility\NsCatCom.exe [2012-11-5 401408]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2012-10-19 23:08 92072 ----a-w- c:\windows\system32\LMIinit.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\acs\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\acs\\AOLacsd.exe"=

"c:\\Program Files\\Common Files\\AOL\\1306250982\\ee\\aolsoftware.exe"=

"c:\\Program Files\\AOL Desktop 9.6\\waol.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"c:\\Program Files\\AOL Desktop 9.6\\AOLBrowser\\aolbrowser.exe"=

"c:\\Documents and Settings\\Owner\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"c:\\Program Files\\GFI Software\\GFIAgent\\SBAMSvc.exe"=

.

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]

R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [11/19/2012 3:34 PM 21496]

R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [11/19/2012 3:20 PM 332248]

R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [8/30/2011 6:56 AM 101624]

R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [11/19/2012 3:20 PM 212568]

R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [7/11/2012 1:54 PM 116608]

R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [10/19/2012 6:08 PM 374704]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/24/2012 2:41 PM 12856]

R2 SBAMSvc;VIPRE Business Premium;c:\program files\GFI Software\GFIAgent\SBAMSvc.exe [10/12/2011 12:28 PM 2804312]

R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [11/19/2012 3:34 PM 74104]

R2 SBPIMSvc;SB Recovery Service;c:\program files\GFI Software\GFIAgent\SBPIMSvc.exe [10/12/2011 12:28 PM 181616]

R3 SBFWIMCLMP;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [11/19/2012 3:20 PM 69208]

S0 cerc6;cerc6; [x]

S3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Service;c:\windows\system32\drivers\SbFwIm.sys [11/19/2012 3:20 PM 69208]

S3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [11/19/2012 3:20 PM 94040]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

.

2012-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-27 19:22]

.

2012-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-27 19:22]

.

2012-11-29 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 63182dbc-2d03-46b1-8f97-35b6ff25a15e.job

- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]

.

2012-11-29 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task a6bdf703-6216-430c-913e-397b08be18a4.job

- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]

.

.

------- Supplementary Scan -------

.

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.3 4.2.2.2

FF - ProfilePath - c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\isihlrpk.default\

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

.

- - - - ORPHANS REMOVED - - - -

.

ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-11-29 12:45

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(960)

c:\windows\system32\LMIinit.dll

c:\windows\system32\l3codeca.acm

c:\windows\system32\LMIRfsClientNP.dll

.

Completion time: 2012-11-29 12:49:26

ComboFix-quarantined-files.txt 2012-11-29 17:49

.

Pre-Run: 23,531,270,144 bytes free

Post-Run: 23,557,361,664 bytes free

.

- - End Of File - - 119358160E389980724FC4F980A903AF

Malwarebytes Anti-Rootkit 1.1.0.1009

www.malwarebytes.org

Database version: v2012.11.29.09

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 7.0.5730.13

David :: OWNER-19BCA7116 [administrator]

11/29/2012 1:07:27 PM

mbar-log-2012-11-29 (13-07-27).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken

Scan options disabled: PUP | PUM | P2P

Objects scanned: 24863

Time elapsed: 10 minute(s), 49 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1009

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 7.0.5730.13

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED

CPU speed: 2.525000 GHz

Memory total: 804261888, free: 318930944

------------ Kernel report ------------

11/29/2012 12:55:35

------------ Loaded modules -----------

\WINDOWS\system32\ntoskrnl.exe

\WINDOWS\system32\hal.dll

\WINDOWS\system32\KDCOM.DLL

\WINDOWS\system32\BOOTVID.dll

ACPI.sys

\WINDOWS\system32\DRIVERS\WMILIB.SYS

pci.sys

isapnp.sys

PCIIde.sys

\WINDOWS\System32\Drivers\PCIIDEX.SYS

intelide.sys

MountMgr.sys

ftdisk.sys

dmload.sys

dmio.sys

PartMgr.sys

VolSnap.sys

atapi.sys

disk.sys

\WINDOWS\system32\DRIVERS\CLASSPNP.SYS

fltMgr.sys

sr.sys

KSecDD.sys

Ntfs.sys

NDIS.sys

Mup.sys

agp440.sys

\SystemRoot\system32\DRIVERS\intelppm.sys

\SystemRoot\system32\DRIVERS\ati2mtaa.sys

\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS

\SystemRoot\system32\DRIVERS\usbuhci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\DRIVERS\HSFHWBS2.sys

\SystemRoot\system32\DRIVERS\ks.sys

\SystemRoot\system32\DRIVERS\HSF_DP.sys

\SystemRoot\system32\DRIVERS\HSF_CNXT.sys

\SystemRoot\System32\Drivers\Modem.SYS

\SystemRoot\system32\DRIVERS\e100b325.sys

\SystemRoot\system32\DRIVERS\fdc.sys

\SystemRoot\system32\DRIVERS\i8042prt.sys

\SystemRoot\system32\DRIVERS\kbdclass.sys

\SystemRoot\system32\DRIVERS\mouclass.sys

\SystemRoot\system32\DRIVERS\serial.sys

\SystemRoot\system32\DRIVERS\serenum.sys

\SystemRoot\system32\DRIVERS\parport.sys

\SystemRoot\system32\DRIVERS\cdrom.sys

\SystemRoot\system32\DRIVERS\redbook.sys

\SystemRoot\system32\DRIVERS\imapi.sys

\SystemRoot\system32\drivers\smwdm.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\system32\drivers\aeaudio.sys

\SystemRoot\system32\DRIVERS\lmimirr.sys

\SystemRoot\system32\DRIVERS\audstub.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\system32\DRIVERS\psched.sys

\SystemRoot\system32\DRIVERS\msgpc.sys

\SystemRoot\system32\DRIVERS\ptilink.sys

\SystemRoot\system32\DRIVERS\raspti.sys

\SystemRoot\system32\DRIVERS\wanatw4.sys

\SystemRoot\system32\DRIVERS\rdpdr.sys

\SystemRoot\system32\DRIVERS\termdd.sys

\SystemRoot\system32\DRIVERS\SBFWIM.sys

\SystemRoot\system32\DRIVERS\swenum.sys

\SystemRoot\system32\DRIVERS\update.sys

\SystemRoot\system32\DRIVERS\mssmbios.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\drivers\MODEMCSA.sys

\SystemRoot\System32\Drivers\Fs_Rec.SYS

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\??\C:\WINDOWS\system32\drivers\SBREdrv.sys

\SystemRoot\system32\DRIVERS\HIDPARSE.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\Drivers\mnmdd.SYS

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\rasacd.sys

\SystemRoot\system32\DRIVERS\ipsec.sys

\SystemRoot\system32\DRIVERS\tcpip.sys

\SystemRoot\system32\drivers\SbFw.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\system32\drivers\sbtis.sys

\SystemRoot\system32\DRIVERS\netbt.sys

\SystemRoot\System32\drivers\ws2ifsl.sys

\SystemRoot\System32\drivers\afd.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\drivers\sbaphd.sys

\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS

\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\System32\Drivers\Fips.SYS

\SystemRoot\system32\DRIVERS\usbprint.sys

\SystemRoot\System32\Drivers\Cdfs.SYS

\SystemRoot\System32\Drivers\dump_atapi.sys

\SystemRoot\System32\Drivers\dump_WMILIB.SYS

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\System32\watchdog.sys

\SystemRoot\System32\drivers\dxg.sys

\SystemRoot\System32\drivers\dxgthk.sys

\SystemRoot\System32\ati2dvaa.dll

\SystemRoot\system32\drivers\sbapifs.sys

\SystemRoot\system32\DRIVERS\ndisuio.sys

\SystemRoot\system32\DRIVERS\mrxdav.sys

\SystemRoot\System32\Drivers\ParVdm.SYS

\??\C:\Program Files\LogMeIn\x86\RaInfo.sys

\SystemRoot\system32\DRIVERS\srv.sys

\??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys

\SystemRoot\system32\DRIVERS\mdmxsdk.sys

\SystemRoot\system32\drivers\wdmaud.sys

\SystemRoot\system32\drivers\sysaudio.sys

\SystemRoot\System32\Drivers\HTTP.sys

\SystemRoot\System32\ATMFD.DLL

\??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS

\??\C:\DOCUME~1\David\LOCALS~1\Temp\catchme.sys

\SystemRoot\system32\drivers\kmixer.sys

\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys

\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys

\WINDOWS\system32\ntdll.dll

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xffffffff82fceab8

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\

Lower Device Object: 0xffffffff82f64b00

Lower Device Driver Name: \Driver\atapi\

Driver name found: atapi

DriverEntry returned 0x0

Function returned 0x0

Downloaded database version: v2012.11.29.09

Downloaded database version: v2012.11.28.01

Initializing...

Done!

Scanning directory: C:\WINDOWS\system32\drivers...

<<<2>>>

Device number: 0, partition: 1

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xffffffff82fceab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff82faa900, DeviceName: Unknown, DriverName: \Driver\PartMgr\

DevicePointer: 0xffffffff82fceab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff82f64b00, DeviceName: \Device\Ide\IdeDeviceP0T0L0-3\, DriverName: \Driver\atapi\

------------ End ----------

Upper DeviceData: 0xffffffffe17abaf0, 0xffffffff82fceab8, 0xffffffff81cb92b0

Lower DeviceData: 0xffffffffe3127088, 0xffffffff82f64b00, 0xffffffff82f000b8

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Done!

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: DD25DD25

Partition information:

Partition 0 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 63 Numsec = 78140097

Partition file system is NTFS

Partition is bootable

Partition 1 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 40019582464 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-78143247-78163247)...

Done!

Performing system, memory and registry scan...

Done!

Scan finished

=======================================

Hey escapee,

Your logs came back fine. Are you able to post a log from SAS, or at least the file path for that threat it identified?

=====

Please download OTL.exe by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe.
  • In the "Custom Scans/Fixes" window (under the light green bar) paste the following in bold:

    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Click Run Scan and let the program run uninterrupted.
  • When the scan completes, it will open two Notepad windows. OTL.txt and Extras.txt. These are saved in the same location as OTL. Post both logs in this thread.
  • You may need to use two posts to get it all.

=====

In your reply please provide the contents of both OTL logs and the information from SUPERAntiSpyware.

2 weeks later...

Dark Knight,

I believe the Trojan.CDSC63R.Process (CDSCSIX3.DLL) found by SAS was in system32. When I ran SAS it never located the file. It showed up both times when I was running Combofix though. Is there any chance Combofix uses this DLL?

I ran OTL and it produced the two files, but they contain possibly some confidential files. Is it wise to post this to the forum?

3 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
