Jump to content

Spyware Protect 2009 tried to eat my Emachine


Recommended Posts

Thank you for assisting me in ridding my computer of this nasty virus. Spyware Protect 2009 slipped past my updated Trend Micro Antivirus software. Malwarebytes was already installed on my system but I was unable to start it. Thank goodness I never disabled SUPERAntiSpyware from the startup menu because that's the only way I was able to scan. Once SUPERAntiSpyware finished scanning and deleting, my system automatically rebooted but in safe mode only. I then ran Malwarebytes to further remove any leftover virus and Hijackthis afterwards. Their respective logs are posted below.

--------------------------------------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.34

Database version: 1832

Windows 5.1.2600 Service Pack 3

3/10/2009 6:04:06 PM

mbam-log-2009-03-10 (18-04-06).txt

Scan type: Quick Scan

Objects scanned: 104515

Time elapsed: 49 minute(s), 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 1

Registry Data Items Infected: 3

Folders Infected: 1

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:

C:\WINDOWS\system32\lowsec (Spyware.StolenData) -> Delete on reboot.

Files Infected:

C:\WINDOWS\Temp\E.tmp (Spyware.Zbot) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\lowsec\local.ds (Spyware.StolenData) -> Delete on reboot.

C:\WINDOWS\system32\lowsec\user.ds (Spyware.StolenData) -> Delete on reboot.

C:\WINDOWS\system32\lowsec\user.ds.lll (Spyware.StolenData) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.

-------------------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:21:28 PM, on 3/10/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\drivers\KodakCCS.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

C:\WINDOWS\system32\ScsiAccess.EXE

C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Trend Micro\BM\TMBMSRV.exe

C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\DNA\btdna.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

C:\Program Files\Trend Micro\Internet Security\UfNavi.exe

C:\Program Files\Trend Micro\Internet Security\tsc.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s/search?r=minisearch

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\Juno\SearchEnh1.dll

O1 - Hosts: 195.245.119.131 browser-security.microsoft.com

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)

O2 - BHO: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL (file missing)

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Juno\Toolbar.dll

O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL (file missing)

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

O4 - HKLM\..\Run: [bellSouthAlertManager.exe] C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [HelpCenter4.1] C:\Program Files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe /P HelpCenter4.1

O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ufSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [Z0snRfZ9j] ie4scfg.exe

O4 - HKCU\..\Run: [uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab

O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install-ie/alttiff.cab

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/...aller_6-1-2.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1101352009234

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...135/mcfscan.cab

O20 - AppInit_DLLs: tqckba.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE

O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--

End of file - 10129 bytes

Link to post
Share on other sites

  • Staff

Hi,

I notice from your log that there's more than 1 Firewall installed. The one in Trendmicro Internet Security and Zonealarm

Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will decrease the reliability of it seriously!

Also because more than one Antivirus and Firewall installed are not compatible with eachother, it can cause system performance problems and a serious system slowdown.

So you have to make a decision here and keep the Firewall you prefer and uninstall the other one. It makes sense to uninstall Zonealarm, because the Trendmicro firewall is part of a suite

Then reboot after uninstalling.

Then, * Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it. Please visit HERE if you don't know how.

Link to post
Share on other sites

Thanks for the swift assist miekiemoes and here's the ComboFix log!

ComboFix 09-03-10.03 - Owner 2009-03-11 15:58:56.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1527.1104 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated)

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2009-02-11 to 2009-03-11 )))))))))))))))))))))))))))))))

.

2009-03-10 11:00 . 2009-03-10 12:54 16,384 --a------ c:\windows\DCEBoot.exe

2009-03-03 04:15 . 2009-03-03 04:15 <DIR> d-------- c:\windows\system32\log

2009-02-25 03:32 . 2009-01-09 14:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat

2009-02-19 04:55 . 2009-02-19 04:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\MailFrontier

2009-02-19 04:54 . 2004-04-27 05:40 11,264 --a------ c:\windows\system32\SpOrder.dll

2009-02-19 04:54 . 2009-02-22 09:04 4,212 ---h----- c:\windows\system32\zllictbl.dat

2009-02-18 19:45 . 2009-03-11 15:12 <DIR> d-------- c:\windows\Internet Logs

2009-02-16 20:05 . 2009-02-25 08:28 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-02-16 20:05 . 2009-02-16 20:05 <DIR> d-------- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com

2009-02-16 20:05 . 2009-02-16 20:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-02-16 17:16 . 2008-02-15 10:06 138,384 --a------ c:\windows\system32\drivers\tmcomm.sys

2009-02-16 17:16 . 2008-02-15 10:06 52,496 --a------ c:\windows\system32\drivers\tmactmon.sys

2009-02-16 17:16 . 2008-02-15 10:06 52,240 --a------ c:\windows\system32\drivers\tmevtmgr.sys

2009-02-16 17:15 . 2009-02-16 17:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trend Micro

2009-02-16 17:14 . 2009-02-18 12:22 <DIR> d-------- c:\program files\Trend Micro

2009-02-16 14:34 . 2009-02-16 14:34 <DIR> d-------- c:\windows\system32\XPSViewer

2009-02-16 14:34 . 2009-02-16 14:34 <DIR> d-------- c:\program files\Reference Assemblies

2009-02-16 14:34 . 2009-02-16 14:34 <DIR> d-------- c:\program files\MSBuild

2009-02-16 14:33 . 2009-02-16 14:34 <DIR> d-------- C:\b32f6b8ca78ef059c5adb557

2009-02-16 14:33 . 2008-07-06 07:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll

2009-02-16 14:33 . 2008-07-06 07:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll

2009-02-16 14:33 . 2008-07-06 05:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-02-16 14:33 . 2008-07-06 07:06 575,488 --------- c:\windows\system32\xpsshhdr.dll

2009-02-16 14:33 . 2008-07-06 07:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll

2009-02-16 14:33 . 2008-07-06 07:06 117,760 --------- c:\windows\system32\prntvpt.dll

2009-02-16 14:33 . 2008-07-06 07:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-02-12 06:02 . 2009-02-12 06:02 <DIR> d-------- C:\VundoFix Backups

2009-02-12 05:31 . 2009-02-12 05:30 410,984 --a------ c:\windows\system32\deploytk.dll

2009-02-12 05:31 . 2009-02-12 05:30 73,728 --a------ c:\windows\system32\javacpl.cpl

2009-02-11 23:31 . 2009-02-11 23:31 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-02-11 23:31 . 2009-02-11 23:31 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes

2009-02-11 23:31 . 2009-02-11 23:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-02-11 23:31 . 2009-02-11 11:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 23:31 . 2009-02-11 11:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-11 20:59 --------- d-----w c:\documents and settings\Owner\Application Data\DNA

2009-03-11 20:39 --------- d-----w c:\program files\DNA

2009-03-11 20:05 --------- d-----w c:\documents and settings\Owner\Application Data\BitTorrent

2009-03-10 21:57 1,788 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat

2009-03-01 02:25 --------- d-----w c:\documents and settings\Owner\Application Data\DVD Flick

2009-02-27 05:25 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink

2009-02-27 05:01 --------- d-----w c:\program files\AVS4YOU

2009-02-22 01:43 43,684 ----a-w c:\windows\Internet Logs\zlclient_2nd_2009_02_19_07_21_27_small.dmp.zip

2009-02-22 01:43 43,049 ----a-w c:\windows\Internet Logs\zlclient_2nd_2009_02_19_07_18_18_small.dmp.zip

2009-02-17 01:03 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-02-16 22:19 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee

2009-02-16 22:13 --------- d-----w c:\program files\McAfee

2009-02-16 16:26 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-02-12 10:30 --------- d-----w c:\program files\Java

2009-02-12 03:48 --------- d-----w c:\program files\Symantec

2009-02-08 16:23 --------- d-----w c:\documents and settings\Owner\Application Data\U3

2009-02-04 00:19 --------- d-----w c:\program files\ResumeMaker

2009-02-04 00:19 --------- d-----w c:\documents and settings\Owner\Application Data\Individual Software

2009-02-04 00:15 --------- d-----w c:\documents and settings\All Users\Application Data\Individual Software

2009-01-29 23:51 --------- d-----w c:\program files\ATTToolbar

2009-01-23 14:14 --------- d-----w c:\program files\QuickTime

2009-01-23 14:13 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer

2009-01-23 14:12 --------- d-----w c:\program files\Apple Software Update

2009-01-14 22:55 --------- d-----w c:\program files\DVD Flick

2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll

2008-08-30 18:05 47,360 ----a-w c:\documents and settings\Owner\Application Data\pcouffin.sys

2008-09-25 04:42 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092420080925\index.dat

.

((((((((((((((((((((((((((((( SnapShot@2009-03-11_15.29.14.43 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-03-11 20:39:54 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_65c.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Uniblue SpeedUpMyPC"="c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2008-04-02 9442584]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-25 39408]

"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-01-30 342848]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-25 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BellSouthAlertManager.exe"="c:\program files\BellSouth\Alert Manager\BellSouthAlertManager.exe" [2006-01-10 1896448]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-12 136600]

"HelpCenter4.1"="c:\program files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe" [2007-04-12 198184]

"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 1828136]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]

"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-23 413696]

"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSimpleStartMenu"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=tqckba.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]

backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\AbacastDistributedOnDemand\\Node\\11\\AbacastDistributedOnDemand.exe"=

"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Abacast\\Abaclient2.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-02-15 36368]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-02-16 52240]

S3 PciTest;WinMTA PCI Service;c:\windows\system32\drivers\pcitest.sys [2004-10-03 6912]

S3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-02-16 648456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3bedf9ca-857b-11dd-860d-001111559d64}]

\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{697c8490-d4a9-11dd-8650-001111559d64}]

\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5dd17db-1096-11dd-85be-001111559d64}]

\Shell\AutoRun\command - E:\LaunchU3.exe -a

.

Contents of the 'Scheduled Tasks' folder

2009-03-09 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-03-04 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job

- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-04-02 09:50]

2008-04-28 c:\windows\Tasks\Uniblue SpeedUpMyPC.job

- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-04-02 09:50]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.att.net/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = localhost;*.local

uSearchURL,(Default) = hxxp://my.juno.com/s/search?r=minisearch

IE: E&xport to Microsoft Excel - e:\micros~1\OFFICE11\EXCEL.EXE/3000

DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-11 16:00:35

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(624)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

Completion time: 2009-03-11 16:03:18

ComboFix-quarantined-files.txt 2009-03-11 21:02:23

ComboFix2.txt 2009-03-11 20:31:33

Pre-Run: 15,343,374,336 bytes free

Post-Run: 15,329,878,016 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

185 --- E O F --- 2009-02-25 09:02:22

Link to post
Share on other sites

  • Staff

Hi,

I see MalwareBytes already deleted all malware previously. Combofix didn't show any leftovers anymore. Only one entry we need to fix in the registry, so..

Open notepad and copy and paste next present in the quotebox below in it:

(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=""

Save this as fix.reg Choose to save as *all files and place it on your desktop.

It should look like this: reg.gif

Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Then, * Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.

Link to post
Share on other sites

It didn't give me a command field to type ComboFix /u - it only displayed: Information in C:\Documents and Settings\Owner\Desktop\Fix.reg has been successfully entered into the registry. I then clicked OK and that's it. The clock had already reset back to its correct time when the posted ComboFix log generated. My Emachine is running just like it's newly refurbished again! It's running so fast now until it's actually scared me for a minute! :D I guess two firewalls are not better than one afterall! Once again, thank you for your time, energy and effort!

Link to post
Share on other sites

  • Staff

Hi,

It looks like you mixed up two sets of instructions. To get the command line, as I said in my previous post..

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter. :D

Glad I could help. :D

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

Link to post
Share on other sites

  • Root Admin

Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.