
Computer Crime and Intellectual Property Section Malware


I see from other posts from people who have this malware that you tell them to post the results of the Farbar Recovery Scan Tool, so that's what I've done. If I should be doing something else instead, let me know. Here are my results from running Farbar:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 14-05-2013

Ran by Administrator (administrator) on 14-05-2013 13:28:32

Running from G:\

Microsoft Windows XP Service Pack 3 (X86) OS Language: English(US)

Internet Explorer Version 8

Boot Mode: Safe Mode (minimal)

==================== Processes (Whitelisted) ===================

(Microsoft Corporation) C:\Windows\system32\cmd.exe

(Farbar) G:\FRST.exe

==================== Registry (Whitelisted) ==================

HKLM Group Policy restriction on software: %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* <====== ATTENTION

HKLM\...\Winlogon: [shell] [x ] ()

Winlogon\Notify\PCANotify: PCANotify.dll (Symantec Corporation)

Winlogon\Notify\WgaLogon: WgaLogon.dll (Microsoft Corporation)

HKCU\...\Winlogon: [userinit] C:\Windows\system32\userinit.exe [26112 2008-04-13] (Microsoft Corporation)

HKU\administrator.kimkitchen\...\Winlogon: [userinit] C:\Windows\system32\userinit.exe [26112 2008-04-13] (Microsoft Corporation)

HKU\administrator.kimkitchen\...\Winlogon: [shell] cmd.exe [26112 2008-04-13] (Microsoft Corporation) <==== ATTENTION

HKU\LocalService\...\Run: [{D30BC831-6C7F-4BDE-A84C-0A087669676F}] rundll32 "C:\Documents and Settings\stephanie\Local Settings\Application Data\Sun\{D30BC831-6C7F-4BDE-A84C-0A087669676F}\sabhw.dll",CloseSQLPerformanceData1 [x]

HKU\stephanie\...\Winlogon: [userinit] C:\Windows\system32\userinit.exe [26112 2008-04-13] (Microsoft Corporation)

HKU\stephanie\...\Winlogon: [shell] cmd.exe [26112 2008-04-13] (Microsoft Corporation) <==== ATTENTION

Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk

ShortcutTarget: Acrobat Assistant.lnk -> C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe (Adobe Systems Inc.)

Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dentrix Quick Launch.lnk

ShortcutTarget: Dentrix Quick Launch.lnk -> C:\Program Files\Dentrix\DtxQuickLaunch.exe (Henry Schein, Inc.)

Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eSync 3.6.lnk

ShortcutTarget: eSync 3.6.lnk -> C:\Program Files\Henry Schein, Inc\eSync\Application Launcher\HSPS.eServices.DigitalHighway.Launcher.exe ()

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080618

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080618

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb

HKLM SearchScopes: DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

SearchScopes: HKCU - DefaultScope value is missing.

BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited)

BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)

BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()

BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)

Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()

PDF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1361307107123

PDF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

PDF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

PDF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

PDF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)

Handler: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - No File

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt

Tcpip\..\Interfaces\{D8F31937-059F-4309-B008-A999A7FED445}: [NameServer]10.0.0.1

========================== Services (Whitelisted) =================

S2 ASFIPmon; C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [79168 2007-06-20] (Broadcom Corporation)

S2 awhost32; C:\Program Files\Symantec\pcAnywhere\awhost32.exe [106496 2003-05-29] (Symantec Corporation)

S2 Digital Highway Server; C:\Program Files\Henry Schein, Inc\HSPS.eServices.DigitalHighway.Services.exe [35840 2012-07-19] ()

S2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf" [x]

==================== Drivers (Whitelisted) ====================

S1 awlegacy; C:\Windows\System32\Drivers\awlegacy.sys [10901 2003-04-21] (Symantec Corporation)

R1 AW_HOST; C:\Windows\System32\drivers\aw_host5.sys [24365 2003-05-05] (Symantec Corporation)

S3 b57w2k; C:\Windows\System32\DRIVERS\b57xp32.sys [161792 2007-07-25] (Broadcom Corporation)

S2 BASFND; C:\Program Files\Broadcom\ASFIPMon\BASFND.sys [10480 2007-06-20] (Broadcom Corporation)

R0 Gernuwa; C:\Windows\System32\Drivers\Gernuwa.sys [13898 2003-04-21] (Symantec Corporation)

R3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-13] (Windows ® Server 2003 DDK provider)

S3 SenFiltService; C:\Windows\System32\drivers\Senfilt.sys [392960 2007-09-24] (Sensaura)

S3 SymEvent; C:\Program Files\Symantec\SYMEVENT.SYS [73496 2008-06-25] (Symantec Corporation)

U3 .netbt; \? [x]

S4 Abiosdsk; No ImagePath

S4 Atdisk; No ImagePath

S1 Changer; No ImagePath

S1 lbrtfdc; No ImagePath

S1 PCIDump; No ImagePath

S3 PDCOMP; No ImagePath

S3 PDFRAME; No ImagePath

S3 PDRELI; No ImagePath

S3 PDRFRAME; No ImagePath

S4 Simbad; No ImagePath

S0 SMR250; System32\drivers\SMR250.SYS [x]

S3 WDICA; No ImagePath

U1 WS2IFSL;

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-05-14 13:28 - 2013-05-14 13:28 - 00000000 ____D C:\FRST

2013-05-14 04:23 - 2013-05-14 04:47 - 00000000 ____D C:\Windows\Microsoft Antimalware

2013-05-14 02:40 - 2013-05-14 03:12 - 29016792 ____A C:\asdsetup.exe

2013-05-14 02:30 - 2013-05-14 02:30 - 38010880 ____A C:\Windows\System32\config\SOFTWARE.bhv

2013-05-14 02:30 - 2013-05-14 02:30 - 05505024 ____A C:\Windows\System32\config\SYSTEM.bhv

2013-05-14 02:30 - 2013-05-14 02:30 - 05242880 ____A C:\Windows\System32\config\DEFAULT.bhv

2013-05-14 02:30 - 2013-05-14 02:30 - 00262144 ____A C:\Windows\System32\config\SECURITY.bhv

2013-05-14 02:30 - 2013-05-14 02:30 - 00262144 ____A C:\Windows\System32\config\SAM.bhv

2013-05-14 02:19 - 2013-05-14 02:19 - 00000000 ___AD C:\$Anvi Rescue Disk$

2013-05-13 16:39 - 2013-05-13 16:39 - 00174411 ____A C:\Documents and Settings\administrator.kimkitchen\Application Data\2433f433

2013-05-13 16:39 - 2013-05-13 16:39 - 00174384 ____A C:\Documents and Settings\administrator.kimkitchen\Local Settings\Application Data\2433f433

2013-05-13 16:39 - 2013-05-13 16:39 - 00174376 ____A C:\Documents and Settings\All Users\Application Data\2433f433

2013-05-13 12:37 - 2013-05-13 16:39 - 00031744 ____A C:\Documents and Settings\stephanie\My Documents\139d2e78.dll

2013-05-13 12:37 - 2013-05-13 12:37 - 00031744 ____A C:\Documents and Settings\stephanie\My Documents\139d2e78.exe

==================== One Month Modified Files and Folders ========

2013-05-14 13:28 - 2013-05-14 13:28 - 00000000 ____D C:\FRST

2013-05-14 13:19 - 2004-08-11 18:20 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini

2013-05-14 13:19 - 2004-08-11 18:20 - 00000062 __ASH C:\Documents and Settings\Administrator\Local Settings\desktop.ini

2013-05-14 13:19 - 2004-08-11 18:00 - 00002206 ____A C:\Windows\System32\wpa.dbl

2013-05-14 13:17 - 2004-08-11 18:20 - 00000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini

2013-05-14 13:17 - 2004-08-11 18:13 - 01233091 ____A C:\Windows\WindowsUpdate.log

2013-05-14 13:15 - 2008-06-18 08:39 - 00647150 ____A C:\Windows\setupapi.log

2013-05-14 13:15 - 2004-08-11 18:20 - 00032484 ____A C:\Windows\SchedLgU.Txt

2013-05-14 13:15 - 2004-08-11 18:20 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-05-14 13:15 - 2004-08-11 18:09 - 00000216 ____A C:\Windows\wiadebug.log

2013-05-14 12:53 - 2012-04-25 15:04 - 00000000 ____D C:\Program Files\Henry Schein, Inc

2013-05-14 12:53 - 2004-08-11 18:09 - 00000049 ____A C:\Windows\wiaservc.log

2013-05-14 12:52 - 2004-08-11 18:20 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini

2013-05-14 04:47 - 2013-05-14 04:23 - 00000000 ____D C:\Windows\Microsoft Antimalware

2013-05-14 04:42 - 2013-03-13 10:59 - 00000000 ____D C:\Documents and Settings\stephanie\Local Settings\Application Data\Macromedia

2013-05-14 03:12 - 2013-05-14 02:40 - 29016792 ____A C:\asdsetup.exe

2013-05-14 02:52 - 2008-06-25 17:55 - 00000278 __ASH C:\Documents and Settings\stephanie\ntuser.ini

2013-05-14 02:52 - 2008-06-25 17:55 - 00000062 __ASH C:\Documents and Settings\stephanie\Local Settings\desktop.ini

2013-05-14 02:30 - 2013-05-14 02:30 - 38010880 ____A C:\Windows\System32\config\SOFTWARE.bhv

2013-05-14 02:30 - 2013-05-14 02:30 - 05505024 ____A C:\Windows\System32\config\SYSTEM.bhv

2013-05-14 02:30 - 2013-05-14 02:30 - 05242880 ____A C:\Windows\System32\config\DEFAULT.bhv

2013-05-14 02:30 - 2013-05-14 02:30 - 00262144 ____A C:\Windows\System32\config\SECURITY.bhv

2013-05-14 02:30 - 2013-05-14 02:30 - 00262144 ____A C:\Windows\System32\config\SAM.bhv

2013-05-14 02:19 - 2013-05-14 02:19 - 00000000 ___AD C:\$Anvi Rescue Disk$

2013-05-14 00:44 - 2008-06-18 08:40 - 00001158 ____A C:\Windows\setupact.log

2013-05-13 16:48 - 2008-06-25 17:54 - 00000136 ____A C:\Windows\System32\config\netlogon.ftl

2013-05-13 16:39 - 2013-05-13 16:39 - 00174411 ____A C:\Documents and Settings\administrator.kimkitchen\Application Data\2433f433

2013-05-13 16:39 - 2013-05-13 16:39 - 00174384 ____A C:\Documents and Settings\administrator.kimkitchen\Local Settings\Application Data\2433f433

2013-05-13 16:39 - 2013-05-13 16:39 - 00174376 ____A C:\Documents and Settings\All Users\Application Data\2433f433

2013-05-13 16:39 - 2013-05-13 12:37 - 00031744 ____A C:\Documents and Settings\stephanie\My Documents\139d2e78.dll

2013-05-13 16:39 - 2012-04-10 11:20 - 00000178 __ASH C:\Documents and Settings\administrator.kimkitchen\ntuser.ini

2013-05-13 16:39 - 2012-04-10 11:20 - 00000062 __ASH C:\Documents and Settings\administrator.kimkitchen\Local Settings\desktop.ini

2013-05-13 16:30 - 2013-03-21 10:06 - 00000000 ____D C:\Documents and Settings\stephanie\Local Settings\Application Data\Sun

2013-05-13 15:41 - 2012-09-05 02:28 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-05-13 12:37 - 2013-05-13 12:37 - 00031744 ____A C:\Documents and Settings\stephanie\My Documents\139d2e78.exe

2013-05-13 12:12 - 2011-05-20 09:05 - 00002073 ____A C:\Windows\dentrix.ini

2013-05-13 12:12 - 2008-06-25 22:03 - 00000000 ____D C:\Program Files\Dentrix

2013-05-09 16:36 - 2012-04-25 16:28 - 00134734 ____A C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat

2013-05-09 08:10 - 2008-06-25 18:03 - 00000036 ____A C:\Windows\iltwain.ini

2013-05-09 08:10 - 2008-06-25 18:03 - 00000000 ____D C:\Program Files\DYMO Label

2013-05-08 11:24 - 2008-07-02 09:26 - 00045843 ____A C:\Windows\CSTBox.INI

2013-05-08 11:22 - 2008-06-26 14:46 - 00000000 ____D C:\Documents and Settings\stephanie\Application Data\Canon

2013-05-06 12:08 - 2010-04-08 16:50 - 00000000 ____D C:\Documents and Settings\stephanie\My Documents\My Received Files

2013-04-29 07:38 - 2012-04-29 18:26 - 00000000 ____D C:\Documents and Settings\stephanie\Application Data\TeamViewer

2013-04-29 06:58 - 2013-03-11 01:19 - 00000815 ____A C:\Documents and Settings\All Users\Desktop\TeamViewer 8.lnk

2013-04-25 16:29 - 2012-04-25 17:36 - 00000664 ____A C:\Windows\System32\d3d9caps.dat

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

Any help would be greatly appreciated!!!

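The lines FRST marks with ATTENTION in the log above (the Winlogon Shell values set to cmd.exe, the Run value loading a DLL through rundll32, and the Group Policy software restriction) are the same checks a responder applies by eye to any FRST registry section. The Python below is an added example written for this page; it is not part of the original thread and is not FRST's or Malwarebytes' code. It parses lines in the layout shown in this log (the line shape and the trailing "[size date]", "(Vendor)", "<==== ATTENTION" and "[x]" annotations it assumes are taken from this log, not from FRST documentation) and reports deviations from a clean XP baseline: Shell should be explorer.exe, Userinit should be the system32 userinit.exe, and Run values should not launch DLLs from a user profile data folder. The sample input is a copy of the flagged lines from the first post plus one benign userinit line for contrast.

```python
import re
from dataclasses import dataclass

# Sample input: the registry lines FRST flagged in the log above, plus one benign
# userinit line for contrast (copied from the thread; not a live capture).
SAMPLE_LINES = r"""
HKLM Group Policy restriction on software: %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* <====== ATTENTION
HKLM\...\Winlogon: [shell] [x ] ()
HKCU\...\Winlogon: [userinit] C:\Windows\system32\userinit.exe [26112 2008-04-13] (Microsoft Corporation)
HKU\administrator.kimkitchen\...\Winlogon: [shell] cmd.exe [26112 2008-04-13] (Microsoft Corporation) <==== ATTENTION
HKU\LocalService\...\Run: [{D30BC831-6C7F-4BDE-A84C-0A087669676F}] rundll32 "C:\Documents and Settings\stephanie\Local Settings\Application Data\Sun\{D30BC831-6C7F-4BDE-A84C-0A087669676F}\sabhw.dll",CloseSQLPerformanceData1 [x]
HKU\stephanie\...\Winlogon: [shell] cmd.exe [26112 2008-04-13] (Microsoft Corporation) <==== ATTENTION
""".strip().splitlines()

# Assumed shape of an FRST registry line: "<hive>\...\<key>: [<value>] <data> <trailers>"
ENTRY_RE = re.compile(
    r"^(?P<hive>HK[^:]+?)\\\.\.\.\\(?P<key>Winlogon|Run|RunOnce): \[(?P<value>[^\]]+)\] (?P<data>.*)$"
)
# Trailers FRST appends after the data: "[size date]", "(Vendor)", "<==== ATTENTION",
# and "[x]" (assumed here to be FRST's marker for a file it could not find).
TRAILER_RE = re.compile(
    r"(?:\s*(?:\[\d+ \d{4}-\d{2}-\d{2}\]|\([^()]*\)|<=+ ATTENTION|\[x\s*\]))+$"
)
SRP_PREFIX = "HKLM Group Policy restriction on software:"


@dataclass
class Finding:
    hive: str
    key: str
    value: str
    data: str
    reason: str


def strip_trailers(data: str) -> str:
    """Remove FRST's size/date, vendor, ATTENTION and [x] annotations from a value."""
    return TRAILER_RE.sub("", data).strip()


def analyze(lines):
    """Return one Finding per registry line that deviates from a clean XP baseline."""
    findings = []
    for line in lines:
        line = line.rstrip()
        if line.startswith(SRP_PREFIX):
            # The log alone does not say who created the rule, so report it for review.
            rule = strip_trailers(line[len(SRP_PREFIX):])
            findings.append(Finding("HKLM", "SRP", "-", rule,
                                    "software restriction rule flagged by FRST; confirm it is expected"))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        hive, key, value, raw = m.group("hive", "key", "value", "data")
        data = strip_trailers(raw)
        reason = None
        if key == "Winlogon" and value.lower() == "shell":
            if not data:
                reason = "Shell value is empty or unresolved; the desktop will not start"
            elif not data.lower().startswith("explorer.exe"):
                reason = f"Shell is {data!r}, expected explorer.exe (logon lands in that program instead)"
        elif key == "Winlogon" and value.lower() == "userinit":
            if not data.lower().rstrip(",").endswith(r"\system32\userinit.exe"):
                reason = f"Userinit is {data!r}, expected <SystemRoot>\\system32\\userinit.exe"
        elif key in ("Run", "RunOnce"):
            low = data.lower()
            if "rundll32" in low and "application data" in low:
                reason = "rundll32 loads a DLL from a user-profile data folder, a common persistence location"
            elif raw.rstrip().endswith("[x]"):
                reason = "autorun target file not found (orphaned entry or already removed)"
        if reason:
            findings.append(Finding(hive, key, value, data, reason))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LINES):
        print(f"{f.hive:<34} {f.key:<9} {f.value:<40} -> {f.reason}")
```

Run it directly to print the five findings for the sample; feed it the Registry section of any other FRST.txt to triage that log the same way. The Shell and Userinit checks are the ones that explain the symptom in this thread (logon dropping into cmd.exe instead of the desktop), and they are exactly the values the helper's fixlist restored or deleted in the Fixlog further down.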

OK, here you go......this should get you going:

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

See if the computer boots normally now.

MrC


Ok here are the fix results:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 14-05-2013

Ran by Administrator at 2013-05-14 15:07:41 Run:1

Running from G:\

Boot Mode: Safe Mode (minimal)

==============================================

HKLM => Group Policy Restriction on software restored successfully.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value was restored successfully.

HKEY_USERS\administrator.kimkitchen\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.

HKEY_USERS\LocalService\Software\Microsoft\Windows\CurrentVersion\Run\\{D30BC831-6C7F-4BDE-A84C-0A087669676F} => Value deleted successfully.

HKEY_USERS\stephanie\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.

C:\Documents and Settings\administrator.kimkitchen\Application Data\2433f433 => Moved successfully.

C:\Documents and Settings\administrator.kimkitchen\Local Settings\Application Data\2433f433 => Moved successfully.

C:\Documents and Settings\All Users\Application Data\2433f433 => Moved successfully.

C:\Documents and Settings\stephanie\My Documents\139d2e78.dll => Moved successfully.

C:\Documents and Settings\stephanie\My Documents\139d2e78.exe => Moved successfully.

C:\Documents and Settings\stephanie\Local Settings\Application Data\Sun\{D30BC831-6C7F-4BDE-A84C-0A087669676F}\sabhw.dll => File/Directory not found.

==== End of Fixlog ====

And I was able to login!!!! Thanks so much!! I am going to update anti-virus and spyware software now and run full scans!!!!


I suggest you run this one also:

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

To attach a log if needed: use the "More Reply Options" button at the bottom right corner of this page, then choose the file in the new window that comes up.

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

  • Internet access
  • Windows Update
  • Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that your system is now functioning normally.

MrC


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
