
I can't seem to shake an infection that reappears whenever the computer restarts. MBAM seems to eradicate it with a quick scan, and the computer functions normally, but when I reboot the infections return. This started out as a system security virus, but the residual effects I'm seeing are a "svchost.exe has encountered a problem..." error message on reboot, and it seems to eliminate my automatic logins to forums such as this one and Yahoo. Strangely, any site where I have to log in on each visit (like my bank) is not affected (the password is recalled on the drop-down menu). I'm posting the latest MBAM log and the HijackThis log; any help would be appreciated.

MBAM:

Malwarebytes' Anti-Malware 1.39

Database version: 2508

Windows 5.1.2600 Service Pack 2

7/26/2009 8:44:32 PM

mbam-log-2009-07-26 (20-44-32).txt

Scan type: Quick Scan

Objects scanned: 120319

Time elapsed: 14 minute(s), 44 second(s)

Memory Processes Infected: 2

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 3

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 7

Memory Processes Infected:

C:\WINDOWS\9129837.exe (Trojan.Agent) -> Unloaded process successfully.

C:\WINDOWS\system32\ms18_word.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Systemntmi (Rootkit.Spamtool) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ms18_word (Trojan.Dropper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ms18_word (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\drivers\systemntmi.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Administrator\ms18_word.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\9129837.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\WINDOWS\Temp\wpv211248551196.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Administrator\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Administrator\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ms18_word.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:28:49 PM, on 7/27/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Documents and Settings\HP_Administrator\Desktop\yProxy.exe

c:\windows\system\hpsysdrv.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\DISC\DISCover.exe

C:\Program Files\DISC\DiscUpdMgr.exe

C:\Program Files\DISC\DiscStreamHub.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.trymedia.com (HKLM)

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1238527934296

O17 - HKLM\System\CCS\Services\Tcpip\..\{0BA62877-8BEA-458E-9209-6F51E4CC697E}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{49E71310-75FF-497D-BECD-E9C49FE7B764}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{4B7B8D55-4C0A-480F-9C44-79656DC6EC28}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS1\Services\Tcpip\..\{0BA62877-8BEA-458E-9209-6F51E4CC697E}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS3\Services\Tcpip\..\{0BA62877-8BEA-458E-9209-6F51E4CC697E}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O20 - AppInit_DLLs: oowfqs.dll pcqval.dll xljvab.dll,C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\206448493mmx.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe

O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

O23 - Service: Google Update Service (gupdate1ca08a443d5b73e) (gupdate1ca08a443d5b73e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 9840 bytes


  • Staff

Hi,

I understand that you need help in order to get rid of the malware that is present on your system, but you need to help us first.

I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!

This is somewhat suicidal in today's digital world.

That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/

This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.

Then reboot.

After reboot, open your Avira and select "reports".

There double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.

Then we'll start from there, because it really makes no sense otherwise for us to clean this up manually if an Antivirus scanner is not present, which should be able to deal with most of this and prevent further reinfection.


Hi, and thanks for your help, it's really appreciated. Sorry about not having an anti-virus program installed. I had McAfee for a long time, and I don't think it ever stopped anything. A scan would reveal no problems, and then a scan using MBAM would identify and repair any problems. MBAM worked so well, I let McAfee lapse, it was pretty much useless. In fact this is the first thing I've had that MBAM has not gotten rid of (except for a rather nasty rootkit that prevented MBAM from opening), and even then it got rid of the worst of it. I have installed the Avira as requested and run the scan, and it seems to have fixed the symptoms I was experiencing. As far as I can tell, everything is now operating normally. Here is the Avira scan:

Avira AntiVir Personal

Report file date: Tuesday, July 28, 2009 17:57

Scanning for 1575908 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 2) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : YOUR-4DACD0EA75

Version information:

BUILD.DAT : 9.0.0.403 17961 Bytes 6/3/2009 17:05:00

AVSCAN.EXE : 9.0.3.6 466689 Bytes 5/11/2009 15:14:47

AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 16:58:24

LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 17:35:49

LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 16:58:52

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 18:30:36

ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 22:55:45

ANTIVIR2.VDF : 7.1.4.253 1779200 Bytes 7/19/2009 22:55:50

ANTIVIR3.VDF : 7.1.5.41 325120 Bytes 7/28/2009 22:55:51

Engineversion : 8.2.0.234

AEVDF.DLL : 8.1.1.1 106868 Bytes 4/30/2009 17:52:04

AESCRIPT.DLL : 8.1.2.21 450939 Bytes 7/28/2009 22:55:58

AESCN.DLL : 8.1.2.4 127348 Bytes 7/28/2009 22:55:57

AERDL.DLL : 8.1.2.4 430452 Bytes 7/28/2009 22:55:57

AEPACK.DLL : 8.1.3.18 401783 Bytes 5/27/2009 22:07:20

AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/28/2009 22:55:56

AEHEUR.DLL : 8.1.0.147 1884536 Bytes 7/28/2009 22:55:55

AEHELP.DLL : 8.1.5.3 233846 Bytes 7/28/2009 22:55:53

AEGEN.DLL : 8.1.1.51 352629 Bytes 7/28/2009 22:55:53

AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 20:32:40

AECORE.DLL : 8.1.7.6 184694 Bytes 7/28/2009 22:55:52

AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 20:32:40

AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 14:47:59

AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 16:32:15

AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 20:34:28

AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 16:32:09

AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 21:05:41

AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 16:37:08

SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 21:03:49

SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 14:21:33

NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 16:32:10

RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 21:39:58

RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 16:19:48

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:, D:, E:, L:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Start of the scan: Tuesday, July 28, 2009 17:57

Starting search for hidden objects.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\78b792d\imagepath

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\78b792d\type

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\78b792d\start

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\78b792d\errorcontrol

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\78b792d\zpkoymjn

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\78b792d\f96zk6npb

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\81478963\imagepath

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\81478963\type

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\81478963\start

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\81478963\errorcontrol

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\87eb356c\imagepath

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\87eb356c\type

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\87eb356c\start

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\87eb356c\errorcontrol

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\87eb356c\zpkoymjn

[INFO] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\87eb356c\f96zk6npb

[INFO] The registry entry is invisible.

'68293' objects were checked, '16' hidden objects were found.

The scan of running processes will be started

Scan process 'msimn.exe' - '1' Module(s) have been scanned

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'msiexec.exe' - '1' Module(s) have been scanned

Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned

Scan process 'DiscStreamHub.exe' - '1' Module(s) have been scanned

Scan process 'DISCUpdMgr.exe' - '1' Module(s) have been scanned

Scan process 'DISCover.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'jusched.exe' - '1' Module(s) have been scanned

Scan process 'hpsysdrv.exe' - '1' Module(s) have been scanned

Scan process 'yProxy.exe' - '1' Module(s) have been scanned

Scan process 'ehmsas.exe' - '1' Module(s) have been scanned

Scan process 'dllhost.exe' - '1' Module(s) have been scanned

Scan process 'iPodService.exe' - '1' Module(s) have been scanned

Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned

Scan process 'mcrdsvc.exe' - '1' Module(s) have been scanned

Scan process 'ELService.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned

Scan process 'GoogleUpdate.exe' - '1' Module(s) have been scanned

Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned

Scan process 'IAANTmon.exe' - '1' Module(s) have been scanned

Scan process 'FreeAgentService.exe' - '1' Module(s) have been scanned

Scan process 'ehSched.exe' - '1' Module(s) have been scanned

Scan process 'ehrecvr.exe' - '1' Module(s) have been scanned

Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'Updates from HP.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'msmsgs.exe' - '1' Module(s) have been scanned

Scan process 'QTTask.exe' - '1' Module(s) have been scanned

Scan process 'stxmenumgr.exe' - '1' Module(s) have been scanned

Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned

Scan process 'DMAScheduler.exe' - '1' Module(s) have been scanned

Scan process 'ehtray.exe' - '1' Module(s) have been scanned

Scan process 'IAAnotif.exe' - '1' Module(s) have been scanned

Scan process 'RTHDCPL.EXE' - '1' Module(s) have been scanned

Scan process 'realsched.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

56 processes with 56 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Master boot sector HD1

[INFO] No virus was found!

Master boot sector HD2

[INFO] No virus was found!

Master boot sector HD3

[INFO] No virus was found!

Master boot sector HD4

[INFO] No virus was found!

Master boot sector HD5

[INFO] No virus was found!

Master boot sector HD6

[INFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Boot sector 'D:\'

[INFO] No virus was found!

Boot sector 'E:\'

[INFO] No virus was found!

Boot sector 'L:\'

[INFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '57' files ).

Starting the file scan:

Begin scan in 'C:\' <HP_PAVILION>

C:\hiberfil.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\pagefile.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\Documents and Settings\HP_Administrator\Local Settings\Temp\88.exe

[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan

C:\Documents and Settings\HP_Administrator\Local Settings\Temp\pbwtsspucb.tmp

[DETECTION] Is the TR/CryptRedol.88576.3 Trojan

C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~TM81.tmp

[DETECTION] Is the TR/Dldr.Small.jxi Trojan

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\ikowin32.exe

[DETECTION] Is the TR/Dldr.Small.jxi Trojan

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1\A0000001.exe

[DETECTION] Is the TR/Trash.Gen Trojan

C:\WINDOWS\system32\drivers\78b792d.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

[WARNING] The file could not be opened!

C:\WINDOWS\system32\drivers\81478963.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

[WARNING] The file could not be opened!

C:\WINDOWS\system32\drivers\87eb356c.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

[WARNING] The file could not be opened!

Begin scan in 'D:\'

Begin scan in 'E:\' <HP_RECOVERY>

Begin scan in 'L:\' <FreeAgent Drive>

Beginning disinfection:

C:\Documents and Settings\HP_Administrator\Local Settings\Temp\88.exe

[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan

[NOTE] The file was moved to '4a9d94de.qua'!

C:\Documents and Settings\HP_Administrator\Local Settings\Temp\pbwtsspucb.tmp

[DETECTION] Is the TR/CryptRedol.88576.3 Trojan

[NOTE] The file was moved to '4ae69508.qua'!

C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~TM81.tmp

[DETECTION] Is the TR/Dldr.Small.jxi Trojan

[NOTE] The file was moved to '4abc94fa.qua'!

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\ikowin32.exe

[DETECTION] Is the TR/Dldr.Small.jxi Trojan

[NOTE] The file was moved to '4ade9511.qua'!

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1\A0000001.exe

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '4a9f94d6.qua'!

C:\WINDOWS\system32\drivers\78b792d.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004

[WARNING] The source file could not be found.

[NOTE] Attempting to perform action using the ARK library.

[NOTE] The file was moved to '4ad194df.qua'!

C:\WINDOWS\system32\drivers\81478963.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004

[WARNING] The source file could not be found.

[NOTE] Attempting to perform action using the ARK library.

[NOTE] The file was moved to '4aa394dd.qua'!

C:\WINDOWS\system32\drivers\87eb356c.sys

[DETECTION] Is the TR/Rootkit.Gen Trojan

[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004

[WARNING] The source file could not be found.

[NOTE] Attempting to perform action using the ARK library.

[NOTE] The file was moved to '4ad494e5.qua'!

End of the scan: Tuesday, July 28, 2009 19:15

Used time: 1:17:52 Hour(s)

The scan has been done completely.

12815 Scanned directories

673394 Files were scanned

8 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

8 Files were moved to quarantine

0 Files were renamed

5 Files cannot be scanned

673381 Files not concerned

17292 Archives were scanned

5 Warnings

10 Notes

68293 Objects were scanned with rootkit scan

16 Hidden objects were found

And here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:36:14 PM, on 7/28/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Documents and Settings\HP_Administrator\Desktop\yProxy.exe

C:\Program Files\Internet Explorer\iexplore.exe

c:\windows\system\hpsysdrv.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\DISC\DISCover.exe

C:\Program Files\DISC\DiscUpdMgr.exe

C:\Program Files\DISC\DiscStreamHub.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.trymedia.com (HKLM)

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1238527934296

O17 - HKLM\System\CCS\Services\Tcpip\..\{0BA62877-8BEA-458E-9209-6F51E4CC697E}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{49E71310-75FF-497D-BECD-E9C49FE7B764}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{4B7B8D55-4C0A-480F-9C44-79656DC6EC28}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS1\Services\Tcpip\..\{0BA62877-8BEA-458E-9209-6F51E4CC697E}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS3\Services\Tcpip\..\{0BA62877-8BEA-458E-9209-6F51E4CC697E}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O20 - AppInit_DLLs: oowfqs.dll pcqval.dll xljvab.dll,C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\206448493mmx.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Avira AntiVir Scheduler (antivirschedulerservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe

O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

O23 - Service: Google Update Service (gupdate1ca08a443d5b73e) (gupdate1ca08a443d5b73e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--

End of file - 10255 bytes

Thanks again for your assistance.

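Both HijackThis logs posted in this thread carry the entries a responder would want to triage mechanically rather than by eye: an O20 AppInit_DLLs line with three bare DLL names plus a DLL under the user's Temp folder, O23 services listed with "Unknown owner" and an unresolved image path, and a block of O17 NameServer lines. The following Python script is an added example for this thread; it is not code from HijackThis, Malwarebytes, ComboFix or any participant. It parses those three line types and returns graded findings. The list of acceptable public resolvers beyond the two OpenDNS addresses in the logs, the set of svchost-hosted XP service names treated as expected, and the two sample lines marked CONSTRUCTED are assumptions made for the example.

```python
"""Triage of HijackThis-style log lines for persistence and DNS-hijack indicators.

Added example for this thread; it is not code from HijackThis, Malwarebytes,
ComboFix or any participant. The sample lines below are copied from the logs
posted in the thread, except the two marked CONSTRUCTED.
"""
import re
from dataclasses import dataclass
from typing import List

# Resolvers that are not by themselves a hijack indicator. The two OpenDNS
# addresses are the ones in the posted logs; the Google ones are an assumed
# site policy and should be tuned to the network being investigated.
KNOWN_PUBLIC_DNS = {"208.67.220.220", "208.67.222.222", "8.8.8.8", "8.8.4.4"}

# Windows XP services that HijackThis commonly lists as "Unknown owner" with a
# bare "C:\WINDOWS\" path because their ImagePath is an svchost -k group;
# they are reported at "info" so they are verified rather than ignored.
SVCHOST_HOSTED = {"BITS", "wuauserv"}


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    code: str      # HijackThis section, e.g. "O20"
    detail: str


O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[0-9.,]+)\s*$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def triage_line(line: str) -> List[Finding]:
    """Return the findings for one HijackThis line (empty list if nothing notable)."""
    line = line.strip()
    out: List[Finding] = []

    m = O20_RE.match(line)
    if m:
        # AppInit_DLLs are mapped into every process that loads user32.dll, so
        # each entry is a system-wide injection point and is judged on its own.
        for dll in re.split(r"[ ,]+", m.group("dlls").strip()):
            if not dll:
                continue
            if re.search(r"\\temp\\", dll, re.IGNORECASE):
                out.append(Finding("high", "O20", f"AppInit_DLLs loads {dll} from a Temp directory"))
            elif "\\" not in dll:
                out.append(Finding("high", "O20", f"AppInit_DLLs loads {dll} by bare name via the DLL search path"))
            else:
                out.append(Finding("medium", "O20", f"AppInit_DLLs loads {dll}; confirm it belongs to installed software"))
        return out

    m = O23_RE.match(line)
    if m:
        name, owner, path = m.group("name"), m.group("owner"), m.group("path")
        short = re.search(r"\((\w+)\)\s*$", name)  # "(wuauserv)" -> service key name
        key = short.group(1) if short else name
        if owner == "Unknown owner" and path.endswith("\\"):
            sev = "info" if key in SVCHOST_HOSTED else "medium"
            out.append(Finding(sev, "O23", f"service {key}: unresolved image path {path!r}; verify with 'sc qc {key}'"))
        return out

    m = O17_RE.match(line)
    if m:
        unknown = [s for s in m.group("servers").split(",") if s not in KNOWN_PUBLIC_DNS]
        if unknown:
            out.append(Finding("medium", "O17", "NameServer points at unrecognised resolver(s): " + ",".join(unknown)))
        return out

    return out


def triage(lines) -> List[Finding]:
    """Run triage_line over a whole log, preserving line order."""
    findings: List[Finding] = []
    for line in lines:
        findings.extend(triage_line(line))
    return findings


SAMPLE_LOG = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222",
    # CONSTRUCTED: documentation-range address standing in for an unexpected resolver
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 203.0.113.53",
    r"O20 - AppInit_DLLs: oowfqs.dll pcqval.dll xljvab.dll,C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\206448493mmx.dll",
    r"O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll",
    "O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\\WINDOWS\\",
    r"O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe",
    # CONSTRUCTED: the service name comes from the MBAM log in this thread, the line itself does not
    "O23 - Service: Systemntmi (Systemntmi) - Unknown owner - C:\\WINDOWS\\",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity.upper():6} {f.code}  {f.detail}")
```

Run against the sample, the script reports the four AppInit_DLLs entries as high (this is the line that explains why the infection came back after MBAM cleaned the Run keys: the DLLs are loaded into every user32-linked process at logon), the BITS entry as info only, the constructed Systemntmi service as medium, and the OpenDNS NameServer lines as nothing at all. The `sc qc <name>` suggestion in the O23 finding is the standard way to read a service's real ImagePath when HijackThis could not resolve it.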

  • Staff

Hi,

We're still not finished yet, so:

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


OK, I ran Combofix. It found a virus and asked what I wanted to do with it (the default action was deny access), so I checked delete it. Hope this was okay. After I did that I noticed that the Avira umbrella had opened in my taskbar, but it may have been open prior to that time, as I was not watching the full scan. I know for a fact I disabled it before the scan began; the umbrella was closed. Do I need to re-run Combofix?

Also, FYI, I guess I did have some lingering problem after the initial Avira scan I did yesterday, as I received some kind of error message on startup that caused a shutdown of the computer. Actually there was a 60 second countdown to shutdown, but it just froze up after the 60 seconds elapsed, and I had to turn it off. It restarted fine after that. This has happened twice. The message was something similar to this: "Shutdown was initiated by NT Authority\System...system process C:\windows\system32\service.exe terminated unexpectedly with status code 1073741819." No idea what that is or what caused it.

Anyway I just wanted to say thanks again for your help with this. I don't know what motivates people like you to help us poor, ignorant computer saps, but I'm surely grateful for it. Here's the Combofix log:

ComboFix 09-07-29.03 - HP_Administrator 07/29/2009 17:41.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1510 [GMT -5:00]

Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll

c:\documents and settings\HP_Administrator\Local Settings\Temp\IadHide5.dll

c:\temp\1cb

c:\temp\1cb\syscheck.log

c:\temp\DIV55

c:\temp\DIV55\xDb.log

c:\windows\kb913800.exe

c:\windows\run.log

c:\windows\system32\drivers\78b792d.sys

c:\windows\system32\drivers\81478963.sys

c:\windows\system32\drivers\87eb356c.sys

c:\windows\system32\drivers\ntndis.sys

c:\windows\system32\gi3

c:\windows\system32\giv

c:\windows\system32\IN

c:\windows\system32\mfc45.dll

c:\windows\system32\op8

c:\windows\system32\TEC

c:\windows\system32\vi

c:\windows\system32\yFMllUvw.ini

c:\windows\system32\yFMllUvw.ini2

c:\windows\system32\YHRtAJlm.ini

c:\windows\system32\YHRtAJlm.ini2

c:\windows\Tasks\dvudhiue.job

c:\windows\wiaserviv.log

E:\Autorun.inf

L:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_AVAST!ANTIVIRUS

-------\Legacy_FIPS32CUP

-------\Legacy_SYSTEMNTMI

-------\Legacy_TDSSSERV.SYS

-------\Service_81478963

-------\Service_87eb356c

-------\Service_78b792d

((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-29 )))))))))))))))))))))))))))))))

.

2009-07-28 22:54 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-07-28 22:54 . 2009-03-24 21:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-07-28 22:54 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-07-28 22:54 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-07-28 22:54 . 2009-07-28 22:54 -------- d-----w- c:\program files\Avira

2009-07-28 22:54 . 2009-07-28 22:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-07-25 13:53 . 2009-07-25 13:53 -------- d-----w- c:\program files\Enigma Software Group

2009-07-25 05:29 . 2009-07-25 05:46 -------- d-----w- c:\documents and settings\All Users\Application Data\10399844

2009-07-25 05:03 . 2009-07-25 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\10376874

2009-07-25 04:46 . 2009-07-25 14:41 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-07-25 04:46 . 2009-07-25 04:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

2009-07-25 04:33 . 2009-07-25 04:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-07-25 04:27 . 2009-07-25 04:32 -------- d-----w- c:\documents and settings\All Users\Application Data\10454064

2009-07-25 03:59 . 2009-07-29 22:17 117760 ----a-w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-07-25 03:59 . 2009-07-25 03:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-07-25 03:59 . 2009-07-28 21:54 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-07-25 03:59 . 2009-07-25 03:59 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com

2009-07-25 03:58 . 2009-07-25 03:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-07-25 03:39 . 2009-07-25 03:56 -------- d-----w- c:\documents and settings\All Users\Application Data\10364374

2009-07-25 02:16 . 2009-07-25 02:32 -------- d-----w- c:\documents and settings\All Users\Application Data\10361714

2009-07-25 01:26 . 2009-07-25 01:26 -------- d-----w- c:\documents and settings\All Users\Application Data\10657504

2009-07-25 01:06 . 2009-07-25 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\10468904

2009-07-25 00:22 . 2009-07-25 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\14535314

2009-07-19 19:08 . 2009-07-19 19:08 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2009-07-19 19:07 . 2009-07-19 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2009-07-04 20:43 . 2009-07-04 20:43 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\The Creative Assembly

2009-07-04 19:53 . 2009-07-29 23:09 -------- d-----w- c:\program files\Steam

2009-07-04 19:51 . 2009-07-04 19:51 -------- d-----w- c:\windows\Logs

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-29 22:46 . 2004-08-10 04:00 577536 ----a-w- c:\windows\system32\user32.dll

2009-07-25 16:25 . 2008-09-28 22:21 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-07-25 16:11 . 2008-10-02 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!

2009-07-25 15:51 . 2009-07-25 15:51 1688 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg

2009-07-25 15:51 . 2009-07-25 15:51 656 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg

2009-07-25 15:18 . 2009-07-25 15:18 528 ----a-w- c:\program files\ukwjckr.txt

2009-07-19 20:01 . 2008-06-04 00:35 1915520 -c--a-w- c:\documents and settings\HP_Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe

2009-07-19 19:08 . 2006-08-28 22:41 -------- d-----w- c:\program files\Google

2009-07-13 23:52 . 2008-10-06 02:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-13 23:52 . 2008-12-03 19:24 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-07-13 18:36 . 2008-10-06 02:20 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-13 18:36 . 2008-10-06 02:20 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-06-16 14:55 . 2004-08-10 04:00 82432 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:55 . 2004-08-10 04:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-03 19:24 . 2004-08-10 04:00 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-06-02 20:47 . 2009-06-02 20:47 390664 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Real\RealPlayer\Update\RealPlayer11.exe

2009-05-16 16:26 . 2009-05-16 16:26 34062 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Move Networks\ie_bin\Uninst.exe

2009-05-16 16:26 . 2009-05-16 16:26 1047072 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Move Networks\MoveMediaPlayer_071303000006.exe

2009-05-07 15:44 . 2004-08-10 04:00 344064 ----a-w- c:\windows\system32\localspl.dll

2009-05-01 22:53 . 2009-05-01 22:25 637264 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-05-01 22:30 . 2006-07-21 06:52 50512 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2008-12-17 02:16 . 2008-12-17 02:16 7518240 ----a-w- c:\program files\Firefox Setup 3.0.5.exe

2008-11-12 00:16 . 2008-11-12 00:16 14622342 ----a-w- c:\program files\vlc-0.9.6-win32.exe

2008-11-06 23:38 . 2008-11-06 23:38 2078831 ----a-w- c:\program files\mplayerc_20081005.zip

2006-08-29 23:13 . 2006-08-29 23:13 599592 ----a-w- c:\program files\DMSetup.exe

2006-08-28 22:40 . 2006-08-28 22:40 13736064 ----a-w- c:\program files\GoogleEarthWin.exe

2006-08-28 19:43 . 2006-08-28 19:43 37518744 ----a-w- c:\program files\iTunesSetup.exe

2006-08-28 19:33 . 2006-08-28 19:33 5834344 ----a-w- c:\program files\winzip100.exe

2006-08-28 02:42 . 2008-09-26 21:25 410309 ----a-w- c:\program files\yproxy12.zip

2006-08-28 00:39 . 2006-08-28 00:39 198656 ----a-w- c:\program files\yproxywizard.exe

2008-12-02 20:12 . 2008-12-17 02:17 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

2006-10-31 01:40 . 2006-10-31 01:40 22 -csha-w- c:\windows\SMINST\HPCD.sys

.

Infected c:\windows\system32\user32.dll hex repaired

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-08-30 4621816]

"Steam"="c:\program files\Steam\Steam.exe" [2009-07-04 1217784]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-19 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-22 185896]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]

"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-01-15 267048]

"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-06-14 16239616]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-31 1622016]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-7-21 36903]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\DISC\\DISCover.exe"=

"c:\\Program Files\\DISC\\myFTP.exe"=

"c:\\Program Files\\DISC\\DiscStreamHub.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=

"c:\\Program Files\\Steam\\SteamApps\\common\\empire total war\\Empire.exe"=

R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]

R2 antivirschedulerservice;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/28/2009 5:54 PM 108289]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 4:42 PM 156968]

R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [7/21/2006 1:40 AM 468768]

S2 gupdate1ca08a443d5b73e;Google Update Service (gupdate1ca08a443d5b73e);c:\program files\Google\Update\GoogleUpdate.exe [7/19/2009 2:08 PM 133104]

S3 s916bus;Sony Ericsson Device 916 driver (WDM);c:\windows\system32\drivers\s916bus.sys [12/28/2008 10:51 PM 83496]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]

.

Contents of the 'Scheduled Tasks' folder

2009-07-29 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-03 19:07]

2009-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-19 19:08]

2009-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-19 19:08]

.

- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)

HKLM-Run-PCDrProfiler - (no file)

SafeBoot-AVG Anti-Spyware Driver

SafeBoot-AVG Anti-Spyware Guard

.

------- Supplementary Scan -------

.

uStart Page = www.yahoo.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop

mStart Page = hxxp://www.google.com

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop

uInternet Settings,ProxyOverride = *.local;<local>

Trusted Zone: trymedia.com

TCP: {0BA62877-8BEA-458E-9209-6F51E4CC697E} = 208.67.220.220,208.67.222.222

TCP: {49E71310-75FF-497D-BECD-E9C49FE7B764} = 208.67.220.220,208.67.222.222

TCP: {4B7B8D55-4C0A-480F-9C44-79656DC6EC28} = 208.67.220.220,208.67.222.222

TCP: {892900FC-9814-4488-99C0-81491C1EE93D} = 208.67.220.220,208.67.222.222

FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\gs1t2cw0.default\

FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/

FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll

.

.

------- File Associations -------

.

JSEFile=NOTEPAD.EXE %1

VBEFile=NOTEPAD.EXE %1

VBSFile=NOTEPAD.EXE %1

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-29 18:10

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(876)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(5900)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\ehome\ehrecvr.exe

c:\windows\ehome\ehSched.exe

c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\ELService.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\dllhost.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\ehome\ehmsas.exe

c:\windows\system\hpsysdrv.exe

c:\program files\Java\jre1.5.0_06\bin\jusched.exe

c:\program files\DISC\DISCover.exe

c:\program files\DISC\DISCUpdMgr.exe

c:\program files\DISC\DiscStreamHub.exe

.

**************************************************************************

.

Completion time: 2009-07-29 18:32 - machine was rebooted

ComboFix-quarantined-files.txt 2009-07-29 23:31

Pre-Run: 170,166,816,768 bytes free

Post-Run: 170,810,961,920 bytes free

254 --- E O F --- 2009-07-28 03:44


  • Staff

Hi,

Navigate to and delete the following folders:

c:\documents and settings\All Users\Application Data\10364374

c:\documents and settings\All Users\Application Data\10361714

c:\documents and settings\All Users\Application Data\10657504

c:\documents and settings\All Users\Application Data\10468904

c:\documents and settings\All Users\Application Data\14535314

c:\documents and settings\All Users\Application Data\10454064

c:\documents and settings\All Users\Application Data\10399844

c:\documents and settings\All Users\Application Data\10376874

Then go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.


Apparently I don't have these files. I have the Documents and Settings folder and the All Users folder, but the latter contains no Application Data folder. There is such a folder under the HP_Administrator folder, but it contains only other folders. I did a file search for the number suffix on the first file you listed and found nothing. Everything seems to be running fine. I didn't have the system shutdown when I turned on the computer today, and everything else seems normal.


As an update to the above post, I just ran a MBAM quick scan and came up with one infection, which happened to be in the folder you're looking for. So now I'm thoroughly confused, as I still can bring up this folder by going through the progression on My Computer. Here's the MBAM log:

Malwarebytes' Anti-Malware 1.39

Database version: 2533

Windows 5.1.2600 Service Pack 2

7/30/2009 8:34:27 PM

mbam-log-2009-07-30 (20-34-27).txt

Scan type: Quick Scan

Objects scanned: 107400

Time elapsed: 9 minute(s), 16 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index (Rogue.SmartProtector) -> Quarantined and deleted successfully.

Files Infected:

(No malicious items detected)


  • Staff

Hi,

Those folders are present there...

Please set your system to show all files.

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.

Uncheck: Hide file extensions for known file types

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

Please hide your hidden files and folders again afterwards, when we are done with this thread and your problems are solved, because the above instructions to set your system to show all files unhide legitimate files and folders as well.

And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.

Then navigate to the following folder:

c:\documents and settings\All Users\Application Data

In there, you'll find the following subfolders:

10364374

10361714

10657504

14535314

10454064

10399844

10376874

Delete those... Don't delete anything else there.

Let me know in your next reply how things are now.

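The folders the staff member is asking for are carrying the Hidden and/or System attribute, which is why they did not show up in Explorer or in a file search until the Folder Options change above. The following script is an added example, not something posted in this thread or part of ComboFix or Malwarebytes: it enumerates hidden or system subfolders whose names are purely numeric (an assumption based on the eight-digit folder names in the ComboFix log) under the All Users\Application Data path named in the thread, and only reports them so you can compare against the list before removing anything by hand. It assumes PowerShell 2.0 or later is installed, which Windows XP did not ship with.

```powershell
# Added example (not from the thread): report hidden/system folders with purely
# numeric names under the All Users profile's Application Data directory.
# Reports only; it deliberately contains no Remove-Item call.

# On Windows XP $env:ALLUSERSPROFILE is "C:\Documents and Settings\All Users",
# so this resolves to the path named in the thread. On Vista and later it
# resolves to C:\ProgramData\Application Data, a junction back to C:\ProgramData.
$base = Join-Path $env:ALLUSERSPROFILE 'Application Data'

# Assumption: the suspicious folders are named with eight digits, as in the log.
$namePattern = '^\d{8}$'

function Get-SuspectHiddenFolder {
    param(
        [string]$Path    = $base,
        [string]$Pattern = $namePattern
    )
    # -Force includes Hidden and System items that a default listing omits.
    Get-ChildItem -Path $Path -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and ($_.Name -match $Pattern) } |
        ForEach-Object {
            $attrs = $_.Attributes
            # Count what is inside so an empty leftover and a populated one look different.
            $children = @(Get-ChildItem -Path $_.FullName -Force -Recurse -ErrorAction SilentlyContinue)
            New-Object PSObject -Property @{
                Path       = $_.FullName
                Hidden     = [bool]($attrs -band [IO.FileAttributes]::Hidden)
                System     = [bool]($attrs -band [IO.FileAttributes]::System)
                Created    = $_.CreationTime
                Items      = $children.Count
                Attributes = $attrs.ToString()
            }
        }
}

# Print a table; each row should match one of the folder names the helper listed.
Get-SuspectHiddenFolder | Format-Table Path, Hidden, System, Created, Items -AutoSize
```

Run it from a normal PowerShell prompt; no elevation is needed just to list. A folder that is numeric-named, hidden, and created at the same time as the infection (compare the Created column with the dates in the "Files Created" section of the ComboFix log) is the kind of leftover the helper is pointing at; the deletion itself is still a manual step so that nothing outside the named list is touched.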

Yeah, I'm such a tool. I deleted the folders and uninstalled Combofix. Everything seems to be running swimmingly, with your kind assistance. The MBAM scan I performed when I booted up today found nothing...and that's the first time that's happened in a while.


  • Staff

Good to hear, and glad I could help. <_<

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
