Can't scan

NeedHelp · August 10, 2009

Hello all, and thanks in advance for the help.

I think I've been afflicted with the nasty little rootkit that seems to be going around. Here are my symptoms, which probably are beginning to sound familiar:

When I try to scan with MalwareBytes, HiJackThis, RootRepel, etc., the window disappears after a few seconds and the program becomes essentially locked; if I try to click on the icon, I get a message saying, bascially, that I don't have permission to access the file. This happens in normal and in safe mode.

I've tried running D.D.S. -- again in normal and safe mode -- but it never produces a log.

Oh, and here's the most obvious symptom: Written on the background on my desktop is "DANGER!!! YOU ARE INFECTED ..."

SuperAntiSpyware will run just fine, but it does not detect the problem.

I'm able to run GMAER about 80 percent of the way through before it quits. I stopped a scan before it quit and captured a log, which I will post below.

Again, thanks for any help you can offer:

GMER 1.0.15.15020 [88nztk45[1].exe] - http://www.gmer.net

Rootkit scan 2009-08-10 16:43:13

Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.15 ----

SSDT 82EF3358 ZwConnectPort

SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xAAE92350]

SSDT 82E18628 ZwQueryValueKey

SSDT 82DAAF38 ZwResumeThread

SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xAAE92580]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \Driver\BTHUSB \Device\0000009c bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\BTHUSB \Device\0000009e bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\2E0054EE.x86.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [564] 0x35670000

Library \\?\globalroot\Device\__max++>\2E0054EE.x86.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [584] 0x35670000

Library \\?\globalroot\Device\__max++>\2E0054EE.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.exe [1012] 0x35670000

Library \\?\globalroot\Device\__max++>\2E0054EE.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1340] 0x35670000

Library \\?\globalroot\Device\__max++>\2E0054EE.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1420] 0x35670000

Library \\?\globalroot\Device\__max++>\2E0054EE.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1524] 0x35670000

Library \\?\globalroot\Device\__max++>\2E0054EE.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [1604] 0x35670000

Library \\?\globalroot\Device\__max++>\2E0054EE.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1616] 0x35670000

Library \\?\globalroot\Device\__max++>\2E0054EE.x86.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccApp.exe [1760] 0x35670000

Library \\?\globalroot\Device\__max++>\2E0054EE.x86.dll (*** hidden *** ) @ C:\PROGRA~1\SYMANT~1\VPTray.exe [1768] 0x35670000

Library \\?\globalroot\Device\__max++>\2E0054EE.x86.dll (*** hidden *** ) @ C:\Program Files\DNA\btdna.exe [1792] 0x35670000

Library \\?\globalroot\Device\__max++>\2E0054EE.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [2036] 0x35670000

Library \\?\globalroot\Device\__max++>\2E0054EE.x86.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\IEXPLORE.EXE [4040] 0x35670000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0010c6960890 (not active ControlSet)

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0010c6960890

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00164173906a

Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\0010c6960890 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\00164173906a (not active ControlSet)

Reg HKLM\SOFTWARE\Classes\CLSID\{ABD42510-9B22-41cd-9DCD-8182A2D07C63}\InProcServer32@ C:\WINDOWS\system32\iehelper.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{ABD42510-9B22-41cd-9DCD-8182A2D07C63}\InProcServer32@ThreadingModel Apartment

---- EOF - GMER 1.0.15 ----

SpySentinel · August 10, 2009

Hi NeedHelp, Welcome to Malwarebytes

Please download this tool by sUBs, and save it to your desktop.

Close any applications that you have open, as your computer will be rebooted
Double click +++.exe to run the tool
When it has run it will reboot your computer, you may then delete the tool

Then try running CF, make sure you delete the current ComboFix you have first:

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

NeedHelp · August 11, 2009

Hello, and thanks for the help.

Unfortunately, I can't run Combofix. The green status bar comes up, then disappears.

Just to be sure it didn't work, I went to c:combofix looking for a log. There was none. I also tried running it in safe mode with no success.

Also, I downloaded the +++.exe tool and ran it first. It said it didn't find any infections and therefore did not restart my computer.

SpySentinel · August 11, 2009

Hi NeedHelp,

Step #1

1. Go to Start->Run and type in notepad and hit OK.

2. Then copy and paste the content of the following codebox into Notepad:

@echo off
copy C:\WINDOWS\system32\dllcache\scecli.dll c:\scecli.dll
Exit

3. Save the file as "fixes.bat". Make sure to save it with the quotation marks.

4. Double click fixes.bat.

Step #2

We need to execute an Avenger2 script

Note to users reading this topic! This script was created specificly for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Please download The Avenger2 by SwanDog46.
Unzip avenger.exe to your desktop.
Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
```
Files to move:c:\scecli.dll | C:\WINDOWS\system32\scecli.dll
```
Now start The Avenger2 by double clicking avenger.exe on your desktop.
Read the prompt that appears, and press OK.
Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
Press the "Execute" button.
You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
Note: It is possible that Avenger will reboot your system TWICE.
Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Step #3

Now try running ComboFix and Malwarebytes, then post the logs here.

NeedHelp · August 11, 2009

Thanks for the help, Spy. The good news is that everything worked. But wow, what a mess. As you can see, MalwareBytes found more than 50 infected files.

Here are the logs:

Avenger:

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File move operation "c:\scecli.dll|C:\WINDOWS\system32\scecli.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

Combofix:

ComboFix 09-08-10.06 - iorizzp 2009-08-11 17:00.9.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.216 [GMT -4:00]

Running from: c:\documents and settings\iorizzp\Desktop\ComboFix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\-1132837576

c:\documents and settings\iorizzp\Application Data\EurekaLog

c:\documents and settings\iorizzp\nah_qkuj.exe

c:\program files\AskSearch\bin\DefaultSearch.dll

c:\program files\Mozilla Firefox\extensions\{62C54186-F506-43F5-9F60-01652338F84C}

c:\program files\Mozilla Firefox\extensions\{62C54186-F506-43F5-9F60-01652338F84C}\chrome.manifest

c:\program files\Mozilla Firefox\extensions\{62C54186-F506-43F5-9F60-01652338F84C}\chrome\content\overlay.xul

c:\program files\Mozilla Firefox\extensions\{62C54186-F506-43F5-9F60-01652338F84C}\install.rdf

c:\program files\Mozilla Firefox\searchplugins\search.xml

C:\vkywt.exe

c:\windows\system32\enumusul.ini

c:\windows\system32\odipojin.ini

c:\windows\system32\opumuyep.ini

c:\windows\system32\wisdstr.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

((((((((((((((((((((((((( Files Created from 2009-07-11 to 2009-08-11 )))))))))))))))))))))))))))))))

.

2009-08-11 19:56 . 2009-08-11 20:02 -------- d-----w- C:\VIPRERESCUE1

2009-08-11 16:39 . 2009-08-11 20:02 0 ----a-w- c:\windows\system32\SBRC.dat

2009-08-11 16:38 . 2009-03-17 17:26 65320 ----a-w- c:\windows\system32\sbbd.exe

2009-08-11 16:38 . 2008-10-22 21:08 92464 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2009-08-11 16:38 . 2009-08-11 16:43 -------- d-----w- C:\VIPRERESCUE

2009-08-10 15:01 . 2009-08-11 16:54 -------- d-----w- c:\program files\Malewarebytes

2009-08-09 21:07 . 2009-08-09 21:08 -------- d-----w- c:\program files\MBytes

2009-08-09 03:42 . 2009-08-09 03:42 -------- d-----w- c:\program files\MBam

2009-08-09 03:26 . 2009-06-18 16:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys

2009-08-09 01:44 . 2009-08-09 01:44 -------- d-----w- c:\documents and settings\iorizzp\Application Data\GRETECH

2009-08-09 01:44 . 2009-08-09 01:44 -------- d-----w- c:\program files\GRETECH

2009-08-08 21:03 . 2009-08-08 21:03 -------- d-----w- c:\program files\Sophos

2009-08-08 20:45 . 2009-08-08 20:45 0 ----a-w- C:\settings.dat

2009-08-08 19:33 . 2009-08-08 19:33 -------- d-----w- c:\program files\install.com

2009-08-08 18:17 . 2009-08-08 18:18 -------- d-----w- c:\program files\ThisOne

2009-08-08 12:22 . 2009-08-08 12:22 -------- d-----w- c:\program files\mine

2009-08-08 12:19 . 2009-08-08 12:19 -------- d-----w- c:\program files\tryingagain

2009-08-08 12:18 . 2009-08-08 12:18 -------- d-----w- c:\program files\Iorizzoee

2009-08-08 12:18 . 2009-08-08 12:18 -------- d-----w- c:\program files\IorizzoHi

2009-08-07 02:58 . 2009-08-07 02:59 -------- d-----w- c:\program files\MyAPP

2009-08-07 02:55 . 2009-08-07 02:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware3

2009-08-07 02:45 . 2009-08-07 02:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2

2009-08-06 22:04 . 2009-08-06 22:04 19968 ----a-w- c:\program files\Common Files\axerylym.bin

2009-08-06 22:04 . 2009-08-06 22:04 17536 ----a-w- c:\windows\xecyc.bin

2009-08-06 22:04 . 2009-08-06 22:04 17175 ----a-w- c:\windows\system32\efakihumux.scr

2009-08-06 22:04 . 2009-08-06 22:04 17014 ----a-w- c:\windows\ikyqupezak.bin

2009-08-06 22:04 . 2009-08-06 22:04 14386 ----a-w- c:\program files\Common Files\aqitulu.bin

2009-08-06 22:04 . 2009-08-06 22:04 12867 ----a-w- c:\program files\Common Files\apaxuj.dat

2009-08-06 22:04 . 2009-08-06 22:04 11025 ----a-w- c:\program files\Common Files\oxut.scr

2009-08-06 22:04 . 2009-08-06 22:04 10944 ----a-w- c:\windows\ahidi.exe

2009-08-06 22:04 . 2009-08-06 22:04 16910 ----a-w- c:\program files\Common Files\lixuneg.vbs

2009-08-06 21:50 . 2009-08-06 21:50 -------- d-----w- C:\_OTM

2009-08-06 21:29 . 2008-11-27 22:47 -------- d---a-w- c:\windows\system32\images

2009-08-06 21:09 . 2009-08-06 21:48 4 ----a-w- c:\windows\system32\bincd32.dat

2009-08-06 21:09 . 2009-08-06 21:50 2 ----a-w- c:\windows\ppp3.dat

2009-08-06 21:09 . 2009-08-06 21:50 64 ----a-w- c:\windows\ppp4.dat

2009-08-06 21:09 . 2009-08-06 21:09 36 ----a-w- c:\windows\system32\sysnet.dat

2009-08-06 21:08 . 2009-08-06 21:13 -------- d-----w- c:\program files\Windows Antivirus Pro

2009-08-06 19:33 . 2009-08-06 19:33 90624 ----a-w- C:\criqmsck.exe

2009-08-06 19:33 . 2009-08-06 19:33 27136 ----a-w- C:\ibts.exe

2009-08-06 19:32 . 2009-08-06 23:12 19456 ----a-w- C:\hcel.exe

2009-08-06 19:32 . 2009-08-06 23:12 19456 ----a-w- C:\niawndos.exe

2009-08-05 22:24 . 2009-08-09 02:09 -------- d-----w- c:\documents and settings\iorizzp\Application Data\vlc

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-11 21:09 . 2008-12-27 18:02 -------- d-----w- c:\program files\DNA

2009-08-11 21:09 . 2008-12-27 18:02 -------- d-----w- c:\documents and settings\iorizzp\Application Data\DNA

2009-08-11 15:30 . 2009-03-13 03:12 117760 ----a-w- c:\documents and settings\iorizzp\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-08-11 13:49 . 2008-09-06 14:56 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-08-07 13:16 . 2008-12-07 20:04 -------- d-----w- c:\program files\Trend Micro

2009-08-06 22:04 . 2009-08-06 22:04 16580 ----a-w- c:\program files\Common Files\aguhipib.inf

2009-08-06 22:04 . 2009-08-06 22:04 14741 ----a-w- c:\program files\Common Files\yzod._sy

2009-08-06 22:04 . 2009-08-06 22:04 10879 ----a-w- c:\program files\Common Files\ojywohahuf.ban

2009-08-06 22:04 . 2009-08-06 22:04 10477 ----a-w- c:\documents and settings\All Users\Application Data\ofusyteku.bin

2009-08-06 22:00 . 2008-12-10 04:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-06 22:00 . 2009-02-15 18:18 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-08-03 17:36 . 2008-12-10 04:45 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-03 17:36 . 2008-12-10 04:45 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-05-29 03:34 . 2009-05-29 03:34 11410 ----a-w- c:\documents and settings\iorizzp\Application Data\CyberLink\msgdi.dll

2009-05-29 03:34 . 2009-05-29 03:34 10121 ----a-w- c:\documents and settings\iorizzp\Application Data\Identities\kern.dll

2009-05-29 03:34 . 2009-05-29 03:34 16141 ----a-w- c:\documents and settings\iorizzp\Application Data\BitZipper\lego.exe

2009-05-29 03:34 . 2009-05-29 03:34 145131 ----a-w- c:\documents and settings\iorizzp\Application Data\Apple Computer\nomad.exe

2009-05-29 03:34 . 2009-05-29 03:34 422 ----a-w- c:\documents and settings\iorizzp\Application Data\AdobeUM\socks1.exe

2009-05-29 03:34 . 2009-05-29 03:34 13221 ----a-w- c:\documents and settings\iorizzp\Application Data\AdobeAUM\rengo.dll

2009-05-29 03:34 . 2009-05-29 03:34 11232 ----a-w- c:\documents and settings\iorizzp\Application Data\Adobe\shalom.exe

2009-03-27 13:10 . 1601-01-01 00:12 61440 --sha-w- c:\windows\system32\vetidika.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-27 342848]

"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]

"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2008-1-17 118784]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-03 19:56 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

"c:\\WINDOWS\\system32\\wuauclt.exe"=

"c:\\Program Files\\Verizon Wireless\\VZAccess Manager\\VZAccess Manager.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-04 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-04 55024]

R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2009-08-08 18816]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2007-06-22 106808]

R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2007-03-19 87936]

R3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2009-03-25 58240]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\2.tmp --> c:\windows\system32\2.tmp [?]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-09-27 116464]

S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-08-11 92464]

.

Contents of the 'Scheduled Tasks' folder

2009-08-04 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-08-11 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.espn.com/

uSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f

mStart Page = hxxp://www.google.com

mSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=%s

mSearchURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: tusharep

Trusted Zone: TUPATCHLINK01

Trusted Zone: tusharep

FF - ProfilePath - c:\documents and settings\iorizzp\Application Data\Mozilla\Firefox\Profiles\96sw40zv.default\

FF - plugin: c:\documents and settings\iorizzp\Application Data\Mozilla\Firefox\Profiles\96sw40zv.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-11 17:09

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\2.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{ABD42510-9B22-41cd-9DCD-8182A2D07C63}\InProcServer32]

@DACL=(02 0000)

@="c:\\WINDOWS\\system32\\iehelper.dll"

"ThreadingModel"="Apartment"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1104)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\windows\system32\WLTRYSVC.EXE

c:\windows\system32\BCMWLTRY.EXE

c:\windows\system32\scardsvr.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\rundll32.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Symantec AntiVirus\DoScan.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

.

**************************************************************************

.

Completion time: 2009-08-11 17:15 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-11 21:15

Pre-Run: 69,131,862,016 bytes free

Post-Run: 69,170,700,288 bytes free

223 --- E O F --- 2009-03-06 14:49

MalwareBytes:

Malwarebytes' Anti-Malware 1.40

Database version: 2605

Windows 5.1.2600 Service Pack 2

2009-08-11 17:57:55

mbam-log-2009-08-11 (17-57-55).txt

Scan type: Full Scan (C:\|)

Objects scanned: 129898

Time elapsed: 36 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 1

Registry Data Items Infected: 1

Folders Infected: 4

Files Infected: 47

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{abd42510-9b22-41cd-9dcd-8182a2d07c63} (Trojan.FakeAlert) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Windows antiVirus pro (Rogue.Trace) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Windows antiVirus pro (Rogue.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\Program Files\Windows AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\tmp (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\tmp\images (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Documents and Settings\iorizzp\Start Menu\Programs\Windows AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

Files Infected:

C:\criqmsck.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\hcel.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\ibts.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\niawndos.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Program Files\Windows Antivirus Pro\tmp\dbsinit.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\vkywt.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\wisdstr.exe.vir (Rogue.Installer) -> Quarantined and deleted successfully.

C:\_OTM\MovedFiles\08062009_175040\WINDOWS\system32\dddesot.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.

C:\_OTM\MovedFiles\08062009_175040\WINDOWS\system32\desot.exe (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\msvcm80.dll (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\msvcp80.dll (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\msvcr80.dll (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\tmp\wispex.html (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\tmp\images\i1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\tmp\images\i2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\tmp\images\i3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\tmp\images\j1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\tmp\images\j2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\tmp\images\j3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\tmp\images\jj1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\tmp\images\jj2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\tmp\images\jj3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\tmp\images\l1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\tmp\images\l2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\tmp\images\l3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\tmp\images\pix.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\tmp\images\t1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\tmp\images\t2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\tmp\images\up1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\tmp\images\up2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\tmp\images\w1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\tmp\images\w11.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\tmp\images\w2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\tmp\images\w3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\tmp\images\w3.jpg (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\tmp\images\wt1.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\tmp\images\wt2.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\tmp\images\wt3.gif (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Documents and Settings\iorizzp\Start Menu\Programs\Windows AntiVirus Pro\Windows Antivirus Pro.lnk (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\bennuar.old (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\bincd32.dat (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\onhelp.htm (Rogue.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sonhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sysnet.dat (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wispex.html (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\ppp3.dat (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\ppp4.dat (Malware.Trace) -> Quarantined and deleted successfully.

SpySentinel · August 11, 2009

Hi NeedHelp,

Glad the steps worked. Yes your computer is very infected.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\program files\Common Files\yzod._sy
c:\program files\Common Files\ojywohahuf.ban
c:\documents and settings\All Users\Application Data\ofusyteku.bin
c:\program files\Common Files\axerylym.bin
c:\windows\xecyc.bin
c:\windows\system32\efakihumux.scr
c:\windows\ikyqupezak.bin
c:\program files\Common Files\aqitulu.bin
c:\program files\Common Files\apaxuj.dat
c:\program files\Common Files\oxut.scr
c:\windows\ahidi.exe
c:\program files\Common Files\lixuneg.vbs
Folder::
c:\program files\Windows Antivirus Pro

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

NeedHelp · August 12, 2009

Spy, I can't thank you enough for your help. Here is the log you requested:

ComboFix 09-08-10.06 - iorizzp 2009-08-11 23:25.10.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.197 [GMT -4:00]

Running from: c:\documents and settings\iorizzp\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\iorizzp\Desktop\CFScript.txt

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::

"c:\documents and settings\All Users\Application Data\ofusyteku.bin"

"c:\program files\Common Files\apaxuj.dat"

"c:\program files\Common Files\aqitulu.bin"

"c:\program files\Common Files\axerylym.bin"

"c:\program files\Common Files\lixuneg.vbs"

"c:\program files\Common Files\ojywohahuf.ban"

"c:\program files\Common Files\oxut.scr"

"c:\program files\Common Files\yzod._sy"

"c:\windows\ahidi.exe"

"c:\windows\ikyqupezak.bin"

"c:\windows\system32\efakihumux.scr"

"c:\windows\xecyc.bin"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\ofusyteku.bin

c:\program files\Common Files\apaxuj.dat

c:\program files\Common Files\aqitulu.bin

c:\program files\Common Files\axerylym.bin

c:\program files\Common Files\lixuneg.vbs

c:\program files\Common Files\ojywohahuf.ban

c:\program files\Common Files\oxut.scr

c:\program files\Common Files\yzod._sy

c:\windows\ahidi.exe

c:\windows\ikyqupezak.bin

c:\windows\system32\efakihumux.scr

c:\windows\xecyc.bin

.

((((((((((((((((((((((((( Files Created from 2009-07-12 to 2009-08-12 )))))))))))))))))))))))))))))))

.

2009-08-11 23:15 . 2009-08-11 23:15 -------- d-----w- c:\windows\ServicePackFiles

2009-08-11 21:18 . 2009-08-11 21:18 -------- d-----w- c:\program files\MalwareBytes