spywaresucks Posted August 29, 2009 ID:116622 Share Posted August 29, 2009 Hi,MBAM and Hijackthis won't install.Spybot won't run.Browser (Firefox) redirects.Rootrepeal report attached.Cheers,RootRepeal_report_08_29_09__16_47_05_.txt Link to post Share on other sites More sharing options...
Katana Posted August 31, 2009 ID:117928 Share Posted August 31, 2009 Please note that all instructions given are customised for this computer only,the tools used may cause damage if used on a computer with different infections.If you think you have similar problems, please post a log in the HJT forum and wait for help.Hello and welcome to the forumsMy name is Katana and I will be helping you to remove any infection(s) that you may have.Please observe these rules while we work: Please Read All Instructions Carefully If you don't understand something, stop and ask! Don't keep going on. Please do not run any other tools or scans whilst I am helping you Failure to reply within 5 days will result in the topic being closed. Please continue to respond until I give you the "All Clear" (Just because you can't see a problem doesn't mean it isn't there)If you can do those few things, everything should go smoothly Some of the logs I request will be quite large, You may need to split them over a couple of replies.Please Note, your security programs may give warnings for some of the tools I will ask you to use.Be assured, any links I give are safe----------------------------------------------------------------------------------------Download and Run ComboFix (by sUBs)Please visit this webpage for instructions for downloading and running ComboFix:Bleeping Computer ComboFix Tutorial You must download it to and run it from your Desktop Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix. Double click combofix.exe & follow the prompts. When finished, it will produce a log. Please save that log to post in your next reply Re-enable all the programs that were disabled during the running of ComboFix..A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.This tool is not a toy and not for everyday use.ComboFix SHOULD NOT be used unless requested by a forum helper For instructions on how to disable your security programs, please see this topicHow To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs Link to post Share on other sites More sharing options...
spywaresucks Posted August 31, 2009 Author ID:118145 Share Posted August 31, 2009 G'day Katana,Thanks for the advice.I downloaded Combofix but it wouldn't install either.I get the windows prompt that says the publisher isn't verified but then the install just stops.Am I heading towards format c:? Link to post Share on other sites More sharing options...
Katana Posted September 1, 2009 ID:118373 Share Posted September 1, 2009 Am I heading towards format c:?Not just yet.Please try the following ....Please Download GMER to your desktopDownload GMER and extract it to your desktop.***Please close any open programs ***Double-click gmer.exe. The program will begin to run.Note:- If GMER doesn't run, please Reboot and then rename gmer.exe to Look.exe and try again**Caution**These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised by a trained Security AnalystIf possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click Yes.Once the scan is complete, you may receive another notice about rootkit activity. Click OK. GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked. Click the Scan button and let the program do its work. GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !Please post the results from the GMER scan in your reply. Link to post Share on other sites More sharing options...
spywaresucks Posted September 3, 2009 Author ID:119774 Share Posted September 3, 2009 G'day Katana,Spot on with the need to rename the file.gmer.exe wouldn't run look.exe was fine.I tried to attach the file but got an error message stating I couldn't upload this type of file.Opted for cut and paste - hope that wroks for you.Cheers.GMER 1.0.15.15077 [look.exe] - http://www.gmer.netRootkit scan 2009-09-03 21:13:32Windows 5.1.2600 Service Pack 2---- System - GMER 1.0.15 ----Code 89D5A0D8 ZwEnumerateKeyCode 89DAA560 ZwFlushInstructionCacheCode 89D952CE IofCallDriverCode 89D590D6 IofCompleteRequest---- Kernel code sections - GMER 1.0.15 ----.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 89D952D3 .text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 89D590DB PAGE ntoskrnl.exe!ZwEnumerateKey 8056EF30 5 Bytes JMP 89D5A0DC PAGE ntoskrnl.exe!ZwFlushInstructionCache 80576A6A 5 Bytes JMP 89DAA564 ---- Kernel IAT/EAT - GMER 1.0.15 ----IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F77A9380] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F77A93F0] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F77A9710] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F77A9750] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F77A9710] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F77A93F0] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F77A9380] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F77A9710] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F77A9750] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F77A9380] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F77A93F0] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)---- Devices - GMER 1.0.15 ----AttachedDevice \Driver\Tcpip \Device\Ip bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)AttachedDevice \Driver\Tcpip \Device\Tcp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)AttachedDevice \Driver\Tcpip \Device\Udp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)AttachedDevice \Driver\Tcpip \Device\RawIp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)---- Processes - GMER 1.0.15 ----Library \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll (*** hidden *** ) @ F:\WINDOWS\System32\svchost.exe [316] 0x10000000 Library \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll (*** hidden *** ) @ F:\WINDOWS\System32\svchost.exe [872] 0x10000000 Library \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll (*** hidden *** ) @ F:\WINDOWS\system32\svchost.exe [940] 0x10000000 Library \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll (*** hidden *** ) @ F:\WINDOWS\System32\svchost.exe [1036] 0x10000000 Library \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll (*** hidden *** ) @ F:\WINDOWS\System32\svchost.exe [1092] 0x10000000 Library \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll (*** hidden *** ) @ F:\WINDOWS\System32\svchost.exe [1220] 0x10000000 Library \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll (*** hidden *** ) @ F:\WINDOWS\System32\svchost.exe [2708] 0x10000000 Library \\?\globalroot\systemroot\system32\UACtheesqvbdx.dll (*** hidden *** ) @ F:\WINDOWS\System32\svchost.exe [3120] 0x10000000 ---- Services - GMER 1.0.15 ----Service F:\WINDOWS\system32\drivers\UACbwwosrqrms.sys (*** hidden *** ) [sYSTEM] UACd.sys <-- ROOTKIT !!!---- Registry - GMER 1.0.15 ----Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACbwwosrqrms.sysReg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file systemReg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACbwwosrqrms.sysReg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACpllooqbpxo.dllReg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACtheesqvbdx.dllReg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACmppdiqxhga.datReg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACyxuyrlfwmk.dllReg HKLM\SYSTEM\ControlSet002\Services\UACd.sys (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACbwwosrqrms.sysReg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file systemReg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACbwwosrqrms.sysReg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACpllooqbpxo.dllReg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACtheesqvbdx.dllReg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACmppdiqxhga.datReg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACyxuyrlfwmk.dll---- EOF - GMER 1.0.15 ---- Link to post Share on other sites More sharing options...
Katana Posted September 3, 2009 ID:119784 Share Posted September 3, 2009 Download and Run ComboFix----------------------------------------------------------------------------------------Delete any copy of Combofix that you have, and download an updated copy of Combofix from the link below. Save it to your desktop. Link 1Link 2--------------------------------------------------------------------Double click on Combo-Fix.exe & follow the prompts.When finished, it will produce a report for you. Please post the C:\ComboFix.txt along with a C:\Qoobox\Add-Remove Programs.txt so we can continue cleaning the system.------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Additional NotesIf Comobofix still doesn't run, please do the following and then try Combofix again.We need to use GMER to disable a service : 1. Start GMER and do a quick scan. It should give a message about rootkit activity.2. If it asks for full scan, select "no".3. Right click UACd.sys and select "disable service". You'll be most likely asked to reboot system. Please, let it do so.4. After reboot, open GMER again and see if the corresponding service is in disabled state. Link to post Share on other sites More sharing options...
spywaresucks Posted September 5, 2009 Author ID:120969 Share Posted September 5, 2009 G'day Katana.Nice work - you're making good progress - thanks.The two requested files attached.Cheers.ComboFix.txtAdd_Remove_Programs.txt Link to post Share on other sites More sharing options...
Katana Posted September 5, 2009 ID:121020 Share Posted September 5, 2009 Please can you post the logs rather than attaching them.Step 1Custom CFScript Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:Driver::oflpydinRegLock::[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}][HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]ADS:: Save this as CFScript.txt and place it on your desktop. Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal. When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.ComboFix SHOULD NOT be used unless requested by a forum helper ----------------------------------------------------------------------------------------Step 2Malwarebytes' Anti-MalwarePlease download Malwarebytes' Anti-Malware to your desktop.Double-click mbam-setup.exe and follow the prompts to install the program.At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware[*] then click Finish.[*]If an update is found, it will download and install the latest version.[*]Once the program has loaded, select Perform full scan, then click Scan.[*]When the scan is complete, click OK, then Show Results to view the results.[*]Be sure that everything is checked, and click Remove Selected.[*]When completed, a log will open in Notepad. please copy and paste the log into your next reply[*]If requested, please reboot If you accidently close it, the log file is saved here and will be named like this:C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt----------------------------------------------------------------------------------------Logs/Information to Post in ReplyPlease post the following logs/Information in your replySome of the logs I request will be quite large, You may need to split them over a couple of replies.Combofix LogMalwareBytes LogHow are things running now ?------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Additional NotesYour Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.Adobe Reader is a large program and uses unnecessary space.If you prefer a smaller program you can get Foxit 3.0 from http://www.foxitsoftware.com/pdf/rd_intro.php << RecommendedThere is a newer version of Adobe Acrobat Reader available.Please go to this link Adobe Acrobat Reader Download LinkClick DownloadOn the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation.Click the Continue buttonClick Run, and click Run againNext click the Install Now button and follow the on screen promptsYour Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.Please download Java SE Runtime Environment (JRE) . ( don't install it yet )Scroll down to where it says "Java SE Runtime Environment (JRE)".Click the "Download" button to the right.Platform = Windows Language = Multi Language[*]Check the box that says: "Accept License Agreement".[*]The page will refresh.[*]Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.Now download JavaRa and unzip it to your desktop.***Please close any instances of Internet Explorer (or other web browser) before continuing!***Double-click on JavaRa.exe to start the program.From the drop-down menu, choose English and click on Select.JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.A logfile will pop up. Please save it to a convenient location.Now install the Java SE Runtime Environment (JRE) package you downloaded(it comes with a toolbar pre-selected, so make sure you uncheck the box)You can delete JavaRa (zip and exe) Link to post Share on other sites More sharing options...
spywaresucks Posted September 6, 2009 Author ID:121574 Share Posted September 6, 2009 G'day Katana,combofix log...ComboFix 09-08-31.03 - Allen n 06/09/09 19:08.2.1 - NTFSx86Microsoft Windows XP Home Edition 5.1.2600.2.1252.61.1033.18.1279.913 [GMT 10:00]Running from: f:\documents and settings\Allen\Desktop\Combo-Fix.exeCommand switches used :: f:\documents and settings\Allen\Desktop\CFScript.txtAV: Bitdefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6} * Resident AV is activeWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).f:\windows\system32\mdm.exe.((((((((((((((((((((((((( Files Created from 2009-08-06 to 2009-09-06 ))))))))))))))))))))))))))))))).2009-09-06 06:47 . 2009-09-06 06:47 -------- d-sh--w- f:\documents and settings\Troy\PrivacIE2009-08-20 23:15 . 2008-12-10 22:38 159600 ----a-w- f:\windows\system32\drivers\pctgntdi.sys2009-08-20 23:15 . 2009-04-03 00:18 130936 ----a-w- f:\windows\system32\drivers\PCTCore.sys2009-08-20 23:15 . 2008-12-18 01:16 73840 ----a-w- f:\windows\system32\drivers\PCTAppEvent.sys2009-08-20 23:15 . 2009-08-20 23:17 -------- d-----w- f:\program files\Common Files\PC Tools2009-08-20 23:15 . 2008-12-10 01:36 64392 ----a-w- f:\windows\system32\drivers\pctplsg.sys2009-08-20 23:14 . 2009-08-20 23:17 -------- d-----w- f:\program files\Spyware Doctor2009-08-20 23:14 . 2009-08-20 23:14 -------- d-----w- f:\documents and settings\Tammy\Application Data\PC Tools2009-08-20 23:14 . 2009-08-20 23:14 -------- d-----w- f:\documents and settings\All Users\Application Data\PC Tools2009-08-20 22:59 . 2009-08-20 22:59 -------- d-----w- f:\program files\Common Files\Uninstall2009-08-20 22:59 . 2009-08-20 22:59 -------- d-----w- f:\program files\PersonalAV2009-08-13 10:20 . 2009-06-05 07:42 655872 -c----w- f:\windows\system32\dllcache\mstscax.dll.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-09-06 08:53 . 2007-05-03 21:02 -------- d-----w- f:\documents and settings\Allen\Application Data\Skype2009-09-06 07:03 . 2007-05-31 09:26 81984 ----a-w- f:\windows\system32\bdod.bin2009-09-06 06:20 . 2008-10-08 21:00 -------- d---a-w- f:\documents and settings\All Users\Application Data\TEMP2009-08-31 07:17 . 2006-05-28 03:11 65008 ----a-w- f:\documents and settings\Allen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT2009-08-29 06:07 . 2007-01-12 19:57 -------- d-----w- f:\program files\Java2009-08-29 05:38 . 2007-03-08 20:33 -------- d-----w- f:\documents and settings\All Users\Application Data\Spybot - Search & Destroy2009-08-29 05:38 . 2007-03-08 20:33 -------- d-----w- f:\program files\Spybot - Search & Destroy2009-08-28 06:05 . 2008-05-03 10:22 -------- d-----w- f:\program files\Common Files\BitDefender2009-08-06 08:06 . 2009-08-06 08:06 -------- d-----w- f:\program files\MSBuild2009-08-06 08:06 . 2009-08-06 08:06 -------- d-----w- f:\program files\Reference Assemblies2009-08-05 09:11 . 2003-03-31 12:00 204800 ----a-w- f:\windows\system32\mswebdvd.dll2009-08-04 04:46 . 2008-09-29 05:56 -------- d-----w- f:\documents and settings\All Users\Application Data\NOS2009-08-03 18:40 . 2008-09-29 05:56 -------- d-----w- f:\program files\NOS2009-07-24 19:23 . 2008-11-30 09:48 411368 ----a-w- f:\windows\system32\deploytk.dll2009-07-23 11:24 . 2009-07-23 11:24 -------- d-----w- f:\documents and settings\Tammy\Application Data\GRETECH2009-07-23 11:15 . 2009-07-23 11:15 -------- d-----w- f:\program files\GNU2009-07-23 11:13 . 2009-07-23 11:13 -------- d-----w- f:\documents and settings\Allen\Application Data\GRETECH2009-07-23 11:12 . 2009-07-23 11:12 -------- d-----w- f:\program files\GRETECH2009-07-23 11:04 . 2009-07-23 11:04 -------- d-----w- f:\program files\LD-Anime2009-07-22 07:28 . 2008-01-05 09:06 -------- d-----w- f:\documents and settings\Allen\Application Data\CoreFTP2009-07-17 18:55 . 2003-03-31 12:00 58880 ----a-w- f:\windows\system32\atl.dll2009-07-13 00:08 . 2006-05-28 02:59 286720 ----a-w- f:\windows\system32\wmpdxm.dll2009-07-03 17:09 . 2003-03-31 12:00 915456 ----a-w- f:\windows\system32\wininet.dll2009-06-25 08:44 . 2008-07-29 11:03 724480 ----a-w- f:\windows\system32\lsasrv.dll2009-06-25 08:44 . 2008-07-29 11:03 133632 ----a-w- f:\windows\system32\msv1_0.dll2009-06-25 08:44 . 2008-07-29 11:03 168448 ----a-w- f:\windows\system32\schannel.dll2009-06-25 08:44 . 2003-03-31 12:00 59392 ----a-w- f:\windows\system32\wdigest.dll2009-06-25 08:44 . 2003-03-31 12:00 56320 ----a-w- f:\windows\system32\secur32.dll2009-06-25 08:44 . 2003-03-31 12:00 298496 ----a-w- f:\windows\system32\kerberos.dll2009-06-22 11:34 . 2008-07-29 11:03 92544 ----a-w- f:\windows\system32\drivers\ksecdd.sys2009-06-16 14:55 . 2003-03-31 12:00 82432 ----a-w- f:\windows\system32\fontsub.dll2009-06-16 14:55 . 2003-03-31 12:00 119808 ----a-w- f:\windows\system32\t2embed.dll2009-06-12 11:50 . 2003-03-31 12:00 76288 ----a-w- f:\windows\system32\telnet.exe2009-06-10 14:21 . 2003-03-31 12:00 84992 ----a-w- f:\windows\system32\avifil32.dll2009-06-10 06:32 . 2008-07-29 11:03 132096 ----a-w- f:\windows\system32\wkssvc.dll2007-08-16 10:48 . 2007-08-16 10:48 135680 ----a-w- f:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Skype"="f:\program files\Skype\Phone\Skype.exe" [2007-03-30 25263144][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"NVMixerTray"="f:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 131072]"RemoteControl"="f:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]"QuickTime Task"="f:\program files\QuickTime\qttask.exe" [2006-06-07 282624]"EPSON Stylus C67 Series"="f:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE" [2005-01-25 98304]"SMSTray"="f:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-02-23 126976]"MAAgent"="f:\program files\MarkAny\ContentSafer\MAAgent.exe" [2007-01-30 57344]"EPSON Stylus C67 Series (Copy 1)"="f:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE" [2005-01-25 98304]"BitDefender Antiphishing Helper"="f:\program files\BitDefender\2008\IEShow.exe" [2007-10-09 61440]"BDAgent"="f:\program files\BitDefender\2008\bdagent.exe" [2009-08-28 368640]"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]"SunJavaUpdateSched"="f:\program files\Java\jre6\bin\jusched.exe" [2009-07-24 149280][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"CTFMON.EXE"="f:\windows\System32\CTFMON.EXE" [2004-08-03 15360]f:\documents and settings\Allen\Start Menu\Programs\Startup\Capture Express 2000.lnk - f:\program files\Capture Express\capexp.exe [2007-3-19 891904]f:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk - f:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588][hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "f:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]2008-07-23 06:28 352256 ----a-w- f:\program files\SUPERAntiSpyware\SASWINLO.dll[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]@=""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]@=""[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="f:\\Program Files\\Messenger\\msmsgs.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="f:\\WINDOWS\\system32\\dpvsetup.exe"="f:\\Program Files\\Mozilla Firefox\\firefox.exe"="f:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="f:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="f:\\Program Files\\Skype\\Phone\\Skype.exe"=R0 PCTCore;PCTools KDS;f:\windows\system32\drivers\PCTCore.sys [21/08/09 09:15 130936]R1 SASDIFSV;SASDIFSV;f:\program files\SUPERAntiSpyware\sasdifsv.sys [3/09/08 14:07 8944]R1 SASKUTIL;SASKUTIL;f:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/09/08 14:07 55024]S3 BS_DEF;BS_DEF;\??\f:\windows\system32\drivers\BS_DEF.sys --> f:\windows\system32\drivers\BS_DEF.sys [?]S3 getPlus® Helper;getPlus® Helper;f:\program files\NOS\bin\getPlus_HelperSvc.exe --> f:\program files\NOS\bin\getPlus_HelperSvc.exe [?]S3 oflpydin;oflpydin;\??\f:\docume~1\Allen\LOCALS~1\Temp\oflpydin.sys --> f:\docume~1\Allen\LOCALS~1\Temp\oflpydin.sys [?]S3 SASENUM;SASENUM;f:\program files\SUPERAntiSpyware\SASENUM.SYS [3/09/08 14:07 7408]S3 sdAuxService;PC Tools Auxiliary Service;f:\program files\Spyware Doctor\pctsAuxs.exe [21/08/09 09:14 348752][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]bdx REG_MULTI_SZ scan[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]"f:\windows\system32\rundll32.exe" "f:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP.Contents of the 'Scheduled Tasks' folder2009-09-06 f:\windows\Tasks\Symantec NetDetect.job- f:\program files\Symantec\LiveUpdate\NDETECT.EXE [2006-05-28 23:04]..------- Supplementary Scan -------.uStart Page = hxxp://www.google.com.au/uInternet Connection Wizard,ShellNext = iexploreTrusted Zone: qld.gov.au\www.qships.transportFF - ProfilePath - f:\documents and settings\Allen\Application Data\Mozilla\Firefox\Profiles\0stquyp2.default\FF - prefs.js: browser.search.selectedEngine - Google.co.ukFF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/FF - component: f:\documents and settings\Allen\Application Data\Mozilla\Firefox\Profiles\0stquyp2.default\extensions\piclens@cooliris.com\components\coolirisstub.dllFF - component: f:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dllFF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dllFF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dllFF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dllFF - plugin: f:\program files\Mozilla Firefox\plugins\np-mswmp.dllFF - plugin: f:\program files\Mozilla Firefox\plugins\npmozax.dllFF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - f:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\.**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-09-06 19:18Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- LOCKED REGISTRY KEYS ---------------------[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]@Denied: (A 2) (Everyone)@="FlashBroker""LocalizedString"="@f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]"Enabled"=dword:00000001[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]@="f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]@Denied: (A 2) (Everyone)@="IFlashBroker3"[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]@="{00020424-0000-0000-C000-000000000046}"[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}""Version"="1.0".--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(644)f:\program files\SUPERAntiSpyware\SASWINLO.dllf:\windows\system32\WININET.dll.Completion time: 2009-09-06 19:22ComboFix-quarantined-files.txt 2009-09-06 09:21ComboFix2.txt 2009-09-05 01:07Pre-Run: 18,474,184,704 bytes freePost-Run: 18,483,998,720 bytes free187 --- E O F --- 2009-09-03 11:52 Link to post Share on other sites More sharing options...
Katana Posted September 6, 2009 ID:121669 Share Posted September 6, 2009 Do you have the MalwareBytes Log ? Link to post Share on other sites More sharing options...
spywaresucks Posted September 7, 2009 Author ID:122171 Share Posted September 7, 2009 Malwarebytes' Anti-Malware 1.40Database version: 2747Windows 5.1.2600 Service Pack 26/09/09 22:16:44mbam-log-2009-09-06 (22-16-44).txtScan type: Full Scan (C:\|F:\|)Objects scanned: 235749Time elapsed: 2 hour(s), 21 minute(s), 58 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 3Files Infected: 7Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:F:\Program Files\Common Files\Uninstall\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.F:\Program Files\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.F:\Documents and Settings\All Users\Start Menu\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.Files Infected:F:\Qoobox\Quarantine\F\WINDOWS\system32\UACtheesqvbdx.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.F:\Qoobox\Quarantine\F\WINDOWS\system32\UACyxuyrlfwmk.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.F:\System Volume Information\_restore{31B1763A-A2C0-44E2-8F10-8599A571FBFA}\RP733\A0178849.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.F:\Program Files\Common Files\Uninstall\PersonalAV\Uninstall.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.F:\Program Files\PersonalAV\pav.exe (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.F:\Documents and Settings\All Users\Start Menu\PersonalAV\Personal Antivirus.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.F:\Documents and Settings\All Users\Start Menu\PersonalAV\Uninstall.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully. Link to post Share on other sites More sharing options...
Katana Posted September 8, 2009 ID:122654 Share Posted September 8, 2009 Recovery Console!!!!!! Warning !!!!!!.... Your log shows that Recovery Console is not installed.Due to the threat that current and future malware poses it is vital that you have some form of recovery console.Go to Microsoft's website => http://support.microsoft.com/kb/310994Select the download that's appropriate for your Operating System - (SP3 Users should download the SP2 pack)Windows XP Home Edition SP2Download the file & save it as its originally named, next to ComboFix.exe. Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.----------------------------------------------------------------------------------------Step 1Custom CFScript Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:File::C:\Check1.txtDriver::oflpydinRegLock::[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}][HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]File::C:\Check2.txtADS:: Save this as CFScript.txt and place it on your desktop. Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal. When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.ComboFix SHOULD NOT be used unless requested by a forum helper ----------------------------------------------------------------------------------------Step 2Kaspersky Online Scanner .Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normalNOTE:- This scan is best done from IE (Internet Explorer)NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As AdminGo Here http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.htmlRead the Requirements and limitations before you click Accept.Once the database has downloaded, click My Computer in the left paneNow go and put the kettle on !When the scan has completed, click Save Report As... Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.**Note**To optimize scanning time and produce a more sensible report for review:Close any open programs.Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.----------------------------------------------------------------------------------------Logs/Information to Post in ReplyPlease post the following logs/Information in your replySome of the logs I request will be quite large, You may need to split them over a couple of replies.Combofix LogKaspersky LogHow are things running now ? Link to post Share on other sites More sharing options...
Recommended Posts