WINDOWS\system32\UAClhbftiqwab.db (Rootkit.TDSS)


Fergie

Hello,

Last night I initiated a Malwarebytes update & Full Scan (Database 2728 - Finger Prints 129162). This morning I found that it had detected "C:\WINDOWS\system32\UAClhbftiqwab.db (Rootkit.TDSS)". I selected the 'Fix Selected' option and allowed 'Malwarebytes' to remove and reboot the pc.

I also updated and initiated a 'SUPERAntispyware (Database 4081 - Trace 2021)', Full Scan. This returned the message 'no threats found' as did AVG.

As extra caution I launched 'Zonealarm' then tried to update it. I got the error 'no permission to install the updated exe' (I am administrator and have full permissions). Whilst this appears not to be a major issue (as I have a router firewall and run AVG), I thought that it might be related to the 'Rootkit.TDSS' that was discovered earlier, which prompted me to investigate the matter further.

I examined the Malwarebytes log and searched the internet for some info about the 'Rootkit.TDSS'. One result led me to a thread that explained that 'Malwarebytes' initially removes the threat, but that the infection is so deeply rooted that it will re-appear if you have an open internet connection.

Another thread that I discovered provided information about where and how to remove the infection. It explained that you should open 'device manager' and select 'show hidden devices', then select the 'Non Plug and Play' branch. It then advised you to locate the files labelled 'TDxyx' (where 'xyx' are substituted for random variables).

There were no visible files; however, I discovered that there were several drivers that appear to have unusual names (in my rookie opinion). Some of these also have yellow marks next to them: PartMgr (yellow mark), Catchme, dmboot, etc.

I have only looked at some of the advice and not performed anything other than completing the procedure that is advised here. I thought that the information might be of useful assistance and that I had attempted some resolution before just coming to the forum.

As instructed, below are the two logs from 'Malware & Hijack',

----------------------------------

Malwarebytes' Anti-Malware 1.40

Database version: 2728

Windows 5.1.2600 Service Pack 2

02/09/2009 08:58:33

mbam-log-2009-09-02 (08-58-05).txt

Scan type: Full Scan (C:\|D:\|G:\|)

Objects scanned: 215028

Time elapsed: 2 hour(s), 27 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\UAClhbftiqwab.db (Rootkit.TDSS) -> No action taken.

----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 09:35:37, on 02/09/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\system32\crypserv.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Words+, Inc\EZ KeysXP\WplServ.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\Sweex\Installer\WINXP\SWU.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\mmc.exe

C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Sweex WiFi Utility.lnk = C:\Program Files\Sweex\Installer\WINXP\SWU.exe

O9 - Extra button:


Hi Fergie and welcome to Malwarebytes!

Download RootRepeal:

http://rootrepeal.googlepages.com/RootRepeal.zip

  • Extract the archive to a folder you create such as C:\RootRepeal
  • Double-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator").
  • Click the "File" tab (located at the bottom of the RootRepeal screen)
  • Click the "Scan" button
  • In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:
  • Click OK and the file scan will begin
  • When the scan is done, there will be files listed, but most if not all of them will be legitimate
  • Click the "Save Report" Button
  • Save the log file to your Documents folder
  • Post the content of the RootRepeal file scan log in your next reply.


Hi Kenny,

Thank you for the welcome, prompt response and your instructions.

The link you provided seemed to have exceeded its bandwidth, so I located the site below, located the file and installed it on the 'C drive' in a new folder called 'rr download'.

'http://rootrepeal.googlepages.com/

Version 1.3.5

Download: RootRepeal.rar

MD5 (of the EXE): 880D7A26B7BB6B00A0709E75F149B83D

SHA-1 (of the EXE): 1943798277BBB1C396A980C58D077F5A57636932'

The results of the scan are below.

----------------------------------

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/09/02 13:15

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP2

==================================================

Hidden/Locked Files

-------------------

Path: C:\WINDOWS\msdownld.tmp\msdownld.tmp

Status: Locked to the Windows API!

Path: C:\WINDOWS\mui\mui

Status: Locked to the Windows API!

Path: C:\WINDOWS\ftpcache\ftpcache

Status: Locked to the Windows API!

Path: C:\WINDOWS\Config\Config

Status: Locked to the Windows API!

Path: C:\WINDOWS\Connection Wizard\Connection Wizard

Status: Locked to the Windows API!

Path: C:\WINDOWS\addins\addins

Status: Locked to the Windows API!

Path: C:\WINDOWS\PIF\PIF

Status: Locked to the Windows API!

Path: C:\WINDOWS\Minidump\Minidump

Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\1025\1025

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\1028\1028

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\1031\1031

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\1037\1037

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\1041\1041

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\1042\1042

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\1054\1054

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\2052\2052

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\3076\3076

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\3com_dmi\3com_dmi

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\export\export

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\wins\wins

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\dhcp\dhcp

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\ShellExt\ShellExt

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\xircom\xircom

Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imejp98\imejp98

Status: Locked to the Windows API!

Path: C:\WINDOWS\security\logs\logs

Status: Locked to the Windows API!

Path: C:\WINDOWS\java\classes\classes

Status: Locked to the Windows API!

Path: C:\WINDOWS\java\trustlib\trustlib

Status: Locked to the Windows API!

Path: C:\WINDOWS\msapps\msinfo\msinfo

Status: Locked to the Windows API!

Path: C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Status: Locked to the Windows API!

Path: C:\WINDOWS\Cache\Adobe Reader 6.0\Adobe Reader 6.0

Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d1\d1

Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d2\d2

Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d3\d3

Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d4\d4

Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d5\d5

Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d6\d6

Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d7\d7

Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d8\d8

Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\tmp\tmp

Status: Locked to the Windows API!

Path: C:\WINDOWS\Registration\CRMLog\CRMLog

Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHEALTH\ErrorRep\QHEADLES\QHEADLES

Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHEALTH\ErrorRep\QSIGNOFF\QSIGNOFF

Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHEALTH\ErrorRep\UserDumps\UserDumps

Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\System_OEM

Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Status: Locked to the Windows API!

Path: C:\WINDOWS\Sun\Java\Deployment\Deployment

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\oobe\sample\sample

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\disdn\disdn

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\Macromed\update\update

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\mui\dispspec\dispspec

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\wbem\snmp\snmp

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\appmgmt\S-1-5-21-1935655697-1417001333-682003330-1003\S-1-5-21-1935655697-1417001333-682003330-1003

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imejp\applets\applets

Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHEALTH\HELPCTR\Config\News\News

Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\wbem\mof\bad\bad

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\ZoneLabs\Updates\TrialScreens\TrialScreens

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\ZoneLabs\Updates\updcomponent\updcomponent

Status: Locked to the Windows API!

Path: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\temp\temp

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Status: Locked to the Windows API!

---------------------------------------------

Thanks

Fergie


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows (screenshots: CF_download_FF.gif, CF_download_rename.gif):
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method as above, but rename Combofix.exe to iexplore.exe or winlogon.exe instead.

This is because it also happens in some cases that malware blocks EVERY process except those in its own whitelist, and this whitelist includes important system processes such as iexplore.exe, explorer.exe, winlogon.exe...


Hi Kenny,

I have followed and executed your instructions.

After adjusting the Firefox settings, I went to the link provided for 'Combofix' and saved it as 'Combo-fix', to my desktop.

I then printed a hard copy of your post, followed the link to the 'BC forum' and disabled the 'AVG 8.5' Resident Shield as instructed.

After closing my Firefox browser, I executed 'combo-fix' from my desktop. It asked me to verify that I had downloaded it from a legitimate source etc., which I confirmed.

It went on to inform me that I did not have the 'Windows recovery console' present and continued. 'Combo-fix' then attempted to connect to what appeared to be a 'Microsoft website'. It failed to connect and stated that there was 'no connection'. At no point did I interfere with anything; I just observed the whole process and made some notes for this post.

'Combo-fix' completed approx 50+ stages and then displayed the log. I had to reboot twice to regain an internet connection. I hope that the above info is also of use.

Below is the 'Combo-fix' and 'Hijack log'. I re-activated 'AVG 8.5 resident shield' prior to executing the latest 'Hijack log'.

-----------------------------------------

ComboFix 09-09-01.07 - Mike Ferguson 02/09/2009 18:30.3.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.206 [GMT 1:00]

Running from: c:\documents and settings\Mike Ferguson\Desktop\Combo-Fix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((( Files Created from 2009-08-02 to 2009-09-02 )))))))))))))))))))))))))))))))

.

2009-09-02 12:06 . 2009-09-02 12:15 -------- d-----w- C:\rr download

2009-09-02 08:35 . 2009-09-02 08:35 -------- d-----w- c:\program files\Trend Micro

2009-09-01 11:51 . 2009-09-01 11:51 -------- d-----w- c:\program files\Windows Installer Clean Up

2009-09-01 11:50 . 2009-09-01 13:34 -------- d-----w- c:\program files\MSECACHE

2009-09-01 11:39 . 2009-09-01 11:39 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-09-01 11:09 . 2009-09-01 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion

2009-09-01 11:09 . 2009-09-01 11:09 -------- d-----w- c:\documents and settings\Mike Ferguson\Application Data\Yahoo!

2009-09-01 11:09 . 2009-09-01 11:09 -------- d-----w- c:\program files\Yahoo!

2009-09-01 10:54 . 2006-01-18 12:55 290918 ----a-w- c:\windows\system32\Install7x.dll

2009-09-01 10:54 . 2005-11-30 10:33 2048 ----a-w- c:\windows\system32\drivers\rt73.bin

2009-09-01 10:54 . 2005-05-17 15:24 311296 ----a-w- c:\windows\system32\AegisI5.exe

2009-09-01 10:54 . 2009-09-01 10:54 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys

2009-09-01 10:53 . 2009-09-01 10:55 -------- d-----w- c:\program files\Sweex

2009-08-31 23:08 . 2009-09-02 17:27 -------- d-s---w- C:\ComboFix

2009-08-31 13:46 . 2009-08-31 13:49 105683 ----a-w- C:\MGlogs.zip

2009-08-31 13:46 . 2009-08-31 13:49 -------- d-----w- C:\MGtools

2009-08-27 09:12 . 2009-08-27 09:12 -------- d-s---w- c:\documents and settings\Administrator\UserData

2009-08-27 00:07 . 2009-08-27 00:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-08-26 23:53 . 2009-08-26 23:56 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-08-26 23:50 . 2009-08-27 09:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2009-08-26 23:50 . 2009-08-26 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-08-26 23:50 . 2009-08-26 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-08-26 23:45 . 2009-08-26 23:45 -------- d-----w- c:\documents and settings\Mike Ferguson\Application Data\Malwarebytes

2009-08-26 23:45 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-26 23:45 . 2009-08-31 06:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-26 23:45 . 2009-08-26 23:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-26 23:45 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-26 22:48 . 2009-08-26 22:48 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-08-26 22:48 . 2009-09-01 12:30 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-08-26 22:48 . 2009-08-26 22:48 -------- d-----w- c:\documents and settings\Mike Ferguson\Application Data\SUPERAntiSpyware.com

2009-08-26 22:17 . 2009-08-31 12:56 -------- d-----w- C:\Major geek downloads

2009-08-26 20:55 . 2009-08-26 20:55 -------- d-----w- c:\program files\CCleaner

2009-08-26 20:55 . 2009-08-26 20:55 1033448 ----a-w- C:\ccsetup222_slim.exe

2009-08-26 11:42 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys

2009-08-26 11:27 . 2009-08-26 11:29 60857536 ----a-w- C:\Ad-AwareAE.exe

2009-08-25 21:08 . 2009-08-25 21:08 -------- d-----w- C:\spoolerlogs

2009-08-23 15:15 . 2009-08-23 15:15 -------- d-----w- c:\program files\sina

2009-08-23 15:13 . 2009-08-23 15:13 -------- d-----w- c:\program files\MYP2P EPL MEDIA PLAYER

2009-08-23 15:13 . 2009-08-23 15:13 -------- d-----w- c:\windows\MYP2P EPL MEDIA PLAYER

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-02 17:35 . 2007-09-24 13:21 195086368 --sha-w- c:\windows\system32\drivers\fidbox.dat

2009-09-02 08:01 . 2007-09-24 13:21 2285852 --sha-w- c:\windows\system32\drivers\fidbox.idx

2009-09-01 10:53 . 2005-06-17 00:41 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-31 12:54 . 2008-05-31 11:54 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-08-31 12:31 . 2005-08-10 19:21 -------- d-----w- c:\program files\DivX

2009-08-29 15:14 . 2009-01-27 01:51 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-29 15:14 . 2008-11-07 14:59 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-29 15:14 . 2008-11-07 14:59 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-26 22:40 . 2008-05-18 16:28 -------- d-----w- c:\program files\Lavasoft

2009-08-26 22:40 . 2008-05-12 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-08-26 22:34 . 2009-01-29 15:03 -------- d-----w- c:\program files\SWiSH v2.01

2009-08-26 22:34 . 2005-11-12 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2009-08-26 22:31 . 2005-06-24 15:46 -------- d-----w- c:\program files\Java

2009-08-26 22:23 . 2007-08-15 22:08 -------- d-----w- c:\program files\BitZip

2009-08-26 22:23 . 2005-07-08 01:14 -------- d-----w- c:\program files\Ares

2009-08-26 22:11 . 2008-05-18 13:44 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-08-26 22:09 . 2008-05-18 13:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-08-01 11:40 . 2008-10-04 03:17 -------- d-----w- c:\program files\Terrapin FTP

2009-08-01 10:35 . 2008-08-29 08:47 256 ----a-w- c:\windows\system32\pool.bin

2009-07-24 13:13 . 2008-04-28 21:07 -------- d-----w- c:\program files\Free Music Zilla

2009-07-16 20:20 . 2005-08-18 15:17 -------- d-----w- c:\documents and settings\Mike Ferguson\Application Data\Canon

2009-06-12 08:20 . 2009-06-12 08:20 571320 ----a-w- c:\windows\HPISExe.dat

2008-02-07 20:46 . 2008-02-07 20:46 13624 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2008-02-07 20:46 . 2008-02-07 20:46 87360 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2008-02-07 20:46 . 2008-02-07 20:46 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2008-02-07 20:46 . 2008-02-07 20:46 21824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

2008-02-07 20:46 . 2008-02-07 20:46 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2008-02-07 20:46 . 2008-02-07 20:46 31544 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2008-02-07 20:46 . 2008-02-07 20:46 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2007-06-21 17:39 . 2007-06-21 17:39 34376 ----a-w- c:\program files\mozilla firefox\plugins\logging.dll

2007-03-16 16:27 . 2007-03-16 16:27 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll

2007-03-16 16:27 . 2007-03-16 16:27 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll

2007-03-16 16:27 . 2007-03-16 16:27 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll

2007-06-21 17:39 . 2007-06-21 17:39 685640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2008-02-07 20:46 . 2008-02-07 20:46 24384 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

.

------- Sigcheck -------

[-] 2001-08-23 12:00 47616 A510B91253544D56B5712D66BE8371E9 c:\windows\$NtServicePackUninstall$\eventlog.dll

[7] 2004-08-04 07:56 55808 82B24CB70E5944E6E34662205A2A5B78 c:\windows\ServicePackFiles\i386\eventlog.dll

c:\windows\system32\eventlog.dll ... is missing !!

.

((((((((((((((((((((((((((((( SnapShot@2009-08-31_19.43.31 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-08-31 12:37 . 2009-08-31 12:37 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe

+ 2009-09-01 13:35 . 2009-09-01 13:35 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe

- 2009-08-31 12:37 . 2009-08-31 12:37 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe

+ 2009-09-01 13:35 . 2009-09-01 13:35 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe

+ 2008-07-04 13:16 . 2006-01-12 18:46 252928 c:\windows\system32\drivers\rt73.sys

- 2008-07-04 13:16 . 2007-03-13 12:53 252928 c:\windows\system32\drivers\rt73.sys

+ 2004-05-07 12:47 . 2005-10-17 18:50 245376 c:\windows\system32\drivers\rt2500usb.sys

+ 2009-09-01 11:51 . 2009-09-01 11:51 472064 c:\windows\Installer\4a57b.msi

+ 2009-09-01 13:35 . 2009-09-01 13:35 1516544 c:\windows\Installer\100041.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-08-05 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-29 2007832]

"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-07-01 67584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2008-1-15 118784]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

Sweex WiFi Utility.lnk - c:\program files\Sweex\Installer\WINXP\SWU.exe [2009-9-1 598016]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-29 15:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [26/08/2009 12:42 64160]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [07/11/2008 15:59 335240]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [09/04/2009 21:09 108552]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/08/2009 16:06 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/08/2009 16:06 74480]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [27/01/2009 02:51 297752]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [23/02/2008 16:46 24652]

R2 WplServ;Words+ Switch Input Service;c:\program files\Words+, Inc\EZ KeysXP\WplServ.exe [26/01/2006 10:27 126581]

R3 mouclassfiltr;Upper Class Filter Driver;c:\windows\system32\drivers\mouclassfiltr.sys [10/09/2008 10:19 12672]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/08/2009 16:06 7408]

S3 FCBZEGYG;FCBZEGYG;c:\docume~1\ADMINI~1\LOCALS~1\Temp\FCBZEGYG.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\FCBZEGYG.exe [?]

S3 ZAYGABRXFO;ZAYGABRXFO;c:\docume~1\ADMINI~1\LOCALS~1\Temp\ZAYGABRXFO.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\ZAYGABRXFO.exe [?]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uInternet Connection Wizard,ShellNext = iexplore

IE: {{022C4009-5283-4365-97BF-144054B40E2E} - http://itv.mop.com

DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - hxxp://dl.uc.sina.com/cab/downloader.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {FEE1002D-90A5-4A5D-AABE-01803FFBCF7A} - hxxp://iptv.zgzcw.com/pCastCtl_1.0.0.89_20080808.cab

FF - ProfilePath - c:\documents and settings\Mike Ferguson\Application Data\Mozilla\Firefox\Profiles\a9atdk24.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-02 18:35

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(944)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2648)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2009-09-02 18:38

ComboFix-quarantined-files.txt 2009-09-02 17:38

ComboFix2.txt 2009-08-31 22:16

ComboFix3.txt 2009-08-31 19:47

ComboFix4.txt 2009-08-31 13:34

Pre-Run: 8,435,924,992 bytes free

Post-Run: 8,451,764,224 bytes free

213

-----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:38:19, on 02/09/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\system32\crypserv.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Words+, Inc\EZ KeysXP\WplServ.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Sweex\Installer\WINXP\SWU.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-21-1935655697-1417001333-682003330-1003\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Sweex WiFi Utility.lnk = C:\Program Files\Sweex\Installer\WINXP\SWU.exe

O9 - Extra button:


Good evening Kenny,

I have completed the posted instructions and 'Malwarebytes' has delivered a report (listed below). Before I carried out the instructions I printed a hard copy and closed my browser and my notepad.

After I executed 'Hijack' and ticked the boxes next to 'O9 - Extra button..' & 'O23 - Service ZAYGABRXFO...' I was instructed to re-boot the pc so that 'Hijack' could complete the removal task.

At this stage I allowed the re-boot. I hope that my decision to allow the pc to re-boot was correct and that you didn't require me to execute 'Malwarebytes' before 'Hijack' executed the reboot?

Below is the 'Malwarebytes log'

--------------------------

Malwarebytes' Anti-Malware 1.40

Database version: 2732

Windows 5.1.2600 Service Pack 2

02/09/2009 21:29:07

mbam-log-2009-09-02 (21-29-07).txt

Scan type: Quick Scan

Objects scanned: 107745

Time elapsed: 7 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

----------------------------

Regards

/Fergie


Open Notepad and copy and paste the text in the code box below into it:

FCopy::
c:\windows\$NtServicePackUninstall$\eventlog.dll | c:\windows\system32\eventlog.dll

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[Screenshot: CFScriptB-4.gif]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


Good Morning Kenny,

Many thanks for the script.

After I carried out your instructions and dragged the 'txt file' onto the 'combo.exe' it successfully executed and asked me to disable AVG (which I did). 'Combofix' then informed me that I had no 'windows recovery console' and attempted to connect to Microsoft but failed because there was no apparent connection. It continued to run and produced the below report.

As soon as 'combofix' had produced the report I executed 'Hijack' and saved both reports. At this stage I had not re-activated AVG. I re-booted and then activated AVG.

---------------------------------------------

ComboFix 09-09-01.07 - Mike Ferguson 03/09/2009 8:41.4.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.193 [GMT 1:00]

Running from: c:\documents and settings\Mike Ferguson\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Mike Ferguson\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

--------------- FCopy ---------------

c:\windows\$NtServicePackUninstall$\eventlog.dll --> c:\windows\system32\eventlog.dll

.

((((((((((((((((((((((((( Files Created from 2009-08-03 to 2009-09-03 )))))))))))))))))))))))))))))))

.

2009-09-03 07:41 . 2009-09-03 07:41 -------- d-----w- c:\windows\LastGood

2009-09-03 07:41 . 2004-08-04 07:56 55808 -c--a-w- c:\windows\system32\dllcache\eventlog.dll

2009-09-03 07:41 . 2004-08-04 07:56 55808 ----a-w- c:\windows\system32\eventlog.dll

2009-09-02 12:06 . 2009-09-02 12:15 -------- d-----w- C:\rr download

2009-09-02 08:35 . 2009-09-02 08:35 -------- d-----w- c:\program files\Trend Micro

2009-09-01 11:51 . 2009-09-01 11:51 -------- d-----w- c:\program files\Windows Installer Clean Up

2009-09-01 11:50 . 2009-09-01 13:34 -------- d-----w- c:\program files\MSECACHE

2009-09-01 11:39 . 2009-09-01 11:39 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-09-01 11:09 . 2009-09-01 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion

2009-09-01 11:09 . 2009-09-01 11:09 -------- d-----w- c:\documents and settings\Mike Ferguson\Application Data\Yahoo!

2009-09-01 11:09 . 2009-09-01 11:09 -------- d-----w- c:\program files\Yahoo!

2009-09-01 10:54 . 2006-01-18 12:55 290918 ----a-w- c:\windows\system32\Install7x.dll

2009-09-01 10:54 . 2005-11-30 10:33 2048 ----a-w- c:\windows\system32\drivers\rt73.bin

2009-09-01 10:54 . 2005-05-17 15:24 311296 ----a-w- c:\windows\system32\AegisI5.exe

2009-09-01 10:54 . 2009-09-01 10:54 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys

2009-09-01 10:53 . 2009-09-01 10:55 -------- d-----w- c:\program files\Sweex

2009-08-31 23:08 . 2009-09-02 17:27 -------- d-s---w- C:\ComboFix

2009-08-31 13:46 . 2009-08-31 13:49 105683 ----a-w- C:\MGlogs.zip

2009-08-31 13:46 . 2009-08-31 13:49 -------- d-----w- C:\MGtools

2009-08-27 09:12 . 2009-08-27 09:12 -------- d-s---w- c:\documents and settings\Administrator\UserData

2009-08-27 00:07 . 2009-08-27 00:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-08-26 23:53 . 2009-08-26 23:56 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-08-26 23:50 . 2009-08-27 09:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2009-08-26 23:50 . 2009-08-26 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-08-26 23:50 . 2009-08-26 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-08-26 23:45 . 2009-08-26 23:45 -------- d-----w- c:\documents and settings\Mike Ferguson\Application Data\Malwarebytes

2009-08-26 23:45 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-26 23:45 . 2009-08-31 06:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-26 23:45 . 2009-08-26 23:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-26 23:45 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-26 22:48 . 2009-08-26 22:48 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-08-26 22:48 . 2009-09-01 12:30 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-08-26 22:48 . 2009-08-26 22:48 -------- d-----w- c:\documents and settings\Mike Ferguson\Application Data\SUPERAntiSpyware.com

2009-08-26 22:17 . 2009-08-31 12:56 -------- d-----w- C:\Major geek downloads

2009-08-26 20:55 . 2009-08-26 20:55 -------- d-----w- c:\program files\CCleaner

2009-08-26 20:55 . 2009-08-26 20:55 1033448 ----a-w- C:\ccsetup222_slim.exe

2009-08-26 11:42 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys

2009-08-26 11:27 . 2009-08-26 11:29 60857536 ----a-w- C:\Ad-AwareAE.exe

2009-08-25 21:08 . 2009-08-25 21:08 -------- d-----w- C:\spoolerlogs

2009-08-23 15:15 . 2009-08-23 15:15 -------- d-----w- c:\program files\sina

2009-08-23 15:13 . 2009-08-23 15:13 -------- d-----w- c:\program files\MYP2P EPL MEDIA PLAYER

2009-08-23 15:13 . 2009-08-23 15:13 -------- d-----w- c:\windows\MYP2P EPL MEDIA PLAYER

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-03 07:47 . 2007-09-24 13:21 195340320 --sha-w- c:\windows\system32\drivers\fidbox.dat

2009-09-02 23:41 . 2007-09-24 13:21 2291204 --sha-w- c:\windows\system32\drivers\fidbox.idx

2009-09-01 10:53 . 2005-06-17 00:41 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-31 12:54 . 2008-05-31 11:54 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-08-31 12:31 . 2005-08-10 19:21 -------- d-----w- c:\program files\DivX

2009-08-29 15:14 . 2009-01-27 01:51 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-29 15:14 . 2008-11-07 14:59 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-29 15:14 . 2008-11-07 14:59 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-26 22:40 . 2008-05-18 16:28 -------- d-----w- c:\program files\Lavasoft

2009-08-26 22:40 . 2008-05-12 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-08-26 22:34 . 2009-01-29 15:03 -------- d-----w- c:\program files\SWiSH v2.01

2009-08-26 22:34 . 2005-11-12 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2009-08-26 22:31 . 2005-06-24 15:46 -------- d-----w- c:\program files\Java

2009-08-26 22:23 . 2007-08-15 22:08 -------- d-----w- c:\program files\BitZip

2009-08-26 22:23 . 2005-07-08 01:14 -------- d-----w- c:\program files\Ares

2009-08-26 22:11 . 2008-05-18 13:44 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-08-26 22:09 . 2008-05-18 13:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-08-01 11:40 . 2008-10-04 03:17 -------- d-----w- c:\program files\Terrapin FTP

2009-08-01 10:35 . 2008-08-29 08:47 256 ----a-w- c:\windows\system32\pool.bin

2009-07-24 13:13 . 2008-04-28 21:07 -------- d-----w- c:\program files\Free Music Zilla

2009-07-16 20:20 . 2005-08-18 15:17 -------- d-----w- c:\documents and settings\Mike Ferguson\Application Data\Canon

2009-06-12 08:20 . 2009-06-12 08:20 571320 ----a-w- c:\windows\HPISExe.dat

2008-02-07 20:46 . 2008-02-07 20:46 13624 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2008-02-07 20:46 . 2008-02-07 20:46 87360 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2008-02-07 20:46 . 2008-02-07 20:46 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2008-02-07 20:46 . 2008-02-07 20:46 21824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

2008-02-07 20:46 . 2008-02-07 20:46 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2008-02-07 20:46 . 2008-02-07 20:46 31544 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2008-02-07 20:46 . 2008-02-07 20:46 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2007-06-21 17:39 . 2007-06-21 17:39 34376 ----a-w- c:\program files\mozilla firefox\plugins\logging.dll

2007-03-16 16:27 . 2007-03-16 16:27 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll

2007-03-16 16:27 . 2007-03-16 16:27 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll

2007-03-16 16:27 . 2007-03-16 16:27 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll

2007-06-21 17:39 . 2007-06-21 17:39 685640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2008-02-07 20:46 . 2008-02-07 20:46 24384 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-08-31_19.43.31 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-09-03 07:41 . 2001-08-23 12:00 47616 c:\windows\LastGood\system32\eventlog.dll

- 2009-08-31 12:37 . 2009-08-31 12:37 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe

+ 2009-09-01 13:35 . 2009-09-01 13:35 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe

+ 2009-09-01 13:35 . 2009-09-01 13:35 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe

- 2009-08-31 12:37 . 2009-08-31 12:37 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe

- 2008-07-04 13:16 . 2007-03-13 12:53 252928 c:\windows\system32\drivers\rt73.sys

+ 2008-07-04 13:16 . 2006-01-12 18:46 252928 c:\windows\system32\drivers\rt73.sys

+ 2004-05-07 12:47 . 2005-10-17 18:50 245376 c:\windows\system32\drivers\rt2500usb.sys

+ 2009-09-01 11:51 . 2009-09-01 11:51 472064 c:\windows\Installer\4a57b.msi

+ 2009-09-01 13:35 . 2009-09-01 13:35 1516544 c:\windows\Installer\100041.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-08-05 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-29 2007832]

"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-07-01 67584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2008-1-15 118784]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

Sweex WiFi Utility.lnk - c:\program files\Sweex\Installer\WINXP\SWU.exe [2009-9-1 598016]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-29 15:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [26/08/2009 12:42 64160]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [07/11/2008 15:59 335240]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [09/04/2009 21:09 108552]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/08/2009 16:06 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/08/2009 16:06 74480]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [27/01/2009 02:51 297752]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [23/02/2008 16:46 24652]

R2 WplServ;Words+ Switch Input Service;c:\program files\Words+, Inc\EZ KeysXP\WplServ.exe [26/01/2006 10:27 126581]

R3 mouclassfiltr;Upper Class Filter Driver;c:\windows\system32\drivers\mouclassfiltr.sys [10/09/2008 10:19 12672]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/08/2009 16:06 7408]

S3 FCBZEGYG;FCBZEGYG;c:\docume~1\ADMINI~1\LOCALS~1\Temp\FCBZEGYG.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\FCBZEGYG.exe [?]

S4 ZAYGABRXFO;ZAYGABRXFO;c:\docume~1\ADMINI~1\LOCALS~1\Temp\ZAYGABRXFO.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\ZAYGABRXFO.exe [?]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uInternet Connection Wizard,ShellNext = iexplore

DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - hxxp://dl.uc.sina.com/cab/downloader.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {FEE1002D-90A5-4A5D-AABE-01803FFBCF7A} - hxxp://iptv.zgzcw.com/pCastCtl_1.0.0.89_20080808.cab

FF - ProfilePath - c:\documents and settings\Mike Ferguson\Application Data\Mozilla\Firefox\Profiles\a9atdk24.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-03 08:47

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(936)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(1988)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2009-09-03 8:50

ComboFix-quarantined-files.txt 2009-09-03 07:49

ComboFix2.txt 2009-09-02 17:38

ComboFix3.txt 2009-08-31 22:16

ComboFix4.txt 2009-08-31 19:47

ComboFix5.txt 2009-09-03 07:38

Pre-Run: 8,421,281,792 bytes free

Post-Run: 8,386,637,824 bytes free

200

--------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 08:52:08, on 03/09/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\system32\crypserv.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Words+, Inc\EZ KeysXP\WplServ.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Sweex WiFi Utility.lnk = C:\Program Files\Sweex\Installer\WINXP\SWU.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (MSN Games


Hi Kenny,

The machine seems to be running and loading smoother, i.e. the 'windows start up intro' actually starts when the desktop appears, whereas before it was delayed by about 2 minutes or so. Not that it's a bad thing if it went away and never played again! :):D

However, I have just tried to update 'zonealarm' again and received the message 'This patch package could not be opened. Contact the application vendor to verify that this is a valid Windows installer patch package'.

Should I continue with this or remove it and try a fresh install of 'Zonealarm'? Please forgive me for sounding a little paranoid, but after this episode I'm exercising caution!

My other concerns are with the reports.

'Combofix - S4 ZAYGABRXFO;ZAYGABRXFO;....'

'Hijack - O23 - Service: FCBZEGYG - Unknown owner...'

I know that you asked me to remove a file with the same name 'ZAYGABRXFO' earlier. Should I be concerned?

Last, I noticed that whilst I was updating my forum profile, and went to upload a picture, the uploader displayed my $avg$ virus vault. The folder was of the same appearance as that of a folder that is usually hidden, but the user has opted to display hidden files.

Within that vault were several pictures of me and my son on the beach etc. I appreciate that this may be a separate issue and a matter for AVG.

Many many thanks

Mike


Hi Mike

As for ZoneAlarm, let me check on this. We are not done yet; I wanted to get an update on how your computer is running. Also, with AVG I want to run a scan and we'll deal with the temp services after the scan.

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Next

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases

  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Upgrading Java:

  • Download the latest version of Java SE Runtime Environment (JRE), JRE 6 Update 16.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u16-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u13-windows-i586-p.exe and select "Run as an Administrator.")

Note: Kaspersky does not remove anything but will provide a log of anything it finds, so we can remove it with another tool. Kaspersky is very thorough at finding infections and it takes a while to run. You might want to grab your favourite beverage. :-)


Quick update Kenny, scan is running, current progress is 14% with elapsed time of 1hr 14 mins. Thought it best to let you know as a matter of courtesy.

regards

Mike


Hi Kenny,

I hope you are okay?

It took me several attempts to get the scan to complete. It became un-responsive and locked the pc up, hence the delay in replying.

below is the log

--------------------------

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Saturday, September 5, 2009

Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Friday, September 04, 2009 17:56:45

Records in database: 2746008

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

A:\

C:\

D:\

E:\

F:\

G:\

H:\

Scan statistics:

Objects scanned: 107708

Threats found: 7

Infected objects found: 18

Suspicious objects found: 4

Scan duration: 03:18:57

File name / Threat / Threats count

C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 1

C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

D:\asasas\downloads\VNC\vnc-3.3.7-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 2

D:\asasas\downloads\VNC\vnc-3.3.7-x86_win32.rar Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 2

D:\asasas\Master My Documents\mIRC\v.rar Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 2

D:\asasas\outlook.pst Suspicious: Password-protected-EXE 1

D:\asasas\outlook.pst Suspicious: Exploit.HTML.Iframe.FileDownload 1

D:\asasas\outlook.pst Infected: Email-Worm.Win32.NetSky.r 1

D:\asasas\pst\outlook.pst Suspicious: Password-protected-EXE 1

D:\asasas\pst\outlook.pst Suspicious: Exploit.HTML.Iframe.FileDownload 1

D:\asasas\pst\outlook.pst Infected: Email-Worm.Win32.NetSky.r 1

D:\New Install AVG Zone\Down Loads New Install\vnc-4_1_1-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 1

D:\New Install AVG Zone\Down Loads New Install\vnc-4_1_1-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

D:\sent.pst Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 2

D:\sent.pst Infected: not-a-virus:Client-IRC.Win32.mIRC.603 4

Selected area has been scanned.

-----------------------

Regards

Mike


Hi Mike.... ;)

Delete these mails from Outlook:

D:\asasas\outlook.pst Suspicious: Password-protected-EXE 1

D:\asasas\outlook.pst Suspicious: Exploit.HTML.Iframe.FileDownload 1

D:\asasas\outlook.pst Infected: Email-Worm.Win32.NetSky.r 1

D:\asasas\pst\outlook.pst Suspicious: Password-protected-EXE 1

D:\asasas\pst\outlook.pst Suspicious: Exploit.HTML.Iframe.FileDownload 1

D:\asasas\pst\outlook.pst Infected: Email-Worm.Win32.NetSky.r 1

Next

OTMoveIt

Please download OTM by OldTimer and save it to your desktop

  • Double-click OTM.exe to run it.
  • Copy the lines in the codebox below. ( Make sure you include :Processes )

:processes
explorer.exe
:files
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FCBZEGYG.exe
D:\asasas\downloads\VNC\vnc-3.3.7-x86_win32.exe
D:\asasas\Master My Documents\mIRC\v.rar
:Folders
C:\Program Files\RealVNC
:commands
[start explorer]
[emptytemp]

Return to OTMoveIt3, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.

Click the red Moveit! button.

Click Ok to allow OTM to reboot your machine.

After reboot, a log file will appear. Copy the contents to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

Close OTM

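Kenny's reply above makes a triage decision that the raw Kaspersky report does not spell out: the VNC and mIRC hits carry Kaspersky's "not-a-virus:" prefix (riskware, i.e. legitimate tools the scanner merely reports), while the NetSky and Iframe hits inside the .pst files are real and must be dealt with by deleting the mails, not the mail store. As an added example, not code from the thread or from Kaspersky, the script below parses report lines of that shape and applies the same rules. The sample lines are a subset of the report posted above; the line-format regex and the three severity labels are this script's own assumptions.

```python
"""Triage a Kaspersky Online Scanner report: separate riskware from real
malware and group findings per file.

Added example; it is not code from the thread or from Kaspersky.  The
sample lines are a subset of the report posted above, the line format
regex is an assumption about the report layout, and the three severity
classes are this script's own labels built on Kaspersky's "not-a-virus:"
naming prefix.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the report lines posted in the thread,
# plus the trailer line, which the parser must ignore.
SAMPLE_REPORT = r"""
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 1
D:\asasas\outlook.pst Suspicious: Password-protected-EXE 1
D:\asasas\outlook.pst Suspicious: Exploit.HTML.Iframe.FileDownload 1
D:\asasas\outlook.pst Infected: Email-Worm.Win32.NetSky.r 1
D:\sent.pst Infected: not-a-virus:Client-IRC.Win32.mIRC.603 4
Selected area has been scanned.
"""

# "<path> <Verdict>: <name> <count>".  Paths contain spaces, so the match is
# anchored on the verdict keyword and the trailing integer (assumed layout).
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<name>\S+) (?P<count>\d+)$"
)


def parse_report(text):
    """Return one dict per finding line; header, trailer and blank lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["count"] = int(d["count"])
            findings.append(d)
    return findings


def severity(finding):
    """riskware: legitimate-but-abusable tools (Kaspersky's 'not-a-virus:' prefix,
    here VNC and mIRC); suspicious: heuristic verdict; malware: everything else."""
    if finding["name"].startswith("not-a-virus:"):
        return "riskware"
    if finding["verdict"] == "Suspicious":
        return "suspicious"
    return "malware"


def group_by_file(findings):
    """Map path -> [(severity, name), ...] so container files such as PST
    mail stores show every item detected inside them."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["path"]].append((severity(f), f["name"]))
    return dict(grouped)


def files_needing_cleanup(findings):
    """Paths with at least one malware or suspicious hit, mapped to an action.
    A .pst is a mail store: the bad items are messages inside a legitimate
    file, so the action is to delete those mails, not the store."""
    actions = {}
    for path, items in group_by_file(findings).items():
        if not any(sev in ("malware", "suspicious") for sev, _ in items):
            continue  # riskware only: review whether the tool is wanted
        if path.lower().endswith(".pst"):
            actions[path] = "delete flagged mail items"
        else:
            actions[path] = "delete or quarantine file"
    return actions


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for path, items in group_by_file(found).items():
        print(path)
        for sev, name in items:
            print(f"    [{sev}] {name}")
    print(files_needing_cleanup(found))
```

Riskware-only paths (the RealVNC install, the mIRC archive in sent.pst) are deliberately left out of the cleanup list: whether a remote-admin tool belongs on the machine is a judgement about the owner's intent, which is exactly what Kenny was asking Mike about, not something a scanner verdict can settle.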

Hiya Kenny,

Got a slight problem,

Only one of those files exists:

D:\asasas\outlook.pst (which i deleted)

None of the others can be seen in the folder. Folder view is set to show all types of hidden files. I have just checked AVG and the latest scan doesn't show that anything had been removed. I haven't initiated any other scans, i.e. Malwarebytes or SUPERAntiSpyware.

So I'm going to wait for you to tell me how to proceed.

Regards

Mike


Hi Kenny,

Hope ya well?

I thought that Kaspersky was only a scanner and didn't remove anything.

Here is the log

---------------------

All processes killed

========== PROCESSES ==========

No active process named explorer.exe was found!

========== FILES ==========

File/Folder C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FCBZEGYG.exe not found.

D:\asasas\downloads\VNC\vnc-3.3.7-x86_win32.exe moved successfully.

D:\asasas\Master My Documents\mIRC\v.rar moved successfully.

Error: Unable to interpret <:Folders> in the current context!

Error: Unable to interpret <C:\Program Files\RealVNC> in the current context!

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: Guest

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: LocalService

->Temp folder emptied: 0 bytes

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

->Temporary Internet Files folder emptied: 33170 bytes

User: Mike Ferguson

->Temp folder emptied: 80706289 bytes

File delete failed. C:\Documents and Settings\Mike Ferguson\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

->Temporary Internet Files folder emptied: 37582592 bytes

->Java cache emptied: 13553674 bytes

->FireFox cache emptied: 98126497 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes

C:\WINDOWS\msdownld.tmp\msdownld.tmp folder deleted successfully.

C:\WINDOWS\msdownld.tmp folder deleted successfully.

%systemroot% .tmp files removed: 1321801 bytes

%systemroot%\System32 .tmp files removed: 2675729 bytes

Windows Temp folder emptied: 16384 bytes

RecycleBin emptied: 721658364 bytes

Total Files Cleaned = 911.40 mb

OTM by OldTimer - Version 3.0.0.6 log created on 09082009_192759

Files moved on Reboot...

Registry entries deleted on Reboot...

-------------------------------------

Regards

Mike


Hi Kenny,

The weekend was fine thanks, but they just go by so fast, as I'm sure you will agree!

I located the folder, deleted it, emptied the recycle bin and initiated 'Hijack'.

below is the log

--------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:24:50, on 08/09/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Words+, Inc\EZ KeysXP\WplServ.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Sweex\Installer\WINXP\SWU.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Sweex WiFi Utility.lnk = C:\Program Files\Sweex\Installer\WINXP\SWU.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (MSN Games


Hi Mike, We need to remove this Service:

Close all other windows except for hijackthis, perform a scan and put a check against the following item and click 'fix checked'.

O23 - Service: FCBZEGYG - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FCBZEGYG.exe (file missing)

Go to start > run and copy and paste next command in the field and hit enter:

sc delete FCBZEGYG

And let me know if it's still there in your log?

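Kenny's fix above removes one service by name. As an added example, not code from the thread or from HijackThis, the script below applies the same judgement to every O23 line in a HijackThis log: it flags services whose binary is reported "(file missing)" or sits under a Temp directory, and emits the matching sc delete command. The first sample line is the O23 entry quoted in the post; the other two are constructed for contrast, and the O23 line layout assumed by the regexes is this script's assumption, not HijackThis documentation.

```python
"""Audit HijackThis O23 (service) lines for the pattern fixed above: a
service whose binary is reported missing or lives under a Temp directory.

Added example; it is not code from the thread or from HijackThis.  The
first sample line is the O23 entry quoted in the post; the other two are
constructed for contrast.  The O23 line layout assumed here is
"O23 - Service: <display name> (<short name>) - <owner> - <path>", with
the short name optional; a display name that itself contains " - "
would not parse correctly.
"""
import re

# Constructed sample: line 1 is quoted from the post, lines 2 and 3 are invented.
SAMPLE_LOG = r"""
O23 - Service: FCBZEGYG - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FCBZEGYG.exe (file missing)
O23 - Service: Example Watchdog (ExampleWd) - Example Vendor Ltd. - C:\Program Files\Example\examplewd.exe
O23 - Service: Example Updater (ExampleUpd) - Example Vendor Ltd. - C:\DOCUME~1\MIKE~1\LOCALS~1\Temp\updater.exe
"""

O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
SHORT_NAME_RE = re.compile(r"\((?P<short>[^()]+)\)\s*$")
# A \Temp\ or \tmp\ path component.  HijackThis keeps 8.3 names such as
# LOCALS~1, but the Temp component itself is still spelled out.
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def parse_o23(text):
    """Return one dict per O23 line: short service name, display name, owner, path."""
    entries = []
    for line in text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        display, owner, path = m.group("display", "owner", "path")
        sm = SHORT_NAME_RE.search(display)
        name = sm.group("short") if sm else display
        entries.append({"name": name, "display": display, "owner": owner, "path": path})
    return entries


def suspicious_reasons(entry):
    """Why a service deserves removal; an empty list means it is not flagged."""
    reasons = []
    if entry["path"].endswith("(file missing)"):
        reasons.append("binary missing")
    if TEMP_DIR_RE.search(entry["path"]):
        reasons.append("binary under a Temp directory")
    # 'Unknown owner' on its own is not conclusive (unsigned but legitimate
    # services show it too), so it only strengthens an existing flag.
    if reasons and entry["owner"] == "Unknown owner":
        reasons.append("no vendor information")
    return reasons


def audit(text):
    """Map short service name -> (reasons, sc.exe command) for flagged services."""
    flagged = {}
    for e in parse_o23(text):
        reasons = suspicious_reasons(e)
        if reasons:
            flagged[e["name"]] = (reasons, f'sc delete "{e["name"]}"')
    return flagged


if __name__ == "__main__":
    for name, (reasons, cmd) in audit(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(reasons)}")
        print(f"    {cmd}")
```

The emitted commands are suggestions to review, not to run blindly: a vendor updater that unpacks into Temp will trip the Temp rule. Note also that sc delete marks the service for deletion; a service that is still running is removed only once it has stopped, so re-checking the O23 section after a reboot, as done above, is the right confirmation.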

Good Afternoon Kenny,

I initiated 'Hijack' and fixed 'O23 - Service: FCBZEGYG...'

'Hijack' insisted on a reboot, so I let it complete the process. Once rebooted I went to 'start > run' and typed 'sc delete FCBZEGYG'. A command prompt box flashed on the screen for a split second.

I initiated 'Hijack' again to confirm that the file has been removed. I have posted this below so you can check I have done everything correctly.

---------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:56:02, on 09/09/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Words+, Inc\EZ KeysXP\WplServ.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Sweex\Installer\WINXP\SWU.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Sweex WiFi Utility.lnk = C:\Program Files\Sweex\Installer\WINXP\SWU.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (MSN Games


That got it.... :huh: I'll add you as a friend if you don't mind.

Some final items:

Follow these steps to uninstall Combofix and all of its files and components.

  • Click START then RUN
  • Now type ComboFix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Remove all but the most recent Restore Point on Windows XP

You should remove all but the most recent Restore Point to prevent possible reinfection from an old one.

Some of the malware you picked up could have been saved in System Restore.

Since this is a protected directory your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point.

Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:

  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • If the shortcut is missing you can also click on START > RUN, type in %SystemRoot%\system32\restore\rstrui.exe and click OK.
  • Choose the radio button marked "Create a Restore Point" on the first screen, then click "Next".
  • Give the new Restore Point a name, then click "Create".
  • The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr.exe
  • Select the drive where Windows is installed and click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
  • On the Disk Cleanup tab, if the "System Restore: Obsolete Data Stores" entry is available, remove them also. These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.


Additional information

Microsoft KB article: How to turn off and turn on System Restore in Windows XP

Bert Kinney's site: All about Windows System Restore

Here is some useful information on keeping your computer clean:

  1. Most important thing is to make sure Windows is kept up to date with the latest patches and updates from Windows Update.
  2. Here are two great preventive programs:
     1. SpywareBlaster protects you from malicious ActiveX controls and cookies. Make sure to check for updates twice a month.
     2. Surf safe with McAfee's SiteAdvisor. SiteAdvisor will work with Internet Explorer and Mozilla Firefox. SiteAdvisor is a browser plugin that assigns a safety rating to domains listed in your search engine. SiteAdvisor uses the following colour codes to indicate the safety level of each site:
        1. Red for Warning
        2. Yellow for Use Caution
        3. Green for Safe
        4. Grey for Unknown

Here are the links to install SiteAdvisor in Internet Explorer and Firefox.

Now you should Clean up your PC

Here are some additional links for you to check out to help you with your computer security.

How did I get infected in the first place.

Secunia software inspector & update checker

Malware And Spyware Tips

It was a pleasure working with you Mike...

Kenny


Good Evening Kenny,

I have followed your advice and carried out the System Restore tasks, downloaded 'SpywareBlaster', 'Surf Safe McAfee's SiteAdvisor' and 'Spybot - Search & Destroy', and read 'Tony Klein's' thread. I'm going to do some more housekeeping (clean up old files) and then run 'Secunia Online Software'.

Last but not least, I'm going to be subscribing to a 'Blog'... apparently the dude that runs the 'Blog' seems to know his stuff :huh: .

One final Log below...

--------------------

Logfile of Mike Ferguson 09-09-09

File Stored & Never Forgotten.

Platform: Gratitude

Boot mode: Ecstatic With Joy!

Running processes:

C:\WINDOWS\Thank you Kenny

----------------------

It would be a privilege to be able to remain your friend.

May I take this opportunity before the thread closes to once again Thank You for all your time, patience and help that you have given to me. Please could you also pass on my many thanks to the whole Malwarebytes team.

I wish you nothing but the very best of good health and a prosperous future,

Kindest Regards

Mike

