
As I posted earlier here

http://www.malwarebytes.org/forums/index.php?showtopic=35351

MBAM 1.43 can install but not run, even in safe mode. It opens to the scan tab for about 5 seconds, then shuts down. I also renamed mbam.exe to Winlogon.exe, no change in behavior.

This is Win XP SP3. Process Explorer doesn't show anything like the SystemSecurity process or other problems that I can see. Rootrepeal v. 1.3.5.0 found nothing, reported no suspicious sys files. In safe mode I ran 3 versions of rkill then SDFix, which found nothing. Superantispyware 4.32.0.1000 found nothing. Combofix found nothing, (but deleted qmgr0.dat and qmgr1.dat from docs & settings ...\microsoft\network\downloader\ where I suspect they were supposed to be.)

I brought an installation file for Avira over on a thumb drive, but it would not install. I thought it might just need to have an internet connection to install properly, but that's not the explanation: The steps described above were done with the computer offline, so I reconnected to the internet and I was blocked from accessing the Avira site. I could reach and download Avast, but it would not install. (So I took the computer offline again.)

So I think it's safe to say that computer is infected with malware, perhaps a new 2010 version of mebroot? What do you have that might remove or even detect it?

Is it likely to have spread itself to other computers on the same network? (It only had the Windows firewall, and Symantec AV.) What can I check the other computers with, for this bug?

I've run defogger. DDS would not run. I ran the GMER Rootkit Scanner and it found a copy of the MBR in sector 60. (Previous mebroot versions stored the mbr in sector 62, right?) However I didn't see any other suspicious notices as it was scanning, just files related to the AV programs. When it finished scanning I clicked 'Save' and GMER immediately disappeared, shut down, without giving me a chance to save the log as txt. Tell me where to look for a log, but I couldn't find one saved. That was done in normal mode, I'm now repeating it in safe mode, but I don't expect better results.

So, as of now there are no logs I can post.

Thanks for helping with this

RT


While running GMER in safe mode, before it ended I clicked in the area where it displays what it finds (just to see if I could copy it to clipboard); it immediately crashed. I haven't re-run it in safe mode; I assume it wouldn't see anything more than it did in normal mode (but in safe mode it wasn't finding the antivirus program files it found in normal mode before rebooting).

catchme.exe ver 0.3.1398 shows nothing when run in normal mode or in safe mode.

I couldn't see results from mbr.exe when run in normal mode - when I entered mbr.exe in Run, the dos window closed too fast to see; then when I opened the dos prompt it reset the active desktop and the dos prompt didn't stay open. So I went to safe mode to run mbr.exe ver 0.3.7 from the dos prompt; it said user & kernel ok. Copy of MBR has been found in sector 60!

Hard to believe it's just coincidence about not being able to run all those antimalware tools.

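The mbr.exe run above reported "Copy of MBR has been found in sector 60!". The check behind a message like that, as an added illustration (my own code, not mbr.exe's, whose internals the thread does not show): read sector 0, confirm its 0x55AA boot signature, take the first partition's start LBA from the partition table, and compare every sector in the gap before it with sector 0, both as a whole sector and as just the 440-byte boot-code area. The disk image is constructed inside the script (a fake MBR with one NTFS-type entry starting at LBA 63, a copy planted in sector 60); the 512-byte sector size and the 64-sector fallback gap are assumptions. Legitimate boot managers and OEM recovery tools also write into that gap, so a hit is an indicator to compare against a known-good image, not proof of infection by itself.

```python
import random
import struct

SECTOR = 512           # logical sector size assumed for a 2010-era XP disk
FALLBACK_GAP_END = 64  # scan sectors 1..63 if no partition table entry is usable


def build_sample_image(copy_sector=60, boot_code_only=False, total_sectors=64):
    """Constructed disk image for the demo (not taken from the infected machine).

    Sector 0 is a fake MBR: 440 bytes of pseudo-random 'boot code', a disk
    signature, one NTFS-type partition entry starting at LBA 63, and the 0x55AA
    boot signature. If copy_sector is given, that sector receives a copy of the
    MBR: the whole sector, or (boot_code_only) just the first 440 bytes, which is
    the part a boot-time rootkit has to preserve in order to chain-load it.
    """
    rng = random.Random(1)  # fixed seed so the image is reproducible
    boot_code = bytes(rng.randrange(256) for _ in range(440))
    disk_sig = b'\x12\x34\x56\x78\x00\x00'
    # 16-byte entry: status, CHS start (3), type, CHS end (3), LBA start, sector count
    entry = struct.pack('<BBBBBBBBII', 0x80, 0x01, 0x01, 0x00, 0x07, 0xFE, 0xFF, 0xFF, 63, 2048)
    ptable = entry + bytes(48)  # three empty entries
    mbr = boot_code + disk_sig + ptable + b'\x55\xAA'
    image = bytearray(total_sectors * SECTOR)
    image[0:SECTOR] = mbr
    if copy_sector is not None:
        src = mbr[:440] if boot_code_only else mbr
        image[copy_sector * SECTOR:copy_sector * SECTOR + len(src)] = src
    return bytes(image)


def read_sector(image, n):
    return image[n * SECTOR:(n + 1) * SECTOR]


def parse_partitions(mbr):
    """Return the non-empty partition table entries of an MBR sector."""
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        start_lba, count = struct.unpack_from('<II', mbr, off + 8)
        if ptype != 0:
            parts.append({'bootable': status == 0x80, 'type': ptype,
                          'start_lba': start_lba, 'sectors': count})
    return parts


def find_mbr_copies(image):
    """Look for sectors in the gap before the first partition that duplicate
    sector 0, either in full or just its 440-byte boot-code area.
    Returns a list of (sector_number, kind); an empty list means no copy found."""
    mbr = read_sector(image, 0)
    if mbr[510:512] != b'\x55\xAA':
        raise ValueError('sector 0 lacks the 0x55AA boot signature')
    parts = parse_partitions(mbr)
    gap_end = min((p['start_lba'] for p in parts), default=FALLBACK_GAP_END)
    gap_end = min(gap_end, len(image) // SECTOR)
    hits = []
    for n in range(1, gap_end):
        s = read_sector(image, n)
        if s == mbr:
            hits.append((n, 'identical'))
        elif s[:440] == mbr[:440]:
            hits.append((n, 'boot code only'))
    return hits


if __name__ == '__main__':
    samples = [('clean', build_sample_image(copy_sector=None)),
               ('copy in 60', build_sample_image()),
               ('boot code in 62', build_sample_image(62, boot_code_only=True))]
    for label, img in samples:
        print(f'{label:16s} partitions={parse_partitions(read_sector(img, 0))} '
              f'copies={find_mbr_copies(img)}')
```

On a real disk the image would come from a raw read of the first track taken from a boot CD or a second machine, since a live rootkit can hide the copy from reads made on the infected system; comparing that dump against the same track from a clean install of the same OEM image separates a planted copy from a vendor's own backup.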

DDS ran successfully in safe mode.

dds.txt:

DDS (Ver_09-12-01.01) - NTFSx86 MINIMAL

Run by Owner at 0:56:28.93 on Mon 01/04/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.757 [GMT -8:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe

mRun: [PostCopy] c:\windows\system32\belkin\f5u109\PostCopy.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [VTTimer] VTTimer.exe

mRun: [VTTrayp] VTtrayp.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [soundMan] SOUNDMAN.EXE

mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe

mRun: [Airlink101 Airlink101 WLAN Monitor] c:\program files\airlink101\airlink101 wlan monitor\WLANmon.exe

StartupFolder: c:\docume~1\owner\startm~1\programs\startup\proces~1.lnk - c:\program files\process explorer\procexp.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~2.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbwebconnector\QBWebConnector.exe

IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

Trusted Zone: isqft.com\www

Trusted Zone: isqft.com\www

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1261091594480

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks enterprise solutions 8.0\HelpAsyncPluggableProtocol.dll

Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks enterprise solutions 8.0\HelpAsyncPluggableProtocol.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\p5p1979t.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-12-16 9968]

S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-12-16 74480]

S1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-1-3 486280]

S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-1-2 38224]

S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2007-6-18 550272]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-12-16 7408]

=============== Created Last 30 ================

2010-01-04 08:21:57 77312 ----a-w- C:\mbr.exe

2010-01-04 06:11:10 0 ----a-w- c:\documents and settings\owner\defogger_reenable

2010-01-04 04:16:37 217088 ----a-w- c:\windows\system32\aIPH.dll

2010-01-04 04:08:26 692224 ----a-w- c:\windows\system32\ANIWZCS2.dll

2010-01-04 04:08:26 49152 ----a-w- c:\windows\system32\JJAKEn.dll

2010-01-04 04:08:26 49152 ----a-w- c:\windows\system32\AQCKGen.dll

2010-01-04 04:08:26 45115 ----a-w- c:\windows\system32\ANICtl.dll

2010-01-04 04:08:26 262144 ----a-w- c:\windows\system32\wnicapi.dll

2010-01-04 04:08:26 245760 ----a-w- c:\windows\system32\WlanApp.dll

2010-01-04 04:08:26 1327189 ----a-w- c:\windows\system32\odSupp_M.dll

2010-01-04 04:08:09 48128 ----a-w- c:\windows\system32\ANIO64.sys

2010-01-04 04:08:09 36864 ----a-w- c:\windows\system32\ANIOApi.dll

2010-01-04 04:08:09 28195 ----a-w- c:\windows\system32\ANIO.sys

2010-01-04 04:08:09 16997 ----a-w- c:\windows\system32\ANIO.VXD

2010-01-04 04:08:09 11904 ----a-w- c:\windows\system32\anio4.sys

2010-01-04 01:58:06 4212 ---ha-w- c:\windows\system32\zllictbl.dat

2010-01-04 01:57:57 1238408 ----a-w- c:\windows\system32\zpeng25.dll

2010-01-04 01:57:57 0 d-----w- c:\windows\system32\ZoneLabs

2010-01-04 01:57:55 422437 ----a-w- c:\windows\system32\vsconfig.xml

2010-01-04 01:57:55 0 d-----w- c:\program files\Zone Labs

2010-01-04 01:56:40 0 d-----w- c:\windows\Internet Logs

2010-01-04 01:14:04 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2010-01-04 01:13:51 0 d-----w- c:\program files\SUPERAntiSpyware

2010-01-04 01:13:51 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com

2010-01-04 01:00:53 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll

2010-01-04 00:56:28 0 d-----w- c:\windows\ERUNT

2010-01-04 00:53:55 0 d-----w- C:\SDFix

2010-01-04 00:31:32 0 d-----w- c:\program files\common files\Wise Installation Wizard

2010-01-03 21:01:12 7 ----a-w- c:\windows\system32\ANIWZCSUSERNAME

2010-01-03 20:13:36 0 d--h--w- c:\windows\PIF

2010-01-03 20:01:06 0 d-----w- c:\program files\ANI

2010-01-03 20:00:56 0 d-----w- c:\program files\Airlink101

2010-01-03 05:29:13 98816 ----a-w- c:\windows\sed.exe

2010-01-03 05:29:13 77312 ----a-w- c:\windows\MBR.exe

2010-01-03 05:29:13 261632 ----a-w- c:\windows\PEV.exe

2010-01-03 05:29:13 161792 ----a-w- c:\windows\SWREG.exe

2010-01-02 22:31:42 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes

2010-01-02 22:31:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-02 22:31:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-01-02 22:31:33 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-02 22:31:33 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-02 21:56:17 0 d-----w- c:\program files\Process Explorer

2009-12-17 23:24:31 0 d--h--w- c:\windows\system32\GroupPolicy

2009-12-17 23:09:22 0 d-----w- c:\temp\produkey

2009-12-17 23:07:32 8086544 ----a-w- c:\temp\Firefox Setup 3.5.6.exe

2009-12-17 22:52:35 0 d-----w- c:\program files\CCleaner

2009-12-17 22:52:09 3326576 ----a-w- c:\temp\ccsetup226.exe

2009-12-17 22:49:36 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-12-17 21:30:59 0 d-----w- c:\program files\Windows Installer Clean Up

2009-12-17 21:30:43 359656 ----a-w- c:\temp\msicuu2.exe

2009-12-17 21:29:38 27386280 ----a-w- c:\temp\AdbeRdr920_en_US.exe

2009-12-17 21:22:34 0 d-----w- c:\windows\system32\appmgmt

2009-12-09 19:03:38 75776 -c----w- c:\windows\system32\dllcache\strmfilt.dll

2009-12-09 19:03:38 265728 -c----w- c:\windows\system32\dllcache\http.sys

2009-12-09 19:03:38 25088 -c----w- c:\windows\system32\dllcache\httpapi.dll

2009-12-09 19:03:35 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

2009-12-09 19:03:34 79872 -c----w- c:\windows\system32\dllcache\raschap.dll

2009-12-09 19:03:34 149504 -c----w- c:\windows\system32\dllcache\rastls.dll

2009-12-09 19:03:23 270336 -c----w- c:\windows\system32\dllcache\oakley.dll

==================== Find3M ====================

2009-10-29 07:46:59 832512 ------w- c:\windows\system32\wininet.dll

2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-10-29 07:46:50 17408 ----a-w- c:\windows\system32\corpol.dll

2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-19 21:06:40 223232 ------w- c:\windows\system32\wksprt.exe

2009-10-19 21:06:38 46080 ------w- c:\windows\system32\TSWbPrxy.exe

2009-10-19 21:06:38 36864 ------w- c:\windows\system32\tsgQec.dll

2009-10-19 21:06:38 12800 ------w- c:\windows\system32\wksprtPS.dll

2009-10-19 21:06:38 1033728 ----a-w- c:\windows\system32\mstsc.exe

2009-10-19 21:06:36 2689024 ----a-w- c:\windows\system32\mstscax.dll

2009-10-19 21:06:34 44544 ------w- c:\windows\system32\MsRdpWebAccess.dll

2009-10-19 21:06:34 130560 ------w- c:\windows\system32\aaclient.dll

2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

2009-10-08 22:57:02 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2009-10-08 22:57:00 220160 ----a-w- c:\windows\system32\oleacc.dll

2009-10-08 22:56:56 20480 ----a-w- c:\windows\system32\oleaccrc.dll

============= FINISH: 0:57:20.62 ===============

On 12/16, Symantec AV quarantined bloodhound.pdf.18; shortly after that the computer slowed down tremendously and Outlook had problems. DDS.txt says produkey shows up in c:\temp\ on 12/17; the owner claims she did not download it. Produkey has something to do with MS Office keys. However, from the time of day it appeared, I think it was probably used by the owner's other friend who helped retrieve some Outlook email etc. before shutting the computer down.

Symantec AV ran a startup scan on the morning of Dec 17th. I ran a full scan with Symantec (not updated) today and it quarantined produkey. (I then uninstalled Symantec, apparently successfully, thinking maybe it was preventing MBAM from running.)

Attach.txt shows Event Viewer Messages From Past Week, and DDS.txt shows Created Last 30; however, the computer was not used from 12/17/09 to Jan 2.

Attach.zip


OK, I finally managed to get my new USB wireless adapter to work on that computer. So I fired up Internet Explorer for the first time since I've had the computer here. It got redirected to two evil sites, and Nod32 (which I had installed without problem, although I could not install Avira or Avast) immediately caught some malware files and submitted them to Eset. Who knows what may have slipped past Nod32.

(The sites were specific pages at bitardhqpaid.com and maoospar.com, just FYI)

(Last time I had the computer access the internet, I used Firefox which did not get redirected, so I saw no clear evidence of a problem.)

So this IS MALWARE which was undetected by the other tools, and which managed to stop MBAM from running more than about 3 seconds. Be careful out there!


Bump - It has been 3 days since I originally posted

(But there are also some threads even older than this which haven't yet been addressed. Must be a lot of malware out there.)

While waiting, I also tried drweb-cureit.exe, and retried some of the tools I used before, nothing shows any specific malware that was obvious to me. (I'd be glad to run them again for you)

Though there are some unidentified toolbars in the log:

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File

and there may be other clues that I can't see.

Even though none of the tools I tried can ID the source of the problem, MSIE is getting redirected to malware sites, MBAM will only run for a couple seconds before it shuts down, and Avast & Avira were blocked from being installed.

thanks!

RT

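Two of the observations in this thread can be turned into a mechanical triage of the DDS log: the "TB: {CLSID} - No File" toolbar entries called out just above (a registered CLSID with no file behind it is an orphan worth pulling), and the earlier note that the machine was unused from 12/17/09 to Jan 2, which means any file in "Created Last 30" dated inside that window was not put there by the owner. The script below is an added example, my own code and not part of DDS or of anything posted in the thread. It splits a DDS log into its "=== name ===" sections, flags orphaned CLSID entries and Run values whose command has no directory (Windows resolves a bare name through the search path at logon, so such an entry is worth confirming by hand), and lists files created inside a given idle window. The sample log is constructed from lines quoted in the thread plus one made-up entry (example_constructed.dll) dated inside the idle window so the timeline check has something to find; the extension list used to cut the executable out of a Run command line is a heuristic.

```python
import re
from datetime import datetime

# Constructed excerpt of a DDS log: lines copied from the logs quoted in the
# thread, plus one made-up entry (example_constructed.dll) inside the idle window.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [VTTimer] VTTimer.exe
mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [soundMan] SOUNDMAN.EXE
mRun: [intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
=============== Created Last 30 ================
2010-01-04 08:21:57 77312 ----a-w- C:\mbr.exe
2009-12-24 03:15:00 49152 ----a-w- c:\windows\system32\example_constructed.dll
2009-12-17 23:09:22 0 d-----w- c:\temp\produkey
2009-12-09 19:03:38 75776 -c----w- c:\windows\system32\dllcache\strmfilt.dll
============= FINISH: 0:57:20.62 ===============
"""

# The poster states the machine was unused from 12/17/09 until Jan 2.
IDLE_START, IDLE_END = datetime(2009, 12, 18), datetime(2010, 1, 2)

SECTION_RE = re.compile(r'^=+ (.+?) =+$')
HJT_RE = re.compile(r'^(?P<kind>BHO|TB|uRun|mRun|StartupFolder|Notify|SSODL|SEH): (?P<rest>.*)$')
CREATED_RE = re.compile(r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+) (?P<attrs>\S{8}) (?P<path>.+)$')
EXE_RE = re.compile(r'"?(.+?\.(?:exe|dll|scr|com|bat))', re.I)  # heuristic: cut at first image extension


def split_sections(text):
    """Map each '=== name ===' DDS header to the non-blank lines under it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line)
    return sections


def flag_hjt(lines):
    """Flag orphaned CLSID entries ('No File') and Run values whose command
    carries no directory, so the name is resolved via the search path at logon."""
    findings = []
    for line in lines:
        m = HJT_RE.match(line)
        if not m:
            continue
        kind, rest = m.group('kind'), m.group('rest')
        if rest.endswith(' - No File'):
            findings.append(('orphaned', kind, rest.split(' - ')[0]))
        elif kind in ('uRun', 'mRun'):
            cmd = rest.split('] ', 1)[1]  # drop the "[value name] " prefix
            exe_m = EXE_RE.match(cmd)
            exe = exe_m.group(1) if exe_m else cmd
            if '\\' not in exe:
                findings.append(('unresolved path', kind, exe))
    return findings


def flag_created_in_window(lines, start, end):
    """Return (timestamp, path) for 'Created Last 30' entries inside [start, end]."""
    hits = []
    for line in lines:
        m = CREATED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group('ts'), '%Y-%m-%d %H:%M:%S')
        if start <= ts <= end:
            hits.append((m.group('ts'), m.group('path')))
    return hits


def triage(text, idle_start, idle_end):
    sections = split_sections(text)
    return {
        'hjt': flag_hjt(sections.get('Pseudo HJT Report', [])),
        'idle_window': flag_created_in_window(sections.get('Created Last 30', []),
                                              idle_start, idle_end),
    }


def run_sample():
    return triage(SAMPLE_DDS, IDLE_START, IDLE_END)


if __name__ == '__main__':
    for key, items in run_sample().items():
        print(key)
        for item in items:
            print('  ', item)
```

Neither flag is a verdict: VTTimer.exe and SOUNDMAN.EXE are ordinary OEM driver helpers that simply live in the system directory, and the orphaned toolbar CLSIDs may be leftovers of an uninstalled add-on. The point is to reduce a 300-line log to the handful of entries that need a human to check the registry key and the file on disk.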

A couple more clues:

Sophos antirootkit scanner found only one item:

Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi9

This suggests TSPY_KATES.SMOD, apparently.

Trend Micro Housecall found only one item:

C:\Documents and Settings\Owner\Local Settings\temp\ghv.old

which it said was cryp_kates

"This is the Trend Micro heuristic detection for suspicious files that manifest similar behavior and characteristics as the following malware:

TSPY_KATES "

I left both of these alone; I need to go back and deal with them.


  • Root Admin

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:
    (screenshots: CF_download_FF.gif, CF_download_rename.gif)
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method as above, but rename Combofix.exe to iexplore.exe instead, or winlogon.exe.

This is because it also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, and this whitelist also includes important system processes such as iexplore.exe, explorer.exe, winlogon.exe...


combofix.txt followed by HijackThis.log

==========================================

ComboFix 10-01-04.01 - Owner 01/10/2010 17:52:41.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.575 [GMT -8:00]

Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe

AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\1.tmp

c:\windows\system32\2.tmp

.

((((((((((((((((((((((((( Files Created from 2009-12-11 to 2010-01-11 )))))))))))))))))))))))))))))))

.

2010-01-08 03:28 . 2009-08-07 03:23 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-01-08 02:13 . 2010-01-08 02:13 -------- d-----w- c:\program files\Sophos

2010-01-08 01:06 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-08 01:06 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-08 01:06 . 2010-01-08 01:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-06 03:29 . 2010-01-06 03:29 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET

2010-01-06 03:24 . 2010-01-06 03:24 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-01-05 22:48 . 2010-01-05 22:48 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-01-05 18:33 . 2010-01-05 18:33 -------- d-----w- c:\program files\Realtek AC97

2010-01-04 22:11 . 2010-01-04 22:11 -------- d-----w- c:\program files\ESET

2010-01-04 22:11 . 2010-01-04 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET

2010-01-04 09:39 . 2010-01-04 09:39 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-01-04 08:21 . 2010-01-04 08:14 77312 ----a-w- C:\mbr.exe

2010-01-04 04:16 . 2007-11-22 02:36 217088 ----a-w- c:\windows\system32\aIPH.dll

2010-01-04 04:08 . 2008-01-02 18:24 692224 ----a-w- c:\windows\system32\ANIWZCS2.dll

2010-01-04 04:08 . 2007-12-11 23:36 245760 ----a-w- c:\windows\system32\WlanApp.dll

2010-01-04 04:08 . 2007-10-09 03:13 262144 ----a-w- c:\windows\system32\wnicapi.dll

2010-01-04 04:08 . 2006-09-26 21:49 45115 ----a-w- c:\windows\system32\ANICtl.dll

2010-01-04 04:08 . 2005-10-27 16:55 49152 ----a-w- c:\windows\system32\JJAKEn.dll

2010-01-04 04:08 . 2005-10-20 02:19 49152 ----a-w- c:\windows\system32\AQCKGen.dll

2010-01-04 04:08 . 2005-10-20 02:19 1327189 ----a-w- c:\windows\system32\odSupp_M.dll

2010-01-04 04:08 . 2007-11-22 02:46 36864 ----a-w- c:\windows\system32\ANIOApi.dll

2010-01-04 04:08 . 2007-05-13 00:39 48128 ----a-w- c:\windows\system32\ANIO64.sys

2010-01-04 04:08 . 2007-05-13 00:39 28195 ----a-w- c:\windows\system32\ANIO.sys

2010-01-04 04:08 . 2007-05-13 00:39 11904 ----a-w- c:\windows\system32\anio4.sys

2010-01-04 01:58 . 2010-01-04 01:58 4212 ---ha-w- c:\windows\system32\zllictbl.dat

2010-01-04 01:58 . 2009-11-22 23:42 69000 ----a-w- c:\windows\system32\zlcomm.dll

2010-01-04 01:58 . 2009-11-22 23:42 103816 ----a-w- c:\windows\system32\zlcommdb.dll

2010-01-04 01:57 . 2010-01-04 01:58 -------- d-----w- c:\windows\system32\ZoneLabs

2010-01-04 01:57 . 2009-11-22 23:42 1238408 ----a-w- c:\windows\system32\zpeng25.dll

2010-01-04 01:57 . 2010-01-04 01:57 -------- d-----w- c:\program files\Zone Labs

2010-01-04 01:56 . 2010-01-11 01:58 -------- d-----w- c:\windows\Internet Logs

2010-01-04 01:14 . 2010-01-06 03:24 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-01-04 01:14 . 2010-01-04 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-01-04 01:13 . 2010-01-05 22:49 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-01-04 01:13 . 2010-01-04 01:13 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com

2010-01-04 01:00 . 2010-01-04 01:00 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll

2010-01-04 00:56 . 2010-01-04 00:56 -------- d-----w- c:\windows\ERUNT

2010-01-03 20:13 . 2010-01-03 20:13 -------- d--h--w- c:\windows\PIF

2010-01-03 20:01 . 2010-01-04 04:08 -------- d-----w- c:\program files\ANI

2010-01-03 20:00 . 2010-01-04 04:15 -------- d-----w- c:\program files\Airlink101

2010-01-02 22:31 . 2010-01-08 01:06 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2010-01-02 22:31 . 2010-01-08 01:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-01-02 21:56 . 2010-01-02 21:57 -------- d-----w- c:\program files\Process Explorer

2009-12-17 23:24 . 2009-12-17 23:24 -------- d--h--w- c:\windows\system32\GroupPolicy

2009-12-17 23:19 . 2009-12-17 23:19 -------- d-----w- c:\windows\system32\zh-TW

2009-12-17 23:09 . 2010-01-03 11:05 -------- d-----w- c:\temp\produkey

2009-12-17 23:07 . 2009-12-17 23:07 8086544 ----a-w- c:\temp\Firefox Setup 3.5.6.exe

2009-12-17 22:52 . 2009-12-17 22:52 -------- d-----w- c:\program files\CCleaner

2009-12-17 22:52 . 2009-12-17 22:52 3326576 ----a-w- c:\temp\ccsetup226.exe

2009-12-17 22:49 . 2009-12-17 22:49 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-12-17 22:48 . 2009-12-17 22:48 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2009-12-17 22:46 . 2009-12-17 22:46 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2009-12-17 21:31 . 2009-12-17 21:31 3584 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe

2009-12-17 21:30 . 2009-12-17 21:31 -------- d-----w- c:\program files\Windows Installer Clean Up

2009-12-17 21:30 . 2009-12-17 21:30 359656 ----a-w- c:\temp\msicuu2.exe

2009-12-17 21:29 . 2009-12-10 21:11 27386280 ----a-w- c:\temp\AdbeRdr920_en_US.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-08 04:13 . 2010-01-04 03:08 5594367 ----a-w- c:\windows\Internet Logs\tvDebug.Zip

2010-01-05 21:22 . 2005-07-29 12:28 -------- d-----w- c:\program files\AvRack

2010-01-04 04:17 . 2005-07-29 12:12 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-12-17 22:50 . 2005-07-29 12:25 -------- d-----w- c:\program files\Common Files\AOL

2009-12-17 22:50 . 2005-07-29 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL

2009-12-17 22:48 . 2005-07-29 12:24 -------- d-----w- c:\program files\Java

2009-12-17 22:46 . 2005-07-29 12:15 -------- d-----w- c:\program files\Google

2009-12-17 21:33 . 2005-07-29 12:28 -------- d-----w- c:\program files\Common Files\Adobe

2009-12-17 21:30 . 2008-08-04 17:30 -------- d-----w- c:\program files\MSECache

2009-12-08 12:02 . 2009-12-08 12:02 -------- d-----w- c:\program files\Microsoft Silverlight

2009-12-04 01:47 . 2009-11-23 16:53 -------- d-----w- c:\documents and settings\Owner\Application Data\Costco Photo Organizer

2009-12-02 10:31 . 2009-02-11 22:29 869664 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 9.0\Components\DownloadQB19\EPatch\qbpatch.exe

2009-11-30 16:39 . 2009-02-11 22:29 205576 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 9.0\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe

2009-11-30 16:39 . 2009-02-11 22:29 1087752 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 9.0\Components\SyncMgr\OCD\IntuitSyncManager.exe

2009-11-30 16:39 . 2009-08-12 07:44 852784 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 9.0\Components\SyncMgr\OCD\dblgen11.dll

2009-11-30 16:39 . 2009-08-12 07:44 2168112 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 9.0\Components\SyncMgr\OCD\iAnywhere.Data.SQLAnywhere.dll

2009-11-24 12:04 . 2009-11-24 12:04 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2

2009-11-23 17:00 . 2009-11-23 16:59 -------- d-----w- c:\documents and settings\Owner\Application Data\Printer Info Cache

2009-11-23 16:53 . 2009-11-23 16:53 -------- d-----w- c:\program files\Common Files\HP

2009-11-23 16:53 . 2009-11-23 16:53 -------- d-----w- c:\program files\Costco

2009-11-23 16:52 . 2009-11-23 16:49 -------- d-----w- c:\documents and settings\Owner\Application Data\Costco Photo Viewer US

2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll

2009-11-17 12:03 . 2009-11-17 12:03 -------- d-----w- c:\program files\Windows Media Connect 2

2009-11-16 17:06 . 2009-11-16 17:06 96408 ----a-w- c:\windows\system32\drivers\epfwtdir.sys

2009-11-16 17:03 . 2009-11-16 17:03 108792 ----a-w- c:\windows\system32\drivers\ehdrv.sys

2009-11-16 16:56 . 2009-11-16 16:56 116520 ----a-w- c:\windows\system32\drivers\eamon.sys

2009-11-06 09:01 . 2009-08-12 07:44 787760 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 9.0\Components\SyncMgr\OCD\Sybase10\dblgen10.dll

2009-11-06 09:01 . 2009-08-12 07:44 763184 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 9.0\Components\SyncMgr\OCD\Sybase10\dblib10.dll

2009-11-06 09:01 . 2009-08-12 07:44 570672 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 9.0\Components\SyncMgr\OCD\Sybase10\mlhttps10.dll

2009-11-06 09:01 . 2009-08-12 07:44 496944 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 9.0\Components\SyncMgr\OCD\Sybase10\mlrsa10.dll

2009-11-06 09:01 . 2009-08-12 07:44 423216 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 9.0\Components\SyncMgr\OCD\Sybase10\dbmlsync.exe

2009-11-06 09:01 . 2009-08-12 07:44 398640 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 9.0\Components\SyncMgr\OCD\Sybase10\dbcon10.dll

2009-11-06 09:01 . 2009-08-12 07:44 296240 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 9.0\Components\SyncMgr\OCD\Sybase10\mlsock10.dll

2009-11-06 09:01 . 2009-08-12 07:44 263472 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 9.0\Components\SyncMgr\OCD\Sybase10\mlcrsa10.dll

2009-11-06 09:01 . 2009-08-12 07:44 1152304 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 9.0\Components\SyncMgr\OCD\Sybase10\dbtool10.dll

2009-10-29 07:46 . 2004-08-04 12:00 832512 ------w- c:\windows\system32\wininet.dll

2009-10-29 07:46 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-10-29 07:46 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll

2009-10-21 05:38 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-20 16:20 . 2004-08-04 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys

2009-10-19 21:06 . 2009-10-19 21:06 223232 ------w- c:\windows\system32\wksprt.exe

2009-10-19 21:06 . 2009-10-19 21:06 46080 ------w- c:\windows\system32\TSWbPrxy.exe

2009-10-19 21:06 . 2009-10-19 21:06 12800 ------w- c:\windows\system32\wksprtPS.dll

2009-10-19 21:06 . 2008-09-04 18:11 36864 ------w- c:\windows\system32\tsgQec.dll

2009-10-19 21:06 . 2004-08-26 18:00 1033728 ----a-w- c:\windows\system32\mstsc.exe

2009-10-19 21:06 . 2004-08-26 18:00 2689024 ----a-w- c:\windows\system32\mstscax.dll

2009-10-19 21:06 . 2009-10-19 21:06 44544 ------w- c:\windows\system32\MsRdpWebAccess.dll

2009-10-19 21:06 . 2008-09-04 18:08 130560 ------w- c:\windows\system32\aaclient.dll

2009-10-13 10:30 . 2004-08-04 12:00 270336 ----a-w- c:\windows\system32\oakley.dll

2001-12-04 00:09 . 2008-08-28 18:35 90112 ----a-w- c:\program files\internet explorer\plugins\DjVuControl.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-17 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-15 966656]

"PostCopy"="c:\windows\system32\Belkin\F5U109\PostCopy.exe" [2001-07-26 20480]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-17 149280]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"VTTimer"="VTTimer.exe" [2005-03-08 53248]

"VTTrayp"="VTtrayp.exe" [2005-03-12 147456]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-07-29 98304]

"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

"SoundMan"="SOUNDMAN.EXE" [2005-05-13 67584]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]

"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]

"Airlink101 Airlink101 WLAN Monitor"="c:\program files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe" [2007-12-01 1949696]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-11-16 2054360]

c:\documents and settings\Owner\Start Menu\Programs\Startup\

Process Explorer.lnk - c:\program files\Process Explorer\procexp.exe [2010-1-2 3550592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk

backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

2004-11-03 21:03 125528 ----a-w- c:\program files\Common Files\AOL\1122639952\EE\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

2004-11-03 03:24 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]

2004-11-15 22:04 135168 ----a-w- c:\program files\Digital Media Reader\shwiconEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]

2005-03-08 10:33 53248 ----a-w- c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]

2005-03-12 00:33 147456 ----a-w- c:\windows\system32\VTTrayp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Common Files\\AOL\\1122639952\\EE\\AOLServiceHost.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [11/16/2009 9:03 AM 108792]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [11/16/2009 9:06 AM 96408]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/16/2009 4:26 PM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/16/2009 4:26 PM 74480]

R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [11/16/2009 9:04 AM 735960]

R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [6/18/2007 1:25 PM 550272]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/16/2009 4:27 PM 7408]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

Trusted Zone: isqft.com\www

Trusted Zone: isqft.com\www

Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks Enterprise Solutions 8.0\HelpAsyncPluggableProtocol.dll

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\p5p1979t.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)

MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-10 18:02

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\3.tmp"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)

c:\windows\system32\wininet.dll

c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(620)

c:\windows\system32\wininet.dll

.

Completion time: 2010-01-10 19:21:45

ComboFix-quarantined-files.txt 2010-01-11 03:21

Pre-Run: 117,243,002,880 bytes free

Post-Run: 117,236,133,888 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - A417740FDE11007BB52F89769DA9B113

==============================================

==============================================

Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 8:25:55 PM, on 1/10/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16945)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\system32\VTtrayp.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Process Explorer\procexp.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe

O4 - HKLM\..\Run: [PostCopy] C:\WINDOWS\system32\Belkin\F5U109\PostCopy.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

O4 - HKLM\..\Run: [Airlink101 Airlink101 WLAN Monitor] C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - Startup: Process Explorer.lnk = C:\Program Files\Process Explorer\procexp.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O4 - Global Startup: QuickBooks Web Connector.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1261091594480

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fbdomain.net

O17 - HKLM\Software\..\Telephony: DomainName = fbdomain.net

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fbdomain.net

O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks Enterprise Solutions 8.0\HelpAsyncPluggableProtocol.dll

O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks Enterprise Solutions 8.0\HelpAsyncPluggableProtocol.dll

O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe

O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--

End of file - 7871 bytes


  • Root Admin

Are you using the Anti-Virus portion of ZoneAlarm or just the firewall?

You have portions of Sophos AV also running. You should only have 1 Anti-Virus program installed.

Please run the following.

You may have corrupted files on your disk. Please try running the following.

First close ALL Applications as this routine will automatically restart your computer.

Click on START - RUN and copy / paste the following entry into the box and click OK

CMD /C ECHO Y|CHKDSK C: /R | SHUTDOWN /R /T 30

That should restart the computer and run a Disk Check for you. If disk check does not run in a DOS screen please let me know.

After it comes back up then run the following. Temporarily disable your Anti-Virus.

Please try this on the computer that is having an issue.

1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.

2. Restart your computer (very important).

3. Download and run this utility. mbam-clean.exe

4. It will ask to restart your computer (please allow it to).

5. After the computer restarts, install the latest version from here. mbam-setup.exe

Note: You will need to reactivate the program using the license you were sent.

Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.

Restart the computer again and verify that MBAM is in the task tray, that you can run a quick scan, and that all is working as expected; if possible, post back the log.

Make sure to re-enable your Anti-Virus.


It's a huge relief to have the recovery console installed; please thank the ComboFix author for that! ...as well as for the whole rest of ComboFix.

I'm using only the ZoneAlarm firewall, not the antivirus program.

I ran a Sophos anti-rootkit scan recently, but do not have it running now as far as I know; there are no Sophos processes running that I can see. I assumed the Sophos entry

c:\program files\Sophos

was left over from the rootkit scan. What shows that it's still running?

Re checkdisk: for some reason DOS screens don't open or stay open in normal mode on this computer, so that didn't work; I started it in safe mode instead.

Will respond with results when it's done; it's now starting stage 4 of 5.

thanks

(I'm betting MBAM still won't run more than a couple seconds; we'll see. Because I'm still blocked from the Avira website; & Avira & Avast still can't be installed. Also, I can't update the trial version of NOD32 that I just installed, though that might conceivably be because registration is required for updates, and the trial version can't register? But that wouldn't seem to be an effective trial version, right? So NOD32 is still running on the December 2009 definitions that it downloaded with. The only items it's finding on the hard drive are the anti-malware tools I've used. But it did intercept some malware that MSIE downloaded when it was redirected a couple days ago.)


After chkdsk there's a new file, c:\pagefile.sys, 3,145,728 Kb. What can be done to recover lost files? (Probably they aren't critical, though.)

After uninstalling MBAM, rebooting, running the clean program, rebooting, reinstalling MBAM,

it still won't stay running for longer than a few seconds. This time it stayed running long enough to connect and BEGIN downloading an update, but it shut down before finishing.

So I have no log to post.


  • Root Admin

Okay please download the random GMER file from here: http://www.gmer.net/

Then run it. Don't scan anything, just let it run by itself for a minute and it should return something. Try to write down what it says or take a screen shot.

If it just will not run then try this other one.

RootRepeal - Rootkit Detector

Close ALL applications and as many items in the task tray as will stop and exit.

  • Please download the following tool: RootRepeal - Rootkit Detector

  • Direct download link is here: RootRepeal.rar

  • If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR

  • Extract the program file to a new folder such as C:\RootRepeal

  • Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.

  • Select ALL of the checkboxes and then click OK and it will start scanning your system.

  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.

  • When done, click on Save Report.

  • Save it to the same location where you ran it from, such as C:\RootRepeal

  • Save it as your_name_rootrepeal.txt - where your_name is your forum name.

  • This makes it easier to track who the log belongs to.

  • Then open that log and select all and copy/paste it back on your next reply please.

  • Quit the RootRepeal program.


GMER screenshot.JPG is attached (just run, no scan). I thought GMER had finished what it was doing, but wasn't completely sure.

Here's content of RRTT_RootRepeal.txt:

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2010/01/11 00:32

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xF449F000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF7AFE000 Size: 8192 File Visible: No Signed: -

Status: -

Name: PROCEXP113.SYS

Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS

Address: 0xF7B46000 Size: 7872 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xF64B1000 Size: 49152 File Visible: No Signed: -

Status: -

SSDT

-------------------

#: 019 Function Name: NtAssignProcessToJobObject

Status: Hooked by "<unknown>" at address 0x85c7f8a0

#: 031 Function Name: NtConnectPort

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf46df630

#: 037 Function Name: NtCreateFile

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf46d8d80

#: 041 Function Name: NtCreateKey

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf46fd070

#: 046 Function Name: NtCreatePort

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf46dfe40

#: 047 Function Name: NtCreateProcess

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf46f6d30

#: 048 Function Name: NtCreateProcessEx

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf46f7150

#: 050 Function Name: NtCreateSection

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf4701240

#: 056 Function Name: NtCreateWaitablePort

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf46dffb0

#: 062 Function Name: NtDeleteFile

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf46d9c60

#: 063 Function Name: NtDeleteKey

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf46fe780

#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf46fe160

#: 068 Function Name: NtDuplicateObject

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf46f5e70

#: 098 Function Name: NtLoadKey

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf46ff080

#: 099 Function Name: NtLoadKey2

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf46ff2b0

#: 116 Function Name: NtOpenFile

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf46d9750

#: 122 Function Name: NtOpenProcess

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf46f9450

#: 128 Function Name: NtOpenThread

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf46f9020

#: 192 Function Name: NtRenameKey

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf4700430

#: 193 Function Name: NtReplaceKey

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf46ffa40

#: 200 Function Name: NtRequestWaitReplyPort

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf46df180

#: 204 Function Name: NtRestoreKey

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf47000d0

#: 210 Function Name: NtSecureConnectPort

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf46df910

#: 224 Function Name: NtSetInformationFile

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf46da080

#: 237 Function Name: NtSetSecurityObject

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf47008e0

#: 247 Function Name: NtSetValueKey

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf46fd970

#: 253 Function Name: NtSuspendProcess

Status: Hooked by "<unknown>" at address 0x85c7f6d0

#: 254 Function Name: NtSuspendThread

Status: Hooked by "<unknown>" at address 0x85c7f4f0

#: 255 Function Name: NtSystemDebugControl

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf46f7d20

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xf466d0b0

#: 258 Function Name: NtTerminateThread

Status: Hooked by "<unknown>" at address 0x85c7f310

Stealth Objects

-------------------

Object: Hidden Code [ETHREAD: 0x85dac448]

Process: System Address: 0x85c7d930 Size: 1000

Shadow SSDT

-------------------

#: 460 Function Name: NtUserMessageCall

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf46ddd80

#: 475 Function Name: NtUserPostMessage

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf46ddee0

#: 476 Function Name: NtUserPostThreadMessage

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf46de030

#: 491 Function Name: NtUserRegisterRawInputDevices

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf46db710

#: 502 Function Name: NtUserSendInput

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf46de470

==EOF==

I'll be back Monday AM; thanks!

post-28813-1263199446_thumb.jpg


  • Root Admin

It looks like ZoneAlarm may be interfering with the reading of this.

Please temporarily uninstall ZoneAlarm (make sure you backup your settings and have a copy of your key to re-install).

Then also disable your Anti-Virus and run a new scan with both Root Repeal and GMER and send back either logs or screen shot if needed.

Thanks.

Once that's done re-enable your AV and for now just use the built-in Windows firewall. Once we're all done you can re-install ZoneAlarm.

I may have to have you run Combofix again though to remove the Sophos if it's still there, but we'll get to that next.


I uninstalled the Sophos anti-rootkit program and deleted c:\Program Files\Sophos.

I uninstalled ZoneAlarm and followed up by following the directions here, except I did not alter the registry:

http://server.iad.liveperson.net/hc/s-2846...amp;action=view

As I was deleting files in %temp%, the entry for ghv.old disappeared for a split second then reappeared.

See my earlier post where this file suggested

cryp_kates - "This is the Trend Micro heuristic detection for suspicious files that manifest similar behavior and characteristics as the following malware: TSPY_KATES "

I also exited SuperAntiSpyware and disabled Nod32 before doing the scans you asked for.

Screenshot of GMER result is attached, RootRepeal log is below:

======================================

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2010/01/11 18:45

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xF599F000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF7AE4000 Size: 8192 File Visible: No Signed: -

Status: -

Name: PROCEXP113.SYS

Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS

Address: 0xF7B38000 Size: 7872 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xEC82C000 Size: 49152 File Visible: No Signed: -

Status: -

SSDT

-------------------

#: 019 Function Name: NtAssignProcessToJobObject

Status: Hooked by "<unknown>" at address 0x85d9d8a0

#: 122 Function Name: NtOpenProcess

Status: Hooked by "<unknown>" at address 0x85d9ccb0

#: 128 Function Name: NtOpenThread

Status: Hooked by "<unknown>" at address 0x85d9d0d0

#: 253 Function Name: NtSuspendProcess

Status: Hooked by "<unknown>" at address 0x85d9d6d0

#: 254 Function Name: NtSuspendThread

Status: Hooked by "<unknown>" at address 0x85d9d4f0

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xf5b2e0b0

#: 258 Function Name: NtTerminateThread

Status: Hooked by "<unknown>" at address 0x85d9d310

Stealth Objects

-------------------

Object: Hidden Code [ETHREAD: 0x85ff3020]

Process: System Address: 0x85d9b930 Size: 1000

==EOF==

[Attachment: GMER screenshot, post-28813-1263265392_thumb.jpg]

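Added example, not the poster's code and not something RootRepeal itself produces: a Python script that parses the SSDT section of a RootRepeal log in the layout posted above (the excerpt embedded in the script is constructed from the posted entries) and separates hooks that RootRepeal attributes to a named driver file from those it can only label "<unknown>". An unattributed hook points at memory no loaded driver image accounts for, and in the log above the six such hooks fall on the services used to open, suspend and terminate processes and threads, the set a self-protecting infection hooks to keep tools off its process; the one hook owned by SASKUTIL.sys is the installed SUPERAntiSpyware driver. The function names, the "protection set" and the address-spread heuristic are this example's own choices.

```python
"""Triage the SSDT section of a RootRepeal log.

Added example, not part of the thread. The log excerpt is constructed from
the entries posted above. It answers what a responder asks of such a log:
which hooks does the tool fail to attribute to any loaded driver image, and
do they cover the process-protection services?
"""
import re
from collections import namedtuple

SsdtHook = namedtuple("SsdtHook", "number function owner address")

# Services self-protecting malware hooks so tools cannot open, suspend or
# terminate its process or threads (this example's own list).
PROCESS_PROTECTION_SERVICES = frozenset({
    "NtOpenProcess", "NtOpenThread",
    "NtSuspendProcess", "NtSuspendThread",
    "NtTerminateProcess", "NtTerminateThread",
    "NtAssignProcessToJobObject",
})

# Constructed excerpt in RootRepeal's own layout (blank line between records).
SAMPLE_LOG = r"""
SSDT
-------------------
#: 019 Function Name: NtAssignProcessToJobObject

Status: Hooked by "<unknown>" at address 0x85d9d8a0

#: 122 Function Name: NtOpenProcess

Status: Hooked by "<unknown>" at address 0x85d9ccb0

#: 128 Function Name: NtOpenThread

Status: Hooked by "<unknown>" at address 0x85d9d0d0

#: 253 Function Name: NtSuspendProcess

Status: Hooked by "<unknown>" at address 0x85d9d6d0

#: 254 Function Name: NtSuspendThread

Status: Hooked by "<unknown>" at address 0x85d9d4f0

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xf5b2e0b0

#: 258 Function Name: NtTerminateThread

Status: Hooked by "<unknown>" at address 0x85d9d310

Stealth Objects
-------------------
"""

# One record = "#: nnn Function Name: X" followed by its "Status: Hooked by" line.
HOOK_RE = re.compile(
    r'#:\s*(\d+)\s+Function Name:\s*(\w+)\s+'
    r'Status:\s*Hooked by "([^"]*)" at address 0x([0-9a-fA-F]+)'
)


def parse_ssdt_hooks(log_text):
    """Return every 'Hooked by' record in the log as an SsdtHook."""
    return [
        SsdtHook(int(m.group(1)), m.group(2), m.group(3), int(m.group(4), 16))
        for m in HOOK_RE.finditer(log_text)
    ]


def triage_hooks(hooks):
    """Separate hooks owned by a named driver file from unattributed ones.

    A hook RootRepeal cannot map to a loaded image ("<unknown>") jumps into
    memory that no driver file accounts for: injected kernel code rather
    than an installed security product.
    """
    unattributed = [h for h in hooks if h.owner == "<unknown>"]
    attributed = [h for h in hooks if h.owner != "<unknown>"]
    protected = {h.function for h in unattributed} & PROCESS_PROTECTION_SERVICES
    addrs = [h.address for h in unattributed]
    return {
        "unattributed": [h.function for h in unattributed],
        "attributed_owners": sorted({h.owner for h in attributed}),
        "protection_services_hooked": sorted(protected),
        # Distance between the lowest and highest unattributed target; a few
        # KB means they all live in one allocated blob.
        "address_spread": (max(addrs) - min(addrs)) if addrs else 0,
        "verdict": "suspicious" if unattributed else "clean",
    }


if __name__ == "__main__":
    for key, value in triage_hooks(parse_ssdt_hooks(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against a full RootRepeal log the script only needs the SSDT section to be present; a clean machine with a security product installed yields hooks whose owner is a .sys path, and a "clean" verdict with a non-empty attributed_owners list.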

  • Root Admin

My mistake. This actually looks more like the Daonol infection; I overlooked it, and my mentor Mieke helped me out here.

Reconfigure Windows XP to show hidden files:

To enable the viewing of Hidden files follow these steps:

* Close all programs so that you are at your desktop.

* Double-click on the My Computer icon.

* Select the Tools menu and click Folder Options.

* After the new window appears select the View tab.

* Put a checkmark in the checkbox labeled Display the contents of system folders.

* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.

* Remove the checkmark from the checkbox labeled Hide protected operating system files.

* Press the Apply button and then the OK button and exit My Computer.

* Now your computer is configured to show all hidden files.

Please zip up this file: C:\Documents and Settings\Owner\Local Settings\temp\ghv.old

and attach it in your next reply.

Then AFTER you zip up a copy for me and save it, run the following.

**************************************************************

* Open hijackthis, click 'config' (bottom right)

Choose the tab 'misc Tools' on top.

Choose 'delete a file on reboot'

In the field, copy and paste next:

C:\Documents and Settings\Owner\Local Settings\temp\ghv.old

Click open.

Hijackthis will tell you that this file will be deleted on next reboot and ask if you want to reboot now. Click Yes/OK.

Your system should reboot now.

**************************************************************

Then after reboot open Regedit and browse to this key and see if you can see it and remove it.

If not then let me know.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi9

Make sure you only remove the midi9 key in the Registry and no others.

**************************************************************

Then we'll finish up with some other scans to make sure you're clean

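As an added example (not the responder's procedure and not something run on the poster's machine), the Regedit check above can be done against a `reg export` of the Drivers32 key, which is easier to review and to keep as evidence. Drivers32 lists the modules Windows' multimedia layer (winmm.dll) loads on behalf of processes that use the multimedia APIs, so a value pointing at an arbitrary file gets that file loaded into many processes with no Run key to show for it; midi9 is a value under that key, not a subkey. The .reg excerpt in the script is constructed (the first five values are typical XP defaults), the midi9 value is assumed to point at the ghv.old file named in the thread as the removal steps imply, and the "allowed extension" and "must live in system32" rules are this example's own heuristics. The `reg delete ... /v ... /f` syntax is standard reg.exe.

```python
"""Audit the Drivers32 key for a module that does not belong there.

Added example, not from the thread. Parses 'reg export' output (constructed
below; the midi9 value is assumed to be the ghv.old file from the thread),
flags values that are not a normal multimedia driver module, and emits the
reg.exe command that removes exactly that one value.
"""
import ntpath
import re

DRIVERS32_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"

# Module types that legitimately appear under Drivers32 (example's own list).
ALLOWED_EXTENSIONS = frozenset({".dll", ".drv", ".acm"})

# Constructed 'reg export' output; .reg files escape backslashes as '\\'.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"midi"="wdmaud.drv"
"wave"="wdmaud.drv"
"vidc.cvid"="iccvid.dll"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"midi9"="C:\\Documents and Settings\\Owner\\Local Settings\\temp\\ghv.old"
"""

# "name"="string" lines only; binary/dword values are ignored by this parser.
REG_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg escaping of backslash and double quote."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text):
    """Map each [key] in a .reg export to a dict of its string values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = REG_VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def triage_drivers32(values, system32=r"C:\WINDOWS\system32"):
    """Return {value_name: [reasons]} for entries that look out of place."""
    sys32_prefix = ntpath.normcase(system32) + "\\"
    findings = {}
    for name, module in values.items():
        reasons = []
        ext = ntpath.splitext(module)[1].lower()
        if ext not in ALLOWED_EXTENSIONS:
            reasons.append(f"extension {ext!r} is not a multimedia driver type")
        # A bare filename resolves from system32; an absolute path should
        # point there as well, not into a user profile or temp directory.
        if ntpath.isabs(module) and not ntpath.normcase(module).startswith(sys32_prefix):
            reasons.append(f"absolute path outside {system32}")
        if reasons:
            findings[name] = reasons
    return findings


def removal_command(value_name):
    """reg.exe command that deletes one Drivers32 value and nothing else."""
    hive_short = DRIVERS32_KEY.replace("HKEY_LOCAL_MACHINE", "HKLM")
    return f'reg delete "{hive_short}" /v {value_name} /f'


if __name__ == "__main__":
    drivers32 = parse_reg_export(SAMPLE_REG_EXPORT)[DRIVERS32_KEY]
    for name, reasons in triage_drivers32(drivers32).items():
        print(f"{name} = {drivers32[name]}")
        for reason in reasons:
            print(f"    - {reason}")
        print("    " + removal_command(name))
```

On a live XP box the export comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" drivers32.reg`; keep that file with the zipped sample, since it records the exact value the infection used. The script deliberately flags only the offending value rather than touching the key, matching the responder's warning to remove midi9 and nothing else.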

Thank Mieke!

MBAM ran, updated, did not find anything

=============================

Malwarebytes' Anti-Malware 1.44

Database version: 3546

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

1/12/2010 1:36:52 AM

mbam-log-2010-01-12 (01-36-52).txt

Scan type: Quick Scan

Objects scanned: 117209

Time elapsed: 7 minute(s), 59 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


This topic is now closed to further replies.