
Trojan keeps coming back when explorer/firefox opens



Dear Malwarebytes

Please help. We have had a terribly persistent trojan (or trojans) that we can't seem to get off the machine. MBAM finds and clears it no trouble, but then as soon as explorer or firefox opens, everything gets infected again. We've tried many different programmes but nothing seems to shift it.

Here are some of the MBAM logs, spanning our complete misery from the last three days, and I've added the DDS text at the end along with an attached report. However, I cannot get GMER Rootkit to run - it crashed twice, once with the blue screen and the second time it just froze. I did manage to see lots of files on the frozen screenshot that looked scary, with host intrusion listed, such as \SystemRoot\system32\drivers\mfehidk.sys [HostIntrusionDetect], that I can list if needed.

Please please help.

>>>>>>>>>>>>>>>>>>>>>>

Malwarebytes' Anti-Malware 1.44

Database version: 3904

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

23/03/2010 15:41:16

mbam-log-2010-03-23 (15-41-16).txt

Scan type: Quick Scan

Objects scanned: 151543

Time elapsed: 10 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 9

Registry Values Infected: 2

Registry Data Items Infected: 6

Folders Infected: 1

Files Infected: 9

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\rxup.rko (Backdoor.Bot) -> Delete on reboot.

Registry Keys Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\idid (Trojan.Sasfix) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nonep (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Zbot) -> Data: system32\sdra64.exe -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe rxup.rko jrgsvde) Good: (Explorer.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Maiken\Application Data\sdra64.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:

C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:

C:\WINDOWS\system32\rxup.rko (Backdoor.Bot) -> Delete on reboot.

C:\Documents and Settings\Max & Alex\Application Data\sdra64.exe (Trojan.PWS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sdra64.exe (Trojan.Zbot) -> Delete on reboot.

C:\WINDOWS\Temp\SFxn.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.

C:\Documents and Settings\Maiken\Local Settings\Temp\pdfupd.exe (Trojan.Zbot) -> Quarantined and deleted successfully.

C:\Documents and Settings\Maiken\Local Settings\Temporary Internet Files\Content.IE5\9VSK003M\update[1].exe (Trojan.Zbot) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.

C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.

C:\WINDOWS\Temp\E9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

>>>>>>>>>>>>>>>>>>>>>>>>>>>

Malwarebytes' Anti-Malware 1.44

Database version: 3904

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

25/03/2010 22:00:51

mbam-log-2010-03-25 (22-00-51).txt

Scan type: Quick Scan

Objects scanned: 140274

Time elapsed: 3 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 6

Registry Values Infected: 1

Registry Data Items Infected: 3

Folders Infected: 1

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:

C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:

C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.

C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.

C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.

>>>>>>>>>>>>>>>>>>>>>>>>

Malwarebytes' Anti-Malware 1.44

Database version: 3904

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

26/03/2010 09:38:23

mbam-log-2010-03-26 (09-38-23).txt

Scan type: Full Scan (C:\|)

Objects scanned: 213013

Time elapsed: 1 hour(s), 9 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

>>>>>>>>>>>>>>>>>>>>>>>>

DDS (Ver_10-03-17.01) - NTFSx86

Run by Maiken at 18:43:51.95 on 26/03/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2046.1530 [GMT 0:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

svchost.exe "C:\WINDOWS\system32\aaclientk.exe"

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

svchost.exe "C:\WINDOWS\system32\$winnt$qt.exe"

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Logitech\QuickCam\Quickcam.exe

C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Pando Networks\Media Booster\PMB.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\Program Files\BT Home Hub\Help\bin\mpbtn.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Documents and Settings\Maiken\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://home.bt.yahoo.com

uSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/

uSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mDefault_Search_URL = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/

mSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/

mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html

uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: DWABrowserHlprObj Class: {2709d830-b643-4e72-9a1e-701cfffcf30c} - c:\windows\system32\dwabho.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe

mRun: [intelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" TRAY

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"

mRun: [RoxioDragToDisc] "c:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"

mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe

mRun: [Motive SmartBridge] c:\progra~1\bthome~1\help\smartb~1\BTHelpNotifier.exe

mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"

mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide

mRun: [btbb_McciTrayApp] "c:\program files\bt broadband desktop help\btbb\BTHelpNotifier.exe"

mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [nwiz] nwiz.exe /installquiet

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [ssAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe

mRun: [Ykurudivo] rundll32.exe "c:\windows\uvuwiqul.dll",Startup

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRunOnce: [RunNarrator] Narrator.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\btbroa~1.lnk - c:\program files\bt home hub\help\bin\matcli.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

LSA: Notification Packages = scecli quxpnv.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\maiken\applic~1\mozilla\firefox\profiles\7vmck1rs.default\

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - plugin: c:\program files\common files\motive\npMotive.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll

FF - HiddenExtension: XULRunner: {0EDDCE54-CE48-405E-AE63-E4D21A6C92E6} - c:\documents and settings\maiken\local settings\application data\{0EDDCE54-CE48-405E-AE63-E4D21A6C92E6}

FF - HiddenExtension: XULRunner: {520A6825-7BE0-426A-8558-7FA857AB12CC} - c:\windows\system32\config\systemprofile\local settings\application data\{520a6825-7be0-426a-8558-7fa857ab12cc}\

FF - HiddenExtension: XULRunner: {FB44792B-31E9-4F4C-B40F-521A1B089861} - c:\documents and settings\mark\local settings\application data\{FB44792B-31E9-4F4C-B40F-521A1B089861}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-25 214664]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-6-6 93320]

R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-6-6 359952]

R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-6-6 144704]

R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-6-6 606736]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-6-6 79816]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-6-6 35272]

R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-6-6 40552]

R3 U2KG54L;BUFFALO WLI-U2-KG54L Wireless LAN Driver;c:\windows\system32\drivers\U2KG54L.SYS [2006-8-24 477696]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-5 135664]

S2 LmHostsxmlprov;TCP/IP NetBIOS Helper LmHostsxmlprov;c:\windows\system32\1041k.exe srv --> c:\windows\system32\1041k.exe srv [?]

S2 McProxy SiteAdvisor Service;McAfee Proxy Service McProxy SiteAdvisor Service;c:\windows\system32\1041u.exe srv --> c:\windows\system32\1041u.exe srv [?]

S2 McProxySPTISRV;McAfee Proxy Service McProxySPTISRV;c:\windows\system32\aaclientk.exe srv --> c:\windows\system32\aaclientk.exe srv [?]

S2 SamSswinmgmt;Security Accounts Manager SamSswinmgmt;c:\windows\system32\12520437z.exe srv --> c:\windows\system32\12520437z.exe srv [?]

S2 TapiSrvRpcLocator;Telephony TapiSrvRpcLocator;c:\windows\system32\adsldpx.exe srv --> c:\windows\system32\adsldpx.exe srv [?]

S2 TapiSrvRpcLocatorEventSystem;Telephony TapiSrvRpcLocator TapiSrvRpcLocatorEventSystem;c:\windows\system32\$winnt$qt.exe srv --> c:\windows\system32\$winnt$qt.exe srv [?]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-6-6 34248]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

=============== Created Last 30 ================

2010-03-25 13:39:35 0 d-----w- c:\documents and settings\maiken\DoctorWeb

2010-03-25 12:27:12 0 d-----w- c:\docume~1\maiken\applic~1\SUPERAntiSpyware.com

2010-03-24 21:32:24 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2010-03-24 21:32:16 0 d-----w- c:\program files\SUPERAntiSpyware

2010-03-24 21:30:04 0 d-----w- c:\program files\common files\Wise Installation Wizard

2010-03-23 15:26:56 0 d-----w- c:\docume~1\maiken\applic~1\Malwarebytes

2010-03-23 15:26:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-23 15:26:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-03-23 15:26:47 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-23 15:26:47 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-23 10:45:31 3281 ----a-w- c:\windows\system32\adsmsextf.sys

2010-03-22 09:36:12 145 --s-a-w- c:\windows\system32\735654856.dat

2010-03-21 16:45:15 0 ----a-w- c:\windows\system32\$winnt$q.sys

2010-03-20 17:53:38 120 ----a-w- c:\windows\Xmefiracevenu.dat

2010-03-20 17:53:38 0 ----a-w- c:\windows\Vgijocupuwowoho.bin

2010-03-20 14:05:13 91975 --sha-w- c:\windows\system32\algn.sys

2010-03-20 14:01:58 32 --s-a-w- c:\windows\system32\1928962775.dat

2010-03-18 22:59:22 0 d-----w- c:\documents and settings\all users\SonicStage

2010-03-18 22:56:14 27255 ------w- c:\windows\system32\drivers\NWWMUSB.sys

2010-03-18 22:56:02 11510 ------w- c:\windows\system32\drivers\VMCUSB.sys

2010-03-18 22:56:02 0 d-----w- c:\program files\Sony Corporation

2010-03-18 22:54:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Sony Corporation

2010-03-18 22:54:03 0 d-----w- c:\program files\Sony

2010-03-18 22:53:19 0 d-----w- c:\program files\common files\Sony Shared

2010-03-06 11:33:21 0 d-----w- c:\program files\BTHomeHub

2010-02-28 21:06:41 293376 ------w- c:\windows\system32\browserchoice.exe

==================== Find3M ====================

2010-03-25 00:23:43 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-03-25 00:06:10 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys

2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys

2009-11-02 00:01:25 66936 -csha-w- c:\windows\dlinfo_0.drv

2008-07-11 16:00:48 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071120080712\index.dat

============= FINISH: 18:45:44.46 ===============

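The logs in the post above show four distinct persistence mechanisms at once: the Winlogon Userinit and Shell values carrying extra binaries (sdra64.exe, rxup.rko), an LSA Notification Packages entry that makes lsass.exe load quxpnv.dll, six auto-start services whose image DDS cannot read and which all take a "srv" argument, and a Run entry that hands rundll32 a DLL sitting directly in c:\windows. The script below is an added example for this thread, not part of the original post and not the detection logic of MBAM, DDS or ComboFix; it pulls those indicators out of raw MBAM and DDS log lines. The SAMPLE lines are copied from the logs above. The "known good" sets (stock Winlogon binaries, scecli as the only stock LSA package, the directories rundll32 normally loads from) and the reading of DDS's trailing "[?]" as "file date/size could not be read" are my own assumptions about a default Windows XP install.

```python
"""Pull the persistence indicators seen in this thread out of raw MBAM / DDS lines.

Added example for this thread, not code from MBAM, DDS or ComboFix.  The SAMPLE
lines are copied from the logs posted above; the "known good" sets and the
reading of DDS's trailing "[?]" are assumptions about a default Windows XP box.
"""
import re

STOCK_WINLOGON = {"userinit": {"userinit.exe"}, "shell": {"explorer.exe"}}  # assumption
STOCK_LSA_PACKAGES = {"scecli"}                                              # assumption
RUNDLL_OK_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")         # assumption

BADGOOD_RE = re.compile(r"Winlogon\\(Userinit|Shell) \([^)]*\) -> Bad: \((.*?)\) Good:", re.I)
DATA_RE = re.compile(r"Winlogon\\(Userinit|Shell) \([^)]*\) -> Data: (.*?) ->", re.I)
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]+);(.*)$")
RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[[^\]]*\] (.*)$", re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.I)


def extra_winlogon_entries(line):
    """Entries in a Winlogon Userinit/Shell value that are not the stock binary.
    Handles both MBAM formats: 'Bad: (...) Good: (...)' and '-> Data: <path> ->'.
    Userinit is a comma separated list, Shell is space separated."""
    m = BADGOOD_RE.search(line) or DATA_RE.search(line)
    if not m:
        return []
    value, raw = m.group(1).lower(), m.group(2)
    entries = raw.split(",") if value == "userinit" else raw.split()
    return [e.strip() for e in entries
            if e.strip() and e.strip().rsplit("\\", 1)[-1].lower() not in STOCK_WINLOGON[value]]


def extra_lsa_packages(line):
    """Packages in a DDS 'LSA: Notification Packages' line other than scecli.
    Each one is a DLL that lsass.exe loads and calls on every password change."""
    m = re.match(r"LSA: Notification Packages = (.*)$", line.strip(), re.I)
    if not m:
        return []
    return [p for p in m.group(1).split() if p.lower() not in STOCK_LSA_PACKAGES]


def suspicious_service(line):
    """Reason string for a DDS service line that looks planted, else None.
    Flags an image DDS could not read ('[?]', assumed meaning) and the 'srv'
    argument that every planted service in this thread shares."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    start, name, _display, image = m.groups()
    reasons = []
    if image.rstrip().endswith("[?]"):
        reasons.append("image file unreadable")
    if re.search(r"\.exe srv\b", image, re.I):
        reasons.append("'srv' argument")
    if not reasons:
        return None
    return f"{start} {name}: " + ", ".join(reasons)


def odd_rundll_target(line):
    """DLL a DDS Run-key line hands to rundll32, if it lives outside the assumed
    benign directories (the thread's uvuwiqul.dll sits directly in c:\\windows)."""
    m = RUN_RE.match(line.strip())
    d = RUNDLL_RE.search(m.group(1)) if m else None
    if not d:
        return None
    dll = d.group(1).strip().lower()
    return None if dll.startswith(RUNDLL_OK_DIRS) else dll


def triage(lines):
    """Run every check over the given log lines; return (category, detail) pairs."""
    findings = []
    for line in lines:
        findings += [("winlogon", e) for e in extra_winlogon_entries(line)]
        findings += [("lsa", p) for p in extra_lsa_packages(line)]
        svc = suspicious_service(line)
        if svc:
            findings.append(("service", svc))
        dll = odd_rundll_target(line)
        if dll:
            findings.append(("rundll32", dll))
    return findings


# Lines copied from the MBAM and DDS logs posted in this thread.
SAMPLE = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Maiken\Application Data\sdra64.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe rxup.rko jrgsvde) Good: (Explorer.exe) -> Quarantined and deleted successfully.",
    r"mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup",
    r'mRun: [Ykurudivo] rundll32.exe "c:\windows\uvuwiqul.dll",Startup',
    r"LSA: Notification Packages = scecli quxpnv.dll",
    r"R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-25 214664]",
    r"S2 LmHostsxmlprov;TCP/IP NetBIOS Helper LmHostsxmlprov;c:\windows\system32\1041k.exe srv --> c:\windows\system32\1041k.exe srv [?]",
    r"S2 SamSswinmgmt;Security Accounts Manager SamSswinmgmt;c:\windows\system32\12520437z.exe srv --> c:\windows\system32\12520437z.exe srv [?]",
]

if __name__ == "__main__":
    for category, detail in triage(SAMPLE):
        print(f"{category:9} {detail}")
```

Feed it the whole MBAM or DDS log (one string per line) rather than the sample: the benign NvCpl and mfehidk lines are there to show that stock rundll32 and driver entries pass through untouched, and the Userinit check deliberately keeps the path so a responder can see which user profile the second sdra64.exe copy was dropped into.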

Hello Baggus

Welcome to Malwarebytes.

=====================

Looking at your system now, one or more of the identified infections is a backdoor Trojan.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

=====================

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.


Dear Kahdah

Thank you so much for your very quick reply and your advice, which is much appreciated. We installed ComboFix and ran it with the firewall, virus scanner and spyware detection disabled. It started out fine and ran the Windows recovery module first, downloading from Microsoft. It then moved into autoscan and gave the message that it was scanning for infected files, and then up came a blue screen saying a problem has been detected and Windows has been shut down to prevent damage.

BAD_POOL_CALLER

Technical information

**STOP: 0x000000c2 (0x00000007, 0x00000cd4, 0x15FFF44D, 0x80535819)

We have left it on this screen for a while just in case, but it doesn't look like it is doing anything.

What should we do now? Is there something that has interfered with ComboFix, or is this because of the malware?

Please help


Dear Kahdah

I felt a little more confident after the system seemed to have recovered from the blue screen of death okay on restart. I tried to run ComboFix again and this time it worked. It deleted some folders in Application Data for all users and then had to restart - on reloading it came up with an error message - error loading C:\windows\uvuwiqul.dll. The specified module could not be found.

Then ComboFix continued and produced the log report, posted below. I can't believe it - it actually feels like we might get our computer back.

Thanks so much for your help and sorry to panic at the first blue screen of death.

What would you like me to do now?

ComboFix 10-03-27.03 - Maiken 28/03/2010 12:10:11.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2046.1494 [GMT 1:00]

Running from: c:\documents and settings\Maiken\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Maiken\Local Settings\Application Data\{0EDDCE54-CE48-405E-AE63-E4D21A6C92E6}

c:\documents and settings\Maiken\Local Settings\Application Data\{0EDDCE54-CE48-405E-AE63-E4D21A6C92E6}\chrome.manifest

c:\documents and settings\Maiken\Local Settings\Application Data\{0EDDCE54-CE48-405E-AE63-E4D21A6C92E6}\chrome\content\_cfg.js

c:\documents and settings\Maiken\Local Settings\Application Data\{0EDDCE54-CE48-405E-AE63-E4D21A6C92E6}\chrome\content\overlay.xul

c:\documents and settings\Maiken\Local Settings\Application Data\{0EDDCE54-CE48-405E-AE63-E4D21A6C92E6}\install.rdf

c:\documents and settings\Maiken\Local Settings\Temporary Internet Files\mcc1A.tmp

c:\documents and settings\Maiken\Local Settings\Temporary Internet Files\mcc43.tmp

c:\documents and settings\Maiken\Local Settings\Temporary Internet Files\mcc46.tmp

c:\documents and settings\Mark\Local Settings\Application Data\{FB44792B-31E9-4F4C-B40F-521A1B089861}

c:\documents and settings\Mark\Local Settings\Application Data\{FB44792B-31E9-4F4C-B40F-521A1B089861}\chrome.manifest

c:\documents and settings\Mark\Local Settings\Application Data\{FB44792B-31E9-4F4C-B40F-521A1B089861}\chrome\content\_cfg.js

c:\documents and settings\Mark\Local Settings\Application Data\{FB44792B-31E9-4F4C-B40F-521A1B089861}\chrome\content\overlay.xul

c:\documents and settings\Mark\Local Settings\Application Data\{FB44792B-31E9-4F4C-B40F-521A1B089861}\install.rdf

c:\documents and settings\Max & Alex\Local Settings\Application Data\{43F0EE47-2E5D-4EC7-8060-7DDE14A19BAE}

c:\documents and settings\Max & Alex\Local Settings\Application Data\{43F0EE47-2E5D-4EC7-8060-7DDE14A19BAE}\chrome.manifest

c:\documents and settings\Max & Alex\Local Settings\Application Data\{43F0EE47-2E5D-4EC7-8060-7DDE14A19BAE}\chrome\content\_cfg.js

c:\documents and settings\Max & Alex\Local Settings\Application Data\{43F0EE47-2E5D-4EC7-8060-7DDE14A19BAE}\chrome\content\overlay.xul

c:\documents and settings\Max & Alex\Local Settings\Application Data\{43F0EE47-2E5D-4EC7-8060-7DDE14A19BAE}\install.rdf

c:\windows\system32\735654856.dat

c:\windows\system32\accessxo.exe

c:\windows\system32\Thumbs.db

c:\windows\Temp\1366984223.exe

c:\windows\Temp\1497136083.exe

c:\windows\Temp\1772160173.exe

c:\windows\Temp\3388596735.exe

c:\windows\Temp\3462145289.exe

c:\windows\Temp\426809811.exe

c:\windows\TEMP\logishrd\LVPrcInj01.dll

c:\windows\uvuwiqul.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_LMHOSTSXMLPROV

-------\Legacy_MCPROXY_SITEADVISOR_SERVICE

-------\Legacy_RPCLOCATORVSS

-------\Legacy_SAMSSWINMGMT

-------\Legacy_TAPISRVRPCLOCATOR

-------\Service_LmHostsxmlprov

-------\Service_McProxy SiteAdvisor Service

-------\Service_RpcLocatorVSS

-------\Service_SamSswinmgmt

-------\Service_TapiSrvRpcLocator

((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-28 )))))))))))))))))))))))))))))))

.

2010-03-26 14:19 . 2010-03-26 14:19 -------- d-----w- c:\documents and settings\Max & Alex\DoctorWeb

2010-03-25 18:37 . 2010-03-25 18:37 -------- d-----w- c:\documents and settings\Max & Alex\Application Data\SUPERAntiSpyware.com

2010-03-25 18:35 . 2010-03-26 14:18 -------- d-----w- c:\documents and settings\Max & Alex\Application Data\U3

2010-03-25 13:39 . 2010-03-25 13:39 -------- d-----w- c:\documents and settings\Maiken\DoctorWeb

2010-03-25 12:27 . 2010-03-25 12:27 -------- d-----w- c:\documents and settings\Maiken\Application Data\SUPERAntiSpyware.com

2010-03-24 22:46 . 2010-03-25 01:42 -------- d-----w- c:\documents and settings\Mark\DoctorWeb

2010-03-24 21:32 . 2010-03-24 21:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-03-24 21:32 . 2010-03-25 11:38 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-03-24 21:32 . 2010-03-24 21:32 -------- d-----w- c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com

2010-03-24 21:30 . 2010-03-24 21:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-03-23 20:56 . 2010-03-23 20:56 -------- d-----w- c:\documents and settings\Max & Alex\Application Data\Malwarebytes

2010-03-23 20:55 . 2010-03-23 20:55 120 ----a-w- c:\documents and settings\Max & Alex\Local Settings\Application Data\Xmefiracevenu.dat

2010-03-23 20:55 . 2010-03-23 20:55 0 ----a-w- c:\documents and settings\Max & Alex\Local Settings\Application Data\Vgijocupuwowoho.bin

2010-03-23 20:01 . 2010-03-23 20:01 -------- d-----w- c:\documents and settings\Mark\Application Data\Malwarebytes

2010-03-23 15:26 . 2010-03-23 15:26 -------- d-----w- c:\documents and settings\Maiken\Application Data\Malwarebytes

2010-03-23 15:26 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-23 15:26 . 2010-03-23 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-03-23 15:26 . 2010-03-23 15:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-23 15:26 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-23 12:05 . 2010-03-23 12:05 -------- d-----w- c:\documents and settings\Max & Alex\Local Settings\Application Data\Identities

2010-03-23 12:04 . 2010-03-23 12:52 -------- d-sh--w- c:\documents and settings\Max & Alex\Application Data\lowsec

2010-03-23 10:45 . 2010-03-23 15:44 3281 ----a-w- c:\windows\system32\adsmsextf.sys

2010-03-22 12:29 . 2010-03-22 12:29 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-03-21 16:45 . 2010-03-25 00:24 0 ----a-w- c:\windows\system32\$winnt$q.sys

2010-03-20 17:53 . 2010-03-28 09:35 120 ----a-w- c:\windows\Xmefiracevenu.dat

2010-03-20 17:53 . 2010-03-28 09:35 0 ----a-w- c:\windows\Vgijocupuwowoho.bin

2010-03-20 17:49 . 2010-03-20 17:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-03-20 14:05 . 2010-03-25 00:54 91975 --sha-w- c:\windows\system32\algn.sys

2010-03-19 20:06 . 2010-03-19 20:06 -------- d-----w- c:\documents and settings\Mark\Application Data\Turbine

2010-03-18 22:59 . 2010-03-18 22:59 -------- d-----w- c:\documents and settings\All Users\SonicStage

2010-03-18 22:56 . 2001-08-31 15:07 27255 ------w- c:\windows\system32\drivers\NWWMUSB.sys

2010-03-18 22:56 . 2010-03-18 22:56 -------- d-----w- c:\program files\Sony Corporation

2010-03-18 22:56 . 2002-09-11 10:20 11510 ------w- c:\windows\system32\drivers\VMCUSB.sys

2010-03-18 22:54 . 2010-03-18 22:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Corporation

2010-03-18 22:54 . 2010-03-18 22:56 -------- d-----w- c:\program files\Sony

2010-03-18 22:53 . 2010-03-18 22:59 -------- d-----w- c:\documents and settings\Maiken\Application Data\Sony Corporation

2010-03-18 22:53 . 2010-03-18 22:56 -------- d-----w- c:\program files\Common Files\Sony Shared

2010-03-06 11:33 . 2010-03-06 11:35 -------- d-----w- c:\program files\BTHomeHub

2010-03-01 20:37 . 2010-03-01 20:37 -------- d-----w- c:\documents and settings\Mark\Local Settings\Application Data\IBM

2010-02-28 21:06 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

2010-02-26 20:38 . 2010-03-18 14:43 -------- d-----w- c:\documents and settings\Maiken\Local Settings\Application Data\Temp

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-28 09:50 . 2009-11-04 21:48 -------- d-----w- c:\documents and settings\Maiken\Application Data\U3

2010-03-26 19:23 . 2004-08-03 21:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-03-26 19:23 . 2004-08-03 21:59 96512 ----a-w- c:\windows\system32\drivers\atapi.svs

2010-03-25 18:37 . 2010-03-25 18:37 52224 ----a-w- c:\documents and settings\Max & Alex\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-03-25 18:37 . 2010-03-25 18:37 117760 ----a-w- c:\documents and settings\Max & Alex\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-03-25 12:27 . 2010-03-25 12:27 52224 ----a-w- c:\documents and settings\Maiken\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-03-25 12:27 . 2010-03-25 12:27 117760 ----a-w- c:\documents and settings\Maiken\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-03-24 21:33 . 2010-03-24 21:33 52224 ----a-w- c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-03-24 21:33 . 2010-03-24 21:33 117760 ----a-w- c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-03-24 21:29 . 2009-12-17 17:39 -------- d-----w- c:\documents and settings\Mark\Application Data\U3

2010-03-18 22:56 . 2006-09-01 11:56 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-03-18 22:53 . 2006-09-01 11:52 -------- d-----w- c:\program files\Common Files\InstallShield

2010-02-17 20:26 . 2009-06-06 16:55 -------- d-----w- c:\program files\McAfee

2010-02-05 18:33 . 2007-03-14 19:50 -------- d-----w- c:\program files\Google

2010-02-03 13:57 . 2007-03-14 19:50 -------- d-----w- c:\documents and settings\Maiken\Application Data\Skype

2010-02-03 13:52 . 2008-05-15 16:54 -------- d-----w- c:\documents and settings\Maiken\Application Data\skypePM

2010-01-15 23:05 . 2010-01-15 23:05 290816 -c--a-w- c:\documents and settings\Maiken\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll

2010-01-15 23:05 . 2010-01-15 23:05 290816 -c--a-w- c:\documents and settings\Maiken\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll

2010-01-15 23:05 . 2010-01-15 23:05 290816 -c--a-w- c:\documents and settings\Maiken\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll

2010-01-15 23:05 . 2010-01-15 23:05 290816 -c--a-w- c:\documents and settings\Maiken\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll

2009-12-31 16:50 . 2004-09-16 12:59 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-11-02 00:01 . 2009-11-02 00:01 66936 -csha-w- c:\windows\dlinfo_0.drv

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-22 68856]

"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-01-23 2937528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-04-08 7081984]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]

"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]

"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2004-02-24 868352]

"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]

"Motive SmartBridge"="c:\progra~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe" [2006-02-06 462935]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]

"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1584640]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-20 12669544]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-20 110184]

"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

BT Broadband Desktop Help.lnk - c:\program files\BT Home Hub\Help\bin\matcli.exe [2006-10-4 217088]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"58403:TCP"= 58403:TCP:Pando Media Booster

"58403:UDP"= 58403:UDP:Pando Media Booster

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 11:25 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2010 11:15 66632]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [06/06/2009 17:58 93320]

R3 U2KG54L;BUFFALO WLI-U2-KG54L Wireless LAN Driver;c:\windows\system32\drivers\U2KG54L.SYS [24/08/2006 05:44 477696]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/02/2010 19:33 135664]

S2 McProxySPTISRV;McAfee Proxy Service McProxySPTISRV;c:\windows\system32\aaclientk.exe srv --> c:\windows\system32\aaclientk.exe srv [?]

S2 TapiSrvRpcLocatorEventSystem;Telephony TapiSrvRpcLocator TapiSrvRpcLocatorEventSystem;c:\windows\system32\$winnt$qt.exe srv --> c:\windows\system32\$winnt$qt.exe srv [?]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2010 11:15 12872]

.

Contents of the 'Scheduled Tasks' folder

2010-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 18:33]

2010-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 18:33]

2009-11-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-06 11:22]

2010-03-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-06 11:22]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://home.bt.yahoo.com

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html

uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Maiken\Application Data\Mozilla\Firefox\Profiles\7vmck1rs.default\

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\program files\Common Files\Motive\npMotive.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

FF - HiddenExtension: XULRunner: {520A6825-7BE0-426A-8558-7FA857AB12CC} - c:\windows\system32\config\systemprofile\Local Settings\Application Data\{520A6825-7BE0-426A-8558-7FA857AB12CC}\

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-nwiz - nwiz.exe

HKLM-Run-Ykurudivo - c:\windows\uvuwiqul.dll

AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-28 12:18

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(7416)

c:\windows\system32\WININET.dll

c:\windows\TEMP\logishrd\LVPrcInj01.dll

c:\progra~1\BTHOME~1\Help\SMARTB~1\SBHook.dll

c:\progra~1\mcafee\SITEAD~1\saHook.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\progra~1\McAfee\VIRUSS~1\mcshield.exe

c:\program files\McAfee\MPF\MPFSrv.exe

c:\windows\system32\MsPMSPSv.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\wscntfy.exe

c:\progra~1\mcafee.com\agent\mcagent.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\progra~1\Yahoo!\browser\ycommon.exe

c:\windows\system32\RUNDLL32.EXE

c:\program files\BT Home Hub\Help\bin\mpbtn.exe

c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe

.

**************************************************************************

.

Completion time: 2010-03-28 12:24:10 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-28 11:24

Pre-Run: 119,688,351,744 bytes free

Post-Run: 119,727,001,600 bytes free

- - End Of File - - 8DF6851A87B509FE56E32236BA8CC54A

Dear Kahdah

Thank you so much for your very quick reply and your advice, which is much appreciated. We have installed ComboFix and run it with the firewall, virus scanner and spyware detection disabled. It started out fine and ran the Windows Recovery module first, downloading from Microsoft. It then moved into autoscan and gave the message that it was scanning for infected files, and then up came a blue screen saying a problem has been detected and Windows has been shut down to prevent damage.

BAD_POOL_CALLER

Technical information

**STOP: 0x000000c2 (0x00000007, 0x00000cd4, 0x15FFF44D, 0x80535819)

We have left it on this screen for a while just in case, but it doesn't look like it is doing anything.

What should we do now? Is there something that has interfered with ComboFix, or is this because of the malware?

Please help

>>>>>>>>>>>>>>>>>>>>>>>>>>


Great. Sorry I couldn't reply faster than now; I was out with the family all day yesterday.

Little bit more work to do now.

1. Open notepad and copy/paste the text in the codebox below into it:

http://forums.malwarebytes.org/index.php?showtopic=44731&pid=223109&mode=threaded&start=0#entry223109

Driver::
McProxySPTISRV
TapiSrvRpcLocatorEventSystem

Collect::
c:\documents and settings\Max & Alex\Local Settings\Application Data\Xmefiracevenu.dat
c:\documents and settings\Max & Alex\Local Settings\Application Data\Vgijocupuwowoho.bin
c:\windows\system32\adsmsextf.sys
C:\windows\Xmefiracevenu.dat
C:\windows\Vgijocupuwowoho.bin
C:\windows\system32\aaclientk.exe
c:\windows\system32\$winnt$qt.exe

Folder::
c:\documents and settings\Max & Alex\Application Data\lowsec


DDS::
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html

Save this as CFScript.txt

CFScriptB-4.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.

===========

Note::

If Combofix fails to upload anything please do the following:

Go to Start > My Computer > C:\

Then Navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

Click Here to upload the submit.zip please.


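Added here as an editorial example (not code from Malwarebytes, ComboFix or the helper in this thread): a small triage script that applies the same reading of the ComboFix log that the script above acts on. It parses the Drivers/Services lines and flags services whose binary ComboFix could not verify (the `[?]` marker, as on the McProxySPTISRV and TapiSrvRpcLocatorEventSystem lines), and parses the "Files Created" lines to flag `.sys` files sitting directly in system32 rather than system32\drivers, zero-byte files, and files carrying system+hidden attributes. From those findings it drafts the `Driver::` and `Collect::` sections in the CFScript format used above. The sample log lines are copied from the log posted in this thread; the heuristics, the `Triage` class and the function names are the example's own, and a flag means "review this", not "this is malware" (ComboFix itself only treated some of these paths as infections).

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [06/06/2009 17:58 93320]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/02/2010 19:33 135664]
S2 McProxySPTISRV;McAfee Proxy Service McProxySPTISRV;c:\windows\system32\aaclientk.exe srv --> c:\windows\system32\aaclientk.exe srv [?]
S2 TapiSrvRpcLocatorEventSystem;Telephony TapiSrvRpcLocator TapiSrvRpcLocatorEventSystem;c:\windows\system32\$winnt$qt.exe srv --> c:\windows\system32\$winnt$qt.exe srv [?]
2010-03-23 10:45 . 2010-03-23 15:44 3281 ----a-w- c:\windows\system32\adsmsextf.sys
2010-03-21 16:45 . 2010-03-25 00:24 0 ----a-w- c:\windows\system32\$winnt$q.sys
2010-03-20 14:05 . 2010-03-25 00:54 91975 --sha-w- c:\windows\system32\algn.sys
2010-03-23 15:26 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
"""

# "R2 name;display name;image path [date size]"  (S = stopped/start-on-demand, R = running)
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")
# "created . modified size attrs path"; size is "--------" for directories
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-{8}) ([-a-z]{8}) (.+)$"
)
EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


@dataclass
class Triage:
    services: list = field(default_factory=list)  # (service name, image path)
    files: list = field(default_factory=list)     # (path, reason)


def triage_combofix_log(text: str) -> Triage:
    """Scan ComboFix log lines and collect review candidates (heuristic, not a verdict)."""
    t = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            _start, name, _display, image = m.groups()
            # "[?]" means ComboFix could not verify the binary (no date/size resolved)
            if image.endswith("[?]"):
                exe = EXE_RE.match(image)
                t.services.append((name, exe.group(1) if exe else image))
            continue
        m = FILE_RE.match(line)
        if not m:
            continue
        _created, _modified, size, attrs, path = m.groups()
        if attrs.startswith("d"):  # skip directories
            continue
        low = path.lower()
        reasons = []
        if (low.startswith("c:\\windows\\system32\\")
                and "\\drivers\\" not in low and low.endswith(".sys")):
            reasons.append("driver-style .sys outside system32\\drivers")
        if size == "0":
            reasons.append("zero-byte file")
        if attrs[2] == "s" and attrs[3] == "h":  # attribute columns: ?csha?w?
            reasons.append("system+hidden attributes")
        if reasons:
            t.files.append((path, "; ".join(reasons)))
    return t


def build_cfscript(t: Triage) -> str:
    """Draft Driver:: and Collect:: sections in the CFScript format shown in this thread."""
    out = []
    if t.services:
        out.append("Driver::")
        out.extend(name for name, _ in t.services)
        out.append("")
    collect = [exe for _, exe in t.services] + [path for path, _ in t.files]
    if collect:
        out.append("Collect::")
        out.extend(collect)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    findings = triage_combofix_log(SAMPLE_LOG)
    for path, why in findings.files:
        print(f"review: {path}  ({why})")
    print(build_cfscript(findings))
```

Run on the sample, the draft lists the two fake services under `Driver::` and their `.exe` images plus the three flagged `.sys` files under `Collect::`; `mbam.sys` is not flagged because it lives under system32\drivers. The draft is a starting point for a human to trim before it is ever dragged onto ComboFix.exe.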
Thank you so much for this help. ComboFix ran after your last instructions, and a message came up saying "Parasites found":

C:\windows\temp\logishrd\LVPrcInj01.dll

followed by "rootkit activity" at the same file. It then ran and rebooted, then rebooted again, and produced the following report.

I have nervously connected to the internet and this forum to post the following, and I am hoping this won't have reinfected everything.

ComboFix seemed to fail to upload anything via a browser, so I will now follow your instructions to send the requested file.

Below is the report from the ComboFix log.

ComboFix 10-03-27.03 - Maiken 28/03/2010 16:36:20.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2046.1607 [GMT 1:00]

Running from: c:\documents and settings\Maiken\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Maiken\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

file zipped: c:\documents and settings\Max & Alex\Local Settings\Application Data\Vgijocupuwowoho.bin

file zipped: c:\documents and settings\Max & Alex\Local Settings\Application Data\Xmefiracevenu.dat

file zipped: c:\windows\system32\adsmsextf.sys

file zipped: c:\windows\Vgijocupuwowoho.bin

file zipped: c:\windows\Xmefiracevenu.dat

.

The following files were disabled during the run:

c:\windows\TEMP\logishrd\LVPrcInj01.dll

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Max & Alex\Application Data\lowsec

c:\documents and settings\Max & Alex\Application Data\lowsec\local.ds

c:\documents and settings\Max & Alex\Application Data\lowsec\user.ds

c:\documents and settings\Max & Alex\Local Settings\Application Data\Vgijocupuwowoho.bin

c:\documents and settings\Max & Alex\Local Settings\Application Data\Xmefiracevenu.dat

c:\windows\system32\adsmsextf.sys

c:\windows\TEMP\logishrd\LVPrcInj01.dll

c:\windows\Vgijocupuwowoho.bin

c:\windows\Xmefiracevenu.dat

c:\windows\TEMP\logishrd\LVPrcInj01.dll . . . . failed to delete

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_MCPROXYSPTISRV

-------\Legacy_TAPISRVRPCLOCATOREVENTSYSTEM

-------\Service_McProxySPTISRV

-------\Service_TapiSrvRpcLocatorEventSystem

((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-28 )))))))))))))))))))))))))))))))

.

2010-03-26 14:19 . 2010-03-26 14:19 -------- d-----w- c:\documents and settings\Max & Alex\DoctorWeb

2010-03-25 18:37 . 2010-03-25 18:37 52224 ----a-w- c:\documents and settings\Max & Alex\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-03-25 18:37 . 2010-03-25 18:37 117760 ----a-w- c:\documents and settings\Max & Alex\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-03-25 18:37 . 2010-03-25 18:37 -------- d-----w- c:\documents and settings\Max & Alex\Application Data\SUPERAntiSpyware.com

2010-03-25 18:37 . 2006-12-07 10:45 110592 ----a-w- c:\documents and settings\Max & Alex\Application Data\U3\temp\cleanup.exe

2010-03-25 18:36 . 2006-12-07 10:45 3096576 ---ha-w- c:\documents and settings\Max & Alex\Application Data\U3\temp\Launchpad Removal.exe

2010-03-25 18:35 . 2010-03-26 14:18 -------- d-----w- c:\documents and settings\Max & Alex\Application Data\U3

2010-03-25 13:39 . 2010-03-25 13:39 -------- d-----w- c:\documents and settings\Maiken\DoctorWeb

2010-03-25 12:27 . 2010-03-25 12:27 52224 ----a-w- c:\documents and settings\Maiken\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-03-25 12:27 . 2010-03-25 12:27 117760 ----a-w- c:\documents and settings\Maiken\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-03-25 12:27 . 2010-03-25 12:27 -------- d-----w- c:\documents and settings\Maiken\Application Data\SUPERAntiSpyware.com

2010-03-24 22:46 . 2010-03-25 01:42 -------- d-----w- c:\documents and settings\Mark\DoctorWeb

2010-03-24 21:33 . 2010-03-24 21:33 52224 ----a-w- c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-03-24 21:33 . 2010-03-24 21:33 117760 ----a-w- c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-03-24 21:32 . 2010-03-24 21:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-03-24 21:32 . 2010-03-25 11:38 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-03-24 21:32 . 2010-03-24 21:32 -------- d-----w- c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com

2010-03-24 21:30 . 2010-03-24 21:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-03-23 20:56 . 2010-03-23 20:56 -------- d-----w- c:\documents and settings\Max & Alex\Application Data\Malwarebytes

2010-03-23 20:01 . 2010-03-23 20:01 -------- d-----w- c:\documents and settings\Mark\Application Data\Malwarebytes

2010-03-23 15:26 . 2010-03-23 15:26 -------- d-----w- c:\documents and settings\Maiken\Application Data\Malwarebytes

2010-03-23 15:26 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-23 15:26 . 2010-03-23 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-03-23 15:26 . 2010-03-23 15:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-23 15:26 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-23 12:05 . 2010-03-23 12:05 -------- d-----w- c:\documents and settings\Max & Alex\Local Settings\Application Data\Identities

2010-03-22 12:29 . 2010-03-22 12:29 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-03-21 16:45 . 2010-03-25 00:24 0 ----a-w- c:\windows\system32\$winnt$q.sys

2010-03-20 17:49 . 2010-03-20 17:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-03-20 14:05 . 2010-03-25 00:54 91975 --sha-w- c:\windows\system32\algn.sys

2010-03-19 20:06 . 2010-03-19 20:06 -------- d-----w- c:\documents and settings\Mark\Application Data\Turbine

2010-03-18 22:59 . 2010-03-18 22:59 -------- d-----w- c:\documents and settings\All Users\SonicStage

2010-03-18 22:56 . 2001-08-31 15:07 27255 ------w- c:\windows\system32\drivers\NWWMUSB.sys

2010-03-18 22:56 . 2010-03-18 22:56 -------- d-----w- c:\program files\Sony Corporation

2010-03-18 22:56 . 2002-09-11 10:20 11510 ------w- c:\windows\system32\drivers\VMCUSB.sys

2010-03-18 22:54 . 2010-03-18 22:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Corporation

2010-03-18 22:54 . 2010-03-18 22:56 -------- d-----w- c:\program files\Sony

2010-03-18 22:53 . 2010-03-18 22:59 -------- d-----w- c:\documents and settings\Maiken\Application Data\Sony Corporation

2010-03-18 22:53 . 2010-03-18 22:56 -------- d-----w- c:\program files\Common Files\Sony Shared

2010-03-06 11:33 . 2010-03-06 11:35 -------- d-----w- c:\program files\BTHomeHub

2010-03-01 20:37 . 2010-03-01 20:37 -------- d-----w- c:\documents and settings\Mark\Local Settings\Application Data\IBM

2010-02-28 21:06 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

2010-02-26 20:38 . 2010-03-18 14:43 -------- d-----w- c:\documents and settings\Maiken\Local Settings\Application Data\Temp

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-28 09:50 . 2009-11-04 21:48 -------- d-----w- c:\documents and settings\Maiken\Application Data\U3

2010-03-26 19:23 . 2004-08-03 21:59 96512 ----a-w- c:\windows\system32\drivers\atapi.svs

2010-03-26 19:23 . 2004-08-03 21:59 96512 ------w- c:\windows\system32\drivers\atapi.sys

2010-03-24 21:29 . 2009-12-17 17:39 -------- d-----w- c:\documents and settings\Mark\Application Data\U3

2010-03-18 22:56 . 2006-09-01 11:56 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-03-18 22:53 . 2006-09-01 11:52 -------- d-----w- c:\program files\Common Files\InstallShield

2010-02-17 20:26 . 2009-06-06 16:55 -------- d-----w- c:\program files\McAfee

2010-02-05 18:33 . 2007-03-14 19:50 -------- d-----w- c:\program files\Google

2010-02-03 13:57 . 2007-03-14 19:50 -------- d-----w- c:\documents and settings\Maiken\Application Data\Skype

2010-02-03 13:52 . 2008-05-15 16:54 -------- d-----w- c:\documents and settings\Maiken\Application Data\skypePM

2010-01-15 23:05 . 2010-01-15 23:05 290816 -c--a-w- c:\documents and settings\Maiken\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll

2010-01-15 23:05 . 2010-01-15 23:05 290816 -c--a-w- c:\documents and settings\Maiken\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll

2010-01-15 23:05 . 2010-01-15 23:05 290816 -c--a-w- c:\documents and settings\Maiken\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll

2010-01-15 23:05 . 2010-01-15 23:05 290816 -c--a-w- c:\documents and settings\Maiken\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll

2009-12-31 16:50 . 2004-09-16 12:59 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-11-02 00:01 . 2009-11-02 00:01 66936 -csha-w- c:\windows\dlinfo_0.drv

.

((((((((((((((((((((((((((((( SnapShot@2010-03-28_11.18.25 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-03-28 15:43 . 2010-03-28 15:43 16384 c:\windows\Temp\Perflib_Perfdata_6f8.dat

+ 2010-03-28 15:34 . 2010-03-28 15:34 16384 c:\windows\Temp\Perflib_Perfdata_6f0.dat

- 2004-09-16 12:59 . 2010-03-28 09:36 52880 c:\windows\system32\perfc009.dat

+ 2004-09-16 12:59 . 2010-03-28 11:21 52880 c:\windows\system32\perfc009.dat

- 2005-08-09 11:15 . 2010-03-28 09:40 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2005-08-09 11:15 . 2010-03-28 15:16 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2010-03-28 15:16 . 2010-03-28 15:16 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2005-08-09 11:15 . 2010-03-28 09:40 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2004-09-16 12:59 . 2010-03-28 11:21 380658 c:\windows\system32\perfh009.dat

- 2004-09-16 12:59 . 2010-03-28 09:36 380658 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-22 68856]

"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-01-23 2937528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-04-08 7081984]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]

"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]

"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2004-02-24 868352]

"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]

"Motive SmartBridge"="c:\progra~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe" [2006-02-06 462935]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]

"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1584640]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-20 12669544]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-20 110184]

"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

BT Broadband Desktop Help.lnk - c:\program files\BT Home Hub\Help\bin\matcli.exe [2006-10-4 217088]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"58403:TCP"= 58403:TCP:Pando Media Booster

"58403:UDP"= 58403:UDP:Pando Media Booster

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 11:25 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2010 11:15 66632]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [06/06/2009 17:58 93320]

R3 U2KG54L;BUFFALO WLI-U2-KG54L Wireless LAN Driver;c:\windows\system32\drivers\U2KG54L.SYS [24/08/2006 05:44 477696]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/02/2010 19:33 135664]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2010 11:15 12872]

.

Contents of the 'Scheduled Tasks' folder

2010-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 18:33]

2010-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 18:33]

2009-11-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-06 11:22]

2010-03-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-06 11:22]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://home.bt.yahoo.com

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Maiken\Application Data\Mozilla\Firefox\Profiles\7vmck1rs.default\

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\program files\Common Files\Motive\npMotive.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

FF - HiddenExtension: XULRunner: {520A6825-7BE0-426A-8558-7FA857AB12CC} - c:\windows\system32\config\systemprofile\Local Settings\Application Data\{520A6825-7BE0-426A-8558-7FA857AB12CC}\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-28 16:44

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(6988)

c:\windows\system32\WININET.dll

c:\windows\TEMP\logishrd\LVPrcInj01.dll

c:\progra~1\BTHOME~1\Help\SMARTB~1\SBHook.dll

c:\progra~1\mcafee\SITEAD~1\saHook.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\progra~1\McAfee\VIRUSS~1\mcshield.exe

c:\program files\McAfee\MPF\MPFSrv.exe

c:\windows\system32\MsPMSPSv.exe

c:\windows\system32\rundll32.exe

c:\progra~1\mcafee.com\agent\mcagent.exe

c:\windows\system32\wscntfy.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\progra~1\Yahoo!\browser\ycommon.exe

c:\windows\system32\RUNDLL32.EXE

c:\program files\BT Home Hub\Help\bin\mpbtn.exe

c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe

.

**************************************************************************

.

Completion time: 2010-03-28 16:48:22 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-28 15:48

ComboFix2.txt 2010-03-28 11:24

Pre-Run: 119,733,649,408 bytes free

Post-Run: 119,698,649,088 bytes free

- - End Of File - - 1DDCCDD7A9B65999338AD58A5D066813

Great, sorry I couldn't reply faster than now; I was out with the family all day yesterday.

Little bit more work to do now.

1. Open notepad and copy/paste the text in the codebox below into it:


Driver::
McProxySPTISRV
TapiSrvRpcLocatorEventSystem

Collect::
c:\documents and settings\Max & Alex\Local Settings\Application Data\Xmefiracevenu.dat
c:\documents and settings\Max & Alex\Local Settings\Application Data\Vgijocupuwowoho.bin
c:\windows\system32\adsmsextf.sys
C:\windows\Xmefiracevenu.dat
C:\windows\Vgijocupuwowoho.bin
C:\windows\system32\aaclientk.exe
c:\windows\system32\$winnt$qt.exe

Folder::
c:\documents and settings\Max & Alex\Application Data\lowsec


DDS::
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html

Save this as CFScript.txt

[animation: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.

===========

Note::

If Combofix fails to upload anything please do the following:

Go to Start > My Computer > C:\

Then Navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

Click Here to upload the submit.zip please.


OK, no worries about that file it said failed to delete; it is a Logitech file that is present on reboot.

Please submit the following files to one of these online file scanners.

(All you have to do is copy and paste the file path into the box when you click on Browse; once you have done that, click on the Open button, then Submit.)

c:\windows\system32\$winnt$q.sys

c:\windows\system32\drivers\atapi.svs

Jotti File Scan
VirusTotal File Scan

This will produce a report after the scan is complete, please copy and paste those results in your next post.

================================

Also Go to Start > My Computer > C:\

Then Navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

Click Here to upload the submit.zip please.


Scanned both of the files on both of those sites.

The first file c:\windows\system32\$winnt$q.sys

both sites said was empty (0 bytes).

The second file c:\windows\system32\drivers\atapi.svs

was uploaded to both and seemed to get similar reports which I have added below.

I have also uploaded the submit.zip to the bleepingcomputer site according to the link you gave. I hope I did all this correctly.

Thanks for everything.

Copy of both reports on the atapi file are posted below:

Filename: atapi.svs

Status: Scan finished. 0 out of 20 scanners reported malware.

Scan taken on: Sun 28 Mar 2010 19:01:48 (CET)

File size: 96512 bytes

Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit

MD5: 70e101be44cf34030b2e4a51bac3452c

SHA1: ec50a115fe1cf70a4bc36dc6e61ebfb79db6dc90

Packer (Kaspersky): PE_Patch

Scanners: 20 entries, each reporting "Found nothing" (the scanner names were not captured in the copied report; definition dates range from 2010-03-26 to 2010-03-28)

VIRUS TOTAL FILESCAN

File atapi.svs received on 2010.03.28 17:10:27 (UTC)


Result: 1/42 (2.39%)

Antivirus Version Last Update Result

a-squared 4.5.0.50 2010.03.28 -

AhnLab-V3 5.0.0.2 2010.03.27 -

AntiVir 7.10.5.241 2010.03.26 -

Antiy-AVL 2.0.3.7 2010.03.26 -

Authentium 5.2.0.5 2010.03.28 -

Avast 4.8.1351.0 2010.03.28 -

Avast5 5.0.332.0 2010.03.28 -

AVG 9.0.0.787 2010.03.28 -

BitDefender 7.2 2010.03.28 -

CAT-QuickHeal 10.00 2010.03.27 -

ClamAV 0.96.0.0-git 2010.03.28 -

Comodo 4417 2010.03.28 -

DrWeb 5.0.1.12222 2010.03.28 -

eSafe 7.0.17.0 2010.03.28 -

eTrust-Vet 35.2.7391 2010.03.26 -

F-Prot 4.5.1.85 2010.03.27 -

F-Secure 9.0.15370.0 2010.03.28 -

Fortinet 4.0.14.0 2010.03.27 -

GData 19 2010.03.28 -

Ikarus T3.1.1.80.0 2010.03.28 -

Jiangmin 13.0.900 2010.03.28 -

K7AntiVirus 7.10.1004 2010.03.22 -

Kaspersky 7.0.0.125 2010.03.28 -

McAfee 5933 2010.03.27 -

McAfee+Artemis 5933 2010.03.27 -

McAfee-GW-Edition 6.8.5 2010.03.27 -

Microsoft 1.5605 2010.03.28 -

NOD32 4980 2010.03.28 -

Norman 6.04.10 2010.03.28 -

nProtect 2009.1.8.0 2010.03.28 -

Panda 10.0.2.2 2010.03.28 -

PCTools 7.0.3.5 2010.03.28 -

Prevx 3.0 2010.03.28 -

Rising 22.40.06.04 2010.03.28 -

Sophos 4.52.0 2010.03.28 -

Sunbelt 6101 2010.03.26 -

Symantec 20091.2.0.41 2010.03.28 Suspicious.Insight

TheHacker 6.5.2.0.246 2010.03.28 -

TrendMicro 9.120.0.1004 2010.03.28 -

VBA32 3.12.12.2 2010.03.27 -

ViRobot 2010.3.27.2248 2010.03.27 -

VirusBuster 5.0.27.0 2010.03.27 -

Additional information

File size: 96512 bytes

MD5...: 70e101be44cf34030b2e4a51bac3452c

SHA1..: ec50a115fe1cf70a4bc36dc6e61ebfb79db6dc90

SHA256: da1f6dd6139368f53f756c4956a524f8e29ff11d15b47bf197ef1d09f2eff0bf

ssdeep: 1536:PwXpkfV74F1D7yNEZIHRRJMohmus27G1j/XBoDQi7oaRMJfYHFktprll1KbDD0uu:PQ+N74vkEZIxMohjsimBoDTRMBwFktZu

PEiD..: -

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x159f7

timedatestamp.....: 0x4802539d (Sun Apr 13 18:40:29 2008)

machinetype.......: 0x14c (I386)

( 9 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x380 0x97ba 0x9800 6.45 0d7d81391f33c6450a81be1e3ac8c7b7

NONPAGE 0x9b80 0x18e8 0x1900 6.48 c74a833abd81cc5d037de168e055ad29

.rdata 0xb480 0xa64 0xa80 4.31 8523651899e28819a14bf9415af25708

.data 0xbf00 0xd94 0xe00 0.45 3575b51634ae7a56f55f1ee0a6213834

PAGESCAN 0xcd00 0x157f 0x1580 6.20 dc4c309c4db9576daa752fdd125fccf9

PAGE 0xe280 0x61da 0x6200 6.46 40b83d4d552384e58a03517a98eb4863

INIT 0x14480 0x22be 0x2300 6.47 906462abc478368424ea462d5868d2e3

.rsrc 0x16780 0x3e0 0x400 3.36 8fd2d82e745b289c28bc056d3a0d62ab

.reloc 0x16b80 0xd20 0xd80 6.39 ce2b0898cc0e40b618e5df9099f6be45

( 3 imports )

> ntoskrnl.exe: RtlInitUnicodeString, swprintf, KeSetEvent, IoCreateSymbolicLink, IoGetConfigurationInformation, IoDeleteSymbolicLink, MmFreeMappingAddress, IoFreeErrorLogEntry, IoDisconnectInterrupt, MmUnmapIoSpace, ObReferenceObjectByPointer, IofCompleteRequest, RtlCompareUnicodeString, IofCallDriver, MmAllocateMappingAddress, IoAllocateErrorLogEntry, IoConnectInterrupt, IoDetachDevice, KeWaitForSingleObject, KeInitializeEvent, KeCancelTimer, RtlAnsiStringToUnicodeString, RtlInitAnsiString, IoBuildDeviceIoControlRequest, IoQueueWorkItem, MmMapIoSpace, IoInvalidateDeviceRelations, IoReportDetectedDevice, IoReportResourceForDetection, RtlxAnsiStringToUnicodeSize, NlsMbCodePageTag, PoRequestPowerIrp, KeInsertByKeyDeviceQueue, PoRegisterDeviceForIdleDetection, sprintf, MmMapLockedPagesSpecifyCache, ObfDereferenceObject, IoGetAttachedDeviceReference, IoInvalidateDeviceState, ZwClose, ObReferenceObjectByHandle, ZwCreateDirectoryObject, IoBuildSynchronousFsdRequest, PoStartNextPowerIrp, IoCreateDevice, RtlCopyUnicodeString, IoAllocateDriverObjectExtension, RtlQueryRegistryValues, ZwOpenKey, RtlFreeUnicodeString, IoStartTimer, KeInitializeTimer, IoInitializeTimer, KeInitializeDpc, KeInitializeSpinLock, IoInitializeIrp, ZwCreateKey, RtlAppendUnicodeStringToString, RtlIntegerToUnicodeString, ZwSetValueKey, KeInsertQueueDpc, KefAcquireSpinLockAtDpcLevel, IoStartPacket, KefReleaseSpinLockFromDpcLevel, IoBuildAsynchronousFsdRequest, IoFreeMdl, MmUnlockPages, IoWriteErrorLogEntry, KeRemoveByKeyDeviceQueue, MmMapLockedPagesWithReservedMapping, MmUnmapReservedMapping, KeSynchronizeExecution, IoStartNextPacket, KeBugCheckEx, KeRemoveDeviceQueue, KeSetTimer, _allmul, MmProbeAndLockPages, _except_handler3, PoSetPowerState, IoOpenDeviceRegistryKey, RtlWriteRegistryValue, RtlDeleteRegistryValue, _aulldiv, strstr, _strupr, KeQuerySystemTime, IoWMIRegistrationControl, KeTickCount, IoAttachDeviceToDeviceStack, IoDeleteDevice, ExAllocatePoolWithTag, IoAllocateWorkItem, IoAllocateIrp, 
IoAllocateMdl, MmBuildMdlForNonPagedPool, MmLockPagableDataSection, IoGetDriverObjectExtension, MmUnlockPagableImageSection, ExFreePoolWithTag, IoFreeIrp, IoFreeWorkItem, InitSafeBootMode, RtlCompareMemory, PoCallDriver, memmove, MmHighestUserAddress

> HAL.dll: KfAcquireSpinLock, READ_PORT_UCHAR, KeGetCurrentIrql, KfRaiseIrql, KfLowerIrql, HalGetInterruptVector, HalTranslateBusAddress, KeStallExecutionProcessor, KfReleaseSpinLock, READ_PORT_BUFFER_USHORT, READ_PORT_USHORT, WRITE_PORT_BUFFER_USHORT, WRITE_PORT_UCHAR

> WMILIB.SYS: WmiSystemControl, WmiCompleteRequest

( 0 exports )

RDS...: NSRL Reference Data Set

-

pdfid.: -

trid..: Win32 Executable Generic (68.0%)

Generic Win/DOS Executable (15.9%)

DOS Executable Generic (15.9%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

packers (Kaspersky): PE_Patch

sigcheck:

publisher....: Microsoft Corporation

copyright....: © Microsoft Corporation. All rights reserved.

product......: Microsoft® Windows® Operating System

description..: IDE/ATAPI Port Driver

original name: atapi.sys

internal name: atapi.sys

file version.: 5.1.2600.5512 (xpsp.080413-2108)

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned


Great thanks.

Update Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

=====

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic


Thank you.

I updated and ran MBAM on a quick scan and there was nothing found - log is at end.

I tried to run ESET, but after accepting the license agreement it opens a new window, hangs for a moment, then in the bottom corner says Done next to an orange shield bearing an exclamation mark. I assume it isn't letting me allow the ActiveX control. Is there an easy way to get this running? I looked in the ESET FAQ but couldn't find it.

What should I do to get it running?

MBAM log is below:

Malwarebytes' Anti-Malware 1.44

Database version: 3923

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

28/03/2010 18:43:34

mbam-log-2010-03-28 (18-43-34).txt

Scan type: Quick Scan

Objects scanned: 139858

Time elapsed: 6 minute(s), 12 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


OK see if this one works any better.

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Thanks ever so much. Kaspersky worked without any problems at all and seems to have found 3 infected files. It also saved the report as a Firefox browser file. I am hoping that opening Firefox won't cause some of the problems to re-emerge.

Please advise what is best for me to do now. I very much appreciate your help.

>>>>>>>>>>>>>>>>>>>>>>>>

KASPERSKY ONLINE SCANNER 7.0: scan report

Monday, March 29, 2010

Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Monday, March 29, 2010 11:25:42

Records in database: 3895780

Scan settings

Scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area: My Computer

C:\

D:\

E:\

F:\

G:\

H:\

Scan statistics

Objects scanned: 82891

Threats found: 2

Infected objects found: 3

Suspicious objects found: 0

Scan duration: 01:56:58

File name Threat Threats count

C:\Qoobox\Quarantine\C\WINDOWS\system32\accessxo.exe.vir Infected: Trojan.Win32.Cosmu.qse 1

C:\System Volume Information\_restore{65AD895D-0BE4-4CB4-B46C-1255E3356130}\RP1\A0001109.exe Infected: Trojan.Win32.Cosmu.qse 1

C:\WINDOWS\system32\algn.sys Infected: Backdoor.Win32.IRCNite.gk 1

Selected area has been scanned.


1. Please open Notepad

  • Click Start , then Run
  • Type notepad in the Run box, then click OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:


DDS::
uSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
uSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
mDefault_Search_URL = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
mSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/

Collect::
C:\WINDOWS\system32\algn.sys
c:\windows\system32\$winnt$q.sys
c:\windows\system32\735654856.dat

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScriptB-4.gif]

5. During this run Combofix will collect and automatically upload some sample files.

You will see it say Combofix needs to upload some samples.

If it fails to do that do the requested steps at the bottom of this post to manually upload the samples.

6. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

  • Combofix.txt

=============

Note::

If Combofix fails to upload anything please do the following:

Go to Start > My Computer > C:\

Then Navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

Click Here to upload the submit.zip please.


Thanks Kahdah, I do really appreciate the help you are giving us.

ComboFix ran fine but didn't seem to send anything, so I have uploaded the zipped malware file to the Bleeping Computer site as instructed.

It asked if I wanted to update ComboFix when it started up, but I didn't. Let me know if you would like me to say yes to the ComboFix update.

Here is the log from ComboFix.

I can see something suspicious, in that there is still a running process from a file in the explorer DLL list, which was one of the files targeted for deletion:

c:\windows\TEMP\logishrd\LVPrcInj01.dll

Is there some malicious restore file that we haven't taken out yet? Is it reloading this file when explorer is starting up?

Please let me know what we need to do next.

ComboFix 10-03-27.03 - Maiken 30/03/2010 12:56:06.3.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2046.1576 [GMT 1:00]

Running from: c:\documents and settings\Maiken\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Maiken\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

file zipped: c:\windows\system32\$winnt$q.sys

file zipped: c:\windows\system32\algn.sys

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Maiken\Local Settings\Temporary Internet Files\mcc10A.tmp

c:\documents and settings\Maiken\Local Settings\Temporary Internet Files\mcc97.tmp

c:\windows\system32\$winnt$q.sys

c:\windows\system32\algn.sys

c:\windows\TEMP\logishrd\LVPrcInj01.dll

.

((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-30 )))))))))))))))))))))))))))))))

.

2010-03-26 14:19 . 2010-03-26 14:19 -------- d-----w- c:\documents and settings\Max & Alex\DoctorWeb

2010-03-25 18:37 . 2010-03-25 18:37 52224 ----a-w- c:\documents and settings\Max & Alex\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-03-25 18:37 . 2010-03-25 18:37 117760 ----a-w- c:\documents and settings\Max & Alex\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-03-25 18:37 . 2010-03-25 18:37 -------- d-----w- c:\documents and settings\Max & Alex\Application Data\SUPERAntiSpyware.com

2010-03-25 18:37 . 2006-12-07 10:45 110592 ----a-w- c:\documents and settings\Max & Alex\Application Data\U3\temp\cleanup.exe

2010-03-25 18:36 . 2006-12-07 10:45 3096576 ---ha-w- c:\documents and settings\Max & Alex\Application Data\U3\temp\Launchpad Removal.exe

2010-03-25 18:35 . 2010-03-26 14:18 -------- d-----w- c:\documents and settings\Max & Alex\Application Data\U3

2010-03-25 13:39 . 2010-03-25 13:39 -------- d-----w- c:\documents and settings\Maiken\DoctorWeb

2010-03-25 12:27 . 2010-03-25 12:27 52224 ----a-w- c:\documents and settings\Maiken\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-03-25 12:27 . 2010-03-25 12:27 117760 ----a-w- c:\documents and settings\Maiken\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-03-25 12:27 . 2010-03-25 12:27 -------- d-----w- c:\documents and settings\Maiken\Application Data\SUPERAntiSpyware.com

2010-03-24 22:46 . 2010-03-25 01:42 -------- d-----w- c:\documents and settings\Mark\DoctorWeb

2010-03-24 21:33 . 2010-03-24 21:33 52224 ----a-w- c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-03-24 21:33 . 2010-03-24 21:33 117760 ----a-w- c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-03-24 21:32 . 2010-03-24 21:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-03-24 21:32 . 2010-03-25 11:38 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-03-24 21:32 . 2010-03-24 21:32 -------- d-----w- c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com

2010-03-24 21:30 . 2010-03-24 21:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-03-23 20:56 . 2010-03-23 20:56 -------- d-----w- c:\documents and settings\Max & Alex\Application Data\Malwarebytes

2010-03-23 20:01 . 2010-03-23 20:01 -------- d-----w- c:\documents and settings\Mark\Application Data\Malwarebytes

2010-03-23 15:26 . 2010-03-23 15:26 -------- d-----w- c:\documents and settings\Maiken\Application Data\Malwarebytes

2010-03-23 15:26 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-23 15:26 . 2010-03-23 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-03-23 15:26 . 2010-03-23 15:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-23 15:26 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-23 12:05 . 2010-03-23 12:05 -------- d-----w- c:\documents and settings\Max & Alex\Local Settings\Application Data\Identities

2010-03-22 12:29 . 2010-03-22 12:29 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-03-20 17:49 . 2010-03-20 17:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-03-19 20:06 . 2010-03-19 20:06 -------- d-----w- c:\documents and settings\Mark\Application Data\Turbine

2010-03-18 22:59 . 2010-03-18 22:59 -------- d-----w- c:\documents and settings\All Users\SonicStage

2010-03-18 22:56 . 2001-08-31 15:07 27255 ------w- c:\windows\system32\drivers\NWWMUSB.sys

2010-03-18 22:56 . 2010-03-18 22:56 -------- d-----w- c:\program files\Sony Corporation

2010-03-18 22:56 . 2002-09-11 10:20 11510 ------w- c:\windows\system32\drivers\VMCUSB.sys

2010-03-18 22:54 . 2010-03-18 22:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Corporation

2010-03-18 22:54 . 2010-03-18 22:56 -------- d-----w- c:\program files\Sony

2010-03-18 22:53 . 2010-03-18 22:59 -------- d-----w- c:\documents and settings\Maiken\Application Data\Sony Corporation

2010-03-18 22:53 . 2010-03-18 22:56 -------- d-----w- c:\program files\Common Files\Sony Shared

2010-03-06 11:33 . 2010-03-06 11:35 -------- d-----w- c:\program files\BTHomeHub

2010-03-01 20:37 . 2010-03-01 20:37 -------- d-----w- c:\documents and settings\Mark\Local Settings\Application Data\IBM

2010-02-28 21:06 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-28 09:50 . 2009-11-04 21:48 -------- d-----w- c:\documents and settings\Maiken\Application Data\U3

2010-03-26 19:23 . 2004-08-03 21:59 96512 ----a-w- c:\windows\system32\drivers\atapi.svs

2010-03-26 19:23 . 2004-08-03 21:59 96512 ------w- c:\windows\system32\drivers\atapi.sys

2010-03-24 21:29 . 2009-12-17 17:39 -------- d-----w- c:\documents and settings\Mark\Application Data\U3

2010-03-18 22:56 . 2006-09-01 11:56 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-03-18 22:53 . 2006-09-01 11:52 -------- d-----w- c:\program files\Common Files\InstallShield

2010-02-17 20:26 . 2009-06-06 16:55 -------- d-----w- c:\program files\McAfee

2010-02-05 18:33 . 2007-03-14 19:50 -------- d-----w- c:\program files\Google

2010-02-03 13:57 . 2007-03-14 19:50 -------- d-----w- c:\documents and settings\Maiken\Application Data\Skype

2010-02-03 13:52 . 2008-05-15 16:54 -------- d-----w- c:\documents and settings\Maiken\Application Data\skypePM

2010-01-15 23:05 . 2010-01-15 23:05 290816 -c--a-w- c:\documents and settings\Maiken\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll

2010-01-15 23:05 . 2010-01-15 23:05 290816 -c--a-w- c:\documents and settings\Maiken\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll

2010-01-15 23:05 . 2010-01-15 23:05 290816 -c--a-w- c:\documents and settings\Maiken\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll

2010-01-15 23:05 . 2010-01-15 23:05 290816 -c--a-w- c:\documents and settings\Maiken\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll

2009-12-31 16:50 . 2004-09-16 12:59 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-11-02 00:01 . 2009-11-02 00:01 66936 -csha-w- c:\windows\dlinfo_0.drv

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-22 68856]

"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-01-23 2937528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-04-08 7081984]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]

"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]

"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2004-02-24 868352]

"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]

"Motive SmartBridge"="c:\progra~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe" [2006-02-06 462935]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]

"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2009-09-14 1584640]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-20 12669544]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-20 110184]

"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

BT Broadband Desktop Help.lnk - c:\program files\BT Home Hub\Help\bin\matcli.exe [2006-10-4 217088]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"58403:TCP"= 58403:TCP:Pando Media Booster

"58403:UDP"= 58403:UDP:Pando Media Booster

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 11:25 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2010 11:15 66632]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [06/06/2009 17:58 93320]

R3 U2KG54L;BUFFALO WLI-U2-KG54L Wireless LAN Driver;c:\windows\system32\drivers\U2KG54L.SYS [24/08/2006 05:44 477696]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/02/2010 19:33 135664]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2010 11:15 12872]

.

Contents of the 'Scheduled Tasks' folder

2010-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 18:33]

2010-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 18:33]

2009-11-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-06 11:22]

2010-03-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-06 11:22]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://home.bt.yahoo.com

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

Trusted Zone: eset.eu\www

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Maiken\Application Data\Mozilla\Firefox\Profiles\7vmck1rs.default\

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\program files\Common Files\Motive\npMotive.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll

FF - HiddenExtension: XULRunner: {520A6825-7BE0-426A-8558-7FA857AB12CC} - c:\windows\system32\config\systemprofile\Local Settings\Application Data\{520A6825-7BE0-426A-8558-7FA857AB12CC}\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-30 13:03

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(7308)

c:\windows\system32\WININET.dll

c:\windows\TEMP\logishrd\LVPrcInj01.dll

c:\progra~1\BTHOME~1\Help\SMARTB~1\SBHook.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\progra~1\McAfee\VIRUSS~1\mcshield.exe

c:\program files\McAfee\MPF\MPFSrv.exe

c:\windows\system32\MsPMSPSv.exe

c:\progra~1\mcafee.com\agent\mcagent.exe

c:\windows\system32\wscntfy.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\progra~1\Yahoo!\browser\ycommon.exe

c:\windows\system32\RUNDLL32.EXE

c:\program files\BT Home Hub\Help\bin\mpbtn.exe

c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe

.

**************************************************************************

.

Completion time: 2010-03-30 13:08:37 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-30 12:08

ComboFix2.txt 2010-03-28 15:48

ComboFix3.txt 2010-03-28 11:24

Pre-Run: 119,632,265,216 bytes free

Post-Run: 119,742,566,400 bytes free

- - End Of File - - 6E390B2F33CBBA6639536120AD89D417

1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

http://forums.malwarebytes.org/index.php?showtopic=44731&pid=222283&mode=threaded&start=0#entry222283

DDS::
uSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
uSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
mDefault_Search_URL = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
mSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/

Collect::
C:\WINDOWS\system32\algn.sys
c:\windows\system32\$winnt$q.sys
c:\windows\system32\735654856.dat

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScriptB-4.gif]

5. During this run Combofix will collect and automatically upload some sample files.

You will see it say Combofix needs to upload some samples.

If it fails to do that do the requested steps at the bottom of this post to manually upload the samples.

6. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

  • Combofix.txt

=============

Note::

If Combofix fails to upload anything please do the following:

Go to Start > My Computer > C:\

Then Navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

Click Here to upload the submit.zip please.

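Three things in the ComboFix log earlier in this thread are worth spotting at a glance: a driver look-alike (atapi.svs sitting next to atapi.sys with the same byte size), a file in c:\windows carrying both the hidden and system attributes, and registry values that turn protection off (Security Center monitoring disabled for the McAfee products, EnableFirewall=0 on the standard profile). The script below is an added example for this thread, not ComboFix, Malwarebytes or McAfee code; it parses the "Find3M Report" and "Reg Loading Points" formats as they appear above and reports those three patterns. The sample lines are copied from the log in this thread, and the matching rules (same directory, same size, names one character apart; the attribute letters; the value names checked) are assumptions made for the example.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix/Malwarebytes code).

Reads the "Find3M Report" and "Reg Loading Points" sections and flags:
  * look-alike file pairs in one directory (same size, names one character apart);
  * files with both the hidden (h) and system (s) attributes;
  * registry values that switch protection off (Security Center monitoring
    disabled, Windows Firewall standard profile disabled).
Matching rules are assumptions made for this example.
"""
import re
from collections import defaultdict

# One Find3M line: <modified> . <created> <size or --------> <attrs> <path>
FIND3M_RE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")          # [HKEY_...] section header
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.+)$')  # "Name"=data

# Sample lines copied from the log in this thread (constructed subset for the example).
SAMPLE_LOG = r"""
2010-03-26 19:23 . 2004-08-03 21:59 96512 ----a-w- c:\windows\system32\drivers\atapi.svs
2010-03-26 19:23 . 2004-08-03 21:59 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-02-17 20:26 . 2009-06-06 16:55 -------- d-----w- c:\program files\McAfee
2009-12-31 16:50 . 2004-09-16 12:59 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-11-02 00:01 . 2009-11-02 00:01 66936 -csha-w- c:\windows\dlinfo_0.drv
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


def parse_find3m(lines):
    """Return one dict per file entry; directory entries (attrs start with 'd') are skipped."""
    entries = []
    for line in lines:
        m = FIND3M_RE.match(line.strip())
        if not m or m.group("attrs").startswith("d"):
            continue
        folder, _, name = m.group("path").lower().rpartition("\\")
        size = int(m.group("size")) if m.group("size").isdigit() else -1
        entries.append({"folder": folder, "name": name, "size": size, "attrs": m.group("attrs")})
    return entries


def one_char_apart(a, b):
    """True when two names have equal length and differ in exactly one position."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def find_lookalikes(entries):
    """Pairs of files in the same folder with identical size and near-identical names."""
    by_folder = defaultdict(list)
    for e in entries:
        by_folder[e["folder"]].append(e)
    pairs = []
    for folder, items in by_folder.items():
        for i, a in enumerate(items):
            for b in items[i + 1:]:
                if a["size"] == b["size"] and one_char_apart(a["name"], b["name"]):
                    pairs.append((folder + "\\" + a["name"], folder + "\\" + b["name"]))
    return pairs


def find_hidden_system(entries):
    """Files whose attribute string carries both 'h' (hidden) and 's' (system)."""
    return [e["folder"] + "\\" + e["name"] for e in entries
            if "h" in e["attrs"] and "s" in e["attrs"]]


def find_protection_disabled(lines):
    """Walk the REGEDIT4-style section and report values that turn protection off."""
    findings, key = [], ""
    for line in lines:
        km = KEY_RE.match(line.strip())
        if km:
            key = km.group("key").lower()
            continue
        vm = VALUE_RE.match(line.strip())
        if not vm:
            continue
        name, data = vm.group("name").lower(), vm.group("data").strip().lower()
        if "security center\\monitoring" in key and name == "disablemonitoring" and data.endswith("1"):
            findings.append(f"{key}: Security Center monitoring disabled")
        elif "firewallpolicy\\standardprofile" in key and name == "enablefirewall" and data.startswith("0"):
            findings.append(f"{key}: Windows Firewall disabled")
    return findings


def triage(log_text):
    """Run all three checks over a log and return the findings grouped by kind."""
    lines = log_text.splitlines()
    entries = parse_find3m(lines)
    return {
        "lookalikes": find_lookalikes(entries),
        "hidden_system": find_hidden_system(entries),
        "protection_off": find_protection_disabled(lines),
    }


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("   ", item)
```

Run it as-is to see the three findings from the sample; pass the text of a saved ComboFix.txt to `triage` to apply the same checks to a full log. The look-alike rule is deliberately narrow (same folder, same byte size, one character apart) so that an ordinary neighbour such as srv.sys next to atapi.sys is not reported.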

I can see something suspicious in that there is a running process still from a file in the explorer dll processes listed that was one of the files targeted for deletion:

c:\windows\TEMP\logishrd\LVPrcInj01.dll

Is there some malicious restore file that we haven't taken out yet? Is it reloading this file when explorer is starting up?

No nothing malicious but that is a logitech file.

It reloads every boot due to the software being installed.

How are things running?

Any problems?

Your logs are clean.


It seems to run really nicely - everything is much much faster now and I haven't noticed any problems.

My goodness, does this mean it is healthy?

Is it worth us considering using different antivirus software to keep the computer clean? We hardly surf or download anything at all and I am at a loss how we got so horribly infected. We certainly will look into real-time malware protection.

You've been absolutely wonderful in the help you've given us. Thank you.

Let me know if we need to do anything else to check the computer is clean.


You are welcome :rolleyes:

You could get infected no matter what protection you have installed.

But if you were to change over to another antivirus then I would choose Kaspersky.

=======Cleanup=======

  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.

===============Update Java===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 18...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.

======================Clear out infected System Restore points======================

Then we need to reset your System Restore points.

The link below shows how to do this.

How to Turn On and Turn Off System Restore in Windows XP

http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link: http://www.bleepingcomputer.com/tutorials/...143.html#manual

Delete/uninstall anything else that we have used that is leftover.

=====================================

After that you're all set.

The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, please read the Prevention article by Miekiemoes.

If your computer is slow - A tutorial on what you can do if your computer is slow.

File sharing program dangers - Reasons to stay away from file sharing programs, for example BitTorrent, Limewire, Kazaa, eMule, uTorrent etc.


I can't believe it! We have our computer back! Thanks from all of us here.

I removed Combofix as instructed and it gave two odd messages, both relating to the logitech file c:\windows\TEMP\logishrd\LVPrcInj01.dll that first it said was trying to attach to Combofix. Then it reported that it had detected rootkit activity at the same file address. However, Combofix was removed fine.

I then followed through with the clean up - downloaded and installed the latest Java (removing an earlier version). The computer crashed on reboot when removing java but seems to have removed it fine.

I then cleared the windows restore points by unchecking, and then reset the restore point by checking it again.

Just for good measure, I did a Windows Update from Microsoft (but nothing was there) and then did a Kaspersky online scan of my computer and a pen drive I used during the process (transferring downloads from one computer to another), and everything was clean.

Thanks ever so much for all the help you have given us. I cannot thank you enough. You really are cyberspace superheroes.
