Jump to content

Help required with suspected Whistler/Black virus


Recommended Posts

I need help removing a particular rootkit virus that Malwarebytes won't pick up. I think it's Whistler/Black.

As instructed here is the DDS copy and also see attached logs.

Regards,

Martin

DDS (Ver_10-03-17.01) - NTFSx86

Run by Martin at 18:08:07.59 on 02/08/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1235 [GMT 1:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\System32\S24EvMon.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\1XConfig.exe

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe

C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe

C:\WINDOWS\System32\RegSrvc.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

C:\Program Files\UltraVNC\WinVNC.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\pctspk.exe

C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe

C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe

C:\Program Files\Belkin\F5D7011\Belkinwcui.exe

C:\Program Files\Dell\Bluetooth Software\BTTray.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Documents and Settings\Martin\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: {1A1DAC8C-074D-440F-8707-7009A672D7D1} - No File

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [sony Ericsson PC Suite] "c:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon

uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [PCTVOICE] pctspk.exe

mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe

mRun: [ACT_APL] "c:\program files\act\act for windows\ACT_APL.exe"

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [\\bd-accounts\EPSON Stylus Photo R240 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiahe.exe /p44 "\\bd-accounts\EPSON Stylus Photo R240 Series" /O6 "USB001" /M "Stylus Photo R240"

mRun: [Auto EPSON Stylus Photo R240 Series on GLEN-BREWSTER] c:\windows\system32\spool\drivers\w32x86\3\e_fatiahe.exe /p52 "auto epson stylus photo r240 series on glen-brewster" /o24 "\\glen-brewster\EPSONSty" /M "Stylus Photo R240"

mRun: [Auto EPSON Stylus Photo R240 Series on GLENSYS] c:\windows\system32\spool\drivers\w32x86\3\e_fatiahe.exe /p46 "auto epson stylus photo r240 series on glensys" /o40 "\\glensys\EPSON Stylus Photo R240 Series" /M "Stylus Photo R240"

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\f5d7011\Belkinwcui.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\dell\bluetooth software\BTTray.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\dell\bluetooth software\btsendto_ie.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1259865474515

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: {090F82C2-2605-444D-A951-FC7FD085A2A4} = 10.200.7.1

Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxdev.dll

Notify: Sebring - c:\windows\system32\LgNotify.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\martin\applic~1\mozilla\firefox\profiles\jqrbgaek.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-7-15 64288]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-21 165456]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-2-28 532224]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-21 17744]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-21 40384]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-6 1352832]

R2 MSSQL$ACT7;MSSQL$ACT7;c:\program files\microsoft sql server\mssql$act7\binn\sqlservr.exe -sact7 --> c:\program files\microsoft sql server\mssql$act7\binn\sqlservr.exe -sACT7 [?]

R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\sony ericsson\sony ericsson pc suite\SupServ.exe [2010-4-25 90112]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-6-24 92008]

R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-21 40384]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-21 40384]

R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-4-18 27632]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-16 136176]

S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2010-6-4 13224]

S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [2010-4-18 86824]

S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [2010-4-18 15016]

S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [2010-4-18 114728]

S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [2010-4-18 106208]

S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [2010-4-18 26024]

S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [2010-4-18 104744]

S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [2010-4-18 109864]

S3 SQLAgent$ACT7;SQLAgent$ACT7;c:\program files\microsoft sql server\mssql$act7\binn\sqlagent.exe -i act7 --> c:\program files\microsoft sql server\mssql$act7\binn\sqlagent.EXE -i ACT7 [?]

=============== Created Last 30 ================

2010-08-02 17:05:31 0 ----a-w- c:\documents and settings\martin\defogger_reenable

2010-08-02 15:28:26 0 d-----w- c:\program files\Exterminate It!

2010-07-31 13:52:49 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-07-31 13:52:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-07-21 08:57:18 3251 ----a-w- c:\windows\system32\wbem\Outlook_01cb28b2b8c69e4b.mof

2010-07-20 22:41:11 0 d-----w- c:\docume~1\alluse~1\applic~1\TomTom

2010-07-20 22:40:06 0 d-----w- c:\docume~1\martin\applic~1\TomTom

2010-07-20 22:39:27 0 d-----w- c:\program files\TomTom International B.V

2010-07-20 22:38:53 0 d-----w- c:\program files\TomTom HOME 2

2010-07-20 22:32:52 0 d-----w- c:\program files\TomTom DesktopSuite

2010-07-15 18:00:48 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-07-15 09:39:59 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-07-15 09:39:51 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-07-15 09:21:12 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{65893B95-F47B-4483-B883-86BA181E9B54}

2010-07-15 09:20:18 0 d-----w- c:\program files\Lavasoft

2010-07-14 07:25:43 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

2010-07-13 21:23:06 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-12 17:55:34 0 d-----w- c:\docume~1\martin\applic~1\SUPERAntiSpyware.com

2010-07-12 17:55:34 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2010-07-12 17:55:19 0 d-----w- c:\program files\SUPERAntiSpyware

2010-07-12 17:45:15 0 d-----w- c:\program files\Trend Micro

2010-07-11 19:13:48 38848 ----a-w- c:\windows\avastSS.scr

==================== Find3M ====================

2010-06-26 09:54:22 4212 ---ha-w- c:\windows\system32\zllictbl.dat

2010-06-23 12:51:22 1238528 ----a-w- c:\windows\system32\zpeng25.dll

2010-06-04 21:00:56 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ggsemc_01007.Wdf

2010-06-04 21:00:56 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ggflt_01007.Wdf

2010-06-04 21:00:54 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf

2010-06-04 20:57:57 25512 ----a-w- c:\windows\system32\drivers\ggsemc.sys

2010-06-04 20:57:57 13224 ----a-w- c:\windows\system32\drivers\ggflt.sys

2010-06-04 20:57:57 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll

2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll

2005-10-31 15:35:11 104 --sh--r- c:\windows\system32\40F49A663E.sys

2008-06-23 11:37:43 3140 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-02-22 20:05:24 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010022220100223\index.dat

============= FINISH: 18:10:06.27 ===============

Attach.zip

mbam_log_2010_08_02__19_35_24_.txt

Link to post
Share on other sites

  • Staff

Hi and welcome to Malwarebytes.

Let's confirm that the infection is present.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

Link to post
Share on other sites

Hi!

Finally got round to starting Combofix and followed instructions to the letter... it got to the "Scanning for infected files..." blue screen... expecting it to take 10-20mins, maybe 30mins... but it's been going an hour now and doesn't seem to be doing anything as it suggested in the instructions.

Will try and leave it until you reply - but doubt it will stay on that long...

Please advise.

Thanks,

Martin

Link to post
Share on other sites

After six hours of inactivity I reset PC and booted in safe mode and it worked. Requested new logs attached.

I await the next instruction.

Thanks for your help - very much appreciated!

Martin

Hi and welcome to Malwarebytes.

Let's confirm that the infection is present.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

DDS.txt

Attach.zip

ComboFix.txt

Link to post
Share on other sites

  • Staff

Hi Martin,

In the future please post all logs directly into your reply instead of attaching them.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

Link to post
Share on other sites

Here are the two logs as requested...

Please advise next steps.... or is that it? Is my system clear now?

Thanks so much for your help. :D

Martin

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=745d1ec8c618e2419baaf1304444a8ba

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=false

# utc_time=2010-08-12 05:20:49

# local_time=2010-08-12 06:20:49 (+0000, GMT Daylight Time)

# country="United Kingdom"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 2671973 2671973 0 0

# compatibility_mode=768 16777215 100 0 12499397 12499397 0 0

# compatibility_mode=1024 16777215 100 0 14270966 14270966 0 0

# compatibility_mode=8192 67108863 100 0 434 434 0 0

# compatibility_mode=9217 16777214 75 70 4082506 4332766 0 0

# scanned=79338

# found=1

# cleaned=1

# scan_time=4989

C:\Qoobox\Quarantine\MBR_HardDisk0.mbr Win32/Mebroot.mbr trojan (cleaned by deleting - quarantined) 69A2DA11BC1562A874949B1B67BCE73C C

Results of screen317's Security Check version 0.99.5

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

avast! Free Antivirus

ESET Online Scanner v3

ZoneAlarm

Antivirus up to date! (On Access scanning disabled!)

```````````````````````````````

Anti-malware/Other Utilities Check:

Ad-Aware

Malwarebytes' Anti-Malware

CCleaner

Java 6 Update 20

Out of date Java installed!

Adobe Flash Player 10.1.53.64

Adobe Reader 7.1.0

Out of date Adobe Reader installed!

Mozilla Firefox (3.6.8)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Ad-Aware AAWService.exe is disabled!

Ad-Aware AAWTray.exe is disabled!

Alwil Software Avast5 AvastSvc.exe

Zone Labs ZoneAlarm zlclient.exe

````````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

Hi Martin,

In the future please post all logs directly into your reply instead of attaching them.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

Link to post
Share on other sites

  • Staff

Hi Martin,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java

Link to post
Share on other sites

All done... thank you so much for helping me - I can usually fix virus problems myself as very competent user... but this one stumped me!

PC running much better now - I will only come back to you if I encounter further issues.

Once again, thank you! :) :)

Martin

Hi Martin,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java

Link to post
Share on other sites

  • Staff

Glad to hear it.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

3) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

4) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

5) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

6) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317

Link to post
Share on other sites

  • 2 weeks later...
  • Staff

Glad we could help. :P

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.