My PC has been infected, I could use some help! It is the XP Anti-Spyware 2011 malware... I have Malwarebytes and Avast! on my system but neither caught it.

I have run the process up through the ComboFix log, which is running now, as detailed here: http://forums.malwarebytes.org/index.php?showtopic=79312

ComboFix 11-05-03.02 - Nick 05/04/2011 7:12.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.458 [GMT -4:00]

Running from: c:\documents and settings\Nick\Desktop\ComboFix.exe

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Nick\Local Settings\Application Data\beg.exe

c:\documents and settings\Nick\Local Settings\Application Data\ooo.exe

c:\documents and settings\Nick\WINDOWS

.

.

((((((((((((((((((((((((( Files Created from 2011-04-04 to 2011-05-04 )))))))))))))))))))))))))))))))

.

.

2011-05-04 01:46 . 2011-05-04 01:53 -------- d-----w- C:\32788R22FWJFW.0.tmp

2011-05-04 01:27 . 2011-05-04 01:46 -------- d-----w- c:\documents and settings\Nick\Application Data\U3

2011-05-02 22:52 . 2011-04-18 17:17 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-04-18 17:25 . 2011-01-15 22:59 40112 ----a-w- c:\windows\avastSS.scr

2011-04-18 17:25 . 2011-01-15 22:59 199304 ----a-w- c:\windows\system32\aswBoot.exe

2011-04-18 17:17 . 2011-01-15 22:59 307288 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-04-18 17:16 . 2011-01-15 22:59 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-04-18 17:16 . 2011-01-15 22:59 102488 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-04-18 17:16 . 2011-01-15 22:59 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-04-18 17:13 . 2011-01-15 22:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-04-18 17:13 . 2011-01-15 22:59 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-04-18 17:12 . 2011-01-15 22:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-03-07 05:33 . 2004-08-11 22:12 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:45 . 2004-08-11 22:00 434176 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21 . 2004-08-11 22:00 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-02-18 20:36 . 2009-06-21 20:03 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll

2011-02-18 20:36 . 2007-11-13 03:03 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2011-02-17 19:00 . 2004-08-11 22:00 832512 ----a-w- c:\windows\system32\wininet.dll

2011-02-17 19:00 . 2004-08-11 22:00 1830912 ------w- c:\windows\system32\inetcpl.cpl

2011-02-17 19:00 . 2004-08-11 22:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2011-02-17 19:00 . 2004-08-11 22:00 17408 ------w- c:\windows\system32\corpol.dll

2011-02-17 13:18 . 2004-08-11 22:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-02-17 13:18 . 2004-08-11 22:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys

2011-02-17 12:32 . 2009-04-15 01:18 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-17 11:44 . 2004-08-11 22:00 389120 ----a-w- c:\windows\system32\html.iec

2011-02-15 12:56 . 2004-08-11 22:00 290432 ----a-w- c:\windows\system32\atmfd.dll

2011-02-11 13:25 . 2004-08-11 22:11 229888 ----a-w- c:\windows\system32\fxscover.exe

2011-02-09 13:53 . 2004-08-11 22:00 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2004-08-11 22:00 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-08 13:33 . 2004-08-11 22:00 978944 ----a-w- c:\windows\system32\mfc42.dll

2011-02-08 13:33 . 2004-08-11 22:00 974848 ----a-w- c:\windows\system32\mfc42u.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2011-04-18 17:25 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ooVoo.exe"="c:\program files\ooVoo\oovoo.exe" [2010-02-10 18784440]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-04-15 159744]

"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]

"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2007-01-30 102400]

"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-01-22 212992]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]

"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 63048]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]

"Boingo Wi-Fi"="c:\program files\Boingo\Boingo Wi-Fi\Boingo.lnk" [2011-05-04 2179]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-9-13 50688]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2010-12-08 18:11 87424 ----a-w- c:\windows\system32\LMIinit.dll

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest wsauth

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\ooVoo\\ooVoo.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\VMware\\VMware View\\Client\\bin\\vmware-remotemks.exe"=

"c:\\Program Files\\VMware\\VMware View\\Client\\bin\\wswc.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"42904:UDP"= 42904:UDP:Lime

"20:TCP"= 20:TCP:knight

"21:TCP"= 21:TCP:knight

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

"443:TCP"= 443:TCP:ooVoo TCP port 443

"443:UDP"= 443:UDP:ooVoo UDP port 443

"37674:TCP"= 37674:TCP:ooVoo TCP port 37674

"37674:UDP"= 37674:UDP:ooVoo UDP port 37674

"37675:UDP"= 37675:UDP:ooVoo UDP port 37675

.

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [9/13/2007 2:23 AM 3456]

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/2/2011 6:52 PM 441176]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [1/15/2011 6:59 PM 307288]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 8:56 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 8:56 AM 67656]

R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 3:21 PM 79432]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/15/2011 6:59 PM 19544]

R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [10/2/2010 10:09 AM 374152]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [4/17/2007 2:00 PM 12856]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/28/2007 9:03 PM 24652]

R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/11/2004 6:00 PM 5120]

R2 wsnm;VMware View Client;c:\program files\VMware\VMware View\Client\bin\wsnm.exe [8/26/2010 5:52 PM 494128]

R2 wsnm_usbctrl;VMware View USB Control;c:\program files\VMware\VMware View\Client\bin\wsnm_usbctrl.exe [8/26/2010 5:53 PM 793136]

R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 1:32 PM 97536]

R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [10/6/2008 4:38 PM 26624]

R3 vmwvusb;VMware View Generic USB Driver;c:\windows\system32\drivers\vmwvusb.sys [2/6/2011 5:56 PM 39984]

S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [9/30/2007 11:48 AM 58240]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 8:56 AM 12872]

S3 XDva025;XDva025;\??\c:\windows\system32\XDva025.sys --> c:\windows\system32\XDva025.sys [?]

S3 XDva031;XDva031;\??\c:\windows\system32\XDva031.sys --> c:\windows\system32\XDva031.sys [?]

S3 XDva062;XDva062;\??\c:\windows\system32\XDva062.sys --> c:\windows\system32\XDva062.sys [?]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WUAUSERV

.

Contents of the 'Scheduled Tasks' folder

.

2011-03-12 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

.

2011-05-01 c:\windows\Tasks\Norton Security Scan for Nick.job

- c:\progra~1\NORTON~2\Engine\301~1.8\Nss.exe [2011-01-18 01:15]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.mystart.com?pr=oovoo2_0

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

LSP: c:\windows\system32\biolsp.dll

Trusted Zone: microsoft.com\*.update

Trusted Zone: microsoft.com\*.windowsupdate

Trusted Zone: microsoft.com\update

Trusted Zone: microsoft.com\windowsupdate

Trusted Zone: windowsupdate.com

Trusted Zone: windowsupdate.com\download

FF - ProfilePath - c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\uk6kh7cd.default\

FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.mystart.com?pr=oovoo2_0

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

FF - Ext: AIM Toolbar: {c2f863cd-0429-48c7-bb54-db756a951760} - %profile%\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\Alwil Software\Avast5\WebRep\FF

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-Aim6 - (no file)

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-04 07:32

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1400)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\LMIinit.dll

.

- - - - - - - > 'lsass.exe'(1456)

c:\windows\system32\wsauth.dll

c:\windows\system32\biolsp.dll

.

- - - - - - - > 'explorer.exe'(4840)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Roxio\Drag-to-Disc\Shellex.dll

c:\windows\system32\DLAAPI_W.DLL

c:\windows\system32\CDRTC.DLL

c:\program files\Roxio\Drag-to-Disc\ShellRes.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\windows\system32\LMIRfsClientNP.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\windows\System32\bcmwltry.exe

c:\program files\Alwil Software\Avast5\AvastSvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\LogMeIn\x86\RaMaint.exe

c:\program files\LogMeIn\x86\LogMeIn.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\program files\Dell\QuickSet\NICCONFIGSVC.exe

c:\program files\SigmaTel\C-Major Audio\WDM\StacSV.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\windows\system32\msdtc.exe

c:\windows\stsystra.exe

c:\program files\Apoint\ApMsgFwd.exe

c:\program files\Boingo\Boingo Wi-Fi\Boingo Wi-Fi.exe

c:\program files\Apoint\HidFind.exe

c:\program files\Apoint\Apntex.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe

c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe

.

**************************************************************************

.

Completion time: 2011-05-04 09:17:19 - machine was rebooted

ComboFix-quarantined-files.txt 2011-05-04 13:15

.

Pre-Run: 37,194,960,896 bytes free

Post-Run: 37,595,561,984 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

.

- - End Of File - - 444FEFF36E2C3FB30E2B31AEB9207CA0

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post only DDS.txt directly into your reply.
