Hey, I can't get rid of this Rootkit.TDSS. Malwarebytes finds it, but whenever I restart it comes back. Here are the logs.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:57 PM, on 8/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\program files\steam\steam.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\mIRC\mirc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.garena.com/portal/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: ooVoo Toolbar - {A057A204-BACC-4D26-8087-36EE87E26986} - C:\PROGRA~1\OOVOOT~1\OOVOOT~1.DLL
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O3 - Toolbar: ooVoo Toolbar - {A057A204-BACC-4D26-8087-36EE87E26986} - C:\PROGRA~1\OOVOOT~1\OOVOOT~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.51b\bin\mysqld-nt.exe
--
End of file - 5364 bytes
MBAM Log
Malwarebytes' Anti-Malware 1.40
Database version: 2720
Windows 5.1.2600 Service Pack 2
8/31/2009 10:14:13 PM
mbam-log-2009-08-31 (22-14-13).txt
Scan type: Quick Scan
Objects scanned: 89403
Time elapsed: 6 minute(s), 19 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmutavnklv (Rootkit.TDSS) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
#1
Posted 01 September 2009 - 02:22 AM
#2
Posted 02 September 2009 - 02:54 PM
Hi,
* Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingc...to-use-combofix
Post the log from ComboFix in your next reply.
Please make sure you disable ALL of your antivirus/antispyware/firewall software before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
#3
Posted 02 September 2009 - 10:57 PM
ComboFix 09-09-01.08 - Owner 09/02/2009 18:33:38.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.656 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\RECYCLER\S-1-5-21-1640842703-1133726716-3335999617-1003
C:\WINDOWS\system32\bJPWayay.ini2
C:\WINDOWS\system32\Drivers\joef.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_kbiwkmutavnklv
-------\Legacy_TDSSSERV
-------\Service_kbiwkmutavnklv
-------\Service_tdssserv
((((((((((((((((((((((((( Files Created from 2009-08-02 to 2009-09-02 )))))))))))))))))))))))))))))))
.
2009-09-01 02:16:39 . 2009-09-01 02:16:39 0 d-----w- C:\Program Files\Trend Micro
2009-08-31 17:48:38 . 2009-08-31 17:48:38 0 d-----w- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-31 17:48:26 . 2009-08-31 17:48:29 0 d-----w- C:\Program Files\SUPERAntiSpyware
2009-08-31 17:48:26 . 2009-08-31 17:48:26 0 d-----w- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2009-08-31 01:48:46 . 2009-08-31 01:48:46 604140 --sha-w- C:\WINDOWS\system32\drivers\ISwift3.dat
2009-08-31 01:43:29 . 2009-08-31 01:43:29 94643 ----a-w- C:\WINDOWS\system32\drivers\klick.dat
2009-08-31 01:43:29 . 2009-08-31 01:43:29 105395 ----a-w- C:\WINDOWS\system32\drivers\klin.dat
2009-08-31 01:42:29 . 2009-09-02 18:39:21 0 d-----w- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2009-08-31 01:42:29 . 2009-08-31 01:42:29 0 d-----w- C:\Program Files\Kaspersky Lab
2009-08-31 01:38:55 . 2009-08-31 01:38:55 0 d-----w- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-08-30 23:53:51 . 2009-08-31 01:40:11 0 d-----w- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-08-30 21:04:21 . 2009-08-30 21:04:21 0 d-----w- C:\_OTM
2009-08-30 19:42:39 . 2009-08-31 02:00:29 45344 ----a-w- C:\WINDOWS\system32\drivers\gfa9804.sys
2009-08-13 21:43:08 . 2009-08-13 21:43:08 0 d-----w- C:\Documents and Settings\Owner\Local Settings\Application Data\Cranium
2009-08-12 18:31:54 . 2008-10-10 08:52:38 452440 ----a-w- C:\WINDOWS\system32\d3dx10_40.dll
2009-08-12 18:31:54 . 2008-10-10 08:52:38 2036576 ----a-w- C:\WINDOWS\system32\D3DCompiler_40.dll
2009-08-12 18:31:50 . 2008-10-10 08:52:38 4379984 ----a-w- C:\WINDOWS\system32\D3DX9_40.dll
2009-08-12 18:31:46 . 2007-04-04 22:53:42 81768 ----a-w- C:\WINDOWS\system32\xinput1_3.dll
2009-08-12 18:31:44 . 2009-08-12 18:31:44 0 d-----w- C:\WINDOWS\Logs
2009-08-12 18:31:42 . 2009-08-24 01:45:43 0 d-----w- C:\Program Files\Heroes of Newerth
2009-08-12 06:20:50 . 2009-08-15 01:30:23 0 d-----w- C:\temp\RipBot264temp
2009-08-12 06:20:46 . 2009-08-12 06:20:50 0 d-----w- C:\Temp
2009-08-11 18:48:36 . 2009-08-11 18:48:36 0 d-----w- C:\Program Files\Common Files\eSellerate
2009-08-11 04:38:44 . 2009-08-11 05:28:02 0 d-----w- C:\Program Files\Encoding The juGGaKNot Way
2009-08-11 04:24:35 . 2009-08-11 04:24:35 0 d-----w- C:\Documents and Settings\Owner\Local Settings\Application Data\www.doom9.net
2009-08-11 04:15:11 . 2009-08-11 05:21:58 0 d-----w- C:\Program Files\megui
2009-08-09 03:55:22 . 2009-08-09 03:55:22 0 d-----w- C:\clips
2009-08-09 03:41:59 . 2009-08-09 03:41:59 0 d-----w- C:\Program Files\Haali
2009-08-09 03:39:43 . 2009-06-20 20:15:36 85504 ----a-w- C:\WINDOWS\system32\ff_vfw.dll
2009-08-09 03:39:42 . 2008-09-29 16:31:02 60273 ----a-w- C:\WINDOWS\system32\pthreadGC2.dll
2009-08-09 03:39:41 . 2009-08-09 03:39:44 0 d-----w- C:\Program Files\ffdshow
2009-08-08 17:17:23 . 2000-08-23 21:00:40 33280 ----a-w- C:\WINDOWS\system32\HUFFYUV.DLL
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-02 22:40:28 . 2008-09-05 00:21:04 0 d-----w- C:\Program Files\Steam
2009-09-02 22:37:54 . 2008-08-26 03:49:58 0 d-----w- C:\Documents and Settings\Owner\Application Data\mIRC
2009-09-02 18:42:18 . 2008-08-26 03:49:58 0 d-----w- C:\Program Files\mIRC
2009-08-31 21:36:19 . 2009-03-28 22:09:32 0 d-----w- C:\Documents and Settings\Owner\Application Data\U3
2009-08-31 17:48:06 . 2008-08-26 03:48:55 0 d-----w- C:\Program Files\Common Files\Wise Installation Wizard
2009-08-31 06:09:31 . 2008-09-10 00:52:16 0 d---a-w- C:\Documents and Settings\All Users\Application Data\TEMP
2009-08-30 21:36:05 . 2008-08-26 05:15:49 0 d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2009-08-30 04:54:34 . 2009-01-09 00:15:35 0 d-----w- C:\Program Files\CEVO
2009-08-29 01:11:06 . 2008-11-11 16:42:08 0 d-----w- C:\Program Files\compLexity Demo Player
2009-08-11 04:38:57 . 2009-06-16 18:47:29 0 d-----w- C:\Program Files\AviSynth 2.5
2009-08-08 23:47:19 . 2008-08-26 07:30:26 30800 ----a-w- C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 18:38:42 . 2008-09-14 18:09:35 2502 ----a-w- C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2009-08-03 17:36:28 . 2008-08-26 05:15:54 38160 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36:06 . 2008-08-26 05:15:55 19096 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2009-08-01 02:35:55 . 2008-08-26 07:38:40 0 d-----w- C:\Program Files\Warcraft III
2009-08-01 02:07:50 . 2009-01-20 01:03:00 22328 ----a-w- C:\WINDOWS\system32\drivers\PnkBstrK.sys
2009-08-01 02:07:50 . 2009-01-20 01:03:00 22328 ----a-w- C:\Documents and Settings\Owner\Application Data\PnkBstrK.sys
2009-08-01 02:07:40 . 2009-01-20 01:02:42 107832 ----a-w- C:\WINDOWS\system32\PnkBstrB.exe
2009-08-01 02:07:32 . 2009-01-20 01:02:39 2246144 ----a-w- C:\WINDOWS\system32\pbsvc.exe
2009-08-01 02:00:50 . 2009-01-20 01:02:39 66872 ----a-w- C:\WINDOWS\system32\PnkBstrA.exe
2009-08-01 01:59:09 . 2009-08-01 01:59:09 0 d-----w- C:\Program Files\Windows Installer Clean Up
2009-08-01 01:58:56 . 2009-08-01 01:58:56 0 d-----w- C:\Program Files\MSECACHE
2009-07-31 21:41:25 . 2008-12-06 20:48:19 0 d-----w- C:\Program Files\Garena
2009-07-30 19:08:23 . 2009-07-29 00:33:25 0 d-----w- C:\Program Files\Pokemon World Online
2009-07-24 03:52:14 . 2008-09-09 23:07:08 272632 ----a-w- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-07-22 18:01:18 . 2009-07-22 18:01:01 0 d-----w- C:\Program Files\iTunes
2009-07-22 18:01:18 . 2009-07-22 18:01:01 0 d-----w- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-22 18:01:05 . 2009-07-22 18:01:05 0 d-----w- C:\Program Files\iPod
2009-07-22 18:01:03 . 2008-08-26 22:44:44 0 d-----w- C:\Program Files\Common Files\Apple
2009-07-22 18:00:32 . 2008-08-26 22:48:31 0 d-----w- C:\Program Files\Bonjour
2009-07-22 18:00:14 . 2009-07-22 17:59:31 0 d-----w- C:\Program Files\QuickTime
2009-07-22 17:57:58 . 2008-08-26 22:44:44 0 d-----w- C:\Documents and Settings\All Users\Application Data\Apple
2009-07-10 16:36:37 . 2008-12-17 20:00:59 0 d-----w- C:\Documents and Settings\Owner\Application Data\vlc
2009-07-09 16:16:16 . 2009-07-22 17:57:51 2060288 ----a-w- C:\WINDOWS\system32\usbaaplrc.dll
2009-07-09 16:16:16 . 2008-08-26 22:45:52 39424 ----a-w- C:\WINDOWS\system32\drivers\usbaapl.sys
2009-07-03 19:48:56 . 2009-07-03 19:48:56 219664 ----a-w- C:\WINDOWS\system32\klogon.dll
2009-07-03 19:45:12 . 2009-07-03 19:45:12 27507 ----a-w- C:\WINDOWS\system32\drivers\klopp.dat
2009-06-15 18:01:00 . 2009-06-15 18:01:00 128016 ----a-w- C:\WINDOWS\system32\drivers\kl1.sys
2009-06-14 15:03:21 . 2009-06-14 15:03:21 25328 ---ha-w- C:\WINDOWS\system32\mlfcache.dat
2009-06-07 22:33:53 . 2008-08-26 03:42:26 99313 ----a-w- C:\WINDOWS\War3Unin.dat
2008-12-18 21:15:54 . 2008-12-18 21:15:54 1012 ----a-w- C:\Program Files\drggwn.txt
.
#4
Posted 03 September 2009 - 07:30 AM
Hi,
Your log is incomplete.
Please repost it and make sure everything is included.
Also, go to this site:
http://www.virustota.../en/indexf.html
At the top you'll find 'Browse'.
Click the Browse button and browse to this file:
C:\WINDOWS\system32\drivers\gfa9804.sys
Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply.
#5
Posted 03 September 2009 - 06:17 PM
That's all that is in the log. I guess I'll scan again and send the new log.
#6
Posted 03 September 2009 - 06:20 PM
Yes, please scan again. Also, please make sure your antivirus is disabled, because it may interfere with ComboFix.
#7
Posted 03 September 2009 - 06:31 PM
ComboFix 09-09-03.02 - Owner 09/03/2009 14:19.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.668 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Installer\31228.msi
c:\windows\system32\_000010_.tmp.dll
.
---- Previous Run -------
.
c:\windows\system32\bJPWayay.ini2
c:\windows\system32\Drivers\joef.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_kbiwkmutavnklv
-------\Legacy_TDSSSERV
-------\Service_kbiwkmutavnklv
-------\Service_tdssserv
((((((((((((((((((((((((( Files Created from 2009-08-03 to 2009-09-03 )))))))))))))))))))))))))))))))
.
2009-09-03 12:28 . 2009-09-03 12:28 -------- d-----w- c:\windows\ServicePackFiles
2009-09-02 22:59 . 2009-03-06 14:44 283648 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-09-02 22:59 . 2009-02-09 10:20 399360 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-09-02 22:59 . 2009-02-09 10:20 473088 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-09-02 22:59 . 2009-02-09 10:20 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-09-02 22:59 . 2009-02-06 17:14 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-09-02 22:59 . 2009-02-06 16:54 35328 -c----w- c:\windows\system32\dllcache\sc.exe
2009-09-02 22:59 . 2009-02-06 16:39 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-09-02 22:59 . 2005-07-26 04:39 60416 -c----w- c:\windows\system32\dllcache\colbact.dll
2009-09-02 22:59 . 2009-02-09 10:20 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-09-02 22:59 . 2009-02-09 10:20 616960 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-09-02 22:51 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2009-09-02 22:49 . 2008-04-21 10:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-09-01 02:16 . 2009-09-01 02:16 -------- d-----w- c:\program files\Trend Micro
2009-08-31 17:48 . 2009-08-31 17:48 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-31 17:48 . 2009-08-31 17:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-31 17:48 . 2009-08-31 17:48 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-08-31 01:48 . 2009-08-31 01:48 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
2009-08-31 01:43 . 2009-08-31 01:43 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-08-31 01:43 . 2009-08-31 01:43 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-08-31 01:42 . 2009-09-03 18:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-08-31 01:42 . 2009-08-31 01:42 -------- d-----w- c:\program files\Kaspersky Lab
2009-08-31 01:38 . 2009-08-31 01:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-08-30 23:53 . 2009-08-31 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-30 21:04 . 2009-08-30 21:04 -------- d-----w- C:\_OTM
2009-08-30 19:42 . 2009-08-31 02:00 45344 ----a-w- c:\windows\system32\drivers\gfa9804.sys
2009-08-13 21:43 . 2009-08-13 21:43 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Cranium
2009-08-12 18:31 . 2008-10-10 08:52 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2009-08-12 18:31 . 2008-10-10 08:52 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2009-08-12 18:31 . 2008-10-10 08:52 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2009-08-12 18:31 . 2007-04-04 22:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2009-08-12 18:31 . 2009-08-12 18:31 -------- d-----w- c:\windows\Logs
2009-08-12 18:31 . 2009-08-24 01:45 -------- d-----w- c:\program files\Heroes of Newerth
2009-08-12 06:20 . 2009-08-15 01:30 -------- d-----w- c:\temp\RipBot264temp
2009-08-12 06:20 . 2009-08-12 06:20 -------- d-----w- C:\Temp
2009-08-11 18:48 . 2009-08-11 18:48 -------- d-----w- c:\program files\Common Files\eSellerate
2009-08-11 04:38 . 2009-08-11 05:28 -------- d-----w- c:\program files\Encoding The juGGaKNot Way
2009-08-11 04:24 . 2009-08-11 04:24 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\www.doom9.net
2009-08-11 04:15 . 2009-08-11 05:21 -------- d-----w- c:\program files\megui
2009-08-09 03:55 . 2009-08-09 03:55 -------- d-----w- C:\clips
2009-08-09 03:41 . 2009-08-09 03:41 -------- d-----w- c:\program files\Haali
2009-08-09 03:39 . 2009-06-20 20:15 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-08-09 03:39 . 2008-09-29 16:31 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-08-09 03:39 . 2009-08-09 03:39 -------- d-----w- c:\program files\ffdshow
2009-08-08 17:17 . 2000-08-23 21:00 33280 ----a-w- c:\windows\system32\HUFFYUV.DLL
2009-08-05 09:11 . 2009-08-05 09:11 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-03 18:10 . 2008-09-05 00:21 -------- d-----w- c:\program files\Steam
2009-09-03 18:09 . 2009-03-20 16:32 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-02 23:04 . 2008-08-26 03:49 -------- d-----w- c:\documents and settings\Owner\Application Data\mIRC
2009-09-02 23:03 . 2008-08-26 03:49 -------- d-----w- c:\program files\mIRC
2009-08-31 21:36 . 2009-03-28 22:09 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2009-08-31 17:48 . 2008-08-26 03:48 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-31 06:09 . 2008-09-10 00:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-30 21:36 . 2008-08-26 05:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-30 04:54 . 2009-01-09 00:15 -------- d-----w- c:\program files\CEVO
2009-08-29 01:11 . 2008-11-11 16:42 -------- d-----w- c:\program files\compLexity Demo Player
2009-08-11 04:38 . 2009-06-16 18:47 -------- d-----w- c:\program files\AviSynth 2.5
2009-08-08 23:47 . 2008-08-26 07:30 30800 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 18:38 . 2008-09-14 18:09 2502 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-08-05 09:11 . 2005-03-23 16:52 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 17:36 . 2008-08-26 05:15 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2008-08-26 05:15 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-01 02:35 . 2008-08-26 07:38 -------- d-----w- c:\program files\Warcraft III
2009-08-01 02:07 . 2009-01-20 01:03 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-08-01 02:07 . 2009-01-20 01:03 22328 ----a-w- c:\documents and settings\Owner\Application Data\PnkBstrK.sys
2009-08-01 02:07 . 2009-01-20 01:02 107832 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-08-01 02:07 . 2009-01-20 01:02 2246144 ----a-w- c:\windows\system32\pbsvc.exe
2009-08-01 02:00 . 2009-01-20 01:02 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-08-01 01:59 . 2009-08-01 01:59 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-08-01 01:58 . 2009-08-01 01:58 -------- d-----w- c:\program files\MSECACHE
2009-07-31 21:41 . 2008-12-06 20:48 -------- d-----w- c:\program files\Garena
2009-07-30 19:08 . 2009-07-29 00:33 -------- d-----w- c:\program files\Pokemon World Online
2009-07-29 04:53 . 2005-03-23 16:52 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:53 . 2005-03-23 16:52 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-07-22 18:01 . 2009-07-22 18:01 -------- d-----w- c:\program files\iTunes
2009-07-22 18:01 . 2009-07-22 18:01 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-22 18:01 . 2009-07-22 18:01 -------- d-----w- c:\program files\iPod
2009-07-22 18:01 . 2008-08-26 22:44 -------- d-----w- c:\program files\Common Files\Apple
2009-07-22 18:00 . 2008-08-26 22:48 -------- d-----w- c:\program files\Bonjour
2009-07-22 18:00 . 2009-07-22 17:59 -------- d-----w- c:\program files\QuickTime
2009-07-22 17:57 . 2008-08-26 22:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-17 18:55 . 2005-03-23 16:52 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2005-03-23 16:53 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-10 16:36 . 2008-12-17 20:00 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2009-07-09 16:16 . 2009-07-22 17:57 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-07-09 16:16 . 2008-08-26 22:45 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-07-03 19:48 . 2009-07-03 19:48 219664 ----a-w- c:\windows\system32\klogon.dll
2009-07-03 19:45 . 2009-07-03 19:45 27507 ----a-w- c:\windows\system32\drivers\klopp.dat
2009-06-26 16:18 . 2005-03-23 16:53 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2005-03-23 16:52 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-15 18:01 . 2009-06-15 18:01 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2009-06-14 15:03 . 2009-06-14 15:03 25328 ---ha-w- c:\windows\system32\mlfcache.dat
2009-06-12 11:50 . 2005-03-23 16:52 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2005-03-23 16:52 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2005-03-23 16:53 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-07 22:33 . 2008-08-26 03:42 99313 ----a-w- c:\windows\War3Unin.dat
2008-12-18 21:15 . 2008-12-18 21:15 1012 ----a-w- c:\program files\drggwn.txt
.
------- Sigcheck -------
[-] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\winlogon.exe
[-] 2008-08-26 05:01 502272 9B1BD82BD0761B5BA986AF66D2809C30 c:\windows\system32\winlogon.exe
[-] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\termsrv.dll
[-] 2008-08-26 05:01 295424 40FFC19A8D4875E9E19CECDC76EF9201 c:\windows\system32\termsrv.dll
c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-8087-36EE87E26986}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2009-06-10 1217784]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave"=DrvTrNTm.dll
"mixer"=DrvTrNTm.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [12/15/2008 8:41 PM 33808]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/13/2009 5:46 PM 31760]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [5/16/2009 8:59 PM 19472]
R3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [8/26/2008 2:49 AM 31872]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [12/15/2008 5:22 PM 127496]
S0 gfa9804;gfa9804;\SystemRoot\\SystemRoot\System32\drivers\gfa9804.sys --> \SystemRoot\\SystemRoot\System32\drivers\gfa9804.sys [?]
S1 fca013aa.sys;fca013aa.sys;\??\c:\windows\System32\drivers\fca013aa.sys --> c:\windows\System32\drivers\fca013aa.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
.
Contents of the 'Scheduled Tasks' folder
2009-08-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.garena.com/portal/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\oaqaxjcb.default\
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-03 14:25
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(880)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-09-03 14:29
ComboFix-quarantined-files.txt 2009-09-03 18:27
Pre-Run: 99,066,687,488 bytes free
Post-Run: 99,091,136,512 bytes free
Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
224 --- E O F --- 2009-09-02 22:49
Thank you for your help
#8
Posted 03 September 2009 - 06:37 PM
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.09.03 -
AhnLab-V3 5.0.0.2 2009.09.03 -
AntiVir 7.9.1.8 2009.09.03 -
Antiy-AVL 2.0.3.7 2009.09.03 -
Authentium 5.1.2.4 2009.09.03 -
Avast 4.8.1335.0 2009.09.03 -
AVG 8.5.0.409 2009.09.03 -
BitDefender 7.2 2009.09.03 -
CAT-QuickHeal 10.00 2009.09.02 -
ClamAV 0.94.1 2009.09.03 -
Comodo 2196 2009.09.03 -
DrWeb 5.0.0.12182 2009.09.03 -
eSafe 7.0.17.0 2009.09.03 -
eTrust-Vet 31.6.6718 2009.09.03 -
F-Prot 4.5.1.85 2009.09.03 -
F-Secure 8.0.14470.0 2009.09.03 -
Fortinet 3.120.0.0 2009.09.03 -
GData 19 2009.09.03 -
Ikarus T3.1.1.72.0 2009.09.03 -
Jiangmin 11.0.800 2009.09.03 -
K7AntiVirus 7.10.835 2009.09.03 -
Kaspersky 7.0.0.125 2009.09.03 -
McAfee 5730 2009.09.03 -
McAfee+Artemis 5730 2009.09.03 -
McAfee-GW-Edition 6.8.5 2009.09.03 -
Microsoft 1.5005 2009.09.03 -
NOD32 4392 2009.09.03 -
Norman 6.01.09 2009.09.03 -
nProtect 2009.1.8.0 2009.09.03 -
Panda 10.0.2.2 2009.09.03 -
PCTools 4.4.2.0 2009.09.03 -
Prevx 3.0 2009.09.03 -
Rising 21.45.14.00 2009.09.01 -
Sophos 4.45.0 2009.09.03 -
Sunbelt 3.2.1858.2 2009.09.02 -
Symantec 1.4.4.12 2009.09.03 -
TheHacker 6.3.4.3.396 2009.09.03 -
TrendMicro 8.950.0.1094 2009.09.03 -
VBA32 3.12.10.10 2009.09.03 -
ViRobot 2009.9.3.1916 2009.09.03 -
VirusBuster 4.6.5.0 2009.09.03 -
Additional information
File size: 45344 bytes
MD5...: 475155fe1d926882914b9ca1c8cba3c9
SHA1..: e6ea36040e39d0cda82607d2b1cfc5021f65f17d
SHA256: 74b02151a98902d35faedf384562842ca405d227fed2eeaf38311e4488449a19
ssdeep: 768:aoExso+5BV/FzTsvHsXLLFJ4dJQPtaA21gs5kJMcEqmRp24CesjHQtEc7NzwkIin:aa5vJAvlAPopOsTcEq41f7NzolI3Ep0
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Unknown!
for virus online! thanks
#9
Posted 03 September 2009 - 06:38 PM
File gfa9804.sys received on 2009.09.03 18:32:28 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/41 (0%)
#10
Posted 03 September 2009 - 06:52 PM
Hi,
This doesn't look good here since some system files appear to be patched and another one is missing.
The best/easiest way to deal with this is to update to Service Pack 3 (because you need to update anyway).
This will replace the infected files with a clean copy and replace the missing file as well.
But before you update, I suggest backing up important files you don't want to lose anyway. This is because malware causes unstable systems.
Also, go to this page.
Enter the URL of this thread in the first field.
Where it says "browse to the file that you want to submit", click the browse button next to it and browse to the next file:
C:\Windows\System32\drivers\gfa9804.sys
Select it and click OK.
Then click the Send File button below.
Let me know in your next reply once you have uploaded the file.
#11
Posted 03 September 2009 - 07:06 PM
Your file was successfully submitted. Please let the user helping you know that you have submitted the file.
#12
Posted 03 September 2009 - 07:24 PM
Hi,
The file can be deleted (it looks like a file dropped by malware). You shouldn't have any problems deleting it, because I don't see how it is loaded since it's not even an MZ file.
Please delete C:\Windows\System32\drivers\gfa9804.sys
Also delete c:\windows\System32\drivers\fca013aa.sys if still present.
Then, go to Start > Run and copy and paste the next commands in the field:
sc delete gfa9804
Hit Enter.
sc delete fca013aa.sys
Hit Enter.
Then, update your Windows to Service Pack 3.
Once Service Pack 3 is installed, reboot at least 2 times.
Then after the update and reboots, rescan with ComboFix again and post the log in your next reply.
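As an added triage example (not part of the thread, and not the helper's own tool), the Python script below automates the three checks behind the advice in posts #10 and #12: it parses the ComboFix Sigcheck block for a system binary whose two copies carry different MD5s (here winlogon.exe and termsrv.dll, where the system32 copy differs from the Windows Update cache copy), picks up the "is missing" line and the service entries whose image ComboFix could not verify (the trailing `[?]`), and tests whether a file registered as a driver even has an MZ/PE header. The log excerpt is copied from the ComboFix output posted above; the two byte strings are constructed stand-ins, not the contents of the real gfa9804.sys.

```python
# Added example: triage helpers for the ComboFix output above (not the helper's
# tool and not part of the thread). Python 3, standard library only.
import re
import struct
from collections import defaultdict

# Excerpt copied from the posted ComboFix log (raw string, so the backslashes
# are exactly as printed, including the doubled \SystemRoot\\SystemRoot path).
COMBOFIX_EXCERPT = r"""
------- Sigcheck -------
[-] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\winlogon.exe
[-] 2008-08-26 05:01 502272 9B1BD82BD0761B5BA986AF66D2809C30 c:\windows\system32\winlogon.exe
[-] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\termsrv.dll
[-] 2008-08-26 05:01 295424 40FFC19A8D4875E9E19CECDC76EF9201 c:\windows\system32\termsrv.dll
c:\windows\system32\drivers\beep.sys ... is missing !!
.
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [12/15/2008 8:41 PM 33808]
S0 gfa9804;gfa9804;\SystemRoot\\SystemRoot\System32\drivers\gfa9804.sys --> \SystemRoot\\SystemRoot\System32\drivers\gfa9804.sys [?]
S1 fca013aa.sys;fca013aa.sys;\??\c:\windows\System32\drivers\fca013aa.sys --> c:\windows\System32\drivers\fca013aa.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
"""

# "[-]" marks a file whose signature ComboFix could not verify; the line carries
# date, time, size, MD5 and path.
SIGCHECK_RE = re.compile(r"^\[-\]\s+\S+\s+\S+\s+(\d+)\s+([0-9A-Fa-f]{32})\s+(.+?)\s*$")
MISSING_RE = re.compile(r"^(.+?) \.\.\. is missing !!\s*$")
# Driver/service lines: start type (R0..R3 running, S0..S4 stopped), name, display name, image.
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.+)$")


def triage(log_text):
    """Return the findings a responder would pull out of this log section."""
    by_basename = defaultdict(list)   # winlogon.exe -> [(path, md5), ...]
    missing, unverified = [], []
    for line in log_text.splitlines():
        m = SIGCHECK_RE.match(line)
        if m:
            _size, md5, path = m.groups()
            by_basename[path.rsplit("\\", 1)[-1].lower()].append((path, md5.upper()))
            continue
        m = MISSING_RE.match(line)
        if m:
            missing.append(m.group(1))
            continue
        m = SERVICE_RE.match(line)
        # A trailing "[?]" means ComboFix could not stat the image file at all.
        if m and line.rstrip().endswith("[?]"):
            unverified.append(m.group(1))
    # The same binary present in two places with two different MD5s: one copy
    # (here the system32 one) has been modified relative to the update-cache copy.
    mismatched = {name: entries for name, entries in by_basename.items()
                  if len({md5 for _, md5 in entries}) > 1}
    return {"hash_mismatch": mismatched, "missing": missing, "unverified_services": unverified}


def is_pe_image(data):
    """True only if data has an MZ DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def _constructed_pe_header():
    """Constructed minimal MZ+PE header, the shape a real driver file must have."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


FAKE_DRIVER_OK = _constructed_pe_header()
# Constructed stand-in for a file registered as a driver that carries no PE
# header; same size as the posted gfa9804.sys, but not its real contents.
FAKE_DRIVER_JUNK = b"\x00" * 45344


if __name__ == "__main__":
    result = triage(COMBOFIX_EXCERPT)
    for name, entries in result["hash_mismatch"].items():
        print("hash mismatch:", name)
        for path, md5 in entries:
            print("   ", md5, path)
    print("missing:", result["missing"])
    print("unverified services:", result["unverified_services"])
    print("constructed header is PE:", is_pe_image(FAKE_DRIVER_OK))
    print("constructed junk is PE:  ", is_pe_image(FAKE_DRIVER_JUNK))
```

Point `triage()` at a full ComboFix log and it flags the same three things the helper read off by hand; `is_pe_image()` is the "not even an MZ file" check, applied to the bytes of the file you are about to delete rather than to its name or size.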
#13
Posted 03 September 2009 - 07:54 PM
How can I update to Service Pack 3? I don't feel like reformatting.
#14
Posted 03 September 2009 - 08:02 PM
Anyway, thank you for the help. I'm scanning again with Malwarebytes, seeing if anything comes up.
#15
Posted 03 September 2009 - 08:02 PM
Please see here for the different ways (via Windows Update and manually):
http://support.microsoft.com/kb/322389
#16
Posted 08 September 2009 - 11:37 AM
Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.