Full Version: "Userinit" Trojan
Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs
peppermint
My Google search results are hijacked and I'm sent to www.findend.com telling me I searched for "%28null%29", and most of my programs are damaged and won't open completely, including iTunes and Photoshop.

I've run Malwarebytes and SUPERAntiSpyware repeatedly this week to remove multiple trojans, including one that captures the userinit.exe in the Windows\system32 folder, but they keep returning even though I've taken the machine offline.

I'm sick of this and want them off. What to do?

Here is the HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:25:57 PM, on 9/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\COMMON~1\AOL\123309~1\EE\AOLHOS~1.EXE
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\PROGRA~1\COMMON~1\AOL\123309~1\EE\AOLServiceHost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\verclsid.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\verclsid.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...TB&M=MX6441
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1233092913\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [B22327DAE92BEBA3] C:\WINDOWS\system32\B22327DAE92BEBA3.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [McAfee Update] C:\DOCUME~1\OWNER~1.SUN\LOCALS~1\Temp\mcupdate_1245187554.exe /insfin C:\DOCUME~1\OWNER~1.SUN\LOCALS~1\Temp\mcupdate_1245187554.ini /syncfin
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c986733a703344) (gupdate1c986733a703344) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6184 bytes
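The log above is what a helper reads by eye: the ProxyServer entry pointing at localhost:7171 (a local proxy can rewrite pages and search results in transit, which matches the hijacked Google results), plus Run entries for executables with random-looking names such as 9129837.exe and B22327DAE92BEBA3.exe. The script below is an added example, not part of this thread or of HijackThis; it runs a few rule-of-thumb checks over sample lines copied from the log posted above. The heuristics (hex or numeric file names, autoruns from a Temp directory, a proxy on the local machine) are my own assumptions about what deserves a second look, not a verdict on any file.

```python
import re

# Sample lines copied from the HijackThis log posted above (constructed input for this example).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [B22327DAE92BEBA3] C:\WINDOWS\system32\B22327DAE92BEBA3.exe
O4 - HKCU\..\Run: [McAfee Update] C:\DOCUME~1\OWNER~1.SUN\LOCALS~1\Temp\mcupdate_1245187554.exe /insfin C:\DOCUME~1\OWNER~1.SUN\LOCALS~1\Temp\mcupdate_1245187554.ini /syncfin
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First drive-letter path ending in an executable extension, quoted or not.
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|scr|com))\b', re.IGNORECASE)
HEX_NAME = re.compile(r"^[0-9A-Fa-f]{8,}$")   # e.g. B22327DAE92BEBA3
NUM_NAME = re.compile(r"^\d{5,}$")            # e.g. 9129837
LOCAL_PROXY = re.compile(r"localhost|127\.0\.0\.1", re.IGNORECASE)


def executable_from(cmd):
    """Return the executable path in a Run command line, or None if there is none."""
    m = PATH_RE.search(cmd)
    return m.group("path") if m else None


def suspicious_name_reasons(path):
    """Heuristic reasons (assumptions of this example) why an autorun path deserves review."""
    reasons = []
    filename = path.rsplit("\\", 1)[-1]
    stem = filename.rsplit(".", 1)[0]
    if NUM_NAME.match(stem):
        reasons.append("executable name is a bare number")
    elif HEX_NAME.match(stem):
        reasons.append("executable name is a random-looking hexadecimal string")
    if "\\temp\\" in path.lower():
        reasons.append("autorun executable lives in a Temp directory")
    return reasons


def triage(log_text):
    """Walk HijackThis lines and return findings as dicts (line, level, item, reason)."""
    findings = []
    for lineno, line in enumerate(log_text.strip().splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        # R0/R1: Internet Explorer and WinINet settings. A proxy on the local
        # machine means something on this host sits between the browser and the web.
        if line.startswith(("R0 - ", "R1 - ")) and "ProxyServer" in line:
            value = line.split("=", 1)[1].strip()
            if LOCAL_PROXY.search(value):
                findings.append(dict(line=lineno, level="warn", item=line.split(" - ", 1)[0],
                                     reason=f"browser proxy points at the local machine ({value})"))
            continue
        # O4: registry Run keys and startup folders.
        m = RUN_RE.match(line)
        if m:
            exe = executable_from(m.group("cmd"))
            for reason in (suspicious_name_reasons(exe) if exe else []):
                findings.append(dict(line=lineno, level="warn", item=m.group("name"), reason=reason))
            continue
        # O20: DLLs that winlogon.exe loads at logon; legitimate for some security
        # products, so only ask for the vendor to be confirmed rather than warn.
        if line.startswith("O20 - Winlogon Notify:"):
            findings.append(dict(line=lineno, level="info", item=line.split(":", 1)[1].strip(),
                                 reason="DLL registered to load inside winlogon.exe; confirm the vendor"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f['line']:>2} [{f['level']}] {f['item']}: {f['reason']}")
```

Run against the sample, it warns on the R1 proxy entry, the B22327DAE92BEBA3 and ttool Run values, and the McAfee updater running from Temp (that last one is a legitimate product here, which is exactly why these rules produce review items, not removals), and leaves ehTray alone. Helpers on a forum like this one still confirm each flagged file, for instance by submitting it to VirusTotal as done later in this thread.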




screen317
Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.



-screen317
peppermint
QUOTE (screen317 @ Sep 9 2009, 10:10 PM)
Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.



-screen317



Thank you. Things are already looking much better.

ComboFix log:

ComboFix 09-09-11.01 - Owner 09/11/2009 18:58.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.127 [GMT -10:00]
Running from: c:\documents and settings\Owner.Sunrise\Desktop\Download Folder\ComboFix.exe
AV: avast! antivirus 4.8.1351 [VPS 090817-0] *On-access scanning enabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\documents and settings\NetworkService\Application Data\twain_32
c:\documents and settings\NetworkService\Application Data\twain_32\user.ds
c:\documents and settings\Owner.Sunrise\Application Data\Microsoft\SystemBackup\browserui.dll
c:\documents and settings\Owner.Sunrise\Application Data\QUAD Backups
c:\documents and settings\Owner.Sunrise\Application Data\wiaserva.log
c:\documents and settings\Owner.Sunrise\My Documents\QUAD Registry Cleaner.lnk
c:\documents and settings\Owner.Sunrise\My Documents\Start Menu\Programs\QUAD Utilities
c:\documents and settings\Owner.Sunrise\My Documents\Start Menu\Programs\QUAD Utilities\QUAD Registry Cleaner\QUAD Registry Cleaner website.lnk
c:\documents and settings\Owner.Sunrise\My Documents\Start Menu\Programs\QUAD Utilities\QUAD Registry Cleaner\QUAD Registry Cleaner.lnk
c:\documents and settings\Owner.Sunrise\My Documents\Start Menu\Programs\QUAD Utilities\QUAD Registry Cleaner\Uninstall QUAD Registry Cleaner.lnk
c:\documents and settings\Owner.Sunrise\nah_eeuk.exe
c:\program files\Mozilla Firefox\chrome\amba.jar
c:\program files\QUAD Utilities
c:\program files\QUAD Utilities\QUAD Registry Cleaner\program.log
c:\program files\QUAD Utilities\QUAD Registry Cleaner\QUAD Registry Cleaner website.url
c:\program files\QUAD Utilities\QUAD Registry Cleaner\QUAD Registry Cleaner.exe
c:\program files\QUAD Utilities\QUAD Registry Cleaner\QUAD Scheduler.exe
c:\program files\QUAD Utilities\QUAD Registry Cleaner\Styles\Vista.cjstyles
c:\program files\QUAD Utilities\QUAD Registry Cleaner\uninst.exe
c:\program files\QUAD Utilities\QUAD Registry Cleaner\Vista Scheduler.dll
c:\recycler\S-1-5-21-3728475750-3151102117-1621348181-500
c:\windows\kb913800.exe
c:\windows\sonce122730.dat
c:\windows\sonce123198.dat
c:\windows\system32\a9k.bin
c:\windows\system32\fdclient.dll
c:\windows\system32\iosocket.dll
c:\windows\system32\sysloc
c:\windows\system32\UACmibwwkpfirnoouw.dat
c:\windows\system32\UACngipjwpmfqpxuvd.log
c:\windows\system32\wbem\grpconv.exe
c:\windows\system32\winuid.dll
c:\windows\system32\xdpod32.dll
c:\windows\zaponce53173.dat
c:\windows\zaponce53213.dat
c:\windows\zaponce53290.dat
D:\Autorun.inf
D:\install.exe

c:\windows\system32\grpconv.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\grpconv.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NEW_DRV


((((((((((((((((((((((((( Files Created from 2009-08-12 to 2009-09-12 )))))))))))))))))))))))))))))))
.

2009-09-12 05:11 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-09-12 05:11 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-12 05:11 . 2008-04-14 00:12 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2009-09-12 05:11 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-09-12 00:22 . 2009-08-17 16:04 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-09-12 00:22 . 2009-08-17 16:04 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-09-12 00:22 . 2009-08-17 16:03 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-09-12 00:22 . 2009-08-17 16:02 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-09-12 00:22 . 2009-08-17 16:06 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-09-12 00:22 . 2009-08-17 16:05 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-09-12 00:22 . 2009-08-17 16:05 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-09-12 00:22 . 2009-08-17 16:06 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-09-12 00:21 . 2009-08-17 16:10 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-09-12 00:21 . 2009-09-12 00:21 -------- d-----w- c:\program files\Alwil Software
2009-09-11 23:25 . 2009-09-11 23:25 4707 ----a-w- c:\windows\system32\z98a.bin
2009-09-10 01:20 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 05:22 . 2008-04-17 23:12 15464 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-09-08 05:22 . 2008-04-17 23:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-09-08 05:21 . 2009-09-08 05:21 -------- d-----w- c:\program files\iPod
2009-09-08 05:21 . 2009-09-08 05:22 -------- d-----w- c:\program files\iTunes
2009-09-08 05:21 . 2009-09-08 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-09-04 01:54 . 2009-09-04 01:54 -------- d-----w- c:\program files\FileASSASSIN
2009-09-03 05:19 . 2009-09-12 04:58 30720 ----a-w- c:\windows\system32\B22327DAE92BEBA3.exe
2009-08-31 17:10 . 2009-08-31 17:10 43008 ----a-w- c:\windows\system32\smyrp.dll
2009-08-22 00:01 . 2009-08-22 00:01 37376 ----a-w- c:\windows\system32\klif32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-12 05:16 . 2009-02-04 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-11 18:17 . 2009-01-27 19:49 26112 ----a-w- c:\windows\system32\userinit.exe
2009-09-08 05:21 . 2009-01-28 03:12 -------- d-----w- c:\program files\Common Files\Apple
2009-08-05 09:01 . 2009-01-27 19:47 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 03:17 . 2009-08-03 01:25 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{2ED18044-7049-4E7A-A58D-4017348FCDB7}
2009-08-03 01:24 . 2009-08-03 01:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Native Instruments
2009-08-03 01:24 . 2009-07-31 17:54 -------- d-----w- c:\program files\Native Instruments
2009-07-31 18:01 . 2009-07-31 18:01 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{A215474F-E448-48A8-97F1-14D1C09A4235}
2009-07-31 17:55 . 2009-07-31 17:55 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{C59C4281-5384-43B2-9E48-2FA6F8967AB1}
2009-07-31 17:55 . 2009-07-31 17:55 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{902029B2-957E-4066-85FA-30DA31731718}
2009-07-31 17:54 . 2009-07-31 17:54 -------- d-----w- c:\program files\Common Files\Native Instruments
2009-07-17 19:01 . 2009-01-27 19:41 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 20:08 . 2009-01-27 19:50 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 03:07 . 2009-07-11 23:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-03 17:09 . 2009-01-27 19:49 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 22:13 . 2009-06-25 22:13 17408 ----a-w- c:\windows\system32\perfc5932.dat
2009-06-25 22:13 . 2009-06-25 22:13 1 ----a-w- c:\windows\system32\perfc7683.dat
2009-06-25 08:25 . 2009-01-27 19:49 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2009-01-27 19:48 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2009-01-27 19:48 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2009-01-27 19:47 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2009-01-27 19:46 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2009-01-27 19:44 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2009-01-27 19:44 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-19 01:37 . 2005-11-23 09:38 36624 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-16 14:36 . 2009-01-27 19:49 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2009-01-27 19:43 81920 ----a-w- c:\windows\system32\fontsub.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"HostManager"="c:\program files\Common Files\AOL\1233092913\EE\AOLHostManager.exe" [2004-11-03 125528]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-29 344064]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-06 413696]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-13 1121792]
"B22327DAE92BEBA3"="c:\windows\system32\B22327DAE92BEBA3.exe" [2009-09-12 30720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-1-30 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 22:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dbbin.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\1233092913\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\3aLab\\iRadio\\iRadio.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iCall\\iCall.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"%windir%\\system32\\lsass.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/11/2009 2:22 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/11/2009 2:22 PM 20560]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [1/27/2009 10:17 AM 200576]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S1 dbbin;SQL-T Database Driver;c:\windows\system32\dbbin.sys --> c:\windows\system32\dbbin.sys [?]
S2 gupdate1c986733a703344;Google Update Service (gupdate1c986733a703344);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2009 4:49 PM 133104]
S3 EchoIndigoDJ;Echo Indigo dj Service;c:\windows\system32\drivers\echondgo.sys [8/25/2003 10:33 AM 124160]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [1/27/2009 10:13 AM 69692]
S3 HDJCtrl;Hercules DJ Control MP3 Service;c:\windows\system32\drivers\HDJCTRL.sys [1/29/2009 7:34 PM 11008]
S3 HDJMidi;Hercules DJ Console MIDI;c:\windows\system32\drivers\hdjmidi.sys [1/29/2009 7:34 PM 39424]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/3/2009 7:45 PM 40160]
S3 UKS11LDR;M-Audio USB Keystation Loader;c:\windows\system32\drivers\uks11ldr.sys [2/3/2009 7:50 PM 13504]
S3 USBKT1X1;M-Audio USB Keystation;c:\windows\system32\drivers\usbkt1x1.sys [2/3/2009 7:50 PM 22304]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:34]

2009-09-12 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-04 04:16]

2009-09-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 02:49]

2009-09-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 02:49]

2009-09-12 c:\windows\Tasks\User_Feed_Synchronization-{6B735695-8054-425A-91F6-F2A39FB0C4CE}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 14:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6441
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner.Sunrise\Application Data\Mozilla\Firefox\Profiles\8runbjqn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Mozilla Firefox\extensions\info@google.com\components\FFLocal.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

Notify-dbbin - dbbin.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-11 19:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\_av_proI.tm~a02072\onefile.dld 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2568)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\wdfmgr.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\WLTRAY.EXE
c:\windows\system32\wscntfy.exe
c:\progra~1\COMMON~1\AOL\123309~1\EE\AOLServiceHost.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-12 19:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-12 05:23

Pre-Run: 6,975,586,304 bytes free
Post-Run: 6,982,553,600 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

287 --- E O F --- 2009-09-10 07:29






HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:37:06 PM, on 9/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\COMMON~1\AOL\123309~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\123309~1\EE\AOLServiceHost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...TB&M=MX6441
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1233092913\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [B22327DAE92BEBA3] C:\WINDOWS\system32\B22327DAE92BEBA3.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c986733a703344) (gupdate1c986733a703344) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6350 bytes



What's next?
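A defender-side way to triage a HijackThis log like the one above, added here as an example; it is not HijackThis's own code and not something posted in this thread. It assumes the O4, O20 and O23 line formats shown in the log. The embedded excerpt is constructed: real entries from this post plus the HKLM Run entry that ComboFix later lists under "ORPHANS REMOVED". Because the thread is about a userinit trojan, it also includes a checker for the Winlogon `Userinit` registry value, whose XP default is `<SystemRoot>\system32\userinit.exe,` (trailing comma included); the `check_userinit` function and its sample inputs are mine, not from the page.

```python
"""Triage a HijackThis 2.x log: parse O4/O20/O23 entries and list the ones
a malware-removal helper checks first (added example, not HijackThis code)."""
import re
from collections import namedtuple

# Constructed excerpt in the format of the log posted above: real lines
# from the thread plus the HKLM Run entry ComboFix later reports as an orphan.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKLM\..\Run: [B22327DAE92BEBA3] C:\WINDOWS\system32\B22327DAE92BEBA3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
"""

Entry = namedtuple("Entry", "section name context target raw")

RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.*)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<target>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<target>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<target>.*)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")   # strips the "(User 'SYSTEM')" trailer
HEX_NAME_RE = re.compile(r"^[0-9A-Fa-f]{12,}$")          # machine-generated looking file names


def parse_hjt(text):
    """Return Entry objects for the O4, O20 and O23 lines of a HijackThis log."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        if m := RUN_RE.match(raw):
            target = USER_SUFFIX_RE.sub("", m["target"])
            entries.append(Entry("O4", m["name"], m["hive"], target, raw))
        elif m := STARTUP_RE.match(raw):
            entries.append(Entry("O4", m["name"], "Global Startup", m["target"], raw))
        elif m := NOTIFY_RE.match(raw):
            entries.append(Entry("O20", m["name"], "winlogon.exe", m["target"], raw))
        elif m := SERVICE_RE.match(raw):
            entries.append(Entry("O23", m["name"], m["owner"], m["target"], raw))
    return entries


def file_stem(path):
    """'C:\\dir\\NAME.exe' -> 'NAME'."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def triage(text):
    """Heuristic review list of (reason, entry). A hit means 'verify this file',
    not 'malicious': both Unknown-owner services in the sample are legitimate."""
    findings = []
    for e in parse_hjt(text):
        if e.section == "O4" and e.target == "NA":
            findings.append(("autorun whose target is missing", e))
        if "\\system32\\" in e.target.lower() and HEX_NAME_RE.match(file_stem(e.target)):
            findings.append(("hex-named executable in system32", e))
        if e.section == "O20":
            findings.append(("Notify DLL loaded into winlogon.exe; confirm vendor", e))
        if e.section == "O23" and e.context == "Unknown owner":
            findings.append(("service with no vendor string; confirm file", e))
    return findings


def check_userinit(value, system_root="C:\\WINDOWS"):
    """Entries in a Winlogon 'Userinit' value other than the XP default
    '<SystemRoot>\\system32\\userinit.exe,'. Every extra comma-separated
    path is started at each logon, so anything returned needs explaining;
    an empty list means the value is clean."""
    expected = (system_root + "\\system32\\userinit.exe").lower()
    entries = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in entries if p.lower() != expected]


if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"{entry.section} {entry.name!r}: {reason}")
    # Second input is constructed to show what a hijacked value looks like.
    print(check_userinit("C:\\WINDOWS\\system32\\userinit.exe,"))
    print(check_userinit("C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\B22327DAE92BEBA3.exe"))
```

Each rule is deliberately loose: the point of this pass is to shorten the list a human reads, and the entries it keeps (a missing target, a DLL that winlogon loads, a random-looking name in system32) are exactly the ones a helper checks by file hash and vendor before deciding anything.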

screen317
Hi,

Before we continue, please go to VirusTotal, and upload the following file for analysis:
C:\WINDOWS\system32\B22327DAE92BEBA3.exe


Post the results in your reply.
peppermint
QUOTE (screen317 @ Sep 11 2009, 09:21 PM) *

Virus total scan results here:


Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.09.13 Trojan-Dropper.Win32.Wlord!IK
AhnLab-V3 5.0.0.2 2009.09.12 -
AntiVir 7.9.1.14 2009.09.11 DR/Delphi.Gen
Antiy-AVL 2.0.3.7 2009.09.11 -
Authentium 5.1.2.4 2009.09.12 -
Avast 4.8.1351.0 2009.09.12 -
AVG 8.5.0.412 2009.09.12 -
BitDefender 7.2 2009.09.13 -
CAT-QuickHeal 10.00 2009.09.12 Win32.Backdoor.Phdet.gen!A.8
ClamAV 0.94.1 2009.09.13 -
Comodo 2300 2009.09.13 -
DrWeb 5.0.0.12182 2009.09.12 -
eSafe 7.0.17.0 2009.09.10 -
eTrust-Vet 31.6.6733 2009.09.11 -
F-Prot 4.5.1.85 2009.09.12 -
F-Secure 8.0.14470.0 2009.09.13 -
Fortinet 3.120.0.0 2009.09.12 -
GData 19 2009.09.13 -
Ikarus T3.1.1.72.0 2009.09.13 Trojan-Dropper.Win32.Wlord
Jiangmin 11.0.800 2009.09.12 -
K7AntiVirus 7.10.843 2009.09.12 -
Kaspersky 7.0.0.125 2009.09.13 -
McAfee 5739 2009.09.12 -
McAfee+Artemis 5739 2009.09.12 -
McAfee-GW-Edition 6.8.5 2009.09.13 Trojan.Dropper.Delphi.Gen
Microsoft 1.5005 2009.09.12 VirTool:Win32/Injector.gen!P
NOD32 4420 2009.09.13 -
Norman 6.01.09 2009.09.11 -
nProtect 2009.1.8.0 2009.09.12 -
Panda 10.0.2.2 2009.09.13 Suspicious file
PCTools 4.4.2.0 2009.09.11 -
Prevx 3.0 2009.09.13 -
Rising 21.46.60.00 2009.09.13 -
Sophos 4.45.0 2009.09.13 -
Sunbelt 3.2.1858.2 2009.09.12 -
Symantec 1.4.4.12 2009.09.13 -
TheHacker 6.3.4.4.402 2009.09.12 -
TrendMicro 8.950.0.1094 2009.09.12 -
VBA32 3.12.10.10 2009.09.11 -
ViRobot 2009.9.12.1932 2009.09.12 -
VirusBuster 4.6.5.0 2009.09.12 -
Additional information
File size: 30720 bytes
MD5...: 0e5e7bd282057662db900876ac55551a
SHA1..: 879cc49ffbb8625c0b33446bd7742f9d0aae6ead
SHA256: 672fdc98ebfc4f2464f1c47d6237483e48d16a81822c6762023eb9f1415975a8
ssdeep: 768:crjNb53pP75VEovD6Yotr1OPR5bPdRPZC4u:c3h53xMr4Pdt
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x226c
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x14e4 0x1600 6.28 4f7a93a088747443d8256db45db5090b
DATA 0x3000 0x5494 0x5600 7.96 a6d99fafb17ffed90365f075c5f7720b
BSS 0x9000 0x379 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0xa000 0x1fe 0x200 4.03 1bbc469941dbd3e6e832d32abaf94d84
.tls 0xb000 0x4 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0xc000 0x18 0x200 0.20 3513355d908e1e90946c81cd71f650b6
.reloc 0xd000 0x1f0 0x200 5.97 468b825aa188278a89c4259d41234450
.rsrc 0xe000 0x200 0x200 1.80 7d76d9cdf9928586012cd85e0d43193d

( 4 imports )
> kernel32.dll: GetCurrentThreadId, ExitProcess, RtlUnwind, RaiseException, GetCommandLineA, TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA, FreeLibrary, HeapFree, HeapReAlloc, HeapAlloc, GetProcessHeap
> kernel32.dll: LoadLibraryA, GetProcAddress
> gdi32.dll: SetBkColor
> user32.dll: GetDC

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.1%)
Win16/32 Executable Delphi generic (9.3%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)



How are we doing?
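The VirusTotal report above is plain text with one line per engine, which makes it easy to summarize. Below is an added example (not VirusTotal's code and not posted in this thread) that parses that layout and pulls out the numbers a helper looks at: how many engines flagged the file, which labels they used, and whether the PE timestamp is the fixed value Delphi's linker writes into every binary (0x2A425E19, 19 June 1992), in which case the date says nothing about when the sample was built. The embedded report is a constructed excerpt: ten of the 41 engine lines from the post plus its file-identification fields.

```python
"""Summarize a VirusTotal text report of the kind pasted above
(added example; not VirusTotal's code or the forum's)."""
import re

# Constructed excerpt: ten of the 41 engine lines from the report above,
# plus the file-identification fields, in the same layout.
SAMPLE_REPORT = """\
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.09.13 Trojan-Dropper.Win32.Wlord!IK
AhnLab-V3 5.0.0.2 2009.09.12 -
AntiVir 7.9.1.14 2009.09.11 DR/Delphi.Gen
Avast 4.8.1351.0 2009.09.12 -
BitDefender 7.2 2009.09.13 -
CAT-QuickHeal 10.00 2009.09.12 Win32.Backdoor.Phdet.gen!A.8
Kaspersky 7.0.0.125 2009.09.13 -
Microsoft 1.5005 2009.09.12 VirTool:Win32/Injector.gen!P
Panda 10.0.2.2 2009.09.13 Suspicious file
Symantec 1.4.4.12 2009.09.13 -
Additional information
File size: 30720 bytes
MD5...: 0e5e7bd282057662db900876ac55551a
SHA1..: 879cc49ffbb8625c0b33446bd7742f9d0aae6ead
SHA256: 672fdc98ebfc4f2464f1c47d6237483e48d16a81822c6762023eb9f1415975a8
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
"""

# Engine lines: name, engine version, signature date, then the result,
# which may contain spaces ("Suspicious file") or be "-" for no detection.
ENGINE_RE = re.compile(r"^(?P<engine>\S+) (?P<version>\S+) (?P<updated>\d{4}\.\d{2}\.\d{2}) (?P<result>.+)$")
# Identification fields are padded with dots before the colon ("MD5...:").
FIELD_RE = re.compile(r"^(?P<key>File size|MD5|SHA1|SHA256|timedatestamp)\.*:\s*(?P<value>.+)$")

# Delphi's linker stamps every PE with this fixed value (1992-06-19), so on
# a Delphi binary the timestamp cannot be used to date the build.
DELPHI_TIMESTAMP = 0x2A425E19


def parse_report(text):
    """Return ([(engine, result_or_None), ...], {field: value})."""
    engines, fields = [], {}
    for line in text.splitlines():
        line = line.strip()
        if m := ENGINE_RE.match(line):
            result = m["result"].strip()
            engines.append((m["engine"], None if result == "-" else result))
        elif m := FIELD_RE.match(line):
            fields[m["key"]] = m["value"].strip()
    return engines, fields


def verdict_of(engines, name):
    """Result string from one engine, or None if that engine reported it clean."""
    return dict(engines).get(name)


def summarize(text):
    engines, fields = parse_report(text)
    hits = [(e, r) for e, r in engines if r]
    stamp = fields.get("timedatestamp", "0x0").split()[0]
    return {
        "engines": len(engines),
        "detections": len(hits),
        "labels": sorted({r for _, r in hits}),
        "sha256": fields.get("SHA256"),
        "size_bytes": int(fields["File size"].split()[0]) if "File size" in fields else None,
        "delphi_timestamp": int(stamp, 16) == DELPHI_TIMESTAMP,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    print(f"{summary['detections']}/{summary['engines']} engines flagged the file")
    for label in summary["labels"]:
        print("  ", label)
    engines, _ = parse_report(SAMPLE_REPORT)
    print("Avast says:", verdict_of(engines, "Avast"))
```

`verdict_of` exists to make one thing visible: Avast, the scanner installed on this machine according to the HijackThis log, is among the engines that returned "-", while several others labelled the file a dropper or injector. That is why helpers ask for the multi-engine result instead of relying on the local scanner's silence.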



screen317
Hi,

Things are looking good.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.


Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

CODE
http://www.malwarebytes.org/forums/index.php?showtopic=24169
Collect::
C:\WINDOWS\system32\B22327DAE92BEBA3.exe


Save this as CFScript.txt





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.



Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.
  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.



Next, download my Security Check from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Let me know how things are running now and what issues remain.

-screen317
peppermint
QUOTE (screen317 @ Sep 13 2009, 09:28 PM) *

I've downloaded a new ComboFix and here is the log from today:


ComboFix 09-09-14.02 - Owner 09/14/2009 11:37.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.81 [GMT -10:00]
Running from: c:\documents and settings\Owner.Sunrise\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner.Sunrise\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1351 [VPS 090817-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point

file zipped: c:\windows\system32\B22327DAE92BEBA3.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
c:\windows\system32\B22327DAE92BEBA3.exe
c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE

.
((((((((((((((((((((((((( Files Created from 2009-08-14 to 2009-09-14 )))))))))))))))))))))))))))))))
.

2009-09-13 19:06 . 2009-09-13 19:06 30200 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-13 18:48 . 2009-09-13 18:49 -------- d-----w- c:\program files\Safari
2009-09-13 18:37 . 2009-09-13 18:37 -------- d-----w- c:\program files\iPod
2009-09-13 18:36 . 2009-09-13 18:38 -------- d-----w- c:\program files\iTunes
2009-09-13 18:36 . 2009-09-13 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-13 18:33 . 2009-09-13 18:34 -------- d-----w- c:\program files\QuickTime
2009-09-13 18:01 . 2009-09-13 18:01 -------- d-----w- c:\program files\Bonjour
2009-09-12 05:11 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-09-12 05:11 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-12 05:11 . 2008-04-14 00:12 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2009-09-12 05:11 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-09-12 00:22 . 2009-08-17 16:04 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-09-12 00:22 . 2009-08-17 16:04 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-09-12 00:22 . 2009-08-17 16:03 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-09-12 00:22 . 2009-08-17 16:02 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-09-12 00:22 . 2009-08-17 16:06 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-09-12 00:22 . 2009-08-17 16:05 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-09-12 00:22 . 2009-08-17 16:05 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-09-12 00:22 . 2009-08-17 16:06 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-09-12 00:21 . 2009-08-17 16:10 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-09-12 00:21 . 2009-09-12 00:21 -------- d-----w- c:\program files\Alwil Software
2009-09-11 23:25 . 2009-09-11 23:25 4707 ----a-w- c:\windows\system32\z98a.bin
2009-09-10 01:20 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 05:22 . 2009-05-19 00:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-09-08 05:22 . 2008-04-17 23:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-09-04 01:54 . 2009-09-04 01:54 -------- d-----w- c:\program files\FileASSASSIN
2009-08-31 17:10 . 2009-08-31 17:10 43008 ----a-w- c:\windows\system32\smyrp.dll
2009-08-22 00:01 . 2009-08-22 00:01 37376 ----a-w- c:\windows\system32\klif32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-14 07:18 . 2009-02-04 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-13 19:05 . 2009-01-28 03:16 -------- d-----w- c:\documents and settings\Owner.Sunrise\Application Data\Apple Computer
2009-09-13 18:37 . 2009-01-28 03:12 -------- d-----w- c:\program files\Common Files\Apple
2009-09-13 04:19 . 2009-06-04 05:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 03:41 . 2009-06-03 18:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-11 18:17 . 2009-01-27 19:49 26112 ------w- c:\windows\system32\userinit.exe
2009-09-11 00:54 . 2009-06-04 05:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-11 00:53 . 2009-06-04 05:45 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-05 09:01 . 2009-01-27 19:47 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 03:17 . 2009-08-03 01:25 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{2ED18044-7049-4E7A-A58D-4017348FCDB7}
2009-08-03 01:24 . 2009-08-03 01:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Native Instruments
2009-08-03 01:24 . 2009-07-31 17:54 -------- d-----w- c:\program files\Native Instruments
2009-07-31 18:01 . 2009-07-31 18:01 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{A215474F-E448-48A8-97F1-14D1C09A4235}
2009-07-31 17:55 . 2009-07-31 17:55 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{C59C4281-5384-43B2-9E48-2FA6F8967AB1}
2009-07-31 17:55 . 2009-07-31 17:55 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{902029B2-957E-4066-85FA-30DA31731718}
2009-07-31 17:54 . 2009-07-31 17:54 -------- d-----w- c:\program files\Common Files\Native Instruments
2009-07-17 19:01 . 2009-01-27 19:41 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 20:08 . 2009-01-27 19:50 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 03:07 . 2009-07-11 23:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-03 17:09 . 2009-01-27 19:49 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 22:13 . 2009-06-25 22:13 17408 ----a-w- c:\windows\system32\perfc5932.dat
2009-06-25 22:13 . 2009-06-25 22:13 1 ----a-w- c:\windows\system32\perfc7683.dat
2009-06-25 08:25 . 2009-01-27 19:49 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2009-01-27 19:48 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2009-01-27 19:48 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2009-01-27 19:47 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2009-01-27 19:46 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2009-01-27 19:44 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2009-01-27 19:44 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-19 01:37 . 2005-11-23 09:38 36624 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-09-12_05.15.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-13 18:30 . 2009-08-29 05:42 40448 c:\windows\system32\DRVSTORE\usbaapl_6DA28B91FF48C57089E4D2436654AFA4ECAD0622\usbaapl.sys
+ 2009-09-13 18:30 . 2009-08-29 05:42 17408 c:\windows\system32\DRVSTORE\netaapl_F433E854B3FF3BEE74986FDE8E16A64162342BFF\netaapl.sys
+ 2009-09-13 18:38 . 2009-05-19 00:17 26600 c:\windows\system32\DRVSTORE\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\x86\GEARAspiWDM.sys
- 2008-08-29 17:53 . 2008-08-29 17:53 61440 c:\windows\system32\dnssd.dll
+ 2008-12-12 21:11 . 2008-12-12 21:11 61440 c:\windows\system32\dnssd.dll
+ 2008-12-12 21:18 . 2008-12-12 21:18 87336 c:\windows\system32\dns-sd.exe
- 2008-08-29 18:18 . 2008-08-29 18:18 87336 c:\windows\system32\dns-sd.exe
+ 2009-09-13 18:01 . 2009-09-13 18:01 86016 c:\windows\Installer\{07287123-B8AC-41CE-8346-3D777245C35B}\PrntWzrdIco.exe
+ 2009-09-13 18:38 . 2008-04-17 23:12 107368 c:\windows\system32\DRVSTORE\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\x86\GEARAspi.dll
+ 2009-09-13 18:31 . 2009-09-13 18:31 694272 c:\windows\Installer\237f8d.msi
+ 2009-09-13 18:39 . 2009-09-13 18:39 102400 c:\windows\Installer\{EC2A8F27-4FBF-4E41-B27B-FE822511B761}\iTunesIco.exe
+ 2009-09-13 18:49 . 2009-09-13 18:49 307200 c:\windows\Installer\{E56D39F8-2A9F-44B4-B068-A72E45A073E6}\SafariIco.exe
+ 2009-09-13 18:30 . 2009-08-29 05:42 2065696 c:\windows\system32\DRVSTORE\usbaapl_6DA28B91FF48C57089E4D2436654AFA4ECAD0622\usbaaplrc.dll
+ 2009-09-13 18:30 . 2009-08-29 05:42 1417504 c:\windows\system32\DRVSTORE\netaapl_F433E854B3FF3BEE74986FDE8E16A64162342BFF\wdfcoinstaller01005.dll
+ 2009-09-13 18:01 . 2009-09-13 18:01 1659392 c:\windows\Installer\9ea91.msi
+ 2009-09-13 18:49 . 2009-09-13 18:49 2487808 c:\windows\Installer\238546.msi
+ 2009-09-13 18:39 . 2009-09-13 18:39 4597248 c:\windows\Installer\238540.msi
+ 2009-09-13 18:33 . 2009-09-13 18:33 9013760 c:\windows\Installer\23821a.msi
+ 2009-09-13 18:30 . 2009-09-13 18:30 3310592 c:\windows\Installer\237f81.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-13 1994480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"HostManager"="c:\program files\Common Files\AOL\1233092913\EE\AOLHostManager.exe" [2004-11-03 125528]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-29 344064]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-13 1121792]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-1-30 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-13 03:41 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dbbin.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\1233092913\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\3aLab\\iRadio\\iRadio.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iCall\\iCall.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"%windir%\\system32\\lsass.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/11/2009 2:22 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/11/2009 2:22 PM 20560]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [1/27/2009 10:17 AM 200576]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S1 dbbin;SQL-T Database Driver;c:\windows\system32\dbbin.sys --> c:\windows\system32\dbbin.sys [?]
S2 gupdate1c986733a703344;Google Update Service (gupdate1c986733a703344);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2009 4:49 PM 133104]
S3 EchoIndigoDJ;Echo Indigo dj Service;c:\windows\system32\drivers\echondgo.sys [8/25/2003 10:33 AM 124160]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [1/27/2009 10:13 AM 69692]
S3 HDJCtrl;Hercules DJ Control MP3 Service;c:\windows\system32\drivers\HDJCTRL.sys [1/29/2009 7:34 PM 11008]
S3 HDJMidi;Hercules DJ Console MIDI;c:\windows\system32\drivers\hdjmidi.sys [1/29/2009 7:34 PM 39424]
S3 UKS11LDR;M-Audio USB Keystation Loader;c:\windows\system32\drivers\uks11ldr.sys [2/3/2009 7:50 PM 13504]
S3 USBKT1X1;M-Audio USB Keystation;c:\windows\system32\drivers\usbkt1x1.sys [2/3/2009 7:50 PM 22304]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:34]

2009-09-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-04 04:16]

2009-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 02:49]

2009-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 02:49]

2009-09-14 c:\windows\Tasks\User_Feed_Synchronization-{6B735695-8054-425A-91F6-F2A39FB0C4CE}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 14:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6441
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner.Sunrise\Application Data\Mozilla\Firefox\Profiles\8runbjqn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Mozilla Firefox\extensions\info@google.com\components\FFLocal.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-B22327DAE92BEBA3 - c:\windows\system32\B22327DAE92BEBA3.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-14 11:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(884)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-09-14 11:48
ComboFix-quarantined-files.txt 2009-09-14 21:48
ComboFix2.txt 2009-09-12 05:23

Pre-Run: 12,684,849,152 bytes free
Post-Run: 12,819,230,720 bytes free

237 --- E O F --- 2009-09-10 07:29
Upload was successful
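A ComboFix log of this size is read by scanning for a handful of line shapes rather than top to bottom. The following is an added example (not ComboFix's code and not something posted in this thread) that picks out the lines from the log above a helper would look at first: a Run value marked `[X]` (target file not found), a service whose file ComboFix marks `[?]`, a `ProxyServer` setting that points at the local machine, `AntiVirusOverride` set to 1 in Security Center, and hex-string names like the orphaned Run entry. The embedded excerpt is constructed from lines in the log above, with benign neighbours kept for contrast; the flagging rules are heuristics of my own.

```python
"""Flag the ComboFix log lines a helper reads first (added example; not
ComboFix's code and not posted in this thread)."""
import re

# Constructed excerpt: lines taken from the ComboFix log above, grouped the
# way ComboFix prints them, with benign neighbours left in for contrast.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/11/2009 2:22 PM 114768]
S1 dbbin;SQL-T Database Driver;c:\windows\system32\dbbin.sys --> c:\windows\system32\dbbin.sys [?]

uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=localhost:7171

HKLM-Run-B22327DAE92BEBA3 - c:\windows\system32\B22327DAE92BEBA3.exe
"""

PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (?P<value>.+)$")
# "R1 name;display;path [date size]" or "S1 name;display;path --> path [?]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?: --> (?P<resolved>.+?))? \[(?P<info>[^\]]*)\]$")
RUNVALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)" \[(?P<info>[^\]]*)\]$')
ORPHAN_RE = re.compile(r"^HKLM-Run-(?P<name>\S+) - (?P<target>.+)$")
AVOVERRIDE_RE = re.compile(r'^"AntiVirusOverride"=dword:(?P<value>[0-9a-fA-F]{8})$')
HEX_NAME_RE = re.compile(r"^[0-9A-Fa-f]{12,}$")
LOOPBACK = ("localhost", "127.", "::1")


def loopback_proxies(value):
    """Entries of an IE ProxyServer value that point at this machine.
    Accepts 'host:port' and 'http=host:port;https=host:port' forms."""
    found = []
    for part in value.split(";"):
        hostport = part.split("=", 1)[-1].strip()
        host = hostport.rsplit(":", 1)[0].strip("[]").lower()
        if host.startswith(LOOPBACK):
            found.append(part.strip())
    return found


def file_stem(path):
    """'c:\\dir\\NAME.exe' -> 'NAME'."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def triage_combofix(text):
    """List of (reason, subject, line). Each hit means 'look here', nothing more."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := PROXY_RE.match(line):
            for proxy in loopback_proxies(m["value"]):
                findings.append(("browser HTTP routed through a local proxy", proxy, line))
        elif m := SERVICE_RE.match(line):
            if m["info"] == "?":
                findings.append(("service/driver registered but file not found", m["name"], line))
            if HEX_NAME_RE.match(file_stem(m["path"])):
                findings.append(("hex-named service file", m["name"], line))
        elif m := RUNVALUE_RE.match(line):
            if m["info"] == "X":
                findings.append(("autorun whose target file is missing", m["name"], line))
            if HEX_NAME_RE.match(m["name"]) or HEX_NAME_RE.match(file_stem(m["target"])):
                findings.append(("hex-named autorun", m["name"], line))
        elif m := ORPHAN_RE.match(line):
            if HEX_NAME_RE.match(m["name"]) or HEX_NAME_RE.match(file_stem(m["target"])):
                findings.append(("hex-named autorun (already removed as orphan)", m["name"], line))
        elif m := AVOVERRIDE_RE.match(line):
            if int(m["value"], 16):
                findings.append(("Security Center antivirus alerts suppressed", "AntiVirusOverride", line))
    return findings


if __name__ == "__main__":
    for reason, subject, line in triage_combofix(SAMPLE_LOG):
        print(f"{reason}: {subject}\n    {line}")
```

The `ProxyServer = http=localhost:7171` line deserves the most attention of the five hits: with that setting, every HTTP request Internet Explorer makes is handed to whatever process listens on port 7171 before it reaches the real site, which is consistent with the redirected Google results described at the top of the thread. Clearing the proxy setting on its own does not remove the listener, so the setting and the process behind it are checked together.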
screen317
Hi,

Things are looking good.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.
  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.



Next, download my Security Check from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Let me know how things are running now and what issues remain.

-screen317
peppermint
QUOTE (screen317 @ Sep 15 2009, 12:33 PM) *

OK

My internet connection is too slow to finish the online scanner, but I'll try it again when I get a chance.

The results of the Security Check are below.

I've installed Outpost as a firewall, Avast Home edition, Spyware Blaster, Spybot and MVPS and it seems after the last running of Combofix all is good again and I see no problems.
I just have a couple questions if you don't mind.

1) Now that I have Outpost running, should I disable Windows firewall or keep that running as well?
2) Do you know what virus it is that hi-jacks my Google search results, as this is the 2nd time I've had this problem come up?

Thanks so much for your help!

Results of screen317's Security Check version 0.98.9
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
avast! Antivirus
Outpost Firewall 2009


Antivirus out of date!
``````````````````````````````
Anti-malware/Other Utilities Check:

MVPS Hosts File
SpywareBlaster 4.2
SUPERAntiSpyware Free Edition
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Adobe Flash Player 10
Adobe Reader 7.0
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent

Alwil Software Avast4 aswUpdSv.exe
Alwil Software Avast4 ashServ.exe
Alwil Software Avast4 ashDisp.exe
Alwil Software Avast4 ashMaiSv.exe
Alwil Software Avast4 ashWebSv.exe


``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````




screen317
Hi,


QUOTE (peppermint @ Sep 16 2009, 05:07 PM) *
I've installed Outpost as a firewall, Avast Home edition, Spyware Blaster, Spybot and MVPS and it seems after the last running of Combofix all is good again and I see no problems.
Good to hear.

QUOTE
1) Now that I have Outpost running, should I disable Windows firewall or keep that running as well?
Yes, please disable Windows Firewall. It's not a good idea to have both running.
QUOTE
2) Do you know what virus it is that hi-jacks my Google search results, as this is the 2nd time I've had this problem come up?
This one was a mixture of different things. We call the general family the TDSS rootkit though.


Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u

This uninstalls all of ComboFix's components.

Delete SecurityCheck.


After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

Adobe Reader 7.0

Restart your computer.

Get the latest version of Adobe Reader.


Post the results from the F-Secure scan and let me know what issues remain.

-screen317
screen317
Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!