Trojan Alureon.gen!U & Alureon.CT [Closed]


  • This topic is locked

#1 paulmo (Member, 19 posts)
Hello,
Thank you for reading.

I've been trying to rid my system of an Alureon trojan for over two weeks, to no avail. Other trojans etc. also seem to be loading themselves.

It seemed to switch off my firewall when it loaded itself onto my machine. I had up-to-date AVG Free on my machine, but this wouldn't stop it. I've since used Malwarebytes, SUPERAntiSpyware, Ad-Aware and Spybot Search & Destroy. These initially picked some things up, but didn't remove the problem.

I've swapped AVG free for Microsoft Security Essentials, which regularly detects the trojan - but it seems to come back when I reconnect to the Web.

Microsoft Security Essentials calls the first one it detected TrojanDownloader:Win32/Renos.JI. The next one (and most frequent returner) is Trojan:Win32/Alureon.gen!U. Others it's detected are Exploit:Java/CVE-2008-5353.A; Trojan:Java/Selace.D; Trojan:Java/Selace.E; VirTool:Win32/Injector.gen!Z; TrojanDownloader:Win32/Obitel and Trojan:Win32/Alureon.CT.

I'm out of my depth and not sure what else to do. I hope your forum can help.

I've tried to follow the Malware and Spyware Cleaning Guide

TFC seemed to work OK and removed files.

SysRestorePoint downloaded but wouldn't work. Possibly related, Windows' own System Restore wouldn't allow me to roll back to an earlier version when I first noticed problems a couple of weeks back.

ERUNT seems to have worked OK.

I re-ran Malwarebytes and append the log below. I assume the log won't have everything as I'd run Malwarebytes a few times before finding this forum.

I downloaded and ran RootRepeal. It finished running within a second or two which makes me wonder whether it has run properly. It generated a report which I'll append below.

OTL downloaded and started the quick scan, but stalled three times a few seconds in whilst 'Scanning NetSvcs settings...'.


Any thoughts / advice very much appreciated. I'm just a general computer user, so please accept my apologies if I've not understood the instructions fully.


Appended Logs / Reports:

Malwarebytes

Malwarebytes' Anti-Malware 1.41
Database version: 3195
Windows 5.1.2600 Service Pack 3

18/11/2009 21:44:02
mbam-log-2009-11-18 (21-44-02).txt

Scan type: Quick Scan
Objects scanned: 116335
Time elapsed: 4 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\tdlcmd.dll (Rootkit.Agent) -> Quarantined and deleted successfully.


RootRepeal

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/18 21:52
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF57CC000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7CDD000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF2177000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf77df87e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf77dfbfe

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xf59760b0

==EOF==

I've noticed that my machine no longer plays sound / music since the infection started.

Any help / guidance much appreciated

Thanks / Paul



#2 Rorschach112 (Retired Staff, 47,710 posts)
Hi,

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#3 paulmo (Topic Starter, Member, 19 posts)
Hi Rorschach112,

Many thanks for the quick response!

I've run ComboFix and appended the log below. When it initially started to run it came up with a message which read "Rootkit!! ComboFix has detected the presence of rootkit activity and needs to reboot the machine".

It all seemed to run OK after the reboot.

Appended is the C:\ComboFix.txt log:


ComboFix 09-11-19.05 - Owner 19/11/2009 23:21.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.483 [GMT 0:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\Common Files\Companion Wizard
c:\windows\Downloaded Program Files\RdxIE.dll
c:\windows\system32\stera.log
c:\windows\system32\wbem\proquota.exe

----- BITS: Possible infected sites -----

hxxp://opt3.biz
Infected copy of c:\windows\System32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :)
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FOPN


((((((((((((((((((((((((( Files Created from 2009-10-19 to 2009-11-19 )))))))))))))))))))))))))))))))
.

2009-11-19 23:29 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-18 21:35 . 2009-11-18 21:36 -------- d-----w- c:\program files\ERUNT
2009-11-18 21:25 . 2008-04-14 00:12 26112 ----a-w- c:\windows\system32\stu2.exe
2009-11-09 00:02 . 2009-11-09 00:02 -------- d-----w- c:\documents and settings\user1\Application Data\Malwarebytes
2009-11-08 23:57 . 2009-11-08 22:56 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-08 22:57 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-08 22:55 . 2009-11-08 22:55 1179232 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-11-08 22:35 . 2009-11-08 22:35 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-08 22:35 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-08 22:32 . 2009-11-08 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-08 22:32 . 2009-11-08 22:32 -------- d-----w- c:\program files\Lavasoft
2009-11-07 21:00 . 2009-11-07 21:00 -------- d-----w- c:\program files\CCleaner
2009-11-06 23:59 . 2009-11-06 23:59 -------- d-----w- c:\documents and settings\Administrator.DELL\Local Settings\Application Data\Mozilla
2009-11-06 23:58 . 2009-11-06 23:58 35064 ----a-w- c:\documents and settings\Administrator.DELL\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-06 23:55 . 2009-11-06 23:55 117760 ----a-w- c:\documents and settings\Administrator.DELL\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-06 23:55 . 2009-11-06 23:55 -------- d-----w- c:\documents and settings\Administrator.DELL\Application Data\SUPERAntiSpyware.com
2009-11-06 22:54 . 2009-11-06 22:54 -------- d-----w- c:\documents and settings\Administrator.DELL\Application Data\Malwarebytes
2009-11-06 22:49 . 2009-11-16 22:01 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-06 22:48 . 2009-11-06 22:48 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-06 22:48 . 2009-11-06 22:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-06 22:48 . 2009-11-06 22:48 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-11-06 22:47 . 2009-11-06 22:47 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-06 22:45 . 2009-11-06 22:45 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-11-06 22:45 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-06 22:45 . 2009-11-06 22:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-06 22:45 . 2009-11-06 22:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-06 22:45 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-05 01:53 . 2009-11-05 01:53 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PCHealth
2009-11-05 00:36 . 2009-09-23 16:37 34112 ----a-w- c:\documents and settings\user1\Application Data\Mozilla\Firefox\Profiles\lthweqgr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-11-05 00:36 . 2009-09-23 16:37 32448 ----a-w- c:\documents and settings\user1\Application Data\Mozilla\Firefox\Profiles\lthweqgr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-11-05 00:36 . 2009-09-23 16:37 330072 ----a-w- c:\documents and settings\user1\Application Data\Mozilla\Firefox\Profiles\lthweqgr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe.exe
2009-11-05 00:36 . 2009-09-23 16:37 51168 ----a-w- c:\documents and settings\user1\Application Data\Mozilla\Firefox\Profiles\lthweqgr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlus_Helper.dll
2009-11-05 00:36 . 2009-09-23 16:37 22352 ----a-w- c:\documents and settings\user1\Application Data\Mozilla\Firefox\Profiles\lthweqgr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-10-30 01:04 . 2009-10-30 01:04 -------- d-----w- C:\175ab6c6496184de98bc5fabcf486801
2009-10-30 00:59 . 2009-08-06 19:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-10-30 00:59 . 2009-08-06 19:23 215920 ----a-w- c:\windows\system32\muweb.dll
2009-10-28 21:30 . 2009-10-28 21:30 -------- d-----w- c:\program files\Microsoft Security Essentials
2009-10-26 23:09 . 2009-10-26 23:15 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-25 14:18 . 2009-10-25 14:18 -------- d-----w- c:\windows\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-19 23:37 . 2008-03-24 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-11-19 23:34 . 2008-09-26 20:32 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
2009-11-11 01:09 . 2006-09-23 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-11-08 23:50 . 2006-04-03 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-08 22:52 . 2006-04-03 21:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-02 20:42 . 2009-10-02 20:34 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-30 17:44 . 2008-08-27 21:20 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-28 21:27 . 2008-05-19 01:53 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-28 01:12 . 2006-03-26 15:06 35064 ----a-w- c:\documents and settings\user1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-27 21:58 . 2005-12-17 21:49 35064 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-16 13:30 . 2008-09-26 20:35 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-10-14 20:08 . 2008-03-24 21:42 -------- d-----w- c:\program files\Kontiki
2009-09-25 05:37 . 2005-06-17 22:49 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-09-11 14:18 . 2003-07-16 20:36 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2003-07-16 20:35 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00 . 2003-07-16 20:46 247326 ----a-w- c:\windows\system32\strmdll.dll
2006-05-06 16:42 . 2006-10-25 12:31 7260160 ----a-w- c:\program files\mozilla firefox\plugins\libvlc.dll
.

------- Sigcheck -------

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-09-12 443968]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-12 2000112]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-29 136600]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"Motive SmartBridge"="c:\progra~1\BLUEYO~1\SMARTB~1\MotiveSB.exe" [2006-04-21 438359]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
blueyonder Instant Support Tool.lnk - c:\program files\blueyonder IST\bin\blueyonder-istconfig.exe [2008-8-13 217088]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\msbsyn32.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 15:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0stera\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [08/11/2009 22:57 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/10/2009 21:24 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/10/2009 21:24 74480]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [24/09/2009 11:17 1179232]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 17:19 13592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/10/2009 21:24 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-11-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 22:56]

2009-06-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]

2009-11-19 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.altavista.com/
mStart Page = hxxp://www.altavista.com/
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
Trusted Zone: boxesandbubbles.co.uk\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71}
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\6mrxbm9r.default\
FF - prefs.js: browser.startup.homepage - hxxp://uk.altavista.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-RunServices-Window Monitor - winmon32.exe
HKU-Default-Run-OEM32 Tools - sres32.exe
HKU-Default-Run-Window Monitor - winmon32.exe
HKU-Default-RunServices-Window Monitor - winmon32.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-19 23:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3016)
c:\progra~1\BLUEYO~1\SMARTB~1\SBHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Kontiki\KService.exe
c:\windows\system32\wdfmgr.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\blueyonder IST\bin\blueyonder-istupdate.exe
c:\program files\OpenOffice.org 2.3\program\soffice.exe
c:\program files\OpenOffice.org 2.3\program\soffice.BIN
c:\program files\blueyonder IST\bin\mpbtn.exe
c:\progra~1\Motive\ASSTCO~1\MOTIVE~1.EXE
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2009-11-19 23:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-19 23:41

Pre-Run: 109,490,790,400 bytes free
Post-Run: 109,365,837,824 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - D97E6820DA570224B9150EE0020A9F49

Thanks / Paul

#4 Rorschach112 (Retired Staff, 47,710 posts)
Hi,


1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\stu2.exe
c:\windows\system32\msbsyn32.exe
Mia::
c:\windows\system32\eventlog.dll


Save this as CFScript.txt, in the same location as ComboFix.exe.


Posted Image

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
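The ComboFix log posted above shows the Winlogon Userinit value carrying a second executable (msbsyn32.exe) after the genuine userinit.exe, which is exactly what the File:: lines in this reply target. As an added example (not code from the thread, from ComboFix or from Malwarebytes), here is a small Python check that pulls that value out of a ComboFix-style "Reg Loading Points" excerpt and reports every entry other than the canonical c:\windows\system32\userinit.exe, treating even the relative form system32\userinit.exe as suspect, the same way the Malwarebytes log earlier in the thread did. The sample log text is constructed from lines in the thread, and a system root of C:\WINDOWS is assumed.

```python
import re

# Assumption: stock Windows XP with %SystemRoot% = C:\WINDOWS, as in the thread.
# Userinit is a comma-separated list of programs Winlogon runs at logon; on a
# clean system it holds exactly this one path (a trailing comma is normal).
CANONICAL_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample: the Winlogon block from the first ComboFix log in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\msbsyn32.exe,"
"""

# Constructed sample of what the same block looks like on a clean machine.
CLEAN_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,"
"""

# Matches the REGEDIT4-style line ComboFix prints for the Userinit value.
_USERINIT_RE = re.compile(r'^"Userinit"="(?P<value>.*)"\s*$',
                          re.IGNORECASE | re.MULTILINE)


def parse_userinit(log_text):
    """Return the list of entries in the Userinit value, or None if the log has none."""
    match = _USERINIT_RE.search(log_text)
    if match is None:
        return None
    # Split on commas and drop the empty element left by the trailing comma.
    return [part.strip() for part in match.group("value").split(",") if part.strip()]


def normalize(entry):
    """Lower-case an entry and expand the usual system-root variables for comparison."""
    path = entry.strip().strip('"').lower()
    return path.replace("%systemroot%", r"c:\windows").replace("%windir%", r"c:\windows")


def find_userinit_hijack(log_text):
    """Return every Userinit entry that is not the canonical userinit.exe path.

    Anything else, including a relative 'system32\\userinit.exe' or a second
    program appended after the real one, is reported for a human to look at.
    """
    entries = parse_userinit(log_text)
    if entries is None:
        return []
    return [e for e in entries if normalize(e) != CANONICAL_USERINIT]


if __name__ == "__main__":
    for label, log in (("infected sample", SAMPLE_LOG), ("clean sample", CLEAN_LOG)):
        suspicious = find_userinit_hijack(log)
        print(f"{label}: {'OK' if not suspicious else 'suspect entries: ' + ', '.join(suspicious)}")
```

A missing Userinit line is reported as no findings rather than as a hijack, since ComboFix only prints the value when it differs from the default; read the rest of the log before concluding the machine is clean.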

#5 paulmo (Topic Starter, Member, 19 posts)
Thanks Rorschach112,

That seemed to run smoothly. ComboFix asked to update at the start, which I permitted. The log report is as follows:

ComboFix 09-11-20.02 - Owner 20/11/2009 20:54.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.555 [GMT 0:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
* Created a new restore point

FILE ::
"c:\windows\system32\msbsyn32.exe"
"c:\windows\system32\stu2.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\pciide.sys
c:\windows\system32\stu2.exe

c:\windows\system32\eventlog.dll was missing
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-20 to 2009-11-20 )))))))))))))))))))))))))))))))
.

2009-11-20 21:01 . 2008-04-14 00:11 56320 -c--a-w- c:\windows\system32\dllcache\eventlog.dll
2009-11-20 21:01 . 2008-04-14 00:11 56320 ----a-w- c:\windows\system32\eventlog.dll
2009-11-19 23:29 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-18 21:35 . 2009-11-18 21:36 -------- d-----w- c:\program files\ERUNT
2009-11-09 00:02 . 2009-11-09 00:02 -------- d-----w- c:\documents and settings\user1\Application Data\Malwarebytes
2009-11-08 23:57 . 2009-11-08 22:56 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-08 22:57 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-08 22:55 . 2009-11-08 22:55 1179232 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-11-08 22:35 . 2009-11-08 22:35 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-08 22:35 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-08 22:32 . 2009-11-08 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-08 22:32 . 2009-11-08 22:32 -------- d-----w- c:\program files\Lavasoft
2009-11-07 21:00 . 2009-11-07 21:00 -------- d-----w- c:\program files\CCleaner
2009-11-06 23:59 . 2009-11-06 23:59 -------- d-----w- c:\documents and settings\Administrator.DELL\Local Settings\Application Data\Mozilla
2009-11-06 23:58 . 2009-11-06 23:58 35064 ----a-w- c:\documents and settings\Administrator.DELL\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-06 23:55 . 2009-11-06 23:55 117760 ----a-w- c:\documents and settings\Administrator.DELL\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-06 23:55 . 2009-11-06 23:55 -------- d-----w- c:\documents and settings\Administrator.DELL\Application Data\SUPERAntiSpyware.com
2009-11-06 22:54 . 2009-11-06 22:54 -------- d-----w- c:\documents and settings\Administrator.DELL\Application Data\Malwarebytes
2009-11-06 22:49 . 2009-11-16 22:01 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-06 22:48 . 2009-11-06 22:48 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-06 22:48 . 2009-11-06 22:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-06 22:48 . 2009-11-06 22:48 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-11-06 22:47 . 2009-11-06 22:47 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-06 22:45 . 2009-11-06 22:45 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-11-06 22:45 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-06 22:45 . 2009-11-06 22:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-06 22:45 . 2009-11-06 22:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-06 22:45 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-05 01:53 . 2009-11-05 01:53 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PCHealth
2009-11-05 00:36 . 2009-09-23 16:37 34112 ----a-w- c:\documents and settings\user1\Application Data\Mozilla\Firefox\Profiles\lthweqgr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-11-05 00:36 . 2009-09-23 16:37 32448 ----a-w- c:\documents and settings\user1\Application Data\Mozilla\Firefox\Profiles\lthweqgr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-11-05 00:36 . 2009-09-23 16:37 330072 ----a-w- c:\documents and settings\user1\Application Data\Mozilla\Firefox\Profiles\lthweqgr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe.exe
2009-11-05 00:36 . 2009-09-23 16:37 51168 ----a-w- c:\documents and settings\user1\Application Data\Mozilla\Firefox\Profiles\lthweqgr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlus_Helper.dll
2009-11-05 00:36 . 2009-09-23 16:37 22352 ----a-w- c:\documents and settings\user1\Application Data\Mozilla\Firefox\Profiles\lthweqgr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-10-30 01:04 . 2009-10-30 01:04 -------- d-----w- C:\175ab6c6496184de98bc5fabcf486801
2009-10-30 00:59 . 2009-08-06 19:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-10-30 00:59 . 2009-08-06 19:23 215920 ----a-w- c:\windows\system32\muweb.dll
2009-10-28 21:30 . 2009-10-28 21:30 -------- d-----w- c:\program files\Microsoft Security Essentials
2009-10-26 23:09 . 2009-10-26 23:15 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-25 14:18 . 2009-10-25 14:18 -------- d-----w- c:\windows\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-20 21:07 . 2008-03-24 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-11-20 21:04 . 2008-09-26 20:32 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
2009-11-11 01:09 . 2006-09-23 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-11-08 23:50 . 2006-04-03 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-08 22:52 . 2006-04-03 21:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-02 20:42 . 2009-10-02 20:34 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-30 17:44 . 2008-08-27 21:20 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-28 21:27 . 2008-05-19 01:53 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-28 01:12 . 2006-03-26 15:06 35064 ----a-w- c:\documents and settings\user1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-27 21:58 . 2005-12-17 21:49 35064 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-16 13:30 . 2008-09-26 20:35 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-10-14 20:08 . 2008-03-24 21:42 -------- d-----w- c:\program files\Kontiki
2009-09-25 05:37 . 2005-06-17 22:49 667136 ------w- c:\windows\system32\wininet.dll
2009-09-25 05:37 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-09-11 14:18 . 2003-07-16 20:36 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2003-07-16 20:35 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00 . 2003-07-16 20:46 247326 ----a-w- c:\windows\system32\strmdll.dll
2006-05-06 16:42 . 2006-10-25 12:31 7260160 ----a-w- c:\program files\mozilla firefox\plugins\libvlc.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-19_23.33.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-20 21:06 . 2009-11-20 21:06 16384 c:\windows\Temp\Perflib_Perfdata_cb8.dat
- 2009-11-18 21:26 . 2009-11-19 23:32 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-18 21:26 . 2009-11-20 21:03 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-11-10 03:41 . 2009-11-20 21:03 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-11-10 03:41 . 2009-11-19 23:32 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-11-10 03:41 . 2009-11-20 21:03 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-11-10 03:41 . 2009-11-19 23:32 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-09-12 443968]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-12 2000112]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Window Monitor"="winmon32.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-29 136600]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"Motive SmartBridge"="c:\progra~1\BLUEYO~1\SMARTB~1\MotiveSB.exe" [2006-04-21 438359]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
blueyonder Instant Support Tool.lnk - c:\program files\blueyonder IST\bin\blueyonder-istconfig.exe [2008-8-13 217088]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\msbsyn32.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 15:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0stera\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [08/11/2009 22:57 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/10/2009 21:24 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/10/2009 21:24 74480]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [24/09/2009 11:17 1179232]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 17:19 13592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/10/2009 21:24 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-11-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 22:56]

2009-06-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]

2009-11-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.altavista.com/
mStart Page = hxxp://www.altavista.com/
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
Trusted Zone: boxesandbubbles.co.uk\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\6mrxbm9r.default\
FF - prefs.js: browser.startup.homepage - hxxp://uk.altavista.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-20 21:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(1060)
c:\progra~1\BLUEYO~1\SMARTB~1\SBHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\system32\wdfmgr.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Kontiki\KService.exe
.
**************************************************************************
.
Completion time: 2009-11-20 21:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-20 21:12
ComboFix2.txt 2009-11-19 23:41

Pre-Run: 109,192,843,264 bytes free
Post-Run: 109,159,993,344 bytes free

- - End Of File - - D76A059F1CD15627CCAA7FFF31E4109F

Best wishes / Paul
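The 'Reg Loading Points' section of the log above shows a Winlogon Userinit value that chains a second executable, msbsyn32.exe, after the genuine userinit.exe, and a RunServices entry that names winmon32.exe with no directory path. As an added example (not code from this thread or from ComboFix), the Python script below parses that section of a ComboFix log and flags both patterns; the sample text is a constructed excerpt modelled on the posted lines.

```python
# Triage helper for the 'Reg Loading Points' section of a ComboFix log.
# Added example for this thread, not code from ComboFix or from the forum.
# Flags a Userinit value that launches anything besides the real userinit.exe
# and any autostart value that names a bare file with no directory path.
import re

# Constructed excerpt modelled on the posted log; not the full dump.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-12 2000112]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Window Monitor"="winmon32.exe" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\msbsyn32.exe,"
"""

# On a clean Windows XP system the Userinit value holds only the genuine userinit.exe.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s+\[(.*)\])?$')


def parse_reg_dump(text):
    """Yield (key, value_name, data, trailer) for every value line in the dump.
    'trailer' is whatever ComboFix printed in brackets after the value, carried as-is."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name, data, trailer = m.groups()
            yield key, name, data, trailer


def check_userinit(data):
    """Return each comma-separated Userinit entry other than the genuine one, lower-cased."""
    parts = [p.strip().lower() for p in data.split(",") if p.strip()]
    return [p for p in parts if p != EXPECTED_USERINIT]


def scan_reg_dump(text):
    """Return human-readable findings for the two patterns described above."""
    findings = []
    for key, name, data, trailer in parse_reg_dump(text):
        if key.lower().endswith("\\winlogon") and name.lower() == "userinit":
            for extra in check_userinit(data):
                findings.append(f"Userinit also launches {extra} (key {key})")
        elif data.lower().endswith(".exe") and "\\" not in data:
            # A bare filename is resolved through the search path at logon;
            # installers normally write a full path, so this deserves a look.
            tag = f" [{trailer}]" if trailer else ""
            findings.append(f"{name} starts {data} without a path{tag} (key {key})")
    return findings


if __name__ == "__main__":
    print("\n".join(scan_reg_dump(SAMPLE_LOG)))
```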

#6 Rorschach112 (Retired Staff)
hi

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.




Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.






Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


#7 paulmo (Topic Starter)
Hello again,

Seems to have gone a bit astray. I downloaded and ran the TFC. It seemed to run ok, deleted around 62Mb of temp files and then rebooted.

On starting up again, a blue error screen came up with the following message:

" A problem has been detected and windows has been shut down to prevent damage to your computer.

If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps:

Check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers. Check your hard drive to make sure it is properly configured and terminated. Run CHKDSK /F to check for hard drive corruption, and then restart your computer.

Technical information:

*** STOP: 0x0000007B (0xF7B86528, 0xC0000034, 0x00000000, 0x00000000) "

When I restart, the same screen comes up.

Safe mode leads to the same screen

I can opt for the Microsoft Windows Recovery Console, which runs and stops with the following text on screen:

"Microsoft Windows XP™ Recovery Console.

The Recovery Console provides system repair and recovery functionality.

Type EXIT to quit the Recovery Console and restart the computer.

1: C:\WINDOWS

Which Windows installation would you like to log onto (To cancel, press ENTER)? "

I'm typing this from a laptop as I can't get beyond those error screens on the infected desktop computer at the moment. I don't know what I should enter at the above Recovery Console prompt.

I hadn't run the Malwarebytes or Kaspersky programmes - just the TFC followed by reboot.

Any thoughts?

Thanks / Paul

#8 Rorschach112 (Retired Staff)
start the machine, keep pressing F8, select Last known good configuration

Does that get you back in?

#9 paulmo (Topic Starter)
Alas no,

F8 gets me to a "Windows Advanced Options Menu" with several options

If I select "Last Known Good Configuration", it just goes to a screen asking me to choose between Microsoft Windows Recovery Console & Microsoft Windows XP Home Edition. If I select the XP option, it leads to the blue screen error message described in prev message. If I select the Recovery Console it brings me to the Recovery Console screen described in prev message.

At the base of the screen that asks to pick between the XP and Recovery Console options, the following text appears:

" For troubleshooting and advanced startup options for Windows, press F8

Last Known Good Configuration (your most recent settings that worked) " (This line in Blue)

If I press F8 again it returns me to the Windows Advanced Options Menu

Best wishes / Paul

#10 Rorschach112 (Retired Staff)
Hello

We will have to create a small 'fix CD' to solve this problem.
Please download RC.ISO and save it somewhere you can find it.
Also download MagicISO and install it.

Start MagicISO. You should see a window informing you about the full version of MagicISO.
In the bottom right select Try It! and the program will open.
Click on File and then on Open and navigate to the RC.ISO file you downloaded. Select it, and click Open.

First, we'll need to add a clean version of userinit.exe to the current RC.ISO
  • In the upper right pane, double click on the i386 folder.
  • Right click in the upper right pane and select Add Files...
  • Navigate to C:\Windows\System32 and select userinit.exe
  • Then click Open to add userinit.exe to the CD image.
  • Click File and select Save As...
  • Name the file RCplus and save it somewhere you can find it.
Next, we'll need to burn the newly created image to a disk that we can use to fix the problem.
  • Put a blank CD-R disk in your CD burner and close the tray. If an AutoPlay window opens, close it.
  • Click on Tools and select Burn CD/DVD with ISO.... A window will appear.
  • Click on the little folder to the right of CD/DVD Image File then navigate to the newly created RCplus.iso Image file and click Open.
  • In the CD/DVD Writing Speed drop-down menu choose the 8X setting.
  • Under Format make sure that Mode 1 is selected.
  • And finally, click on the Burn it! button to burn RCplus.iso to disk.
Once the disk is burned, put it in the machine you want to fix and restart it.
Boot to the CD just as you would with a Windows XP disk.
At the Welcome to Setup screen, press R to enter the Recovery Console.
Choose the installation to be repaired by number (usually 1) and press Enter.
When you are asked for the Administrator password, enter the password or leave it blank (default) and press Enter.

At the C:\Windows> prompt, type the following commands pressing Enter after each one. Note: Watch the spaces.

D:
cd i386
copy userinit.exe c:\windows\system32
exit

After putting in the third command, you should receive the message 1 file copied which will indicate that the operation succeeded.
Now take out the CD and reboot your computer to normal mode. Try to log in and it should let you back in.

#11 paulmo (Topic Starter)
No joy I'm afraid,

Computer is still defaulting to the same blue screen error message.

There were a couple of slight deviations which may be relevant. Firstly, in the final set of instructions, it didn't ask me for an Administrator password.

Then, after entering the line:

copy userinit.exe c:\windows\system32

It asked whether I wished to overwrite the existing userinit.exe file. I replied yes and it gave the '1 file copied' message. However, when booting again from hard drive (with cd removed) the same blue screen error message appears.

I tried the instructions in full a second time with another blank cd, but with the same result.

Best wishes / Paul

#12 Rorschach112 (Retired Staff)
Head over to the Windows XP forum, it's better if they help you. Tell them I sent you over and that your userinit.exe file got damaged.

#13 paulmo (Topic Starter)
Hello,

I've started a thread on the 'Windows XP™, 2000, 2003, NT' forum:

http://www.geekstogo...ed-t259214.html

Please correct anything that I may have inadvertently misrepresented.

Is there much hope of me seeing my files again, or do you think the prognosis is bleak?

Thanks for your help with this

Best wishes / Paul

#14 Rorschach112 (Retired Staff)
that's perfect, we should be able to fix this

tell wannabe1 that you have a full ERUNT backup as well

#15 Rorschach112 (Retired Staff)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.