hello guys i need your help again many trojans in my lab top

#16
danny0
    Member
  • Topic Starter
  • 25 posts
Incident Status Location

Adware:adware/exact.bargainbuddy Not disinfected c:\windows\system32\bbchk.exe
Dialer:dialer.bny Not disinfected c:\windows\pcconfig.dat
Adware:adware/sidesearch Not disinfected c:\program files\Lycos
Adware:adware/powerscan Not disinfected Windows Registry
Dialer:dialer.je Not disinfected hkey_current_user\software\Webdialer
Adware:adware/exact.cashback Not disinfected Windows Registry
Dialer:dialer.yz Not disinfected hkey_classes_root\clsid\{02C20140-76F8-4763-83D5-B660107B7A90}
Adware:adware/cws Not disinfected Windows Registry
Adware:adware/ncase Not disinfected Windows Registry
Adware:adware/exact.searchbar Not disinfected Windows Registry
Spyware:spyware/clearsearch Not disinfected Windows Registry
Adware:adware/ist.istbar Not disinfected Windows Registry
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Danny Brown\Cookies\danny [email protected][1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Danny Brown\Cookies\[email protected][1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Danny Brown\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Danny Brown\Desktop\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Downloads\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Downloads\ComboFix.exe[nircmd.cfexe]
Possible Virus. Not disinfected C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\Setup.exe
Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Program Files\Trend Micro\HijackThis\backups\backup-20080117-222115-770-PowerReg Scheduler.exe
Adware:Adware/Exact.BargainBuddy Not disinfected C:\QooBox\Quarantine\C\Program Files\CashBack\bb_welcome.html.vir
Adware:Adware/Exact.BargainBuddy Not disinfected C:\QooBox\Quarantine\C\Program Files\CashBack\bb_welcome1.swf.vir
Adware:Adware/Exact.BargainBuddy Not disinfected C:\QooBox\Quarantine\C\Program Files\CashBack\icon.gif.vir
Adware:Adware/IST Not disinfected C:\QooBox\Quarantine\C\Program Files\HbTools\Bin\4.8.0.0\HbtSrv.exe.vir
Adware:Adware/IST Not disinfected C:\QooBox\Quarantine\C\Program Files\HbTools\Bin\4.8.2.0\HbtAds.dll.vir
Adware:Adware/IST Not disinfected C:\QooBox\Quarantine\C\Program Files\HbTools\Bin\4.8.2.0\HbtCoreSrv.dll.vir
Adware:Adware/IST Not disinfected C:\QooBox\Quarantine\C\Program Files\HbTools\Bin\4.8.2.0\HbtHostIE.dll.vir
Spyware:Generic Adware Not disinfected C:\QooBox\Quarantine\C\Program Files\HbTools\Bin\4.8.2.0\HbtHostOE.dll.vir
Spyware:Generic Adware Not disinfected C:\QooBox\Quarantine\C\Program Files\HbTools\Bin\4.8.2.0\HbtHostOL.dll.vir
Adware:Adware/IST Not disinfected C:\QooBox\Quarantine\C\Program Files\HbTools\Bin\4.8.2.0\HbtWallpaper.dll.vir
Adware:Adware/IST Not disinfected C:\QooBox\Quarantine\C\Program Files\SpamBlockerUtility\Bin\4.8.4.0\Redemption.dll.vir
Adware:Adware/IST Not disinfected C:\QooBox\Quarantine\C\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SBClientSinkPS.dll.vir
Adware:Adware/IST Not disinfected C:\QooBox\Quarantine\C\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbHostIE.dll.vir
Adware:Adware/IST Not disinfected C:\QooBox\Quarantine\C\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SBOLExp.dll.vir
Adware:Adware/IST Not disinfected C:\QooBox\Quarantine\C\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SBOLExt.dll.vir
Adware:Adware/IST Not disinfected C:\QooBox\Quarantine\C\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SBSrvPS.dll.vir
Adware:Adware/IST Not disinfected C:\QooBox\Quarantine\C\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SBTrayAppPS.dll.vir
Adware:Adware/IST Not disinfected C:\QooBox\Quarantine\C\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SBUIRes.dll.vir
Adware:Adware/IST Not disinfected C:\QooBox\Quarantine\C\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SBUISkin.dll.vir
Adware:Adware/IST Not disinfected C:\QooBox\Quarantine\C\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbWallpaper.dll.vir
Adware:Adware/IST Not disinfected C:\QooBox\Quarantine\C\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SpamBlocker.exe.vir
Hacktool:HackTool/SRunner.B Not disinfected C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\instsrv.exe.vir
Adware:Adware/Exact.BargainBuddy Not disinfected C:\temp\bb_welcome.html
Adware:Adware/Exact.BargainBuddy Not disinfected C:\temp\bb_welcome1.swf
Adware:Adware/Exact.BargainBuddy Not disinfected C:\temp\icon.gif
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
Adware:Adware/Exact.SearchBar Not disinfected C:\WINDOWS\SYSTEM32\exclean.exe
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\SYSTEM32\netut80ex.vxd[C:/WINDOWS/system32/exdl.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\SYSTEM32\netut80ex.vxd[C:/WINDOWS/system32/mqexdlm.srg]
Adware:Adware/Exact.SearchBar Not disinfected C:\WINDOWS\SYSTEM32\netut80ex.vxd[C:/WINDOWS/system32/exul.exe]
Adware:Adware/Exact.SearchBar Not disinfected C:\WINDOWS\SYSTEM32\netut80ex.vxd[C:/WINDOWS/system32/javexulm.vxd]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\SYSTEM32\netut80ex.vxd[C:/WINDOWS/system32/msexreg.exe]
Hacktool:HackTool/SRunner.B Not disinfected C:\WINDOWS\SYSTEM32\netut80ex.vxd[C:/WINDOWS/system32/instsrv.exe]
Adware:Adware/Exact.SearchBar Not disinfected C:\WINDOWS\SYSTEM32\netut80ex.vxd[C:/WINDOWS/system32/exclean.exe]
Adware:Adware/eZula Not disinfected C:\WINDOWS\SYSTEM32\psis80ex.ax[C:/WINDOWS/system32/mscb.dll]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\SYSTEM32\psis80ex.ax[C:/Program Files/CashBack/bb_welcome1.swf]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\SYSTEM32\psis80ex.ax[C:/Program Files/CashBack/bb_welcome.html]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\SYSTEM32\psis80ex.ax[C:/Program Files/CashBack/icon.gif]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\SYSTEM32\psis80ex.ax[C:/Program Files/CashBack/bin/cashback.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\SYSTEM32\psis80ex.ax[C:/Program Files/CashBack/bin/cb.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\SYSTEM32\psis80ex.ax[C:/Program Files/CashBack/bin/flash.exe]

#17
RiP
    Malware Expert
  • Retired Staff
  • 8,430 posts
Hello danny0 :)

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\bbchk.exe
c:\windows\pcconfig.dat
C:\temp\bb_welcome.html
C:\temp\bb_welcome1.swf
C:\temp\icon.gif
C:\WINDOWS\SYSTEM32\exclean.exe
C:\WINDOWS\SYSTEM32\netut80ex.vxd
C:\WINDOWS\SYSTEM32\psis80ex.ax
Folder::
c:\program files\Lycos
Registry::
[-hkey_current_user\software\Webdialer]
[-hkey_classes_root\clsid\{02C20140-76F8-4763-83D5-B660107B7A90}]
3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After the reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

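RiP's CFScript in post #17 is a hand-made selection from danny0's Panda ActiveScan report in post #16: real file paths under File::, a directory under Folder::, the two concrete registry keys under Registry::, and nothing from the quarantine folder, the cleanup tools' own components, cookies or the bare "Windows Registry" hits. As an added example (not code from the thread, from Panda or from ComboFix), the Python below performs that same triage over a constructed subset of the report lines; the status words accepted by LINE_RE and the exclusion rules in SKIP_LOCATION are assumptions drawn from what the thread shows.

```python
"""Draft a ComboFix CFScript from a Panda ActiveScan report.

Added example, not code from the thread or from ComboFix. It encodes the triage
RiP applied to danny0's report in post #16: plain file paths go under File::,
directories under Folder::, concrete registry keys under Registry:: as [-key]
deletions; quarantine copies, helper-tool components, cookies, heuristic
"Possible Virus" hits and bare "Windows Registry" entries are left for review.
"""
import re
from typing import Iterator, Optional, Tuple

# Constructed sample: a subset of the report lines danny0 posted, in order.
SAMPLE_REPORT = r"""
Incident Status Location
Adware:adware/exact.bargainbuddy Not disinfected c:\windows\system32\bbchk.exe
Dialer:dialer.bny Not disinfected c:\windows\pcconfig.dat
Adware:adware/sidesearch Not disinfected c:\program files\Lycos
Adware:adware/powerscan Not disinfected Windows Registry
Dialer:dialer.je Not disinfected hkey_current_user\software\Webdialer
Dialer:dialer.yz Not disinfected hkey_classes_root\clsid\{02C20140-76F8-4763-83D5-B660107B7A90}
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Danny Brown\Desktop\ComboFix.exe[nircmd.exe]
Possible Virus. Not disinfected C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\Setup.exe
Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Program Files\Trend Micro\HijackThis\backups\backup-20080117-222115-770-PowerReg Scheduler.exe
Hacktool:HackTool/SRunner.B Not disinfected C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\instsrv.exe.vir
Adware:Adware/Exact.BargainBuddy Not disinfected C:\temp\bb_welcome.html
Adware:Adware/Exact.BargainBuddy Not disinfected C:\temp\bb_welcome1.swf
Adware:Adware/Exact.BargainBuddy Not disinfected C:\temp\icon.gif
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
Adware:Adware/Exact.SearchBar Not disinfected C:\WINDOWS\SYSTEM32\exclean.exe
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\SYSTEM32\netut80ex.vxd[C:/WINDOWS/system32/exdl.exe]
Hacktool:HackTool/SRunner.B Not disinfected C:\WINDOWS\SYSTEM32\netut80ex.vxd[C:/WINDOWS/system32/instsrv.exe]
Adware:Adware/eZula Not disinfected C:\WINDOWS\SYSTEM32\psis80ex.ax[C:/WINDOWS/system32/mscb.dll]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\SYSTEM32\psis80ex.ax[C:/Program Files/CashBack/bin/cb.exe]
"""

# One report line is "<incident> <status> <location>"; the status words are an assumption.
LINE_RE = re.compile(
    r"^(?P<incident>.+?) (?P<status>Not disinfected|Disinfected|Deleted) (?P<location>.+)$"
)

# Not removal targets: quarantine copies, the cleanup tools' own files, tracking cookies.
SKIP_LOCATION = re.compile(
    r"\\QooBox\\Quarantine\\|\\HijackThis\\backups\\|\\Cookies\\|nircmd|ComboFix\.exe\[",
    re.IGNORECASE,
)


def parse_report(report: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (incident, status, location) for each well-formed report line."""
    for raw in report.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("incident"), m.group("status"), m.group("location")


def classify(incident: str, location: str) -> Optional[Tuple[str, str]]:
    """Map one finding to ("file"|"folder"|"registry", target), or None to leave it out."""
    if incident.startswith("Possible Virus"):   # heuristic hit: confirm by hand first
        return None
    if location == "Windows Registry":          # no key named, nothing concrete to delete
        return None
    if location.lower().startswith("hkey_"):    # concrete registry key
        return "registry", location
    if SKIP_LOCATION.search(location):
        return None
    # "container[member]" is a file found inside another file; the script targets
    # the container on disk, as RiP did for netut80ex.vxd and psis80ex.ax.
    container = location.split("[", 1)[0]
    leaf = container.rsplit("\\", 1)[-1]
    return ("file" if "." in leaf else "folder"), container


def render_cfscript(report: str) -> str:
    """Build the File::/Folder::/Registry:: sections, deduplicated, in report order."""
    sections = {"file": [], "folder": [], "registry": []}
    for incident, _status, location in parse_report(report):
        verdict = classify(incident, location)
        if verdict is None:
            continue
        kind, target = verdict
        if kind == "registry":
            target = f"[-{target}]"             # CFScript syntax for "delete this key"
        if target not in sections[kind]:
            sections[kind].append(target)
    out = []
    for kind, header in (("file", "File::"), ("folder", "Folder::"), ("registry", "Registry::")):
        if sections[kind]:
            out.append(header)
            out.extend(sections[kind])
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_cfscript(SAMPLE_REPORT))
```

Run directly, it prints a draft identical to the script RiP posted; the draft is for an analyst to check line by line before use.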

#18
danny0
    Member
  • Topic Starter
  • 25 posts
ComboFix 08-01-23.1C - Danny Brown 2008-01-27 21:10:55.5 - NTFSx86
Running from: C:\Documents and Settings\Danny Brown\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Danny Brown\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Lycos
c:\program files\Lycos\sstu.exe
C:\WINDOWS\ORUN32.EXE
C:\WINDOWS\system32\CMMGR32.EXE

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-28 )))))))))))))))))))))))))))))))
.

2008-01-27 21:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-23 09:41 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SDTHOOK.SYS
2008-01-23 08:02 . 2008-01-23 09:25 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2008-01-23 08:02 . 2008-01-23 09:25 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-01-23 08:02 . 2008-01-23 09:25 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-01-23 08:01 . 2008-01-23 10:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2008-01-14 22:44 . 2008-01-17 22:14 <DIR> d-------- C:\Program Files\Navilog1
2008-01-11 21:41 . 2008-01-11 21:41 <DIR> d-------- C:\WINDOWS\Sun
2008-01-11 21:39 . 2008-01-23 10:16 <DIR> d-------- C:\Program Files\Google
2008-01-11 21:38 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-01-11 21:36 . 2008-01-11 21:38 <DIR> d-------- C:\Program Files\Java
2008-01-11 21:33 . 2008-01-11 21:33 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-09 04:49 . 2008-01-14 01:41 268 --ah----- C:\sqmdata19.sqm
2008-01-09 04:49 . 2008-01-14 01:41 244 --ah----- C:\sqmnoopt19.sqm
2008-01-09 03:43 . 2008-01-13 19:36 268 --ah----- C:\sqmdata18.sqm
2008-01-09 03:43 . 2008-01-13 19:36 244 --ah----- C:\sqmnoopt18.sqm
2008-01-09 03:28 . 2008-01-13 16:08 268 --ah----- C:\sqmdata17.sqm
2008-01-09 03:28 . 2008-01-13 16:08 244 --ah----- C:\sqmnoopt17.sqm
2008-01-08 19:16 . 2008-01-13 11:40 268 --ah----- C:\sqmdata16.sqm
2008-01-08 19:16 . 2008-01-13 11:40 244 --ah----- C:\sqmnoopt16.sqm
2008-01-08 19:13 . 2008-01-23 10:22 <DIR> d-------- C:\Program Files\StumbleUpon
2008-01-08 18:07 . 2008-01-13 04:38 268 --ah----- C:\sqmdata15.sqm
2008-01-08 18:07 . 2008-01-13 04:38 244 --ah----- C:\sqmnoopt15.sqm
2008-01-08 17:00 . 2008-01-13 02:21 268 --ah----- C:\sqmdata14.sqm
2008-01-08 17:00 . 2008-01-13 02:21 244 --ah----- C:\sqmnoopt14.sqm
2008-01-08 11:17 . 2008-01-12 23:02 268 --ah----- C:\sqmdata13.sqm
2008-01-08 11:17 . 2008-01-12 23:02 244 --ah----- C:\sqmnoopt13.sqm
2008-01-08 04:44 . 2008-01-27 12:58 268 --ah----- C:\sqmdata12.sqm
2008-01-08 04:44 . 2008-01-27 12:58 244 --ah----- C:\sqmnoopt12.sqm
2008-01-08 02:23 . 2008-01-24 09:34 268 --ah----- C:\sqmdata11.sqm
2008-01-08 02:23 . 2008-01-24 09:34 244 --ah----- C:\sqmnoopt11.sqm
2008-01-07 23:49 . 2002-08-29 05:00 57,398 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\imjpdadm.exe
2008-01-07 23:49 . 2002-08-29 05:00 45,109 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\imjpuex.exe
2008-01-07 21:07 . 2008-01-23 17:02 268 --ah----- C:\sqmdata10.sqm
2008-01-07 21:07 . 2008-01-23 17:02 244 --ah----- C:\sqmnoopt10.sqm
2008-01-07 14:25 . 2008-01-23 08:28 268 --ah----- C:\sqmdata09.sqm
2008-01-07 14:25 . 2008-01-23 08:28 244 --ah----- C:\sqmnoopt09.sqm
2008-01-06 19:18 . 2008-01-18 19:04 268 --ah----- C:\sqmdata08.sqm
2008-01-06 19:18 . 2008-01-18 19:04 244 --ah----- C:\sqmnoopt08.sqm
2008-01-06 18:57 . 2008-01-07 00:06 4,212 ---h----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2008-01-06 18:56 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
2008-01-06 18:52 . 2008-01-07 11:30 <DIR> d-------- C:\WINDOWS\SYSTEM32\ZoneLabs
2008-01-06 18:51 . 2008-01-07 11:30 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-01-06 17:13 . 2008-01-06 17:13 <DIR> d-------- C:\Program Files\RegVac Registry Cleaner
2008-01-06 15:47 . 2008-01-06 15:47 2,560 --a------ C:\WINDOWS\SYSTEM32\bitcometres.dll
2008-01-06 15:46 . 2008-01-08 19:13 <DIR> d-------- C:\Downloads
2008-01-06 15:45 . 2008-01-06 17:07 <DIR> d-------- C:\Program Files\BitComet
2008-01-06 04:23 . 2008-01-18 00:51 268 --ah----- C:\sqmdata07.sqm
2008-01-06 04:23 . 2008-01-18 00:51 244 --ah----- C:\sqmnoopt07.sqm
2008-01-05 23:42 . 2008-01-17 16:00 268 --ah----- C:\sqmdata06.sqm
2008-01-05 23:42 . 2008-01-17 16:00 244 --ah----- C:\sqmnoopt06.sqm
2008-01-05 21:04 . 2008-01-16 13:19 268 --ah----- C:\sqmdata05.sqm
2008-01-05 21:04 . 2008-01-16 13:19 244 --ah----- C:\sqmnoopt05.sqm
2008-01-05 17:05 . 2008-01-16 12:56 268 --ah----- C:\sqmdata04.sqm
2008-01-05 17:05 . 2008-01-16 12:56 244 --ah----- C:\sqmnoopt04.sqm
2008-01-05 15:25 . 2008-01-23 10:22 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-05 15:23 . 2008-01-05 15:23 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-05 11:23 . 2008-01-05 11:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-02 11:45 . 2008-01-16 12:14 268 --ah----- C:\sqmdata03.sqm
2008-01-02 11:45 . 2008-01-16 12:14 244 --ah----- C:\sqmnoopt03.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-23 15:23 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-01-23 15:23 --------- d-----w C:\Program Files\Windows Desktop Search
2008-01-23 15:16 --------- d-----w C:\Program Files\Digital Line Detect
2008-01-05 20:45 --------- d-----w C:\Program Files\Ubiquiti Networks
2008-01-05 20:45 --------- d-----w C:\Program Files\Dell Modem-On-Hold
2008-01-05 08:06 --------- d-----w C:\Program Files\Windows Live
2003-06-07 00:13 207,759 -c--a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\PROGRA~1\WINDOW~4\MESSEN~1\msnmsgr.exe" [2007-08-16 15:19 5728112]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2002-12-13 16:05 225280]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2002-10-11 12:30 126976]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2002-10-11 12:29 561152]
"SAITEKAUTOCONFIGURE"="C:\Program Files\Saitek\Saitek Gaming Extensions\saicnfig.exe" [2001-01-19 16:34 45056]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2003-06-06 19:06 26112]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 05:50 155648]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 07:59 155648]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-28 03:50 188416]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 07:59 126976]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-07-17 10:18 28672]
"DadApp"="C:\Program Files\Dell\AccessDirect\dadapp.exe" [2002-11-01 16:47 208560]
"ConMgr.exe"="C:\Program Files\EarthLink 5.0\ConMgr.exe" [ ]
"CARPService"="carpserv.exe" [2003-01-23 15:06 4608 C:\WINDOWS\SYSTEM32\carpserv.exe]
"SpeedTouch USB Diagnostics"="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-05-03 10:40 4341760]
"MCCInstall"="D:\Intro\AA\MCCInstall\English\MCCInstall.exe" [ ]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2005-03-15 07:58 53248]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-01-05 01:57 579072]
"AVG7_EMC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" [2008-01-05 01:57 406528]
"ALiUSBfix"="C:\WINDOWS\system32\ALiUSB20.exe" [2002-08-30 07:47 84992]
"ACU"="C:\Program Files\Ubiquiti Networks\ACU.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2008-01-05 01:57 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AOL 7.0 Tray Icon.lnk - C:\Program Files\AOL 7.0\aoltray.exe [2003-06-06 19:06:02 32839]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-06-06 19:03:39 24576]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 14:40:46 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 14:39 294400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R2 DLPortIO;DriverLINX Port I/O Driver;C:\WINDOWS\System32\DRIVERS\DLPortIO.SYS [1999-01-10 12:00]
S1 oxmf;OXPCI Bus enumerator;C:\WINDOWS\system32\DRIVERS\oxmf.sys [2003-11-06 21:39]
S1 oxser;OX16C95x Serial port driver;C:\WINDOWS\system32\DRIVERS\oxser.sys [2003-11-06 21:39]
S3 {5C8B2B62-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-A;C:\WINDOWS\system32\drivers\A311.sys [2003-02-04 22:04]
S3 {5C8B2B65-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-B;C:\WINDOWS\system32\drivers\A310.sys [2003-02-04 22:04]
S3 ADM8511;PA090 USB ETHERNET 10/100 ;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS [2002-01-16 15:02]
S3 alcan5ln;Alcatel SpeedTouch™ USB ADSL RFC1483 Networking Driver (NDIS);C:\WINDOWS\system32\DRIVERS\alcan5ln.sys [2002-05-03 10:41]
S3 cyzport;Cyclades-Z Port Driver;C:\WINDOWS\system32\DRIVERS\cyzport.sys [2001-08-17 13:50]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS [2004-03-23 21:12]
S3 Oxmfuf;Filter driver for OX16PCI954 ports;C:\WINDOWS\system32\DRIVERS\oxmfuf.sys [2003-11-06 21:39]
S3 SRC;Ubiquiti Wireless SRC/XR2 Network Adapter Service;C:\WINDOWS\system32\DRIVERS\netsr.sys [2007-03-13 08:32]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-28 02:00:04 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-01-14 08:30:00 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job"
- C:\Program Files\RegClean\RegClean.ex
- C:\Program Files\RegClean
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 21:15:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-27 21:18:09
ComboFix-quarantined-files.txt 2008-01-28 02:17:32
ComboFix2.txt 2008-01-18 03:39:55
.
2008-01-10 08:09:24 --- E O F ---

#19
danny0
    Member
  • Topic Starter
  • 25 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:01 PM, on 1/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Saitek\Saitek Gaming Extensions\saicnfig.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\WINDOW~4\MESSEN~1\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\BitComet\BitComet.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SAITEKAUTOCONFIGURE] C:\Program Files\Saitek\Saitek Gaming Extensions\saicnfig.exe /autorun
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [MCCInstall] D:\Intro\AA\MCCInstall\English\MCCInstall.exe -Step=9 -Settings
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ALiUSBfix] C:\WINDOWS\system32\ALiUSB20.exe
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Ubiquiti Networks\ACU.exe" -nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\PROGRA~1\WINDOW~4\MESSEN~1\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Search - http://edits.mywebse...arch.jhtml?p=ZZ
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Super Range Cardbus Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 9642 bytes

#20
RiP
    Malware Expert
  • Retired Staff
  • 8,430 posts
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for his/her Operating System

## Important ##
As we do not know the name of the file that's downloaded, you have to save the file as RC.exe to the root of SystemDrive, e.g. C:\RC.exe

Please, download the latest copy of ComboFix.exe => http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Now, close any open browsers.
  • Open notepad and copy/paste the text in the quotebox below into it:
RecoveryConsole::
C:\RC.EXE
IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save this as CFScript.txt, in the same location as ComboFix.exe
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\CF-RC.txt. Post that log in your next reply.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

## Important ##
This is a precautionary measure. Please do not reboot the machine until we have reviewed the log & responded to you.
