Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Win32:Rootkit-gen [Rtk] [RESOLVED]

Started by jbayer327 , May 13 2008 05:30 PM

This topic is locked

#1
jbayer327

Posted 13 May 2008 - 05:30 PM

Member

Member
41 posts

I'm (unfortunately) a returning "customer" and hoping you guys can help me out again like you did the last time.

I ran an Avast scan earlier this evening and it informed me that I have two malwares and a virus. Specifically as follows:

file Name: C:\Program Files\ComboFix.exe\dd.cfexe\[Embedded#0a000]
malware name: Win32:Rootkit-gen [Rtk]
malware type: Rootkit

file name: C:\System Volume Information\_restore{12B6CB73-2705-47A8-A26A-BB7934E4BF8C}
malware name: Win32:Rootkit-gen [Rtk]
malware type: Rootkit

file name: C:\WINDOWS\quit.exe
malware name: Win32:Trojan-gen {VB}
malware type: Virus/Worm

I have taken your advice on the FYI page and have run the ATF Cleaner, the Malwarebytes' Anti-Malware Program, the SuperAntiSpyware Home Edition and the Hijack This Log Program/Uninstaller Log. I attempted to run the Panda Activescan but when I reached 94% of the download I received a virus alert message and it would allow me to go no further. The results of the scans I was able to perform are as follows:

Malwarebytes' Anti-Malware 1.12
Database version: 744

Scan type: Quick Scan
Objects scanned: 54227
Time elapsed: 5 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\bndshell3.bho (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndshell3.bho.1 (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\QdrModule (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\QdrDrive (Adware.ISM) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\Services.cpi (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted success

----------------------

SUPERAntiSpyware Scan Log
Generated 05/13/2008 at 05:54 PM

Application Version : 3.6.1000

Core Rules Database Version : 3459
Trace Rules Database Version: 1450

Scan type : Complete Scan
Total Scan Time : 00:46:51

Memory items scanned : 601
Memory threats detected : 0
Registry items scanned : 5607
Registry threats detected : 12
File items scanned : 60100
File threats detected : 38

Adware.AdSponsor/ISM
HKLM\Software\Classes\CLSID\{1BAC9A2A-4755-43c3-A430-D3512C5B8A4E}
HKCR\CLSID\{1BAC9A2A-4755-43C3-A430-D3512C5B8A4E}
HKCR\CLSID\{1BAC9A2A-4755-43C3-A430-D3512C5B8A4E}
HKCR\CLSID\{1BAC9A2A-4755-43C3-A430-D3512C5B8A4E}#AppID
HKCR\CLSID\{1BAC9A2A-4755-43C3-A430-D3512C5B8A4E}\Implemented Categories
HKCR\CLSID\{1BAC9A2A-4755-43C3-A430-D3512C5B8A4E}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKCR\CLSID\{1BAC9A2A-4755-43C3-A430-D3512C5B8A4E}\InprocServer32
HKCR\CLSID\{1BAC9A2A-4755-43C3-A430-D3512C5B8A4E}\InprocServer32#ThreadingModel
HKCR\CLSID\{1BAC9A2A-4755-43C3-A430-D3512C5B8A4E}\ProgID
HKCR\CLSID\{1BAC9A2A-4755-43C3-A430-D3512C5B8A4E}\TypeLib
HKCR\CLSID\{1BAC9A2A-4755-43C3-A430-D3512C5B8A4E}\VersionIndependentProgID
C:\PROGRAM FILES\QDRDRIVE\QDRDRIVE8.DLL
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\{1BAC9A2A-4755-43c3-A430-D3512C5B8A4E}

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@media6degrees[2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@partner2profit[4].txt
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@zedo[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adinterax[3].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@50549199[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adinterax[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adrevolver[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adrevolver[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adrevolver[5].txt
C:\Documents and Settings\Administrator\Cookies\administrator@apmebf[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@atwola[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@exitexchange[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@insightexpressai[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@insightexpressai[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@interclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@interclick[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@media6degrees[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@partner2profit[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@partner2profit[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@partner2profit[3].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@specificclick[2].txt

--------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:13, on 5/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LClock\LClock.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\WINDOWS\V0230Mon.exe
C:\Program Files\twc\medicsp2\bin\sprtcmd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\Webshots\Webshots.scr
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [V0230Mon.exe] C:\WINDOWS\V0230Mon.exe
O4 - HKLM\..\Run: [medicsp2] C:\Program Files\twc\medicsp2\bin\sprtcmd.exe /P medicsp2
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [addon_ql] C:\WINDOWS\system32\dgfix.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter...oad/tgctlcm.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SupportSoft Sprocket Service (medicsp2) (sprtsvc_medicsp2) - SupportSoft, Inc. - C:\Program Files\twc\medicsp2\bin\sprtsvc.exe

--
End of file - 9447 bytes

-------------------------

Adobe Flash Player Plugin
Adobe Reader 8.1.2
Advanced Video FX Engine
Apple Mobile Device Support
Apple Software Update
Avanquest update
avast! Antivirus
AVG Anti-Spyware 7.5
Bonjour
Creative Live! Cam Center
Creative Live! Cam Manager
Creative Live! Cam Video IM Pro Driver (1.01.03.0928)
Creative Live! Cam Video IM Pro User's Guide (English)
Creative Software AutoUpdate
Creative System Information
Google Earth
HijackThis 2.0.2
iTunes
Java™ 6 Update 3
Java™ 6 Update 5
Malwarebytes' Anti-Malware
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Motorola Driver Installation
Motorola Phone Tools
Mozilla Firefox (2.0.0.14)
Mozilla Thunderbird (2.0.0.9)
muvee autoProducer 4.1
QuickTime
Road Runner Medic 6.1
Shutterfly Plugin
SUPERAntiSpyware Free Edition
Webshots Desktop
Xvid 1.1.3 final uninstall
Yahoo! Messenger

Any assistance you can provide would be greatly appreciated as it was last time. Thank you for your time and help.

#2
greyknight17

Posted 13 May 2008 - 08:35 PM

Malware Expert

Visiting Consultant
16,560 posts

There's nothing much showing here....

Delete these files:

C:\Program Files\ComboFix.exe
C:\WINDOWS\quit.exe

1. Download combofix at http://download.blee...Bs/ComboFix.exe Save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.

#3
jbayer327

Posted 13 May 2008 - 08:48 PM

Member

Topic Starter
Member
41 posts

Sorry, read that wrong. Give me one minute to delete that program.

Edited by jbayer327, 13 May 2008 - 08:49 PM.

#4
jbayer327

Posted 13 May 2008 - 09:04 PM

Member

Topic Starter
Member
41 posts

Thank you for your patience.

I was unable to find the C:\WINDOWS\quit.exe file when I searched my computer. I don't know if that is good or bad. I did uninstall the "old" ComboFix Program and reinstalled and here is the log with the results.

ComboFix 08-05-12.1 - Administrator 2008-05-13 22:03:52.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.599 [GMT -5:00]
Running from: C:\Program Files\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-13 22:03 . 2008-05-13 22:03 1,914,914 --a------ C:\Program Files\ComboFix.exe
2008-05-13 18:10 . 2008-05-13 18:10 812,344 --a------ C:\Program Files\HJTInstall.exe
2008-05-13 18:02 . 2008-05-13 18:02 <DIR> d-------- C:\Program Files\Panda Security
2008-05-13 17:03 . 2008-05-13 17:58 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-13 17:03 . 2008-05-13 17:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-13 17:03 . 2008-05-13 17:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-05-13 17:02 . 2008-05-13 17:02 5,797,152 --a------ C:\Program Files\SUPERAntiSpyware.exe
2008-05-13 16:52 . 2008-05-13 16:52 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-13 16:52 . 2008-05-13 16:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-13 16:52 . 2008-05-13 16:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-13 16:52 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-13 16:52 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-13 16:51 . 2008-05-13 16:51 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-13 16:51 . 2008-05-13 16:50 128,368 --a------ C:\Program Files\MBAM.exe
2008-05-13 16:48 . 2008-05-13 16:48 50,688 --a------ C:\Program Files\ATF_Cleaner.exe
2008-04-19 12:39 . 2008-04-19 12:39 <DIR> d-------- C:\Program Files\Apple Software Update

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-13 22:02 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-12 18:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-04-12 17:40 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Creative
2008-04-12 03:51 --------- d-----w C:\Program Files\QuickTime
2008-04-12 03:51 --------- d-----w C:\Program Files\iTunes
2008-04-12 03:51 --------- d-----w C:\Program Files\iPod
2008-04-12 03:51 --------- d-----w C:\Program Files\Bonjour
2008-04-12 03:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-12 03:50 --------- d-----w C:\Program Files\Common Files\Apple
2008-04-12 03:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-04-12 03:49 59,782,440 ----a-w C:\Program Files\iTunesSetup.exe
2008-03-23 05:44 1,491,592 ----a-w C:\Program Files\install_flash_player.exe
2008-03-19 04:00 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-03-15 19:21 --------- d-----w C:\Program Files\Java
2008-02-07 21:56 642,796 ----a-w C:\Program Files\XviD-1.1.3-28062007.exe
2008-01-29 03:12 856,411 ----a-w C:\Program Files\ShutterflyPluginInstall.EXE
2007-12-28 01:09 58,368 ----a-w C:\Program Files\SamsungMonitor.exe
2007-12-12 00:22 23,224 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-11-11 03:42 6,391,520 ----a-w C:\Program Files\wbsamp5.exe
2007-10-13 21:16 7,028,144 ----a-w C:\Program Files\medic6.exe
2007-09-01 21:09 92,064 ----a-w C:\Documents and Settings\Administrator\mqdmmdm.sys
2007-09-01 21:09 9,232 ----a-w C:\Documents and Settings\Administrator\mqdmmdfl.sys
2007-09-01 21:09 79,328 ----a-w C:\Documents and Settings\Administrator\mqdmserd.sys
2007-09-01 21:09 66,656 ----a-w C:\Documents and Settings\Administrator\mqdmbus.sys
2007-09-01 21:09 6,208 ----a-w C:\Documents and Settings\Administrator\mqdmcmnt.sys
2007-09-01 21:09 5,936 ----a-w C:\Documents and Settings\Administrator\mqdmwhnt.sys
2007-09-01 21:09 4,048 ----a-w C:\Documents and Settings\Administrator\mqdmcr.sys
2007-09-01 21:09 25,600 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2007-09-01 21:09 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
2007-07-11 00:19 15,732,984 ----a-w C:\Program Files\Google_Earth_BZXD.exe
2007-07-02 23:24 8,048,632 ----a-w C:\Program Files\yahoo750647.exe
.

------- Sigcheck -------

2006-01-31 12:11 360448 0601f83f6784c220ee302f03f702316e C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [2005-08-24 15:11 61952]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 14:56 15360]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23 102400]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2007-07-01 15:47 20480]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2004-10-08 12:06 196608]
"Creative Live! Cam Manager"="C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" [2006-09-06 09:42 143360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-13 17:58 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LClock"="C:\Program Files\LClock\LClock.exe" [2004-09-19 12:27 65536]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 08:43 7630848]
"nwiz"="nwiz.exe" [2006-08-11 08:43 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 08:43 86016]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 10:51 57344]
"P17Helper"="P17.dll" [2005-05-03 06:38 64512 C:\WINDOWS\system32\P17.dll]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 11:52 221184]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2004-10-08 12:31 458752]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2004-10-08 12:24 217088]
"AVFX Engine"="C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-08-16 01:12 24576]
"V0230Mon.exe"="C:\WINDOWS\V0230Mon.exe" [2006-09-06 12:01 32768]
"medicsp2"="C:\Program Files\twc\medicsp2\bin\sprtcmd.exe" [2007-03-07 11:53 198184]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [2005-08-24 15:11 61952]
"addon_ql"="C:\WINDOWS\system32\dgfix.exe" [2005-12-07 18:36 61606]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="cmd.exe" [2004-08-03 14:56 388608 C:\WINDOWS\system32\cmd.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-03 12:59 44544]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2007-11-10 22:43:07 157008]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-06-28 17:37:40 113664]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"DisableCAD"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-05-13 17:58 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);C:\Program Files\twc\medicsp2\bin\sprtsvc.exe [2007-03-07 11:54]
R3 V0230Vfx;V0230Vfx;C:\WINDOWS\system32\DRIVERS\V0230Vfx.sys [2006-03-23 12:00]
R3 V0230VID;Live! Cam Video IM Pro;C:\WINDOWS\system32\DRIVERS\V0230VID.sys [2006-09-28 12:01]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2007-06-28 09:31]
S3 PID_0920;Logitech QuickCam Express(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS [2004-10-08 06:58]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{089e3a3f-2815-11dc-bded-001a4d7963cf}]
\Shell\AutoRun\command - E:\JDSecure\Windows\JDSecure20.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19f33b46-300d-11dc-bdf5-001a4d7963cf}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-07 20:08:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-03 12:37:00 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.2.25.1.sxt _RegistrationOffer@16
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 22:04:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-13 22:05:03
ComboFix-quarantined-files.txt 2008-05-14 03:04:59
ComboFix2.txt 2008-05-14 02:45:04

Pre-Run: 93,703,151,616 bytes free
Post-Run: 93,694,865,408 bytes free

169

Edited by jbayer327, 13 May 2008 - 09:06 PM.

#5
greyknight17

Posted 14 May 2008 - 05:49 PM

Malware Expert

Visiting Consultant
16,560 posts

Try not to save everything you have inside the C:\Program Files\ folder. I see you have a lot of saved installers on that folder including Combofix. Please save it to your desktop instead as that's where we usually tell users to run Combofix from.

Download OTMoveIt2 at http://download.blee...r/OTMoveIt2.exe
* Save it to your desktop.
* Double-click OTMoveIt2.exe to run it. (Vista users, right click on OTMoveIt2.exe and select Run as an Administrator).
* Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\quit.exe

* Return to OTMoveIt2. Right click in the Paste List of Files/Folders to Move window (under the Yellow bar) and choose Paste.
* Click the red Moveit! button.
* A log of files and folders moved will be created in the C:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
* Close OTMoveIt2.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.

The virus scanner should not find those files anymore now.

#6
jbayer327

Posted 14 May 2008 - 05:56 PM

Member

Topic Starter
Member
41 posts

I tried that program and this is what I got:

File/Folder C:\WINDOWS\quit.exe not found.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05142008_185731

Did I do something wrong?

Thanks again!

#7
jbayer327

Posted 14 May 2008 - 07:03 PM

Member

Topic Starter
Member
41 posts

I re-ran Avast and it is still telling me my computer is infected:

File Name: C:\System Volume Information\_restore{12B6CB73-2705-47A8-A26A-BB7934E4BF8C}\RP148\A0005008.exe\dd.cfexe\[Embedded#0a000]

Malware Name: Win32:Rootkit-gen [Rtk]

Malware Type: Rootkit

---------------------------------------
File Name: C:\System Volume Information\_restore{12B6CB73-2705-47A8-A26A-BB7934E4BF8C}\RP149\A0005063.exe\dd.cfexe\[Embedded#0a000]

Malware Name: Win32:Rootkit-gen [Rtk]

Malware Type: Rootkit

#8
jbayer327

Posted 15 May 2008 - 08:47 AM

Member

Topic Starter
Member
41 posts

As an update, I just wanted to let you know that it was suggested to me by an IT person at work to turn my system restore off, reboot my computer and turn system restore back on again. From everything I can see (i.e. a newly run Avast scan) that seems to have taken care of the problem as no malware or virus has been found, even when I ran Avast in safe mode. Of course, if you have any other thoughts on anything more I might need to do please let me know. I appreciate your help immensely.

#9
greyknight17

Posted 15 May 2008 - 06:41 PM

Malware Expert

Visiting Consultant
16,560 posts

Yes, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. That would have cleared your system restore points and created a new one for you

#10
greyknight17

Posted 15 May 2008 - 06:42 PM

Malware Expert

Visiting Consultant
16,560 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.