41.exe, smss32.exe 18467.exe



#1
Serogost
New Member, 2 posts
Recently my computer had been infected by 'Internet Security 2010' along with numerous other unfamiliar .exe files in my process library.

My wallpaper kept changing.
Numerous "you must run your anti-viral" popups.
On running WMP or Task Manager, popups would say 'file infected' or 'missing codecs'. Ignoring the prompt and re-running the program bypassed this, so I knew it was false.
After researching a bit, I stumbled upon this thread where the user's problem was completely similar to my own, so I followed the steps presented in that thread to diagnose/remove the virus.


After running ComboFix and OTL in that order, my computer has shown pretty much no signs of the infection, but as I frequently use this computer for banking, I'd like to make entirely sure that there is nothing still hiding in my system that shows no symptoms but can still be harmful.

I'm being cautious because of what Elster said in the thread:

These are the most dangerous and most widespread type of Trojans. Backdoor Trojans provide the author or ‘master’ of the Trojan with the remote ‘administration’ of the victim's machine. Unlike legitimate remote administration utilities, they install, launch and run invisibly without the consent or knowledge of the user. Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files as well as to harvest confidential data from the computer, log activity on the computer and more.


I'm pretty sure I cleaned my computer's temp data with CCleaner before the infection, and obviously did no banking while I was infected, so I doubt any banking information could've been taken. I'll be changing my passwords anyway as soon as I'm sure my computer is totally rid of the infection.

Note: I used ComboFix before I found the thread. I didn't know what I was doing when I used it and knew very little about the repercussions it'd have on my system. I just followed the prompts like a grade-schooler. This is why ComboFix was used before OTL, the opposite order to the directions given in the thread.

I'll also be posting a ComboFix log, as it had been requested in the other thread.
Sorry about the full scan; I did that by mistake.

MBAM Log [FULL scan prior to reboot]

Malwarebytes' Anti-Malware 1.44
Database version: 3546
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/01/2010 2:18:09 PM
mbam-log-2010-01-12 (14-18-09).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 203377
Time elapsed: 3 hour(s), 9 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\wusgdv.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: wusgdv.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Spyware.Passwords) -> Data: c:\windows\system32\winuid.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Spyware.Passwords) -> Data: system32\winuid.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\wusgdv.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Sean\Application Data\ufxw.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\InternetSecurity2010\IS2010.exe.vir (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\ubuqamalanunevif.dll.vir (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\helper32.dll.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D85FECDB-DABE-4687-B8BF-5FD14A6164AA}\RP228\A0027412.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D85FECDB-DABE-4687-B8BF-5FD14A6164AA}\RP228\A0027426.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D85FECDB-DABE-4687-B8BF-5FD14A6164AA}\RP229\A0027532.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D85FECDB-DABE-4687-B8BF-5FD14A6164AA}\RP229\A0027539.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D85FECDB-DABE-4687-B8BF-5FD14A6164AA}\RP229\A0027567.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D85FECDB-DABE-4687-B8BF-5FD14A6164AA}\RP229\A0027554.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D85FECDB-DABE-4687-B8BF-5FD14A6164AA}\RP229\A0027710.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D85FECDB-DABE-4687-B8BF-5FD14A6164AA}\RP229\A0027692.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D85FECDB-DABE-4687-B8BF-5FD14A6164AA}\RP229\A0027711.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D85FECDB-DABE-4687-B8BF-5FD14A6164AA}\RP229\A0027732.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D85FECDB-DABE-4687-B8BF-5FD14A6164AA}\RP229\A0027755.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winuid.dll (Spyware.Passwords) -> Delete on reboot.
C:\_OTL\MovedFiles\01112010_230050\C_WINDOWS\system32\smss32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\_OTL\MovedFiles\01112010_230050\C_WINDOWS\system32\winlogon32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.



MBAM Log [quick scan post reboot]

Malwarebytes' Anti-Malware 1.44
Database version: 3546
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/01/2010 3:09:24 PM
mbam-log-2010-01-12 (15-09-24).txt

Scan type: Quick Scan
Objects scanned: 121779
Time elapsed: 5 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



GMER Log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-12 14:21:14
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Sean\LOCALS~1\Temp\kwrcrpog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Rogers Online Protection\Rogers Online Protection\SafeConnect\Driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwClose [0xB1E088B0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB1BE9574]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateProcess [0xB1C6A930]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateProcessEx [0xB1C6AAA0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateSection [0xB1C6B540]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xB1C6B190]
SSDT F7A5AA7C ZwCreateThread
SSDT F7A5AA8B ZwDeleteKey
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB1BE9A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB1BE914C]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwLoadDriver [0xB1C692A0]
SSDT F7A5AA9A ZwLoadKey
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB1BE964E]
SSDT \??\C:\Program Files\Rogers Online Protection\Rogers Online Protection\SafeConnect\Driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwOpenProcess [0xB1E088E0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwOpenSection [0xB1C6B370]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB1BE90F0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwQuerySystemInformation [0xB1C6BAD0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB1BE976E]
SSDT F7A5AAA4 ZwReplaceKey
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB1BE972E]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwResumeThread [0xB1C6BDD0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetContextThread [0xB1C6C150]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetInformationFile [0xB1C6C770]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetInformationProcess [0xB1C70160]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetSecurityObject [0xB1C67EC0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB1BE98AE]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSuspendThread [0xB1C6BD80]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSystemDebugControl [0xB1C69600]
SSDT \??\C:\Program Files\Rogers Online Protection\Rogers Online Protection\SafeConnect\Driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwTerminateProcess [0xB1E08990]
SSDT \??\C:\Program Files\Rogers Online Protection\Rogers Online Protection\SafeConnect\Driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwTerminateThread [0xB1E08A30]
SSDT \??\C:\Program Files\Rogers Online Protection\Rogers Online Protection\SafeConnect\Driver\platform_XP\SafeConnectShim.sys (SafeConnect Application Activity Monitor Loader Driver./Sana Security, Inc. ) ZwWriteVirtualMemory [0xB1E08AD0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[284] [0xB1C66D40]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[285] [0xB1C66D50]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[286] [0xB1C66D60]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[287] [0xB1C66D80]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[288] [0xB1C66DA0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[289] [0xB1C66DD0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[290] [0xB1C66DE0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[291] [0xB1C66E00]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[292] [0xB1C66E10]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[293] [0xB1C66ED0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[294] [0xB1C66FA0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[295] [0xB1C66FE0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[296] [0xB1C67020]

Code \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) IoIsOperationSynchronous

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs klif.sys (spuper-ptor/Kaspersky Lab)
AttachedDevice \FileSystem\Ntfs \Ntfs SafeConnectFilter.sys (SafeConnect Application Activity Monitor Filter Driver./Sana Security, Inc. )
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)

---- Files - GMER 1.0.15 ----

File C:\Config.Msi 0 bytes
File C:\Config.Msi\2346df.rbf 55536 bytes
File C:\Config.Msi\234b6c.rbf 14576 bytes executable
File C:\Config.Msi\234b6e.rbf 723184 bytes executable
File C:\Config.Msi\234b6f.rbf 128240 bytes executable
File C:\Config.Msi\234b73.rbf 308976 bytes executable
File C:\Config.Msi\234b81.rbf 37104 bytes executable
File C:\Config.Msi\234b85.rbf 33008 bytes executable
File C:\Config.Msi\234b96.rbf 148208 bytes executable
File C:\Config.Msi\234ba6.rbf 622320 bytes executable
File C:\Config.Msi\234ba7.rbf 132336 bytes executable
File C:\Config.Msi\234b7a.rbf 39152 bytes executable
File C:\Config.Msi\234b89.rbf 278256 bytes executable
File C:\Program Files\SpywareBlaster 0 bytes
File C:\Program Files\SpywareBlaster\ckdatabase.dtb 9944 bytes
File C:\Program Files\SpywareBlaster\license.txt 16545 bytes
File C:\Program Files\SpywareBlaster\MSCOMCTL.OCX 1071088 bytes executable
File C:\Program Files\SpywareBlaster\readme.txt 755 bytes
File C:\Program Files\SpywareBlaster\rsdatabase.dtb 252241 bytes
File C:\Program Files\SpywareBlaster\sbautoupdate.exe 923176 bytes executable
File C:\Program Files\SpywareBlaster\sbdatabase.dtb 492431 bytes
File C:\Program Files\SpywareBlaster\sbdatabase2.dtb 60 bytes
File C:\Program Files\SpywareBlaster\sbdatabaseinf.dtb 28052 bytes
File C:\Program Files\SpywareBlaster\sbdatabaseinf2.dtb 60 bytes
File C:\Program Files\SpywareBlaster\sbhelp.chm 19759 bytes
File C:\Program Files\SpywareBlaster\sbinfo.dtb 21697 bytes
File C:\Program Files\SpywareBlaster\spywareblaster.exe 1340944 bytes executable
File C:\Program Files\SpywareBlaster\SQLite3SB.dll 417792 bytes executable
File C:\Program Files\SpywareBlaster\unins000.dat 6628 bytes
File C:\Program Files\SpywareBlaster\unins000.exe 695578 bytes

---- EOF - GMER 1.0.15 ----


OTL Log

All processes killed
========== OTL ==========
No active process named explorer.exe was found!
No active process named smss32.exe was found!
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\smss32.exe deleted successfully.
C:\WINDOWS\system32\smss32.exe moved successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\ deleted successfully.
C:\WINDOWS\system32\helper32.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017\ deleted successfully.
File C:\WINDOWS\System32\helper32.dll not found.
C:\WINDOWS\system32\winlogon32.exe moved successfully.
File C:\WINDOWS\System32\smss32.exe not found.
C:\WINDOWS\system32\IS15.exe moved successfully.
C:\WINDOWS\system32\41.exe moved successfully.
File C:\WINDOWS\System32\19169.exe not found.
File C:\WINDOWS\System32\26500.exe not found.
C:\WINDOWS\system32\6334.exe moved successfully.
C:\WINDOWS\system32\18467.exe moved successfully.
File C:\Documents and Settings\glp\Desktop\Internet Security 2010.lnk not found.
File C:\WINDOWS\System32\helper32.dll not found.
File C:\WINDOWS\System32\winlogon32.exe not found.
File C:\WINDOWS\System32\smss32.exe not found.
File C:\WINDOWS\System32\IS15.exe not found.
File C:\WINDOWS\System32\41.exe not found.
File C:\WINDOWS\System32\19169.exe not found.
File C:\WINDOWS\System32\26500.exe not found.
File C:\WINDOWS\System32\6334.exe not found.
File C:\Documents and Settings\glp\Desktop\Internet Security 2010.lnk not found.
File C:\WINDOWS\System32\18467.exe not found.
File C:\WINDOWS\System32\helper32.dll not found.
C:\WINDOWS\system32\warning.html moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 294871 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Sean
->Temp folder emptied: 399302 bytes
->Temporary Internet Files folder emptied: 8727056 bytes
->Java cache emptied: 576405 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2195181 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16384 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 67 bytes
RecycleBin emptied: 2769 bytes

Total Files Cleaned = 12.00 mb

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\: LSP stack updated.

OTL by OldTimer - Version 3.1.24.0 log created on 01112010_230050

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\_avast4_\Webshlock.txt not found!
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_71c.dat not found!

Registry entries deleted on Reboot...


COMBOFIX Log

ComboFix 10-01-04.01 - Sean 11/01/2010 21:02:47.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2551.2100 [GMT -5:00]
Running from: c:\documents and settings\Sean\My Documents\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: avast! antivirus 4.8.1335 [VPS 100111-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Rogers Online Protection Anti-Virus *On-access scanning disabled* (Outdated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: Rogers Online Protection Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\{0200A1BD-B228-49E4-A0A2-0B2A14174311}
c:\documents and settings\Administrator\Local Settings\Application Data\{0200A1BD-B228-49E4-A0A2-0B2A14174311}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{0200A1BD-B228-49E4-A0A2-0B2A14174311}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{0200A1BD-B228-49E4-A0A2-0B2A14174311}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{0200A1BD-B228-49E4-A0A2-0B2A14174311}\install.rdf
c:\documents and settings\Sean\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk
c:\documents and settings\Sean\Application Data\wiaserva.log
c:\documents and settings\Sean\Desktop\Internet Security 2010.lnk
c:\documents and settings\Sean\Start Menu\Internet Security 2010.lnk
c:\documents and settings\Sean\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
c:\documents and settings\Sean\Start Menu\Programs\Startup\lyesys32.exe
c:\documents and settings\Sean\Start Menu\Programs\Startup\Rainmeter.lnk
c:\program files\InternetSecurity2010
c:\program files\InternetSecurity2010\IS2010.exe
C:\s
c:\windows\system32\11478.exe
c:\windows\system32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\23281.exe
c:\windows\system32\24464.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\29358.exe
c:\windows\system32\2995.exe
c:\windows\system32\41.exe
c:\windows\system32\491.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\9961.exe
c:\windows\system32\helper32.dll
c:\windows\ubuqamalanunevif.dll

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :)
.
((((((((((((((((((((((((( Files Created from 2009-12-12 to 2010-01-12 )))))))))))))))))))))))))))))))
.

2010-01-12 02:02 . 2010-01-12 02:02 12568 ----a-w- c:\windows\system32\drivers\PROCEXP113.SYS
2010-01-12 01:35 . 2010-01-12 01:35 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-01-12 01:03 . 2009-02-13 19:22 95576 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-01-12 01:03 . 2009-02-13 16:31 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-12 01:03 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-01-12 01:03 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-01-12 01:03 . 2010-01-12 01:03 -------- d-----w- c:\program files\Avira
2010-01-12 01:03 . 2010-01-12 01:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-01-11 09:20 . 2010-01-11 09:20 0 ----a-w- c:\windows\Isokeguco.bin
2010-01-11 09:20 . 2010-01-12 01:29 120 ----a-w- c:\windows\Fwozuwipiqo.dat
2010-01-11 09:20 . 2010-01-11 09:20 -------- d-----w- c:\documents and settings\Sean\Local Settings\Application Data\{8D785E68-4DBC-4817-BD52-1B3E3476A6A9}
2010-01-11 09:16 . 2010-01-11 09:16 17408 ----a-w- c:\windows\system32\winlogon32.exe
2010-01-11 09:16 . 2010-01-11 09:16 17408 ----a-w- c:\windows\system32\smss32.exe
2009-12-31 23:29 . 2009-12-31 23:29 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-12-20 00:26 . 2009-12-20 00:26 -------- d-----w- c:\documents and settings\Sean\Application Data\Logitech
2009-12-20 00:26 . 2009-12-20 00:26 -------- d-----w- c:\documents and settings\Sean\Application Data\Leadertech
2009-12-20 00:16 . 2008-09-26 14:52 10384 ----a-w- c:\windows\system32\drivers\LBeepKE.sys
2009-12-20 00:14 . 2008-11-07 21:37 301656 ----a-w- c:\windows\system32\BtCoreIf.dll
2009-12-20 00:14 . 2008-11-07 21:38 84496 ----a-w- c:\windows\system32\KemXML.dll
2009-12-20 00:14 . 2008-11-07 21:38 117264 ----a-w- c:\windows\system32\KemWnd.dll
2009-12-20 00:14 . 2008-11-07 21:38 145936 ----a-w- c:\windows\system32\KemUtil.dll
2009-12-20 00:14 . 2008-11-07 21:38 170512 ----a-w- c:\windows\system32\kemutb.dll
2009-12-20 00:14 . 2009-12-20 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2009-12-20 00:14 . 2009-12-20 00:26 -------- d-----w- c:\program files\Common Files\Logishrd
2009-12-20 00:14 . 2009-12-20 00:14 -------- d-----w- c:\program files\Logitech
2009-12-20 00:13 . 2009-12-20 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2009-12-20 00:04 . 2008-04-14 01:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2009-12-20 00:04 . 2008-04-14 01:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-12-20 00:04 . 2008-04-13 19:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-12-20 00:04 . 2008-04-13 19:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-12-20 00:04 . 2008-04-13 19:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-12-20 00:04 . 2008-04-13 19:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-12 02:57 . 2009-08-06 04:04 -------- d-----w- c:\documents and settings\Sean\Application Data\Skype
2010-01-12 02:56 . 2009-05-25 02:07 82165024 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-01-12 02:56 . 2009-05-25 02:07 1678368 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-01-12 02:19 . 2009-05-25 02:07 161456 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-01-12 02:19 . 2009-05-25 02:07 1107644 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-01-11 10:40 . 2010-01-11 10:40 -------- d-----w- c:\program files\Alwil Software
2010-01-11 09:39 . 2009-12-03 18:58 79488 ----a-w- c:\documents and settings\Sean\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-11 08:46 . 2009-08-14 01:08 -------- d-----w- c:\documents and settings\Sean\Application Data\uTorrent
2009-12-31 23:21 . 2009-10-19 18:23 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-30 10:10 . 2009-08-07 03:18 -------- d-----w- c:\documents and settings\Sean\Application Data\vlc
2009-12-30 02:16 . 2009-12-31 23:24 274432 --sh--r- c:\documents and settings\Sean\Application Data\ufxw.exe
2009-12-30 02:16 . 2009-12-31 23:24 274432 --sh--r- c:\documents and settings\Sean\Application Data\ufxw.exe
2009-12-20 00:16 . 2009-12-20 00:16 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-12-20 00:15 . 2009-12-20 00:15 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-12-20 00:15 . 2009-12-20 00:15 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-12-20 00:14 . 2009-05-24 23:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-08 17:28 . 2009-12-08 16:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-30 14:59 . 2009-08-06 04:06 -------- d-----w- c:\documents and settings\Sean\Application Data\skypePM
2009-11-15 18:49 . 2009-06-01 23:25 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-30 08:59 . 2009-10-30 08:59 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-29 07:45 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 10:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 10:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 10:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-14 07:20 . 2009-10-14 07:20 18440 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2009-10-09 25623336]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-12-24 289584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-04-07 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-25 136600]
"F5D7050v3"="c:\program files\Belkin\F5D7050v3\Belkinwcui.exe" [2007-10-31 1654784]
"FixCamera"="c:\windows\FixCamera.exe" [2007-07-11 20480]
"tsnp2std"="c:\windows\tsnp2std.exe" [2007-10-10 270336]
"snp2std"="c:\windows\vsnp2std.exe" [2007-05-10 344064]
"RogersServicepointAgent.exe"="c:\program files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgent.exe" [2009-02-27 3228912]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-10-10 69632]
"smss32.exe"="c:\windows\system32\smss32.exe" [2010-01-11 17408]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-11-10 113664]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-12-19 809488]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-3-21 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\winlogon32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-07 21:41 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\winuid.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli wusgdv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [11/01/2010 5:40 AM 114768]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/01/2010 8:03 PM 108289]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/01/2010 5:40 AM 20560]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [19/12/2009 7:16 PM 10384]
R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [22/09/2008 3:58 PM 693512]
R2 RadialpointSafeConnectAgent;Rogers Online Protection SafeConnectAgent;c:\program files\Rogers Online Protection\Rogers Online Protection\SafeConnect\bin\SanaAgent.exe [14/11/2008 5:28 PM 4937752]
R3 Radialpoint Security Services;Rogers Online Protection;c:\program files\Rogers Online Protection\Rogers Online Protection\RpsSecurityAwareR.exe [22/06/2009 9:48 AM 170736]
R3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\Rogers Online Protection\Rogers Online Protection\SafeConnect\Driver\platform_XP\SafeConnectDriver.sys [14/11/2008 5:28 PM 161304]
R3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\Rogers Online Protection\Rogers Online Protection\SafeConnect\Driver\platform_XP\SafeConnectFilter.sys [14/11/2008 5:28 PM 29720]
R3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\Rogers Online Protection\Rogers Online Protection\SafeConnect\Driver\platform_XP\SafeConnectShim.sys [14/11/2008 5:28 PM 27376]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [22/09/2008 3:58 PM 910600]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Internet Security 2010 - c:\program files\InternetSecurity2010\IS2010.exe
HKLM-Run-Opuwufujufuxuze - c:\windows\ubuqamalanunevif.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-11 21:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(892)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL

- - - - - - - > 'lsass.exe'(948)
c:\windows\wusgdv.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2648)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\wusgdv.dll
c:\windows\system32\jscript.dll
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Rogers Online Protection\Rogers Online Protection\Fws.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
c:\program files\Skype\Phone\Skype.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\scrnsave.scr
c:\program files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgentComHandler.exe
.
**************************************************************************
.
Completion time: 2010-01-11 22:04:13 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-12 03:04

Pre-Run: 5,668,712,448 bytes free
Post-Run: 6,040,506,368 bytes free

- - End Of File - - CA23F6A2B227D8C384D3E0E469525A24

Edited by Serogost, 12 January 2010 - 03:12 PM.
