
Bagle.IX and Download Bagle Trojan [RESOLVED]
#16
Posted 11 April 2008 - 06:37 PM

#17
Posted 11 April 2008 - 06:44 PM

#18
Posted 11 April 2008 - 07:07 PM

Maybe I missed a step somewhere?
If this isn't it, I'm not sure what zip file you are talking about...let me know and will get to you ASAP.
Linda
#19
Posted 11 April 2008 - 07:26 PM

- Copy the entire contents of the Quote Box below to Notepad.
- Name the file as CFScript.txt
- Change the Save as Type to All Files
- and Save it on the desktop
File::
C:\WINDOWS\system32\drivers\srosa.sys
C:\Windows\System32\WINTEMS.EXE
C:\Windows\System32\MDELK.EXE
C:\Windows\System32\13219648.EXE
C:\Windows\System32\13213389.EXE
C:\Windows\System32\13204887.EXE
C:\Windows\System32\HLDRRR.EXE
C:\Windows\System32\ban_list.txt
C:\Windows\System32\Drivers\WINTEMS.EXE
C:\Windows\System32\Drivers\MDELK.EXE
C:\Windows\System32\Drivers\13219648.EXE
C:\Windows\System32\Drivers\13213389.EXE
C:\Windows\System32\Drivers\13204887.EXE
C:\Windows\System32\Drivers\HLDRRR.EXE
C:\Windows\System32\Drivers\ban_list.txt
C:\Windows\13219648.EXE
C:\Windows\13213389.EXE
C:\Windows\13204887.EXE
C:\RegCure 1.5.exe
C:\MGtools.exe
Driver::
srosa
Folder::
C:\WINDOWS\system32\drivers\downld
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SROSA]
Suspect::
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\hldrrr.exe.vir
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\srosa.sys.vir
C:\QooBox\Quarantine\C\WINDOWS\system32\mdelk.exe.vir
C:\QooBox\Quarantine\C\WINDOWS\system32\wintems.exe.vir

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a HijackThis log.
Additionally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip
Please submit this file to:
http://www.bleepingc...e.php?channel=4
Please include a link to this topic in the message.
#20
Posted 11 April 2008 - 07:58 PM

The zip file is also posted!!
Thanks!
#21
Posted 11 April 2008 - 08:00 PM

ComboFix 08-04-10.7 - Linda Kristina 2008-04-11 20:43:38.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.106 [GMT -5:00]
Running from: C:\Documents and Settings\Linda Kristina\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Linda Kristina\Desktop\CFScript.txt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\MGtools.exe
C:\RegCure 1.5.exe
C:\Windows\13204887.EXE
C:\Windows\13213389.EXE
C:\Windows\13219648.EXE
C:\Windows\System32\13204887.EXE
C:\Windows\System32\13213389.EXE
C:\Windows\System32\13219648.EXE
C:\Windows\System32\ban_list.txt
C:\Windows\System32\Drivers\13204887.EXE
C:\Windows\System32\Drivers\13213389.EXE
C:\Windows\System32\Drivers\13219648.EXE
C:\Windows\System32\Drivers\ban_list.txt
C:\Windows\System32\Drivers\HLDRRR.EXE
C:\Windows\System32\Drivers\MDELK.EXE
C:\WINDOWS\system32\drivers\srosa.sys
C:\Windows\System32\Drivers\WINTEMS.EXE
C:\Windows\System32\HLDRRR.EXE
C:\Windows\System32\MDELK.EXE
C:\Windows\System32\WINTEMS.EXE
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\MGtools.exe
C:\RegCure 1.5.exe
C:\WINDOWS\system32\ban_list.txt
C:\WINDOWS\system32\drivers\downld
C:\WINDOWS\system32\drivers\downld\13204887.exe
C:\WINDOWS\system32\drivers\downld\13219648.exe
C:\WINDOWS\system32\drivers\downld\2142560.exe
C:\WINDOWS\system32\drivers\downld\4203223.exe
C:\WINDOWS\system32\drivers\downld\4360239.exe
C:\WINDOWS\system32\drivers\downld\4414728.exe
C:\WINDOWS\system32\drivers\downld\4432483.exe
C:\WINDOWS\system32\drivers\downld\4574778.exe
C:\WINDOWS\system32\drivers\downld\4592744.exe
C:\WINDOWS\system32\drivers\downld\6237719.exe
C:\WINDOWS\system32\drivers\downld\6247032.exe
C:\WINDOWS\system32\drivers\downld\6385652.exe
C:\WINDOWS\system32\drivers\downld\6400433.exe
C:\WINDOWS\system32\drivers\downld\6489661.exe
C:\WINDOWS\system32\drivers\downld\6490623.exe
C:\WINDOWS\system32\drivers\downld\6498003.exe
C:\WINDOWS\system32\drivers\downld\6504823.exe
C:\WINDOWS\system32\drivers\downld\6724749.exe
C:\WINDOWS\system32\drivers\downld\8672580.exe
C:\Windows\System32\Drivers\HLDRRR.EXE
C:\Windows\System32\Drivers\MDELK.EXE
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\wintems.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SROSA
((((((((((((((((((((((((( Files Created from 2008-03-12 to 2008-04-12 )))))))))))))))))))))))))))))))
.
2008-04-11 13:43 . 2008-04-11 13:43 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-11 13:43 . 2008-04-11 13:43 <DIR> d-------- C:\Documents and Settings\Linda Kristina\Application Data\Malwarebytes
2008-04-11 13:43 . 2008-04-11 13:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-11 10:20 . 2008-04-11 11:52 <DIR> d-------- C:\Geeks_New
2008-04-10 20:36 . 2008-04-10 20:36 <DIR> d-------- C:\Program Files\ParetoLogic
2008-04-10 20:36 . 2008-04-10 20:36 <DIR> d-------- C:\Program Files\Common Files\ParetoLogic
2008-04-10 20:36 . 2008-04-10 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
2008-04-10 20:31 . 2008-04-10 21:49 <DIR> d-------- C:\paretologic
2008-04-09 21:51 . 2008-04-09 21:51 <DIR> d-------- C:\Documents and Settings\Linda Kristina\Application Data\Thinstall
2008-04-09 20:11 . 2008-04-09 21:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-09 20:11 . 2008-04-09 21:00 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-09 19:54 . 2008-04-09 19:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-09 19:54 . 2008-04-09 19:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-09 19:53 . 2008-04-09 19:53 <DIR> d-------- C:\Program Files\CCleaner
2008-04-09 07:42 . 2008-04-09 19:54 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-09 07:42 . 2008-04-09 07:42 <DIR> d-------- C:\Documents and Settings\Linda Kristina\Application Data\SUPERAntiSpyware.com
2008-04-08 21:05 . 2008-03-29 12:45 1,146,232 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-04-08 21:05 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-04-08 21:05 . 2008-03-29 12:23 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-04-08 21:05 . 2008-03-29 12:35 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-04-08 21:05 . 2008-01-17 10:34 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-04-08 21:05 . 2008-03-29 12:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-08 21:05 . 2008-03-29 12:27 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-04-08 21:05 . 2008-03-29 12:26 26,944 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-04-08 21:05 . 2008-03-29 12:29 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-04-08 21:05 . 2008-03-29 12:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-04-05 17:10 . 2008-04-05 17:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\U3
2008-04-05 17:04 . 2008-04-05 18:12 <DIR> d-------- C:\Documents and Settings\Linda Kristina\Application Data\U3
2008-04-05 17:03 . 2004-08-04 00:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-05 10:10 . 2008-04-05 10:10 <DIR> d-------- C:\WINDOWS\system32\windows media
2008-04-05 10:10 . 2008-04-05 10:10 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-04-05 10:10 . 2008-04-05 10:10 <DIR> d-------- C:\Program Files\Windows Media Components
2008-04-05 10:09 . 2008-04-05 15:21 737,280 --a------ C:\WINDOWS\iun6002.exe
2008-04-04 22:40 . 2006-10-26 20:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-04-04 22:36 . 2008-04-04 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-21 14:18 . 2008-03-21 14:18 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-03-21 14:17 . 2007-10-22 19:58 1,721,712 --------- C:\WINDOWS\system32\InetClnt.dll
2008-03-16 19:58 . 2008-03-16 19:58 <DIR> d--h----- C:\WINDOWS\PIF
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-12 01:28 --------- d-----w C:\Documents and Settings\Linda Kristina\Application Data\ComcastToolbar
2008-04-10 00:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-21 19:21 --------- d-----w C:\Documents and Settings\Linda Kristina\Application Data\Intuit
2008-03-21 19:17 --------- d-----w C:\Program Files\Common Files\Intuit
2008-03-20 12:03 --------- d-----w C:\Program Files\CrossTrainerII
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.
((((((((((((((((((((((((((((( snapshot@2008-04-10_23.07.47.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-04 01:29:06 761,856 ----a-w C:\WINDOWS\gmer.exe
- 2008-04-10 00:09:44 58,800 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-11 04:08:54 58,800 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-10 00:09:44 392,626 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-11 04:08:54 392,626 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ParetoLogic Anti-Spyware"="C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" [2007-08-01 13:56 2643312]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
"{51C55F9E-C308-4c95-89AB-8858D8AFD819}"= C:\Program Files\ParetoLogic\Anti-Spyware\PASShlExt.dll [2007-04-11 17:47 98304]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnk
backup=C:\WINDOWS\pss\LaunchU3.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 11:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Auto EPSON Stylus CX3800 Series (Copy 1) on LMK-XP]
--a------ 2005-02-07 22:00 98304 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Auto EPSON Stylus CX3800 Series on LMK-XP]
--a------ 2005-02-07 22:00 98304 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2008-04-10 22:21 79224 E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
--a------ 2007-04-19 15:21 198184 C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]
--a------ 2004-03-10 16:16 204800 E:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2006-11-15 22:01 244512 C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-07-06 18:33 282624 E:\Program Files\QuickTime_4\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2005-01-12 03:01 32768 E:\Program Files\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-02-29 16:03 1481968 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2006-08-07 02:04 688128 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\dnloads\\eMule\\eMule.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"E:\\EMule Extracts\\EMule.46c\\emule.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"D:\\dnloads\\eMule\\eMule_II\\eMule.exe"=
"D:\\Program Files\\EMule\\emule.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
R0 hpt3xx;hpt3xx;C:\WINDOWS\system32\drivers\hpt3xx.sys [2004-01-05 04:10]
R0 hptpro;hptpro;C:\WINDOWS\system32\drivers\hptpro.sys [2003-01-27 10:12]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 12:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 12:35]
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2005-02-16 03:06]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17282e89-0346-11dd-a3b2-000103c623f3}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 01:37:31 C:\WINDOWS\Tasks\Pareto UNS.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe
"2008-04-11 12:03:04 C:\WINDOWS\Tasks\ParetoLogic Anti-Spyware.job"
- C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe
"2008-04-11 05:33:00 C:\WINDOWS\Tasks\ParetoLogic Update.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\Pareto_Update.exe
.
**************************************************************************
catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-11 20:48:58
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2008-04-11 20:52:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-12 01:52:34
ComboFix2.txt 2008-04-11 23:21:50
ComboFix3.txt 2008-04-11 18:40:35
ComboFix4.txt 2008-04-11 16:48:36
ComboFix5.txt 2008-04-11 15:36:42
Pre-Run: 981,520,384 bytes free
Post-Run: 942,456,832 bytes free
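Added example, not part of the original thread and not ComboFix's own code: a Python check that cross-references the File:: and Folder:: entries of a CFScript like the one in post #19 against the "Other Deletions" section of the resulting log, comparing paths case-insensitively as Windows does. The embedded script and log are shortened, constructed samples in the thread's format; the function names are hypothetical, and reading "Other Deletions" as the list of what the run removed is an assumption.

```python
import ntpath
import re

# Constructed, shortened samples in the format of the script and log in this thread.
CFSCRIPT = r"""File::
C:\WINDOWS\system32\drivers\srosa.sys
C:\Windows\System32\WINTEMS.EXE
C:\Windows\13219648.EXE
Driver::
srosa
Folder::
C:\WINDOWS\system32\drivers\downld
"""
LOG = r"""((((((((((((( Other Deletions )))))))))))))
.
C:\WINDOWS\system32\drivers\downld
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\wintems.exe
.
((((((((((((( Drivers/Services )))))))))))))
.
-------\Legacy_SROSA
"""

def norm(path):
    """Windows paths are case-insensitive, so fold case before comparing."""
    return ntpath.normcase(ntpath.normpath(path))

def parse_cfscript(text):
    """Group non-empty script lines under their 'Name::' directive."""
    sections, current = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = re.fullmatch(r"(\w+)::", line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif current is not None:
            current.append(line)
    return sections

def log_section(text, title):
    """Return the lines under the '((( title )))' banner of a log."""
    out, active = [], False
    for line in filter(None, map(str.strip, text.splitlines())):
        m = re.fullmatch(r"\(+\s*(.*?)\s*\)+", line)
        if m:
            active = m.group(1) == title  # a new banner ends the previous section
        elif active and line != ".":
            out.append(line)
    return out

def reconcile(script, log):
    """Split File::/Folder:: targets into (logged as deleted, not logged)."""
    sections = parse_cfscript(script)
    deleted = {norm(p) for p in log_section(log, "Other Deletions")}
    targets = sections.get("File", []) + sections.get("Folder", [])
    hit = [t for t in targets if norm(t) in deleted]
    return hit, [t for t in targets if t not in hit]

if __name__ == "__main__":
    print(reconcile(CFSCRIPT, LOG))
```

An entry in the second list is only "not logged as deleted"; the log alone does not say whether the file was absent or the removal failed.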
#22
Posted 11 April 2008 - 08:03 PM

#23
Posted 11 April 2008 - 08:14 PM

#24
Posted 11 April 2008 - 08:15 PM

I actually have a wireless laptop that is sending the files to you. I have a networked connection to my infected desktop and I am just browsing from my laptop for the files that are created on the desktop.
Could I just attach it to this e-mail instead of sending it to the other website?
Linda
#25
Posted 11 April 2008 - 08:22 PM

Files were received, thank you. What I don't see is the Trojan in the log. I need you to test the computer by itself. I sent the file again to the website, let me know if you have it. If not, should I try running the entire process again in safe mode?
I actually have a wireless laptop that is sending the files to you. I have a networked connection to my infected desktop and I am just browsing from my laptop for the files that are created on the desktop.
Could I just attach it to this e-mail instead of sending it to the other website?
Linda
#26
Posted 11 April 2008 - 08:24 PM


#27
Posted 11 April 2008 - 08:34 PM

Safe Mode without Networking...loaded several system files in DOS and then rebooted the machine
In Normal mode, I didn't get the crack.exe upon opening IE, but it still takes several minutes for the screen to work

Wow, wait a second!! Paretologic just popped up a message stating that it successfully prevented the Bagle virus from downloading ????
#28
Posted 11 April 2008 - 09:26 PM


Thanks for your Herculean effort today. I am going to retire and study for another class I am taking. I'll be online bright and early tomorrow morning to continue!!
Thanks Much!!
#29
Posted 12 April 2008 - 08:07 AM


Is it best to remove paretologic? I can uninstall from Control Panel ...
Linda
#30
Posted 12 April 2008 - 10:24 AM


Let's remove Combofix:
- Click START then RUN
- Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
Then download the latest version as follows:
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Please, never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
- Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.