
malware question for alienrik


Comments

  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Open Malwarebytes and go to QUARANTINE.

    See if you can RESTORE all the ones you posted last ~

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{08165ea0-e946-11cf-9c87-00aa005127ed} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{7d559c10-9fe9-11d0-93f7-00aa0059ce02} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{7fc0b86e-5fa7-11d1-bc7c-00c04fd929db} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{abbe31d0-6dae-11d0-beca-00c04fd940be} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{f5175861-2688-11d0-9c5e-00aa00a45957} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{d8bd2030-6fc9-11d0-864f-00aa006809d9} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{e3a8bde6-abce-11d0-bc4b-00c04fd929db} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{e6cc6978-6b6e-11d0-beca-00c04fd940be} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{e8bb6dc0-6b4e-11d0-92db-00a0c90c2bd7} (Trojan.BHO) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{08165ea0-e946-11cf-9c87-00aa005127ed} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7d559c10-9fe9-11d0-93f7-00aa0059ce02} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7fc0b86e-5fa7-11d1-bc7c-00c04fd929db} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{abbe31d0-6dae-11d0-beca-00c04fd940be} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{f5175861-2688-11d0-9c5e-00aa00a45957} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{d8bd2030-6fc9-11d0-864f-00aa006809d9} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{e3a8bde6-abce-11d0-bc4b-00c04fd929db} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{e6cc6978-6b6e-11d0-beca-00c04fd940be} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{e8bb6dc0-6b4e-11d0-92db-00a0c90c2bd7} (Trojan.BHO) -> Quarantined and deleted successfully.
    :idea:
  • GT60
    GT60 Posts: 2,368 Forumite
    Hi, my beloved Norton won't let ComboFix run.
    Why do we want to restore the malware?
    Wouldn't the kids put even more crap on the PC with Firefox?
    Ta, niall
    Spending my time reading how to fix PCs, instead of looking at Facebook.
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Then shut Norton down whilst you run it.

    Tom's found out that all those you posted last by Malwarebytes are FALSE POSITIVES (meaning they shouldn't be deleted).

    Firefox with NoScript will prevent your kids getting anything nasty on your computer, as explained.
    :idea:
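As an added illustration (not code from the thread or from Malwarebytes), a small Python parser for scan-log lines in the format posted above. It groups every quarantined registry entry by CLSID, because a flagged shell extension leaves two entries (its key under HKEY_CLASSES_ROOT\CLSID and its value under Shell Extensions\Approved) that must be restored together once they are judged false positives; the sample log is constructed from three CLSIDs in the thread, with the third deliberately left unpaired.

```python
import re

# Constructed sample in the line format of a Malwarebytes' Anti-Malware scan log
# (CLSIDs taken from the thread; the third key has no Approved value on purpose).
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{abbe31d0-6dae-11d0-beca-00c04fd940be} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f5175861-2688-11d0-9c5e-00aa00a45957} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d8bd2030-6fc9-11d0-864f-00aa006809d9} (Trojan.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{abbe31d0-6dae-11d0-beca-00c04fd940be} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{f5175861-2688-11d0-9c5e-00aa00a45957} (Trojan.BHO) -> Quarantined and deleted successfully.
"""

# "<path> (<detection>) -> <action>." with an optional trailing full stop.
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^)]+)\) -> (?P<action>.+?)\.?$")
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


def parse_mbam_log(text):
    """Return (section, path, detection, action) for every detection line;
    section is the heading it appeared under, e.g. "Registry Keys"."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(" Infected:"):
            section = line[:-len(" Infected:")]
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            entries.append((section, m["path"], m["detection"], m["action"]))
    return entries


def restore_plan(entries):
    """Group quarantined registry entries by CLSID and record whether both the
    CLSID key and the Shell Extensions Approved value were taken, so that a
    restore of a false positive puts back both halves, not just one."""
    plan = {}
    for section, path, _detection, _action in entries:
        m = CLSID_RE.search(path)
        if not m:
            continue  # file or folder detections are not CLSID-keyed
        group = plan.setdefault(m.group(0).lower(), {"paths": [], "sections": set()})
        group["paths"].append(path)
        group["sections"].add(section)
    for group in plan.values():
        group["complete"] = {"Registry Keys", "Registry Values"} <= group["sections"]
    return plan
```

A group with complete set to False means the scanner quarantined only one half of the pair; check the other half by hand before restoring.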
  • GT60
    GT60 Posts: 2,368 Forumite

    Just read the link and I can see the light, I think.

    I will read up on this Firefox soon, but if you have to start clicking to let something run the boys will have a field day; I have only just got them used to Norton's way of doing things. :)
    Thank you both.
    I will catch up tomorrow; it's bedtime now, up for work at 1.30am :eek:
    A very big thank you again :A
  • GT60
    GT60 Posts: 2,368 Forumite
    Hi aliEnRIK,
    Here is the ComboFix log.
    Good luck :confused: and thanks

    ComboFix 09-04-01.01 - nial 2009-04-03 14:46:30.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1791.1366 [GMT 1:00]
    Running from: c:\documents and settings\nial\Desktop\ComboFix.exe
    * Created a new restore point
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    ADS - WINDOWS: deleted 48 bytes in 1 streams.
    ((((((((((((((((((((((((( Files Created from 2009-03-03 to 2009-04-03 )))))))))))))))))))))))))))))))
    .
    No new files created in this timespan
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-02 16:47 d-----w c:\program files\Trend Micro
    2009-04-02 12:28 d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-03-26 15:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-03-26 15:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
    2009-03-23 08:52 d-----w c:\program files\Windows Live Safety Center
    2009-03-23 08:39 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
    2009-03-23 08:39 7,386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
    2009-03-23 08:39 60,808 ----a-w c:\windows\system32\S32EVNT1.DLL
    2009-03-23 08:39 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
    2009-03-23 08:39 d-----w c:\program files\Symantec
    2009-03-12 09:03 36,400 ----a-r c:\windows\system32\drivers\SymIM.sys
    2009-03-10 22:21 103,744 ----a-w c:\windows\system32\drivers\AnyDVD.sys
    2009-03-07 13:10 d-----w c:\program files\SUPERAntiSpyware
    2009-02-26 07:42 d-----w c:\program files\Microsoft Silverlight
    2009-02-17 17:51 d-----w c:\documents and settings\nial\Application Data\Vso
    2009-02-17 17:11 24,232 ----a-w c:\windows\system32\drivers\ElbyCDIO.sys
    2009-02-17 13:33 89,256 ----a-w c:\windows\system32\ElbyCDIO.dll
    2009-02-15 15:59 d-----w c:\documents and settings\Stephen.MR-2634FEFEC895.000\Application Data\Corel
    2009-02-15 12:50 45,824 ----a-w c:\documents and settings\nial\Application Data\GDIPFONTCACHEV1.DAT
    2009-02-13 21:55 d-----w c:\program files\TalkTalk
    2009-02-13 20:32 d-----w c:\program files\Common Files\Wise Installation Wizard
    2009-02-12 15:55 d-----w c:\program files\Common Files\Ahead
    2009-02-12 15:55 d-----w c:\program files\Ahead
    2009-02-12 14:44 d-----w c:\program files\Common Files\Nero
    2009-02-12 14:42 d-----w c:\documents and settings\All Users\Application Data\Ahead
    2009-02-11 14:26 d-----w c:\documents and settings\All Users\Application Data\SupportSoft
    2009-02-11 14:07 d-----w c:\program files\Common Files\SupportSoft
    2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
    2009-02-08 15:12 d-----w c:\program files\Nokia
    2009-02-08 15:12 d-----w c:\program files\Common Files\PCSuite
    2009-02-08 15:12 d-----w c:\program files\Common Files\Nokia
    2009-02-08 15:08 d-----w c:\documents and settings\All Users\Application Data\Installations
    2009-02-07 19:26 d-----w c:\documents and settings\Samuel.MR-2634FEFEC895\Application Data\Roxio
    2009-02-06 18:47 d-----w c:\program files\Coupon Printer
    2008-09-12 15:55 81,920 ----a-w c:\documents and settings\nial\Application Data\ezpinst.exe
    2008-09-12 15:55 47,360 ----a-w c:\documents and settings\nial\Application Data\pcouffin.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-01-26 15360]
    "AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2009-03-12 2587584]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-26 185896]
    "SoundMan"="SOUNDMAN.EXE" [2006-04-01 c:\windows\SOUNDMAN.EXE]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-01-26 15360]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-01-02 10:32 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
    @="FSFilter Activity Monitor"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
    --a------ 2008-12-03 13:47 1205760 c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
    --a------ 2006-08-17 10:00 1116920 c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
    --a------ 2006-11-05 12:22 221184 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2008-06-26 11:37 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1005000.087\SymEFA.sys [2009-03-23 310320]
    R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1005000.087\BHDrvx86.sys [2009-03-23 258608]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1005000.087\cchpx86.sys [2009-03-23 482352]
    R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090331.007\IDSXpx86.sys [2009-04-03 276344]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-09-03 8944]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-09-03 55024]
    R2 BOCore;BOCore;c:\program files\Comodo\CBOClean\BOCore.exe [2008-10-08 73464]
    R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe [2009-03-23 115560]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-25 101936]
    S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-05-23 13352]
    S3 SaiHFF0C;SaiHFF0C;c:\windows\system32\drivers\SaiHFF0C.sys [2004-06-11 56576]
    S3 SaiNtSub;SaiNtSub;c:\windows\system32\drivers\SaiNtSub.sys [2008-05-03 19200]
    S3 SaiUFF0C;SaiUFF0C;c:\windows\system32\drivers\saiuFF0C.sys [2004-06-11 19584]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 7408]
    .
    Contents of the 'Scheduled Tasks' folder
    2009-04-03 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 20:20]
    2009-03-09 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - nial.job
    - c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe []
    .
    - - - - ORPHANS REMOVED - - - -
    HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe

    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.google.co.uk/ig
    uInternet Connection Wizard,ShellNext = iexplore
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .
    **************************************************************************
    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-03 14:48:53
    Windows 5.1.2600 Service Pack 3, v.5657 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...

    c:\windows\TEMP\TMP0000003E2C46F459E586BD24 524288 bytes executable
    scan completed successfully
    hidden files: 1
    **************************************************************************
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
    "ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.5.0.135\diMaster.dll\" /prefetch:1"
    .
    DLLs Loaded Under Running Processes
    - - - - - - - > 'winlogon.exe'(940)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    Completion time: 2009-04-03 14:50:26
    ComboFix-quarantined-files.txt 2009-04-03 13:50:23
    Pre-Run: 302,023,872,512 bytes free
    Post-Run: 302,259,294,208 bytes free
    157 --- E O F --- 2009-04-03 13:09:43
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Computer looks clean to me (except for Norton :p).

    I'd recommend updating and running SUPERAntiSpyware on a FULL scan just to be sure.
    :idea:
  • GT60
    GT60 Posts: 2,368 Forumite
    OK, thank you ;)

    Glad I double-checked before I went and did my normal stunt of just deleting everything.

    Thanks again :T