Please help me!
Comments
After doing what you said and trying to delete that file, it still appears to be in the log... also I cannot download SP3 for some reason... it keeps failing on Automatic Updates. Do I need a disk for it?
Many thanks for your help
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:13:22, on 08/04/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AOL Broadband Toolbar Loader - {776a9d06-e178-4aa0-aee4-b4de3a64ad28} - C:\Program Files\AOL Broadband Toolbar\aolbbtb.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AOL Broadband Toolbar - {e6ed7f95-e571-4f81-8757-5eb11252703d} - C:\Program Files\AOL Broadband Toolbar\aolbbtb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1204909232\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Pnuyowizew] rundll32.exe "C:\WINDOWS\onenutowuwuqec.dll",Startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YVIBBBHA8C] C:\DOCUME~1\Natesha\LOCALS~1\Temp\Qnw.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [Getdo] rundll32.exe "C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Update\flacor.dat""
O4 - HKCU\..\Run: [Helper] C:\Documents and Settings\Natesha\Application Data\Helper\bin\liveu.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: Google Update Service (gupdate1ca116298c1cc8) (gupdate1ca116298c1cc8) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009.SP2\RpcAgentSrv.exe
--
End of file - 6696 bytes
TICK and FIX these in HijackThis ~
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pnuyowizew] rundll32.exe "C:\WINDOWS\onenutowuwuqec.dll",Startup
O4 - HKCU\..\Run: [YVIBBBHA8C] C:\DOCUME~1\Natesha\LOCALS~1\Temp\Qnw.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [Helper] C:\Documents and Settings\Natesha\Application Data\Helper\bin\liveu.exe
(PS ~ don't even attempt to install a SERVICE PACK whilst you're infected):idea:
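The entries ticked above were picked by where they load from rather than by name: a DLL dropped in the Windows root and loaded through rundll32, an executable in a Temp folder, a second "svchost.exe" that is not in System32, and an executable under Application Data. The following is an added example (my own code, not from this thread or from HijackThis) that applies those location rules to O4 lines. The sample is a subset of the O4 lines from the log posted above; the rule set is a heuristic of my own, so it only nominates entries for review. It also flags the [Getdo] entry (a ".dat" file loaded via rundll32 from the SYSTEM profile), which the post above does not list, and it does not flag ISUSScheduler or QuickTime Task, which were ticked as unneeded startup items rather than as malware.

```python
"""Location-based triage of HijackThis O4 (Run-key autorun) entries.

Added example, not from the original thread. The sample lines are copied
from the HijackThis log posted above; the rule set is a heuristic of my
own and flags entries for review, it does not prove anything is malware.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample: a subset of the O4 lines from the log posted in this thread.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Pnuyowizew] rundll32.exe "C:\WINDOWS\onenutowuwuqec.dll",Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YVIBBBHA8C] C:\DOCUME~1\Natesha\LOCALS~1\Temp\Qnw.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [Getdo] rundll32.exe "C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Update\flacor.dat"
O4 - HKCU\..\Run: [Helper] C:\Documents and Settings\Natesha\Application Data\Helper\bin\liveu.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# "O4 - HKLM\..\Run: [name] command line"
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First drive-letter path in the command that ends in a loadable extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:exe|dll|dat|bin|com|scr|sys)\b', re.I)

WINDOWS_ROOT = "c:\\windows"
SYSTEM32 = "c:\\windows\\system32"


class Finding(NamedTuple):
    name: str
    hive: str
    path: str
    reasons: Tuple[str, ...]


def _target_path(cmd: str) -> Tuple[Optional[str], str]:
    """Return (loader, path): loader is "rundll32" when the entry is loaded via
    rundll32.exe, else None. %systemroot%/%windir% are expanded to the XP default
    so the location rules can match."""
    cmd = re.sub(r"%systemroot%|%windir%", r"C:\\WINDOWS", cmd, flags=re.I)
    loader = "rundll32" if re.match(r'"?rundll32(?:\.exe)?"?\s', cmd, re.I) else None
    m = PATH_RE.search(cmd)
    if m:
        return loader, m.group(0)
    # No recognised extension (e.g. "dumprep 0 -k"): take the first token.
    return loader, cmd.strip('"').split()[0]


def _reasons(loader: Optional[str], path: str) -> List[str]:
    """Heuristic location rules; every hit is a reason to look, not a verdict."""
    low = path.lower()
    directory, _, base = low.rpartition("\\")
    ext = base.rpartition(".")[2] if "." in base else ""
    reasons = []
    if "\\temp\\" in low:
        reasons.append("executable launched from a Temp directory")
    if base == "svchost.exe" and directory != SYSTEM32:
        reasons.append("svchost.exe outside System32 (the real one lives there)")
    if loader == "rundll32":
        if ext != "dll":
            reasons.append("rundll32 loading a file that is not named as a DLL")
        if directory == WINDOWS_ROOT:
            reasons.append("rundll32 loading a DLL dropped in the Windows root")
    if "\\application data\\" in low and ext == "exe":
        reasons.append("executable running from a user profile's Application Data")
    if "\\config\\systemprofile\\" in low:
        reasons.append("persistence stored under the SYSTEM account's profile")
    return reasons


def parse_o4(log_text: str) -> List[Tuple[str, str, str]]:
    """(hive, value name, command) for every Run-key O4 line in the log text."""
    entries = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if m:
            entries.append((m.group("hive"), m.group("name"), m.group("cmd")))
    return entries


def triage_o4(log_text: str) -> List[Finding]:
    """Entries that trip at least one location rule, with the reasons."""
    findings = []
    for hive, name, cmd in parse_o4(log_text):
        loader, path = _target_path(cmd)
        reasons = _reasons(loader, path)
        if reasons:
            findings.append(Finding(name, hive, path, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_O4_LINES):
        print(f"[{f.hive}] {f.name}: {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

The rules are deliberately about where a file lives and how it is loaded, because a random value name such as Pnuyowizew changes on every infection while the locations (Temp, the Windows root, a profile's Application Data, a decoy svchost.exe) do not. Any entry the rules flag still needs the file itself checked before it is fixed.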
Please run COMBOFIX
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Shut down your anti-virus
Follow the simple instructions it gives
Post the COMPLETE log it creates here (Split into sections if need be) ~ if there are loads of 'SNAPSHOT' pages then leave them out
If it comes up with a RENAMING error then RIGHT click the exe file and RENAME and call it QWERTY (Making the complete file name 'QWERTY.exe') Or SAVE as 'QWERTY' on download:idea:
OK, I did what you said. I left ComboFix running as I had to go to work, but I will post the log later...
I am still getting error messages saying certain files can't be found or opened.
Thanks
Yep, it certainly seems you're still infected with something. HijackThis is behind the times so misses a lot. There are better tools but I'm not yet trained on these. I will bow out to aliEnRIK's experience since he's trained to use ComboFix, though I do have one question: isn't this
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
just a click-to-call plugin for Windows Live Messenger?
Yep, it certainly seems you're still infected with something. HijackThis is behind the times so misses a lot. There are better tools but I'm not yet trained on these. I will bow out to aliEnRIK's experience since he's trained to use ComboFix, though I do have one question: isn't this
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
just a click-to-call plugin for Windows Live Messenger?
It's a dead link so pointless leaving it there:idea:
OK, here is the ComboFix log... sorry for the delay in posting, I have been out all day! Cheers
ComboFix 10-04-08.06 - Natesha 09/04/2010 22:26:54.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.675 [GMT 1:00]
Running from: c:\documents and settings\Natesha\Desktop\QWERTY.exe
.
((((((((((((((((((((((((( Files Created from 2010-03-09 to 2010-04-09 )))))))))))))))))))))))))))))))
.
2010-04-09 10:03 . 2010-04-09 10:03 d-sh--w- c:\documents and settings\Dana\PrivacIE
2010-04-09 10:00 . 2010-04-09 10:00 d-sh--w- c:\documents and settings\Dana\IETldCache
2010-04-09 07:40 . 2004-08-04 10:00 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2010-04-09 07:40 . 2004-08-04 10:00 39424 ----a-w- c:\windows\system32\grpconv.exe
2010-04-08 22:09 . 2010-04-08 22:09 9830 ----a-w- C:\exefix.reg
2010-04-08 22:06 . 2010-04-08 22:06 d-sh--w- c:\documents and settings\Natesha\IECompatCache
2010-04-08 22:04 . 2010-04-08 22:04 d-sh--w- c:\documents and settings\Natesha\PrivacIE
2010-04-08 22:00 . 2010-04-08 22:00 d-sh--w- c:\documents and settings\Natesha\IETldCache
2010-04-08 21:32 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-04-08 21:32 . 2010-02-25 06:24 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-04-08 21:32 . 2010-02-25 06:24 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-04-08 21:32 . 2010-02-25 10:54 11070976 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-04-08 21:32 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-08 21:32 . 2010-02-25 06:24 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-04-08 21:32 . 2010-04-09 19:02 d-----w- c:\windows\ie8updates
2010-04-08 21:32 . 2010-02-16 04:50 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-04-08 21:29 . 2010-04-08 21:32 dc-h--w- c:\windows\ie8
2010-04-08 20:44 . 2010-04-08 20:44 1956656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-04-08 20:43 . 2010-04-08 20:53 d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-08 20:43 . 2010-04-08 20:43 d-----w- c:\program files\NOS
2010-04-08 20:42 . 2010-04-08 20:42 503808 ----a-w- c:\documents and settings\Dana\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4a1c5c3e-n\msvcp71.dll
2010-04-08 20:42 . 2010-04-08 20:42 499712 ----a-w- c:\documents and settings\Dana\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4a1c5c3e-n\jmc.dll
2010-04-08 20:42 . 2010-04-08 20:42 348160 ----a-w- c:\documents and settings\Dana\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4a1c5c3e-n\msvcr71.dll
2010-04-08 20:42 . 2010-04-08 20:42 61440 ----a-w- c:\documents and settings\Dana\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4c10a8be-n\decora-sse.dll
2010-04-08 20:42 . 2010-04-08 20:42 12800 ----a-w- c:\documents and settings\Dana\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4c10a8be-n\decora-d3d.dll
2010-04-08 18:44 . 2010-04-08 18:44 5918775 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-07 21:54 . 2010-04-07 21:54 d-----w- c:\documents and settings\Natesha\Local Settings\Application Data\avG
2010-04-07 21:09 . 2010-04-07 21:09 d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Mozilla
2010-04-07 21:02 . 2010-04-07 21:02 d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\AOL Broadband Toolbar
2010-04-07 20:55 . 2010-04-07 20:55 52224 ----a-w- c:\windows\system32\config\systemprofile\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-07 20:55 . 2010-04-07 20:55 117760 ----a-w- c:\windows\system32\config\systemprofile\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-07 20:55 . 2010-04-07 20:55 d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\AOL
2010-04-07 20:54 . 2010-04-07 20:54 d-----w- c:\windows\system32\config\systemprofile\Application Data\SUPERAntiSpyware.com
2010-04-07 20:54 . 2010-04-07 20:54 d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-07 20:54 . 2010-04-07 20:54 d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\avG
2010-04-07 09:29 . 2010-04-08 19:15 0 ----a-w- c:\windows\Wsesoh.bin
2010-04-07 09:29 . 2010-04-08 19:15 120 ----a-w- c:\windows\Pxixan.dat
2010-04-07 09:26 . 2010-04-07 09:26 d-----w- c:\windows\system32\config\systemprofile\Application Data\AOL
2010-04-07 00:14 . 2010-04-07 00:14 d-----w- c:\documents and settings\Natesha\Application Data\Helper
2010-04-06 22:16 . 2010-04-06 22:16 52224 ----a-w- c:\documents and settings\Natesha\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-03 15:47 . 2010-04-03 15:47 d-----w- c:\documents and settings\Givvaunhna.HENRY-23D2558B5\Local Settings\Application Data\AOL Broadband Toolbar
2010-03-21 20:35 . 2010-03-21 20:35 d-----w- c:\documents and settings\Dana\Local Settings\Application Data\Google
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-09 07:18 . 2009-05-13 14:27 117760 ----a-w- c:\documents and settings\Natesha\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-09 02:13 . 2008-03-06 18:28 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2010-04-08 22:55 . 2008-05-21 09:37 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-08 20:43 . 2008-07-17 20:06 d-----w- c:\program files\Common Files\Java
2010-04-08 20:40 . 2008-08-14 17:38 d-----w- c:\program files\Java
2010-04-08 18:46 . 2008-03-27 22:36 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 21:57 . 2009-07-30 22:05 d-----w- c:\documents and settings\Natesha\Application Data\vlc
2010-04-07 00:15 . 2009-08-19 20:53 d-----w- c:\documents and settings\Natesha\Application Data\Skype
2010-04-06 23:08 . 2009-08-19 21:04 d-----w- c:\documents and settings\Natesha\Application Data\skypePM
2010-04-06 22:06 . 2008-03-27 23:09 d-----w- c:\program files\SUPERAntiSpyware
2010-04-06 22:02 . 2008-12-27 17:13 2316 ----a-w- c:\documents and settings\All Users\Application Data\xml2B7.tmp
2010-04-06 22:02 . 2008-12-27 17:13 13901 ----a-w- c:\documents and settings\All Users\Application Data\xml2B6.tmp
2010-04-06 22:02 . 2008-12-27 17:13 9036 ----a-w- c:\documents and settings\All Users\Application Data\xml2B5.tmp
2010-03-29 23:46 . 2008-12-27 12:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 23:45 . 2008-12-27 12:23 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-09 03:28 . 2008-12-27 17:25 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 06:24 . 2006-03-04 03:33 916480 ------w- c:\windows\system32\wininet.dll
2010-02-22 19:59 . 2010-02-22 19:59 152576 ----a-w- c:\documents and settings\Natesha\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-02-22 19:58 . 2010-02-22 19:58 79488 ----a-w- c:\documents and settings\Natesha\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-19 19:05 . 2010-02-19 19:05 d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2010-02-12 10:03 . 2010-03-03 09:47 293376 ------w- c:\windows\system32\browserchoice.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-06 2010864]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064]
"HostManager"="c:\program files\Common Files\AOL\1204909232\ee\AOLSoftware.exe" [2006-11-14 50736]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-03-16 127037]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"Ulead Photo Express Calendar Checker"="c:\program files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe" [2004-01-12 69632]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-20 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-06 15:11 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-03-11 11:36 10792 ----a-w- c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AOL\\RC\\regClient.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\AOL 9.0 VR\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\aol\\1204909232\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP2\\RpcAgentSrv.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP2\\WNt500x86\\RpcSandraSrv.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [29/02/2008 17:03 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [29/02/2008 17:03 66632]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [20/07/2009 11:58 108289]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/02/2006 17:51 12872]
S2 gupdate1ca116298c1cc8;Google Update Service (gupdate1ca116298c1cc8);c:\program files\Google\Update\GoogleUpdate.exe [30/07/2009 23:06 133104]
S3 DCamUSBPremier;Digital Camera;c:\windows\system32\drivers\MPIXVID.SYS [17/07/2008 19:45 104593]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2009.SP2\RpcAgentSrv.exe [27/12/2008 17:43 98488]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2010-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2010-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-30 22:06]
2010-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-30 22:06]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-09 22:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x865DFAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7656fc3
\Driver\ACPI -> ACPI.sys @ 0xf74e9cb8
\Driver\atapi -> atapi.sys @ 0xf74a17b4
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK
**************************************************************************
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(632)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll
- - - - - - - > 'explorer.exe'(1580)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-09 22:38:49
ComboFix-quarantined-files.txt 2010-04-09 21:38
ComboFix2.txt 2010-04-09 10:07
ComboFix3.txt 2008-03-27 22:28
Pre-Run: 224,189,231,104 bytes free
Post-Run: 224,153,767,936 bytes free
- - End Of File - - D9B39FE7ECD3B64BE0D1547383AD349B
Still infected I see
Open notepad and copy/paste the text in RED below
File::
c:\windows\Wsesoh.bin
c:\windows\Pxixan.dat
Save this as "CFScript" (FULL file will be 'CFScript.txt' EXACTLY as shown)
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply
ComboFix should never take more than 30 minutes including the reboot if malware is detected.
If it does, open Task Manager then the Processes tab (press Ctrl, Alt and Del at the same time) and end any processes of findstr, find, sed or swreg, then ComboFix should continue.:idea:
You're also infected with rootkits
Try Sophos to remove them ~
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html :idea:
Here is the ComboFix, I will now do that other thing you said for the rootkits
ComboFix 10-04-09.06 - Natesha 10/04/2010 13:42:48.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.642 [GMT 1:00]
Running from: c:\documents and settings\Natesha\Desktop\QWERTY.exe
Command switches used :: c:\documents and settings\Natesha\Desktop\CFScript.txt
FILE ::
"c:\windows\Pxixan.dat"
"c:\windows\Wsesoh.bin"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\glppkv.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Service_qyxhxiu
((((((((((((((((((((((((( Files Created from 2010-03-10 to 2010-04-10 )))))))))))))))))))))))))))))))
.
2010-04-10 01:55 . 2010-04-10 01:55 61440 ----a-w- c:\documents and settings\Natesha\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3c17f364-n\decora-sse.dll
2010-04-10 01:55 . 2010-04-10 01:55 503808 ----a-w- c:\documents and settings\Natesha\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2673e453-n\msvcp71.dll
2010-04-10 01:55 . 2010-04-10 01:55 499712 ----a-w- c:\documents and settings\Natesha\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2673e453-n\jmc.dll
2010-04-10 01:55 . 2010-04-10 01:55 348160 ----a-w- c:\documents and settings\Natesha\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2673e453-n\msvcr71.dll
2010-04-10 01:55 . 2010-04-10 01:55 12800 ----a-w- c:\documents and settings\Natesha\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3c17f364-n\decora-d3d.dll
2010-04-09 21:50 . 2010-04-09 21:50 d-----w- C:\_OTL
2010-04-09 10:03 . 2010-04-09 10:03 d-sh--w- c:\documents and settings\Dana\PrivacIE
2010-04-09 10:00 . 2010-04-09 10:00 d-sh--w- c:\documents and settings\Dana\IETldCache
2010-04-09 07:40 . 2004-08-04 10:00 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2010-04-09 07:40 . 2004-08-04 10:00 39424 ----a-w- c:\windows\system32\grpconv.exe
2010-04-08 22:09 . 2010-04-08 22:09 9830 ----a-w- C:\exefix.reg
2010-04-08 22:06 . 2010-04-08 22:06 d-sh--w- c:\documents and settings\Natesha\IECompatCache
2010-04-08 22:04 . 2010-04-08 22:04 d-sh--w- c:\documents and settings\Natesha\PrivacIE
2010-04-08 22:00 . 2010-04-08 22:00 d-sh--w- c:\documents and settings\Natesha\IETldCache
2010-04-08 21:32 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-04-08 21:32 . 2010-02-25 06:24 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-04-08 21:32 . 2010-02-25 06:24 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-04-08 21:32 . 2010-02-25 10:54 11070976 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-04-08 21:32 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-08 21:32 . 2010-02-25 06:24 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-04-08 21:32 . 2010-04-09 19:02 d-----w- c:\windows\ie8updates
2010-04-08 21:32 . 2010-02-16 04:50 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-04-08 21:29 . 2010-04-08 21:32 dc-h--w- c:\windows\ie8
2010-04-08 20:44 . 2010-04-08 20:44 1956656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-04-08 20:43 . 2010-04-08 20:53 d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-08 20:43 . 2010-04-08 20:43 d-----w- c:\program files\NOS
2010-04-08 20:42 . 2010-04-08 20:42 503808 ----a-w- c:\documents and settings\Dana\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4a1c5c3e-n\msvcp71.dll
2010-04-08 20:42 . 2010-04-08 20:42 499712 ----a-w- c:\documents and settings\Dana\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4a1c5c3e-n\jmc.dll
2010-04-08 20:42 . 2010-04-08 20:42 348160 ----a-w- c:\documents and settings\Dana\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4a1c5c3e-n\msvcr71.dll
2010-04-08 20:42 . 2010-04-08 20:42 61440 ----a-w- c:\documents and settings\Dana\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4c10a8be-n\decora-sse.dll
2010-04-08 20:42 . 2010-04-08 20:42 12800 ----a-w- c:\documents and settings\Dana\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4c10a8be-n\decora-d3d.dll
2010-04-08 18:44 . 2010-04-08 18:44 5918775 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-07 21:09 . 2010-04-07 21:09 d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Mozilla
2010-04-07 21:02 . 2010-04-07 21:02 d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\AOL Broadband Toolbar
2010-04-07 20:55 . 2010-04-07 20:55 52224 ----a-w- c:\windows\system32\config\systemprofile\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-07 20:55 . 2010-04-07 20:55 117760 ----a-w- c:\windows\system32\config\systemprofile\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-07 20:55 . 2010-04-07 20:55 d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\AOL
2010-04-07 20:54 . 2010-04-07 20:54 d-----w- c:\windows\system32\config\systemprofile\Application Data\SUPERAntiSpyware.com
2010-04-07 20:54 . 2010-04-07 20:54 d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\avG
2010-04-07 09:26 . 2010-04-07 09:26 d-----w- c:\windows\system32\config\systemprofile\Application Data\AOL
2010-04-06 22:16 . 2010-04-06 22:16 52224 ----a-w- c:\documents and settings\Natesha\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-03 15:47 . 2010-04-03 15:47 d-----w- c:\documents and settings\Givvaunhna.HENRY-23D2558B5\Local Settings\Application Data\AOL Broadband Toolbar
2010-03-21 20:35 . 2010-03-21 20:35 d-----w- c:\documents and settings\Dana\Local Settings\Application Data\Google
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-10 12:56 . 2008-05-21 09:37 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-09 22:30 . 2009-05-13 14:27 117760 ----a-w- c:\documents and settings\Natesha\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-09 02:13 . 2008-03-06 18:28 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2010-04-08 20:43 . 2008-07-17 20:06 d-----w- c:\program files\Common Files\Java
2010-04-08 20:40 . 2008-08-14 17:38 d-----w- c:\program files\Java
2010-04-08 18:46 . 2008-03-27 22:36 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 21:57 . 2009-07-30 22:05 d-----w- c:\documents and settings\Natesha\Application Data\vlc
2010-04-07 00:15 . 2009-08-19 20:53 d-----w- c:\documents and settings\Natesha\Application Data\Skype
2010-04-06 23:08 . 2009-08-19 21:04 d-----w- c:\documents and settings\Natesha\Application Data\skypePM
2010-04-06 22:06 . 2008-03-27 23:09 d-----w- c:\program files\SUPERAntiSpyware
2010-04-06 22:02 . 2008-12-27 17:13 2316 ----a-w- c:\documents and settings\All Users\Application Data\xml2B7.tmp
2010-04-06 22:02 . 2008-12-27 17:13 13901 ----a-w- c:\documents and settings\All Users\Application Data\xml2B6.tmp
2010-04-06 22:02 . 2008-12-27 17:13 9036 ----a-w- c:\documents and settings\All Users\Application Data\xml2B5.tmp
2010-03-29 23:46 . 2008-12-27 12:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 23:45 . 2008-12-27 12:23 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-09 03:28 . 2008-12-27 17:25 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 06:24 . 2006-03-04 03:33 916480 ------w- c:\windows\system32\wininet.dll
2010-02-22 19:59 . 2010-02-22 19:59 152576 ----a-w- c:\documents and settings\Natesha\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-02-22 19:58 . 2010-02-22 19:58 79488 ----a-w- c:\documents and settings\Natesha\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-19 19:05 . 2010-02-19 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2010-02-12 10:03 . 2010-03-03 09:47 293376 ------w- c:\windows\system32\browserchoice.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-06 2010864]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 344064]
"HostManager"="c:\program files\Common Files\AOL\1204909232\ee\AOLSoftware.exe" [2006-11-14 50736]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-03-16 127037]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"Ulead Photo Express Calendar Checker"="c:\program files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe" [2004-01-12 69632]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-20 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-06 15:11 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-03-11 11:36 10792 ----a-w- c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AOL\\RC\\regClient.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\AOL 9.0 VR\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\aol\\1204909232\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP2\\RpcAgentSrv.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP2\\WNt500x86\\RpcSandraSrv.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [29/02/2008 17:03 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [29/02/2008 17:03 66632]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [20/07/2009 11:58 108289]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/02/2006 17:51 12872]
S2 gupdate1ca116298c1cc8;Google Update Service (gupdate1ca116298c1cc8);c:\program files\Google\Update\GoogleUpdate.exe [30/07/2009 23:06 133104]
S3 DCamUSBPremier;Digital Camera;c:\windows\system32\drivers\MPIXVID.SYS [17/07/2008 19:45 104593]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2009.SP2\RpcAgentSrv.exe [27/12/2008 17:43 98488]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2010-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2010-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-30 22:06]
2010-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-30 22:06]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-10 13:58
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x865D8AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7656fc3
\Driver\ACPI -> ACPI.sys @ 0xf74e9cb8
\Driver\atapi -> atapi.sys @ 0xf74a17b4
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK
**************************************************************************
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(636)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll
- - - - - - - > 'explorer.exe'(3084)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Other Running Processes
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-04-10 14:05:31 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-10 13:05
ComboFix2.txt 2010-04-09 21:38
ComboFix3.txt 2010-04-09 10:07
ComboFix4.txt 2008-03-27 22:28
Pre-Run: 226,241,679,360 bytes free
Post-Run: 226,268,942,336 bytes free
- - End Of File - - 9D160656D5F66370A44A1149A66B02500