Popup adware problem



step3
2008-08-11, 08:40
I have an infection that gives me constant advertisement popups. iexplore.exe is in memory all the time, so I'm guessing it provides the windows for this piece of malware. Also, there is an exe called 8goxwMpn.exe in memory - I'm pretty sure it's not supposed to be there.
I have tried numerous antivirus/anti-adware programs, but none have helped. And so, here I am! :) My HJT log:
--------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:38:12, on 11.8.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\8goxwMpn.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: solution Class - {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - C:\WINDOWS\system32\eGOXW0PN.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200335492031
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

shelf life
2008-08-14, 04:23
Hi step3,

That's the entire HJT log?

You can try this.
To help show all files, do this first:

For XP: on the desktop, double-click My Computer, go to Tools > Folder Options > View, then select "Show hidden files and folders", then UNcheck "Hide protected operating system files" and also UNcheck "Hide extensions for known file types". Click Apply to All Folders, then Apply, then OK.

Boot into Safe Mode. You might want to copy/paste the Safe Mode part into Notepad and save it so you can read it in Safe Mode.

To reach Safe Mode, tap the F8 key during a computer restart and choose the first option, Safe Mode. Once at the Safe Mode desktop:

Navigate to C:\Windows\system32
See if you can find and delete:
8goxwMpn.exe

While in Safe Mode, also do this:

Empty your Temp folders. Go to Start > Run and type cleanmgr. Windows will scan. When done, check these 3 and press OK to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

Still in Safe Mode:
Click Start > Run, then type %temp%
Hit OK. Delete all the files you can.

Click Start > Run, then type %windir%\temp
Hit OK. Delete all the files you can.

Reboot normally and post a new HJT log. Download and run Malwarebytes.
Link and directions:


Please download Malwarebytes' Anti-Malware to your desktop:

http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the Malwarebytes log.

step3
2008-08-16, 20:43
Thanks for your help! I did what you asked - first of all, the logs:

HJT
---------------
Logfile of HijackThis v1.99.1
Scan saved at 18:39:32, on 16.8.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200335492031
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
---------------





MBAM
---------------
Malwarebytes' Anti-Malware 1.24
Database version: 1056
Windows 5.1.2600 Service Pack 2

18:36:36 16.8.2008
mbam-log-8-16-2008 (18-36-36).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 313100
Time elapsed: 1 hour(s), 1 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{892b2785-b0d0-4aa2-ae6a-0ed60b00a979} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{00476c87-a276-49bf-86bc-ff005732430b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{99c6d1bb-7555-474c-91da-d8fb62a9cc75} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99c6d1bb-7555-474c-91da-d8fb62a9cc75} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\solution.solution (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\solution.solution.1 (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\zango 10.3.37.0 (Adware.Zango) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport\cs\db (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport\cs\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport\cs\res2 (Adware.Shopping.Report) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\eGOXW0PN.dll (Trojan.BHO) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport\cs\db\Aliases.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport\cs\db\Sites.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\ShoppingReport\cs\res2\WhiteList.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6P4WbWaT.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\8goxwMpn.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
---------------

No more popups after the actions were taken. However, 8goxwMpn.exe is somehow renewed. It comes back to the HD and loads itself to RAM. How should I proceed?

shelf life
2008-08-17, 00:15
Hi step3,

Thanks for the info.
However, 8goxwMpn.exe is somehow renewed
I don't see it in the HJT log. Let's see if SDFix can dig up anything.

link and directions:

Download SDFix and save it to your Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe


Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should appear;
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.

* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
* Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

step3
2008-08-17, 10:26
I think I deleted the file before scanning with HJT. HJT does detect it whenever it has been renewed. So, there must be some other process that keeps copying the file back, no matter how many times it's removed.
I will scan with SDFix.

shelf life
2008-08-17, 14:56
Hi step3,

malwarebytes log:
C:\WINDOWS\system32\8goxwMpn.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.


8goxwMpn.exe is somehow renewed. It comes back to the HD and loads itself to RAM.


there must be some other process that keeps copying the file back, no matter how many times it's removed

You are still seeing the process after removal?

step3
2008-08-17, 19:52
Ok. I ran SDFix and HJT - the logs:

HJT
-------------
Logfile of HijackThis v1.99.1
Scan saved at 20:35:09, on 17.8.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: solution Class - {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - C:\WINDOWS\system32\eGOXW0PN.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200335492031
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
----------------





SDFix
---------------
SDFix: Version 1.216
Run by Komulainen on su 17.08.2008 at 18:09

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-17 18:16:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:9f,1e,a6,c7,a1,af,c1,94,1d,eb,1e,74,86,31,d5,64,15,65,49,32,80,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,e0,52,08,e9,f1,a9,06,52,d8,3e,f8,53,34,80,b2,d9,76,..
"khjeh"=hex:1e,df,d6,fd,a4,f6,ff,ab,63,88,17,22,18,cc,68,4c,f5,bc,0d,56,16,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:6f,c8,c9,cb,09,72,91,1c,7c,07,73,71,c9,23,32,30,3f,b3,29,1d,60,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:72,d3,c1,9e,0e,8d,e3,f6,69,ec,3c,14,b5,56,2b,d5,b1,c1,f7,47,76,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:9f,1e,a6,c7,a1,af,c1,94,1d,eb,1e,74,86,31,d5,64,15,65,49,32,80,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,e0,52,08,e9,f1,a9,06,52,d8,3e,f8,53,34,80,b2,d9,76,..
"khjeh"=hex:1e,df,d6,fd,a4,f6,ff,ab,63,88,17,22,18,cc,68,4c,f5,bc,0d,56,16,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:6f,c8,c9,cb,09,72,91,1c,7c,07,73,71,c9,23,32,30,3f,b3,29,1d,60,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:72,d3,c1,9e,0e,8d,e3,f6,69,ec,3c,14,b5,56,2b,d5,b1,c1,f7,47,76,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"D:\\Pelit\\Warhammer 40k\\Dark Crusade\\Dawn of War - Dark Crusade\\DarkCrusade.exe"="D:\\Pelit\\Warhammer 40k\\Dark Crusade\\Dawn of War - Dark Crusade\\DarkCrusade.exe:*:Enabled:DarkCrusade"
"D:\\Pelit\\GoW\\Binaries\\WarGame-G4WLive.exe"="D:\\Pelit\\GoW\\Binaries\\WarGame-G4WLive.exe:*:Enabled:Gears of War"
"D:\\Pelit\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"="D:\\Pelit\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe:*:Enabled:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)"
"D:\\Pelit\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"="D:\\Pelit\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe:*:Enabled:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)"
"D:\\Pelit\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"="D:\\Pelit\\Sins of a Solar Empire\\Sins of a Solar Empire.exe:*:Enabled:Sins of a Solar Empire"
"D:\\Pelit\\Rise of Nations\\thrones.exe"="D:\\Pelit\\Rise of Nations\\thrones.exe:*:Enabled:Rise of Nations"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"D:\\Pelit\\Battle for Middle Earth II\\game.dat"="D:\\Pelit\\Battle for Middle Earth II\\game.dat:*:Enabled:The Battle for Middle-earth(tm) II"
"D:\\Pelit\\Battle for Middle Earth II\\Witch King\\game.dat"="D:\\Pelit\\Battle for Middle Earth II\\Witch King\\game.dat:*:Enabled:The Lord of the Rings, The Rise of the Witch-king"
"D:\\Pelit\\Battle for Middle Eath II\\game.dat"="D:\\Pelit\\Battle for Middle Eath II\\game.dat:*:Enabled:The Battle for Middle-earth(tm) II"
"C:\\Program Files\\Sony\\Media Manager for PSP 2.0\\MediaManager.exe"="C:\\Program Files\\Sony\\Media Manager for PSP 2.0\\MediaManager.exe:*:Enabled:Media Manager for PSP 2.0"
"D:\\Pelit\\Space Empires IV Gold\\Se4.exe"="D:\\Pelit\\Space Empires IV Gold\\Se4.exe:*:Enabled:Space Empires IV"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"D:\\Pelit\\Space Siege\\Space Siege\\SpaceSiege.exe"="D:\\Pelit\\Space Siege\\Space Siege\\SpaceSiege.exe:*:Enabled:Space Siege"
"D:\\Pelit\\Space Siege\\GPGNet\\GPG.Multiplayer.Client.exe"="D:\\Pelit\\Space Siege\\GPGNet\\GPG.Multiplayer.Client.exe:*:Enabled:GPGNet"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :



Files with Hidden Attributes :

Thu 23 Dec 2004 76,568 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"
Thu 13 Jan 2005 11,360 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"
Fri 6 Oct 2006 673,678 A..H. --- "C:\Program Files\iolo\System Mechanic Professional 6\unins000.exe"
Sat 13 Nov 2004 37,376 A..H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"

Finished!
---------------------

The 8goxwMpn.exe persists. I have thought all along that the name is just random gibberish generated by the malware. There was another file that appeared earlier called 6P4WbWaT.exe - it can still be found in system32 as well. Also, HJT reports SASWINLO - could it be part of the problem?
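The checks shelf life is making by eye across these logs (a process running from system32 under a generated-looking name in the 11.8 HJT log, a BHO registered to a DLL with the same kind of name, and a Malwarebytes "Delete on reboot" item that the 17.8 HJT log still shows), as an added Python example. It is not part of the thread and not a tool either participant used. The allow-list of XP system binaries and the "random-looking name" heuristic are this example's own assumptions; the sample strings are trimmed excerpts of the logs posted above.

```python
"""Triage helpers for the logs posted in this thread.

Added example: not HijackThis, Malwarebytes or anything the helper used. The
allow-list and the "random-looking name" heuristic are this example's own
assumptions, tuned to the names seen here (8goxwMpn, eGOXW0PN, 6P4WbWaT).
"""
import re

# XP binaries that legitimately run from %SystemRoot%\system32 (assumed
# allow-list, limited to what the thread's logs show).
KNOWN_SYSTEM32 = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "spoolsv.exe", "taskmgr.exe", "wscntfy.exe", "ctfmon.exe", "devldr32.exe",
}

SYSTEM32_FILE = re.compile(r"^c:\\windows\\system32\\([^\\]+)$", re.IGNORECASE)
PROCESS_LINE = re.compile(r"^[a-z]:\\.+\.exe$", re.IGNORECASE)
O2_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-F-]{36}\}) - (?P<path>.+)$", re.IGNORECASE)
O23_SERVICE = re.compile(r"^O23 - Service: .+? \(.+?\) - (?P<vendor>.+?) - (?P<path>.+)$")
MBAM_ITEM = re.compile(r"^(?P<path>[a-z]:\\.+?) \((?P<detection>[^)]+)\) -> (?P<action>.+)\.$", re.IGNORECASE)


def looks_random(filename):
    """True for generated names such as 8goxwMpn or eGOXW0PN: mixed case or
    letter/digit soup with case flips between adjacent letters. Plain names
    (taskmgr, SASWINLO, devldr32) return False."""
    stem = filename.rsplit(".", 1)[0]
    if len(stem) < 6:
        return False
    upper = any(c.isupper() for c in stem)
    lower = any(c.islower() for c in stem)
    digit = any(c.isdigit() for c in stem)
    flips = sum(1 for a, b in zip(stem, stem[1:])
                if a.isalpha() and b.isalpha() and a.isupper() != b.isupper())
    return (upper and lower and flips >= 2) or (digit and flips >= 1)


def system32_name(path):
    m = SYSTEM32_FILE.match(path.strip())
    return m.group(1) if m else None


def triage(hjt_log):
    """Return (section, path, reason) tuples for HijackThis entries worth a look."""
    findings = []
    for line in (ln.strip() for ln in hjt_log.splitlines()):
        if PROCESS_LINE.match(line):
            name = system32_name(line)
            if name and name.lower() not in KNOWN_SYSTEM32:
                why = "random-looking name" if looks_random(name) else "not on allow-list"
                findings.append(("process", line, why))
            continue
        m = O2_BHO.match(line)
        if m:
            name = system32_name(m["path"])
            if name:  # a BHO normally lives under Program Files, not system32
                why = "random-looking name" if looks_random(name) else "unusual location"
                findings.append(("O2", m["path"], "BHO in system32, " + why))
            continue
        m = O23_SERVICE.match(line)
        if m and m["vendor"].lower() == "unknown owner":
            findings.append(("O23", m["path"], "service with no vendor string"))
    return findings


def still_present(mbam_log, later_hjt_log):
    """Paths Malwarebytes could only schedule ('Delete on reboot') that a later
    HijackThis log still references, i.e. the removal did not stick."""
    later = later_hjt_log.lower()
    return [m["path"] for m in map(MBAM_ITEM.match, (ln.strip() for ln in mbam_log.splitlines()))
            if m and m["action"].lower() == "delete on reboot" and m["path"].lower() in later]


# Trimmed excerpts of the logs posted in the thread.
HJT_11_AUG = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\8goxwMpn.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\HijackThis\HijackThis.exe
O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: solution Class - {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - C:\WINDOWS\system32\eGOXW0PN.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""
MBAM_16_AUG = r"""
C:\WINDOWS\system32\eGOXW0PN.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\system32\8goxwMpn.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
"""
HJT_17_AUG = r"""
O2 - BHO: solution Class - {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - C:\WINDOWS\system32\eGOXW0PN.dll
"""

if __name__ == "__main__":
    for section, path, why in triage(HJT_11_AUG):
        print(section, path, why)
    print("not removed:", still_present(MBAM_16_AUG, HJT_17_AUG))
```

Run on the excerpts it flags exactly the two items the thread ends up chasing (8goxwMpn.exe as a process, eGOXW0PN.dll as an O2 BHO) and reports eGOXW0PN.dll as the "Delete on reboot" item that survived, which is the cue to look for whatever re-registers the CLSID rather than deleting the file again.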

shelf life
2008-08-17, 21:34
Hi step3,


SASWINLO - could it be part of the problem
That's part of SUPERAntiSpyware.

Do you have a resident antivirus on your computer?


we will see if combofix can dig up anything:

Download combofix from one of these links and save it to your Desktop:

http://subs.geekstogo.com/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double-click combofix.exe and follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.

step3
2008-08-17, 23:06
I think I tried ComboFix already. I'll run it anyway and post the log.
I have used some antivirus software. I tend not to have any running in the background, though. I scan with NOD32 from time to time.

shelf life
2008-08-18, 03:25
OK, post the ComboFix log. You have SUPERAntiSpyware; does it come up clean after a scan?

step3
2008-08-18, 09:22
It can find some minor objects, but nothing serious. Didn't touch this problem anyway. I will post the ComboFix log today; not at home right now.

step3
2008-08-18, 19:11
Ok, here are the fresh logs:

combofix
-------------------
ComboFix 08-08-17.03 - Komulainen 2008-08-18 19:51:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1615 [GMT 3:00]
Running from: C:\Documents and Settings\Komulainen\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Komulainen\UserData
C:\Documents and Settings\Komulainen\UserData\3MHJNTVK\iconState[1].xml
C:\Documents and Settings\Komulainen\UserData\3MHJNTVK\Tdy58[1].xml
C:\Documents and Settings\Komulainen\UserData\index.dat
C:\Documents and Settings\Komulainen\UserData\MOCYS6F9\showHideState[1].xml
C:\Documents and Settings\Komulainen\UserData\UT5MBYF4\IsOnIE6tbPromo[1].xml
C:\Documents and Settings\NetworkService\Cookies\system@date.ventivmedia[2].txt
C:\Program Files\Common Files\ssembl~1
C:\Program Files\ystem3~1
C:\WINDOWS\system32\eGOXW0PN.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))
.

2008-08-18 07:08 . 2008-08-18 08:33 <DIR> d-------- C:\JVC_DVD_ROM_PVD
2008-08-17 18:06 . 2008-08-17 18:06 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-17 18:00 . 2008-08-17 18:24 <DIR> d-------- C:\SDFix
2008-08-16 18:44 . 2008-08-16 18:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Media Center Programs
2008-08-16 18:41 . 2008-08-16 18:41 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-08-16 18:41 . 2008-08-16 18:41 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-08-16 11:50 . 2008-08-16 11:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-16 11:50 . 2008-08-16 11:50 <DIR> d-------- C:\Documents and Settings\Komulainen\Application Data\Malwarebytes
2008-08-16 11:50 . 2008-08-16 11:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-16 11:50 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-16 11:50 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-11 08:49 . 2008-02-01 09:50 245,760 --a------ C:\WINDOWS\JkDefragScreenSaver.exe
2008-08-11 08:49 . 2008-02-01 09:50 110,592 --a------ C:\WINDOWS\JkDefragScreenSaver.scr
2008-08-11 08:48 . 2008-08-11 19:49 <DIR> d-------- C:\Program Files\JKDefrag
2008-08-10 21:17 . 2008-08-10 21:17 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-09 13:22 . 2008-08-09 13:22 <DIR> d-------- C:\Program Files\Marsu-Fix
2008-08-09 13:22 . 2008-08-09 13:22 159,847 --a------ C:\WINDOWS\Marsu-Fix Uninstaller.exe
2008-08-09 13:11 . 2008-08-09 13:11 <DIR> d-------- C:\Program Files\ESET
2008-08-09 13:05 . 2008-08-09 13:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-08-08 19:02 . 2008-08-08 19:04 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-08 19:02 . 2008-08-08 19:02 <DIR> d-------- C:\Documents and Settings\Komulainen\Application Data\SUPERAntiSpyware.com
2008-08-08 19:02 . 2008-08-08 19:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-06 21:12 . 2008-08-06 21:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-26 19:46 . 2008-08-16 18:41 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-07-23 20:12 . 2008-07-23 20:12 <DIR> d-------- C:\Documents and Settings\Komulainen\Application Data\Gearbox Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-18 04:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-08-17 13:30 --------- d-----w C:\Program Files\Thumbs7
2008-08-17 13:30 --------- d-----w C:\Documents and Settings\Komulainen\Application Data\fujifilm-fi-photo-manager
2008-08-16 18:11 --------- d-----w C:\Documents and Settings\Komulainen\Application Data\Hamachi
2008-08-08 16:02 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-06 18:12 --------- d-----w C:\Program Files\Lavasoft
2008-08-04 19:12 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-07-28 17:12 --------- d-----w C:\Documents and Settings\Komulainen\Application Data\teamspeak2
2008-07-26 12:54 --------- d-----w C:\Program Files\eMule
2008-07-19 12:08 --------- d-----w C:\Program Files\DOSBox-0.65
2008-07-15 09:18 --------- d-----w C:\Documents and Settings\Komulainen\Application Data\uTorrent
2008-07-13 15:00 --------- d-----w C:\Documents and Settings\Komulainen\Application Data\SPORE Creature Creator
2008-07-10 20:02 --------- d-----w C:\Program Files\Audacity
2008-07-08 10:59 --------- d-----w C:\Documents and Settings\Komulainen\Application Data\InstallShield
2008-07-08 09:56 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2008-07-05 17:38 --------- d--h--r C:\Documents and Settings\Komulainen\Application Data\SecuROM
2008-07-01 20:35 --------- d-----w C:\Documents and Settings\Komulainen\Application Data\Skype
2008-07-01 18:46 --------- d-----w C:\Documents and Settings\Komulainen\Application Data\skypePM
2008-06-20 15:07 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-01-19 19:47 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15:00 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"msacm.enc"= ITIG726.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)
"NMIndexingService"=3 (0x3)
"IDriverT"=3 (0x3)
"ATI Smart"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"NBService"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"LVSrvLauncher"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"ekrn"=2 (0x2)
"EHttpSrv"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Pelit\\Rise of Nations\\thrones.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Sony\\Media Manager for PSP 2.0\\MediaManager.exe"=
"D:\\Pelit\\Space Empires IV Gold\\Se4.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"D:\\Pelit\\Space Siege\\Space Siege\\SpaceSiege.exe"=
"D:\\Pelit\\Space Siege\\GPGNet\\GPG.Multiplayer.Client.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54238:TCP"= 54238:TCP:BitComet 54238 TCP
"54238:UDP"= 54238:UDP:BitComet 54238 UDP
"50732:TCP"= 50732:TCP:BitComet 50732 TCP
"50732:UDP"= 50732:UDP:BitComet 50732 UDP

R0 viasraid;viasraid;C:\WINDOWS\system32\drivers\viasraid.sys [2003-10-31 12:22]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]
R1 SSHDRV77;SSHDRV77;C:\WINDOWS\system32\drivers\SSHDRV77.sys [2008-01-25 21:00]
R1 SSHDRV85;SSHDRV85;C:\WINDOWS\system32\drivers\SSHDRV85.sys [2008-01-25 19:39]
S3 bisapnp;bisapnp;C:\DOCUME~1\KOMULA~1\LOCALS~1\Temp\bisapnp.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7feda9aa-5ae1-11dd-af41-0011d8a9c016}]
\Shell\auto\command - J:\Knight.exe open
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
\Shell\explore\command - J:\Knight.exe open
\Shell\find\command - J:\Knight.exe open
\Shell\install\command - J:\Knight.exe open
\Shell\open\command - J:\Knight.exe open

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-08-18 C:\WINDOWS\Tasks\At155.job
- C:\WINDOWS\system32\8goxwMpn.exe []

2008-08-17 C:\WINDOWS\Tasks\At45.job
- ?:\ []
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Komulainen\Application Data\Mozilla\Firefox\Profiles\uwqtzbcn.Antti\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.puolenkuunpelit.com/kauppa/default.php?cPath=328_330


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 19:53:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-18 19:57:02
ComboFix-quarantined-files.txt 2008-08-18 16:56:01

Pre-Run: 12,808,814,592 bytes free
Post-Run: 13,020,221,440 bytes free

159
-------------------------


HJT
----------------------------
Logfile of HijackThis v1.99.1
Scan saved at 20:00:12, on 18.8.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader -linkkiavustaja - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200335492031
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
-----------------------

shelf life
2008-08-18, 23:03
Hi,

Thanks for the info.
We will use ComboFix first to delete a file.

First:

Click Start, then Run, type Notepad and click OK.
Copy/paste the text in the code box below into Notepad:

Driver::
bisapnp

Name the Notepad file CFScript.txt and save it to your desktop.
Now locate the file you just saved and the ComboFix icon, both on the desktop.
Using your mouse, drag the CFScript right on top of the ComboFix icon and release; ComboFix will run and produce a new log.
Please post the new ComboFix log.

Next:

Go to Start > Run, type in cmd and click OK.
At the prompt, copy and paste the following two lines, pressing Enter after each one is pasted in:


DEL C:\WINDOWS\Tasks\At*.job

DEL C:\WINDOWS\system32\8goxwMpn.exe

Then type exit, press Enter and reboot your machine.

After the reboot, rerun ComboFix just to get another log.

Post the two ComboFix logs, please.


Last:
Let's get a service list:

Go to Start > Run, type cmd and click OK. Copy/paste what's below at the prompt and press Enter.



sc query > c:\services.txt & start notepad c:\services.txt

Notepad will open with a Windows service list. Please copy/paste the list in your reply also.

step3
2008-08-21, 18:53
Ok, the logs:

combofix 1:
-------------------
ComboFix 08-08-19.02 - Komulainen 2008-08-21 17:21:38.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1635 [GMT 3:00]
Running from: C:\Documents and Settings\Komulainen\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-07-21 to 2008-08-21 )))))))))))))))))))))))))))))))
.

2008-08-18 20:01 . 2008-08-18 20:01 <DIR> d---s---- C:\Documents and Settings\Komulainen\UserData
2008-08-18 07:08 . 2008-08-19 07:20 <DIR> d-------- C:\JVC_DVD_ROM_PVD
2008-08-17 18:06 . 2008-08-17 18:06 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-17 18:00 . 2008-08-17 18:24 <DIR> d-------- C:\SDFix
2008-08-16 18:44 . 2008-08-16 18:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Media Center Programs
2008-08-16 18:41 . 2008-08-16 18:41 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-08-16 18:41 . 2008-08-16 18:41 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-08-16 11:50 . 2008-08-16 11:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-16 11:50 . 2008-08-16 11:50 <DIR> d-------- C:\Documents and Settings\Komulainen\Application Data\Malwarebytes
2008-08-16 11:50 . 2008-08-16 11:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-16 11:50 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-16 11:50 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-11 08:49 . 2008-02-01 09:50 245,760 --a------ C:\WINDOWS\JkDefragScreenSaver.exe
2008-08-11 08:49 . 2008-02-01 09:50 110,592 --a------ C:\WINDOWS\JkDefragScreenSaver.scr
2008-08-11 08:48 . 2008-08-11 19:49 <DIR> d-------- C:\Program Files\JKDefrag
2008-08-10 21:17 . 2008-08-10 21:17 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-09 13:22 . 2008-08-09 13:22 <DIR> d-------- C:\Program Files\Marsu-Fix
2008-08-09 13:22 . 2008-08-09 13:22 159,847 --a------ C:\WINDOWS\Marsu-Fix Uninstaller.exe
2008-08-09 13:11 . 2008-08-09 13:11 <DIR> d-------- C:\Program Files\ESET
2008-08-09 13:05 . 2008-08-09 13:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-08-08 19:02 . 2008-08-08 19:04 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-08 19:02 . 2008-08-08 19:02 <DIR> d-------- C:\Documents and Settings\Komulainen\Application Data\SUPERAntiSpyware.com
2008-08-08 19:02 . 2008-08-08 19:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-06 21:12 . 2008-08-06 21:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-26 19:46 . 2008-08-16 18:41 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-07-23 20:12 . 2008-07-23 20:12 <DIR> d-------- C:\Documents and Settings\Komulainen\Application Data\Gearbox Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-20 18:17 --------- d-----w C:\Documents and Settings\Komulainen\Application Data\Hamachi
2008-08-19 03:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-08-17 13:30 --------- d-----w C:\Program Files\Thumbs7
2008-08-17 13:30 --------- d-----w C:\Documents and Settings\Komulainen\Application Data\fujifilm-fi-photo-manager
2008-08-08 16:02 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-06 18:12 --------- d-----w C:\Program Files\Lavasoft
2008-08-04 19:12 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-07-28 17:12 --------- d-----w C:\Documents and Settings\Komulainen\Application Data\teamspeak2
2008-07-26 12:54 --------- d-----w C:\Program Files\eMule
2008-07-19 12:08 --------- d-----w C:\Program Files\DOSBox-0.65
2008-07-15 09:18 --------- d-----w C:\Documents and Settings\Komulainen\Application Data\uTorrent
2008-07-13 15:00 --------- d-----w C:\Documents and Settings\Komulainen\Application Data\SPORE Creature Creator
2008-07-10 20:02 --------- d-----w C:\Program Files\Audacity
2008-07-08 10:59 --------- d-----w C:\Documents and Settings\Komulainen\Application Data\InstallShield
2008-07-08 09:56 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2008-07-05 17:38 --------- d--h--r C:\Documents and Settings\Komulainen\Application Data\SecuROM
2008-07-01 20:35 --------- d-----w C:\Documents and Settings\Komulainen\Application Data\Skype
2008-07-01 18:46 --------- d-----w C:\Documents and Settings\Komulainen\Application Data\skypePM
2008-06-20 15:07 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-01-19 19:47 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15:00 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"msacm.enc"= ITIG726.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)
"NMIndexingService"=3 (0x3)
"IDriverT"=3 (0x3)
"ATI Smart"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"NBService"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"LVSrvLauncher"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"ekrn"=2 (0x2)
"EHttpSrv"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Pelit\\Rise of Nations\\thrones.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Sony\\Media Manager for PSP 2.0\\MediaManager.exe"=
"D:\\Pelit\\Space Empires IV Gold\\Se4.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"D:\\Pelit\\Space Siege\\Space Siege\\SpaceSiege.exe"=
"D:\\Pelit\\Space Siege\\GPGNet\\GPG.Multiplayer.Client.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54238:TCP"= 54238:TCP:BitComet 54238 TCP
"54238:UDP"= 54238:UDP:BitComet 54238 UDP
"50732:TCP"= 50732:TCP:BitComet 50732 TCP
"50732:UDP"= 50732:UDP:BitComet 50732 UDP

R0 viasraid;viasraid;C:\WINDOWS\system32\drivers\viasraid.sys [2003-10-31 12:22]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]
R1 SSHDRV77;SSHDRV77;C:\WINDOWS\system32\drivers\SSHDRV77.sys [2008-01-25 21:00]
R1 SSHDRV85;SSHDRV85;C:\WINDOWS\system32\drivers\SSHDRV85.sys [2008-01-25 19:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7feda9aa-5ae1-11dd-af41-0011d8a9c016}]
\Shell\auto\command - J:\Knight.exe open
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
\Shell\explore\command - J:\Knight.exe open
\Shell\find\command - J:\Knight.exe open
\Shell\install\command - J:\Knight.exe open
\Shell\open\command - J:\Knight.exe open

*Newly Created Service* - CATCHME
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Komulainen\Application Data\Mozilla\Firefox\Profiles\uwqtzbcn.Antti\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.puolenkuunpelit.com/kauppa/default.php?cPath=328_330
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-21 17:23:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-08-21 17:26:01
ComboFix-quarantined-files.txt 2008-08-21 14:24:59
ComboFix2.txt 2008-08-20 17:16:21
ComboFix3.txt 2008-08-18 16:57:03

Pre-Run: 12,978,352,128 bytes free
Post-Run: 12,965,617,664 bytes free

140
------------------------




combofix 2
------------------------
ComboFix 08-08-19.02 - Komulainen 2008-08-20 20:04:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1616 [GMT 3:00]
Running from: C:\Documents and Settings\Komulainen\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Komulainen\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_bisapnp


((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))
.

2008-08-18 20:01 . 2008-08-18 20:01 <DIR> d---s---- C:\Documents and Settings\Komulainen\UserData
2008-08-18 07:08 . 2008-08-19 07:20 <DIR> d-------- C:\JVC_DVD_ROM_PVD
2008-08-17 18:06 . 2008-08-17 18:06 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-17 18:00 . 2008-08-17 18:24 <DIR> d-------- C:\SDFix
2008-08-16 18:44 . 2008-08-16 18:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Media Center Programs
2008-08-16 18:41 . 2008-08-16 18:41 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-08-16 18:41 . 2008-08-16 18:41 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-08-16 11:50 . 2008-08-16 11:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-16 11:50 . 2008-08-16 11:50 <DIR> d-------- C:\Documents and Settings\Komulainen\Application Data\Malwarebytes
2008-08-16 11:50 . 2008-08-16 11:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-16 11:50 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-16 11:50 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-11 08:49 . 2008-02-01 09:50 245,760 --a------ C:\WINDOWS\JkDefragScreenSaver.exe
2008-08-11 08:49 . 2008-02-01 09:50 110,592 --a------ C:\WINDOWS\JkDefragScreenSaver.scr
2008-08-11 08:48 . 2008-08-11 19:49 <DIR> d-------- C:\Program Files\JKDefrag
2008-08-10 21:17 . 2008-08-10 21:17 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-09 13:22 . 2008-08-09 13:22 <DIR> d-------- C:\Program Files\Marsu-Fix
2008-08-09 13:22 . 2008-08-09 13:22 159,847 --a------ C:\WINDOWS\Marsu-Fix Uninstaller.exe
2008-08-09 13:11 . 2008-08-09 13:11 <DIR> d-------- C:\Program Files\ESET
2008-08-09 13:05 . 2008-08-09 13:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-08-08 19:02 . 2008-08-08 19:04 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-08 19:02 . 2008-08-08 19:02 <DIR> d-------- C:\Documents and Settings\Komulainen\Application Data\SUPERAntiSpyware.com
2008-08-08 19:02 . 2008-08-08 19:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-06 21:12 . 2008-08-06 21:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-26 19:46 . 2008-08-16 18:41 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-07-23 20:12 . 2008-07-23 20:12 <DIR> d-------- C:\Documents and Settings\Komulainen\Application Data\Gearbox Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-19 03:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-08-18 18:16 --------- d-----w C:\Documents and Settings\Komulainen\Application Data\Hamachi
2008-08-17 13:30 --------- d-----w C:\Program Files\Thumbs7
2008-08-17 13:30 --------- d-----w C:\Documents and Settings\Komulainen\Application Data\fujifilm-fi-photo-manager
2008-08-08 16:02 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-06 18:12 --------- d-----w C:\Program Files\Lavasoft
2008-08-04 19:12 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-07-28 17:12 --------- d-----w C:\Documents and Settings\Komulainen\Application Data\teamspeak2
2008-07-26 12:54 --------- d-----w C:\Program Files\eMule
2008-07-19 12:08 --------- d-----w C:\Program Files\DOSBox-0.65
2008-07-15 09:18 --------- d-----w C:\Documents and Settings\Komulainen\Application Data\uTorrent
2008-07-13 15:00 --------- d-----w C:\Documents and Settings\Komulainen\Application Data\SPORE Creature Creator
2008-07-10 20:02 --------- d-----w C:\Program Files\Audacity
2008-07-08 10:59 --------- d-----w C:\Documents and Settings\Komulainen\Application Data\InstallShield
2008-07-08 09:56 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2008-07-05 17:38 --------- d--h--r C:\Documents and Settings\Komulainen\Application Data\SecuROM
2008-07-01 20:35 --------- d-----w C:\Documents and Settings\Komulainen\Application Data\Skype
2008-07-01 18:46 --------- d-----w C:\Documents and Settings\Komulainen\Application Data\skypePM
2008-01-19 19:47 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15:00 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"msacm.enc"= ITIG726.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)
"NMIndexingService"=3 (0x3)
"IDriverT"=3 (0x3)
"ATI Smart"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"NBService"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"LVSrvLauncher"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"ekrn"=2 (0x2)
"EHttpSrv"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Pelit\\Rise of Nations\\thrones.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Sony\\Media Manager for PSP 2.0\\MediaManager.exe"=
"D:\\Pelit\\Space Empires IV Gold\\Se4.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"D:\\Pelit\\Space Siege\\Space Siege\\SpaceSiege.exe"=
"D:\\Pelit\\Space Siege\\GPGNet\\GPG.Multiplayer.Client.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54238:TCP"= 54238:TCP:BitComet 54238 TCP
"54238:UDP"= 54238:UDP:BitComet 54238 UDP
"50732:TCP"= 50732:TCP:BitComet 50732 TCP
"50732:UDP"= 50732:UDP:BitComet 50732 UDP

R0 viasraid;viasraid;C:\WINDOWS\system32\drivers\viasraid.sys [2003-10-31 12:22]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]
R1 SSHDRV77;SSHDRV77;C:\WINDOWS\system32\drivers\SSHDRV77.sys [2008-01-25 21:00]
R1 SSHDRV85;SSHDRV85;C:\WINDOWS\system32\drivers\SSHDRV85.sys [2008-01-25 19:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7feda9aa-5ae1-11dd-af41-0011d8a9c016}]
\Shell\auto\command - J:\Knight.exe open
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
\Shell\explore\command - J:\Knight.exe open
\Shell\find\command - J:\Knight.exe open
\Shell\install\command - J:\Knight.exe open
\Shell\open\command - J:\Knight.exe open
.
Contents of the 'Scheduled Tasks' folder

2008-08-20 C:\WINDOWS\Tasks\At45.job
- ?:\ []
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-20 20:08:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-08-20 20:16:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-20 17:15:20
ComboFix2.txt 2008-08-18 16:57:03

Pre-Run: 12,969,340,928 bytes free
Post-Run: 12,957,679,616 bytes free

154
--------------------------------------





services
------------------------------------

SERVICE_NAME: aawservice
DISPLAY_NAME: Ad-Aware 2007 Service
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: ALG
DISPLAY_NAME: Application Layer Gateway Service
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: AudioSrv
DISPLAY_NAME: Windows Audio
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Browser
DISPLAY_NAME: Computer Browser
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: CryptSvc
DISPLAY_NAME: Cryptographic Services
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: DcomLaunch
DISPLAY_NAME: DCOM Server Process Launcher
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Dhcp
DISPLAY_NAME: DHCP Client
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: dmserver
DISPLAY_NAME: Logical Disk Manager
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Dnscache
DISPLAY_NAME: DNS Client
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: ERSvc
DISPLAY_NAME: Error Reporting Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Eventlog
DISPLAY_NAME: Event Log
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: EventSystem
DISPLAY_NAME: COM+ Event System
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: FastUserSwitchingCompatibility
DISPLAY_NAME: Fast User Switching Compatibility
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: helpsvc
DISPLAY_NAME: Help and Support
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: HTTPFilter
DISPLAY_NAME: HTTP SSL
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: lanmanserver
DISPLAY_NAME: Server
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: lanmanworkstation
DISPLAY_NAME: Workstation
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: LmHosts
DISPLAY_NAME: TCP/IP NetBIOS Helper
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Netman
DISPLAY_NAME: Network Connections
TYPE : 120 WIN32_SHARE_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Nla
DISPLAY_NAME: Network Location Awareness (NLA)
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: PlugPlay
DISPLAY_NAME: Plug and Play
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: PolicyAgent
DISPLAY_NAME: IPSEC Services
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: ProtectedStorage
DISPLAY_NAME: Protected Storage
TYPE : 120 WIN32_SHARE_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: RasMan
DISPLAY_NAME: Remote Access Connection Manager
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: RemoteRegistry
DISPLAY_NAME: Remote Registry
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: RpcSs
DISPLAY_NAME: Remote Procedure Call (RPC)
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: SamSs
DISPLAY_NAME: Security Accounts Manager
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Schedule
DISPLAY_NAME: Schedule
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: seclogon
DISPLAY_NAME: Secondary Logon
TYPE : 120 WIN32_SHARE_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: SENS
DISPLAY_NAME: System Event Notification
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: SharedAccess
DISPLAY_NAME: Windows Firewall/Internet Connection Sharing (ICS)
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: ShellHWDetection
DISPLAY_NAME: Shell Hardware Detection
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: srservice
DISPLAY_NAME: System Restore Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: SSDPSRV
DISPLAY_NAME: SSDP Discovery Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: stisvc
DISPLAY_NAME: Windows Image Acquisition (WIA)
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: TapiSrv
DISPLAY_NAME: Telephony
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: TermService
DISPLAY_NAME: Terminal Services
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: Themes
DISPLAY_NAME: Themes
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: TrkWks
DISPLAY_NAME: Distributed Link Tracking Client
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: UMWdf
DISPLAY_NAME: Windows User Mode Driver Framework
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: W32Time
DISPLAY_NAME: Windows Time
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: WebClient
DISPLAY_NAME: WebClient
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: winmgmt
DISPLAY_NAME: Windows Management Instrumentation
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: wscsvc
DISPLAY_NAME: Security Center
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: wuauserv
DISPLAY_NAME: Automatic Updates
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: WZCSVC
DISPLAY_NAME: Wireless Zero Configuration
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
---------------------------------------

I'm not sure of the order of the combofix logs. The first one was made first, anyway.

shelf life
2008-08-21, 23:53
hi,

ok thanks for the info. how's it looking on your end now?

please update and run superantispyware and post its log. you can get the log like this:

double-click the SUPERAntispyware icon on your desktop.
* Click Preferences . Click the Statistics/Logs tab .
Choose the latest scan result to copy/paste in reply
* Under Scanner Logs , double-click SUPERAntiSpyware Scan Log .
* It will open in your default text editor (Notepad).
* Please highlight everything , then right-click and choose copy.
* Click close and close again to exit the program. Paste the results in your reply. if there are a lot of cookies listed you can edit them out

step3
2008-08-23, 13:12
Ok. I have two logs - the first one is from a scan I did without updating the definitions, second after an update.

log 1
---------------------
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/22/2008 at 07:31 PM

Application Version : 4.15.1000

Core Rules Database Version : 3531
Trace Rules Database Version: 1520

Scan type : Complete Scan
Total Scan Time : 01:49:04

Memory items scanned : 265
Memory threats detected : 0
Registry items scanned : 5375
Registry threats detected : 0
File items scanned : 303185
File threats detected : 15

Adware.Tracking Cookie
C:\Documents and Settings\Komulainen\Cookies\komulainen@ad.zanox[1].txt
C:\Documents and Settings\Komulainen\Cookies\komulainen@yieldmanager[1].txt
C:\Documents and Settings\Komulainen\Cookies\komulainen@blinck.112.2o7[1].txt
C:\Documents and Settings\Komulainen\Cookies\komulainen@atdmt[2].txt
C:\Documents and Settings\Komulainen\Cookies\komulainen@advertising[1].txt
C:\Documents and Settings\Komulainen\Cookies\komulainen@pro-market[1].txt
C:\Documents and Settings\Komulainen\Cookies\komulainen@partypoker[1].txt
C:\Documents and Settings\Komulainen\Cookies\komulainen@doubleclick[2].txt
C:\Documents and Settings\Komulainen\Cookies\komulainen@ad.yieldmanager[1].txt
C:\Documents and Settings\Komulainen\Cookies\komulainen@bluestreak[2].txt
C:\Documents and Settings\Komulainen\Cookies\komulainen@adserver.easyad[1].txt

Trojan.Unclassified/Solution
C:\PROGRAM FILES\HIJACKTHIS\BACKUPS\BACKUP-20080817-204944-597.DLL
C:\PROGRAM FILES\HIJACKTHIS\BACKUPS\BACKUP-20080817-213448-361.DLL
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\EGOXW0PN.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CABAB8DB-3474-4049-BDD7-9C68607BF8BE}\RP2\A0000007.DLL
--------------------------



log 2
--------------------------
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/23/2008 at 00:27 AM

Application Version : 4.15.1000

Core Rules Database Version : 3544
Trace Rules Database Version: 1533

Scan type : Complete Scan
Total Scan Time : 01:49:13

Memory items scanned : 261
Memory threats detected : 0
Registry items scanned : 5376
Registry threats detected : 0
File items scanned : 303169
File threats detected : 2

Trojan.Unclassified/Solution
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CABAB8DB-3474-4049-BDD7-9C68607BF8BE}\RP5\A0000204.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CABAB8DB-3474-4049-BDD7-9C68607BF8BE}\RP5\A0000205.DLL
-------------------------------


Everything seems fine on the surface - no ads, no strange processes etc. How about the logs? Any more steps I should take?

shelf life
2008-08-24, 01:15
hi step3,

it looks good. why:

first superantispyware log:

the tracking cookies are not really much to be concerned about. cookies can be controlled from within the browser.

the Trojan.Unclassified
are in hjt backups and your system restore point, which we will remove as a last step.

if all looks good on your end:
you can remove combofix and sdfix with another download which will do it automatically for you:

Please download the OTMoveIt2 by OldTimer.

http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe

* Save it to your desktop.
* Please double-click OTMoveIt2.exe to run it.
in the main window click the CleanUp! button and follow the prompts.

java version:

Vulnerabilities/exploits in versions of Sun Java may be responsible for some malware installs via your browser.

It is important to keep Sun Java up to date and also to remove older versions which may have vulnerabilities/exploits that can be taken advantage of to possibly introduce malware via your browser.

* 1. Uninstall old versions of Sun Java via Add/Remove Programs.
* 2. Click the Remove or Change/Remove button
* 3. Reboot your PC if prompted.

to check if you have the latest version of Java and to download the latest version:

http://www.java.com/en/download/installed.jsp

system restore points:

One of the features of Windows ME, XP and Vista is the System Restore option, however if malware infects a computer it is possible that the malware could be backed up in the System Restore folder. Therefore, clearing the restore points is a good idea after malware is removed.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.(new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot

keep malwarebytes and always check for updates before scanning with it. it's a good habit to check for updates to it every few days, even if you don't scan with it. malware scanning is a function of your computer habits.

last: some info for you:

My Top Ten List
The Short Version:

1) Keep your OS, (Windows) browser (IE, FireFox) and software up to date.
2) Know what you are installing to your computer. A lot of software can come with unwanted add-ons. Do you trust the source?
3) Install, keep updated: antivirus and two anti-malware applications.
4) Don't click on links or install files you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting or legitimate the message may be.
5) Don't click on ads/pop ups or offers from websites to install software to your computer.
6) Don't click on offers to "scan" your computer.
7) Set up and use limited accounts rather than administrator accounts.
8) Install and understand the limitations of a third party software firewall.
9) Consider using an alternate browser and E-mail client.
10) If your habits include visiting or installing files from: warez, crack sites or p2p networks you are much more likely to encounter malicious code. Do you trust the source?

longer version in link below

happy safe surfing
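
The triage above (cookies are browser-managed, the Trojan.Unclassified hits sit in HijackThis backups, the ComboFix quarantine and an old restore point, so nothing is live) can be written as a small log reader. This is an added example, not code from the thread or from SUPERAntiSpyware; the sample log is a constructed, trimmed copy of the first log posted above, and the bucket names are my own.

```python
import re

# Constructed sample: the detection section of the first SUPERAntiSpyware log above, cookies trimmed.
SAMPLE_LOG = r"""
File threats detected : 6

Adware.Tracking Cookie
C:\Documents and Settings\Komulainen\Cookies\komulainen@ad.zanox[1].txt
C:\Documents and Settings\Komulainen\Cookies\komulainen@doubleclick[2].txt

Trojan.Unclassified/Solution
C:\PROGRAM FILES\HIJACKTHIS\BACKUPS\BACKUP-20080817-204944-597.DLL
C:\PROGRAM FILES\HIJACKTHIS\BACKUPS\BACKUP-20080817-213448-361.DLL
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\EGOXW0PN.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CABAB8DB-3474-4049-BDD7-9C68607BF8BE}\RP2\A0000007.DLL
"""

def classify(family, path):
    """Map one detection to a triage bucket; only 'live' means an active infection."""
    p = path.upper()
    if family.startswith("Adware.Tracking Cookie"):
        return "cookie"          # browser-managed data, not an executable infection
    if "\\HIJACKTHIS\\BACKUPS\\" in p:
        return "hjt_backup"      # copy HijackThis saved before fixing an entry
    if "\\QOOBOX\\QUARANTINE\\" in p:
        return "quarantine"      # ComboFix quarantine; renamed .VIR, inert
    if "\\SYSTEM VOLUME INFORMATION\\_RESTORE{" in p:
        return "restore_point"   # old System Restore snapshot; gone once restore is reset
    return "live"                # anywhere else: still on disk and needs action

def parse_log(text):
    """Yield (family, path) pairs: a family heading is followed by the paths it covers."""
    family = None
    for line in (l.strip() for l in text.splitlines()):
        if re.match(r"^[A-Za-z]:\\", line):        # drive-letter path -> one detection
            if family:
                yield family, line
        elif line and ":" not in line:              # skip blanks and 'Key : value' lines
            family = line

def triage(text):
    counts = {"cookie": 0, "hjt_backup": 0, "quarantine": 0, "restore_point": 0, "live": 0}
    for family, path in parse_log(text):
        counts[classify(family, path)] += 1
    return counts

def verdict(counts):
    """The helper's reasoning in one line: nothing live on disk means the system looks clean."""
    return "clean" if counts["live"] == 0 else "active: %d live file(s)" % counts["live"]
```

Run it on the second log posted above and only the restore_point bucket is non-zero, which is why resetting System Restore is the last step.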

step3
2008-08-24, 09:21
Alright, I will perform these actions. Thank you so much for your help!