
Thread: Windows XP Recovery, No DDS!

  1. #71
    Member
    Join Date
    Nov 2008
    Posts
    72

    Virus Total

    File already submitted: The file sent has already been analysed by VirusTotal in the past. This is same basic info regarding the sample itself and its last analysis:

    MD5: 4c8fcb5cc53aab716d810740fe59d025
    Date first seen: 2009-03-07 01:14:18 (UTC)
    Date last seen: 2011-06-09 11:13:19 (UTC)
    Detection ratio: 0/42
    _________________________________________________________________

    Antivirus Version Last update Result
    AhnLab-V3 2011.06.12.00 2011.06.11 -
    AntiVir 7.11.9.159 2011.06.11 -
    Antiy-AVL 2.0.3.7 2011.06.11 -
    Avast 4.8.1351.0 2011.06.11 -
    Avast5 5.0.677.0 2011.06.11 -
    AVG 10.0.0.1190 2011.06.11 -
    BitDefender 7.2 2011.06.11 -
    CAT-QuickHeal 11.00 2011.06.11 -
    ClamAV 0.97.0.0 2011.06.10 -
    Commtouch 5.3.2.6 2011.06.11 -
    Comodo 9029 2011.06.11 -
    DrWeb 5.0.2.03300 2011.06.11 -
    eSafe 7.0.17.0 2011.06.09 -
    eTrust-Vet 36.1.8380 2011.06.10 -
    F-Prot 4.6.2.117 2011.06.10 -
    F-Secure 9.0.16440.0 2011.06.11 -
    Fortinet 4.2.257.0 2011.06.11 -
    GData 22 2011.06.11 -
    Ikarus T3.1.1.104.0 2011.06.11 -
    Jiangmin 13.0.900 2011.06.11 -
    K7AntiVirus 9.106.4798 2011.06.10 -
    Kaspersky 9.0.0.837 2011.06.11 -
    McAfee 5.400.0.1158 2011.06.11 -
    McAfee-GW-Edition 2010.1D 2011.06.11 -
    Microsoft 1.6903 2011.06.11 -
    NOD32 6198 2011.06.11 -
    Norman 6.07.10 2011.06.10 -
    nProtect 2011-06-11.01 2011.06.11 -
    Panda 10.0.3.5 2011.06.11 -
    PCTools 7.0.3.5 2011.06.10 -
    Prevx 3.0 2011.06.11 -
    Rising 23.61.04.07 2011.06.10 -
    Sophos 4.66.0 2011.06.11 -
    SUPERAntiSpyware 4.40.0.1006 2011.06.11 -
    Symantec 20111.1.0.186 2011.06.11 -
    TheHacker 6.7.0.1.228 2011.06.11 -
    TrendMicro 9.200.0.1012 2011.06.11 -
    TrendMicro-HouseCall 9.200.0.1012 2011.06.11 -
    VBA32 3.12.16.1 2011.06.10 -
    VIPRE 9551 2011.06.11 -
    ViRobot 2011.6.11.4507 2011.06.11 -
    VirusBuster 14.0.76.0 2011.06.11 -
    MD5: 4c8fcb5cc53aab716d810740fe59d025
    SHA1: da4e0035c58c0edb422eace57b35c90027e15f59
    SHA256: 010eac43dbed700b73e4fc908faaf9f6a0168ebbd5d86751e49bc33aaa18bfa4
    File size: 52352 bytes
    Scan date: 2011-06-11 15:38:21 (UTC)

  2. #72
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Hello Tim.

    I had you check that file because if it is corrupted or infected it will prevent TDSSKiller from running, but it looks like it's ok.

    All SAS removed were tracking cookies.

    The reason I wanted you to try to hook up another computer to your cable modem was to detect if it's infected, but I don't know if you did that yet.

    Drag ComboFix to the trash and let's grab a fresh, updated copy. Run it please and post the log.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #73
    Member
    Join Date
    Nov 2008
    Posts
    72

    Combo Fix Log

    ComboFix 11-06-11.01 - Tim 06/12/2011 12:51:19.7.1 - x86 NETWORK
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.150 [GMT -4:00]
    Running from: C:\Documents and Settings\Tim\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    FW: Outpost Security Suite *Disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}


    ((((((((((((((((((((((((( Files Created from 2011-05-12 to 2011-06-12 )))))))))))))))))))))))))))))))


    2011-06-08 11:01:15 . 2011-06-08 11:01:15 -------- d-----w- C:\Documents and Settings\Tim\Application Data\SUPERAntiSpyware.com
    2011-06-08 11:01:15 . 2011-06-08 11:01:15 -------- d-----w- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-06-08 11:00:41 . 2011-06-10 14:37:47 -------- d-----w- C:\Program Files\SUPERAntiSpyware
    2011-06-07 23:58:26 . 2011-06-07 23:58:26 17480 ----a-w- C:\WINDOWS\system32\drivers\hitmanpro35.sys
    2011-06-07 23:57:07 . 2011-06-07 23:57:43 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Hitman Pro
    2011-06-07 11:44:52 . 2011-06-07 11:45:39 -------- d-----w- C:\rsit
    2011-06-06 16:39:19 . 2011-06-06 16:39:19 -------- d-----w- C:\_OTL
    2011-06-03 19:06:40 . 2011-06-03 19:06:40 260 ----a-w- C:\WINDOWS\system32\cmdVBS.vbs
    2011-06-03 19:06:40 . 2011-06-03 19:06:40 256 ----a-w- C:\WINDOWS\system32\MSIevent.bat
    2011-06-03 18:58:20 . 2011-06-03 18:58:21 65536 ----a-r- C:\Documents and Settings\Tim\Application Data\Microsoft\Installer\{730EF0E8-8B8E-4054-B2CE-5D4BA3BCE510}\NewShortcut1_011BB310849E4442B8017718F2C57FE0.exe
    2011-06-03 18:58:20 . 2011-06-03 18:58:20 65536 ----a-r- C:\Documents and Settings\Tim\Application Data\Microsoft\Installer\{730EF0E8-8B8E-4054-B2CE-5D4BA3BCE510}\NewShortcut1_9E64A938C044442B9C8C104AA62BD820.exe
    2011-06-03 18:58:20 . 2011-06-03 18:58:20 65536 ----a-r- C:\Documents and Settings\Tim\Application Data\Microsoft\Installer\{730EF0E8-8B8E-4054-B2CE-5D4BA3BCE510}\ARPPRODUCTICON.exe
    2011-06-03 18:57:22 . 2011-06-03 19:06:46 -------- d-----w- C:\Program Files\Verizon
    2011-06-03 00:44:27 . 2011-06-03 00:44:27 -------- d-----w- C:\WINDOWS\system32\wbem\Repository
    2011-06-02 22:48:58 . 2011-06-02 22:48:58 -------- d-----w- C:\Program Files\ESET
    2011-05-29 15:35:27 . 2011-06-03 00:41:39 -------- d-----w- C:\Program Files\ERUNT
    2011-05-14 17:01:39 . 2011-05-14 17:01:40 404640 ----a-w- C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2011-03-16 21:13:24 . 2011-01-03 21:44:08 137656 ----a-w- C:\WINDOWS\system32\drivers\avipbb.sys


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Outpost]
    @="{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"
    [HKEY_CLASSES_ROOT\CLSID\{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}]
    C:\Program Files\Agnitum\Outpost Security Suite Free\op_shell.dll [BU]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 08:40:32 218032]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-05-23 15:00:06 2424192]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avgnt"="C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 13:39:54 281768]
    "OutpostMonitor"="C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe" [BU]
    "OutpostFeedBack"="C:\Program Files\Agnitum\Outpost Security Suite Free\feedback.exe" [BU]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2009-05-26 21:18:30 413696]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 17:13:36 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21:41 548352 ----a-w- C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
    backup=C:\WINDOWS\pss\Desktop Manager.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
    backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
    backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-10-07 15:10:04 932288 ----a-w- C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-09-24 09:15:10 40368 ----a-w- C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
    2009-07-06 18:30:16 195072 ----a-w- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12:16 15360 ----a-w- C:\WINDOWS\SYSTEM32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    2004-03-15 06:04:00 122933 ----a-w- C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2006-02-19 07:41:10 49152 ----a-w- C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    2005-09-20 13:32:24 77824 ----a-w- C:\WINDOWS\SYSTEM32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    2005-09-20 13:36:20 114688 ----a-w- C:\WINDOWS\SYSTEM32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    2005-09-20 13:35:40 94208 ----a-w- C:\WINDOWS\SYSTEM32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
    2003-09-04 01:12:44 221184 ----a-w- C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-07-13 18:03:10 292128 ----a-w- C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12:28 1695232 ----a-w- C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nikon Transfer Monitor]
    2009-09-15 23:47:36 479232 ----a-w- C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
    C:\Program Files\Dell\Media Experience\PCMService.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-05-26 21:18:30 413696 ----a-w- C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
    2007-08-16 12:56:14 236016 ----a-w- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-14 15:44:46 248552 ----a-w- C:\Program Files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
    2003-08-19 06:01:00 110592 ----a-w- C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
    "C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
    "C:\\Program Files\\Dell Computer\\Dell Picture Studio v2.0\\launch.exe"=
    "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=
    "C:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "50000:UDP"= 50000:UDP:IHA_MessageCenter

    R1 SandBox;SandBox;C:\WINDOWS\system32\drivers\SandBox.sys [2010-11-26 15:52:28 710696]
    R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 18:25:48 12872]
    R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 18:41:30 67656]
    R2 acssrv;Agnitum Client Security Service;C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe [x]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files\Avira\AntiVir Desktop\sched.exe [2011-04-27 12:25:27 136360]
    R2 IHA_MessageCenter;IHA_MessageCenter;C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [2011-05-24 20:02:04 143360]
    R2 mrtRate;mrtRate; [x]
    R3 afw;Agnitum firewall driver;C:\WINDOWS\system32\DRIVERS\afw.sys [2010-04-20 20:05:16 34280]
    R3 afwcore;afwcore;C:\WINDOWS\system32\drivers\afwcore.sys [2010-09-27 20:40:28 267624]
    R3 ASWFilt;ASWFilt;C:\WINDOWS\system32\Filt\ASWFilt.dll [2010-11-26 15:51:16 72352]
    R3 FlyUsb;FLY Fusion;C:\WINDOWS\system32\DRIVERS\FlyUsb.sys [2009-11-10 14:27:06 18560]
    R3 nosGetPlusHelper;getPlus(R) Helper 3004;C:\WINDOWS\System32\svchost.exe [2008-04-14 00:12:36 14336]
    R3 VBEngNT;VBEngNT;C:\WINDOWS\system32\drivers\VBEngNT.sys [2010-06-09 13:44:20 241088]
    R3 VBFilt;VBFilt;C:\WINDOWS\system32\Filt\VBFilt.dll [2010-11-26 15:51:22 36288]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper


    ------- Supplementary Scan -------

    uStart Page = hxxp://www.app.com/
    mStart Page = hxxp://www.msn.com
    uInternet Settings,ProxyOverride = localhost
    TCP: DhcpNameServer = 192.168.1.1 71.250.0.12
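    Logs like the ComboFix output above are easier to triage when they are parsed into records instead of being read line by line. The following Python script is an added example, not code from this thread or from ComboFix: it parses the "Files Created" lines and the R1/R2/R3 driver/service lines into dataclasses and offers a few defender-side filters (files created under system32, newly created script files, services whose image ComboFix could not stamp, services hosted by svchost.exe). The regular expressions are inferred from the log format shown on this page rather than from a published specification, and reading "[x]" as "image not verified by ComboFix" is an assumption. The sample input is a constructed subset of lines copied from the log posted above.

```python
"""Triage helper for ComboFix log excerpts (added example, not ComboFix's own code)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of lines copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
2011-06-07 23:58:26 . 2011-06-07 23:58:26 17480 ----a-w- C:\WINDOWS\system32\drivers\hitmanpro35.sys
2011-06-07 11:44:52 . 2011-06-07 11:45:39 -------- d-----w- C:\rsit
2011-06-03 19:06:40 . 2011-06-03 19:06:40 260 ----a-w- C:\WINDOWS\system32\cmdVBS.vbs
2011-06-03 19:06:40 . 2011-06-03 19:06:40 256 ----a-w- C:\WINDOWS\system32\MSIevent.bat
R1 SandBox;SandBox;C:\WINDOWS\system32\drivers\SandBox.sys [2010-11-26 15:52:28 710696]
R2 acssrv;Agnitum Client Security Service;C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe [x]
R2 mrtRate;mrtRate; [x]
R3 nosGetPlusHelper;getPlus(R) Helper 3004;C:\WINDOWS\System32\svchost.exe [2008-04-14 00:12:36 14336]
"""

# Format assumptions inferred from the posted log, not from a ComboFix spec:
#   "<created> . <modified> <size|--------> <8 attribute flags> <path>"
#   "<R|S><n> <name>;<display name>;<image path> [<stamp> | x]"
_TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d"
FILE_RE = re.compile(rf"^({_TS}) \. ({_TS}) (\d+|-+) (\S{{8}}) (.+)$")
SVC_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*?) ?\[([^\]]*)\]$")


@dataclass
class FileRecord:
    created: datetime
    modified: datetime
    size: Optional[int]      # None for directories (ComboFix prints dashes instead of a size)
    attrs: str               # e.g. "----a-w-" or "d-----w-"
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


@dataclass
class ServiceRecord:
    start: str               # R1/R2/R3 as printed by ComboFix
    name: str
    display: str
    image: str               # may be empty when ComboFix found no image path
    stamp: str               # "YYYY-MM-DD HH:MM:SS size", or "x" (assumed: image not verified)


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_log(text: str) -> Tuple[List[FileRecord], List[ServiceRecord]]:
    """Split a ComboFix excerpt into file-created records and service records; other lines are ignored."""
    files: List[FileRecord] = []
    services: List[ServiceRecord] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            created, modified, size, attrs, path = m.groups()
            files.append(FileRecord(_ts(created), _ts(modified),
                                    None if size.startswith("-") else int(size), attrs, path))
            continue
        m = SVC_RE.match(line)
        if m:
            services.append(ServiceRecord(*m.groups()))
    return files, services


def files_under(files: List[FileRecord], prefix: str) -> List[FileRecord]:
    """Non-directory files whose path starts with prefix (case-insensitive, as NTFS paths are)."""
    wanted = prefix.lower().rstrip("\\") + "\\"
    hits = [f for f in files if not f.is_dir and f.path.lower().startswith(wanted)]
    return sorted(hits, key=lambda f: f.path.lower())


def new_scripts(files: List[FileRecord]) -> List[str]:
    """Script/batch files created in the reporting window; worth a look, not a verdict."""
    exts = (".vbs", ".bat", ".cmd", ".js", ".ps1")
    return [f.path for f in files if not f.is_dir and f.path.lower().endswith(exts)]


def unverified_services(services: List[ServiceRecord]) -> List[str]:
    """Services whose image ComboFix marked "[x]" instead of a timestamp and size."""
    return [s.name for s in services if s.stamp == "x"]


def svchost_hosted(services: List[ServiceRecord]) -> List[str]:
    """Services whose image is svchost.exe, i.e. a DLL loaded via an svchost group (see the svchost key in the log)."""
    return [s.name for s in services if s.image.lower().endswith("\\svchost.exe")]


def triage(text: str) -> Dict[str, List[str]]:
    files, services = parse_log(text)
    return {
        "system32_files": [f.path for f in files_under(files, r"C:\WINDOWS\system32")],
        "new_scripts": new_scripts(files),
        "unverified_services": unverified_services(services),
        "svchost_hosted": svchost_hosted(services),
    }


if __name__ == "__main__":
    for key, values in triage(SAMPLE_LOG).items():
        print(f"{key}:")
        for v in values:
            print(f"  {v}")
```

    Run it against a full ComboFix log to get the same four buckets for the whole report; any line the two patterns do not recognise (section banners, registry keys, the Find3M report) is skipped rather than mis-parsed.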

  4. #74
    Member
    Join Date
    Nov 2008
    Posts
    72

    Modem Check

    Ken, I currently have no access to another computer to verify if the modem is infected.

  5. #75
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Hello Tim,

    Just wanted to let you know that I will be away and offline from this evening until the end of the month, but this thread will still be open; another helper will step in and help you.

    CF log looks ok. Still being redirected to Scour?

    It's most likely where we haven't looked; it may be in your Add/Remove Programs in the Control Panel.

    ProgramFiles%\scourtoolbar\uninstall.exe<--

  6. #76
    Security Expert-Emeritus Dakeyras
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,173


    Hi.

    I will be assisting your good self from this point onwards...

    Please answer my colleague's last query (post #75) and we will go from there, thank you.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  7. #77
    Security Expert-Emeritus Dakeyras
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,173


    Due to the lack of feedback this Topic is closed.

    If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh set of DDS logs and a link to your previous thread.

    If it has been less than three days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.
