
Solved

Virtumonde trojan/virus Help with Combofix?

Posted on 2009-05-01
Medium Priority
794 Views
Last Modified: 2013-11-22
I have a computer running XP Pro that is infected with the Virtumonde virus or trojan. I've run HijackThis, ComboFix, SpyBot, VundoFix, etc. The system is more stable, but when I hooked it back up to the internet Virtumonde came back. When I run SpyBot it takes it over. When I run VundoFix it finds a file zxugprcb.dll, and nothing will delete it. Attached is the ComboFix file. I would like to attempt to clear this monster instead of starting over. Thanks!
Question by:csimike
26 Comments
 
LVL 16

Expert Comment

by:warturtle
ID: 24281644
I am going to suggest that you download MalwareBytes Anti-Malware from www.malwarebytes.org and, after installation, reboot your PC in safe mode (without networking) and scan with it. If you're unable to install MalwareBytes, then download it again and save it with a different name, like jabba.exe, and then install and run it.
 
LVL 16

Expert Comment

by:warturtle
ID: 24281650
Running any scan in safe mode will generally have more success as compared to scanning in normal mode.
 
LVL 16

Expert Comment

by:warturtle
ID: 24282353
By the way, can you please send the ComboFix log?
 

Author Comment

by:csimike
ID: 24282550
OK, here is the log for the ComboFix and the MalwareBytes. You can see on both of them there are files that it can't delete.
 

Author Comment

by:csimike
ID: 24282562
It's not attaching the file for some reason.

ComboFix 09-04-28.03 - XXXXXX 05/01/2009 15:00.5 - NTFSx86 MINIMAL
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.771 [GMT -4:00]
Running from: E:\ComboFix.exe
FW: ZoneAlarm Firewall *disabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\zxugprcb.dll . . . . failed to delete

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SFC


(((((((((((((((((((((((((   Files Created from 2009-06-01 to 2009-5-1  )))))))))))))))))))))))))))))))
.

2009-05-01 17:39 . 2009-05-01 17:39      --------      d-----w      c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-01 17:39 . 2009-04-06 19:32      15504      ----a-w      c:\windows\system32\drivers\mbam.sys
2009-05-01 17:39 . 2009-04-06 19:32      38496      ----a-w      c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-01 17:39 . 2009-05-01 17:39      --------      d-----w      c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-01 17:39 . 2009-05-01 18:29      --------      d-----w      c:\program files\Malwarebytes' Anti-Malware
2009-04-30 19:10 . 2009-05-01 11:40      --------      d-----w      C:\VundoFix Backups
2009-04-30 14:34 . 2009-03-19 19:13      184320      ----a-w      c:\windows\system32\InetCntrl0013.dll
2009-04-30 14:34 . 2009-02-03 18:35      39424      ----a-w      c:\windows\system32\drivers\BSafFltr.sys
2009-04-30 14:34 . 2007-06-04 14:55      29024      ----a-w      c:\windows\system32\drivers\bsofrwl.sys
2009-04-30 13:07 . 2009-04-30 13:07      --------      d-----w      c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-04-29 22:35 . 2009-04-29 22:35      --------      d-----w      c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-29 22:35 . 2009-04-30 14:19      --------      d-----w      c:\program files\SUPERAntiSpyware
2009-04-29 21:49 . 2009-04-29 21:49      --------      d-----w      c:\program files\Common Files\Wise Installation Wizard
2009-04-29 21:49 . 2009-04-29 21:49      --------      d-----w      c:\documents and settings\Administrator\Application Data\TrojanHunter
2009-04-29 20:47 . 2009-04-29 22:11      --------      d-----w      c:\program files\TrojanHunter 5.0
2009-04-28 21:14 . 2009-04-28 21:14      27648      ----a-w      c:\windows\system32\win32hlp.old (2).exe
2009-04-28 21:05 . 2009-04-28 21:05      104960      ----a-w      c:\windows\system32\dllcache\userinit.exe
2009-04-28 21:05 . 2009-04-28 21:05      28672      ----a-w      c:\windows\system32\loader49.exe
2009-04-16 18:58 . 2009-03-06 14:22      284160      ------w      c:\windows\system32\dllcache\pdh.dll
2009-04-16 18:58 . 2009-02-06 10:39      35328      ------w      c:\windows\system32\dllcache\sc.exe
2009-04-16 18:58 . 2009-02-09 12:10      401408      ------w      c:\windows\system32\dllcache\rpcss.dll
2009-04-16 18:58 . 2009-02-06 11:11      110592      ------w      c:\windows\system32\dllcache\services.exe
2009-04-16 18:58 . 2009-02-09 12:10      473600      ------w      c:\windows\system32\dllcache\fastprox.dll
2009-04-16 18:58 . 2009-02-06 10:10      227840      ------w      c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 18:58 . 2009-02-09 12:10      453120      ------w      c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 18:58 . 2009-02-09 12:10      729088      ------w      c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 18:58 . 2009-02-09 12:10      617472      ------w      c:\windows\system32\dllcache\advapi32.dll
2009-04-16 18:58 . 2009-02-09 12:10      714752      ------w      c:\windows\system32\dllcache\ntdll.dll
2009-04-16 18:57 . 2008-05-03 11:55      2560      ------w      c:\windows\system32\xpsp4res.dll
2009-04-16 18:57 . 2008-04-21 12:08      215552      ------w      c:\windows\system32\dllcache\wordpad.exe
2009-04-10 23:22 . 2009-04-10 23:22      --------      d-----w      c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-04-10 19:23 . 2009-04-10 19:23      --------      d-----w      c:\program files\Guitar Pro 5

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-30 16:49 . 2007-08-07 23:04      --------      d-----w      c:\program files\Spybot - Search & Destroy
2009-04-30 16:42 . 2007-02-25 01:39      --------      d-----w      c:\program files\Microsoft Money 2007
2009-04-30 16:38 . 2007-02-25 01:26      --------      d-----w      c:\program files\CCleaner
2009-04-30 12:57 . 2009-04-30 13:25      44032      ----a-w      c:\windows\Internet Logs\xDB1A.tmp
2009-04-30 11:45 . 2008-12-13 01:20      --------      d-----w      c:\program files\Unity
2009-04-30 11:39 . 2007-01-23 12:08      --------      d--h--w      c:\program files\InstallShield Installation Information
2009-04-30 11:38 . 2008-11-26 16:14      --------      d-----w      c:\program files\Cartoon Network
2009-04-30 11:35 . 2009-02-21 18:18      --------      d-----w      c:\program files\Apple Software Update
2009-04-29 20:00 . 2004-08-11 22:00      143872      ----a-w      c:\windows\system32\zxugprcb.dll
2009-04-29 20:00 . 2004-08-11 22:00      103424      ----a-w      c:\windows\system32\zjoxmno.dll
2009-04-26 23:39 . 2009-04-27 19:02      2621440      ----a-w      c:\windows\Internet Logs\xDB19.tmp
2009-04-24 19:52 . 2007-12-08 00:01      596300      --sha-w      c:\windows\system32\drivers\fidbox.idx
2009-04-24 19:52 . 2007-12-08 00:01      51857440      --sha-w      c:\windows\system32\drivers\fidbox.dat
2009-04-14 04:06 . 2008-10-04 12:55      256      ----a-w      c:\windows\system32\pool.bin
2009-04-10 19:27 . 2007-01-23 12:12      125856      ----a-w      c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-04 21:18 . 2008-05-08 11:15      21840      ----atw      c:\windows\system32\SIntfNT.dll
2009-04-04 21:18 . 2008-05-08 11:15      17212      ----atw      c:\windows\system32\SIntf32.dll
2009-04-04 21:18 . 2008-05-08 11:15      12067      ----atw      c:\windows\system32\SIntf16.dll
2009-03-30 22:45 . 2009-03-30 22:45      --------      d-----w      c:\program files\MSECache
2009-03-13 21:10 . 2009-03-13 21:10      --------      d-----w      c:\program files\Adobe Media Player
2009-03-13 21:10 . 2009-03-13 21:10      --------      d-----w      c:\program files\Common Files\Adobe AIR
2009-03-13 11:09 . 2008-07-02 12:59      34      ----a-w      c:\documents and settings\Mike Beatty\jagex_runescape_preferences.dat
2009-03-06 14:22 . 2004-08-11 22:00      284160      ----a-w      c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-11 22:00      826368      ----a-w      c:\windows\system32\wininet.dll
2009-02-26 22:11 . 2009-02-27 00:07      1881088      ----a-w      c:\windows\Internet Logs\xDB18.tmp
2009-02-26 22:07 . 2009-02-26 22:08      1881088      ----a-w      c:\windows\Internet Logs\xDB17.tmp
2009-02-25 08:13 . 2007-05-23 07:06      15247639      ----a-w      c:\windows\Internet Logs\tvDebug.zip
2009-02-20 18:09 . 2004-08-11 22:00      78336      ----a-w      c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-11 22:00      729088      ----a-w      c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-11 22:00      401408      ----a-w      c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-11 22:00      714752      ----a-w      c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-11 22:00      617472      ----a-w      c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2004-08-11 22:00      1846784      ----a-w      c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-11 22:00      110592      ----a-w      c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-11 22:00      2145280      ----a-w      c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-11 22:00      35328      ----a-w      c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-04 03:59      2023936      ----a-w      c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2004-08-11 22:00      56832      ----a-w      c:\windows\system32\secur32.dll
.

(((((((((((((((((((((((((((((   SnapShot@2009-04-29_20.05.36   )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-11 22:00 . 2008-04-14 00:12      26112              c:\windows\system32\USERINIT.EXE
+ 2009-04-29 20:47 . 2009-04-29 20:47      59392              c:\windows\system32\streamhlp.dll
- 2008-05-22 23:28 . 2008-01-28 15:37      77824              c:\windows\system32\InetCntrl\UTIL\Unzip.dll
+ 2009-04-30 14:34 . 2008-01-28 16:37      77824              c:\windows\system32\InetCntrl\UTIL\Unzip.dll
+ 2009-04-30 14:34 . 2009-01-14 20:56      54512              c:\windows\system32\InetCntrl\StartInet.exe
+ 2009-04-30 14:34 . 2007-09-24 20:47      13888              c:\windows\system32\InetCntrl\SpOrder.Dll
- 2007-02-25 23:21 . 2007-09-24 19:47      13888              c:\windows\system32\InetCntrl\SpOrder.Dll
- 2007-02-25 23:21 . 2007-06-04 14:56      81920              c:\windows\system32\InetCntrl\PopupKil\popuphuk.dll
+ 2009-04-30 14:34 . 2007-06-04 14:55      81920              c:\windows\system32\InetCntrl\PopupKil\popuphuk.dll
+ 2009-04-30 14:34 . 2008-01-28 16:37      98304              c:\windows\system32\InetCntrl\Maint\Setup.dll
- 2008-05-22 23:28 . 2008-01-28 15:37      98304              c:\windows\system32\InetCntrl\Maint\Setup.dll
- 2007-02-25 23:21 . 2008-01-31 18:25      61440              c:\windows\system32\InetCntrl\FW\fwapi.dll
+ 2009-04-30 14:34 . 2008-01-29 20:41      61440              c:\windows\system32\InetCntrl\FW\fwapi.dll
+ 2009-04-30 14:34 . 2009-05-01 19:05      66722              c:\windows\system32\InetCntrl\Data\userpolicy.bin
- 2007-02-25 00:49 . 2009-04-29 20:03      32768              c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-02-25 00:49 . 2009-05-01 19:04      32768              c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-02-25 00:49 . 2009-04-29 20:03      32768              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-02-25 00:49 . 2009-05-01 19:04      32768              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-02-25 00:49 . 2009-04-29 20:03      32768              c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2007-02-25 00:49 . 2009-05-01 19:04      32768              c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-04-29 22:35 . 2009-04-29 22:35      65024              c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2009-04-29 22:35 . 2009-04-29 22:35      18944              c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
- 2007-02-25 15:37 . 2009-04-17 07:02      23040              c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2007-02-25 15:37 . 2009-04-30 18:13      23040              c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2007-02-25 15:37 . 2009-04-30 18:13      61440              c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2007-02-25 15:37 . 2009-04-17 07:02      61440              c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2007-02-25 15:37 . 2009-04-17 07:02      27136              c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2007-02-25 15:37 . 2009-04-30 18:13      27136              c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2007-02-25 15:37 . 2009-04-30 18:13      11264              c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2007-02-25 15:37 . 2009-04-17 07:02      11264              c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2007-02-25 15:37 . 2009-04-17 07:02      12288              c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2007-02-25 15:37 . 2009-04-30 18:13      12288              c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2007-02-25 23:43 . 2009-04-01 19:33      2922              c:\windows\system32\InetCntrl\Data\firetmpl.bin
+ 2009-04-30 14:38 . 2009-04-30 14:38      2922              c:\windows\system32\InetCntrl\Data\firetmpl.bin
+ 2009-04-30 14:34 . 2008-11-12 13:41      5444              c:\windows\system32\InetCntrl\AV\config.dat
+ 2007-02-25 15:37 . 2009-04-30 18:13      4096              c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2007-02-25 15:37 . 2009-04-17 07:02      4096              c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-04-30 14:34 . 2008-12-17 21:09      151552              c:\windows\system32\InetCntrl\UTIL\XMLParse.dll
- 2008-05-22 23:28 . 2008-01-28 15:39      151552              c:\windows\system32\InetCntrl\UTIL\XMLParse.dll
+ 2009-04-30 14:34 . 2009-03-05 14:02      139264              c:\windows\system32\InetCntrl\UTIL\HTTP_Downloader.dll
- 2008-05-22 23:28 . 2008-01-28 15:37      139264              c:\windows\system32\InetCntrl\UTIL\HTTP_Downloader.dll
- 2007-02-25 23:21 . 2008-01-18 05:09      369960              c:\windows\system32\InetCntrl\PopupKil\BsafeBHO.dll
+ 2009-04-30 14:34 . 2008-01-17 19:13      369960              c:\windows\system32\InetCntrl\PopupKil\BsafeBHO.dll
+ 2009-04-30 14:34 . 2009-03-20 14:37      890200              c:\windows\system32\InetCntrl\Maint\Setup.exe
+ 2009-04-30 14:34 . 2009-03-30 13:51      841048              c:\windows\system32\InetCntrl\InetCntrl.exe
+ 2009-04-30 14:34 . 2008-12-29 20:14      294912              c:\windows\system32\InetCntrl\IM\BsecureIM.dll
- 2007-02-25 23:21 . 2008-01-31 18:25      294912              c:\windows\system32\InetCntrl\IM\BsecureIM.dll
+ 2007-02-25 23:21 . 2008-12-03 13:58      196608              c:\windows\system32\InetCntrl\Email\icat.dll
- 2007-02-25 23:21 . 2007-06-04 14:56      196608              c:\windows\system32\InetCntrl\Email\icat.dll
+ 2007-02-25 23:21 . 2008-12-03 13:58      114688              c:\windows\system32\InetCntrl\Email\contacts.dll
+ 2009-04-30 14:34 . 2009-03-19 20:13      249856              c:\windows\system32\InetCntrl\AV\BsafSavi.dll
+ 2007-02-25 15:37 . 2009-04-30 18:13      409600              c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2007-02-25 15:37 . 2009-04-17 07:02      409600              c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2007-02-25 15:37 . 2009-04-30 18:13      286720              c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2007-02-25 15:37 . 2009-04-17 07:02      286720              c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2007-02-25 15:37 . 2009-04-17 07:02      249856              c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2007-02-25 15:37 . 2009-04-30 18:13      249856              c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2007-02-25 15:37 . 2009-04-30 18:13      794624              c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2007-02-25 15:37 . 2009-04-17 07:02      794624              c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2007-02-25 15:37 . 2009-04-30 18:13      135168              c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2007-02-25 15:37 . 2009-04-17 07:02      135168              c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2007-02-25 15:37 . 2009-04-17 07:02      593920              c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2007-02-25 15:37 . 2009-04-30 18:13      593920              c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2009-04-30 14:34 . 2009-03-06 12:50      1631472              c:\windows\system32\InetCntrl\Maint\ControlCenter.exe
+ 2009-04-30 14:34 . 2008-11-12 13:41      3092646              c:\windows\system32\InetCntrl\AV\mcscan32.dll
+ 2009-04-30 14:44 . 2009-05-01 18:18      1090093              c:\windows\system32\InetCntrl\AV\avvnames.dat
+ 2009-04-30 14:44 . 2009-05-01 18:18      2568685              c:\windows\system32\InetCntrl\AV\avvclean.dat
+ 2009-04-30 14:44 . 2009-05-01 18:18      67884333              c:\windows\system32\InetCntrl\AV\avvscan.dat
.
-- Snapshot reset to current date --
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9690767A-805D-49CF-BF83-9299C04202CB}]
2004-08-04 10:00      103424      ----a-w      c:\windows\system32\bkljveq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-27 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-30 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]
"THGuard"="c:\program files\TrojanHunter 5.0\THGuard.exe" [2009-04-13 1061536]
"InetCntrl"="c:\windows\system32\InetCntrl\InetCntrl.exe" [2009-03-30 841048]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05      356352      ----a-w      c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mike Beatty^Start Menu^Programs^Startup^ChkDisk.dll]
path=c:\documents and settings\Mike Beatty\Start Menu\Programs\Startup\ChkDisk.dll
backup=c:\windows\pss\ChkDisk.dllStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mike Beatty^Start Menu^Programs^Startup^ChkDisk.lnk]
path=c:\documents and settings\Mike Beatty\Start Menu\Programs\Startup\ChkDisk.lnk
backup=c:\windows\pss\ChkDisk.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\SkillGround\\Games\\UTG\\Main.exe"=
"c:\\Program Files\\SkillGround\\Games\\WarPath\\System\\Warpath.exe"=
"c:\\Program Files\\SkillGround\\Games\\KungFu\\System\\KungFu.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

S0 kdqitozh;kdqitozh;c:\windows\system32\drivers\kdqitozh.sys [2004-08-04 23424]
S1 bsofrwl;bsofrwl; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-03-17 65536]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]


--- Other Services/Drivers In Memory ---

*Deregistered* - BSafeFilter

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1aaa266c-2f14-11de-a87b-0019b90ecf22}]
\Shell\AutoRun\command - E:\ImageViewer4.exe -COPYFILE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d17d1ebd-e64b-11dd-a20d-0019b90ecf22}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db30c78d-d889-11dd-a20a-0019b90ecf22}]
\Shell\AutoRun\command - E:\rcaeasyrip_setup.exe
\Shell\install\command - E:\rcaeasyrip_setup.exe
\Shell\usermanualEnglish\command - E:\rcaeasyrip_setup.exe /pdf_English
\Shell\usermanualFrench\command - E:\rcaeasyrip_setup.exe /pdf_French
\Shell\usermanualSpanish\command - E:\rcaeasyrip_setup.exe /pdf_Spanish
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.charter.net/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - ?p=ZKxdm173RAUS
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
LSP: InetCntrl0013.dll
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-01 15:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  


c:\windows\system32\drivers\ovfsthxvuwtjrnm.sys 81408 bytes executable
c:\windows\system32\ovfsthxjgoyuyxj.dll 18432 bytes executable
c:\windows\system32\ovfsthxveylatac.dat 1072589 bytes
c:\windows\system32\ovfsthxxbwppquk.dll 18432 bytes executable
c:\windows\system32\ovfsthxxsjklgvp.dll 59904 bytes executable
c:\windows\system32\ovfsthxxxpyhrxt.dat 43 bytes

scan completed successfully
hidden files: 6

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(548)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(604)
c:\windows\system32\InetCntrl0013.dll

- - - - - - - > 'explorer.exe'(3540)
c:\windows\system32\InetCntrl\PopupKil\popuphuk.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\BRSS01A.EXE
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-01 15:08 - machine was rebooted
ComboFix-quarantined-files.txt  2009-05-01 19:08
ComboFix2.txt  2009-04-30 13:29
ComboFix3.txt  2009-04-30 12:03
ComboFix4.txt  2009-04-29 20:09

Pre-Run: 123,919,425,536 bytes free
Post-Run: 122,791,833,600 bytes free

292      --- E O F ---      2009-04-30 18:13
 

Author Comment

by:csimike
ID: 24282571
Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

5/1/2009 2:58:35 PM
mbam-log-2009-05-01 (14-58-35).txt

Scan type: Quick Scan
Objects scanned: 77205
Time elapsed: 5 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9690767a-805d-49cf-bf83-9299c04202cb} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{9690767a-805d-49cf-bf83-9299c04202cb} (Trojan.BHO.H) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\bkljveq.dll (Trojan.BHO.H) -> Delete on reboot.
 
LVL 16

Expert Comment

by:warturtle
ID: 24282767
Thanks for sending the logs. I've composed a script for ComboFix which you will have to run. Copy the text below in bold into Notepad and save it as CFScript.txt. Then drag and drop CFScript.txt on top of the ComboFix executable. This will generate another ComboFix log; please post that here, and do a scan with SuperAntiSpyware or MalwareBytes and send me that report as well.

KILLALL::
File::
c:\windows\system32\ovfsthxjgoyuyxj.dll
c:\windows\system32\ovfsthxveylatac.dat
c:\windows\system32\ovfsthxxbwppquk.dll
c:\windows\system32\ovfsthxxsjklgvp.dll
c:\windows\system32\ovfsthxxxpyhrxt.dat
c:\WINDOWS\system32\bkljveq.dll
c:\windows\system32\zjoxmno.dll
c:\windows\system32\zxugprcb.dll
c:\windows\system32\loader49.exe

Driver::
kdqitozh.sys
ovfsthxvuwtjrnm.sys

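The indicators that the CFScript above targets can be pulled out of the ComboFix log mechanically rather than by eye. The Python below is an added example written for this page; it is not code from the thread and not a ComboFix feature. It parses the line shapes visible in the first log above (the "failed to delete" lines under Other Deletions, the two-timestamp file entries, the Browser Helper Objects key, the S0/S1 driver lines, the firewall and Security Center values, and catchme's hidden-file list), flags them with a few heuristics, and prints a File:: block in the shape of the script warturtle posted. The heuristics are assumptions: a file dropped into system32 within the last seven days whose other timestamp is the 2004-08-11 22:00 stamp that XP's own files carry in this log is treated as timestomped, a BHO loaded straight from system32 is treated as suspect, and a boot/system-start driver whose service name, display name and file name are all the same string is flagged for review. The embedded sample is an excerpt of the first log above; Driver:: entries and judgment calls such as loader49.exe are left to the analyst.

```python
"""Triage a ComboFix log for Vundo-style indicators and draft a CFScript File:: block.
Added example for this page, not part of the thread and not a ComboFix feature; every
rule, the 2004-08-11 22:00 baseline and the 7-day window are assumptions."""
import re
from datetime import datetime, timedelta
XP_BASELINE = {"2004-08-11 22:00"}   # last-write stamp XP's own system files carry in the log above
RECENT_DAYS = 7                      # "dropped recently" window, relative to the newest log entry
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\system32\drivers"}
TS = r"\d{4}-\d\d-\d\d \d\d:\d\d"
# Line shapes taken from the ComboFix sections posted above.
FIND3M  = re.compile(rf"^(?P<t1>{TS}) \. (?P<t2>{TS})\s+\S+\s+\S+\s+(?P<path>.+?)\s*$")
FAILED  = re.compile(r"^(?P<path>.+?) \. \. \. \. failed to delete\s*$")
BHO_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\(?P<clsid>\{[^}]+\})\]")
BHO_DLL = re.compile(rf"^{TS}\s+\d+\s+\S+\s+(?P<path>.+?)\s*$")
DRIVER  = re.compile(r"^S(?P<start>\d) (?P<svc>[^;]+);(?P<disp>[^;]*);(?P<path>[^\[]*?)\s*(?:\[.*\])?$")
HIDDEN  = re.compile(r"^(?P<path>[a-z]:\\.+?) \d+ bytes(?: executable)?\s*$", re.I)
REGVAL  = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.+?)\s*$')

# Constructed sample: an excerpt of the first ComboFix log posted above.
SAMPLE = r"""
c:\windows\system32\zxugprcb.dll . . . . failed to delete
2009-05-01 17:39 . 2009-04-06 19:32      15504      ----a-w      c:\windows\system32\drivers\mbam.sys
2009-04-29 20:00 . 2004-08-11 22:00      143872      ----a-w      c:\windows\system32\zxugprcb.dll
2009-04-29 20:00 . 2004-08-11 22:00      103424      ----a-w      c:\windows\system32\zjoxmno.dll
2009-03-06 14:22 . 2004-08-11 22:00      284160      ----a-w      c:\windows\system32\pdh.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9690767A-805D-49CF-BF83-9299C04202CB}]
2004-08-04 10:00      103424      ----a-w      c:\windows\system32\bkljveq.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
S0 kdqitozh;kdqitozh;c:\windows\system32\drivers\kdqitozh.sys [2004-08-04 23424]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
scanning hidden files ...
c:\windows\system32\drivers\ovfsthxvuwtjrnm.sys 81408 bytes executable
c:\windows\system32\ovfsthxjgoyuyxj.dll 18432 bytes executable
c:\windows\system32\ovfsthxveylatac.dat 1072589 bytes
scan completed successfully
"""

def _parent(path):
    return path.lower().rsplit("\\", 1)[0]

def triage(log_text):
    """Return (findings, files): findings are (rule, detail) pairs, files the
    sorted paths worth listing under File:: in a CFScript."""
    findings, files, entries = [], set(), []
    pending_bho, in_hidden = None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("scanning hidden files"):
            in_hidden = True
        elif line.startswith("scan completed"):
            in_hidden = False
        elif (m := FAILED.match(line)):                 # ComboFix could not remove it: loaded or protected
            findings.append(("locked", f"{m['path']} failed to delete"))
            files.add(m["path"])
        elif in_hidden and (m := HIDDEN.match(line)):  # catchme: hidden from the file-system API
            findings.append(("hidden", f"{m['path']} hidden (rootkit)"))
            files.add(m["path"])
        elif (m := BHO_KEY.match(line)):
            pending_bho = m["clsid"]
        elif line.startswith("["):                      # any other key ends a pending BHO block
            pending_bho = None
        elif pending_bho and (m := BHO_DLL.match(line)):
            if _parent(m["path"]) in SYSTEM_DIRS:       # legitimate BHOs live under Program Files
                findings.append(("bho", f"BHO {pending_bho} loads {m['path']} from system32"))
                files.add(m["path"])
            pending_bho = None
        elif (m := FIND3M.match(line)):
            entries.append(m)
        elif (m := DRIVER.match(line)):
            stem = m["path"].lower().rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if m["start"] in "01" and _parent(m["path"]) == r"c:\windows\system32\drivers" \
                    and m["svc"].lower() == m["disp"].lower() == stem:
                findings.append(("driver", f"boot/system-start driver {m['svc']} with no vendor name"))
        elif (m := REGVAL.match(line)):
            if m["name"] == "EnableFirewall" and m["val"].startswith("0"):
                findings.append(("posture", "Windows Firewall disabled (standardprofile)"))
            elif m["name"] == "DisableMonitoring" and m["val"].endswith("1"):
                findings.append(("posture", "Security Center firewall monitoring disabled"))
    # Timestomp: created within RECENT_DAYS of the newest entry, last-write reset to the XP baseline.
    if entries:
        newest = max(datetime.strptime(e["t1"], "%Y-%m-%d %H:%M") for e in entries)
        for e in entries:
            age = newest - datetime.strptime(e["t1"], "%Y-%m-%d %H:%M")
            if (_parent(e["path"]) in SYSTEM_DIRS and e["path"].lower().endswith((".dll", ".sys", ".exe"))
                    and e["t2"] in XP_BASELINE and age <= timedelta(days=RECENT_DAYS)):
                findings.append(("timestomp", f"{e['path']} created {e['t1']} but stamped {e['t2']}"))
                files.add(e["path"])
    return findings, sorted(files, key=str.lower)

def cfscript(files):
    """Render the File:: block in the form of the script posted above (Driver:: is left to the analyst)."""
    return "KILLALL::\nFile::\n" + "\n".join(files) + "\n"

if __name__ == "__main__":
    found, paths = triage(SAMPLE)
    print("\n".join(f"[{r}] {d}" for r, d in found), cfscript(paths), sep="\n\n")
```

Run it with python3 to see the findings and the File:: block. pdh.dll, which carries the same 2004 stamp but was replaced two months before the log, is left out by the seven-day window, and the SUPERAntiSpyware S1 driver is not flagged because it lives under Program Files. The list it produces matches the File:: entries in the script above apart from loader49.exe, which warturtle added on judgment.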
 

Author Comment

by:csimike
ID: 24282910
ComboFix 09-04-28.03 - 05/01/2009 15:49.6 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.606 [GMT -4:00]
Running from: E:\ComboFix.exe
Command switches used :: E:\CFScript.txt
FW: ZoneAlarm Firewall *enabled*
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\bkljveq.dll
c:\windows\system32\loader49.exe
c:\windows\system32\ovfsthxjgoyuyxj.dll
c:\windows\system32\ovfsthxveylatac.dat
c:\windows\system32\ovfsthxxbwppquk.dll
c:\windows\system32\ovfsthxxsjklgvp.dll
c:\windows\system32\ovfsthxxxpyhrxt.dat
c:\windows\system32\zjoxmno.dll
c:\windows\system32\zxugprcb.dll
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\loader49.exe
c:\windows\system32\ovfsthxjgoyuyxj.dll
c:\windows\system32\ovfsthxveylatac.dat
c:\windows\system32\ovfsthxxbwppquk.dll
c:\windows\system32\ovfsthxxsjklgvp.dll
c:\windows\system32\ovfsthxxxpyhrxt.dat
c:\windows\system32\bkljveq.dll . . . . failed to delete
c:\windows\system32\zjoxmno.dll . . . . failed to delete
c:\windows\system32\zxugprcb.dll . . . . failed to delete

.
(((((((((((((((((((((((((   Files Created from 2009-06-01 to 2009-5-1  )))))))))))))))))))))))))))))))
.

2009-05-01 17:39 . 2009-05-01 17:39      --------      d-----w      c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-01 17:39 . 2009-04-06 19:32      15504      ----a-w      c:\windows\system32\drivers\mbam.sys
2009-05-01 17:39 . 2009-04-06 19:32      38496      ----a-w      c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-01 17:39 . 2009-05-01 17:39      --------      d-----w      c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-01 17:39 . 2009-05-01 18:29      --------      d-----w      c:\program files\Malwarebytes' Anti-Malware
2009-04-30 19:10 . 2009-05-01 11:40      --------      d-----w      C:\VundoFix Backups
2009-04-30 14:34 . 2009-03-19 19:13      184320      ----a-w      c:\windows\system32\InetCntrl0013.dll
2009-04-30 14:34 . 2009-02-03 18:35      39424      ----a-w      c:\windows\system32\drivers\BSafFltr.sys
2009-04-30 14:34 . 2007-06-04 14:55      29024      ----a-w      c:\windows\system32\drivers\bsofrwl.sys
2009-04-30 13:07 . 2009-04-30 13:07      --------      d-----w      c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-04-29 22:35 . 2009-04-29 22:35      --------      d-----w      c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-29 22:35 . 2009-04-30 14:19      --------      d-----w      c:\program files\SUPERAntiSpyware
2009-04-29 21:49 . 2009-04-29 21:49      --------      d-----w      c:\program files\Common Files\Wise Installation Wizard
2009-04-29 21:49 . 2009-04-29 21:49      --------      d-----w      c:\documents and settings\Administrator\Application Data\TrojanHunter
2009-04-29 20:47 . 2009-04-29 22:11      --------      d-----w      c:\program files\TrojanHunter 5.0
2009-04-28 21:14 . 2009-04-28 21:14      27648      ----a-w      c:\windows\system32\win32hlp.old (2).exe
2009-04-28 21:05 . 2009-04-28 21:05      104960      ----a-w      c:\windows\system32\dllcache\userinit.exe
2009-04-16 18:58 . 2009-03-06 14:22      284160      ------w      c:\windows\system32\dllcache\pdh.dll
2009-04-16 18:58 . 2009-02-06 10:39      35328      ------w      c:\windows\system32\dllcache\sc.exe
2009-04-16 18:58 . 2009-02-09 12:10      401408      ------w      c:\windows\system32\dllcache\rpcss.dll
2009-04-16 18:58 . 2009-02-06 11:11      110592      ------w      c:\windows\system32\dllcache\services.exe
2009-04-16 18:58 . 2009-02-09 12:10      473600      ------w      c:\windows\system32\dllcache\fastprox.dll
2009-04-16 18:58 . 2009-02-06 10:10      227840      ------w      c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 18:58 . 2009-02-09 12:10      453120      ------w      c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 18:58 . 2009-02-09 12:10      729088      ------w      c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 18:58 . 2009-02-09 12:10      617472      ------w      c:\windows\system32\dllcache\advapi32.dll
2009-04-16 18:58 . 2009-02-09 12:10      714752      ------w      c:\windows\system32\dllcache\ntdll.dll
2009-04-16 18:57 . 2008-05-03 11:55      2560      ------w      c:\windows\system32\xpsp4res.dll
2009-04-16 18:57 . 2008-04-21 12:08      215552      ------w      c:\windows\system32\dllcache\wordpad.exe
2009-04-10 23:22 . 2009-04-10 23:22      --------      d-----w      c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-04-10 19:23 . 2009-04-10 19:23      --------      d-----w      c:\program files\Guitar Pro 5

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-30 16:49 . 2007-08-07 23:04      --------      d-----w      c:\program files\Spybot - Search & Destroy
2009-04-30 16:42 . 2007-02-25 01:39      --------      d-----w      c:\program files\Microsoft Money 2007
2009-04-30 16:38 . 2007-02-25 01:26      --------      d-----w      c:\program files\CCleaner
2009-04-30 12:57 . 2009-04-30 13:25      44032      ----a-w      c:\windows\Internet Logs\xDB1A.tmp
2009-04-30 11:45 . 2008-12-13 01:20      --------      d-----w      c:\program files\Unity
2009-04-30 11:39 . 2007-01-23 12:08      --------      d--h--w      c:\program files\InstallShield Installation Information
2009-04-30 11:38 . 2008-11-26 16:14      --------      d-----w      c:\program files\Cartoon Network
2009-04-30 11:35 . 2009-02-21 18:18      --------      d-----w      c:\program files\Apple Software Update
2009-04-29 20:00 . 2004-08-11 22:00      143872      ----a-w      c:\windows\system32\zxugprcb.dll
2009-04-29 20:00 . 2004-08-11 22:00      103424      ----a-w      c:\windows\system32\zjoxmno.dll
2009-04-26 23:39 . 2009-04-27 19:02      2621440      ----a-w      c:\windows\Internet Logs\xDB19.tmp
2009-04-24 19:52 . 2007-12-08 00:01      596300      --sha-w      c:\windows\system32\drivers\fidbox.idx
2009-04-24 19:52 . 2007-12-08 00:01      51857440      --sha-w      c:\windows\system32\drivers\fidbox.dat
2009-04-14 04:06 . 2008-10-04 12:55      256      ----a-w      c:\windows\system32\pool.bin
2009-04-10 19:27 . 2007-01-23 12:12      125856      ----a-w      c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-04 21:18 . 2008-05-08 11:15      21840      ----atw      c:\windows\system32\SIntfNT.dll
2009-04-04 21:18 . 2008-05-08 11:15      17212      ----atw      c:\windows\system32\SIntf32.dll
2009-04-04 21:18 . 2008-05-08 11:15      12067      ----atw      c:\windows\system32\SIntf16.dll
2009-03-30 22:45 . 2009-03-30 22:45      --------      d-----w      c:\program files\MSECache
2009-03-13 21:10 . 2009-03-13 21:10      --------      d-----w      c:\program files\Adobe Media Player
2009-03-13 21:10 . 2009-03-13 21:10      --------      d-----w      c:\program files\Common Files\Adobe AIR
2009-03-13 11:09 . 2008-07-02 12:59      34      ----a-w      c:\documents and settings\Mike Beatty\jagex_runescape_preferences.dat
2009-03-06 14:22 . 2004-08-11 22:00      284160      ----a-w      c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-11 22:00      826368      ----a-w      c:\windows\system32\wininet.dll
2009-02-26 22:11 . 2009-02-27 00:07      1881088      ----a-w      c:\windows\Internet Logs\xDB18.tmp
2009-02-26 22:07 . 2009-02-26 22:08      1881088      ----a-w      c:\windows\Internet Logs\xDB17.tmp
2009-02-25 08:13 . 2007-05-23 07:06      15247639      ----a-w      c:\windows\Internet Logs\tvDebug.zip
2009-02-20 18:09 . 2004-08-11 22:00      78336      ----a-w      c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-11 22:00      729088      ----a-w      c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-11 22:00      401408      ----a-w      c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-11 22:00      714752      ----a-w      c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-11 22:00      617472      ----a-w      c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2004-08-11 22:00      1846784      ----a-w      c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-11 22:00      110592      ----a-w      c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-11 22:00      2145280      ----a-w      c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-11 22:00      35328      ----a-w      c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-04 03:59      2023936      ----a-w      c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2004-08-11 22:00      56832      ----a-w      c:\windows\system32\secur32.dll
.

(((((((((((((((((((((((((((((   SnapShot_2009-05-01_19.05.37   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-30 14:34 . 2009-05-01 19:53      66722              c:\windows\system32\InetCntrl\Data\userpolicy.bin
- 2009-04-30 14:34 . 2009-05-01 19:05      66722              c:\windows\system32\InetCntrl\Data\userpolicy.bin
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9690767A-805D-49CF-BF83-9299C04202CB}]
2004-08-04 10:00      103424      ----a-w      c:\windows\system32\bkljveq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-27 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-30 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]
"THGuard"="c:\program files\TrojanHunter 5.0\THGuard.exe" [2009-04-13 1061536]
"InetCntrl"="c:\windows\system32\InetCntrl\InetCntrl.exe" [2009-03-30 841048]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05      356352      ----a-w      c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mike Beatty^Start Menu^Programs^Startup^ChkDisk.dll]
path=c:\documents and settings\Mike Beatty\Start Menu\Programs\Startup\ChkDisk.dll
backup=c:\windows\pss\ChkDisk.dllStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mike Beatty^Start Menu^Programs^Startup^ChkDisk.lnk]
path=c:\documents and settings\Mike Beatty\Start Menu\Programs\Startup\ChkDisk.lnk
backup=c:\windows\pss\ChkDisk.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\SkillGround\\Games\\UTG\\Main.exe"=
"c:\\Program Files\\SkillGround\\Games\\WarPath\\System\\Warpath.exe"=
"c:\\Program Files\\SkillGround\\Games\\KungFu\\System\\KungFu.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

S0 kdqitozh;kdqitozh;c:\windows\system32\drivers\kdqitozh.sys [2004-08-04 23424]
S1 bsofrwl;bsofrwl; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-03-17 65536]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]


--- Other Services/Drivers In Memory ---

*Deregistered* - BSafeFilter

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1aaa266c-2f14-11de-a87b-0019b90ecf22}]
\Shell\AutoRun\command - E:\ImageViewer4.exe -COPYFILE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d17d1ebd-e64b-11dd-a20d-0019b90ecf22}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db30c78d-d889-11dd-a20a-0019b90ecf22}]
\Shell\AutoRun\command - E:\rcaeasyrip_setup.exe
\Shell\install\command - E:\rcaeasyrip_setup.exe
\Shell\usermanualEnglish\command - E:\rcaeasyrip_setup.exe /pdf_English
\Shell\usermanualFrench\command - E:\rcaeasyrip_setup.exe /pdf_French
\Shell\usermanualSpanish\command - E:\rcaeasyrip_setup.exe /pdf_Spanish
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.charter.net/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - ?p=ZKxdm173RAUS
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
LSP: InetCntrl0013.dll
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-01 15:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  


c:\windows\system32\drivers\ovfsthxvuwtjrnm.sys 81408 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(544)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(600)
c:\windows\system32\InetCntrl0013.dll

- - - - - - - > 'explorer.exe'(2900)
c:\windows\system32\InetCntrl\PopupKil\popuphuk.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\BRSS01A.EXE
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-01 15:57 - machine was rebooted
ComboFix-quarantined-files.txt  2009-05-01 19:57
ComboFix2.txt  2009-05-01 19:08
ComboFix3.txt  2009-04-30 13:29
ComboFix4.txt  2009-04-30 12:03
ComboFix5.txt  2009-05-01 19:48

Pre-Run: 122,765,639,680 bytes free
Post-Run: 122,761,502,720 bytes free

235      --- E O F ---      2009-04-30 18:13
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24283006
You can also try to use FileAssassin from within MalwareBytes. If you go to More Tools and click on the File Assassin button, select the following files 1 at a time:

c:\windows\system32\bkljveq.dll
c:\windows\system32\zjoxmno.dll
c:\windows\system32\zxugprcb.dll

That should get rid of these files.
0
 

Author Comment

by:csimike
ID: 24283253
It won't delete them. It said it can't delete the file, must reboot... reboot and nothing happens.
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24283486
Hmm.. there are 2 options which we can use to finish off this infection:

Option 1: Open registry editor to manually delete entries relating to above files and then scan with MalwareBytes after that and/or run ComboFix.

ovfsthxvuwtjrnm.sys
bkljveq.dll
zjoxmno.dll
zxugprcb.dll

Option 2: Download the Knoppix Live CD, which will allow you to boot into Knoppix Linux without installing anything at all. Delete the below files, reboot your PC in safe mode (Windows) and run the MalwareBytes/ComboFix scan again.

c:\windows\system32\drivers\ovfsthxvuwtjrnm.sys
c:\windows\system32\bkljveq.dll
c:\windows\system32\zjoxmno.dll
c:\windows\system32\zxugprcb.dll

0
 
LVL 16

Expert Comment

by:warturtle
ID: 24283565
Hmmm... I should have provided more information. When you open registry editor by doing regedit and search for a string, you can press F3 to continue searching instead of having to manually open the Find dialog and click Next. Once you find a key and delete it, you can press F3 to resume search and it will continue.

Secondly, the Knoppix ISO can be downloaded from www.knoppix.com.

There is yet another option, it's called VirtuMundoBeGone.exe. It can be downloaded from the webpage: http://www.bleepingcomputer.com/malware-removal/remove-vundo-virtumonde . It's the last option. Best to do this in safe mode (without networking).
0
 

Author Comment

by:csimike
ID: 24283687
VirtuMundoBeGone didn't do anything.. when I go to download Knoppix it just gives me a list of indexes... not sure if that's not over my head. Regedit won't let me delete the files either.
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24283778
Try the following:

a) From Device Manager -> Show hidden peripherals
      Disable ovfsthxvuwtjrnm.sys (in non plug and play peripherals)

b) Download Avenger (http://swandog46.geekstogo.com/avenger.zip) and unzip to your desktop.
Run Avenger, copy & paste the following text in Input script Box:

Drivers to delete:
ovfsthxvuwtjrnm.sys

Click on Execute, followed by yes on other and reboot.

c) Reboot in safe mode

d) Drag and drop the CFScript on top of ComboFix again.

e) Check the msconfig for any obvious strange startup entries and disable them from starting up.

I am quite hopeful that the above suggestions should work fine and resolve the problem.
0
 

Author Comment

by:csimike
ID: 24283921
I still can't delete these:
c:\windows\system32\bkljveq.dll . . . . failed to delete
c:\windows\system32\zjoxmno.dll . . . . failed to delete
c:\windows\system32\zxugprcb.dll . . . . failed to delete
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24284164
Hmm... I suggest that you do an online Kaspersky Scan to find out the actual source of these infections; if we finish the source it's very likely that other things won't regenerate. It's based at: http://www.kaspersky.co.uk/virusscanner . After the loading is done, click on Scan Settings before starting the scan and check 'Extended Database' and then scan the full system with it.

This scan should tell us about the source of the current infection as well as any other infections that are yet to be caught. This scan won't remove infections but only report them.
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 2000 total points
ID: 24284427

That file in one of your external drives you know, I assume?

Thanks for the heads up warturtle.
When we make a script, we also need to make sure that we remove the registry entries showing in the CF log, not just the files, because some particular nasties may make the system unbootable if you remove the file and leave their loading points.


Run ComboFix again using this script. (This is based on the latest log; I haven't checked the other one.)
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\system32\zxugprcb.dll
c:\windows\system32\zjoxmno.dll
c:\windows\system32\bkljveq.dll
c:\windows\system32\drivers\kdqitozh.sys
c:\windows\system32\drivers\ovfsthxvuwtjrnm.sys

Driver::
kdqitozh
bsofrwl

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9690767A-805D-49CF-BF83-9299C04202CB}]
------------------------------------------------------------------------
3. Save the above as CFScript.txt on the same location as combofix.exe
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
 
 
 
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24284548
warturtle, no offense intended, but in addition to missing the loading point,
your CF script directive below is not right; please don't make a script unless you know for sure how to do it, or have someone check it first before posting.
>>>"Driver::
kdqitozh.sys
ovfsthxvuwtjrnm.sys"<<<


You also instructed to use Avenger with this command below:
>>>"Drivers to delete:
ovfsthxvuwtjrnm.sys"<<<

To use that command to remove a driver in Avenger you must make sure that that's really the 'driver name' (the 'Service name' in the services.msc console); we can't just assume it is (and I don't see it in the log).
And once we know the driver name we must also use a driver-specific Avenger command "Files to delete" to remove the physical driver.
0
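As an added check (example code written for this thread, not ComboFix's or Avenger's own tooling), the script below cross-checks a CFScript against a ComboFix log on the two points raised in the accepted answer and the comment above: every file under File:: must have its registry loading point covered by a Registry:: entry, and every Driver:: entry must be a service name that actually appears in the log. The log excerpt is constructed from the log posted earlier in the thread, and the parsing of ComboFix's line formats is an assumption based only on the lines shown here.

```python
import re

# Constructed excerpt modelled on the ComboFix log posted earlier in this thread:
# one BHO loading point, one Run key and three service lines.
COMBOFIX_LOG_EXCERPT = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9690767A-805D-49CF-BF83-9299C04202CB}]
2004-08-04 10:00      103424      ----a-w      c:\windows\system32\bkljveq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

S0 kdqitozh;kdqitozh;c:\windows\system32\drivers\kdqitozh.sys [2004-08-04 23424]
S1 bsofrwl;bsofrwl; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
"""

# The CFScript from the accepted answer above.
ACCEPTED_SCRIPT = r"""
File::
c:\windows\system32\zxugprcb.dll
c:\windows\system32\zjoxmno.dll
c:\windows\system32\bkljveq.dll
c:\windows\system32\drivers\kdqitozh.sys
c:\windows\system32\drivers\ovfsthxvuwtjrnm.sys

Driver::
kdqitozh
bsofrwl

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9690767A-805D-49CF-BF83-9299C04202CB}]
"""

# Constructed to show the two mistakes criticised in the comment above:
# file names under Driver:: and no Registry:: block for the BHO loading point.
FLAWED_SCRIPT = r"""
File::
c:\windows\system32\bkljveq.dll

Driver::
kdqitozh.sys
ovfsthxvuwtjrnm.sys
"""

# ComboFix service lines: "S0 name;display name;path [date size]" ([x] = file missing)
SERVICE_LINE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.*)$")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def parse_cfscript(text):
    """Return {directive: [entries]} for the File::, Driver::, Registry:: blocks."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("::"):
            current = line[:-2].lower()
            sections.setdefault(current, [])
        elif current is not None and line:
            sections[current].append(line)
    return sections

def parse_log(text):
    """Return (registry key -> lower-cased block text, service name -> driver path)."""
    loading_points, services, key, body = {}, {}, None, []
    for line in (l.rstrip() for l in text.splitlines()):
        m = SERVICE_LINE.match(line)
        if m:  # path is '' for a service whose file is missing ([x])
            services[m.group(1).strip().lower()] = m.group(3).split(" [")[0].strip().lower()
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            loading_points[key] = body = []
        elif key is not None and line:
            body.append(line.lower())
        else:  # a blank line closes the current loading-point block
            key = None
    return {k: "\n".join(v) for k, v in loading_points.items()}, services

def check_script(script_text, log_text):
    """Return findings; [] means the script is consistent with the log."""
    script = parse_cfscript(script_text)
    loading_points, services = parse_log(log_text)
    files = sorted({basename(f) for f in script.get("file", [])})
    drivers = sorted({d.lower() for d in script.get("driver", [])})
    reg_keys = {r.strip("[]").lstrip("-").lower() for r in script.get("registry", [])}
    findings = []
    # 1. A file slated for deletion whose loading point is left in place.
    for f in files:
        for key, body in loading_points.items():
            if f in body and key not in reg_keys:
                findings.append(f"{f}: loading point [{key}] not removed by Registry::")
    # 2. Every Driver:: entry must be a service name present in the log.
    for d in drivers:
        if d not in services:
            findings.append(f"Driver:: '{d}' is not a service name in the log")
    # 3. A driver file deleted by File:: should have its service removed too.
    for name, path in services.items():
        if path and basename(path) in files and name not in drivers:
            findings.append(f"{basename(path)}: service '{name}' not listed under Driver::")
    return findings
```

Running check_script on ACCEPTED_SCRIPT returns no findings, while FLAWED_SCRIPT is flagged for the uncovered BHO loading point and for both Driver:: names that are not services.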
 

Author Comment

by:csimike
ID: 24284557
I think it deleted the file, but when it rebooted it is in a chkdsk now saying it's a dirty volume?

ComboFix 09-04-28.03 - Mike Beatty 05/01/2009 21:44.9 - NTFSx86 MINIMAL
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.810 [GMT -4:00]
Running from: E:\ComboFix.exe
Command switches used :: E:\CFScript.txt
FW: ZoneAlarm Firewall *enabled*

FILE ::
c:\windows\system32\bkljveq.dll
c:\windows\system32\drivers\kdqitozh.sys
c:\windows\system32\drivers\ovfsthxvuwtjrnm.sys
c:\windows\system32\zjoxmno.dll
c:\windows\system32\zxugprcb.dll
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bkljveq.dll
c:\windows\system32\drivers\kdqitozh.sys
c:\windows\system32\drivers\ovfsthxvuwtjrnm.sys
c:\windows\system32\zjoxmno.dll
c:\windows\system32\zxugprcb.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BSOFRWL
-------\Legacy_KDQITOZH
-------\Service_bsofrwl
-------\Service_kdqitozh
-------\Service_ovfsthxdadoeoxn


(((((((((((((((((((((((((   Files Created from 2009-06-02 to 2009-5-2  )))))))))))))))))))))))))))))))
.

2009-05-02 01:47 . 2009-05-02 01:47      888      ----a-w      c:\windows\system32\ovfsthxknrkcicc.dat
2009-05-01 23:43 . 2009-05-01 23:43      43      ----a-w      c:\windows\system32\ovfsthxxxpyhrxt.dat
2009-05-01 23:09 . 2009-05-01 23:09      --------      d-----w      c:\program files\Common Files\Gibinsoft Shared
2009-05-01 23:09 . 2009-05-01 23:09      --------      d-----w      c:\program files\GiPo@Utilities
2009-05-01 23:02 . 2009-05-01 23:02      18432      ----a-w      c:\windows\system32\ovfsthxxbwppquk.dll
2009-05-01 23:02 . 2009-05-01 23:02      18432      ----a-w      c:\windows\system32\ovfsthxjgoyuyxj.dll
2009-05-01 23:02 . 2009-05-02 01:44      11160      ----a-w      c:\windows\system32\ovfsthxveylatac.dat
2009-05-01 23:02 . 2009-05-01 23:02      59904      ----a-w      c:\windows\system32\ovfsthxxsjklgvp.dll
2009-05-01 22:04 . 2009-05-01 22:04      --------      d-----w      c:\program files\Unlocker
2009-05-01 17:39 . 2009-05-01 17:39      --------      d-----w      c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-01 17:39 . 2009-04-06 19:32      15504      ----a-w      c:\windows\system32\drivers\mbam.sys
2009-05-01 17:39 . 2009-04-06 19:32      38496      ----a-w      c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-01 17:39 . 2009-05-01 17:39      --------      d-----w      c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-01 17:39 . 2009-05-01 18:29      --------      d-----w      c:\program files\Malwarebytes' Anti-Malware
2009-04-30 19:10 . 2009-05-01 23:04      --------      d-----w      C:\VundoFix Backups
2009-04-30 14:34 . 2009-03-19 19:13      184320      ----a-w      c:\windows\system32\InetCntrl0013.dll
2009-04-30 14:34 . 2009-02-03 18:35      39424      ----a-w      c:\windows\system32\drivers\BSafFltr.sys
2009-04-30 14:34 . 2007-06-04 14:55      29024      ----a-w      c:\windows\system32\drivers\bsofrwl.sys
2009-04-30 13:07 . 2009-04-30 13:07      --------      d-----w      c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-04-29 22:35 . 2009-04-29 22:35      --------      d-----w      c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-29 22:35 . 2009-04-30 14:19      --------      d-----w      c:\program files\SUPERAntiSpyware
2009-04-29 21:49 . 2009-04-29 21:49      --------      d-----w      c:\program files\Common Files\Wise Installation Wizard
2009-04-29 21:49 . 2009-04-29 21:49      --------      d-----w      c:\documents and settings\Administrator\Application Data\TrojanHunter
2009-04-29 20:47 . 2009-04-29 22:11      --------      d-----w      c:\program files\TrojanHunter 5.0
2009-04-28 21:14 . 2009-04-28 21:14      27648      ----a-w      c:\windows\system32\win32hlp.old (2).exe
2009-04-28 21:05 . 2009-04-28 21:05      104960      ----a-w      c:\windows\system32\dllcache\userinit.exe
2009-04-16 18:58 . 2009-03-06 14:22      284160      ------w      c:\windows\system32\dllcache\pdh.dll
2009-04-16 18:58 . 2009-02-06 10:39      35328      ------w      c:\windows\system32\dllcache\sc.exe
2009-04-16 18:58 . 2009-02-09 12:10      401408      ------w      c:\windows\system32\dllcache\rpcss.dll
2009-04-16 18:58 . 2009-02-06 11:11      110592      ------w      c:\windows\system32\dllcache\services.exe
2009-04-16 18:58 . 2009-02-09 12:10      473600      ------w      c:\windows\system32\dllcache\fastprox.dll
2009-04-16 18:58 . 2009-02-06 10:10      227840      ------w      c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 18:58 . 2009-02-09 12:10      453120      ------w      c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 18:58 . 2009-02-09 12:10      729088      ------w      c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 18:58 . 2009-02-09 12:10      617472      ------w      c:\windows\system32\dllcache\advapi32.dll
2009-04-16 18:58 . 2009-02-09 12:10      714752      ------w      c:\windows\system32\dllcache\ntdll.dll
2009-04-16 18:57 . 2008-05-03 11:55      2560      ------w      c:\windows\system32\xpsp4res.dll
2009-04-16 18:57 . 2008-04-21 12:08      215552      ------w      c:\windows\system32\dllcache\wordpad.exe
2009-04-10 23:22 . 2009-04-10 23:22      --------      d-----w      c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-04-10 19:23 . 2009-04-10 19:23      --------      d-----w      c:\program files\Guitar Pro 5

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 01:44 . 2004-08-11 22:00      23424      ----a-w      c:\windows\system32\drivers\jtrhfisq.sys
2009-04-30 16:49 . 2007-08-07 23:04      --------      d-----w      c:\program files\Spybot - Search & Destroy
2009-04-30 16:42 . 2007-02-25 01:39      --------      d-----w      c:\program files\Microsoft Money 2007
2009-04-30 16:38 . 2007-02-25 01:26      --------      d-----w      c:\program files\CCleaner
2009-04-30 12:57 . 2009-04-30 13:25      44032      ----a-w      c:\windows\Internet Logs\xDB1A.tmp
2009-04-30 11:45 . 2008-12-13 01:20      --------      d-----w      c:\program files\Unity
2009-04-30 11:39 . 2007-01-23 12:08      --------      d--h--w      c:\program files\InstallShield Installation Information
2009-04-30 11:38 . 2008-11-26 16:14      --------      d-----w      c:\program files\Cartoon Network
2009-04-30 11:35 . 2009-02-21 18:18      --------      d-----w      c:\program files\Apple Software Update
2009-04-26 23:39 . 2009-04-27 19:02      2621440      ----a-w      c:\windows\Internet Logs\xDB19.tmp
2009-04-24 19:52 . 2007-12-08 00:01      596300      --sha-w      c:\windows\system32\drivers\fidbox.idx
2009-04-24 19:52 . 2007-12-08 00:01      51857440      --sha-w      c:\windows\system32\drivers\fidbox.dat
2009-04-14 04:06 . 2008-10-04 12:55      256      ----a-w      c:\windows\system32\pool.bin
2009-04-10 19:27 . 2007-01-23 12:12      125856      ----a-w      c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-04 21:18 . 2008-05-08 11:15      21840      ----atw      c:\windows\system32\SIntfNT.dll
2009-04-04 21:18 . 2008-05-08 11:15      17212      ----atw      c:\windows\system32\SIntf32.dll
2009-04-04 21:18 . 2008-05-08 11:15      12067      ----atw      c:\windows\system32\SIntf16.dll
2009-03-30 22:45 . 2009-03-30 22:45      --------      d-----w      c:\program files\MSECache
2009-03-13 21:10 . 2009-03-13 21:10      --------      d-----w      c:\program files\Adobe Media Player
2009-03-13 21:10 . 2009-03-13 21:10      --------      d-----w      c:\program files\Common Files\Adobe AIR
2009-03-13 11:09 . 2008-07-02 12:59      34      ----a-w      c:\documents and settings\Mike Beatty\jagex_runescape_preferences.dat
2009-03-06 14:22 . 2004-08-11 22:00      284160      ----a-w      c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-11 22:00      826368      ----a-w      c:\windows\system32\wininet.dll
2009-02-26 22:11 . 2009-02-27 00:07      1881088      ----a-w      c:\windows\Internet Logs\xDB18.tmp
2009-02-26 22:07 . 2009-02-26 22:08      1881088      ----a-w      c:\windows\Internet Logs\xDB17.tmp
2009-02-25 08:13 . 2007-05-23 07:06      15247639      ----a-w      c:\windows\Internet Logs\tvDebug.zip
2009-02-20 18:09 . 2004-08-11 22:00      78336      ----a-w      c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-11 22:00      729088      ----a-w      c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-11 22:00      401408      ----a-w      c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-11 22:00      714752      ----a-w      c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-11 22:00      617472      ----a-w      c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2004-08-11 22:00      1846784      ----a-w      c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-11 22:00      110592      ----a-w      c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-11 22:00      2145280      ----a-w      c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-11 22:00      35328      ----a-w      c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-04 03:59      2023936      ----a-w      c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2004-08-11 22:00      56832      ----a-w      c:\windows\system32\secur32.dll
.

(((((((((((((((((((((((((((((   SnapShot_2009-05-01_19.05.37   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-30 14:34 . 2009-05-02 01:51      66722              c:\windows\system32\InetCntrl\Data\userpolicy.bin
- 2009-04-30 14:34 . 2009-05-01 19:05      66722              c:\windows\system32\InetCntrl\Data\userpolicy.bin
+ 2007-02-25 00:49 . 2009-05-02 01:41      32768              c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-02-25 00:49 . 2009-05-01 19:04      32768              c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-02-25 00:49 . 2009-05-02 01:41      32768              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-02-25 00:49 . 2009-05-01 19:04      32768              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-02-25 00:49 . 2009-05-02 01:41      32768              c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-02-25 00:49 . 2009-05-01 19:04      32768              c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-05-01 23:09 . 2009-05-01 23:09      14336              c:\windows\Installer\{9F185C48-595B-401A-A1D6-AAB324890DC4}\IconCBE855212.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-27 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-30 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]
"THGuard"="c:\program files\TrojanHunter 5.0\THGuard.exe" [2009-04-13 1061536]
"InetCntrl"="c:\windows\system32\InetCntrl\InetCntrl.exe" [2009-03-30 841048]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05      356352      ----a-w      c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mike Beatty^Start Menu^Programs^Startup^ChkDisk.dll]
path=c:\documents and settings\Mike Beatty\Start Menu\Programs\Startup\ChkDisk.dll
backup=c:\windows\pss\ChkDisk.dllStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mike Beatty^Start Menu^Programs^Startup^ChkDisk.lnk]
path=c:\documents and settings\Mike Beatty\Start Menu\Programs\Startup\ChkDisk.lnk
backup=c:\windows\pss\ChkDisk.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\SkillGround\\Games\\UTG\\Main.exe"=
"c:\\Program Files\\SkillGround\\Games\\WarPath\\System\\Warpath.exe"=
"c:\\Program Files\\SkillGround\\Games\\KungFu\\System\\KungFu.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

S2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-03-17 65536]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - KDQITOZH
*Deregistered* - BSafeFilter

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1aaa266c-2f14-11de-a87b-0019b90ecf22}]
\Shell\AutoRun\command - E:\ImageViewer4.exe -COPYFILE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d17d1ebd-e64b-11dd-a20d-0019b90ecf22}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db30c78d-d889-11dd-a20a-0019b90ecf22}]
\Shell\AutoRun\command - E:\rcaeasyrip_setup.exe
\Shell\install\command - E:\rcaeasyrip_setup.exe
\Shell\usermanualEnglish\command - E:\rcaeasyrip_setup.exe /pdf_English
\Shell\usermanualFrench\command - E:\rcaeasyrip_setup.exe /pdf_French
\Shell\usermanualSpanish\command - E:\rcaeasyrip_setup.exe /pdf_Spanish
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.charter.net/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - ?p=ZKxdm173RAUS
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
LSP: InetCntrl0013.dll
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-01 21:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(540)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(596)
c:\windows\system32\InetCntrl0013.dll

- - - - - - - > 'explorer.exe'(2332)
c:\program files\Unlocker\UnlockerHook.dll
c:\windows\system32\InetCntrl\PopupKil\popuphuk.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\BRSS01A.EXE
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-02 21:55 - machine was rebooted
ComboFix-quarantined-files.txt  2009-05-02 01:55
ComboFix2.txt  2009-05-01 22:45
ComboFix3.txt  2009-05-01 21:51
ComboFix4.txt  2009-05-01 19:57
ComboFix5.txt  2009-05-02 01:43

Pre-Run: 123,797,213,184 bytes free
Post-Run: 122,727,567,360 bytes free

242      --- E O F ---      2009-04-30 18:13
0
 
LVL 6

Expert Comment

by:nettek0300
ID: 24284573
If it did not delete the files, you most likely will need to boot from a device other than the hard drive you are scanning so that the files it is trying to delete are not in use. This could be a CD or another hard drive if you can connect two drives up to one PC. Boot off of the good drive and then scan the bad one. If you do that, I recommend having virus software running on the good drive so that it does not get infected. The best bet is to boot off of a utility CD and then scan the drive.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24284592
The dat files are showing now. Try this script with combofix.

File::
c:\windows\system32\ovfsthxknrkcicc.dat
c:\windows\system32\ovfsthxxxpyhrxt.dat
c:\windows\system32\ovfsthxveylatac.dat

Rootkit::
c:\windows\system32\ovfsthxxbwppquk.dll
c:\windows\system32\ovfsthxjgoyuyxj.dll
c:\windows\system32\ovfsthxxsjklgvp.dll
c:\windows\system32\drivers\jtrhfisq.sys

0
 

Author Comment

by:csimike
ID: 24284623
ComboFix 09-04-28.03 - Mike Beatty 05/01/2009 22:30.10 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.536 [GMT -4:00]
Running from: E:\ComboFix.exe
Command switches used :: E:\CFScript.txt
FW: ZoneAlarm Firewall *enabled*
 * Created a new restore point

FILE ::
c:\windows\system32\ovfsthxknrkcicc.dat
c:\windows\system32\ovfsthxveylatac.dat
c:\windows\system32\ovfsthxxxpyhrxt.dat
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\jtrhfisq.sys
c:\windows\system32\ovfsthxjgoyuyxj.dll
c:\windows\system32\ovfsthxknrkcicc.dat
c:\windows\system32\ovfsthxveylatac.dat
c:\windows\system32\ovfsthxxbwppquk.dll
c:\windows\system32\ovfsthxxsjklgvp.dll
c:\windows\system32\ovfsthxxxpyhrxt.dat
c:\windows\system32\sfcfiles.dat

.
(((((((((((((((((((((((((   Files Created from 2009-06-02 to 2009-5-2  )))))))))))))))))))))))))))))))
.

2009-05-01 23:09 . 2009-05-01 23:09      --------      d-----w      c:\program files\Common Files\Gibinsoft Shared
2009-05-01 23:09 . 2009-05-01 23:09      --------      d-----w      c:\program files\GiPo@Utilities
2009-05-01 22:04 . 2009-05-01 22:04      --------      d-----w      c:\program files\Unlocker
2009-05-01 17:39 . 2009-05-01 17:39      --------      d-----w      c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-01 17:39 . 2009-04-06 19:32      15504      ----a-w      c:\windows\system32\drivers\mbam.sys
2009-05-01 17:39 . 2009-04-06 19:32      38496      ----a-w      c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-01 17:39 . 2009-05-01 17:39      --------      d-----w      c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-01 17:39 . 2009-05-01 18:29      --------      d-----w      c:\program files\Malwarebytes' Anti-Malware
2009-04-30 19:10 . 2009-05-01 23:04      --------      d-----w      C:\VundoFix Backups
2009-04-30 14:34 . 2009-03-19 19:13      184320      ----a-w      c:\windows\system32\InetCntrl0013.dll
2009-04-30 14:34 . 2009-02-03 18:35      39424      ----a-w      c:\windows\system32\drivers\BSafFltr.sys
2009-04-30 14:34 . 2007-06-04 14:55      29024      ----a-w      c:\windows\system32\drivers\bsofrwl.sys
2009-04-30 13:07 . 2009-04-30 13:07      --------      d-----w      c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-04-29 22:35 . 2009-04-29 22:35      --------      d-----w      c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-29 22:35 . 2009-04-30 14:19      --------      d-----w      c:\program files\SUPERAntiSpyware
2009-04-29 21:49 . 2009-04-29 21:49      --------      d-----w      c:\program files\Common Files\Wise Installation Wizard
2009-04-29 21:49 . 2009-04-29 21:49      --------      d-----w      c:\documents and settings\Administrator\Application Data\TrojanHunter
2009-04-29 20:47 . 2009-04-29 22:11      --------      d-----w      c:\program files\TrojanHunter 5.0
2009-04-28 21:14 . 2009-04-28 21:14      27648      ----a-w      c:\windows\system32\win32hlp.old (2).exe
2009-04-28 21:05 . 2009-04-28 21:05      104960      ----a-w      c:\windows\system32\dllcache\userinit.exe
2009-04-16 18:58 . 2009-03-06 14:22      284160      ------w      c:\windows\system32\dllcache\pdh.dll
2009-04-16 18:58 . 2009-02-06 10:39      35328      ------w      c:\windows\system32\dllcache\sc.exe
2009-04-16 18:58 . 2009-02-09 12:10      401408      ------w      c:\windows\system32\dllcache\rpcss.dll
2009-04-16 18:58 . 2009-02-06 11:11      110592      ------w      c:\windows\system32\dllcache\services.exe
2009-04-16 18:58 . 2009-02-09 12:10      473600      ------w      c:\windows\system32\dllcache\fastprox.dll
2009-04-16 18:58 . 2009-02-06 10:10      227840      ------w      c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 18:58 . 2009-02-09 12:10      453120      ------w      c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 18:58 . 2009-02-09 12:10      729088      ------w      c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 18:58 . 2009-02-09 12:10      617472      ------w      c:\windows\system32\dllcache\advapi32.dll
2009-04-16 18:58 . 2009-02-09 12:10      714752      ------w      c:\windows\system32\dllcache\ntdll.dll
2009-04-16 18:57 . 2008-05-03 11:55      2560      ------w      c:\windows\system32\xpsp4res.dll
2009-04-16 18:57 . 2008-04-21 12:08      215552      ------w      c:\windows\system32\dllcache\wordpad.exe
2009-04-10 23:22 . 2009-04-10 23:22      --------      d-----w      c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-04-10 19:23 . 2009-04-10 19:23      --------      d-----w      c:\program files\Guitar Pro 5

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 02:35 . 2007-05-23 07:06      16862709      ----a-w      c:\windows\Internet Logs\tvDebug.zip
2009-05-02 02:34 . 2007-12-08 00:01      597524      --sha-w      c:\windows\system32\drivers\fidbox.idx
2009-05-02 02:34 . 2007-12-08 00:01      51857440      --sha-w      c:\windows\system32\drivers\fidbox.dat
2009-04-30 16:49 . 2007-08-07 23:04      --------      d-----w      c:\program files\Spybot - Search & Destroy
2009-04-30 16:42 . 2007-02-25 01:39      --------      d-----w      c:\program files\Microsoft Money 2007
2009-04-30 16:38 . 2007-02-25 01:26      --------      d-----w      c:\program files\CCleaner
2009-04-30 12:57 . 2009-04-30 13:25      44032      ----a-w      c:\windows\Internet Logs\xDB1A.tmp
2009-04-30 11:45 . 2008-12-13 01:20      --------      d-----w      c:\program files\Unity
2009-04-30 11:39 . 2007-01-23 12:08      --------      d--h--w      c:\program files\InstallShield Installation Information
2009-04-30 11:38 . 2008-11-26 16:14      --------      d-----w      c:\program files\Cartoon Network
2009-04-30 11:35 . 2009-02-21 18:18      --------      d-----w      c:\program files\Apple Software Update
2009-04-26 23:39 . 2009-04-27 19:02      2621440      ----a-w      c:\windows\Internet Logs\xDB19.tmp
2009-04-14 04:06 . 2008-10-04 12:55      256      ----a-w      c:\windows\system32\pool.bin
2009-04-10 19:27 . 2007-01-23 12:12      125856      ----a-w      c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-04 21:18 . 2008-05-08 11:15      21840      ----atw      c:\windows\system32\SIntfNT.dll
2009-04-04 21:18 . 2008-05-08 11:15      17212      ----atw      c:\windows\system32\SIntf32.dll
2009-04-04 21:18 . 2008-05-08 11:15      12067      ----atw      c:\windows\system32\SIntf16.dll
2009-03-30 22:45 . 2009-03-30 22:45      --------      d-----w      c:\program files\MSECache
2009-03-13 21:10 . 2009-03-13 21:10      --------      d-----w      c:\program files\Adobe Media Player
2009-03-13 21:10 . 2009-03-13 21:10      --------      d-----w      c:\program files\Common Files\Adobe AIR
2009-03-13 11:09 . 2008-07-02 12:59      34      ----a-w      c:\documents and settings\Mike Beatty\jagex_runescape_preferences.dat
2009-03-06 14:22 . 2004-08-11 22:00      284160      ----a-w      c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-11 22:00      826368      ----a-w      c:\windows\system32\wininet.dll
2009-02-26 22:11 . 2009-02-27 00:07      1881088      ----a-w      c:\windows\Internet Logs\xDB18.tmp
2009-02-26 22:07 . 2009-02-26 22:08      1881088      ----a-w      c:\windows\Internet Logs\xDB17.tmp
2009-02-20 18:09 . 2004-08-11 22:00      78336      ----a-w      c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-11 22:00      729088      ----a-w      c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-11 22:00      401408      ----a-w      c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-11 22:00      714752      ----a-w      c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-11 22:00      617472      ----a-w      c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2004-08-11 22:00      1846784      ----a-w      c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-11 22:00      110592      ----a-w      c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-11 22:00      2145280      ----a-w      c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-11 22:00      35328      ----a-w      c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-04 03:59      2023936      ----a-w      c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2004-08-11 22:00      56832      ----a-w      c:\windows\system32\secur32.dll
.

(((((((((((((((((((((((((((((   SnapShot_2009-05-01_19.05.37   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-30 14:34 . 2009-05-02 02:35      66722              c:\windows\system32\InetCntrl\Data\userpolicy.bin
- 2009-04-30 14:34 . 2009-05-01 19:05      66722              c:\windows\system32\InetCntrl\Data\userpolicy.bin
+ 2007-02-25 00:49 . 2009-05-02 01:41      32768              c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-02-25 00:49 . 2009-05-01 19:04      32768              c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-02-25 00:49 . 2009-05-02 01:41      32768              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-02-25 00:49 . 2009-05-01 19:04      32768              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-02-25 00:49 . 2009-05-02 01:41      32768              c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-02-25 00:49 . 2009-05-01 19:04      32768              c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-05-01 23:09 . 2009-05-01 23:09      14336              c:\windows\Installer\{9F185C48-595B-401A-A1D6-AAB324890DC4}\IconCBE855212.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-27 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-30 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]
"THGuard"="c:\program files\TrojanHunter 5.0\THGuard.exe" [2009-04-13 1061536]
"InetCntrl"="c:\windows\system32\InetCntrl\InetCntrl.exe" [2009-03-30 841048]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05      356352      ----a-w      c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mike Beatty^Start Menu^Programs^Startup^ChkDisk.dll]
path=c:\documents and settings\Mike Beatty\Start Menu\Programs\Startup\ChkDisk.dll
backup=c:\windows\pss\ChkDisk.dllStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mike Beatty^Start Menu^Programs^Startup^ChkDisk.lnk]
path=c:\documents and settings\Mike Beatty\Start Menu\Programs\Startup\ChkDisk.lnk
backup=c:\windows\pss\ChkDisk.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\SkillGround\\Games\\UTG\\Main.exe"=
"c:\\Program Files\\SkillGround\\Games\\WarPath\\System\\Warpath.exe"=
"c:\\Program Files\\SkillGround\\Games\\KungFu\\System\\KungFu.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-03-17 65536]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]


--- Other Services/Drivers In Memory ---

*Deregistered* - BSafeFilter

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1aaa266c-2f14-11de-a87b-0019b90ecf22}]
\Shell\AutoRun\command - E:\ImageViewer4.exe -COPYFILE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d17d1ebd-e64b-11dd-a20d-0019b90ecf22}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db30c78d-d889-11dd-a20a-0019b90ecf22}]
\Shell\AutoRun\command - E:\rcaeasyrip_setup.exe
\Shell\install\command - E:\rcaeasyrip_setup.exe
\Shell\usermanualEnglish\command - E:\rcaeasyrip_setup.exe /pdf_English
\Shell\usermanualFrench\command - E:\rcaeasyrip_setup.exe /pdf_French
\Shell\usermanualSpanish\command - E:\rcaeasyrip_setup.exe /pdf_Spanish
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.charter.net/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - ?p=ZKxdm173RAUS
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
LSP: InetCntrl0013.dll
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-01 22:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(540)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(596)
c:\windows\system32\InetCntrl0013.dll

- - - - - - - > 'explorer.exe'(2436)
c:\windows\system32\InetCntrl\PopupKil\popuphuk.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\SUPERAntiSpyware\SASSEH.DLL
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
c:\program files\Spybot - Search & Destroy\SDHelper.dll
c:\windows\System32\DLA\DLASHX_W.DLL
c:\windows\system32\DLAAPI_W.DLL
c:\windows\System32\DLA\DLACResW.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\BRSS01A.EXE
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-02 22:41 - machine was rebooted
ComboFix-quarantined-files.txt  2009-05-02 02:40
ComboFix2.txt  2009-05-02 01:55
ComboFix3.txt  2009-05-01 22:45
ComboFix4.txt  2009-05-01 21:51
ComboFix5.txt  2009-05-02 02:30

Pre-Run: 122,690,674,688 bytes free
Post-Run: 122,696,617,984 bytes free

241      --- E O F ---      2009-04-30 18:13
0
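The CFScript posted by rpggamergirl above and the ComboFix log csimike produced from it are a pair worth checking mechanically: the `File::` and `Rootkit::` entries should all reappear under "Other Deletions", and anything left over is what you would chase next. The script below is an added example for this thread, not ComboFix's own code and not anything a participant posted. It parses both formats, confirms which requested paths were deleted, and runs a coarse random-filename heuristic over the "Files Created" section of the kind that would single out the `ovfsthx*` and `jtrhfisq.sys` names. The CFScript and log excerpt embedded in it are constructed to mirror the posted ones; `notdeleted.dll` is a made-up path included only to show the "still present" case.

```python
"""Cross-check a ComboFix CFScript against the log ComboFix wrote afterwards,
and triage the 'Files Created' section for randomly named binaries.

Added example; constructed sample data modelled on the thread's log.
"""
import re
from typing import Dict, List, Tuple

# Constructed CFScript in the File:: / Rootkit:: layout used in the thread.
# 'notdeleted.dll' is a made-up path that the sample log does NOT report as deleted.
CFSCRIPT = r"""
File::
c:\windows\system32\ovfsthxknrkcicc.dat
c:\windows\system32\ovfsthxxxpyhrxt.dat

Rootkit::
c:\windows\system32\ovfsthxxbwppquk.dll
c:\windows\system32\drivers\jtrhfisq.sys
c:\windows\system32\notdeleted.dll
"""

# Constructed excerpt of a ComboFix log with the same section layout as the posted one.
COMBOFIX_LOG = r"""
((((((((((   Other Deletions   ))))))))))
.

c:\windows\system32\drivers\jtrhfisq.sys
c:\windows\system32\ovfsthxknrkcicc.dat
c:\windows\system32\ovfsthxxbwppquk.dll
c:\windows\system32\ovfsthxxxpyhrxt.dat
c:\windows\system32\sfcfiles.dat

.
((((((((((   Files Created from 2009-04-02 to 2009-05-02   ))))))))))
.

2009-05-01 17:39 . 2009-04-06 19:32      38496      ----a-w      c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-28 21:05 . 2009-04-28 21:05      104960      ----a-w      c:\windows\system32\dllcache\userinit.exe
2009-04-30 14:34 . 2009-04-30 14:34      12288      ----a-w      c:\windows\system32\drivers\jtrhfisq.sys
2009-04-30 14:34 . 2009-04-30 14:34      57344      ----a-w      c:\windows\system32\ovfsthxjgoyuyxj.dll
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+\s*$")      # '((( Title )))' headers
PATH_RE = re.compile(r"([A-Za-z]:\\\S.*?)\s*$")         # drive-letter path at end of line
VOWELS = set("aeiou")


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Return {directive: [paths]} for blocks headed 'Name::' (e.g. File::, Rootkit::)."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line.lower())
    return blocks


def parse_log_sections(text: str) -> Dict[str, List[str]]:
    """Return {section title: [paths]} for every '((( Title )))' section in a ComboFix log."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if current is None:
            continue
        pm = PATH_RE.search(line)
        if pm:
            sections[current].append(pm.group(1).strip().lower())
    return sections


def verify_deletions(script: Dict[str, List[str]],
                     sections: Dict[str, List[str]]) -> Tuple[List[str], List[str]]:
    """Split the File::/Rootkit:: paths into (confirmed deleted, still unaccounted for)."""
    deleted = set()
    for title, paths in sections.items():
        if title.lower().startswith("other deletions"):
            deleted.update(paths)
    requested = [p for d in ("File", "Rootkit") for p in script.get(d, [])]
    confirmed = [p for p in requested if p in deleted]
    missing = [p for p in requested if p not in deleted]
    return confirmed, missing


def longest_consonant_run(stem: str) -> int:
    best = run = 0
    for ch in stem:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(path: str, min_len: int = 8, min_run: int = 5) -> bool:
    """Coarse triage heuristic: letters-only stem of >= min_len with a consonant run >= min_run."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    return stem.isalpha() and len(stem) >= min_len and longest_consonant_run(stem) >= min_run


def triage_created_files(sections: Dict[str, List[str]]) -> List[str]:
    """Paths from the 'Files Created' section whose names look machine-generated."""
    created = [p for t, ps in sections.items() if t.lower().startswith("files created") for p in ps]
    return [p for p in created if looks_random(p)]


if __name__ == "__main__":
    secs = parse_log_sections(COMBOFIX_LOG)
    ok, gone_wrong = verify_deletions(parse_cfscript(CFSCRIPT), secs)
    print("confirmed deleted:", *ok, sep="\n  ")
    print("not reported deleted:", *gone_wrong, sep="\n  ")
    print("random-looking new files:", *triage_created_files(secs), sep="\n  ")
```

The name heuristic is for triage only: legitimate Windows binaries with terse names (the posted log's `wmiprvsd.dll`, for instance) will trip it, so treat a hit as "look at this file's signature, vendor and creation time", not as a verdict. The useful property is the opposite direction: anything the CFScript asked for that is not in "Other Deletions" is exactly what the thread goes on to deal with with a second scanner.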
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24284645

CF deleted those... now we'll see if they come back...
If they come back... run a Kaspersky online scanner as warturtle had suggested and show us the report.
0
 

Author Comment

by:csimike
ID: 24284810
here's the Kaspersky scan:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
 Saturday, May 2, 2009
 Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
 Kaspersky Online Scanner  version: 7.0.26.13
 Program database last update: Saturday, May 02, 2009 00:39:41
 Records in database: 2118498
--------------------------------------------------------------------------------

Scan settings:
      Scan using the following database: extended
      Scan archives: yes
      Scan mail databases: yes

Scan area - Critical Areas:
      C:\Documents and Settings\All Users\Start Menu\Programs\Startup
      C:\Documents and Settings\Mike Beatty\Start Menu\Programs\Startup
      C:\Program Files
      C:\WINDOWS

Scan statistics:
      Files scanned: 59208
      Threat name: 2
      Infected objects: 2
      Suspicious objects: 0
      Duration of the scan: 00:59:53


File name / Threat name / Threats count
C:\WINDOWS\pss\ChkDisk.dllStartup      Infected: Trojan-Spy.Win32.Agent.amjg      1
C:\WINDOWS\system32\win32hlp.old (2).exe      Infected: Trojan-Dropper.Win32.Agent.amnc      1

The selected area was scanned.
0
 

Author Comment

by:csimike
ID: 24284837
Malwarebytes let me delete those files.... maybe this is the beginning of the end
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24293769
That's great!

To uninstall Combofix:
Go to Start > Run and 'copy and paste' the next command into the field:

ComboFix /u

The above process will remove Combofix and its files, delete the created backup and reset System Restore.

In case you're not aware, there's also an option to award points to more than one expert by clicking the "Accept Multiple Solutions" tab.

Thanks!
0

Question has a verified solution.