  1. #1
    Member
    Join Date
    Sep 2009
    Posts
    5
    Points
    0

    BDS/Tofsee.F.7 infection

    I am pretty new to this but I have some experience with computers. My AV (Avira) detected this backdoor.gen variant but had no detailed info on this malware on its website. It did, however, manage to delete the infected files. I then turned to SUPERAntiSpyware, but it could not detect anything.

    So now it was up to Malwarebytes' Anti-Malware and it found 4 infected files. The log is below:

    Malwarebytes' Anti-Malware 1.40
    Database version: 2770
    Windows 5.1.2600 Service Pack 3

    10/09/2009 12:11:46
    mbam-log-2009-09-10 (12-11-46).txt

    Scan type: Quick Scan
    Objects scanned: 105826
    Time elapsed: 10 minute(s), 32 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 1
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\kr_done1 (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Cyrus\gipsw.exe \s) Good: (Userinit.exe) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\Cyrus\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Cyrus\Local Settings\Temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Cyrus\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Cyrus\Local Settings\Temp\.ttD.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.


    It deleted them successfully, I rescanned, and it was clean. So now I am using HijackThis and I have posted the log below. Can anyone help and see if there is anything nasty still in my computer?

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 08:39:12, on 11/09/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\MozyHome\mozybackup.exe
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
    C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\igfxpers.exe
    C:\Program Files\BlackBYTE Free Speech\bin\blackbyte-gui.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\vVX3000.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEKP.EXE
    C:\Program Files\MozyHome\mozystat.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
    O4 - HKLM\..\Run: [blackbyte-gui] C:\Program Files\BlackBYTE Free Speech\bin\blackbyte-gui.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
    O4 - HKLM\..\Run: [xkwkkp] C:\WINDOWS\system32\xkwkkp.exe \u
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [EPSON Stylus Office TX600FW(Network) copy1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEKP.EXE /FU "C:\DOCUME~1\Cyrus\LOCALS~1\Temp\E_S3C.tmp" /EF "HKCU"
    O4 - HKCU\..\Run: [EPSON Stylus Office TX600FW(Network) (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEKP.EXE /FU "C:\WINDOWS\TEMP\E_S19.tmp" /EF "HKCU"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1229377392531
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1229964710359
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Avira AntiVir WebGuard (AntiVirWebService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: MozyHome Backup Service (mozybackup) - Mozy, Inc. - C:\Program Files\MozyHome\mozybackup.exe
    O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\BlackBYTE Free Speech\bin\blackbyteserv.exe

    --
    End of file - 7886 bytes


    Thnx

    Cyrus
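Two autostart findings in the logs above can be checked mechanically: the Winlogon Userinit value MBAM reported (a second program appended after userinit.exe) and O4 Run-key lines such as the xkwkkp.exe entry. The Python below is an added example for this thread, not a tool used or posted in it; it parses HijackThis-style O4 lines and a Userinit value, and the three heuristics it applies (image in a user-writable folder, backslash-style switch, bare filename) are assumptions drawn from the patterns in this particular log, not a general detection rule.

```python
"""Triage helpers for HijackThis O4 lines and the Winlogon Userinit value.
Added example for this thread; the heuristics are assumptions taken from
the patterns visible in these logs, not a general malware signature."""
import re

# Stock Winlogon Userinit value on Windows XP. Anything after the comma is an
# extra program started at every logon (MBAM saw gipsw.exe appended there).
EXPECTED_USERINIT = {"c:\\windows\\system32\\userinit.exe", "userinit.exe"}

# Folders where an autostart image is unusual enough to deserve a look.
# Legitimate software (Trusteer Rapport in this log) lands here too, so a
# hit is a reason to inspect, not a verdict.
USER_WRITABLE_HINTS = (
    "\\documents and settings\\",
    "\\local settings\\temp\\",
    "\\windows\\temp\\",
)

# O4 lines look like:  O4 - HKLM\..\Run: [name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# "gipsw.exe \s" and "xkwkkp.exe \u" in this log pass a switch with a
# backslash; Windows programs normally use "/x" or "-x". HijackThis appends
# "(User 'name')" when the Run key belongs to another profile.
BACKSLASH_SWITCH_RE = re.compile(r"\s\\[a-z]\s*(\(User '[^']*'\))?$", re.I)


def userinit_extras(value):
    """Return every entry in a Userinit value that is not stock userinit.exe."""
    parts = [p.strip() for p in value.split(",")]
    return [p for p in parts if p and p.lower() not in EXPECTED_USERINIT]


def image_path(cmd):
    """Pull the executable out of an O4 command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces (C:\Program Files\...), so take
    # everything up to the first ".exe" followed by whitespace or the end.
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def triage_o4(lines):
    """Return (entry name, image, reasons) for O4 lines matching a heuristic.
    Lines not shaped 'O4 - hive: [name] cmd' (e.g. Global Startup) are skipped."""
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd")
        image = image_path(cmd)
        reasons = []
        if any(hint in image.lower() for hint in USER_WRITABLE_HINTS):
            reasons.append("image lives in a user-writable folder")
        if BACKSLASH_SWITCH_RE.search(cmd):
            reasons.append("backslash-style switch after the executable")
        if "\\" not in image:
            reasons.append("bare filename, resolved through the search path")
        if reasons:
            findings.append((m.group("name"), image, reasons))
    return findings


# Sample input: lines copied from the HijackThis and MBAM logs in this thread.
SAMPLE_O4 = [
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min',
    r'O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe',
    r'O4 - HKLM\..\Run: [xkwkkp] C:\WINDOWS\system32\xkwkkp.exe \u',
    r'O4 - HKLM\..\Run: [blackbyte-gui] C:\Program Files\BlackBYTE Free Speech\bin\blackbyte-gui.exe',
    r"O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')",
    r"""O4 - HKUS\S-1-5-21-484763869-1979792683-839522115-1004\..\Run: [Rapportexe] "C:\Documents and Settings\Verity\Application Data\Trusteer\Rapport\app\bin\RapportService.exe" -start -after_boot (User 'Verity')""",
    r'O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe',
]
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Cyrus\gipsw.exe \s"

if __name__ == "__main__":
    for extra in userinit_extras(SAMPLE_USERINIT):
        print("Userinit launches an extra program:", extra)
    for name, image, reasons in triage_o4(SAMPLE_O4):
        print(f"[{name}] {image}: {'; '.join(reasons)}")
```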

  2. #2
    Forum Moderator JohnB151
    Join Date
    Mar 2009
    Location
    The Netherlands
    Posts
    951
    Points
    38


    Hi Cyrus and welcome to the Help2Go forums.
    My name is John Brouwer - if it helps, you can call me John for short. I'll be glad to help you with your computer problems.

    HijackThis logs can take some time to research, so please be patient with me. I know that you need
    your computer working as quickly as possible, and I will work hard to help see that happens.

    These rules are good for you to know:

    • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
    • The fixes are specific to your problem and should only be used for this issue on this machine.
    • It's often worth reading through these instructions and printing them for ease of reference.
    • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
    • If you don't reply within five days after my last instructions this topic will be closed. If you will not be able to reply within five days please tell me how long it will take so the topic will not be closed.



    These rules are to make my voluntary work more comfortable:

    • Please be patient. The work I do is voluntary and I also have a private life (school, work, friends and hobbies).
    • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
    • Please reply to this thread. Do not start a new topic.
    • Also, don't post logs as attachments. Other helpers like to view the logs as well and opening a lot of attachments is irritating. It can also contain malware.



    Finally, please make an uninstall list using HijackThis.
    To access the Uninstall Manager you would do the following:

    • Start HijackThis
    • Click on the Open The Misc Tool Section button
    • Click on the Open Uninstall Manager button.
    • Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Save the file to your desktop and post the contents in a reply to this topic.



    Regards,
    John.

  3. #3
    Member
    Join Date
    Sep 2009
    Posts
    5
    Points
    0


    Hi John,

    Thanks for helping out. I have posted the HijackThis uninstall log below:

    7-Zip 4.57
    ABBYY FineReader 6.0 Sprint
    Acrobat.com
    Acrobat.com
    Adobe AIR
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.1.2
    Any Video Converter 2.6.7
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Avira AntiVir Premium
    BlackBYTE 1.0.1.019
    Bonjour
    Callcentric Softphone
    CCleaner (remove only)
    Choice Guard
    Convert
    CopyTrans Suite Remove Only
    DeepBurner v1.9.0.228
    DivX Codec
    DivX Converter
    Emirates TravelDesk
    Epson Easy Photo Print 2
    Epson Event Manager
    EPSON Scan
    EPSON Stylus Office BX600FW_Office TX600FW_SX600FW Manual
    EPSON TX600FW Series Printer Uninstall
    EPSON Web-To-Page
    EpsonNet Config V3
    EpsonNet Print
    Exact Audio Copy 0.99pb4
    Express Rip
    FastStone Capture 5.3
    Filofax Address Book Demo
    FormatFactory
    getPlus(R) for Adobe
    High Definition Audio Driver Package - KB835221
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Connections Drivers
    iPhone Configuration Utility
    IrfanView (remove only)
    iTunes
    Java(TM) 6 Update 13
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 3.5 SP1
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft LifeCam
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft Silverlight
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    MobileMe Control Panel
    Mozilla Firefox (3.0.13)
    MozyHome Remote Backup
    MSVCRT
    OGA Notifier 1.7.0105.35.0
    PeaZip 2.6.3
    Pre-Registration
    PrimoPDF -- brought to you by Nitro PDF Software
    Prism Video Converter
    QuickTime
    RAIDar 4.1.3
    Safari
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 8 (KB917734)
    Security Update for Windows Media Player 9 (KB911565)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Segoe UI
    SigmaTel Audio
    SKYLINK 2-in-1 Phone Utility
    Skype™ 3.8
    Smart Defrag 1.20
    Some PDF to Word Converter 1.5
    SUPERAntiSpyware Free Edition
    Switch Sound File Converter
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB971930)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB973815)
    WavePad Sound Editor
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows XP Service Pack 3

    Cheers
    Cyrus

  4. #4
    Forum Moderator JohnB151
    Join Date
    Mar 2009
    Location
    The Netherlands
    Posts
    951
    Points
    38


    Hi Cyrus,

    I'd like you to check a file for malware.

    Step 1: Show your hidden files
    To enable the viewing of Hidden files follow these steps:

    • Close all programs so that you are at your desktop.
    • Double-click on the My Computer icon (or click Start, then select My Computer)
    • Select the Tools menu and click Folder Options.
    • After the new window appears select the View tab.
    • Put a checkmark in the checkbox labeled Display the contents of system folders.
    • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
    • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
    • Remove the checkmark from the checkbox labeled Hide protected operating system files.
    • Press the Apply button and then the OK button, and close My Computer.
      Now your computer is configured to show all hidden files.



    Step 2: Upload malware for scanning



    C:\WINDOWS\system32\xkwkkp.exe
    • Click Browse and browse to the destination of the file in the above box.
    • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programs.
    • After a while, a window will open, with details of what the scans found.
    • Save the complete results in a Notepad/Word document on your desktop.



    Please post that log.

    Regards,
    John.

  5. #5
    Member
    Join Date
    Sep 2009
    Posts
    5
    Points
    0


    Hi John,

    I enabled the hidden files and did a thorough search in C:\WINDOWS\system32 but could not find the file you specified. I have attached a screenshot of what I see in the system32 folder. Please can you advise the next step?

    BR
    Cyrus

  6. #6
    Forum Moderator JohnB151
    Join Date
    Mar 2009
    Location
    The Netherlands
    Posts
    951
    Points
    38


    Hi Cyrus,

    That is good; it means the file is gone already. Let's run some other scanners.

    Please copy the fix to Word, or print it, because you won't always have internet access!

    Step 1: Download and Run ComboFix
    Please visit this webpage for download links, and instructions for running the tool:
    A guide and tutorial on using ComboFix

    Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. For information on how to disable your anti-virus program please see this:
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

    Go on with the ComboFix guide; when it opens its log, please close it.

    Remember that the ComboFix log is saved here: C:\ComboFix.txt

    Step 2: Download and Run Gmer
    Download Gmer to your Desktop and unzip it to your Desktop.
    http://www.gmer.net/gmer.zip

    Disconnect from internet and close running programs.
    There is a small chance this application may crash your computer so save any work you have open.
    Double click gmer.exe.
    Let the gmer.sys driver load if asked.
    If it gives you a warning at program start about rootkit activity and asks if you want to run scan...say Ok.
    If no warning....
    Click the rootkit tab
    To the right of the program you will see a bunch of boxes that have been checked... leave everything checked. Then click the Scan button. Wait for the scan to finish.
    Once done click the Copy button.
    Open Notepad and hit ctrl+v to paste the log. Save the log to your desktop please.

    Step 3: Post logs
    Please post the following in a reply to this topic (use multiple posts if needed):

    • Tell me what you know about the BlackBYTE program as it shows up everywhere in your log and there is not a lot of information about it.
    • Let me know what version of Avira you have. I see that you have a paid one, but do you have Premium or Security Suite?
    • New HJT log
    • ComboFix log
    • Gmer log



    Regards,
    John.

  7. #7
    Member
    Join Date
    Sep 2009
    Posts
    5
    Points
    0


    Hi John,

    After my last post I was infected again. My AV (Avira) caught and deleted the files. A rescan showed no further detections. For a split second I did see the AV notification showing the name of that previous file you mentioned (xkwkkp.exe) in the system32 folder, but since then I have not found it again.
    The AV log is posted below:

    16/09/2009 09:31 [Scanner] Malware found
    The file 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir
    Desktop\TEMP\WEBGUARD\00041906.js.gz'
    contained a virus or unwanted program 'HTML/Rce.Gen' [virus]
    Action(s) taken:
    An error has occurred and the file was not deleted. ErrorID: 26004.
    The source file could not be found.
    Attempting to perform action using the ARK library.
    Error in ARK library.
    The file is scheduled for deleting after reboot.

    16/09/2009 07:53 [Webguard] Malware found
    When accessing data from the URL,
    "http://goldpassport.hyatt.com/gp/en/scripts/quickbook.js.jsp"
    a virus or unwanted program 'HTML/Rce.Gen' [virus] was found.
    Action taken: Move file to quarantine

    16/09/2009 07:53 [Webguard] Malware found
    When accessing data from the URL,
    "http://goldpassport.hyatt.com/gp/en/scripts/quickbook.js.jsp"
    a virus or unwanted program 'HTML/Rce.Gen' [virus] was found.
    Action taken: Move file to quarantine

    16/09/2009 07:52 [Webguard] Malware found
    When accessing data from the URL,
    "http://goldpassport.hyatt.com/gp/en/scripts/quickbook.js.jsp"
    a virus or unwanted program 'HTML/Rce.Gen' [virus] was found.
    Action taken: Move file to quarantine

    16/09/2009 07:51 [Guard] Malware found
    Virus or unwanted program 'HTML/Rce.Gen [virus]'
    detected in file 'C:\Documents and Settings\Verity\Local Settings\Temporary
    Internet Files\Content.IE5\5YHTSUWC\quickbook_1.1.js[1].jsp.
    Action performed: Move file to quarantine

    16/09/2009 07:51 [Guard] Malware found
    Virus or unwanted program 'HTML/Rce.Gen [virus]'
    detected in file 'C:\Documents and Settings\Verity\Local Settings\Temporary
    Internet Files\Content.IE5\5YHTSUWC\quickbook_1.1.js[1].jsp.
    Action performed: Move file to quarantine

    16/09/2009 07:49 [Guard] Malware found
    Virus or unwanted program 'HTML/Rce.Gen [virus]'
    detected in file 'C:\Documents and Settings\Verity\Local Settings\Temporary
    Internet Files\Content.IE5\XOAKEEHX\quickbook_1.1.js[1].jsp.
    Action performed: Move file to quarantine

    16/09/2009 07:49 [Guard] Malware found
    Virus or unwanted program 'HTML/Rce.Gen [virus]'
    detected in file 'C:\Documents and Settings\Verity\Local Settings\Temporary
    Internet Files\Content.IE5\XOAKEEHX\quickbook_1.1.js[1].jsp.
    Action performed: Move file to quarantine

    16/09/2009 07:48 [Webguard] Malware found
    When accessing data from the URL,
    "http://goldpassport.hyatt.com/gp/en/scripts/quickbook.js.jsp"
    a virus or unwanted program 'HTML/Rce.Gen' [virus] was found.
    Action taken: Move file to quarantine

    To answer your questions in the previous post:

    1) BlackBYTE is my VPN software; I have been using it for almost 12 months without any problems. It is an annual paid subscription. (blackbytesnetwork.com)
    2) Yes, I have Premium Avira.
    3) Logs are below (they seem to have come back clean)


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 00:13:55, on 21/09/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\MozyHome\mozybackup.exe
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
    C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\Program Files\MozyHome\mozybackup.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\igfxpers.exe
    C:\Program Files\BlackBYTE Free Speech\bin\blackbyte-gui.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\vVX3000.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MozyHome\mozystat.exe
    c:\program files\avira\antivir desktop\avcenter.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
    O4 - HKLM\..\Run: [blackbyte-gui] C:\Program Files\BlackBYTE Free Speech\bin\blackbyte-gui.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-21-484763869-1979792683-839522115-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Verity')
    O4 - HKUS\S-1-5-21-484763869-1979792683-839522115-1004\..\Run: [SKYLINK 2-in-1 Phone Utility] C:\Program Files\SkyLink\SKYLINK 2-in-1 Phone Utility\SKYLINK 2-in-1 Phone Utility.exe (User 'Verity')
    O4 - HKUS\S-1-5-21-484763869-1979792683-839522115-1004\..\Run: [EPSON Stylus Office TX600FW(Network)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEKP.EXE /FU "C:\WINDOWS\TEMP\E_SE8.tmp" /EF "HKCU" (User 'Verity')
    O4 - HKUS\S-1-5-21-484763869-1979792683-839522115-1004\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Verity')
    O4 - HKUS\S-1-5-21-484763869-1979792683-839522115-1004\..\Run: [EPSON Stylus Office TX600FW(Network) (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEKP.EXE /FU "C:\DOCUME~1\Verity\LOCALS~1\Temp\E_S1F.tmp" /EF "HKCU" (User 'Verity')
    O4 - HKUS\S-1-5-21-484763869-1979792683-839522115-1004\..\Run: [Rapportexe] "C:\Documents and Settings\Verity\Application Data\Trusteer\Rapport\app\bin\RapportService.exe" -start -after_boot (User 'Verity')
    O4 - HKUS\S-1-5-21-484763869-1979792683-839522115-1004\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Verity')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1229377392531
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1229964710359
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Avira AntiVir WebGuard (AntiVirWebService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: MozyHome Backup Service (mozybackup) - Mozy, Inc. - C:\Program Files\MozyHome\mozybackup.exe
    O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\BlackBYTE Free Speech\bin\blackbyteserv.exe

    --
    End of file - 9141 bytes


    *************************************************************************



    ComboFix 09-09-18.02 - Cyrus 19/09/2009 12:44.1.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.135 [GMT 4:00]
    Running from: c:\documents and settings\Cyrus\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
    .

    ((((((((((((((((((((((((( Files Created from 2009-08-19 to 2009-09-19 )))))))))))))))))))))))))))))))
    .

    2009-09-16 04:23 . 2009-09-16 04:23 -------- d-----w- c:\documents and settings\Verity\Application Data\Malwarebytes
    2009-09-12 14:37 . 2009-09-12 14:37 18792 ---ha-w- c:\windows\system32\mlfcache.dat
    2009-09-12 03:56 . 2009-09-12 03:57 -------- d-----w- c:\program files\iPhone Configuration Utility
    2009-09-12 03:53 . 2009-09-12 03:53 -------- d-----w- c:\program files\iPod
    2009-09-12 03:53 . 2009-09-12 03:54 -------- d-----w- c:\program files\iTunes
    2009-09-12 03:53 . 2009-09-12 03:54 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    2009-09-12 03:48 . 2009-09-12 03:49 -------- d-----w- c:\program files\QuickTime
    2009-09-11 04:37 . 2009-09-11 04:37 -------- d-----w- c:\program files\Trend Micro
    2009-09-10 07:56 . 2009-09-10 07:56 -------- d-----w- c:\documents and settings\Cyrus\Application Data\Malwarebytes
    2009-09-10 07:56 . 2009-08-03 09:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-09-10 07:56 . 2009-09-10 07:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-09-10 07:56 . 2009-09-10 07:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-09-10 07:56 . 2009-08-03 09:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-09-10 05:10 . 2009-09-10 05:10 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2009-09-10 05:06 . 2009-09-10 05:06 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
    2009-09-10 04:06 . 2009-09-10 04:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2009-09-10 04:05 . 2009-09-10 04:05 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2009-09-10 04:05 . 2009-09-10 05:10 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
    2009-09-09 05:46 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
    2009-09-02 04:30 . 2009-09-02 04:31 -------- d-----w- c:\program files\NETGEAR ReadyNAS
    2009-08-30 17:37 . 2009-08-30 17:37 -------- d-sh--w- c:\documents and settings\Verity\IECompatCache
    2009-08-29 07:15 . 2009-09-18 04:32 -------- d-----w- c:\documents and settings\Verity\Tracing
    2009-08-22 06:45 . 2009-08-22 06:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer
    2009-08-22 06:45 . 2009-08-22 06:45 -------- d-----w- c:\documents and settings\Verity\Application Data\Trusteer
    2009-08-21 14:01 . 2009-09-15 10:25 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-08-21 06:49 . 2009-08-21 07:02 -------- d-----w- c:\documents and settings\Verity\Application Data\PeaZip

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-09-19 08:39 . 2008-12-20 17:26 -------- d-----w- c:\documents and settings\Cyrus\Application Data\Apple Computer
    2009-09-15 15:59 . 2008-12-20 16:29 -------- d-----w- c:\documents and settings\Cyrus\Application Data\Skype
    2009-09-15 15:33 . 2008-12-20 16:30 -------- d-----w- c:\documents and settings\Cyrus\Application Data\skypePM
    2009-09-12 14:34 . 2008-12-30 13:17 -------- d-----w- c:\documents and settings\Verity\Application Data\Apple Computer
    2009-09-12 03:56 . 2009-04-06 13:34 -------- d-----w- c:\program files\Safari
    2009-09-12 03:53 . 2008-12-20 17:24 -------- d-----w- c:\program files\Common Files\Apple
    2009-09-10 04:06 . 2008-12-15 22:00 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-09-10 03:53 . 2009-03-31 07:45 -------- d-----w- c:\program files\Microsoft Silverlight
    2009-09-03 01:20 . 2008-12-24 06:06 -------- d-----w- c:\documents and settings\Cyrus\Application Data\U3
    2009-08-30 13:20 . 2009-08-27 17:08 664 ----a-w- c:\documents and settings\Verity\Local Settings\Application Data\d3d9caps.tmp
    2009-08-28 15:42 . 2009-04-06 15:05 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
    2009-08-28 15:42 . 2008-12-20 17:24 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2009-08-24 13:38 . 2009-01-01 17:20 -------- d-----w- c:\documents and settings\Verity\Application Data\Skype
    2009-08-24 12:57 . 2009-01-05 09:49 -------- d-----w- c:\documents and settings\Verity\Application Data\skypePM
    2009-08-21 12:39 . 2009-07-15 10:30 664 ----a-w- c:\documents and settings\Verity\Local Settings\Application Data\d3d9caps.dat
    2009-08-17 18:28 . 2009-08-16 17:43 -------- d-----w- c:\documents and settings\Cyrus\Application Data\PeaZip
    2009-08-16 17:43 . 2009-08-16 17:42 -------- d-----w- c:\program files\PeaZip
    2009-08-16 09:58 . 2009-08-16 09:58 18824 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-08-11 17:35 . 2009-04-19 05:34 -------- d-----w- c:\program files\epson
    2009-08-05 12:50 . 2009-03-24 18:40 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2009-08-05 09:01 . 2002-08-29 02:41 204800 ----a-w- c:\windows\system32\mswebdvd.dll
    2009-08-03 11:07 . 2009-08-03 11:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
    2009-08-03 11:07 . 2009-08-03 11:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
    2009-08-03 11:07 . 2009-08-03 11:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
    2009-07-17 19:01 . 2002-08-29 02:40 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-12 08:21 . 2004-08-04 07:56 233472 ------w- c:\windows\system32\wmpdxm.dll
    2009-07-03 17:09 . 2006-06-23 07:33 915456 ----a-w- c:\windows\system32\wininet.dll
    2009-06-25 08:25 . 2005-06-15 17:50 301568 ----a-w- c:\windows\system32\kerberos.dll
    2009-06-25 08:25 . 2002-09-20 17:49 54272 ----a-w- c:\windows\system32\wdigest.dll
    2009-06-25 08:25 . 2002-08-29 02:41 56832 ----a-w- c:\windows\system32\secur32.dll
    2009-06-25 08:25 . 2002-08-29 02:41 147456 ----a-w- c:\windows\system32\schannel.dll
    2009-06-25 08:25 . 2002-08-29 02:41 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-06-25 08:25 . 2002-08-29 02:41 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2009-06-24 11:18 . 2002-09-20 17:47 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
    @="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
    [HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
    2009-05-15 09:04 2833208 ----a-w- c:\program files\MozyHome\mozyshell.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
    @="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
    [HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
    2009-05-15 09:04 2833208 ----a-w- c:\program files\MozyHome\mozyshell.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-08 1994480]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="c:\windows\System32\igfxtray.exe" [2006-03-23 94208]
    "igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2006-03-23 77824]
    "igfxpers"="c:\windows\System32\igfxpers.exe" [2006-03-23 118784]
    "blackbyte-gui"="c:\program files\BlackBYTE Free Speech\bin\blackbyte-gui.exe" [2008-05-23 114176]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-24 209153]
    "VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-04 417792]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-08 305440]
    "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-22 339968]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2009-5-15 2871608]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-08 04:29 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Callcentric\\Callcentric Softphone\\Callcentric.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
    "c:\\Program Files\\EpsonNet\\EpsonNet Config V3\\ENConfig.exe"=
    "c:\\Program Files\\Epson Software\\Easy Photo Print\\EPQuicker.exe"=
    "c:\\WINDOWS\\twain_32\\escndv\\escndv.exe"=
    "c:\\Program Files\\NETGEAR ReadyNAS\\RAIDar.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*isabled:@xpsp2res.dll,-22009

    R1 mozyFilter;mozyFilter;c:\windows\system32\drivers\mozy.sys [07/04/2009 01:09 53752]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [04/12/2008 13:50 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [04/12/2008 13:50 74480]
    R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [24/03/2009 22:40 194817]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [24/03/2009 22:40 108289]
    R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [24/03/2009 22:40 434945]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [04/12/2008 13:50 7408]
    R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [03/06/2007 15:39 25472]
    R3 wsvad_driver;WS Audio Device;c:\windows\system32\drivers\VirtualAudio.sys [31/12/2008 01:35 16896]
    S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [21/12/2008 20:50 33752]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    .
    Contents of the 'Scheduled Tasks' folder

    2009-09-12 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 08:34]

    2009-09-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-1979792683-839522115-1004Core.job
    - c:\documents and settings\Verity\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-29 16:14]

    2009-09-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-1979792683-839522115-1004UA.job
    - c:\documents and settings\Verity\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-29 16:14]

    2009-09-19 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 11:07]

    2009-09-06 c:\windows\Tasks\SmartDefrag.job
    - c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-04-20 05:22]

    2009-09-19 c:\windows\Tasks\User_Feed_Synchronization-{590DC89D-AA86-41C0-9A3C-3F793DAF563D}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 00:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Cyrus\Application Data\Mozilla\Firefox\Profiles\jlhv3i22.default\
    FF - prefs.js: browser.search.selectedEngine - Creative Commons
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
    FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2009-09-19 12:52
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    @DACL=(02 0000)
    "Installed"="1"
    @=""

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    @DACL=(02 0000)
    "NoChange"="1"
    "Installed"="1"
    @=""

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    @DACL=(02 0000)
    "Installed"="1"
    @=""
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(836)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll

    - - - - - - - > 'lsass.exe'(892)
    c:\program files\Avira\AntiVir Desktop\avsda.dll

    - - - - - - - > 'explorer.exe'(3988)
    c:\windows\system32\WININET.dll
    c:\program files\MozyHome\mozyshell.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\program files\SUPERAntiSpyware\SASSEH.DLL
    c:\program files\Avira\AntiVir Desktop\shlext.dll
    c:\program files\Malwarebytes' Anti-Malware\mbamext.dll
    c:\program files\Epson Software\Easy Photo Print\EPTBL.dll
    c:\program files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    c:\program files\Microsoft Office\OFFICE11\msohev.dll
    .
    Completion time: 2009-09-19 12:54
    ComboFix-quarantined-files.txt 2009-09-19 08:54

    Pre-Run: 114,947,633,152 bytes free
    Post-Run: 117,347,721,216 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

    223 --- E O F --- 2009-09-18 06:20


    **************************************************************************


    GMER 1.0.15.15087 - GMER - Rootkit Detector and Remover
    Rootkit scan 2009-09-19 13:41:49
    Windows 5.1.2600 Service Pack 3
    Running: gmer.exe; Driver: C:\DOCUME~1\Cyrus\LOCALS~1\Temp\fxtdqpow.sys


    ---- System - GMER 1.0.15 ----

    SSDT F8AD127E ZwCreateKey
    SSDT F8AD1274 ZwCreateThread
    SSDT F8AD1283 ZwDeleteKey
    SSDT F8AD128D ZwDeleteValueKey
    SSDT F8AD1292 ZwLoadKey
    SSDT F8AD1260 ZwOpenProcess
    SSDT F8AD1265 ZwOpenThread
    SSDT F8AD129C ZwReplaceKey
    SSDT F8AD1297 ZwRestoreKey
    SSDT F8AD1288 ZwSetValueKey
    SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAA02E0B0]

    Code \??\C:\DOCUME~1\Cyrus\LOCALS~1\Temp\catchme.sys pIofCallDriver

    ---- Kernel code sections - GMER 1.0.15 ----

    ? C:\DOCUME~1\Cyrus\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
    ? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mozy.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)

    Device \FileSystem\Fastfat \Fat A89AAD20

    AttachedDevice \FileSystem\Fastfat \Fat mozy.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@

    ---- EOF - GMER 1.0.15 ----


    Thanks.

    Cyrus

  8. #8
    JohnB151, Forum Moderator (Join Date: Mar 2009; Location: The Netherlands; Posts: 951; Points: 38)

    Hi Cyrus,

    The logs look good indeed.

    Step 1: Remove HijackThis entry

    • Run HijackThis
    • Click on the Scan button
    • Put a check beside the item listed below (if present):

      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.



    Step 2: Run CFScript
    Open Notepad and copy/paste the text in the box into the window:

    Code:
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

    Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. For information on how to disable your anti-virus program please see this:
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

    After doing that close any open browsers.



    Referring to the picture above, drag CFScript into ComboFix.exe

    ComboFix will start scanning and when it opens its log please close it.

    Remember that the ComboFix log is saved here: C:\ComboFix.txt

    Step 3: Run CCleaner
    CCleaner will remove everything from the temp/temporary folders but please note that it will not make backups!

    • Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
    • Then select the items you wish to clean up.
      • In the Windows Tab:
        • Clean all entries in the Internet Explorer section except Cookies
        • Clean all the entries in the Windows Explorer section
        • Clean all entries in the System section
        • Clean all entries in the Advanced section
        • Clean any others that you choose

      • In the Applications Tab:
        • Clean all except cookies in the Firefox/Mozilla section if you use it
        • Clean all in the Opera section if you use it
        • Clean Sun Java in the Internet Section
        • Clean any others that you choose


    • Click the Run Cleaner button.
    • A pop up box will appear advising this process will permanently delete files from your system.
    • Click OK and it will scan and clean your system.
    • Click exit when done.
    • If it asks you to reboot at the end, click NO


    CCleaner should be run with the above settings for each User Account!

    Step 4: Run Malwarebytes' Anti-Malware
    Please start Malwarebytes' Anti-Malware by clicking the icon on your desktop or launching it from the start menu.

    • Go to the Update tab and click Check for Updates
    • If an update is found, it will download and install the latest version.
    • Once the program has updated, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Close the Notepad file.
    • The log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt



    Step 5: Update Java
    Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
    First remove the older versions:

    • Click Start
    • Go to Control Panel
    • Go to Add/Remove Programs
    • Find and click Remove for each version of Java that is present
    • Download JavaRa and unzip it to your desktop.
    • Double-click on JavaRa.exe to start the program.
    • From the drop-down menu, choose English and click on Select.
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
    • A logfile will pop up. Please save it to a convenient location.


    Now let's download and install the newest version:

    • Download JRE 6 Update 16 from here: Java SE Downloads - Sun Developer Network (SDN)
    • As Platform select your operating system, agree to the License Agreement and click Continue.
    • Now click on the link under Windows Offline Installation and download the installer to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Then from your desktop double-click on the download to install the newest version.
    • Reboot your computer.



    Step 6: Post logs
    Please post the following in a reply to this topic:

    • Let me know how your computer is running. Tell me about any problems you still have
    • New HJT log
    • ComboFix log
    • MBAM log
    • JavaRa log



    Regards,
    John.

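The CFScript in Step 2 was written by hand from the three entries under "LOCKED REGISTRY KEYS" in the ComboFix log posted earlier in the thread. The following Python script is an added example, not part of the thread or of ComboFix itself: it parses that section of a ComboFix log and emits the same RegLock:: block, assuming the section header and the [key] / "name"="data" layout look exactly as they do in the posted log (the sample log below is constructed from it).

```python
"""Build a ComboFix CFScript 'RegLock::' block from the LOCKED REGISTRY KEYS
section of a ComboFix log.

Added example for the forum thread above; not code from ComboFix or from the
thread.  Assumption: the section header and the [key] / "name"="data" layout
match the ComboFix log posted in the thread.
"""
import re

# Constructed sample: an abridged copy of the relevant part of the ComboFix
# log posted above, with the neighbouring sections kept so the parser has to
# find the right section and stop at its end.
SAMPLE_LOG = r"""
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
"""

# A ComboFix section header: dashes, a title, dashes.
SECTION_RE = re.compile(r"^-{3,}\s*(?P<name>.+?)\s*-{3,}$")
# A registry key line as ComboFix prints it: [HKEY_...\path].
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[A-Z_]+\\.+)\]$")
# A value line: "name"="data" or the default value @="data".
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|@)=(?P<data>.*)$')


def parse_locked_keys(log_text):
    """Return {key_path: {value_name: data}} for every key listed under the
    LOCKED REGISTRY KEYS section.  The @DACL line is kept under the name
    "@DACL" and the default value under "@".  Other sections are ignored."""
    keys = {}
    in_section = False
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            # Entering a new section: only the locked-keys one is of interest.
            in_section = header.group("name").upper() == "LOCKED REGISTRY KEYS"
            current = None
            continue
        if not in_section:
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group("key")
            keys[current] = {}
            continue
        if current is None:
            continue
        if line.startswith("@DACL="):
            keys[current]["@DACL"] = line[len("@DACL="):]
            continue
        value = VALUE_RE.match(line)
        if value:
            name = value.group("name") if value.group("name") is not None else "@"
            keys[current][name] = value.group("data").strip('"')
    return keys


def build_cfscript(keys):
    """Emit the CFScript text: a RegLock:: directive followed by one [key]
    line per locked key, in the order ComboFix listed them."""
    lines = ["RegLock::"] + [f"[{key}]" for key in keys]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Prints the same three-key RegLock:: block that Step 2 above pastes into
    # CFScript.txt; redirect the output to that file next to ComboFix.exe.
    print(build_cfscript(parse_locked_keys(SAMPLE_LOG)), end="")
```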
  9. #9
    Member (Join Date: Sep 2009; Posts: 5; Points: 0)

    Hi John,

    Removed the item mentioned in your previous post using HijackThis.
    I had Java 6 Update 14 and since the latest was J6 Update 15 I just updated my existing version. Is that ok or should I remove and re-install?

    So far no infections and no strange behavior from my computer. I ran all three scans and my logs are posted below:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 23:18:46, on 23/09/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\MozyHome\mozybackup.exe
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
    C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\Program Files\MozyHome\mozybackup.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\igfxpers.exe
    C:\Program Files\BlackBYTE Free Speech\bin\blackbyte-gui.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\vVX3000.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\MozyHome\mozystat.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\igfxsrvc.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
    O4 - HKLM\..\Run: [blackbyte-gui] C:\Program Files\BlackBYTE Free Speech\bin\blackbyte-gui.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1229377392531
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1229964710359
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Avira AntiVir WebGuard (AntiVirWebService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: MozyHome Backup Service (mozybackup) - Mozy, Inc. - C:\Program Files\MozyHome\mozybackup.exe
    O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\BlackBYTE Free Speech\bin\blackbyteserv.exe

    --
    End of file - 7779 bytes


    **************************************************************************


    ComboFix 09-09-20.04 - Cyrus 21/09/2009 22:38.2.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.227 [GMT 4:00]
    Running from: c:\documents and settings\Cyrus\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Cyrus\Desktop\CFScript.txt
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
    .

    ((((((((((((((((((((((((( Files Created from 2009-08-21 to 2009-09-21 )))))))))))))))))))))))))))))))
    .

    2009-09-21 10:57 . 2009-09-21 10:57 -------- d-----w- c:\documents and settings\Cyrus\Application Data\Office Genuine Advantage
    2009-09-20 07:43 . 2009-09-20 07:43 -------- d-----w- c:\documents and settings\Verity\Application Data\Office Genuine Advantage
    2009-09-20 05:30 . 2009-09-20 05:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
    2009-09-20 05:25 . 2009-09-20 05:25 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
    2009-09-20 05:25 . 2009-09-20 05:48 -------- d-----w- c:\program files\Google
    2009-09-16 04:23 . 2009-09-16 04:23 -------- d-----w- c:\documents and settings\Verity\Application Data\Malwarebytes
    2009-09-12 14:37 . 2009-09-12 14:37 18792 ---ha-w- c:\windows\system32\mlfcache.dat
    2009-09-12 03:56 . 2009-09-12 03:57 -------- d-----w- c:\program files\iPhone Configuration Utility
    2009-09-12 03:53 . 2009-09-12 03:53 -------- d-----w- c:\program files\iPod
    2009-09-12 03:53 . 2009-09-12 03:54 -------- d-----w- c:\program files\iTunes
    2009-09-12 03:53 . 2009-09-12 03:54 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    2009-09-12 03:48 . 2009-09-12 03:49 -------- d-----w- c:\program files\QuickTime
    2009-09-11 04:37 . 2009-09-11 04:37 -------- d-----w- c:\program files\Trend Micro
    2009-09-10 07:56 . 2009-09-10 07:56 -------- d-----w- c:\documents and settings\Cyrus\Application Data\Malwarebytes
    2009-09-10 07:56 . 2009-08-03 09:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-09-10 07:56 . 2009-09-10 07:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-09-10 07:56 . 2009-09-10 07:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-09-10 07:56 . 2009-08-03 09:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-09-10 05:10 . 2009-09-10 05:10 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2009-09-10 05:06 . 2009-09-10 05:06 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
    2009-09-10 04:06 . 2009-09-10 04:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2009-09-10 04:05 . 2009-09-10 04:05 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2009-09-10 04:05 . 2009-09-10 05:10 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
    2009-09-09 05:46 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
    2009-09-02 04:30 . 2009-09-02 04:31 -------- d-----w- c:\program files\NETGEAR ReadyNAS
    2009-08-30 17:37 . 2009-08-30 17:37 -------- d-sh--w- c:\documents and settings\Verity\IECompatCache
    2009-08-29 07:15 . 2009-09-21 14:37 -------- d-----w- c:\documents and settings\Verity\Tracing

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-09-21 14:33 . 2008-12-15 22:00 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-09-19 17:12 . 2009-08-21 14:01 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-09-19 08:39 . 2008-12-20 17:26 -------- d-----w- c:\documents and settings\Cyrus\Application Data\Apple Computer
    2009-09-15 15:59 . 2008-12-20 16:29 -------- d-----w- c:\documents and settings\Cyrus\Application Data\Skype
    2009-09-15 15:33 . 2008-12-20 16:30 -------- d-----w- c:\documents and settings\Cyrus\Application Data\skypePM
    2009-09-12 14:34 . 2008-12-30 13:17 -------- d-----w- c:\documents and settings\Verity\Application Data\Apple Computer
    2009-09-12 03:56 . 2009-04-06 13:34 -------- d-----w- c:\program files\Safari
    2009-09-12 03:53 . 2008-12-20 17:24 -------- d-----w- c:\program files\Common Files\Apple
    2009-09-10 03:53 . 2009-03-31 07:45 -------- d-----w- c:\program files\Microsoft Silverlight
    2009-09-03 01:20 . 2008-12-24 06:06 -------- d-----w- c:\documents and settings\Cyrus\Application Data\U3
    2009-08-30 13:20 . 2009-08-27 17:08 664 ----a-w- c:\documents and settings\Verity\Local Settings\Application Data\d3d9caps.tmp
    2009-08-28 15:42 . 2009-04-06 15:05 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
    2009-08-28 15:42 . 2008-12-20 17:24 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2009-08-24 13:38 . 2009-01-01 17:20 -------- d-----w- c:\documents and settings\Verity\Application Data\Skype
    2009-08-24 12:57 . 2009-01-05 09:49 -------- d-----w- c:\documents and settings\Verity\Application Data\skypePM
    2009-08-22 06:45 . 2009-08-22 06:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer
    2009-08-22 06:45 . 2009-08-22 06:45 -------- d-----w- c:\documents and settings\Verity\Application Data\Trusteer
    2009-08-21 12:39 . 2009-07-15 10:30 664 ----a-w- c:\documents and settings\Verity\Local Settings\Application Data\d3d9caps.dat
    2009-08-21 07:02 . 2009-08-21 06:49 -------- d-----w- c:\documents and settings\Verity\Application Data\PeaZip
    2009-08-17 18:28 . 2009-08-16 17:43 -------- d-----w- c:\documents and settings\Cyrus\Application Data\PeaZip
    2009-08-16 17:43 . 2009-08-16 17:42 -------- d-----w- c:\program files\PeaZip
    2009-08-16 09:58 . 2009-08-16 09:58 18824 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-08-11 17:35 . 2009-04-19 05:34 -------- d-----w- c:\program files\epson
    2009-08-05 12:50 . 2009-03-24 18:40 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2009-08-05 09:01 . 2002-08-29 02:41 204800 ----a-w- c:\windows\system32\mswebdvd.dll
    2009-08-03 11:07 . 2009-08-03 11:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
    2009-08-03 11:07 . 2009-08-03 11:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
    2009-08-03 11:07 . 2009-08-03 11:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
    2009-07-17 19:01 . 2002-08-29 02:40 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-12 08:21 . 2004-08-04 07:56 233472 ------w- c:\windows\system32\wmpdxm.dll
    2009-07-03 17:09 . 2006-06-23 07:33 915456 ------w- c:\windows\system32\wininet.dll
    2009-06-25 08:25 . 2005-06-15 17:50 301568 ----a-w- c:\windows\system32\kerberos.dll
    2009-06-25 08:25 . 2002-09-20 17:49 54272 ----a-w- c:\windows\system32\wdigest.dll
    2009-06-25 08:25 . 2002-08-29 02:41 56832 ----a-w- c:\windows\system32\secur32.dll
    2009-06-25 08:25 . 2002-08-29 02:41 147456 ----a-w- c:\windows\system32\schannel.dll
    2009-06-25 08:25 . 2002-08-29 02:41 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-06-25 08:25 . 2002-08-29 02:41 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2009-06-24 11:18 . 2002-09-20 17:47 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-09-19_08.52.44 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-09-21 18:16 . 2009-09-21 18:16 16384 c:\windows\Temp\Perflib_Perfdata_1d4.dat
    - 2008-12-15 21:05 . 2009-09-16 04:23 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-12-15 21:05 . 2009-09-20 19:55 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2008-12-15 21:05 . 2009-09-16 04:23 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-12-15 21:05 . 2009-09-20 19:55 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2009-09-20 19:55 . 2009-09-20 19:55 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2009-09-20 05:25 . 2009-09-20 05:25 22528 c:\windows\Installer\1b2fca.msi
    + 2009-09-20 05:28 . 2009-09-20 05:28 25214 c:\windows\Installer\{12803180-9CAD-11DE-B804-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74_1.exe
    + 2009-09-20 05:28 . 2009-09-20 05:28 25214 c:\windows\Installer\{12803180-9CAD-11DE-B804-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74.exe
    + 2009-09-20 05:28 . 2009-09-20 05:28 25214 c:\windows\Installer\{12803180-9CAD-11DE-B804-005056806466}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe
    + 2009-09-20 05:28 . 2009-09-20 05:28 25214 c:\windows\Installer\{12803180-9CAD-11DE-B804-005056806466}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe
    + 2009-09-20 05:28 . 2009-09-20 05:28 25214 c:\windows\Installer\{12803180-9CAD-11DE-B804-005056806466}\googleearth.exe1_F6A848FB884248E6A4CDCBDCF41F6A74.exe
    + 2009-09-20 05:28 . 2009-09-20 05:28 25214 c:\windows\Installer\{12803180-9CAD-11DE-B804-005056806466}\googleearth.exe_F6A848FB884248E6A4CDCBDCF41F6A74.exe
    + 2009-09-20 05:28 . 2009-09-20 05:28 25214 c:\windows\Installer\{12803180-9CAD-11DE-B804-005056806466}\ARPPRODUCTICON.exe
    + 2009-09-20 05:28 . 2009-09-20 05:28 1258496 c:\windows\Installer\1b2fd0.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
    @="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
    [HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
    2009-05-15 09:04 2833208 ----a-w- c:\program files\MozyHome\mozyshell.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
    @="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
    [HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
    2009-05-15 09:04 2833208 ----a-w- c:\program files\MozyHome\mozyshell.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-08 1994480]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="c:\windows\System32\igfxtray.exe" [2006-03-23 94208]
    "igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2006-03-23 77824]
    "igfxpers"="c:\windows\System32\igfxpers.exe" [2006-03-23 118784]
    "blackbyte-gui"="c:\program files\BlackBYTE Free Speech\bin\blackbyte-gui.exe" [2008-05-23 114176]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-24 209153]
    "VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-04 417792]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-08 305440]
    "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-22 339968]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2009-5-15 2871608]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-08 04:29 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Callcentric\\Callcentric Softphone\\Callcentric.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
    "c:\\Program Files\\EpsonNet\\EpsonNet Config V3\\ENConfig.exe"=
    "c:\\Program Files\\Epson Software\\Easy Photo Print\\EPQuicker.exe"=
    "c:\\WINDOWS\\twain_32\\escndv\\escndv.exe"=
    "c:\\Program Files\\NETGEAR ReadyNAS\\RAIDar.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*isabled:@xpsp2res.dll,-22009

    R1 mozyFilter;mozyFilter;c:\windows\system32\drivers\mozy.sys [07/04/2009 01:09 53752]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [04/12/2008 13:50 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [04/12/2008 13:50 74480]
    R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [24/03/2009 22:40 194817]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [24/03/2009 22:40 108289]
    R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [24/03/2009 22:40 434945]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [04/12/2008 13:50 7408]
    R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [03/06/2007 15:39 25472]
    R3 wsvad_driver;WS Audio Device;c:\windows\system32\drivers\VirtualAudio.sys [31/12/2008 01:35 16896]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [20/09/2009 09:25 133104]
    S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [21/12/2008 20:50 33752]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - SASDIFSV

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    .
    Contents of the 'Scheduled Tasks' folder

    2009-09-12 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 08:34]

    2009-09-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-09-20 05:25]

    2009-09-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-09-20 05:25]

    2009-09-21 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 11:07]

    2009-09-21 c:\windows\Tasks\User_Feed_Synchronization-{590DC89D-AA86-41C0-9A3C-3F793DAF563D}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 00:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Cyrus\Application Data\Mozilla\Firefox\Profiles\jlhv3i22.default\
    FF - prefs.js: browser.search.selectedEngine - Creative Commons
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
    FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-{2B0CDD4D-5C1A-47F7-89E2-9BF604670ABC} - c:\program files\InstallShield Installation Information\{2B0CDD4D-5C1A-47F7-89E2-9BF604670ABC}\setup.exe
    AddRemove-{3E31400D-274E-4647-916C-2CACC3741799} - c:\program files\InstallShield Installation Information\{3E31400D-274E-4647-916C-2CACC3741799}\ENPSETUP.exe
    AddRemove-{DEDB47A3-C988-4A43-A645-E2CEA571E680} - c:\program files\InstallShield Installation Information\{DEDB47A3-C988-4A43-A645-E2CEA571E680}\SETUP.EXE



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2009-09-21 22:46
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(832)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll

    - - - - - - - > 'lsass.exe'(888)
    c:\program files\Avira\AntiVir Desktop\avsda.dll

    - - - - - - - > 'explorer.exe'(3712)
    c:\windows\system32\WININET.dll
    c:\program files\MozyHome\mozyshell.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\program files\SUPERAntiSpyware\SASSEH.DLL
    c:\program files\Avira\AntiVir Desktop\shlext.dll
    c:\program files\Malwarebytes' Anti-Malware\mbamext.dll
    c:\program files\Epson Software\Easy Photo Print\EPTBL.dll
    c:\program files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    .
    Completion time: 2009-09-21 22:48
    ComboFix-quarantined-files.txt 2009-09-21 18:48
    ComboFix2.txt 2009-09-19 08:54

    Pre-Run: 115,593,125,888 bytes free
    Post-Run: 115,567,329,280 bytes free

    232 --- E O F --- 2009-09-18 06:20



    **************************************************************************

    Malwarebytes' Anti-Malware 1.41
    Database version: 2837
    Windows 5.1.2600 Service Pack 3

    22/09/2009 07:16:14
    mbam-log-2009-09-22 (07-16-14).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 164710
    Time elapsed: 35 minute(s), 4 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    Do you think this is the last round? Thanks.

    BR

    Cyrus
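The HijackThis O4/O20/O23 entries and the ComboFix "Reg Loading Points" above are the kind of listing a helper reads by eye, looking for autoruns that load from places a normal user can write to, bare file names that depend on the PATH search order, DLLs hooked into winlogon.exe, and services with no vendor string. As an added example (not part of Cyrus's post and not code from HijackThis or ComboFix), here is a small Python triage script that applies those four checks to HijackThis-style lines. The embedded log is a constructed sample in the style of the listing above; the "updater" entry is hypothetical and exists only to exercise the profile-directory check. Everything it flags is a review item, not a verdict: HijackThis prints "Unknown owner" whenever the binary carries no company name in its version info, and a Winlogon Notify DLL outside system32 can belong to a legitimate security product, as SASWINLO.DLL does here.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the page)."""
import re
from typing import Dict, List

# Constructed sample in the style of the HijackThis log above. The "updater"
# entry is hypothetical and is here only to exercise the profile-directory check.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\User\Local Settings\Temp\svchost.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\BlackBYTE Free Speech\bin\blackbyteserv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

O4_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Program path: the first quoted token, or the first token ending in a PE/script extension.
EXE_RE = re.compile(
    r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|dll|scr|com|bat|cmd|pif))(?=\s|$)', re.I
)
# Directory name fragments a standard user can write to on Windows XP.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\")


def executable_from_command(cmd: str) -> str:
    """Return the program path from an autorun command line ('' if unparseable)."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return ""
    return m.group("q") or m.group("u")


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return review items found in HijackThis O4, O20 and O23 lines."""
    findings: List[Dict[str, str]] = []

    def flag(section: str, name: str, path: str, reason: str) -> None:
        findings.append({"section": section, "name": name, "path": path, "reason": reason})

    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            path = executable_from_command(m["cmd"])
            low = path.lower()
            if not path:
                flag("O4", m["name"], m["cmd"], "no program path could be extracted; inspect by hand")
            elif not re.match(r"^[a-z]:\\", low):
                flag("O4", m["name"], path,
                     "bare file name: resolved through the PATH search order, "
                     "confirm which file on disk actually runs")
            elif any(marker in low for marker in USER_WRITABLE):
                flag("O4", m["name"], path, "autorun from a user-writable profile directory")
        elif m := O20_RE.match(line):
            if "\\windows\\system32\\" not in m["path"].lower():
                flag("O20", m["name"], m["path"],
                     "Winlogon notification DLL outside system32; it loads into "
                     "winlogon.exe, so verify the publisher")
        elif m := O23_RE.match(line):
            if m["owner"].strip().lower() == "unknown owner":
                flag("O23", m["name"], m["path"],
                     "service binary carries no vendor string; check its signature and origin")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['name']}: {f['path']}\n    {f['reason']}")
```

Global Startup (.lnk) entries and the O2/O16 lines are deliberately left alone; the script only covers the four patterns above, and a clean run is not evidence of a clean machine.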

  10. #10
    JohnB151 (Forum Moderator, The Netherlands)

    Hi Cyrus,

    I had Java 6 update 14 and since the latest was J6 Update 15 I just updated my existing version. Is that ok or should I remove and re-install?
    The current one is JRE Update 16, so you can follow the instructions from my last post again if you want to:
    Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
    First remove the older versions:

    • Click Start
    • Go to Control Panel
    • Go to Add/Remove Programs
    • Find and click Remove for each version of Java that is present
    • Download JavaRa and unzip it to your desktop.
    • Double-click on JavaRa.exe to start the program.
    • From the drop-down menu, choose English and click on Select.
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
    • A logfile will pop up. Please save it to a convenient location.


    Now let's download and install the newest version:

    • Download JRE 6 Update 16 from here: Java SE Downloads - Sun Developer Network (SDN)
    • As Platform select your operating system, agree to the License Agreement and click Continue.
    • Now click on the link under Windows Offline Installation and download the installer to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Then from your desktop double-click on the download to install the newest version.
    • Reboot your computer.
    This is my normal post for when you are clear - which you now are - or seem to be.
    Please advise of any problems you still have. If you think you're clean please give one more reply so that I can archive this topic.

    Now that you are clean, I have some tips & tricks for you to keep your computer clean and secure. The first few (like removing dangerous tools and Windows Update) have to be done; the others are optional (beginning with SpywareBlaster).

    It may seem like your system will be over-protected with all these things installed, but a lot of these programs aren't always running in the background, so they don't slow down your computer. Please take a look at the following things:

    • Uninstall tools - The following will not only uninstall ComboFix but also clean up some other dangerous tools and backups, clean up the System Restore points and hide the system files.

      • Go to Start
      • Click on Run
      • Type ComboFix /u (Note: This command is case sensitive.)


      After doing that with ComboFix, do this with OTCleanIt to remove the tools not removed by ComboFix.

      • Download OTCleanIt from here to your desktop.
      • Click the OTC icon on your desktop.
      • Click the CleanUp button.
      • If you get any pop ups asking if it is OK let the program proceed.
      • At the end the program will ask to let it reboot the computer. Let it do so.


      You may delete any logs and other tools left on the desktop.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:

      • From within Internet Explorer click on the Tools menu and then click on Options.
      • Click once on the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Click once on the Custom Level button.

        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.


      • Next press the Apply button and then the OK to exit the Internet Properties page.


    • Update your Anti-Virus Software - It is imperative that you update your anti-virus software at least once a week (even more often if you wish). If you do not update your anti-virus software then it will not be able to catch any of the new variants that may come out.
    • Visit Microsoft's Update Site Frequently - It is important that you visit http://update.microsoft.com/ regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
    • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. You can download it here:
      SpywareBlaster
    • Install MVPS HOSTS - This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
      For information on how to download and install, please read this tutorial here:
      WinHelp2002
      Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.
    • Use an alternative Internet Browser - Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
      Firefox << Most used, I use this one myself.
      Opera
    • Bookmark general cleanup link - It could be that your computer is becoming slower and slower. This is not always caused by malware. Most of the time it's malware when your computer suddenly gets slow or behaves strangely. When the slowdown increases gradually, check (so bookmark it now) this link for tips & tricks:
      What to do if your Computer's running slowly
    • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.



    Follow this list and your potential for being infected again will reduce dramatically.

    Stand Up and Be Counted!
    Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints called Malware Complaints. Please register there first! Then follow the instructions here:
    Malware that you were infected with -- malwarecomplaints.info

    >> Here << you can see how you can help us.

    May your God go with you..

    John.
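The six Internet-zone settings in John's "Make your Internet Explorer more secure" list live in the registry, so they can be applied and read back from a command prompt instead of clicking through the Custom Level dialog. The batch file below is an added example, not part of John's post or of any of the tools he names. It assumes Windows XP's built-in reg.exe, the per-user zone key under HKCU, and the action IDs Microsoft documents for the security-zone registry layout (KB 182569); the mapping of Prompt and Disable to 1 and 3 follows that same documentation.

```batch
@echo off
rem Added example (not from the original post): applies the six Internet-zone
rem settings from the list above with reg.exe and reads them back afterwards.
rem
rem Zone 3 is the "Internet" zone. Action IDs (Microsoft KB 182569):
rem   1001  Download signed ActiveX controls
rem   1004  Download unsigned ActiveX controls
rem   1201  Initialise and script ActiveX controls not marked as safe
rem   1800  Installation of desktop items
rem   1804  Launching programs and files in an IFRAME
rem   1607  Navigate sub-frames across different domains
rem Values: 0 = Enable, 1 = Prompt, 3 = Disable.
rem The key is per user (HKCU), so run this in every account that uses IE.

setlocal
set "ZONE=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

echo === Current values (before; a missing value means the zone default applies) ===
for %%A in (1001 1004 1201 1800 1804 1607) do reg query "%ZONE%" /v %%A 2>nul

rem Prompt (1) for the four items that should ask before doing anything
for %%A in (1001 1800 1804 1607) do reg add "%ZONE%" /v %%A /t REG_DWORD /d 1 /f >nul

rem Disable (3) for the two items that should never run at all
for %%A in (1004 1201) do reg add "%ZONE%" /v %%A /t REG_DWORD /d 3 /f >nul

echo === Values after ===
for %%A in (1001 1004 1201 1800 1804 1607) do reg query "%ZONE%" /v %%A
endlocal
```

Close Internet Explorer before running it, then reopen Tools, Internet Options, Security, Custom Level and confirm the dialog shows the new choices. One caveat: if the DWORD `Security_HKLM_only` under HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings is set to 1, IE takes its zone settings from the HKLM copy of the Zones key and these per-user values are ignored, so check that value if the dialog does not reflect the change.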
