JFMid

Adaware losing the fight


Hello All,
Adaware is blocking a trojan; repeated scans "remove" it, but then it's really still there :). Internet won't respond and I had to post this stuff on another station. Followed directions as best as possible and so am attaching logs as indicated, from a CD that I burned of the logs.
Any help is greatly appreciated.

Thanks

John

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-18 13:46:22
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Scsi\ahcix861Port2Path0Target0Lun0 Hitachi_ rev.GM4O
Running: ogpi9ubp.exe; Driver: C:\DOCUME~1\JOHNMI~1\LOCALS~1\Temp\kgldqpog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software) ZwCreateKey [0xB9D504D0]
SSDT \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software) ZwSetValueKey [0xB9D50520]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB29B5000, 0x267537, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Real\RealPlayer\update\realsched.exe[324] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\WINDOWS\system32\SearchIndexer.exe[2680] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5284] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4D9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5284] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E35272E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5284] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3526AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5284] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3526F3 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5284] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E35263B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5284] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E352675 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5284] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E352769 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5284] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E20178A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5284] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E352944 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
? C:\Documents and Settings\John Midlige\Application Data\Microsoft\svchost.exe[5628] IMAGE_DOS_SIGNATURE not found;

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:15:38 PM, on 11/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17091)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AMD\RAIDXpert\bin\RAIDXpertService.exe
C:\Program Files\AMD\RAIDXpert\bin\RAIDXpert.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Materialise\LicenseFiles\LicSrv50.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\John Midlige\Application Data\Microsoft\Windows\shell.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\John Midlige\Application Data\Microsoft\svchost.exe
C:\DOCUME~1\JOHNMI~1\LOCALS~1\Temp\dwm.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Alienware\AlienFX\AlienwareAlienFXController.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\360client\Track360Client.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell\XPS Thermal Monitor\ThermalApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Dentrix\WebSyncReminder.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\WinMsgBalloonServer.exe
C:\WINDOWS\system32\WinMsgBalloonClient.exe
C:\Program Files\Alienware\AlienFX\AlienFXHook32Mngr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USCON/1
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.com/USCON/1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\DOCUME~1\JOHNMI~1\LOCALS~1\Temp\dwm.exe
O1 - Hosts: ÿþ127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AlienFX Controller] "C:\Program Files\Alienware\AlienFX\AlienwareAlienFXController.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [360client] C:\360client\Track360Client.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real\RealPlayer\update\realsched.exe" -osboot
O4 - HKLM\..\Run: [svchost] C:\Documents and Settings\John Midlige\Application Data\Microsoft\svchost.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [XPS Thermal Monitor] C:\Program Files\Dell\XPS Thermal Monitor\ThermalApp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WebSync Reminder.lnk = C:\Program Files\Dentrix\WebSyncReminder.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.onlineordering.materialisedental.com (HKLM)
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: AMD RAIDXpert (AMD_RAIDXpert) - AMD - C:\Program Files\AMD\RAIDXpert\bin\RAIDXpertService.exe
O23 - Service: AODService - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Materialise Local License Server 5.0 (MatLocalLicenceServer50) - Unknown owner - C:\Program Files\Common Files\Materialise\LicenseFiles\LicSrv50.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 11819 bytes

Sorry, I didn't mention that I did run the Adaware scan after an update today but was not able to post a log.
Also did the backups as mentioned in step 1.
Erunt and the other whose name escapes me as I'm on another machine. Mine won't respond and won't let me log onto Lavasoft. These trojans and such are getting more sophisticated every day. Now they block you from going to a site that might help kill them. It's unreal.

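The entries in the log above that a malware-removal helper zeroes in on (a second svchost.exe under the user's Application Data, a dwm.exe in Temp started through win.ini, an Internet Explorer proxy pointing at 127.0.0.1, and a service whose image path does not resolve) can be written down as checks. The script below is an added example for this page, not a tool anyone in the thread used; its sample lines are constructed from the HijackThis log above, and the rule names and the list of expected system-binary locations are its own assumptions.

```python
"""Triage checks for HijackThis-style log lines (added example, not a thread tool).

The rules encode what a helper looks for in a log like the one above: a copy
of svchost.exe under a user profile, a Temp-resident dwm.exe started via
win.ini, an IE proxy pointing at the loopback interface, and a service whose
image path does not resolve.
"""
import re
from collections import Counter
from typing import Dict, List

# Windows system binaries with a single legitimate location (assumed list).
# A file of the same name anywhere else is masquerading. dwm.exe only shipped
# from Vista on, so on XP any copy deserves a look; the rule still only flags
# copies outside the expected path.
EXPECTED_LOCATION = {
    "winlogon.exe": r"c:\windows\system32\winlogon.exe",
    "services.exe": r"c:\windows\system32\services.exe",
    "lsass.exe": r"c:\windows\system32\lsass.exe",
    "svchost.exe": r"c:\windows\system32\svchost.exe",
    "dwm.exe": r"c:\windows\system32\dwm.exe",
    "explorer.exe": r"c:\windows\explorer.exe",
}

# A drive-letter path ending in an executable extension. Non-greedy so the
# match stops at the first extension, which copes with quoted paths that
# contain spaces as well as "C:\Program.exe (file missing)".
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|sys|cpl)\b", re.IGNORECASE)

# "ProxyServer = http=127.0.0.1:50370": every HTTP request is handed to a
# process listening on the local machine before it reaches the network.
LOOPBACK_PROXY_RE = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?(127\.0\.0\.1|localhost):(\d+)", re.IGNORECASE
)

# Constructed sample, modelled on the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\John Midlige\Application Data\Microsoft\svchost.exe
C:\DOCUME~1\JOHNMI~1\LOCALS~1\Temp\dwm.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
F3 - REG:win.ini: load=C:\DOCUME~1\JOHNMI~1\LOCALS~1\Temp\dwm.exe
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O4 - HKLM\..\Run: [svchost] C:\Documents and Settings\John Midlige\Application Data\Microsoft\svchost.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O23 - Service: AODService - Unknown owner - C:\Program.exe (file missing)
"""


def in_user_writable_location(path: str) -> bool:
    """Per-user profile or Temp, 8.3 short forms included. 'All Users' is
    excluded: that is the shared ProgramData area, a normal home for plugins."""
    p = path.lower()
    if "\\all users\\" in p:
        return False
    return any(m in p for m in ("\\temp\\", "\\locals~1\\", "\\docume~1\\",
                                "\\documents and settings\\"))


def triage(log_text: str) -> List[Dict[str, str]]:
    """One finding per (line, rule) hit; a clean log yields an empty list."""
    findings: List[Dict[str, str]] = []

    def hit(rule: str, line: str, detail: str) -> None:
        findings.append({"rule": rule, "line": line, "detail": detail})

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOOPBACK_PROXY_RE.search(line)
        if m:
            hit("loopback-proxy", line,
                f"IE proxy is {m.group(1)}:{m.group(2)}; a local process sits between browser and network")
        if line.startswith("F3 - REG:win.ini: load="):
            hit("win-ini-load", line,
                "legacy Windows 3.x autostart; almost never used by legitimate software on XP")
        if "(file missing)" in line:
            hit("missing-service-image", line,
                "service image path does not resolve (removed file, or an unquoted path with spaces)")
        for path in PATH_RE.findall(line):
            name = path.rsplit("\\", 1)[-1].lower()
            expected = EXPECTED_LOCATION.get(name)
            if expected and path.lower() != expected:
                hit("masquerading-system-binary", line,
                    f"{name} at {path}, expected {expected}")
            if in_user_writable_location(path):
                hit("exe-in-user-writable-location", line,
                    f"{path} lives in a profile or Temp directory")
    return findings


def rule_counts(findings: List[Dict[str, str]]) -> Dict[str, int]:
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f['rule']}] {f['detail']}")
    print(rule_counts(results))
```

Run against the sample, the two legitimate process lines and the iTunes and RealPlayer entries pass quietly, while each of the four suspicious lines trips at least one rule; the "(file missing)" hit on AODService matches what the ComboFix log later shows, an ImagePath of `c:\program files\AMD\OverDrive\AODAssist` with no quotes, which the service loader splits at the first space.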
Download ComboFix here :

[url="http://download.bleepingcomputer.com/sUBs/ComboFix.exe"][b][color="blue"]Link 1[/color][/b][/url]
[url="http://www.forospyware.com/sUBs/ComboFix.exe"][b][color="blue"]Link 2[/color][/b][/url]


[color="purple"][b]* IMPORTANT !!! Save ComboFix.exe to your Desktop[/b][/color]

[list]
[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

[url="http://www.bleepingcomputer.com/forums/topic114351.html"][b]Click me[/b][/url]


[*]Double click on ComboFix.exe & follow the prompts.


[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
[/list]
[color="blue"]**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.[/color]


[center][img]http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif[/img][/center]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[img]http://img.photobucket.com/albums/v706/ried7/whatnext.png[/img]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the [b]C:\ComboFix.txt[/b] log in your next reply.

ComboFix 10-11-18.04 - John Midlige 11/19/2010 8:44.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3316.2350 [GMT -5:00]
Running from: c:\documents and settings\John Midlige\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\John Midlige\Application Data\Microsoft\stor.cfg
c:\documents and settings\John Midlige\Application Data\Microsoft\svchost.exe
c:\documents and settings\John Midlige\GoToAssistDownloadHelper.exe
C:\Install.exe
c:\windows\jestertb.dll

.
((((((((((((((((((((((((( Files Created from 2010-10-19 to 2010-11-19 )))))))))))))))))))))))))))))))
.

2010-11-19 12:38 . 2010-11-19 12:38 172 ---ha-w- C:\aaw7boot.cmd
2010-11-18 18:52 . 2010-11-18 18:52 -------- d-----w- c:\program files\Trend Micro
2010-11-18 13:41 . 2010-11-18 13:41 -------- d-----w- C:\_OTM
2010-11-16 16:29 . 2010-11-04 00:57 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2010-11-16 16:29 . 2010-11-04 00:57 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2010-11-16 16:21 . 2010-11-16 16:21 -------- d-----w- c:\program files\iPod
2010-11-16 16:21 . 2010-11-16 16:22 -------- d-----w- c:\program files\iTunes
2010-11-11 15:19 . 2010-11-11 15:19 -------- d-----w- c:\program files\Common Files\xing shared
2010-11-11 15:18 . 2010-11-11 15:19 -------- d-----w- c:\program files\Real

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-04 00:57 . 2009-11-18 19:55 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-09-18 16:23 . 2008-04-25 16:16 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-25 16:16 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-25 16:16 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2008-04-25 16:16 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-09 13:38 . 2008-04-25 16:16 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38 . 2008-04-25 16:16 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38 . 2008-04-25 16:16 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38 . 2008-04-25 16:16 17408 ----a-w- c:\windows\system32\corpol.dll
2010-09-08 15:57 . 2008-04-25 16:16 389120 ----a-w- c:\windows\system32\html.iec
2010-09-08 15:17 . 2010-09-08 15:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17 . 2010-09-08 15:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51 . 2008-04-25 16:16 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:38 . 2008-04-25 16:16 1861888 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2008-04-25 16:16 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2008-04-25 16:16 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2008-04-25 16:16 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-06-26 17:42 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2008-04-25 16:16 617472 ----a-w- c:\windows\system32\comctl32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XPS Thermal Monitor"="c:\program files\Dell\XPS Thermal Monitor\ThermalApp.exe" [2008-12-09 303104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-11-17 16876032]
"AlienFX Controller"="c:\program files\Alienware\AlienFX\AlienwareAlienFXController.exe" [2008-10-29 79872]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-11-16 928496]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"360client"="c:\360client\Track360Client.exe" [2009-04-06 2406400]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-08-04 98304]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-03-04 311296]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2010-11-11 274608]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-11 421160]

c:\documents and settings\John Midlige\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-9-16 972064]
WebSync Reminder.lnk - c:\program files\Dentrix\WebSyncReminder.exe [2008-10-28 86016]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-06-21 03:05 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2009-12-15 22:13 15216 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eSync Reminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eSync Reminder.lnk
backup=c:\windows\pss\eSync Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WebSync Reminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WebSync Reminder.lnk
backup=c:\windows\pss\WebSync Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
2009-01-30 05:50 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DtxQuickLaunch.exe]
2010-03-10 14:44 89240 ----a-w- c:\program files\Dentrix\DtxQuickLaunch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmapp]
2009-07-08 06:53 472112 ----a-w- c:\program files\Pure Networks\Network Magic\nmapp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmctxth]
2009-07-07 18:48 647216 ----a-w- c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-09-12 11:40 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Materialise Dental\\SimPlant Planner 13.0\\SimPlant Planner.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe"= c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe:LocalSubNet,0.0.0.0/255.255.255.255:Enabled:Pure Networks Platform Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [6/21/2009 12:36 AM 184848]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/10/2009 10:09 AM 64288]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [11/16/2010 11:29 AM 21464]
R2 AMD_RAIDXpert;AMD RAIDXpert;c:\program files\AMD\RAIDXpert\bin\RAIDXpertService.exe [10/2/2008 6:26 PM 122880]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [12/18/2008 1:05 PM 155648]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1375992]
R2 MatLocalLicenceServer50;Materialise Local License Server 5.0;c:\program files\Common Files\Materialise\LicenseFiles\LicSrv50.exe [9/24/2009 9:08 AM 249856]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [11/16/2010 11:29 AM 69976]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/11/2010 7:56 AM 15264]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [11/18/2009 2:55 PM 98392]
S2 AODService;AODService;c:\program files\AMD\OverDrive\AODAssist --> c:\program files\AMD\OverDrive\AODAssist [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/12/2009 6:41 AM 133104]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [5/14/2008 10:32 AM 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [5/14/2008 10:32 AM 166384]
S2 SessionLauncher;SessionLauncher;c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [5/14/2008 10:31 AM 1120752]
S3 RTLE8023;Realtek 10/100/1000 PCI-E NIC Family NT Driver;c:\windows\system32\drivers\rtenic.sys [6/21/2009 12:36 AM 106880]
S3 RTLE8023x64;Realtek 10/100/1000 PCI-E NIC Family NDIS XP(x64) Driver;c:\windows\system32\drivers\rtenic64.sys [6/21/2009 12:36 AM 137216]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - LAVASOFT_KERNEXPLORER
.
Contents of the 'Scheduled Tasks' folder

2010-11-19 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:28]

2010-11-19 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:28]

2010-11-19 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:28]

2010-11-19 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:28]

2010-11-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-11-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-12 11:40]

2010-11-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-12 11:41]

2010-11-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-12 11:41]

2010-11-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1297400538-4046397756-1200451295-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-10-20 23:32]

2010-11-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1297400538-4046397756-1200451295-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-10-20 23:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:50370
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: onlineordering.materialisedental.com
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ISUSPM - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
MSConfigStartUp-mcagent_exe - c:\program files\McAfee.com\Agent\mcagent.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-19 08:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\JOHNMI~1\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AODService]
"ImagePath"="c:\program files\AMD\OverDrive\AODAssist"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
Completion time: 2010-11-19 08:49:15
ComboFix-quarantined-files.txt 2010-11-19 13:49

Pre-Run: 429,064,200,192 bytes free
Post-Run: 429,019,828,224 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 4F3A4044913DEB45433183B9B350D964





A scan by Adaware last PM showed no problems, but this AM when I got to the office it had found the trojan again and had quarantined it.
Thanks for your help so far
