WiredWX Christian Hobby Weather Tools
Need help removing malware

I haven't been able to ID this malware that infected my machine last night. Started by getting a fake-looking Windows Security pop-up referring to a Spyware:ISpynow infection, and to click a button to get removal tools. Didn't click - just closed the pop-up. Chrome stopped working - could no longer find any pages I attempted to browse to. IE seems to be working; however, when I do searches with Google or Live Search the results seem to be hijacked. Clicking on them goes to various bogus (or maybe just random) sites. Tried installing the latest mbam - won't run. I see mbam-setup.exe in my process list but nothing happens. Have been able to run SUPERAntiSpyware, although not all the time. It found Trojan.Dropper/SVCHost-Fake and I have it quarantined. Browsing C:\Documents and Settings\\Application Data\Google with Win Explorer I found two bogus files "ijdkq12234484.exe" and "spclrp.dll" - moved them to \temp for now.

Any help would be greatly appreciated.

Thanks!

HijackThis log to follow...

Need help removing malware - HijackThis Log Part 1

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:21 AM, on 11/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Avtec, Inc\CPS\FileZilla Server\FileZilla Server.exe
C:\WINDOWS\system32\hasplms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\MicroTouch\MT7\TwService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Xobni\XobniService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Microsoft Reference\Bookshelf 98\qshelf98.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\PC Connectivity Solution\NclBTHandler.exe
D:\Xfer\mbam-setup.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\_VR32W.EXE
C:\Program Files\HijackThis\HijackThis.exe

Need help removing malware - HijackThis Log Part 2

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/go/notebookaccessories
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 206.74.184.13 av_subversion # Avtec subversion repository\
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 5.0\SetHook.exe
O4 - HKLM\..\Run: [openvpn-gui] C:\Program Files\OpenVPN\bin\openvpn-gui.exe
O4 - HKLM\..\Run: [Console Monitor] "C:\Program Files\Avtec, Inc\Scout\ConsoleMonitor.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Kurt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Qshelf.lnk = C:\Program Files\Microsoft Reference\Bookshelf 98\qshelf98.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

Re: Need help removing malware

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O15 - Trusted Zone: *.line6.net
O15 - Trusted IP range: http://172.16.0.5
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&4&04.00.07.02&unknown&unknown&http://www.remington.com/products/firearms/3-D/model_700_BDL/
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201836061640
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201836050843
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Avtec VPGate - Avtec, Inc. - C:\Program Files\Avtec, Inc\VPGate\VPGate.exe
O23 - Service: Axon Service (AxonService) - Unknown owner - C:\Program Files\NCH Swift Sound\Axon\axon.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Avtec Business Layer (BusinessService.exe) - Avtec, Inc. - C:\Program Files\Avtec, Inc\Scout\BusinessService.exe
O23 - Service: Avtec Console Manager (ConsoleMgrSvc.exe) - Avtec, Inc. - C:\Program Files\Avtec, Inc\Scout\ConsoleMgrSvc.exe
O23 - Service: Avtec Control Layer (ControlService.exe) - Avtec, Inc. - C:\Program Files\Avtec, Inc\Scout\ControlService.exe
O23 - Service: Avtec Centralized Project Storage (CPSSvc.exe) - Avtec, Inc. - C:\Program Files\Avtec, Inc\CPS\CPSSvc.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\Avtec, Inc\CPS\FileZilla Server\FileZilla Server.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Avtec Media Workstation 1900-316-42xx (MediaWkstnSvc.exe) - Avtec, Inc. - C:\Program Files\Avtec, Inc\Scout\MediaWkstnSvc.exe
O23 - Service: MSS Simulator (MSS) - Avtec, Inc. - D:\My Projects\Avtec\Visual Studio 2005\Newport\Avtec SVN Repository\FrontEndApps\bin\Debug\mss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: MT7 Serial Search Service (TwDrvService) - 3M Touch Systems, Inc. - C:\Program Files\MicroTouch\MT7\TwService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
O23 - Service: XobniService - Xobni Corporation - C:\Program Files\Xobni\XobniService.exe

--
End of file - 18994 bytes
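As an added example (not part of this thread, and not code from HijackThis), here is a small Python triage script that parses lines in the HijackThis v2 format posted above and flags the entries a reviewer usually looks at first: orphaned entries marked "(no file)", hosts-file overrides (O1), services with no publisher name (O23 "Unknown owner"), and autostarts (O4) whose executable lives inside a user profile rather than Program Files or the Windows directory. The sample lines are constructed: most are copied from the log above, and the "nah_Shell" line is modelled on the ComboFix Run entry in this thread. The rule set, the `Finding` type and the function names are my own assumptions, not anything HijackThis provides.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# Constructed sample input in HijackThis v2 line format, modelled on the
# log posted above plus one autostart entry modelled on the ComboFix output.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 206.74.184.13 av_subversion # Avtec subversion repository
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Kurt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [nah_Shell] C:\Documents and Settings\Kurt\nah_tvmn.exe
O23 - Service: Axon Service (AxonService) - Unknown owner - C:\Program Files\NCH Swift Sound\Axon\axon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HijackThis line starts with a section code such as R0, O4 or O23.
LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
# Autostart location a reviewer checks first: an executable launched from
# inside a user profile rather than Program Files or the Windows directory.
USER_PROFILE_RE = re.compile(r"^c:\\documents and settings\\", re.IGNORECASE)
# Used to cut command-line arguments off an unquoted O4 path.
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|com|scr|bat|cmd))", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    code: str      # HijackThis section code, e.g. O4
    reason: str    # why the line deserves a manual look
    line: str      # the original log line


def extract_path(code: str, body: str) -> str:
    """Pull the file path (or the "(no file)" marker) out of a line body."""
    if code == "O4":
        # O4 - HKLM\..\Run: [name] "path" args   or   [name] path args
        rest = body.split("] ", 1)[1] if "] " in body else body
        if rest.startswith('"'):
            return rest[1:].split('"', 1)[0]
        m = EXE_RE.match(rest)
        return m.group(1) if m else rest.strip()
    # O2/O3/O9/O23/R3: the path (or "(no file)") is the last " - " field
    return body.rsplit(" - ", 1)[-1].strip()


def triage(log_text: str) -> list[Finding]:
    """Apply review heuristics to every parsable line and collect findings.

    These are prompts for manual review, not verdicts: the user-profile rule
    also fires on legitimate per-user updaters such as GoogleUpdate.
    """
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines, headers, "End of file" trailer
        code, body = m.group("code"), m.group("body")
        path = extract_path(code, body)
        if path == "(no file)":
            findings.append(Finding(code, "orphaned entry: referenced file is missing", line))
        elif code == "O1":
            findings.append(Finding(code, "hosts file override: confirm the mapping is intended", line))
        elif code == "O23" and " - Unknown owner - " in body:
            findings.append(Finding(code, "service binary carries no publisher name", line))
        elif code == "O4" and USER_PROFILE_RE.match(path):
            findings.append(Finding(code, "autostart runs from a user profile directory", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:4} {f.reason}\n     {f.line}")
```

On the constructed sample this reports six lines: the two "(no file)" orphans, the hosts entry, the two HKCU autostarts under Documents and Settings, and the unsigned-looking Axon service, while the Synaptics and NVIDIA lines pass. The Google Update hit is the caveat worth remembering: the user-profile rule is a review prompt, and per-user updaters legitimately install there, so a flagged line still needs the publisher, file date and hash checked before anything is removed.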

Re: Need help removing malware

Hello.
Moving them to temp was probably a good idea; it should have disabled it.


  • Please download combofix from here, use the top links - combofix.exe
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    [image: RcAuto1]

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will see this next prompt, which asks if you want to continue the malware scan; select yes

    [image: Whatnext]

  • Allow ComboFix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

ComboFix Won't Execute

Thanks for the fast reply.

I downloaded and attempted to run ComboFix; however, it doesn't show. I see an hourglass for a few seconds, then nothing. The same thing happens when I try to run mbam-setup. I see them both in Task Mgr/Process list:

[image: TaskMgr-1]

Re: Need help removing malware

Hello.
Maybe the malware is stopping it.

Please download it from this mirror.
http://www.sendspace.com/file/wguo75


ComboFix - Log Dump Part 1

Success...here's the log dump:


ComboFix 08-11-26.03 - Kurt 2008-11-26 12:31:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1569 [GMT -5:00]
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kurt\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\_000003_.tmp.dll
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\_000012_.tmp.dll
c:\windows\system32\_000019_.tmp.dll
c:\windows\system32\drivers\TDSSmxjt.sys
c:\windows\system32\msvcsv60.dll
c:\windows\system32\TDSSarxx.dll
c:\windows\system32\TDSSdxcp.dll
c:\windows\system32\TDSSkkai.log
c:\windows\system32\TDSSmtye.dat
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnvuo.dll
c:\windows\system32\TDSSottt.dll
c:\windows\system32\TDSSsahc.dll
c:\windows\system32\TDSSvoqm.dll
c:\windows\system32\TDSSxhyf.log
C:\xcrashdump.dat
E:\Autorun.inf

c:\windows\system32\winlogon.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
.

2008-11-25 22:46 . 2008-11-25 22:46 80,384 --a------ c:\documents and settings\Kurt\nah_tvmn.exe
2008-11-25 07:44 . 2008-11-25 07:44 d-------- c:\program files\TortoiseSVN
2008-11-25 07:44 . 2008-11-25 07:44 d-------- c:\program files\Common Files\TortoiseOverlays
2008-11-18 16:09 . 2008-11-18 16:09 d-------- c:\documents and settings\Kurt\Application Data\Vusion
2008-11-09 11:38 . 2008-11-09 11:38 d-------- c:\program files\Common Files\Adobe AIR
2008-10-29 12:49 . 2004-04-13 13:48 233,472 --a------ c:\windows\system32\REX Shared Library.dll
2008-10-29 12:47 . 2008-10-29 12:50 d-------- c:\documents and settings\All Users\Application Data\Cakewalk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 06:19 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Avtec,_Inc
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Avtec, Inc
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Apple Computer
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Ahead
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\AdobeUM
2008-11-26 03:46 502,272 ----a-w c:\windows\system32\winlogon.exe
2008-11-26 03:46 295,424 ----a-w c:\windows\system32\termsrv.dll
2008-11-26 00:33 5,157,888 ----a-w c:\windows\system32\drivers\vrcore.sys
2008-11-25 13:22 --------- d-----w c:\documents and settings\Kurt\Application Data\TortoiseSVN
2008-11-19 13:18 --------- d-----w c:\program files\Google
2008-11-14 20:44 --------- d-----w c:\program files\Avtec, Inc
2008-11-08 23:07 --------- d-----w c:\documents and settings\Kurt\Application Data\Cakewalk
2008-10-30 11:25 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-29 18:18 --------- d-----w c:\program files\Cakewalk
2008-10-21 23:32 --------- d-----w c:\program files\Activision
2008-10-18 20:16 --------- d-----w c:\program files\Lexicon
2008-10-10 18:44 --------- d-----w c:\program files\Apple Software Update
2008-10-10 18:40 --------- d-----w c:\program files\iTunes
2008-10-10 18:40 --------- d-----w c:\program files\iPod
2008-10-10 18:40 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-10 18:39 --------- d-----w c:\program files\Bonjour
2008-10-10 18:38 --------- d-----w c:\program files\QuickTime
2008-10-02 19:57 --------- d-----w c:\program files\Common Files\Aladdin Shared
2008-10-02 19:54 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-08-29 14:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 13:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-08-01 23:38 22,328 ------w c:\documents and settings\Kurt\Application Data\PnkBstrK.sys
2006-10-03 06:43 2,402,550 ----a-w c:\windows\inf\SET328.tmp
2004-08-04 21:00 1,431,144 ----a-w c:\windows\inf\SET39B.tmp
.

------- Sigcheck -------

2008-11-25 22:46 502272 9b1bd82bd0761b5ba986af66d2809c30 c:\windows\system32\winlogon.exe

2008-11-25 22:46 295424 40ffc19a8d4875e9e19cecdc76ef9201 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\Kurt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]
"nah_Shell"="c:\documents and settings\Kurt\nah_tvmn.exe" [2008-11-25 80384]

Re: Need help removing malware

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Console Monitor"="c:\program files\Avtec" [X]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-09-27 7585792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-09-27 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-06 202032]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-07-13 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"Vrmon"="c:\program files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe" [2005-06-27 249916]
"VrSchedule"="c:\program files\PCSecurityShield\ShieldAntivirus\Vrres.exe" [2004-03-11 266304]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-11-26 1349120]
"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 5.0\SetHook.exe" [2005-10-27 53248]
"openvpn-gui"="c:\program files\OpenVPN\bin\openvpn-gui.exe" [2005-08-18 99328]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-05 185896]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"nwiz"="nwiz.exe" [2006-09-27 c:\windows\system32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2004-08-04 c:\windows\system32\mqrt.dll]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 c:\windows\system32\CHDAudPropShortcut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

c:\documents and settings\Kurt\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-12 581693]
Qshelf.lnk - c:\program files\Microsoft Reference\Bookshelf 98\qshelf98.exe [2006-12-10 123904]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2006-12-23 77824]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-08-26 05:37 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll schannel.dll digest.dll msnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\My Projects\\Avtec\\Visual Studio 2005\\Newport\\Avtec SVN Repository\\FrontEndApps\\bin\\Debug\\BusinessService.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Avtec, Inc\\Scout\\BusinessService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Avtec, Inc\\VPGate\\Endpoints\\NXU2.exe"=
"c:\\Documents and Settings\\Kurt\\Application Data\\Vusion\\WARPVideoStreamer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8000:UDP"= 8000:UDP:Express Talk RTP Incoming Audio (UDP)
"8001:UDP"= 8001:UDP:Express Talk RTP Incoming Audio (UDP)
"8002:UDP"= 8002:UDP:Express Talk RTP Incoming Audio (UDP)
"8003:UDP"= 8003:UDP:Express Talk RTP Incoming Audio (UDP)
"8004:UDP"= 8004:UDP:Express Talk RTP Incoming Audio (UDP)
"8005:UDP"= 8005:UDP:Express Talk RTP Incoming Audio (UDP)
"8006:UDP"= 8006:UDP:Express Talk RTP Incoming Audio (UDP)
"8007:UDP"= 8007:UDP:Express Talk RTP Incoming Audio (UDP)
"8008:UDP"= 8008:UDP:Express Talk RTP Incoming Audio (UDP)
"8009:UDP"= 8009:UDP:Express Talk RTP Incoming Audio (UDP)
"5070:UDP"= 5070:UDP:Express Talk Sip Incoming Calls (UDP)
"5060:UDP"= 5060:UDP:Axon Sip Incoming Calls (UDP)
"81:TCP"= 81:TCP:Axon Web Server
"1947:TCP"= 1947:TCP:HASP SRM
"1947:UDP"= 1947:UDP:HASP SRM

R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys [2007-04-20 13184]
R2 aksfridge;HASP Fridge;c:\windows\system32\DRIVERS\aksfridge.sys [2008-10-02 350720]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run []
R2 TwDrvService;MT7 Serial Search Service;c:\program files\MicroTouch\MT7\TwService.exe /Service [2007-02-22 36864]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-04-02 24652]
R2 XobniService;XobniService;"c:\program files\Xobni\XobniService.exe" [2008-05-05 33280]
R3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\Drivers\5U870CAP.sys [2006-06-06 61952]
R3 L6DP;L6DP;c:\windows\system32\Drivers\l6dp.sys [2003-06-27 29312]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\DRIVERS\tap0801.sys [2006-10-01 26624]
R3 TwBus;MicroTouch Serial Bus Enumerator;c:\windows\system32\DRIVERS\TwBus.sys [2007-02-22 12240]
S3 akshhl;Aladdin HASP HL Key;c:\windows\system32\DRIVERS\akshhl.sys [2008-10-02 46336]
S3 Avtec VPGate;Avtec VPGate;c:\program files\Avtec, Inc\VPGate\VPGate.exe [2007-08-07 371200]
S3 AxonService;Axon Service;"c:\program files\NCH Swift Sound\Axon\axon.exe" -service [2008-07-10 438276]
S3 BusinessService.exe;Avtec Business Layer;c:\program files\Avtec, Inc\Scout\BusinessService.exe [2008-10-28 327680]
S3 CEUSBAUD;Lexicon USB MIDI Driver1;c:\windows\system32\Drivers\CEUSBAUD.sys [2003-11-01 17920]
S3 ConsoleMgrSvc.exe;Avtec Console Manager;c:\program files\Avtec, Inc\Scout\ConsoleMgrSvc.exe [2007-04-25 233472]
S3 ControlService.exe;Avtec Control Layer;c:\program files\Avtec, Inc\Scout\ControlService.exe [2008-10-28 225280]
S3 CPSSvc.exe;Avtec Centralized Project Storage;c:\program files\Avtec, Inc\CPS\CPSSvc.exe [2007-04-02 172032]
S3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\Drivers\FarDrive.sys [2004-05-19 142169]
S3 L6POD;L6 PODxt Service;c:\windows\system32\Drivers\L6POD.sys [2003-06-27 114048]
S3 MediaWkstnSvc.exe;Avtec Media Workstation 1900-316-42xx;c:\program files\Avtec, Inc\Scout\MediaWkstnSvc.exe [2007-04-25 126976]
S3 MSS;MSS Simulator;d:\my projects\Avtec\Visual Studio 2005\Newport\Avtec SVN Repository\FrontEndApps\bin\Debug\mss.exe [2007-03-15 69632]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S3 PDEXLOCK;Photodex Hardware Lock Driver;c:\windows\system32\Drivers\PDEXLOCK.sys [2006-12-14 12288]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\Drivers\tascusb2.sys [2008-05-10 360448]
S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [2008-05-10 18944]
S3 TASCAM_US144_WDM;TASCAM US-144 WDM;c:\windows\system32\drivers\tscusb2a.sys [2008-05-10 33792]
S3 TwTouch;MicroTouch touch screen;c:\windows\system32\DRIVERS\TwTouch.sys [2007-02-22 84945]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-26 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Kurt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 20:40]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-HPsetm - c:\documents and settings\Kurt\Application Data\Google\ijdkq13324484.exe



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-26 12:41:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???0???????g?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSmxjt.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1332)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2008-11-26 12:43:30
ComboFix-quarantined-files.txt 2008-11-26 17:42:56

Pre-Run: 11,383,189,504 bytes free
Post-Run: 11,718,623,232 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

288 --- E O F --- 2007-07-21 13:12:46
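The log above is long, and most of it is legitimate vendor software. What a responder actually scans for are a handful of patterns: Run-key entries that launch from a user profile rather than Program Files or Windows (nah_Shell, the orphaned HPsetm entry), entries whose target no longer exists ([X]), a drive letter with an AutoRun command under mountpoints2, and a service whose imagepath ComboFix lists separately in the registry section (TDSSserv.sys). The following script is an added example, not part of the original thread or of ComboFix: it applies those rules to a sample built from lines copied off this page. The rule names and the regular expressions are my own assumptions about the log format, not a published ComboFix grammar.

```python
"""Triage the registry loading-point sections of a ComboFix-style log.

Rules (assumed, not from ComboFix):
  run-from-user-profile  Run value whose path lives under Documents and Settings
  run-target-missing     Run value ComboFix marked [X] (target file absent)
  drive-autorun          \Shell\AutoRun\command under a mountpoints2 key
  orphan-autorun         'HKxx-Run-<name> - <path>' orphan lines
  service-imagepath      "imagepath" value printed under a Services key
"""
import re

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"(?:\s+\[(?P<meta>[^\]]*)\])?$')
ORPHAN_RE = re.compile(r"^(?P<key>HK\w+-Run-\S+) - (?P<path>.+)$")
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$", re.IGNORECASE)

USER_PROFILE = "\\documents and settings\\"


def triage(log_lines):
    """Return a list of (rule, subject, detail) findings in log order."""
    findings = []
    key = ""  # registry key currently being listed
    for raw in log_lines:
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            continue
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in key.lower():
            findings.append(("drive-autorun", key, m.group("cmd")))
            continue
        m = ORPHAN_RE.match(line)
        if m:
            findings.append(("orphan-autorun", m.group("key"), m.group("path")))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue  # dword values, firewall lists, service lines: not handled here
        name, value, meta = m.group("name"), m.group("value"), m.group("meta")
        low_key = key.lower()
        if "\\services\\" in low_key and name.lower() == "imagepath":
            findings.append(("service-imagepath", key, value))
        elif "\\currentversion\\run" in low_key:
            if meta == "X":
                findings.append(("run-target-missing", name, value))
            elif USER_PROFILE in value.lower():
                findings.append(("run-from-user-profile", name, value))
    return findings


# Constructed sample: lines copied from the log in this thread, nothing else.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\Kurt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]
"nah_Shell"="c:\documents and settings\Kurt\nah_tvmn.exe" [2008-11-25 80384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Console Monitor"="c:\program files\Avtec" [X]
"nwiz"="nwiz.exe" [2006-09-27 c:\windows\system32\nwiz.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

HKCU-Run-HPsetm - c:\documents and settings\Kurt\Application Data\Google\ijdkq13324484.exe

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSmxjt.sys"
""".splitlines()


if __name__ == "__main__":
    for rule, subject, detail in triage(SAMPLE_LOG):
        print(f"{rule:24} {subject} -> {detail}")
```

The user-profile rule deliberately also catches the legitimate Google Update entry: it is a triage filter that shortens the list to review, not a verdict, and a reviewer allowlists known updaters afterwards.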

Re: Need help removing malware

Hello.
Before we go any further, we need to replace a patched file, but we have to locate a clean copy.


  • Now open a new notepad file.
  • Input this into the notepad file:

    rem List every winlogon.exe under system32 (including ServicePackFiles and dllcache copies) with its size and timestamp
    For /F "TOKENS=*" %%g IN ('dir /s/a-d/b %windir%\system32\winlogon.exe') Do @echo "%%~g" %%~zg %%~tg >>report.txt 2>nul
    start notepad report.txt & exit


  • Save this as look.bat, save it to your desktop.
  • Double click look.bat to run it.
  • Copy and paste report.txt back here.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
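The look.bat above lists every winlogon.exe under system32 with its size and timestamp so the helper can spot a copy that does not match the others; the ComboFix Sigcheck section later in the thread adds an MD5 for the same purpose. The script below is an added example, not part of the original thread or of any of the tools used in it. It does the same job in Python: walk a tree for every copy of a named binary, record size, mtime and MD5, and flag copies whose hash differs from a reference copy such as the one in the I386 folder of the install media. The directory layout it builds in a temp folder is a constructed stand-in, not real Windows binaries. MD5 is used only because that is what Sigcheck printed on this page; it is fine for spotting a modified file but should not be relied on against an attacker who deliberately engineers a collision.

```python
"""Find every copy of a binary under a root, hash it, and compare each copy
against a known-clean reference hash (e.g. the copy on the install media)."""
import hashlib
import os
import tempfile
from datetime import datetime


def md5_of(path, chunk=1 << 16):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(root, name):
    """Equivalent of `dir /s /a-d /b <root>\\<name>`: one record per copy."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == name.lower():
                p = os.path.join(dirpath, fn)
                st = os.stat(p)
                records.append({
                    "path": p,
                    "size": st.st_size,
                    "mtime": datetime.fromtimestamp(st.st_mtime).strftime("%Y-%m-%d %H:%M"),
                    "md5": md5_of(p),
                })
    return records


def compare_to_reference(records, reference_md5):
    """Split records into (clean, suspect) by comparing against the reference hash."""
    clean = [r for r in records if r["md5"] == reference_md5]
    suspect = [r for r in records if r["md5"] != reference_md5]
    return clean, suspect


def demo():
    """Constructed sandbox (assumption, not real files): a clean copy on the
    'install media', a matching copy under ServicePackFiles, and a modified
    copy in system32, mirroring the situation described in the thread."""
    root = tempfile.mkdtemp()
    good = b"MZ" + b"\x00" * 100   # stand-in for a clean winlogon.exe image
    bad = good + b"PATCHED"        # stand-in for a patched copy
    layout = {
        os.path.join(root, "i386", "winlogon.exe"): good,
        os.path.join(root, "windows", "ServicePackFiles", "i386", "winlogon.exe"): good,
        os.path.join(root, "windows", "system32", "winlogon.exe"): bad,
    }
    for p, data in layout.items():
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    reference = md5_of(os.path.join(root, "i386", "winlogon.exe"))
    return compare_to_reference(find_copies(root, "winlogon.exe"), reference)


if __name__ == "__main__":
    clean, suspect = demo()
    for r in clean:
        print("OK     ", r["size"], r["mtime"], r["md5"], r["path"])
    for r in suspect:
        print("SUSPECT", r["size"], r["mtime"], r["md5"], r["path"])
```

On a real machine you would point find_copies at %windir% and take the reference hash from the install media or from a known-good machine at the same service-pack level; a size or timestamp that differs is a hint, but the hash is what decides.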

Re: Need help removing malware

"C:\WINDOWS\system32\winlogon.exe" 502272 11/25/2008 10:46 PM

Re: Need help removing malware

Darn.
Do you have your XP CD available?


Re: Need help removing malware

System Recovery DVD
Microsoft Windows XP Professional Service Pack 2
Discs 1 & 2

Never opened.

Re: Need help removing malware

Well we need to use them.

We need to use the MS windows XP SP2 CD.
Put the CD into your machine, and let me know what letter it uses.
Press Start and open My Computer, which letter does it use?


Re: Need help removing malware

Inserted disc 1. Logical drive F:
Contains the I386 folder.

Re: Need help removing malware

Okay, thank you.

Now open a new notepad file.
Input this into the notepad file:

Driver::
Viewpoint Manager Service

File::
c:\documents and settings\Kurt\nah_tvmn.exe

Folder::
c:\program files\Viewpoint

FCopy::
F:\i386\winlogon.exe | c:\windows\system32\winlogon.exe
F:\i386\termsrv.dll | c:\windows\system32\termsrv.dll

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nah_Shell"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll,schannel.dll,digest.dll,msnsspc.dll"
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv.sys]



Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt onto combofix.exe.

This will open combofix.exe again. Agree to its terms and allow it to run; it may want to reboot after it's done. Post the resulting log back here.


Re: Need help removing malware

Ran ComboFix again with CFScript. Had a BSOD while it was rebooting. Here's the ComboFix log dump:

ComboFix 08-11-26.03 - Kurt 2008-11-26 14:11:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1292 [GMT -5:00]
Running from: d:\downloads\c0mb0-fix.exe
Command switches used :: d:\downloads\CFscript.txt
* Created a new restore point
* Resident AV is active


FILE ::
c:\documents and settings\Kurt\nah_tvmn.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kurt\nah_tvmn.exe
c:\program files\Viewpoint
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\program files\Viewpoint\Common\VistaBoot.sdll
c:\program files\Viewpoint\Viewpoint Manager\CPtask.xml
c:\program files\Viewpoint\Viewpoint Manager\VETscriptInterpreter.dll
c:\program files\Viewpoint\Viewpoint Manager\ViewCP.cpl
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\s.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_header_av.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_header_cp.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_header_up.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_inner_bg.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_inner_bottom.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab_bg.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab1_off.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab1_on.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab2_off.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab2_on.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vwpt_logo.gif
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\options.ini
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\viewpoint.ico
c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\vmctrl.html
c:\program files\Viewpoint\Viewpoint Manager\ViewCPexe.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgrCore.dll
c:\program files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe
c:\program files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
c:\program files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
c:\program files\Viewpoint\Viewpoint Media Player\ComponentMgr_0305001C.dll
c:\program files\Viewpoint\Viewpoint Media Player\ComponentRegistry.ini
c:\program files\Viewpoint\Viewpoint Media Player\Components\AOLUserShell.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\Cursors.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\JpegReader.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\Mts3Reader.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\SceneComponent.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\SreeDMMX.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\SWFView.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\VMgr.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\VMPVideo.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\VMPVideo2.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\WaveletReader.dll
c:\program files\Viewpoint\Viewpoint Media Player\DownLoadHist.ini
c:\program files\Viewpoint\Viewpoint Media Player\HostRegistry.ini
c:\program files\Viewpoint\Viewpoint Media Player\MetaStreamConfig.ini
c:\program files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
c:\program files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.xpt

c:\windows\system32\winlogon.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
.

2008-11-25 07:44 . 2008-11-25 07:44 d-------- c:\program files\TortoiseSVN
2008-11-25 07:44 . 2008-11-25 07:44 d-------- c:\program files\Common Files\TortoiseOverlays
2008-11-18 16:09 . 2008-11-18 16:09 d-------- c:\documents and settings\Kurt\Application Data\Vusion
2008-11-09 11:38 . 2008-11-09 11:38 d-------- c:\program files\Common Files\Adobe AIR
2008-10-29 12:49 . 2004-04-13 13:48 233,472 --a------ c:\windows\system32\REX Shared Library.dll
2008-10-29 12:47 . 2008-10-29 12:50 d-------- c:\documents and settings\All Users\Application Data\Cakewalk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 06:19 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Avtec,_Inc
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Avtec, Inc
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Apple Computer
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Ahead
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\AdobeUM
2008-11-26 03:46 502,272 ----a-w c:\windows\system32\winlogon.exe
2008-11-26 03:46 295,424 ----a-w c:\windows\system32\termsrv.dll
2008-11-26 00:33 5,157,888 ----a-w c:\windows\system32\drivers\vrcore.sys
2008-11-25 13:22 --------- d-----w c:\documents and settings\Kurt\Application Data\TortoiseSVN
2008-11-19 13:18 --------- d-----w c:\program files\Google
2008-11-14 20:44 --------- d-----w c:\program files\Avtec, Inc
2008-11-08 23:07 --------- d-----w c:\documents and settings\Kurt\Application Data\Cakewalk
2008-10-30 11:25 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-29 18:18 --------- d-----w c:\program files\Cakewalk
2008-10-21 23:32 --------- d-----w c:\program files\Activision
2008-10-18 20:16 --------- d-----w c:\program files\Lexicon
2008-10-10 18:44 --------- d-----w c:\program files\Apple Software Update
2008-10-10 18:40 --------- d-----w c:\program files\iTunes
2008-10-10 18:40 --------- d-----w c:\program files\iPod
2008-10-10 18:40 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-10 18:39 --------- d-----w c:\program files\Bonjour
2008-10-10 18:38 --------- d-----w c:\program files\QuickTime
2008-10-02 19:57 --------- d-----w c:\program files\Common Files\Aladdin Shared
2008-10-02 19:54 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-08-29 14:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 13:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-08-01 23:38 22,328 ------w c:\documents and settings\Kurt\Application Data\PnkBstrK.sys
2006-10-03 06:43 2,402,550 ----a-w c:\windows\inf\SET328.tmp
2004-08-04 21:00 1,431,144 ----a-w c:\windows\inf\SET39B.tmp
.

------- Sigcheck -------

2008-11-25 22:46 502272 9b1bd82bd0761b5ba986af66d2809c30 c:\windows\system32\winlogon.exe

2008-11-25 22:46 295424 40ffc19a8d4875e9e19cecdc76ef9201 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((( snapshot@2008-11-26_12.42.26.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2008-11-26 17:29:51 17,290 ----a-w c:\windows\system32\tablet.dat
+ 2008-11-26 19:29:37 17,290 ----a-w c:\windows\system32\tablet.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\Kurt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]

Re: Need help removing malware

ComboFix log dump continued....


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Console Monitor"="c:\program files\Avtec" [X]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-09-27 7585792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-09-27 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-06 202032]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-07-13 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"Vrmon"="c:\program files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe" [2005-06-27 249916]
"VrSchedule"="c:\program files\PCSecurityShield\ShieldAntivirus\Vrres.exe" [2004-03-11 266304]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-11-26 1349120]
"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 5.0\SetHook.exe" [2005-10-27 53248]
"openvpn-gui"="c:\program files\OpenVPN\bin\openvpn-gui.exe" [2005-08-18 99328]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-05 185896]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"nwiz"="nwiz.exe" [2006-09-27 c:\windows\system32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2004-08-04 c:\windows\system32\mqrt.dll]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 c:\windows\system32\CHDAudPropShortcut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

c:\documents and settings\Kurt\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-12 581693]
Qshelf.lnk - c:\program files\Microsoft Reference\Bookshelf 98\qshelf98.exe [2006-12-10 123904]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2006-12-23 77824]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-08-26 05:37 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\My Projects\\Avtec\\Visual Studio 2005\\Newport\\Avtec SVN Repository\\FrontEndApps\\bin\\Debug\\BusinessService.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Avtec, Inc\\Scout\\BusinessService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Avtec, Inc\\VPGate\\Endpoints\\NXU2.exe"=
"c:\\Documents and Settings\\Kurt\\Application Data\\Vusion\\WARPVideoStreamer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8000:UDP"= 8000:UDP:Express Talk RTP Incoming Audio (UDP)
"8001:UDP"= 8001:UDP:Express Talk RTP Incoming Audio (UDP)
"8002:UDP"= 8002:UDP:Express Talk RTP Incoming Audio (UDP)
"8003:UDP"= 8003:UDP:Express Talk RTP Incoming Audio (UDP)
"8004:UDP"= 8004:UDP:Express Talk RTP Incoming Audio (UDP)
"8005:UDP"= 8005:UDP:Express Talk RTP Incoming Audio (UDP)
"8006:UDP"= 8006:UDP:Express Talk RTP Incoming Audio (UDP)
"8007:UDP"= 8007:UDP:Express Talk RTP Incoming Audio (UDP)
"8008:UDP"= 8008:UDP:Express Talk RTP Incoming Audio (UDP)
"8009:UDP"= 8009:UDP:Express Talk RTP Incoming Audio (UDP)
"5070:UDP"= 5070:UDP:Express Talk Sip Incoming Calls (UDP)
"5060:UDP"= 5060:UDP:Axon Sip Incoming Calls (UDP)
"81:TCP"= 81:TCP:Axon Web Server
"1947:TCP"= 1947:TCP:HASP SRM
"1947:UDP"= 1947:UDP:HASP SRM

R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys [2007-04-20 13184]
R2 aksfridge;HASP Fridge;c:\windows\system32\DRIVERS\aksfridge.sys [2008-10-02 350720]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run []
R2 TwDrvService;MT7 Serial Search Service;c:\program files\MicroTouch\MT7\TwService.exe /Service [2007-02-22 36864]
R2 XobniService;XobniService;"c:\program files\Xobni\XobniService.exe" [2008-05-05 33280]
R3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\Drivers\5U870CAP.sys [2006-06-06 61952]
R3 L6DP;L6DP;c:\windows\system32\Drivers\l6dp.sys [2003-06-27 29312]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\DRIVERS\tap0801.sys [2006-10-01 26624]
R3 TwBus;MicroTouch Serial Bus Enumerator;c:\windows\system32\DRIVERS\TwBus.sys [2007-02-22 12240]
S3 akshhl;Aladdin HASP HL Key;c:\windows\system32\DRIVERS\akshhl.sys [2008-10-02 46336]
S3 Avtec VPGate;Avtec VPGate;c:\program files\Avtec, Inc\VPGate\VPGate.exe [2007-08-07 371200]
S3 AxonService;Axon Service;"c:\program files\NCH Swift Sound\Axon\axon.exe" -service [2008-07-10 438276]
S3 BusinessService.exe;Avtec Business Layer;c:\program files\Avtec, Inc\Scout\BusinessService.exe [2008-10-28 327680]
S3 CEUSBAUD;Lexicon USB MIDI Driver1;c:\windows\system32\Drivers\CEUSBAUD.sys [2003-11-01 17920]
S3 ConsoleMgrSvc.exe;Avtec Console Manager;c:\program files\Avtec, Inc\Scout\ConsoleMgrSvc.exe [2007-04-25 233472]
S3 ControlService.exe;Avtec Control Layer;c:\program files\Avtec, Inc\Scout\ControlService.exe [2008-10-28 225280]
S3 CPSSvc.exe;Avtec Centralized Project Storage;c:\program files\Avtec, Inc\CPS\CPSSvc.exe [2007-04-02 172032]
S3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\Drivers\FarDrive.sys [2004-05-19 142169]
S3 L6POD;L6 PODxt Service;c:\windows\system32\Drivers\L6POD.sys [2003-06-27 114048]
S3 MediaWkstnSvc.exe;Avtec Media Workstation 1900-316-42xx;c:\program files\Avtec, Inc\Scout\MediaWkstnSvc.exe [2007-04-25 126976]
S3 MSS;MSS Simulator;d:\my projects\Avtec\Visual Studio 2005\Newport\Avtec SVN Repository\FrontEndApps\bin\Debug\mss.exe [2007-03-15 69632]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S3 PDEXLOCK;Photodex Hardware Lock Driver;c:\windows\system32\Drivers\PDEXLOCK.sys [2006-12-14 12288]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\Drivers\tascusb2.sys [2008-05-10 360448]
S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [2008-05-10 18944]
S3 TASCAM_US144_WDM;TASCAM US-144 WDM;c:\windows\system32\drivers\tscusb2a.sys [2008-05-10 33792]
S3 TwTouch;MicroTouch touch screen;c:\windows\system32\DRIVERS\TwTouch.sys [2007-02-22 84945]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]
.
Contents of the 'Scheduled Tasks' folder

2008-11-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-26 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Kurt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 20:40]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-26 14:30:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???Pd??????g?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1324)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\windows\system32\msdtc.exe
c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Avtec, Inc\CPS\FileZilla Server\FileZilla server.exe
c:\windows\system32\hasplms.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Photodex\ProShowProducer\scsiaccess.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\Tablet.exe
c:\program files\MicroTouch\MT7\TwService.exe
c:\program files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\mqsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\Avtec, Inc\Scout\ConsoleMonitor.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
.
**************************************************************************
.
Completion time: 2008-11-26 14:38:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-26 19:38:56

Pre-Run: 11,632,496,640 bytes free
Post-Run: 11,468,439,552 bytes free

337 --- E O F --- 2007-07-21 13:12:46

Re: Need help removing malware

Was the XP SP2 CD in when you ran the CFScript?
It still says winlogon is infected.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Need help removing malware

Yeah I saw that. The CD was in - I only popped it out during the reboot and then popped it back in. Can I manually copy winlogon.exe and termsrv.dll over to my system32 folder, or should I try running ComboFix again?

Re: Need help removing malware

Please download a clean copy of them from here.
http://www.sendspace.com/file/7lyd7f

Unzip them to your desktop and run this bat script.
Please make sure they are on your desktop, or this will fail.


  • Now open a new notepad file.
  • Input this into the notepad file:

    @echo off
    REM Paths under "Documents and Settings" contain spaces, so they must be
    REM quoted or copy will split them into separate arguments and fail.
    copy /y "c:\documents and settings\Kurt\Desktop\winlogon.exe" "C:\windows\system32\winlogon.exe"
    copy /y "c:\documents and settings\Kurt\Desktop\termsrv.dll" "C:\windows\system32\termsrv.dll"
    REM The script removes itself; it runs from the desktop where it was saved.
    del Copy.bat
    exit


  • Save this as Copy.bat, save it to your desktop.
  • Double click Copy.bat to run it.


Re: Need help removing malware

Ok, done.

Re: Need help removing malware

Good.
Please re-run combofix now.


Re: Need help removing malware

ComboFix 08-11-26.03 - Kurt 2008-11-26 15:24:01.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1438 [GMT -5:00]
Running from: c:\documents and settings\Kurt\Desktop\c0mb0-fix.exe
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\winlogon.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
.

2008-11-25 07:44 . 2008-11-25 07:44 d-------- c:\program files\TortoiseSVN
2008-11-25 07:44 . 2008-11-25 07:44 d-------- c:\program files\Common Files\TortoiseOverlays
2008-11-18 16:09 . 2008-11-18 16:09 d-------- c:\documents and settings\Kurt\Application Data\Vusion
2008-11-09 11:38 . 2008-11-09 11:38 d-------- c:\program files\Common Files\Adobe AIR
2008-10-29 12:49 . 2004-04-13 13:48 233,472 --a------ c:\windows\system32\REX Shared Library.dll
2008-10-29 12:47 . 2008-10-29 12:50 d-------- c:\documents and settings\All Users\Application Data\Cakewalk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 06:19 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Avtec,_Inc
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Avtec, Inc
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Apple Computer
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Ahead
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\AdobeUM
2008-11-26 03:46 502,272 ----a-w c:\windows\system32\winlogon.exe
2008-11-26 03:46 295,424 ----a-w c:\windows\system32\termsrv.dll
2008-11-26 00:33 5,157,888 ----a-w c:\windows\system32\drivers\vrcore.sys
2008-11-25 13:22 --------- d-----w c:\documents and settings\Kurt\Application Data\TortoiseSVN
2008-11-19 13:18 --------- d-----w c:\program files\Google
2008-11-14 20:44 --------- d-----w c:\program files\Avtec, Inc
2008-11-08 23:07 --------- d-----w c:\documents and settings\Kurt\Application Data\Cakewalk
2008-10-30 11:25 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-29 18:18 --------- d-----w c:\program files\Cakewalk
2008-10-21 23:32 --------- d-----w c:\program files\Activision
2008-10-18 20:16 --------- d-----w c:\program files\Lexicon
2008-10-10 18:44 --------- d-----w c:\program files\Apple Software Update
2008-10-10 18:40 --------- d-----w c:\program files\iTunes
2008-10-10 18:40 --------- d-----w c:\program files\iPod
2008-10-10 18:40 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-10 18:39 --------- d-----w c:\program files\Bonjour
2008-10-10 18:38 --------- d-----w c:\program files\QuickTime
2008-10-02 19:57 --------- d-----w c:\program files\Common Files\Aladdin Shared
2008-10-02 19:54 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-08-29 14:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 13:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-08-01 23:38 22,328 ------w c:\documents and settings\Kurt\Application Data\PnkBstrK.sys
2006-10-03 06:43 2,402,550 ----a-w c:\windows\inf\SET328.tmp
2004-08-04 21:00 1,431,144 ----a-w c:\windows\inf\SET39B.tmp
.

------- Sigcheck -------

2008-11-25 22:46 502272 9b1bd82bd0761b5ba986af66d2809c30 c:\windows\system32\winlogon.exe

2008-11-25 22:46 295424 40ffc19a8d4875e9e19cecdc76ef9201 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((( snapshot@2008-11-26_12.42.26.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2008-11-26 17:29:51 17,290 ----a-w c:\windows\system32\tablet.dat
+ 2008-11-26 19:29:37 17,290 ----a-w c:\windows\system32\tablet.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\Kurt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]

Re: Need help removing malware

Part 2....

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Console Monitor"="c:\program files\Avtec" [X]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-09-27 7585792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-09-27 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-06 202032]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-07-13 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"Vrmon"="c:\program files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe" [2005-06-27 249916]
"VrSchedule"="c:\program files\PCSecurityShield\ShieldAntivirus\Vrres.exe" [2004-03-11 266304]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-11-26 1349120]
"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 5.0\SetHook.exe" [2005-10-27 53248]
"openvpn-gui"="c:\program files\OpenVPN\bin\openvpn-gui.exe" [2005-08-18 99328]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-05 185896]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"nwiz"="nwiz.exe" [2006-09-27 c:\windows\system32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2004-08-04 c:\windows\system32\mqrt.dll]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 c:\windows\system32\CHDAudPropShortcut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

c:\documents and settings\Kurt\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-12 581693]
Qshelf.lnk - c:\program files\Microsoft Reference\Bookshelf 98\qshelf98.exe [2006-12-10 123904]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2006-12-23 77824]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-08-26 05:37 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\My Projects\\Avtec\\Visual Studio 2005\\Newport\\Avtec SVN Repository\\FrontEndApps\\bin\\Debug\\BusinessService.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Avtec, Inc\\Scout\\BusinessService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Avtec, Inc\\VPGate\\Endpoints\\NXU2.exe"=
"c:\\Documents and Settings\\Kurt\\Application Data\\Vusion\\WARPVideoStreamer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8000:UDP"= 8000:UDP:Express Talk RTP Incoming Audio (UDP)
"8001:UDP"= 8001:UDP:Express Talk RTP Incoming Audio (UDP)
"8002:UDP"= 8002:UDP:Express Talk RTP Incoming Audio (UDP)
"8003:UDP"= 8003:UDP:Express Talk RTP Incoming Audio (UDP)
"8004:UDP"= 8004:UDP:Express Talk RTP Incoming Audio (UDP)
"8005:UDP"= 8005:UDP:Express Talk RTP Incoming Audio (UDP)
"8006:UDP"= 8006:UDP:Express Talk RTP Incoming Audio (UDP)
"8007:UDP"= 8007:UDP:Express Talk RTP Incoming Audio (UDP)
"8008:UDP"= 8008:UDP:Express Talk RTP Incoming Audio (UDP)
"8009:UDP"= 8009:UDP:Express Talk RTP Incoming Audio (UDP)
"5070:UDP"= 5070:UDP:Express Talk Sip Incoming Calls (UDP)
"5060:UDP"= 5060:UDP:Axon Sip Incoming Calls (UDP)
"81:TCP"= 81:TCP:Axon Web Server
"1947:TCP"= 1947:TCP:HASP SRM
"1947:UDP"= 1947:UDP:HASP SRM

R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys [2007-04-20 13184]
R2 aksfridge;HASP Fridge;c:\windows\system32\DRIVERS\aksfridge.sys [2008-10-02 350720]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run []
R2 TwDrvService;MT7 Serial Search Service;c:\program files\MicroTouch\MT7\TwService.exe /Service [2007-02-22 36864]
R2 XobniService;XobniService;"c:\program files\Xobni\XobniService.exe" [2008-05-05 33280]
R3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\Drivers\5U870CAP.sys [2006-06-06 61952]
R3 L6DP;L6DP;c:\windows\system32\Drivers\l6dp.sys [2003-06-27 29312]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\DRIVERS\tap0801.sys [2006-10-01 26624]
R3 TwBus;MicroTouch Serial Bus Enumerator;c:\windows\system32\DRIVERS\TwBus.sys [2007-02-22 12240]
S3 akshhl;Aladdin HASP HL Key;c:\windows\system32\DRIVERS\akshhl.sys [2008-10-02 46336]
S3 Avtec VPGate;Avtec VPGate;c:\program files\Avtec, Inc\VPGate\VPGate.exe [2007-08-07 371200]
S3 AxonService;Axon Service;"c:\program files\NCH Swift Sound\Axon\axon.exe" -service [2008-07-10 438276]
S3 BusinessService.exe;Avtec Business Layer;c:\program files\Avtec, Inc\Scout\BusinessService.exe [2008-10-28 327680]
S3 CEUSBAUD;Lexicon USB MIDI Driver1;c:\windows\system32\Drivers\CEUSBAUD.sys [2003-11-01 17920]
S3 ConsoleMgrSvc.exe;Avtec Console Manager;c:\program files\Avtec, Inc\Scout\ConsoleMgrSvc.exe [2007-04-25 233472]
S3 ControlService.exe;Avtec Control Layer;c:\program files\Avtec, Inc\Scout\ControlService.exe [2008-10-28 225280]
S3 CPSSvc.exe;Avtec Centralized Project Storage;c:\program files\Avtec, Inc\CPS\CPSSvc.exe [2007-04-02 172032]
S3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\Drivers\FarDrive.sys [2004-05-19 142169]
S3 L6POD;L6 PODxt Service;c:\windows\system32\Drivers\L6POD.sys [2003-06-27 114048]
S3 MediaWkstnSvc.exe;Avtec Media Workstation 1900-316-42xx;c:\program files\Avtec, Inc\Scout\MediaWkstnSvc.exe [2007-04-25 126976]
S3 MSS;MSS Simulator;d:\my projects\Avtec\Visual Studio 2005\Newport\Avtec SVN Repository\FrontEndApps\bin\Debug\mss.exe [2007-03-15 69632]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S3 PDEXLOCK;Photodex Hardware Lock Driver;c:\windows\system32\Drivers\PDEXLOCK.sys [2006-12-14 12288]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\Drivers\tascusb2.sys [2008-05-10 360448]
S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [2008-05-10 18944]
S3 TASCAM_US144_WDM;TASCAM US-144 WDM;c:\windows\system32\drivers\tscusb2a.sys [2008-05-10 33792]
S3 TwTouch;MicroTouch touch screen;c:\windows\system32\DRIVERS\TwTouch.sys [2007-02-22 84945]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]
.
Contents of the 'Scheduled Tasks' folder

2008-11-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-26 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Kurt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 20:40]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-26 15:28:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???Pd??????g?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1324)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2008-11-26 15:30:21
ComboFix-quarantined-files.txt 2008-11-26 20:29:45
ComboFix2.txt 2008-11-26 19:39:01

Pre-Run: 11,575,107,584 bytes free
Post-Run: 11,555,975,168 bytes free

249 --- E O F --- 2007-07-21 13:12:46
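
One way to check the "winlogon.exe . . . is infected!!" verdict independently is to compare the size and MD5 that the Sigcheck section of the ComboFix log reports against a clean copy of the file, such as the one in the install CD's i386 folder the thread copies from. This is an added example in Python, not part of the thread or of ComboFix; the log excerpt is constructed from the Sigcheck lines shown above, and REFERENCE_BYTES is a made-up stand-in for the bytes of a real clean copy.

```python
"""Cross-check ComboFix "Sigcheck" lines against a known-clean reference copy.

Added example, not part of the thread or of ComboFix. EXAMPLE_LOG is
constructed from the Sigcheck lines the thread's log shows; REFERENCE_BYTES
is a made-up stand-in for a clean winlogon.exe taken from the CD's i386 folder.
"""
import hashlib
import re
import sys

# A Sigcheck line reads: "<date> <time> <size> <md5> <path>"
SIGCHECK_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\d+) ([0-9a-fA-F]{32}) (.+)$"
)

# Constructed excerpt (the two hashes are the ones the thread's log reports).
EXAMPLE_LOG = r"""
.
------- Sigcheck -------

2008-11-25 22:46 502272 9b1bd82bd0761b5ba986af66d2809c30 c:\windows\system32\winlogon.exe

2008-11-25 22:46 295424 40ffc19a8d4875e9e19cecdc76ef9201 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((( snapshot@2008-11-26_12.42.26.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
"""

# Constructed stand-in for a clean reference file (not a real winlogon.exe).
REFERENCE_BYTES = b"MZ" + bytes(range(256)) * 4
_ref_md5 = hashlib.md5(REFERENCE_BYTES).hexdigest()

# A log whose Sigcheck entry was produced from REFERENCE_BYTES, i.e. the
# "file on disk is byte-identical to the clean copy" case.
EXAMPLE_LOG_CLEAN = (
    "------- Sigcheck -------\n\n"
    f"2008-11-25 22:46 {len(REFERENCE_BYTES)} {_ref_md5} c:\\windows\\system32\\winlogon.exe\n"
)


def parse_sigcheck(log_text):
    """Return {path (lowercased): (size, md5)} for each line of the Sigcheck section."""
    entries = {}
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("------- Sigcheck -------"):
            in_section = True
            continue
        if not in_section or line in ("", "."):
            continue
        if line.startswith("(((("):  # banner of the next ComboFix section
            break
        m = SIGCHECK_RE.match(line)
        if m:
            entries[m.group(5).lower()] = (int(m.group(3)), m.group(4).lower())
    return entries


def compare_to_reference(entry, reference_bytes):
    """Classify a (size, md5) pair against the bytes of a known-clean copy."""
    size, md5 = entry
    ref_md5 = hashlib.md5(reference_bytes).hexdigest()
    if size == len(reference_bytes) and md5 == ref_md5:
        return "identical"  # scanned file was byte-for-byte the clean copy
    if size == len(reference_bytes):
        return "same size, different content"  # contents changed, size kept
    return "different size and content"  # replaced, truncated or appended to


def check_log(log_text, path, reference_bytes):
    """Verdict for one path: 'not listed' or one of compare_to_reference()'s strings."""
    entry = parse_sigcheck(log_text).get(path.lower())
    if entry is None:
        return "not listed"
    return compare_to_reference(entry, reference_bytes)


if __name__ == "__main__":
    # Usage: sigcheck_compare.py <ComboFix log> <path as printed in the log> <clean copy>
    if len(sys.argv) != 4:
        sys.exit("usage: %s LOG PATH REFERENCE_FILE" % sys.argv[0])
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        log_text = fh.read()
    with open(sys.argv[3], "rb") as fh:
        reference = fh.read()
    print(check_log(log_text, sys.argv[2], reference))
```

If the CD stores the file compressed (winlogon.ex_), expand it with expand.exe before hashing. "identical" means the file matched the clean copy byte for byte at scan time, which supports the false-alert reading; a mismatch only says the file differs, not what changed.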

Re: Need help removing malware

Hmmmm.
I think this is either a false alert, or something is still active on your machine.

Let's try this manually.
Put your XP SP2 CD back in and access the i386 folder yourself.
Find a copy of winlogon.exe, right click it and select Copy.

Press Start > Open My computer.
Open the C drive.
Then open the Windows folder.
Then open the system32 folder.
Now right click anywhere and select Paste, select yes to the overwrite warning.

Please re-run combofix again.


Re: Need help removing malware

Getting an error on copy. This is immediately after a reboot, before running any programs (other than the startup services).

"Error Copying File or Folder

Cannot copy winlogon: It is being used by another person or program.
Close any programs that might be using the file and try again."

Re: Need help removing malware

Now open a new notepad file.
Input this into the notepad file:

FCopy::
F:\i386\winlogon.exe | c:\windows\system32\winlogon.exe
F:\i386\termsrv.dll | c:\windows\system32\termsrv.dll


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt onto combofix.exe.

This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.
====


Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning! Please do not select the "Show all" checkbox during the scan.

If you're having problems with running GMER.exe, try it in safe mode.
This tool works in safe mode. Other rootkit revealers don't.


Re: Need help removing malware

Ok, I ran Combofix again, feeding it CFscript to copy over the files. The dump is below (still showing infected).

I ran GMER in normal boot mode, but it would eventually exception out and not complete. It ran all the way through in Safe Mode but didn't spit out much in the output:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-26 17:30:06
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Fastfat \Fat InCDrec.SYS (InCD File System Recognizer/Ahead Software AG)

---- EOF - GMER 1.0.14 ----

Re: Need help removing malware

ComboFix 08-11-26.03 - Kurt 2008-11-26 16:22:20.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1416 [GMT -5:00]
Running from: c:\documents and settings\Kurt\Desktop\c0mb0-fix.exe
Command switches used :: c:\documents and settings\Kurt\Desktop\CFscript.txt
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\winlogon.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
.

2008-11-25 07:44 . 2008-11-25 07:44 d-------- c:\program files\TortoiseSVN
2008-11-25 07:44 . 2008-11-25 07:44 d-------- c:\program files\Common Files\TortoiseOverlays
2008-11-18 16:09 . 2008-11-18 16:09 d-------- c:\documents and settings\Kurt\Application Data\Vusion
2008-11-09 11:38 . 2008-11-09 11:38 d-------- c:\program files\Common Files\Adobe AIR
2008-10-29 12:49 . 2004-04-13 13:48 233,472 --a------ c:\windows\system32\REX Shared Library.dll
2008-10-29 12:47 . 2008-10-29 12:50 d-------- c:\documents and settings\All Users\Application Data\Cakewalk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 06:19 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Avtec,_Inc
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Avtec, Inc
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Apple Computer
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\Ahead
2008-11-26 03:50 --------- d-----w c:\documents and settings\Kurt\Application Data\AdobeUM
2008-11-26 03:46 502,272 ----a-w c:\windows\system32\winlogon.exe
2008-11-26 03:46 295,424 ----a-w c:\windows\system32\termsrv.dll
2008-11-26 00:33 5,157,888 ----a-w c:\windows\system32\drivers\vrcore.sys
2008-11-25 13:22 --------- d-----w c:\documents and settings\Kurt\Application Data\TortoiseSVN
2008-11-19 13:18 --------- d-----w c:\program files\Google
2008-11-14 20:44 --------- d-----w c:\program files\Avtec, Inc
2008-11-08 23:07 --------- d-----w c:\documents and settings\Kurt\Application Data\Cakewalk
2008-10-30 11:25 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-29 18:18 --------- d-----w c:\program files\Cakewalk
2008-10-21 23:32 --------- d-----w c:\program files\Activision
2008-10-18 20:16 --------- d-----w c:\program files\Lexicon
2008-10-10 18:44 --------- d-----w c:\program files\Apple Software Update
2008-10-10 18:40 --------- d-----w c:\program files\iTunes
2008-10-10 18:40 --------- d-----w c:\program files\iPod
2008-10-10 18:40 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-10 18:39 --------- d-----w c:\program files\Bonjour
2008-10-10 18:38 --------- d-----w c:\program files\QuickTime
2008-10-02 19:57 --------- d-----w c:\program files\Common Files\Aladdin Shared
2008-10-02 19:54 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-08-29 14:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 13:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-08-01 23:38 22,328 ------w c:\documents and settings\Kurt\Application Data\PnkBstrK.sys
2006-10-03 06:43 2,402,550 ----a-w c:\windows\inf\SET328.tmp
2004-08-04 21:00 1,431,144 ----a-w c:\windows\inf\SET39B.tmp
.

------- Sigcheck -------

2008-11-25 22:46 502272 9b1bd82bd0761b5ba986af66d2809c30 c:\windows\system32\winlogon.exe

2008-11-25 22:46 295424 40ffc19a8d4875e9e19cecdc76ef9201 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((( snapshot@2008-11-26_12.42.26.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2008-11-26 17:29:51 17,290 ----a-w c:\windows\system32\tablet.dat
+ 2008-11-26 21:15:20 17,290 ----a-w c:\windows\system32\tablet.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

Re: Need help removing malware

Continued....


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\Kurt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Console Monitor"="c:\program files\Avtec" [X]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-09-27 7585792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-09-27 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-06 202032]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-07-13 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"Vrmon"="c:\program files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe" [2005-06-27 249916]
"VrSchedule"="c:\program files\PCSecurityShield\ShieldAntivirus\Vrres.exe" [2004-03-11 266304]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-11-26 1349120]
"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 5.0\SetHook.exe" [2005-10-27 53248]
"openvpn-gui"="c:\program files\OpenVPN\bin\openvpn-gui.exe" [2005-08-18 99328]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-05 185896]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"nwiz"="nwiz.exe" [2006-09-27 c:\windows\system32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2004-08-04 c:\windows\system32\mqrt.dll]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 c:\windows\system32\CHDAudPropShortcut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

c:\documents and settings\Kurt\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-12 581693]
Qshelf.lnk - c:\program files\Microsoft Reference\Bookshelf 98\qshelf98.exe [2006-12-10 123904]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2006-12-23 77824]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-08-26 05:37 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\My Projects\\Avtec\\Visual Studio 2005\\Newport\\Avtec SVN Repository\\FrontEndApps\\bin\\Debug\\BusinessService.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Avtec, Inc\\Scout\\BusinessService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Avtec, Inc\\VPGate\\Endpoints\\NXU2.exe"=
"c:\\Documents and Settings\\Kurt\\Application Data\\Vusion\\WARPVideoStreamer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8000:UDP"= 8000:UDP:Express Talk RTP Incoming Audio (UDP)
"8001:UDP"= 8001:UDP:Express Talk RTP Incoming Audio (UDP)
"8002:UDP"= 8002:UDP:Express Talk RTP Incoming Audio (UDP)
"8003:UDP"= 8003:UDP:Express Talk RTP Incoming Audio (UDP)
"8004:UDP"= 8004:UDP:Express Talk RTP Incoming Audio (UDP)
"8005:UDP"= 8005:UDP:Express Talk RTP Incoming Audio (UDP)
"8006:UDP"= 8006:UDP:Express Talk RTP Incoming Audio (UDP)
"8007:UDP"= 8007:UDP:Express Talk RTP Incoming Audio (UDP)
"8008:UDP"= 8008:UDP:Express Talk RTP Incoming Audio (UDP)
"8009:UDP"= 8009:UDP:Express Talk RTP Incoming Audio (UDP)
"5070:UDP"= 5070:UDP:Express Talk Sip Incoming Calls (UDP)
"5060:UDP"= 5060:UDP:Axon Sip Incoming Calls (UDP)
"81:TCP"= 81:TCP:Axon Web Server
"1947:TCP"= 1947:TCP:HASP SRM
"1947:UDP"= 1947:UDP:HASP SRM

R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys [2007-04-20 13184]
R2 aksfridge;HASP Fridge;c:\windows\system32\DRIVERS\aksfridge.sys [2008-10-02 350720]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run []
R2 TwDrvService;MT7 Serial Search Service;c:\program files\MicroTouch\MT7\TwService.exe /Service [2007-02-22 36864]
R2 XobniService;XobniService;"c:\program files\Xobni\XobniService.exe" [2008-05-05 33280]
R3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\Drivers\5U870CAP.sys [2006-06-06 61952]
R3 L6DP;L6DP;c:\windows\system32\Drivers\l6dp.sys [2003-06-27 29312]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\DRIVERS\tap0801.sys [2006-10-01 26624]
R3 TwBus;MicroTouch Serial Bus Enumerator;c:\windows\system32\DRIVERS\TwBus.sys [2007-02-22 12240]
S3 akshhl;Aladdin HASP HL Key;c:\windows\system32\DRIVERS\akshhl.sys [2008-10-02 46336]
S3 Avtec VPGate;Avtec VPGate;c:\program files\Avtec, Inc\VPGate\VPGate.exe [2007-08-07 371200]
S3 AxonService;Axon Service;"c:\program files\NCH Swift Sound\Axon\axon.exe" -service [2008-07-10 438276]
S3 BusinessService.exe;Avtec Business Layer;c:\program files\Avtec, Inc\Scout\BusinessService.exe [2008-10-28 327680]
S3 CEUSBAUD;Lexicon USB MIDI Driver1;c:\windows\system32\Drivers\CEUSBAUD.sys [2003-11-01 17920]
S3 ConsoleMgrSvc.exe;Avtec Console Manager;c:\program files\Avtec, Inc\Scout\ConsoleMgrSvc.exe [2007-04-25 233472]
S3 ControlService.exe;Avtec Control Layer;c:\program files\Avtec, Inc\Scout\ControlService.exe [2008-10-28 225280]
S3 CPSSvc.exe;Avtec Centralized Project Storage;c:\program files\Avtec, Inc\CPS\CPSSvc.exe [2007-04-02 172032]
S3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\Drivers\FarDrive.sys [2004-05-19 142169]
S3 L6POD;L6 PODxt Service;c:\windows\system32\Drivers\L6POD.sys [2003-06-27 114048]
S3 MediaWkstnSvc.exe;Avtec Media Workstation 1900-316-42xx;c:\program files\Avtec, Inc\Scout\MediaWkstnSvc.exe [2007-04-25 126976]
S3 MSS;MSS Simulator;d:\my projects\Avtec\Visual Studio 2005\Newport\Avtec SVN Repository\FrontEndApps\bin\Debug\mss.exe [2007-03-15 69632]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S3 PDEXLOCK;Photodex Hardware Lock Driver;c:\windows\system32\Drivers\PDEXLOCK.sys [2006-12-14 12288]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\Drivers\tascusb2.sys [2008-05-10 360448]
S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [2008-05-10 18944]
S3 TASCAM_US144_WDM;TASCAM US-144 WDM;c:\windows\system32\drivers\tscusb2a.sys [2008-05-10 33792]
S3 TwTouch;MicroTouch touch screen;c:\windows\system32\DRIVERS\TwTouch.sys [2007-02-22 84945]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]
.
Contents of the 'Scheduled Tasks' folder

2008-11-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-26 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Kurt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 20:40]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-26 16:31:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???Pd??????g?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1320)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2008-11-26 16:33:25
ComboFix-quarantined-files.txt 2008-11-26 21:32:48
ComboFix2.txt 2008-11-26 20:30:23
ComboFix3.txt 2008-11-26 19:39:01

Pre-Run: 11,513,860,096 bytes free
Post-Run: 11,497,275,392 bytes free

252 --- E O F --- 2007-07-21 13:12:46

Re: Need help removing malware

Hello.
Does the machine seem okay?

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Need help removing malware

Yes, since the first ComboFix run it seems to be working normally, which is hard for me to believe as bad as it seemed. We'll see how it goes for awhile - hopefully it's scoured clean by now.

Belahzur, thanks so much for your help. You saved me a huge amount of time and aggravation. Really appreciate the help!

Re: Need help removing malware

Hello again.
I think I made a mistake before.

Put your XP SP2 CD back in the machine in normal mode.
Press Start > Run. When the run command opens, type this in the open field.
cmd
Press enter.

Then when the command prompt opens, type this in:
expand f:\i386\winlogon.ex_ c:\windows\system32\winlogon.exe
Press enter.
Now type this in:
expand f:\i386\termsrv.dl_ c:\windows\system32\termsrv.dll
Press enter.

Please re-run combofix again, I think it might not display the infected alert anymore.

Re: Need help removing malware

"Can't open input file: f:\i386\winlogon.ex_."

Looking at the i386 folder on the CD, it doesn't look like there are any compressed files. I do see the winlogon.exe and termsrv.dll files there.

If it's any help, there is the winlogon.exe in my C:\Windows\System32 folder, dated yesterday, 11/25/2008 10:46pm which is about the time I first noticed problems and suspected malware. There is also a winlogon.old file there dated 8/4/2004 4:00pm of the exact same size. Same with termsrv.dll.

Re: Need help removing malware

That's maybe where the alert is coming from.
Delete the .old files.

The real dll and exe are the proper size, we are both running XP SP2 so your files are the same as mine, so I think they aren't infected.
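The size comparison Belahzur makes by eye, and the expand step earlier in the thread, can be done in one script. This is an added example, not code from the thread or either poster: it locates each file in the CD's i386 folder, unpacking the cabinet-compressed .ex_/.dl_ form with expand.exe when that is what the CD holds (the user's CD turned out to hold plain copies), and compares size and MD5 against the live copy in System32, the same hash ComboFix's Sigcheck section reports. It assumes the CD is F: as in the expand commands above; $CdRoot and $SysDir are names chosen here.

```powershell
# Added example: compare live System32 files against the XP install CD copies.
# Assumptions: CD is F:, Windows is on the drive named by %SystemRoot%.
param(
    [string]$CdRoot = 'F:\i386',
    [string]$SysDir = "$env:SystemRoot\System32"
)

# MD5 of a file as lowercase hex, the form ComboFix's Sigcheck lines use.
function Get-Md5Hex([string]$Path) {
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $md5.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

# Path to an uncompressed copy of a CD file. The i386 folder holds either a
# plain copy (winlogon.exe) or a compressed one (winlogon.ex_); expand.exe,
# shipped with Windows, unpacks the latter into %TEMP%.
function Get-CdReference([string]$FileName) {
    $plain = Join-Path $CdRoot $FileName
    if (Test-Path $plain) { return $plain }
    $packed = Join-Path $CdRoot ($FileName.Substring(0, $FileName.Length - 1) + '_')
    if (-not (Test-Path $packed)) {
        throw "No copy of $FileName found in $CdRoot"
    }
    $out = Join-Path $env:TEMP $FileName
    & "$env:SystemRoot\System32\expand.exe" $packed $out | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "expand.exe failed for $packed" }
    return $out
}

# Size, MD5 and modification time of the live file next to the CD reference.
# A changed timestamp with an identical hash means the content is unchanged;
# a hash mismatch is not proof of infection on its own, because a hotfix may
# have replaced the file with a newer version than the SP2 CD carries.
function Compare-SystemFile([string]$FileName) {
    $live = Join-Path $SysDir $FileName
    $ref  = Get-CdReference $FileName
    $liveInfo = Get-Item $live
    $refInfo  = Get-Item $ref
    $liveHash = Get-Md5Hex $live
    $refHash  = Get-Md5Hex $ref
    New-Object PSObject -Property @{
        File         = $FileName
        Match        = ($liveHash -eq $refHash)
        LiveSize     = $liveInfo.Length
        CdSize       = $refInfo.Length
        LiveModified = $liveInfo.LastWriteTime
        LiveMD5      = $liveHash
        CdMD5        = $refHash
    }
}

# The two files ComboFix listed under Sigcheck in this thread.
'winlogon.exe', 'termsrv.dll' | ForEach-Object { Compare-SystemFile $_ } |
    Format-Table File, Match, LiveSize, CdSize, LiveModified, LiveMD5, CdMD5 -AutoSize
```

Run it from an elevated PowerShell prompt with the CD inserted; a leftover winlogon.old can be checked the same way by passing its name to Compare-SystemFile after copying the CD reference for winlogon.exe.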

Re: Need help removing malware

I deleted the .old files and ComboFix is still reporting winlogon.exe as infected. Everything seems to be running fine though - I think you're right that it's probably a false positive. Maybe just the file date change is why it's getting tagged.

Re: Need help removing malware

Okay, let me know if anything changes.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio or Outpost.
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Hopefully this should take care of your problems! Good luck.

Re: Need help removing malware

Belahzur, thanks again. I really appreciate your time and patience with this. Hopefully I won't be back to bug you.

You've been a tremendous help!

Re: Need help removing malware

A final bit of info - I noticed the following in the ComboFix log dumps:

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1320)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

Thinking that SAS is interfering with ComboFix accessing the winlogon.exe file, causing it to be tagged as infected - but it's a false positive. A few quick searches on the net reveal this is a common issue even with other anti-virus programs.

So I feel confident we're good. Solved?

Re: Need help removing malware

I think you're right, SAS has hooked itself into winlogon, probably to protect it.
But combofix detects this as malware.

If everything is still good for you, then yes.
I will add solved tags to the topic and leave it open for a few days in case you have any questions.

Re: Need help removing malware

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

............................................................................................

Please be a GeekPolice fan on Facebook!

Have we helped you? Help us! | Doctor by day, ninja by night.