TechSpot

I did the eight steps - My machine is still sick

By UThant
Apr 22, 2010
  1. Any assistance you can provide will be greatly appreciated. I have attached the last log as a zip attachment, as requested - and, as instructed, here are the rest of the logs. Thanks so much in advance for your help - Don Wozniak:

    Malwarebytes' Anti-Malware 1.45
    www.malwarebytes.org

    Database version: 4016

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 7.0.6002.18005

    4/21/2010 2:31:58 PM
    mbam-log-2010-04-21 (14-31-58).txt

    Scan type: Quick scan
    Objects scanned: 167837
    Time elapsed: 6 minute(s), 56 second(s)

    Memory Processes Infected: 2
    Memory Modules Infected: 1
    Registry Keys Infected: 2
    Registry Values Infected: 11
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 25

    Memory Processes Infected:
    C:\Windows\System32\PereSvc.exe (Trojan.Koblu) -> Unloaded process successfully.
    C:\Windows\System32\GroupPolicy\User\Scripts\Logon\winlogo.exe (Trojan.Agent) -> Unloaded process successfully.

    Memory Modules Infected:
    c:\Windows\System32\BtwSvc.dll (Trojan.Agent) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsvc (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\peresvc (Trojan.Koblu) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\buildw (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\firstinstallflag (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ulrn (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\update (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\updatenew (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mpe (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Windows\System32\BtwSvc.dll (Trojan.Agent) -> Delete on reboot.
    C:\Windows\System32\PereSvc.exe (Trojan.Koblu) -> Quarantined and deleted successfully.
    C:\Windows\System32\d.bin (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\Windows\System32\ms.bin (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Windows\System32\t1p0_207384498781.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\Windows\System32\t1p0_309242508519.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\Windows\System32\t1p0_579320685922.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\Windows\System32\t1p0_633867881587.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\Windows\System32\txpxr_175803499349.b1k (Backdoor.Refpron) -> Quarantined and deleted successfully.
    C:\Windows\System32\txpxr_19610067684.b1k (Trojan.Koblu) -> Quarantined and deleted successfully.
    C:\Windows\System32\txpxr_276471244028.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\Windows\System32\txpxr_44471318973.b1k (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Windows\System32\txpxr_56602683827.b1k (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Windows\System32\txpxr_606811425875.b1k (Trojan.Koblu) -> Quarantined and deleted successfully.
    C:\Windows\System32\txpxr_72918994244.b1k (Trojan.Koblu) -> Quarantined and deleted successfully.
    C:\Windows\System32\6641046.exe (Backdoor.Refpron) -> Quarantined and deleted successfully.
    C:\Windows\System32\7398493.exe (Backdoor.Refpron) -> Quarantined and deleted successfully.
    C:\Windows\System32\8077051.exe (Backdoor.Refpron) -> Quarantined and deleted successfully.
    C:\Windows\System32\9865229.exe (Backdoor.Refpron) -> Quarantined and deleted successfully.
    C:\Windows\System32\so.bin (Trojan.Koblu) -> Quarantined and deleted successfully.
    C:\Windows\System32\grouppolicy\User\Scripts\Logon\autorun.bat (Malware.Trace) -> Quarantined and deleted successfully.
    C:\Windows\System32\w.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\Windows\System32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\Windows\System32\config\systemprofile\Local Settings\Application Data\Windows Server\dgljlc.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Windows\System32\GroupPolicy\User\Scripts\Logon\winlogo.exe (Trojan.Agent) -> Quarantined and deleted successfully.


    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-04-21 15:29:35
    Windows 6.0.6002 Service Pack 2
    Running: 2fw223l7.exe; Driver: C:\Users\bjones\AppData\Local\Temp\ugtyqfog.sys


    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016419ce247
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016419ce247@0007617efc90 0x22 0x1A 0x36 0xE4 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016419ce247@001ccc948464 0xD7 0xD4 0x18 0xD5 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016419ce247@001dbe2a3741 0x82 0x63 0x1D 0x2D ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016419ce247@0007e095016f 0x5B 0xDF 0x2E 0x7C ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016419ce247@000761979534 0x86 0x69 0x34 0x56 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016419ce247 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016419ce247@0007617efc90 0x22 0x1A 0x36 0xE4 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016419ce247@001ccc948464 0xD7 0xD4 0x18 0xD5 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016419ce247@001dbe2a3741 0x82 0x63 0x1D 0x2D ...
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016419ce247@0007e095016f 0x5B 0xDF 0x2E 0x7C ...
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016419ce247@000761979534 0x86 0x69 0x34 0x56 ...

    ---- EOF - GMER 1.0.15 ----


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Bjones at 15:39:59.12 on Wed 04/21/2010
    Internet Explorer: 7.0.6002.18005
    Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.2045.1177 [GMT -4:00]

    AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Symantec Endpoint Protection *enabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k NetworkService
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\STacSV.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\System32\Rundll32.exe
    C:\Windows\system32\UI0Detect.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
    C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Pidgin\pidgin.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\UI0Detect.exe
    C:\Users\bjones\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
    mRun: [ScreenPrint32] c:\program files\screenprint32 v3\ScreenPrint32.exe -startup
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\pidgin.lnk - c:\program files\pidgin\pidgin.exe
    uPolicies-system: HideLogonScripts = 0 (0x0)
    uPolicies-system: HideLegacyLogonScripts = 1 (0x1)
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.6.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://visionsolutions.webex.com/client/T26L/webex/ieatgpc1.cab
    Handler: x-owacid - {0215258f-f0a8-49de-bf1b-0ff02eda8807} - c:\program files\microsoft\outlook web access smime client\mimectl.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    mASetup: {7070D8E0-650A-46b3-B03C-9497582E6A74} - %SystemRoot%\system32\soundschemes.exe /AddRegistration
    mASetup: {B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24} - %SystemRoot%\system32\soundschemes2.exe /AddRegistration

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\bjones\appdata\roaming\mozilla\firefox\profiles\ojfni43y.default\
    FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\nbc direct\npDirectPlayerMozilla.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

    ============= SERVICES / DRIVERS ===============

    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
    R2 BtwSvc;BtwSvc;c:\windows\system32\svchost.exe -k netsvcs [2008-6-5 21504]
    R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-9-11 2436536]
    R3 b57nd60x;%SvcDispName%;c:\windows\system32\drivers\b57nd60x.sys [2008-6-5 179712]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-1 102448]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-5 21504]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-22 18688]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-22 8320]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2006-12-13 20992]
    S3 PeerDistSvc;BranchCache;c:\windows\system32\svchost.exe -k PeerDist [2008-6-5 21504]
    S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2008-7-9 58240]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
    S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe --> c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe [?]
    S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-3 135664]
    S4 peresvc;peresvc Service;c:\windows\system32\PereSvc.exe [2006-11-2 65536]
    S4 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-4-15 1153368]

    =============== Created Last 30 ================

    2010-04-21 19:33:13 33280 ----a-w- c:\windows\system32\2261424.exe
    2010-04-21 19:33:03 170047 ----a-w- c:\windows\system32\7304041.exe
    2010-04-21 19:03:50 93056 ----a-w- C:\ugtyqfog.sys
    2010-04-21 18:43:48 33280 ----a-w- c:\windows\system32\364036.exe
    2010-04-21 18:43:36 92672 ----a-w- c:\windows\system32\w.exe
    2010-04-21 18:43:36 44544 ----a-w- c:\windows\system32\ms.bin
    2010-04-21 18:43:36 40960 ----a-w- c:\windows\system32\so.bin
    2010-04-21 18:43:36 36864 ----a-w- c:\windows\system32\d.bin
    2010-04-21 18:43:35 170047 ----a-w- c:\windows\system32\8119928.exe
    2010-04-21 18:42:23 142361531 ----a-w- c:\windows\MEMORY.DMP
    2010-04-21 18:37:19 33280 ----a-w- c:\windows\system32\2539286.exe
    2010-04-21 18:37:08 170047 ----a-w- c:\windows\system32\9225732.exe
    2010-04-21 18:34:43 0 ----a-w- c:\windows\system32\t1p0_197158136798.b1k
    2010-04-21 18:20:15 0 d-----w- c:\users\bjones\appdata\roaming\Malwarebytes
    2010-04-21 18:19:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-21 18:19:55 0 d-----w- c:\programdata\Malwarebytes
    2010-04-21 18:19:54 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-21 18:19:54 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-21 18:17:21 33280 ----a-w- c:\windows\system32\2249369.exe
    2010-04-21 16:49:02 33280 ----a-w- c:\windows\system32\3760755.exe
    2010-04-21 16:37:22 33280 ----a-w- c:\windows\system32\9612192.exe
    2010-04-21 16:17:16 0 d-sh--w- C:\$RECYCLE.BIN
    2010-04-21 16:03:08 33280 ----a-w- c:\windows\system32\3861155.exe
    2010-04-21 12:42:35 286720 ----a-w- c:\windows\PEV.exe
    2010-04-21 12:42:35 186880 ----a-w- c:\windows\SWREG.exe
    2010-04-21 12:42:35 123392 ----a-w- c:\windows\sed.exe
    2010-04-21 12:42:35 105984 ----a-w- c:\windows\MBR.exe
    2010-04-15 12:58:52 0 d-----w- c:\program files\Trend Micro

    ==================== Find3M ====================

    2010-04-21 18:34:28 6396 ----a-w- c:\windows\bthservsdp.dat
    2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
    2010-02-20 20:53:34 411648 ----a-w- c:\windows\system32\drivers\http.sys
    2010-02-04 12:56:21 51200 ----a-w- c:\windows\inf\infpub.dat
    2010-02-04 12:56:15 143360 ----a-w- c:\windows\inf\infstrng.dat
    2010-02-04 12:56:01 665600 ----a-w- c:\windows\inf\drvindex.dat
    2010-02-04 12:56:00 143360 ----a-w- c:\windows\inf\infstor.dat
    2010-01-25 12:00:35 471552 ----a-w- c:\windows\system32\secproc_isv.dll
    2010-01-25 12:00:35 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
    2010-01-25 12:00:35 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
    2010-01-25 12:00:22 471552 ----a-w- c:\windows\system32\secproc.dll
    2010-01-25 11:58:52 332288 ----a-w- c:\windows\system32\msdrm.dll
    2010-01-25 08:21:20 550912 ----a-w- c:\windows\system32\RMActivate_isv.exe
    2010-01-25 08:21:20 371200 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
    2010-01-25 08:21:18 542720 ----a-w- c:\windows\system32\RMActivate.exe
    2010-01-25 08:21:18 371712 ----a-w- c:\windows\system32\RMActivate_ssp.exe
    2010-01-23 09:26:13 2048 ----a-w- c:\windows\system32\tzres.dll
    2008-06-05 18:31:03 174 --sha-w- c:\program files\desktop.ini
    2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2007-02-21 19:50:45 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

    ============= FINISH: 15:42:52.04 ===============

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot, Don. I'll help with the malware.

    When you leave logs, they must be the complete logs. Neither GMER nor DDS is complete. DDS has another separate log.

    The preliminary programs we have you run are just that, preliminary, and we state that in the thread. Please describe what symptoms the 'sick' computer is having. The errors you are getting would appear to indicate that either the system is crashing or won't start up; it's important that you give us this information.

    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
    • [2]. Close any open browsers.
    • [3]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • [4]. If Combofix asks you to install Recovery Console, please allow it.
    • [5]. If Combofix asks you to update the program, always allow.
    • [6]. Close any open browsers and double click on combofix.exe & follow the prompts to run.
      NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in your next reply.

    Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix.


    Please include the full Combofix report and a description of the problem in your next reply.
  3. UThant

    UThant TS Rookie Topic Starter Posts: 55

    First Response to your response

    Hi, Bobbye, thanks for answering.
    As far as the gmer and dds not being complete logs, what I posted is what was produced by the programs. The second log from dds, the attach.txt, was zipped and attached to my initial post as several warnings in dds and in the attach.txt log itself advised me to do.
    I downloaded combofix using your link and attempted to run it. Here's what I got:
    !!ALERT!! It is not safe to continue!
    The contents of the Combofix package has been compromised. Please download a fresh copy from:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
    Note: You may be infected with a file patching virus 'Virut'

    I have not yet gone to get a fresh copy, but I have deleted the one I got from your link.

    As far as the symptoms of the machine illness:
    1. At startup, I now get a command window which is running a program called winlogo.exe (not winlogon, winlogo). I have never gotten this before.

    2. About every three minutes, I am notified by WinPatrol New Program Alert that it has detected a new startup program and asks me to approve it. The program path is C:\Windows\System32\userinit.exe and it references WinLogon/UserInit.

    3. Symantec Endpoint Antivirus updates are externally managed for all machines on the network. The virus defs on this machine will not update. They are stuck on the March 29, 2010 signatures. The network's current version is April 21, 2010.

    4. And, Windows update is externally managed by WSUS on the network. The Windows Updates refuse to download, much less install.

    Let me know if there's anything else you need to know.
    Don Wozniak
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Don, I'd like for you to check for Virut as follows:

    • Make sure to use Internet Explorer for this
    • Please go to VirSCAN.org FREE on-line scan service
    • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
      • c:\windows\system32\userinit.exe
    • Click on the Upload button
    • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.
    Also scan these:

    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe


    Virut is a Polymorphic File Infector that infects .exe, .scr, .rar, .zip, .htm, .html. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair, resulting in an inoperative machine. It opens a Backdoor by connecting to a predefined IRC Server and waits for commands from the remote attacker.

    If a Virut infection is confirmed, then I will recommend a reformat/reinstall and also give you more information on Virut. But let's check it out first.

    Please leave the log in your next reply.
  5. UThant

    UThant TS Rookie Topic Starter Posts: 55

    It doesn't look good to me

    Here's the clipboard from the first file scanned:
    VirSCAN.org Scanned Report :
    Scanned time : 2010/04/22 10:41:18 (EDT)
    Scanner results: 28% Scanner(s) (10/36) found malware!
    File Name : userinit.exe
    File Size : 49664 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 60bf581936c0825ecc81be7f3e513de4
    SHA1 : 65924eb47743664d0913354760212376814b5775
    Online report : http://virscan.org/report/8a0b8af898a5eff83e2c8d254ba128b4.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 4.5.0.8 20100422080127 2010-04-22 40.13 -
    AhnLab V3 2010.04.22.00 2010.04.22 2010-04-22 40.12 -
    AntiVir 8.2.1.220 7.10.6.173 2010-04-22 0.27 W32/Virut.Gen
    Antiy 2.0.18 20100422.4243894 2010-04-22 0.12 -
    Arcavir 2009 201004220442 2010-04-22 0.10 -
    Authentium 5.1.1 201004220045 2010-04-22 1.33 -
    AVAST! 4.7.4 100422-0 2010-04-22 0.01 Win32:Vitro
    AVG 8.5.720 271.1.1/2828 2010-04-22 1.24 -
    BitDefender 7.81008.5686488 7.31332 2010-04-22 3.62 Win32.Virtob.Gen.12
    ClamAV 0.95.3 10785 2010-04-22 0.02 -
    Comodo 3.13.579 4665 2010-04-22 40.12 -
    CP Secure 1.3.0.5 2010.04.20 2010-04-20 0.06 -
    Dr.Web 5.0.2.3300 2010.04.22 2010-04-22 6.65 Win32.Virut.56
    F-Prot 4.4.4.56 20100421 2010-04-21 1.31 -
    F-Secure 7.02.73807 2010.04.22.08 2010-04-22 0.88 Virus.Win32.Virut.ce [AVP]
    Fortinet 4.0.14 11.702 2010-04-15 40.12 -
    GData 21.7/21.3 20100422 2010-04-22 40.13 -
    ViRobot 20100421 2010.04.21 2010-04-21 40.12 -
    Ikarus T3.1.01.80 2010.04.22.75689 2010-04-22 5.86 -
    JiangMin 13.0.900 2010.04.22 2010-04-22 40.12 -
    Kaspersky 5.5.10 2010.04.22 2010-04-22 0.97 Virus.Win32.Virut.ce
    KingSoft 2009.2.5.15 2010.4.22.18 2010-04-22 40.13 -
    McAfee 5400.1158 5955 2010-04-18 0.02 -
    Microsoft 1.5703 2010.04.22 2010-04-22 40.12 -
    Norman 6.04.11 6.04.00 2010-04-21 4.01 -
    Panda 9.05.01 2010.04.21 2010-04-21 40.13 -
    Trend Micro 9.120-1004 7.120.04 2010-04-22 0.03 PE_VIRUX.R
    Quick Heal 10.00 2010.04.22 2010-04-22 40.13 -
    Rising 20.0 22.44.03.04 2010-04-22 40.13 -
    Sophos 3.06.0 4.52 2010-04-22 3.59 W32/Scribble-B
    Sunbelt 3.9.2418.2 6206 2010-04-21 40.12 -
    Symantec 1.3.0.24 20100421.002 2010-04-21 0.62 W32.Virut.CF
    nProtect 20100421.01 8037035 2010-04-21 40.13 -
    The Hacker 6.5.2.0 v00267 2010-04-22 14.68 -
    VBA32 3.12.12.4 20100422.0906 2010-04-22 3.18 -
    VirusBuster 4.5.11.10 10.124.24/2031552 2010-04-22 2.56 Win32.Virut.AB.Gen

    This is from explorer.exe:

    VirSCAN.org Scanned Report :
    Scanned time : 2010/04/22 10:58:51 (EDT)
    Scanner results: 31% Scanner(s) (11/36) found malware!
    File Name : explorer.exe
    File Size : 2951168 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 3b6af34f6b88ce1ba7190b77979660d5
    SHA1 : 60a9a81e6eb515c09b7321e39d4d4d89eb89bf23
    Online report : http://virscan.org/report/964773df748902b51cb1785bb3b7ca99.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 4.5.0.8 20100422080127 2010-04-22 33.34 -
    AhnLab V3 2010.04.22.00 2010.04.22 2010-04-22 40.13 -
    AntiVir 8.2.1.220 7.10.6.173 2010-04-22 0.27 W32/Virut.Gen
    Antiy 2.0.18 20100422.4243894 2010-04-22 0.12 -
    Arcavir 2009 201004220442 2010-04-22 0.15 -
    Authentium 5.1.1 201004220045 2010-04-22 1.44 -
    AVAST! 4.7.4 100422-0 2010-04-22 0.12 Win32:Vitro
    AVG 8.5.720 271.1.1/2828 2010-04-22 1.26 -
    BitDefender 7.81008.5686488 7.31332 2010-04-22 3.63 Win32.Virtob.Gen.12
    ClamAV 0.95.3 10785 2010-04-22 0.35 -
    Comodo 3.13.579 4665 2010-04-22 27.42 Virus.Win32.Virut.Ce
    CP Secure 1.3.0.5 2010.04.20 2010-04-20 0.48 -
    Dr.Web 5.0.2.3300 2010.04.22 2010-04-22 7.04 Win32.Virut.56
    F-Prot 4.4.4.56 20100421 2010-04-21 1.40 -
    F-Secure 7.02.73807 2010.04.22.08 2010-04-22 4.32 Virus.Win32.Virut.ce [AVP]
    Fortinet 4.0.14 11.702 2010-04-15 2.68 -
    GData 21.7/21.3 20100422 2010-04-22 40.22 -
    ViRobot 20100421 2010.04.21 2010-04-21 16.57 -
    Ikarus T3.1.01.80 2010.04.22.75689 2010-04-22 7.29 -
    JiangMin 13.0.900 2010.04.22 2010-04-22 40.15 -
    Kaspersky 5.5.10 2010.04.22 2010-04-22 0.15 Virus.Win32.Virut.ce
    KingSoft 2009.2.5.15 2010.4.22.18 2010-04-22 40.12 -
    McAfee 5400.1158 5955 2010-04-18 0.02 -
    Microsoft 1.5703 2010.04.22 2010-04-22 40.12 -
    Norman 6.04.11 6.04.00 2010-04-21 4.01 -
    Panda 9.05.01 2010.04.21 2010-04-21 40.13 -
    Trend Micro 9.120-1004 7.120.04 2010-04-22 0.03 PE_VIRUX.R
    Quick Heal 10.00 2010.04.22 2010-04-22 40.14 -
    Rising 20.0 22.44.03.04 2010-04-22 40.13 -
    Sophos 3.06.0 4.52 2010-04-22 3.60 W32/Scribble-B
    Sunbelt 3.9.2418.2 6206 2010-04-21 40.12 -
    Symantec 1.3.0.24 20100421.002 2010-04-21 0.52 W32.Virut.CF
    nProtect 20100421.01 8037035 2010-04-21 40.13 -
    The Hacker 6.5.2.0 v00267 2010-04-22 40.13 -
    VBA32 3.12.12.4 20100422.0906 2010-04-22 3.18 -
    VirusBuster 4.5.11.10 10.124.24/2031552 2010-04-22 4.33 Win32.Virut.AB.Gen

    VirSCAN.org Scanned Report :
    Scanned time : 2010/04/22 11:25:09 (EDT)
    Scanner results: Scanners did not find malware!
    File Name : svchost.exe
    File Size : 21504 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 3794b461c45882e06856f282eef025af
    SHA1 : bf15549a7ec01ac505ccac036aba5b9bae688135
    Online report : http://virscan.org/report/a739041377173f6e517ad3735c1ecd92.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 4.5.0.8 20100422080127 2010-04-22 40.13 -
    AhnLab V3 2010.04.22.00 2010.04.22 2010-04-22 40.13 -
    AntiVir 8.2.1.220 7.10.6.173 2010-04-22 0.25 -
    Antiy 2.0.18 20100422.4243894 2010-04-22 0.12 -
    Arcavir 2009 201004220442 2010-04-22 0.03 -
    Authentium 5.1.1 201004220045 2010-04-22 1.29 -
    AVAST! 4.7.4 100422-0 2010-04-22 0.01 -
    AVG 8.5.720 271.1.1/2828 2010-04-22 0.22 -
    BitDefender 7.81008.5686488 7.31332 2010-04-22 3.66 -
    ClamAV 0.95.3 10785 2010-04-22 0.01 -
    Comodo 3.13.579 4665 2010-04-22 40.12 -
    CP Secure 1.3.0.5 2010.04.20 2010-04-20 0.04 -
    Dr.Web 5.0.2.3300 2010.04.22 2010-04-22 6.82 -
    F-Prot 4.4.4.56 20100421 2010-04-21 1.30 -
    F-Secure 7.02.73807 2010.04.22.08 2010-04-22 10.68 -
    Fortinet 4.0.14 11.702 2010-04-15 40.12 -
    GData 21.7/21.3 20100422 2010-04-22 40.13 -
    ViRobot 20100421 2010.04.21 2010-04-21 40.13 -
    Ikarus T3.1.01.80 2010.04.22.75689 2010-04-22 5.85 -
    JiangMin 13.0.900 2010.04.22 2010-04-22 40.12 -
    Kaspersky 5.5.10 2010.04.22 2010-04-22 0.08 -
    KingSoft 2009.2.5.15 2010.4.22.18 2010-04-22 40.13 -
    McAfee 5400.1158 5955 2010-04-18 0.02 -
    Microsoft 1.5703 2010.04.22 2010-04-22 40.13 -
    Norman 6.04.11 6.04.00 2010-04-21 6.01 -
    Panda 9.05.01 2010.04.21 2010-04-21 40.13 -
    Trend Micro 9.120-1004 7.120.04 2010-04-22 0.03 -
    Quick Heal 10.00 2010.04.22 2010-04-22 40.12 -
    Rising 20.0 22.44.03.04 2010-04-22 40.13 -
    Sophos 3.06.0 4.52 2010-04-22 3.60 -
    Sunbelt 3.9.2418.2 6206 2010-04-21 40.12 -
    Symantec 1.3.0.24 20100421.002 2010-04-21 0.05 -
    nProtect 20100421.01 8037035 2010-04-21 40.12 -
    The Hacker 6.5.2.0 v00267 2010-04-22 40.13 -
    VBA32 3.12.12.4 20100422.0906 2010-04-22 2.84 -
    VirusBuster 4.5.11.10 10.124.24/2031552 2010-04-22 2.39 -
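All three VirSCAN.org reports above share one text layout. The script below is added here as an example (it is not code from the thread or from VirSCAN.org): it parses that layout, the `File Name`/`MD5`/`SHA1` header fields and the name/engine/signature/date/time/result rows, and recounts the detections so the ratio can be checked against the report's own summary line. `SAMPLE_REPORT` is a constructed excerpt of the userinit.exe report, keeping ten of its rows with the summary line rewritten to match them.

```python
"""Parse a VirSCAN.org text report and recompute its verdict.

Added example for this thread; not code from the thread or from VirSCAN.org.
SAMPLE_REPORT is a constructed excerpt of the userinit.exe report above:
header fields are copied, ten scanner rows are kept, and the
'Scanner results' line is rewritten to match those ten rows.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# One scanner row: name (may contain spaces), engine version, signature
# version, signature date, scan time in seconds, result ('-' means clean).
# The lazy name group stops at the first point where the rest of the line
# lines up as engine / sigver / YYYY-MM-DD / seconds / result.
ROW_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<engine>\S+)\s+(?P<sigver>\S+)\s+"
    r"(?P<sigdate>\d{4}-\d{2}-\d{2})\s+(?P<seconds>\d+\.\d+)\s+(?P<result>.+?)\s*$"
)
# Header lines look like 'File Name : userinit.exe' or 'Scanner results: 28% ...'.
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z0-9 ]+?)\s*:\s*(?P<value>.*)$")
SUMMARY_RE = re.compile(r"\((?P<hits>\d+)/(?P<total>\d+)\)")

SAMPLE_REPORT = """\
VirSCAN.org Scanned Report :
Scanned time : 2010/04/22 10:41:18 (EDT)
Scanner results: 70% Scanner(s) (7/10) found malware!
File Name : userinit.exe
File Size : 49664 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 60bf581936c0825ecc81be7f3e513de4
SHA1 : 65924eb47743664d0913354760212376814b5775
Online report : http://virscan.org/report/8a0b8af898a5eff83e2c8d254ba128b4.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100422080127 2010-04-22 40.13 -
AhnLab V3 2010.04.22.00 2010.04.22 2010-04-22 40.12 -
AntiVir 8.2.1.220 7.10.6.173 2010-04-22 0.27 W32/Virut.Gen
AVAST! 4.7.4 100422-0 2010-04-22 0.01 Win32:Vitro
Dr.Web 5.0.2.3300 2010.04.22 2010-04-22 6.65 Win32.Virut.56
F-Secure 7.02.73807 2010.04.22.08 2010-04-22 0.88 Virus.Win32.Virut.ce [AVP]
Kaspersky 5.5.10 2010.04.22 2010-04-22 0.97 Virus.Win32.Virut.ce
McAfee 5400.1158 5955 2010-04-18 0.02 -
Trend Micro 9.120-1004 7.120.04 2010-04-22 0.03 PE_VIRUX.R
Symantec 1.3.0.24 20100421.002 2010-04-21 0.62 W32.Virut.CF
"""


@dataclass
class Report:
    file_name: str
    md5: str
    sha1: str
    claimed: Optional[Tuple[int, int]]   # (hits, total) from the summary line; None when clean
    results: Dict[str, str]              # scanner name -> result string

    @property
    def detections(self) -> Dict[str, str]:
        return {k: v for k, v in self.results.items() if v != "-"}


def parse_report(text: str) -> Report:
    headers: Dict[str, str] = {}
    results: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        row = ROW_RE.match(line)
        if row:                       # try scanner rows first so one is never taken for a header
            results[row["name"]] = row["result"]
            continue
        hdr = HEADER_RE.match(line)
        if hdr:
            headers[hdr["key"].strip()] = hdr["value"].strip()
    md5, sha1 = headers.get("MD5", ""), headers.get("SHA1", "")
    if not re.fullmatch(r"[0-9a-f]{32}", md5) or not re.fullmatch(r"[0-9a-f]{40}", sha1):
        raise ValueError("report lacks a well-formed MD5/SHA1 pair")
    m = SUMMARY_RE.search(headers.get("Scanner results", ""))
    claimed = (int(m["hits"]), int(m["total"])) if m else None
    return Report(headers.get("File Name", ""), md5, sha1, claimed, results)


def summarise(report: Report) -> Dict[str, object]:
    det = report.detections
    total = len(report.results)
    observed = (len(det), total)
    return {
        "file": report.file_name,
        "hits": len(det),
        "total": total,
        "percent": round(100 * len(det) / total) if total else 0,
        # Does our recount agree with the report's own summary line?
        "matches_header": observed == report.claimed if report.claimed else not det,
        # Engines naming the family explicitly; the others use vendor-specific labels.
        "virut_named": sum("virut" in v.lower() for v in det.values()),
        "distinct_labels": len({v.lower() for v in det.values()}),
        "clean": not det,
    }


if __name__ == "__main__":
    print(summarise(parse_report(SAMPLE_REPORT)))
```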
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Don, for the future, if you have to go through something like this again, everything you answered to the questions I asked should have been information given in the first post. So often, people just drop logs without comment. The more information we have, the better we can help.

    Unfortunately, there isn't much I'm going to be able to do, as the system does have Virut.
    Virut is a Polymorphic File Infector that infects .exe, .scr, .rar, .zip, .htm, .html. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair, resulting in an inoperative machine. It opens a Backdoor by connecting to a predefined IRC Server and waits for commands from the remote attacker.

    The 'polymorphic' trait means that as soon as we clean one variant, another one is created. And because of the file extensions it infects, it is launched every time you open a file with those extensions.

    Good explanation here:
    http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html


    Change all of your passwords and monitor any online transactions.

    Malware experts say that a Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain .exe, .scr, .rar, .zip, .htm, .html files.
    • Backup all your documents and important items only.
    • DON'T backup any executable files (.exe .scr .html or .htm)
    • DON'T back up compressed files (zip/cab/rar) that may contain .exe or .scr files

    If you back up any documents with the above file extensions, putting them back on the machine or other type of media could reinfect a system.

    You will find excellent reformat/reinstall instructions here:
    http://www.tech-101.com/tutorials/356-tutorial-windows-install-repair-xp-vista.html

    I'm sorry the news couldn't be better. But it's best to do this right up front instead of compromising any more files or features.
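One way to apply the backup rules above mechanically, as an added example (not the thread's own code): walk a folder, refuse the extensions Virut infects, refuse .rar/.cab archives because the Python standard library cannot open them, and open zip containers to check their members. It goes a little beyond the post in also inspecting any file that is really a zip, such as Office .docx files; the sample tree it builds is constructed for the demonstration.

```python
"""Triage a folder for the selective backup described above.

Added example for this thread, not the thread's own code. Rules applied:
skip .exe/.scr/.htm/.html outright, skip .rar/.cab (cannot be inspected
with the standard library), open zip containers and skip any that carry
an executable or web file. Files that are zips in disguise (Office .docx
and friends) are inspected the same way, which extends the post's advice.
"""
import tempfile
import zipfile
from pathlib import Path
from typing import Dict

INFECTABLE = {".exe", ".scr", ".htm", ".html"}   # extensions the thread says Virut infects
OPAQUE_ARCHIVES = {".rar", ".cab"}                 # cannot look inside here, so never copy


def archive_members_infectable(path: Path) -> bool:
    """True if a zip container holds any member with an infectable extension."""
    with zipfile.ZipFile(path) as zf:
        return any(Path(name).suffix.lower() in INFECTABLE for name in zf.namelist())


def classify(path: Path) -> str:
    """Decide whether one file may go into the backup set."""
    ext = path.suffix.lower()
    if ext in INFECTABLE:
        return "skip: executable or web file"
    if ext in OPAQUE_ARCHIVES:
        return "skip: archive that cannot be inspected"
    if ext == ".zip" or zipfile.is_zipfile(path):
        try:
            if archive_members_infectable(path):
                return "skip: archive contains executable or web file"
        except zipfile.BadZipFile:
            return "skip: unreadable archive"
        return "copy: archive with documents only"
    return "copy: document"


def plan_backup(root: Path) -> Dict[str, str]:
    """Map every file under root (relative, POSIX-style) to its decision."""
    plan: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            plan[p.relative_to(root).as_posix()] = classify(p)
    return plan


def make_fixture() -> Path:
    """Build a constructed sample tree (not from the thread) to triage."""
    root = Path(tempfile.mkdtemp(prefix="virut-backup-"))
    (root / "notes.txt").write_text("quarterly notes")
    (root / "setup.exe").write_bytes(b"MZ" + b"\x00" * 62)   # fake PE header only
    (root / "saver.scr").write_bytes(b"MZ" + b"\x00" * 62)
    (root / "index.html").write_text("<html></html>")
    (root / "old.rar").write_bytes(b"Rar!\x1a\x07\x00")      # RAR signature only
    with zipfile.ZipFile(root / "docs.zip", "w") as zf:
        zf.writestr("report.txt", "text only")
    with zipfile.ZipFile(root / "tools.zip", "w") as zf:
        zf.writestr("bin/tool.exe", "MZ")
    with zipfile.ZipFile(root / "memo.docx", "w") as zf:     # Office file is a zip container
        zf.writestr("word/document.xml", "<w:document/>")
    with zipfile.ZipFile(root / "trojan.docx", "w") as zf:
        zf.writestr("word/embeddings/run.exe", "MZ")
    (root / "broken.zip").write_bytes(b"not really a zip")
    return root


if __name__ == "__main__":
    for name, decision in plan_backup(make_fixture()).items():
        print(f"{decision:48} {name}")
```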
Topic Status:
Not open for further replies.
