Solved I did the eight steps - My machine is still sick

Status
Not open for further replies.
U

UThant

Posts: 55   +0
Any assistance you can provide will be greatly appreciated. I have attached the last log as a zip attachment, as requested - and, as instructed, here are the rest of the logs. Thanks so much in advance for your help - Don Wozniak:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4016

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

4/21/2010 2:31:58 PM
mbam-log-2010-04-21 (14-31-58).txt

Scan type: Quick scan
Objects scanned: 167837
Time elapsed: 6 minute(s), 56 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 11
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 25

Memory Processes Infected:
C:\Windows\System32\PereSvc.exe (Trojan.Koblu) -> Unloaded process successfully.
C:\Windows\System32\GroupPolicy\User\Scripts\Logon\winlogo.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
c:\Windows\System32\BtwSvc.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsvc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\peresvc (Trojan.Koblu) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\buildw (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\firstinstallflag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\I (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\updatenew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mpe (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\BtwSvc.dll (Trojan.Agent) -> Delete on reboot.
C:\Windows\System32\PereSvc.exe (Trojan.Koblu) -> Quarantined and deleted successfully.
C:\Windows\System32\d.bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\ms.bin (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\t1p0_207384498781.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\t1p0_309242508519.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\t1p0_579320685922.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\t1p0_633867881587.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\txpxr_175803499349.b1k (Backdoor.Refpron) -> Quarantined and deleted successfully.
C:\Windows\System32\txpxr_19610067684.b1k (Trojan.Koblu) -> Quarantined and deleted successfully.
C:\Windows\System32\txpxr_276471244028.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\txpxr_44471318973.b1k (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\txpxr_56602683827.b1k (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\txpxr_606811425875.b1k (Trojan.Koblu) -> Quarantined and deleted successfully.
C:\Windows\System32\txpxr_72918994244.b1k (Trojan.Koblu) -> Quarantined and deleted successfully.
C:\Windows\System32\6641046.exe (Backdoor.Refpron) -> Quarantined and deleted successfully.
C:\Windows\System32\7398493.exe (Backdoor.Refpron) -> Quarantined and deleted successfully.
C:\Windows\System32\8077051.exe (Backdoor.Refpron) -> Quarantined and deleted successfully.
C:\Windows\System32\9865229.exe (Backdoor.Refpron) -> Quarantined and deleted successfully.
C:\Windows\System32\so.bin (Trojan.Koblu) -> Quarantined and deleted successfully.
C:\Windows\System32\grouppolicy\User\Scripts\Logon\autorun.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\System32\w.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\Local Settings\Application Data\Windows Server\dgljlc.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\GroupPolicy\User\Scripts\Logon\winlogo.exe (Trojan.Agent) -> Quarantined and deleted successfully.


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-21 15:29:35
Windows 6.0.6002 Service Pack 2
Running: 2fw223l7.exe; Driver: C:\Users\bjones\AppData\Local\Temp\ugtyqfog.sys


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016419ce247
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016419ce247@0007617efc90 0x22 0x1A 0x36 0xE4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016419ce247@001ccc948464 0xD7 0xD4 0x18 0xD5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016419ce247@001dbe2a3741 0x82 0x63 0x1D 0x2D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016419ce247@0007e095016f 0x5B 0xDF 0x2E 0x7C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016419ce247@000761979534 0x86 0x69 0x34 0x56 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016419ce247 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016419ce247@0007617efc90 0x22 0x1A 0x36 0xE4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016419ce247@001ccc948464 0xD7 0xD4 0x18 0xD5 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016419ce247@001dbe2a3741 0x82 0x63 0x1D 0x2D ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016419ce247@0007e095016f 0x5B 0xDF 0x2E 0x7C ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016419ce247@000761979534 0x86 0x69 0x34 0x56 ...

---- EOF - GMER 1.0.15 ----


DDS (Ver_10-03-17.01) - NTFSx86
Run by Bjones at 15:39:59.12 on Wed 04/21/2010
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.2045.1177 [GMT -4:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Symantec Endpoint Protection *enabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\Rundll32.exe
C:\Windows\system32\UI0Detect.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\UI0Detect.exe
C:\Users\bjones\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [ScreenPrint32] c:\program files\screenprint32 v3\ScreenPrint32.exe -startup
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\pidgin.lnk - c:\program files\pidgin\pidgin.exe
uPolicies-system: HideLogonScripts = 0 (0x0)
uPolicies-system: HideLegacyLogonScripts = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.6.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://visionsolutions.webex.com/client/T26L/webex/ieatgpc1.cab
Handler: x-owacid - {0215258f-f0a8-49de-bf1b-0ff02eda8807} - c:\program files\microsoft\outlook web access smime client\mimectl.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {7070D8E0-650A-46b3-B03C-9497582E6A74} - %SystemRoot%\system32\soundschemes.exe /AddRegistration
mASetup: {B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24} - %SystemRoot%\system32\soundschemes2.exe /AddRegistration

================= FIREFOX ===================

FF - ProfilePath - c:\users\bjones\appdata\roaming\mozilla\firefox\profiles\ojfni43y.default\
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\nbc direct\npDirectPlayerMozilla.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 BtwSvc;BtwSvc;c:\windows\system32\svchost.exe -k netsvcs [2008-6-5 21504]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-9-11 2436536]
R3 b57nd60x;%SvcDispName%;c:\windows\system32\drivers\b57nd60x.sys [2008-6-5 179712]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-1 102448]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-5 21504]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-22 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-22 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2006-12-13 20992]
S3 PeerDistSvc;BranchCache;c:\windows\system32\svchost.exe -k PeerDist [2008-6-5 21504]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2008-7-9 58240]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe --> c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-3 135664]
S4 peresvc;peresvc Service;c:\windows\system32\PereSvc.exe [2006-11-2 65536]
S4 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-4-15 1153368]

=============== Created Last 30 ================

2010-04-21 19:33:13 33280 ----a-w- c:\windows\system32\2261424.exe
2010-04-21 19:33:03 170047 ----a-w- c:\windows\system32\7304041.exe
2010-04-21 19:03:50 93056 ----a-w- C:\ugtyqfog.sys
2010-04-21 18:43:48 33280 ----a-w- c:\windows\system32\364036.exe
2010-04-21 18:43:36 92672 ----a-w- c:\windows\system32\w.exe
2010-04-21 18:43:36 44544 ----a-w- c:\windows\system32\ms.bin
2010-04-21 18:43:36 40960 ----a-w- c:\windows\system32\so.bin
2010-04-21 18:43:36 36864 ----a-w- c:\windows\system32\d.bin
2010-04-21 18:43:35 170047 ----a-w- c:\windows\system32\8119928.exe
2010-04-21 18:42:23 142361531 ----a-w- c:\windows\MEMORY.DMP
2010-04-21 18:37:19 33280 ----a-w- c:\windows\system32\2539286.exe
2010-04-21 18:37:08 170047 ----a-w- c:\windows\system32\9225732.exe
2010-04-21 18:34:43 0 ----a-w- c:\windows\system32\t1p0_197158136798.b1k
2010-04-21 18:20:15 0 d-----w- c:\users\bjones\appdata\roaming\Malwarebytes
2010-04-21 18:19:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-21 18:19:55 0 d-----w- c:\programdata\Malwarebytes
2010-04-21 18:19:54 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-21 18:19:54 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-21 18:17:21 33280 ----a-w- c:\windows\system32\2249369.exe
2010-04-21 16:49:02 33280 ----a-w- c:\windows\system32\3760755.exe
2010-04-21 16:37:22 33280 ----a-w- c:\windows\system32\9612192.exe
2010-04-21 16:17:16 0 d-sh--w- C:\$RECYCLE.BIN
2010-04-21 16:03:08 33280 ----a-w- c:\windows\system32\3861155.exe
2010-04-21 12:42:35 286720 ----a-w- c:\windows\PEV.exe
2010-04-21 12:42:35 186880 ----a-w- c:\windows\SWREG.exe
2010-04-21 12:42:35 123392 ----a-w- c:\windows\sed.exe
2010-04-21 12:42:35 105984 ----a-w- c:\windows\MBR.exe
2010-04-15 12:58:52 0 d-----w- c:\program files\Trend Micro

==================== Find3M ====================

2010-04-21 18:34:28 6396 ----a-w- c:\windows\bthservsdp.dat
2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53:34 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-04 12:56:21 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-04 12:56:15 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-02-04 12:56:01 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-02-04 12:56:00 143360 ----a-w- c:\windows\inf\infstor.dat
2010-01-25 12:00:35 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00:35 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00:35 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00:22 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58:52 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21:20 550912 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21:20 371200 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21:18 542720 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21:18 371712 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26:13 2048 ----a-w- c:\windows\system32\tzres.dll
2008-06-05 18:31:03 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2007-02-21 19:50:45 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 15:42:52.04 ===============
 

Attachments

  • Attach.zip
    4.9 KB · Views: 1
Welcome to TechSpot, Don> I'll help with the malware.

When you leave logs, they must be the complete logs. Neither GMER or DDS are complete. DDS has another separate log.

The preliminary programs we have you run are jut that prelim- and we state that in the thread. Please describe what symptoms the 'sick' computer is having. The errors you are getting would appear to indicate that either the system is crashing or won't startup- it's important that you give us this information.

Please download ComboFix from Here and save to your Desktop.

  • [1]. Do NOT rename Combofix unless instructed.
    [2]. Close any open browsers.
    [3]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [4]. If Combofix asks you to install Recovery Console, please allow it.
    [5]. If Combofix asks you to update the program, always allow.
    [6]. Close any open browsers and Double click on combofix.exe & follow the prompts to run.
  • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix.

Please include the full Combofix report and a description of the problem in your next reply.
 
First Response to your response

Hi, Bobbye, thanks for answering.
As far as the gmer and dds not being complete logs, what I posted is what was produced by the programs. The second log from dds, the attach.txt, was zipped and attached to my initial post as several warnings in dds and in the attach.txt log itself advised me to do.
I downloaded combofix using your link and attempted to run it. Here's what I got:
!!ALERT!! It is not safe to continue!
The contents of the Combofix package has been compromised. Please download a fresh copy from:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Note: You may be infected with a file patching virus 'Virut'

I have not yet gone to get a fresh copy, but I have deleted the one I got from your link.

As far as the symptoms of the machine illness:
1. At startup, I now get a command window which is running a program called winlogo.exe (not winlogon, winlogo). I have never gotten this before.

2. About every three minutes, I am notified by WinPatrol New Program Alert that it has detected a new startup program and asks me to approve it. The program path is C:\Windows\System32\userinit.exe and it references WinLogon/UserInit.

3. Symantec Endpoint Antivirus updates are externally managed for all machines on the network. The virus defs on this machine will not update. They are stuck on the March 29, 2010 signatures. The network's current version is April 21, 2010.

4. And, Windows update is externally managed by WSUS on the network. The Windows Updates refuse to download, much less install.

Let me know if there's anything else you need to know.
Don Wozniak
 
Don, I'd like for you to check for Virut as follows:

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • c:\windows\system32\userinit.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
Also scan these,

C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe


Virut is a Polymorphic File Infector that infects ..exe, .scr, .rar, .zip, .htm, .html. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair resulting in an inoperative machine. It opens a Backdoor by connecting to a predefined IRC Server and waits for commands from the remote attacker

If a Virut infection is confirmed, then I will recommend a reformat/reinstall and also give you more information on Virut. But let's check it out first.

Please leave the log in your next reply.
 
It doesn't look good to me

Here's the clipboard from the first file scanned:
VirSCAN.org Scanned Report :
Scanned time : 2010/04/22 10:41:18 (EDT)
Scanner results: 28% Scanner(s) (10/36) found malware!
File Name : userinit.exe
File Size : 49664 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 60bf581936c0825ecc81be7f3e513de4
SHA1 : 65924eb47743664d0913354760212376814b5775
Online report : http://virscan.org/report/8a0b8af898a5eff83e2c8d254ba128b4.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100422080127 2010-04-22 40.13 -
AhnLab V3 2010.04.22.00 2010.04.22 2010-04-22 40.12 -
AntiVir 8.2.1.220 7.10.6.173 2010-04-22 0.27 W32/Virut.Gen
Antiy 2.0.18 20100422.4243894 2010-04-22 0.12 -
Arcavir 2009 201004220442 2010-04-22 0.10 -
Authentium 5.1.1 201004220045 2010-04-22 1.33 -
AVAST! 4.7.4 100422-0 2010-04-22 0.01 Win32:Vitro
AVG 8.5.720 271.1.1/2828 2010-04-22 1.24 -
BitDefender 7.81008.5686488 7.31332 2010-04-22 3.62 Win32.Virtob.Gen.12
ClamAV 0.95.3 10785 2010-04-22 0.02 -
Comodo 3.13.579 4665 2010-04-22 40.12 -
CP Secure 1.3.0.5 2010.04.20 2010-04-20 0.06 -
Dr.Web 5.0.2.3300 2010.04.22 2010-04-22 6.65 Win32.Virut.56
F-Prot 4.4.4.56 20100421 2010-04-21 1.31 -
F-Secure 7.02.73807 2010.04.22.08 2010-04-22 0.88 Virus.Win32.Virut.ce [AVP]
Fortinet 4.0.14 11.702 2010-04-15 40.12 -
GData 21.7/21.3 20100422 2010-04-22 40.13 -
ViRobot 20100421 2010.04.21 2010-04-21 40.12 -
Ikarus T3.1.01.80 2010.04.22.75689 2010-04-22 5.86 -
JiangMin 13.0.900 2010.04.22 2010-04-22 40.12 -
Kaspersky 5.5.10 2010.04.22 2010-04-22 0.97 Virus.Win32.Virut.ce
KingSoft 2009.2.5.15 2010.4.22.18 2010-04-22 40.13 -
McAfee 5400.1158 5955 2010-04-18 0.02 -
Microsoft 1.5703 2010.04.22 2010-04-22 40.12 -
Norman 6.04.11 6.04.00 2010-04-21 4.01 -
Panda 9.05.01 2010.04.21 2010-04-21 40.13 -
Trend Micro 9.120-1004 7.120.04 2010-04-22 0.03 PE_VIRUX.R
Quick Heal 10.00 2010.04.22 2010-04-22 40.13 -
Rising 20.0 22.44.03.04 2010-04-22 40.13 -
Sophos 3.06.0 4.52 2010-04-22 3.59 W32/Scribble-B
Sunbelt 3.9.2418.2 6206 2010-04-21 40.12 -
Symantec 1.3.0.24 20100421.002 2010-04-21 0.62 W32.Virut.CF
nProtect 20100421.01 8037035 2010-04-21 40.13 -
The Hacker 6.5.2.0 v00267 2010-04-22 14.68 -
VBA32 3.12.12.4 20100422.0906 2010-04-22 3.18 -
VirusBuster 4.5.11.10 10.124.24/2031552 2010-04-22 2.56 Win32.Virut.AB.Gen

This is from explorer.exe:

VirSCAN.org Scanned Report :
Scanned time : 2010/04/22 10:58:51 (EDT)
Scanner results: 31% Scanner(s) (11/36) found malware!
File Name : explorer.exe
File Size : 2951168 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 3b6af34f6b88ce1ba7190b77979660d5
SHA1 : 60a9a81e6eb515c09b7321e39d4d4d89eb89bf23
Online report : http://virscan.org/report/964773df748902b51cb1785bb3b7ca99.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100422080127 2010-04-22 33.34 -
AhnLab V3 2010.04.22.00 2010.04.22 2010-04-22 40.13 -
AntiVir 8.2.1.220 7.10.6.173 2010-04-22 0.27 W32/Virut.Gen
Antiy 2.0.18 20100422.4243894 2010-04-22 0.12 -
Arcavir 2009 201004220442 2010-04-22 0.15 -
Authentium 5.1.1 201004220045 2010-04-22 1.44 -
AVAST! 4.7.4 100422-0 2010-04-22 0.12 Win32:Vitro
AVG 8.5.720 271.1.1/2828 2010-04-22 1.26 -
BitDefender 7.81008.5686488 7.31332 2010-04-22 3.63 Win32.Virtob.Gen.12
ClamAV 0.95.3 10785 2010-04-22 0.35 -
Comodo 3.13.579 4665 2010-04-22 27.42 Virus.Win32.Virut.Ce
CP Secure 1.3.0.5 2010.04.20 2010-04-20 0.48 -
Dr.Web 5.0.2.3300 2010.04.22 2010-04-22 7.04 Win32.Virut.56
F-Prot 4.4.4.56 20100421 2010-04-21 1.40 -
F-Secure 7.02.73807 2010.04.22.08 2010-04-22 4.32 Virus.Win32.Virut.ce [AVP]
Fortinet 4.0.14 11.702 2010-04-15 2.68 -
GData 21.7/21.3 20100422 2010-04-22 40.22 -
ViRobot 20100421 2010.04.21 2010-04-21 16.57 -
Ikarus T3.1.01.80 2010.04.22.75689 2010-04-22 7.29 -
JiangMin 13.0.900 2010.04.22 2010-04-22 40.15 -
Kaspersky 5.5.10 2010.04.22 2010-04-22 0.15 Virus.Win32.Virut.ce
KingSoft 2009.2.5.15 2010.4.22.18 2010-04-22 40.12 -
McAfee 5400.1158 5955 2010-04-18 0.02 -
Microsoft 1.5703 2010.04.22 2010-04-22 40.12 -
Norman 6.04.11 6.04.00 2010-04-21 4.01 -
Panda 9.05.01 2010.04.21 2010-04-21 40.13 -
Trend Micro 9.120-1004 7.120.04 2010-04-22 0.03 PE_VIRUX.R
Quick Heal 10.00 2010.04.22 2010-04-22 40.14 -
Rising 20.0 22.44.03.04 2010-04-22 40.13 -
Sophos 3.06.0 4.52 2010-04-22 3.60 W32/Scribble-B
Sunbelt 3.9.2418.2 6206 2010-04-21 40.12 -
Symantec 1.3.0.24 20100421.002 2010-04-21 0.52 W32.Virut.CF
nProtect 20100421.01 8037035 2010-04-21 40.13 -
The Hacker 6.5.2.0 v00267 2010-04-22 40.13 -
VBA32 3.12.12.4 20100422.0906 2010-04-22 3.18 -
VirusBuster 4.5.11.10 10.124.24/2031552 2010-04-22 4.33 Win32.Virut.AB.Gen

VirSCAN.org Scanned Report :
Scanned time : 2010/04/22 11:25:09 (EDT)
Scanner results: Scanners did not find malware!
File Name : svchost.exe
File Size : 21504 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 3794b461c45882e06856f282eef025af
SHA1 : bf15549a7ec01ac505ccac036aba5b9bae688135
Online report : http://virscan.org/report/a739041377173f6e517ad3735c1ecd92.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100422080127 2010-04-22 40.13 -
AhnLab V3 2010.04.22.00 2010.04.22 2010-04-22 40.13 -
AntiVir 8.2.1.220 7.10.6.173 2010-04-22 0.25 -
Antiy 2.0.18 20100422.4243894 2010-04-22 0.12 -
Arcavir 2009 201004220442 2010-04-22 0.03 -
Authentium 5.1.1 201004220045 2010-04-22 1.29 -
AVAST! 4.7.4 100422-0 2010-04-22 0.01 -
AVG 8.5.720 271.1.1/2828 2010-04-22 0.22 -
BitDefender 7.81008.5686488 7.31332 2010-04-22 3.66 -
ClamAV 0.95.3 10785 2010-04-22 0.01 -
Comodo 3.13.579 4665 2010-04-22 40.12 -
CP Secure 1.3.0.5 2010.04.20 2010-04-20 0.04 -
Dr.Web 5.0.2.3300 2010.04.22 2010-04-22 6.82 -
F-Prot 4.4.4.56 20100421 2010-04-21 1.30 -
F-Secure 7.02.73807 2010.04.22.08 2010-04-22 10.68 -
Fortinet 4.0.14 11.702 2010-04-15 40.12 -
GData 21.7/21.3 20100422 2010-04-22 40.13 -
ViRobot 20100421 2010.04.21 2010-04-21 40.13 -
Ikarus T3.1.01.80 2010.04.22.75689 2010-04-22 5.85 -
JiangMin 13.0.900 2010.04.22 2010-04-22 40.12 -
Kaspersky 5.5.10 2010.04.22 2010-04-22 0.08 -
KingSoft 2009.2.5.15 2010.4.22.18 2010-04-22 40.13 -
McAfee 5400.1158 5955 2010-04-18 0.02 -
Microsoft 1.5703 2010.04.22 2010-04-22 40.13 -
Norman 6.04.11 6.04.00 2010-04-21 6.01 -
Panda 9.05.01 2010.04.21 2010-04-21 40.13 -
Trend Micro 9.120-1004 7.120.04 2010-04-22 0.03 -
Quick Heal 10.00 2010.04.22 2010-04-22 40.12 -
Rising 20.0 22.44.03.04 2010-04-22 40.13 -
Sophos 3.06.0 4.52 2010-04-22 3.60 -
Sunbelt 3.9.2418.2 6206 2010-04-21 40.12 -
Symantec 1.3.0.24 20100421.002 2010-04-21 0.05 -
nProtect 20100421.01 8037035 2010-04-21 40.12 -
The Hacker 6.5.2.0 v00267 2010-04-22 40.13 -
VBA32 3.12.12.4 20100422.0906 2010-04-22 2.84 -
VirusBuster 4.5.11.10 10.124.24/2031552 2010-04-22 2.39 -
 
Don, for the future, if you have to go through something like this again, everything you answered to the questions I asked should have been information given in the first post. So often, people just drop logs without comment. The more information we have, the better we can help.

Unfortunately, these isn't much I'm going to be able to do as the system does have Virut.
Virut is a Polymorphic File Infector that infects ..exe, .scr, .rar, .zip, .htm, .html. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair resulting in an inoperative machine. It opens a Backdoor by connecting to a predefined IRC Server and waits for commands from the remote attacker

The 'polymorphic' trait means that as soon as we clean on variant, another one is creator. And because of the file extensions it infects, it is launched every time you open a file with those extensions.

Good explanation here:
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html


Change all of your passwords and monitor any online transactions.

Malware experts say that a Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain .exe, .scr, .rar, .zip, .htm, .html files.
  • Backup all your documents and important items only.
  • DON'T backup any executable files (,exe .scr .html or .htm)
  • DON'T back up compressed files (zip/cab/rar) that may contain .exe or .scr files

If you back up any documents with the above file extensions, putting them back on the machine or other type of media could reinfect a system.

You will find excellent reformat/reinstall instructions here:
http://www.tech-101.com/tutorials/356-tutorial-windows-install-repair-xp-vista.html

I'm sorry the news couldn't be better. But it's best to do this right up front instead of compromising any more files or features.
 
Status
Not open for further replies.

Similar threads

uber_beetle
Infected with fake ad pop-ups - posting FRST and Addition
Replies
12
Views
845
uber_beetle
uber_beetle
wshknwntlprtmn
  • Locked
Inactive Not sure what's going on here....
Replies
12
Views
2K
Broni
Broni
S
  • Locked
Inactive Am I infected?
Replies
8
Views
3K
Broni
Broni

Latest posts

Back