Hidden Virus hijacking browser and other issues.

comyna

Hello. I recently got the Antimalware doctor virus on my PC, and had a **** hard time getting rid of it. Now my computer is almost fully operational...

However, there are still programs running which I have not been able to identify or actually find on the computer. Whilst surfing I am constantly redirected to ads and other sites, my trusted antivirus program is constantly shutting down, and I am not able to update Firefox.

My main problem is a program I have found called 'apndaole'. Even after searching on the net I cannot find out what this is. This, and other programs that are not running correctly, even after re-installation, have the same distorted icon, just lots of random colour pixels, and all of the program descriptions are the same: 'Schlumberger Smart Card CryptoAPI Library.'

I have so far run Lavasoft Ad-Aware, Spybot, Malwarebytes, SUPERAntiSpyware, IObit Security and ComboFix, but this does not seem to be helping at all; they all say my system is clean. My PC is now running slower and I am worried about my internet privacy.

Please help me! I know very little about the inner workings of computers so please just let me know what more information i can give you to help.

Thank you :)

PS I am running XP :)
 
Spyware Asylum

Go here and follow the guide for the OS you are running. The Full Guide. Post up your logs from ComboFix, Malwarebytes Anti-Malware and HijackThis in that order please. Make sure to run them in Safe Mode.
 
OK, Thanks! Here is my Combofix log. Others to follow -



ComboFix 11-04-19.06 - user 20/04/2011 16:22:46.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3070.2734 [GMT 1:00]
Running from: e:\newantivirus\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\user\Application Data\Adobe\plugs
c:\documents and settings\user\Application Data\Adobe\shed
c:\documents and settings\user\Application Data\Meol
c:\documents and settings\user\Application Data\Meol\osta.oqx
c:\documents and settings\user\WINDOWS
C:\Install.exe
C:\RECYCLER(2)
c:\recycler(2)\S-1-5-21-725345543-507921405-839522115-1004(2)\INFO2
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-03-20 to 2011-04-20 )))))))))))))))))))))))))))))))
.
.
2011-04-20 15:15 . 2011-04-20 15:15 -------- d-----w- C:\32788R22FWJFW
2011-04-20 14:07 . 2011-04-20 14:25 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-04-20 14:07 . 2011-04-20 14:25 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-04-20 14:07 . 2011-04-20 14:25 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-04-20 14:01 . 2011-04-20 14:01 173419 ----a-w- c:\windows\Explorermgr.exe
2011-04-20 14:00 . 2011-04-20 14:00 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-20 14:00 . 2011-04-20 14:00 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\{9100749F-A31F-45BA-8670-14EB46DBDE69}
2011-04-20 13:59 . 2011-04-20 13:59 -------- d--h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2011-04-20 13:48 . 2011-04-20 13:48 -------- d-----w- c:\program files\Lavasoft
2011-04-20 13:47 . 2011-04-20 13:47 -------- d-----w- C:\dfc03690a81b4c87b0a421b7001c2f5e
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\program files\DNA
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\DNA
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\documents and settings\user\Application Data\DNA
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\program files\GIMP-2.0
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\program files\Safari
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\program files\AdventureSoft
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- C:\AeriaGames
2011-04-20 13:29 . 2011-04-20 13:29 -------- d-----w- c:\program files\Veoh Networks
2011-04-20 13:23 . 2011-04-20 13:23 -------- d-----w- c:\documents and settings\LocalService\IETldCache
2011-04-20 13:23 . 2011-04-20 13:23 -------- d-----w- c:\documents and settings\NetworkService\IETldCache
2011-04-20 13:21 . 2011-04-20 13:21 -------- d-----w- c:\documents and settings\user\PrivacIE
2011-04-20 13:20 . 2011-04-20 13:20 -------- d-----w- c:\documents and settings\user\IETldCache
2011-04-20 13:12 . 2011-04-20 13:27 -------- dc----w- c:\windows\ie8
2011-04-20 12:46 . 2011-04-20 13:30 -------- dc----w- c:\documents and settings\All Users\Application Data\{6A395471-4AA3-4072-AE1B-9B69A97AD164}(2)
2011-04-12 21:44 . 2011-04-17 01:15 -------- d-----w- C:\MGTools
2011-04-12 21:05 . 2011-04-12 21:06 -------- d-----w- c:\program files\UnHackMe
2011-04-12 20:18 . 2011-04-12 20:18 -------- d-----w- c:\documents and settings\user\Application Data\IObit
2011-04-12 20:18 . 2011-04-12 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2011-04-12 20:18 . 2011-04-12 20:18 -------- d-----w- c:\program files\IObit
2011-04-12 19:52 . 2011-04-17 01:31 -------- d-----w- c:\program files\rikoofph
2011-04-12 19:52 . 2011-04-12 19:52 173419 ----a-w- c:\windows\system32\null0.4895023822266785.exe
2011-04-12 19:44 . 2011-04-12 19:44 -------- d-----w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2011-04-12 19:44 . 2011-04-12 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-04-12 19:43 . 2011-04-20 13:29 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-12 19:28 . 2011-04-12 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-04-12 19:28 . 2011-04-12 19:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-12 19:04 . 2011-04-12 19:04 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2011-04-12 19:04 . 2011-04-12 19:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-12 19:04 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-12 19:04 . 2011-04-12 19:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-12 19:04 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-05 12:18 . 2011-04-05 12:18 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2011-04-05 12:18 . 2005-10-14 21:42 46592 ----a-w- c:\windows\system32\hpzll43a.dll
2011-04-05 12:18 . 2005-10-14 21:41 72192 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp43a.dll
2011-04-05 12:07 . 2008-04-13 16:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2011-04-05 12:07 . 2008-04-13 16:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-04-02 23:46 . 2011-04-20 14:00 -------- d-----w- c:\documents and settings\Administrator
2011-04-02 23:40 . 2011-04-02 23:40 331010 ----a-w- c:\windows\system32\null0.01046472694286249.exe
2011-04-02 23:40 . 2011-04-02 23:40 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-01 20:59 . 2011-04-01 20:59 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-04-01 17:13 . 2011-04-01 17:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-04-01 15:50 . 2011-04-12 09:30 0 ----a-w- c:\windows\Fbimoyowoh.bin
2011-03-31 10:15 . 2011-03-31 10:16 -------- d-----w- c:\documents and settings\user\Application Data\gtk-2.0
2011-03-31 10:15 . 2011-03-31 10:15 -------- d-----w- c:\documents and settings\user\.thumbnails
2011-03-31 10:11 . 2011-03-31 10:16 -------- d-----w- c:\documents and settings\user\.gimp-2.6
2011-03-31 09:04 . 2011-04-20 14:00 -------- d-----w- c:\documents and settings\user\Application Data\mIRC
2011-03-31 09:04 . 2011-04-20 14:00 -------- d-----w- c:\program files\mIRC
2011-03-30 19:40 . 2011-04-20 13:29 -------- d-----w- c:\program files\Pixia
2011-03-30 19:09 . 2011-03-30 19:40 -------- d-----w- c:\program files\Photobie
2011-03-29 20:12 . 2011-03-29 20:12 -------- d-----w- c:\documents and settings\All Users\Application Data\ConeXware
2011-03-29 20:12 . 2011-04-20 14:42 -------- d-----w- c:\program files\PowerArchiver
2011-03-27 21:25 . 2011-03-27 21:26 -------- d-----w- c:\program files\iTunes
2011-03-27 21:25 . 2011-03-27 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-13 23:25 . 2011-03-13 23:25 256 ----a-w- c:\documents and settings\user\pool.bin
2011-02-18 15:36 . 2009-11-04 18:53 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 15:36 . 2009-11-04 18:53 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-04-20 14:25 . 2011-04-20 14:07 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
"F5D7050v3"="c:\program files\Belkin\F5D7050v3\Belkinwcui.exe" [2007-10-30 1654784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-16 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-11 1280344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 598430]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 254439]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ------w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\user\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 03:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-11-04 18:25 323392 ----a-w- c:\program files\DNA\btdna.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gjeharobif]
c:\windows\usenatuqicacepe.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 14:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\k70ccreloc.exe]
c:\documents and settings\user\Application Data\B0A33B1579575DDB22426ADB99D36004\k70ccreloc.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 21:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2004-08-04 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-05-01 01:30 13750272 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-05-01 01:30 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-05-01 01:31 1657376 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 16:38 598430 ------w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-05-05 17:35 17879552 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-03-16 22:24 2423752 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tukdtjsr]
c:\windows\system32\tukdtjsr.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tukdtjsrx]
c:\windows\system32\tukdtjsrx.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
2009-10-27 19:46 2075896 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"nlsX86cc"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"IS360service"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [04/11/2009 19:01 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [01/04/2011 08:22 1181328]
S4 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [12/04/2011 21:18 312152]
S4 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [20/10/2010 18:41 67904]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-04-01 00:01]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\t48c9v8k.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Rikaichan: {0AA9101C-D3C1-4129-A9B7-D778C6A17F82} - %profile%\extensions\{0AA9101C-D3C1-4129-A9B7-D778C6A17F82}
FF - Ext: Japanese-English Dictionary for rikaichan: {6D898772-AD34-4c16-86BB-9DE787A5DEA0} - %profile%\extensions\{6D898772-AD34-4c16-86BB-9DE787A5DEA0}
FF - Ext: Rikaichan Japanese-English Dictionary File: rikaichan-jpen@polarcloud.com - %profile%\extensions\rikaichan-jpen@polarcloud.com
FF - Ext: British English Dictionary: en-GB@dictionaries.addons.mozilla.org - %profile%\extensions\en-GB@dictionaries.addons.mozilla.org
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-04-20 16:28
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\user\Start Menu\Programs\Startup\apndaole.exe 173419 bytes executable
c:\documents and settings\user\Start Menu\Programs\Startup\desktop.ini 84 bytes
C:\apndaole.exe 173419 bytes executable
.
scan completed successfully
hidden files: 3
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(840)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2011-04-20 16:29:49
ComboFix-quarantined-files.txt 2011-04-20 15:29
ComboFix2.txt 2011-04-17 01:29
ComboFix3.txt 2011-04-12 22:01
.
Pre-Run: 572,476,530,688 bytes free
Post-Run: 573,901,295,616 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - D4FF47C6576E73B53B8CB02F87E3F9FD
 
Malwarebytes log:


Malwarebytes' Anti-Malware 1.50.1.1100
Malwarebytes

Database version: 6406

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

20/04/2011 15:10:33
mbam-log-2011-04-20 (15-10-33).txt

Scan type: Quick scan
Objects scanned: 166723
Time elapsed: 7 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




And HijackThis. I was unable to retrieve the saved log from Safe Mode, so this is the regular log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 18:50:02, on 20/04/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
E:\newantivirus\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\Program Files\rikoofph\apndaole.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [F5D7050v3] C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4381 bytes


thanks for your help!
 
c:\program files\UnHackMe

That doesn't look too legit. Have you run the Microsoft Malicious Software Removal Tool as well?

Malicious Software Removal Tool | Protect Your Computer

c:\program files\rikoofph

That is not any known program I can find.

c:\windows\system32\null0.4895023822266785.exe
c:\windows\system32\null0.01046472694286249.exe

There are a couple of problem files right there.

c:\documents and settings\user\Application Data\B0A33B1579575DDB22426ADB99D36004\k70ccreloc.exe
c:\windows\system32\tukdtjsr.exe
c:\windows\system32\tukdtjsrx.exe

This is cloaked malware. In Safe Mode do this. Start>Edit>regedit.exe, now when the window comes up look for these entries:

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\k70ccreloc.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tukdtjsr]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tukdtjsrx]


Now delete these entries and THESE ENTRIES ONLY. Making any other changes can cause serious damage to your Windows install.

c:\documents and settings\user\Start Menu\Programs\Startup\apndaole.exe

Delete this as well. While you're in Safe Mode, make sure to do this as well. Start>Run>cleanmgr, remove all temp files. The malware is spawning itself to new names to hide itself from your scans. Now after you remove those registry entries and delete all temp files and other files, go back into Normal mode, run ComboFix again and post its log.
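The two replies above pick the suspect entries out of the posted logs by eye. The script below is an added example written for this page (it is not a forum tool and not part of ComboFix or HijackThis) that automates three of those checks over lines copied from the logs in this thread: extra paths in the UserInit value that the HijackThis F2 line shows, msconfig startupreg entries that ComboFix printed with `[BU]` in place of a date/size/attribute stamp (the k70ccreloc.exe, tukdtjsr and tukdtjsrx entries flagged above), and differently named files that share a single byte size, which is how the 173419-byte copies (Explorermgr.exe, null0.4895023822266785.exe and both apndaole.exe files) stand out. The function names, regexes and the same-size heuristic are this example's own assumptions; it only parses the line shapes visible in the logs above.

```python
"""Triage the ComboFix / HijackThis logs posted in this thread.

Added example written for this page; it is not a forum tool and not part
of ComboFix or HijackThis.  It parses only the line shapes visible in the
logs above, and the sample text below is copied from those logs.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample input: lines lifted verbatim from the logs in this thread.
HIJACKTHIS_SAMPLE = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\Program Files\rikoofph\apndaole.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

COMBOFIX_SAMPLE = r"""
2011-04-20 14:01 . 2011-04-20 14:01 173419 ----a-w- c:\windows\Explorermgr.exe
2011-04-12 19:52 . 2011-04-12 19:52 173419 ----a-w- c:\windows\system32\null0.4895023822266785.exe
2011-04-02 23:40 . 2011-04-02 23:40 331010 ----a-w- c:\windows\system32\null0.01046472694286249.exe
2011-04-12 19:04 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 14:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\k70ccreloc.exe]
c:\documents and settings\user\Application Data\B0A33B1579575DDB22426ADB99D36004\k70ccreloc.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tukdtjsr]
c:\windows\system32\tukdtjsr.exe [BU]
.
c:\documents and settings\user\Start Menu\Programs\Startup\apndaole.exe 173419 bytes executable
C:\apndaole.exe 173419 bytes executable
"""

USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.M)
STARTUPREG_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\([^\]]+)\]\r?\n(.*)$",
    re.M | re.I,
)
# "Files Created" lines: <created> . <modified> <size> <attrs> <path>
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} (\d+) [-a-z]+ (.+)$", re.M
)
# catchme "hidden files" lines: <path> <size> bytes executable
HIDDEN_RE = re.compile(r"^(.+?) (\d+) bytes executable$", re.M)


def userinit_extras(hjt_text: str) -> List[str]:
    """Return every UserInit path other than the genuine userinit.exe.

    Winlogon launches each comma-separated entry at logon, so anything
    appended here runs before the desktop appears, regardless of Run keys.
    """
    m = USERINIT_RE.search(hjt_text)
    if not m:
        return []
    extras = []
    for item in m.group(1).split(","):
        item = item.strip()
        if item and item.lower().split("\\")[-1] != "userinit.exe":
            extras.append(item)
    return extras


def unstamped_startupreg(combofix_text: str) -> List[Tuple[str, str]]:
    """Return (entry name, path) for msconfig startupreg entries whose detail
    line ends in [BU] instead of carrying a date/size/attribute stamp."""
    found = []
    for name, detail in STARTUPREG_RE.findall(combofix_text):
        detail = detail.strip()
        if detail.endswith("[BU]"):
            found.append((name, detail[:-4].strip()))
    return found


def same_size_executables(combofix_text: str, min_names: int = 2) -> Dict[int, List[str]]:
    """Group files by byte size and return the sizes shared by at least
    `min_names` differently named files.  A dropper that re-copies itself
    under fresh random names leaves identical sizes behind (heuristic)."""
    by_size: Dict[int, set] = defaultdict(set)
    for size, path in CREATED_RE.findall(combofix_text):
        by_size[int(size)].add(path.strip())
    for path, size in HIDDEN_RE.findall(combofix_text):
        by_size[int(size)].add(path.strip())
    result: Dict[int, List[str]] = {}
    for size, paths in by_size.items():
        names = {p.lower().rsplit("\\", 1)[-1] for p in paths}
        if len(names) >= min_names:
            result[size] = sorted(paths)
    return result


if __name__ == "__main__":
    for item in userinit_extras(HIJACKTHIS_SAMPLE):
        print("UserInit extra:", item)
    for name, path in unstamped_startupreg(COMBOFIX_SAMPLE):
        print("startupreg [BU]:", name, "->", path)
    for size, paths in same_size_executables(COMBOFIX_SAMPLE).items():
        print(f"{len(paths)} files of {size} bytes:", *paths, sep="\n  ")
```

Run it as-is on the embedded samples, or feed it the full log text; the size-grouping check is deliberately loose and will also group legitimate files that happen to share a size, so treat its output as a lead, not a verdict. The same ComboFix log also shows Firefox user.js prefs setting security.warn_viewing_mixed and security.warn_submit_insecure to false; those are worth reverting once the persistence entries are gone.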
 
Thank you! Shall do :) Quick question though: when you mentioned the files before telling me to use regedit, such as the 'unhackme' and 'rikoofph' files, do you mean I should delete these via regedit also? What should I do with these if not?

thank you again!
 
No, do not delete those via regedit. Only delete the entries I posted. If they were to be removed via regedit, I would have said that. ;) That is why I made sure to express only those entries.

The others have to be removed from their location on the hard drive. You have to navigate to them as if you were trying to run them, C being the C:\ drive and so on. The folder hierarchy is already laid out; you just have to follow it. Delete the folder that it mentioned.
 
OK! Thanks, just wanted to make sure :) I will post up the log when I can. Thank youuu!
 
I have followed your advice, and I will post another log in the morning (I must go to bed...). However, before I do so I thought I would just let you know that I was unable to delete the 'rikoofph' file; I got the error message 'unable to delete file - directory is not empty.'

I was also unable to run cleanmgr; every time I tried I immediately got a message saying an error had occurred (one of those where they ask if you want to send a report to Microsoft...).

Any advice you have on these would be great, thank you! Thanks for taking the time out to help me so far too. I shall post the new log in the morning.
 
Alright, now for the first message: you will have to get rKill. It comes from BleepingComputer. That should kill any unknown process, which should then allow you to delete the folder. If not, then we will have to force-delete it.

As for Clean Manager, we might have to do a system file check on that.
 