Hello, I am having some problems removing this Sinowal trojan. I have tried AVG and Symantec. I have HijackThis, so if you need my list just let me know. Thanks for any help!

Quote:
"
Name: turpi11
Date: January 1, 2007 at 13:39:35 Pacific
Reply: (edit)
This is an excellent tool. It has removed this Sinowal for me also.
You could try this freebie Trojan finder/fixer:
A-SQUARED FREE - JUST DOWN PAGE
http://www.emsisoft.com/en/software..."
http://www.computing.net/answers/se...

Seems like this solved the problem since there was no reply. :)
--------------------
Thor Byrgesen: The one,
oh the one computers and all electronics just hate.

Please download Malwarebytes' Anti-Malware from one of these sites:
1. Double Click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.
Please download and install the latest version of HijackThis v2.0.2:
Download the "HijackThis" Installer from this link:
Hijack This
1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Thank you very much for your replies. I took my HijackThis analysis and put it into some analyzer on this forum earlier and deleted one thing it listed as extremely dangerous; it was a part of the svchost.exe, I believe... Thanks for your help!
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\WLTRYSVC.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Steven Walker\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Symantec AntiVirus\vpc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4071124
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4071124
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4071124
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Steven Walker\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41...
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Opti...
O17 - HKLM\System\CCS\Services\Tcpip\..\{1244B13B-D5FB-4DC3-B996-7839F9CD9DED}: NameServer = 76.7.255.188,65.40.202.102
O17 - HKLM\System\CS1\Services\Tcpip\..\{1244B13B-D5FB-4DC3-B996-7839F9CD9DED}: NameServer = 76.7.255.188,65.40.202.102
O17 - HKLM\System\CS2\Services\Tcpip\..\{1244B13B-D5FB-4DC3-B996-7839F9CD9DED}: NameServer = 76.7.255.188,65.40.202.102
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.exe
Malwarebytes log
12/7/2008 11:53:40 PM
mbam-log-2008-12-07 (23-53-40).txt

Scan type: Quick Scan
Objects scanned: 58585
Time elapsed: 11 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Perfect Defender 2009 (Rogue.PerfectDefender) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Perfect Defender 2009\pd.dll (Rogue.PerfectDefender) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSoydwdrkd.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSpgrngmom.log (Trojan.TDSS) -> Quarantined and deleted successfully.
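The HijackThis and MBAM output above is the kind of material a responder reads line by line: a core Windows binary name (svchost.exe) living in the drivers folder, an O4 Run entry that gives only a bare file name, O17 NameServer values that should be checked against the ISP's servers, and O23 services with no publisher string. The script below is an added example written for this page; it is not part of the thread and not HijackThis or Malwarebytes code. It applies those checks to lines in HijackThis' log format. The sample lines are constructed for the example: most are copied from the log above, and the drivers\svchost.exe process line is added so the path check has something to find. The DNS servers are reported for verification against a caller-supplied trusted list, not judged malicious.

```python
"""Triage checks over a HijackThis-format log (added example, not HijackThis code)."""
import ntpath
import re
from typing import FrozenSet, List, Tuple

# Constructed sample in HijackThis' log format. Most lines are copied from the
# log posted above; the drivers\svchost.exe process line is added for the check.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O17 - HKLM\System\CCS\Services\Tcpip\..\{1244B13B-D5FB-4DC3-B996-7839F9CD9DED}: NameServer = 76.7.255.188,65.40.202.102
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Core Windows binaries whose names malware likes to borrow; on XP they
# legitimately run only from these directories.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
CORE_DIRS = {r"c:\windows", r"c:\windows\system32"}

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,\s]+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split()
    return parts[0] if parts else ""


def triage(log_text: str, trusted_dns: FrozenSet[str] = frozenset()) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for log lines that deserve a second look."""
    findings: List[Tuple[str, str]] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes and PATH_RE.match(line):
            # ntpath splits Windows paths correctly even when run on Linux/macOS
            name = ntpath.basename(line).lower()
            folder = ntpath.dirname(line).lower()
            if name in CORE_BINARIES and folder not in CORE_DIRS:
                findings.append(("core Windows binary name running outside its normal directory", line))
            continue
        in_processes = False  # the first non-path line ends the process list
        m4 = O4_RE.match(line)
        m17 = O17_RE.match(line)
        if line.startswith("O2 - ") and line.endswith("(no file)"):
            findings.append(("BHO registered but its file is missing (orphaned CLSID)", line))
        elif m4:
            exe = executable_of(m4.group("cmd"))
            if "\\" not in exe and "/" not in exe:
                findings.append(("Run entry gives a bare file name, resolved through the search path", line))
        elif m17:
            servers = [s.strip() for s in m17.group("servers").split(",") if s.strip()]
            unknown = [s for s in servers if s not in trusted_dns]
            if unknown:
                findings.append(("NameServer not in the trusted DNS list, confirm with the ISP: "
                                 + ", ".join(unknown), line))
        elif line.startswith("O23 - ") and "Unknown owner" in line:
            findings.append(("service reports no publisher, confirm the file is expected", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

Run as a script it prints five findings for the sample; passing `trusted_dns=frozenset({"76.7.255.188", "65.40.202.102"})` silences the O17 entry once those servers have been confirmed with the ISP. Every check is a prompt to verify, not a verdict: the Dell DSBrokerService line, for instance, is simply a service whose publisher field is empty.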

Once you get SDFix downloaded, go offline and turn off your antivirus and any antispyware that you have, run SDFix from Safe Mode and restart the antivirus before you get back online to post the log.
Download SDFix.exe and save it to your Desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.
1. Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
2. Open the c:\SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any key and it will restart the PC.
3. Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
4. Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt

[b]SDFix: Version 1.240 [/b]
Run by Steven Walker on Mon 12/08/2008 at 10:54 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

[b]Checking Services [/b]:

[b]Name [/b]:
TDSSserv.sys

[b]Path [/b]:
\\?\globalroot\systemroot\system32\drivers\TDSSjwrxoici.sys

TDSSserv.sys - Deleted

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

[b]Checking Files [/b]:
Trojan Files Found:

C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\removalfile.bat - Deleted
C:\WINDOWS\system32\drivers\system32.sys - Deleted
C:\WINDOWS\SYSTEM32\TDSSWV~1.dat - Deleted

Removing Temp Files

[b]ADS Check [/b]:

[b]Final Check [/b]:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-08 11:01:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

[b]Remaining Services [/b]:

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\BitLord2\\BitLord.exe"="C:\\Program Files\\BitLord2\\BitLord.exe:*:Enabled: "
"C:\\Program Files\\BitLord\\BitLord.exe"="C:\\Program Files\\BitLord\\BitLord.exe:*:Enabled:BitLord"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"D:\\setup\\HPZnet01.exe"="D:\\setup\\HPZnet01.exe:*:Enabled:hpznet01.exe"
"D:\\setup\\HPONICIFS01.exe"="D:\\setup\\HPONICIFS01.EXE:*:Enabled:hponicifs01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\MusicBrainz Picard\\picard.exe"="C:\\Program Files\\MusicBrainz Picard\\picard.exe:*:Enabled:The next generation MusicBrainz tagger"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"="C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe:*:Enabled:Adobe Version Cue CS3 Server"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"
"C:\\WINDOWS\\system32\\spoolsv.exe"="C:\\WINDOWS\\system32\\spoolsv.exe:*:Enabled:Spooler SubSystem App"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"="C:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe:*:Enabled:Dell Network Assistant"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\system32\\drivers\\svchost.exe"="C:\\WINDOWS\\system32\\drivers\\svchost.exe:*:Disabled:svchost"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[b]Remaining Files [/b]:

File Backups: - C:\SDFix\backups\backups.zip

[b]Files with Hidden Attributes [/b]:

Mon 12 May 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BITA3.tmp"
Tue 29 Jan 2008 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Tue 25 Dec 2007 8 A..H. --- "C:\Documents and Settings\Steven Walker\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Tue 25 Dec 2007 8 A..H. --- "C:\Documents and Settings\Steven Walker\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Tue 25 Dec 2007 8 A..H. --- "C:\Documents and Settings\Steven Walker\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Tue 25 Dec 2007 8 A..H. --- "C:\Documents and Settings\Steven Walker\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Tue 15 Apr 2008 8 A..H. --- "C:\Documents and Settings\Steven Walker\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u5\lock.tmp"

[b]Finished![/b]

Your Java is out of date and may have been exploited.
Download the latest version of java from this link Java
Click on the JRE 6 Update 11 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.

Please download ComboFix to the desktop from one of the following links:
Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, turn off your Norton antivirus and any other antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.
Remember to re-enable the protection again afterwards before connecting to the Internet.
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.

Thanks again for your help! What are your concerns at this point? What should I do from now on? Thanks! Let me know how far away we are from fixing it if you can, thanks!
ComboFix 08-12-07.04 - Steven Walker 2008-12-08 23:58:38.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.328 [GMT -6:00]
Running from: c:\documents and settings\Steven Walker\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Steven Walker\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\tmp.reg
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PACKET


((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.

2008-12-08 23:50 . 2008-12-08 23:50 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-08 23:50 . 2008-12-08 23:50 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-08 23:37 . 2008-12-08 23:38 <DIR> d-------- c:\documents and settings\Steven Walker\.SunDownloadManager
2008-12-08 15:58 . 2008-12-08 15:58 <DIR> d-------- c:\documents and settings\Steven Walker\Application Data\AVS4YOU
2008-12-08 15:58 . 2008-12-08 15:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\AVS4YOU
2008-12-08 15:57 . 2008-12-08 15:58 <DIR> d-------- c:\program files\Common Files\AVSMedia
2008-12-08 15:57 . 2008-12-08 15:58 <DIR> d-------- c:\program files\AVS4YOU
2008-12-08 15:57 . 2007-02-27 18:36 24,576 --a------ c:\windows\system32\msxml3a.dll
2008-12-08 13:05 . 2008-12-08 13:05 <DIR> d-------- c:\program files\Xilisoft
2008-12-08 13:05 . 2008-12-08 13:05 <DIR> d-------- c:\documents and settings\Steven Walker\Application Data\Xilisoft Corporation
2008-12-08 12:58 . 2008-12-08 12:58 <DIR> d-------- c:\program files\Easiestutils
2008-12-08 10:52 . 2008-12-08 10:52 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2008-12-08 10:47 . 2008-12-08 10:48 <DIR> d-------- c:\windows\ERUNT
2008-12-08 10:43 . 2008-12-08 11:05 <DIR> d-------- C:\SDFix
2008-12-07 23:40 . 2008-12-07 23:40 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-07 23:40 . 2008-12-07 23:40 <DIR> d-------- c:\documents and settings\Steven Walker\Application Data\Malwarebytes
2008-12-07 23:40 . 2008-12-07 23:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-07 23:40 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-07 23:40 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-07 20:40 . 2008-12-07 20:40 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2008-12-07 20:27 . 2008-12-07 20:27 0 --a------ c:\windows\vpc32.INI
2008-12-07 16:06 . 2008-12-07 16:06 <DIR> d-------- c:\program files\Trend Micro
2008-12-07 15:42 . 2008-12-07 15:42 653 --a------ c:\windows\{0240BDFB-2995-4A3F-8C96-18D41282B716}_WiseFW.ini
2008-12-07 12:40 . 2008-12-07 12:40 110,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-07 12:40 . 2008-12-07 12:40 48,768 --a------ c:\windows\system32\S32EVNT1.DLL
2008-12-07 12:40 . 2008-12-07 12:40 8,014 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-07 12:40 . 2008-12-07 12:40 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-12-07 12:39 . 2008-12-09 00:02 <DIR> d-------- c:\program files\Symantec AntiVirus
2008-12-07 12:39 . 2008-12-07 12:40 <DIR> d-------- c:\program files\Symantec
2008-12-07 12:39 . 2008-12-07 12:41 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2008-12-07 12:39 . 2008-12-07 12:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2008-11-12 08:25 . 2008-10-24 05:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 08:24 . 2008-09-04 11:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-10 12:23 . 2008-11-10 12:23 243,840 --a------ c:\windows\system32\ZuneWlanCfgSvc.exe
2008-11-10 12:23 . 2008-11-10 12:23 60,032 --a------ c:\windows\system32\ZuneBusEnum.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 05:50 --------- d-----w c:\program files\Java
2008-12-07 21:45 --------- d-----w c:\program files\NCH Swift Sound
2008-12-07 21:45 --------- d-----w c:\program files\NCH Software
2008-12-07 21:39 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-07 18:37 --------- d-----w c:\program files\Bonjour
2008-12-07 18:36 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-04 22:00 --------- d-----w c:\documents and settings\Steven Walker\Application Data\uTorrent
2008-11-21 20:18 --------- d-----w c:\program files\Zune
2008-10-24 14:02 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-14 19:23 --------- d-----w c:\documents and settings\Steven Walker\Application Data\Apple Computer
2008-10-14 19:06 --------- d-----w c:\program files\iTunes
2008-10-14 19:06 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-14 19:05 --------- d-----w c:\program files\iPod
2008-10-14 19:05 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-14 19:04 --------- d-----w c:\program files\QuickTime
2008-10-14 19:01 --------- d-----w c:\program files\Apple Software Update
2008-10-14 18:59 --------- d-----w c:\program files\Common Files\Apple
2007-12-25 05:35 6,026,816 ----a-w c:\program files\Firefox Setup 2.0.0.11.exe
2007-12-25 05:18 35,344,304 ----a-w c:\program files\zunesetuppkg-x86.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-24 68856]
"Google Update"="c:\documents and settings\Steven Walker\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 851968]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-11 185896]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"Adobe_ID0EYTHM"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.exe" [2007-03-20 1884160]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2007-07-20 1228800]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-14 125632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-08 136600]
"SigmatelSysTrayApp"="stsystra.exe" [2007-04-23 c:\windows\stsystra.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 73728]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
R0 atiide;atiide;c:\windows\system32\DRIVERS\atiide.sys [2007-11-24 3456]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-12-26 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-07 99376]
S3 EraserUtilDrv10710;EraserUtilDrv10710;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10710.sys []
S3 EraserUtilDrvI7;EraserUtilDrvI7;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys []
S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2007-03-14 116416]
.
Contents of the 'Scheduled Tasks' folder
2008-12-09 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Steven Walker\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 17:34]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Aim6 - (no file)
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4071124
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download with Xilisoft YouTube Video Converter - c:\program files\Xilisoft\YouTube Video Converter\upod_link.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: {1244B13B-D5FB-4DC3-B996-7839F9CD9DED} = 76.7.255.188,65.40.202.102
c:\windows\system32\gtdownde_110.ocx - O16 -: {E856B973-45FD-4559-8F82-EAB539144667}
hxxp://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
c:\windows\Downloaded Program Files\gtdownde_110.inf
FireFox -: Profile - c:\documents and settings\Steven Walker\Application Data\Mozilla\Firefox\Profiles\tcztbvkk.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig
FF -: plugin - c:\documents and settings\Steven Walker\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-09 00:02:33
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\docume~1\STEVEN~1\LOCALS~1\Temp\STS6.tmp 81 bytes
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(800)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\windows\system32\WLTRYSVC.exe
c:\windows\system32\BCMWLTRY.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\Zune\ZuneNss.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-12-09 0:09:07 - machine was rebooted [Steven Walker]
ComboFix-quarantined-files.txt 2008-12-09 06:09:03
Pre-Run: 96,496,168,960 bytes free
Post-Run: 96,470,847,488 bytes free
240 --- E O F --- 2008-12-08 02:40:51

Sorry for the delay.
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Please run ESET's online scanner from this link:
1. Note: You will need to use Internet Explorer for this scan
2. Tick the box next to YES, I accept the Terms of Use.
3. Click Start
4. When asked, allow the ActiveX control to install
5. Click Start
6. Make sure that the option Remove found threats is unticked ( I want to see what is found first), and the option Scan unwanted applications is checked
7. Click Scan
8. Wait for the scan to finish
9. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
10. Copy and paste that log in your next reply.

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3685 (20081212)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=79471882be6d8c40bf0dde22ed93bb9f
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-12-12 08:17:52
# local_time=2008-12-12 02:17:52 (-0600, Central Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=438038
# found=5
# scan_time=4832
C:\SDFix\backups\backups.zip Win32/Adware.Virtumonde application 7F64CC42EBEE77E89A388D91A11440EA
C:\SDFix\backups\backups.zip »ZIP »backups/removalfile.bat Win32/Adware.Virtumonde application 00000000000000000000000000000000
G:\Ipod\The Offspring - Rise and Fall Rage and Grace (2008)\08 - Offspring - Nothingtown.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 333FAE1410F84D6BB4E470DC01F5052F
G:\Torrents\Rihanna - Good Girl Gone Bad Reloaded (2008)\08-rihanna-sell_me_candy.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 066B065940E2E74C387E1ABC8A062BC3
G:\Torrents\The Offspring - Rise and Fall Rage and Grace (2008)\08 - Offspring - Nothingtown.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 333FAE1410F84D6BB4E470DC01F5052F
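Reading an ESET Online Scanner log like the one above by machine: an added Python example (not part of the thread and not ESET's own tooling) that parses the `# key=value` header and the detection lines, separates hits inside a removal tool's backup folder from hits on live files, and checks that the `# found=` count agrees with the lines actually listed. The SDFix backup prefix is an assumption taken from this log; the embedded sample reproduces three of the detection lines above with a matching `# found` header.

```python
import re
from dataclasses import dataclass
# Detection lines read "<path> <threat> <object type> <MD5>". Paths may contain
# spaces, so the threat is anchored on its "<family>/<name>" token ("a variant
# of" / "probably" prefixes included) and the MD5 on the end of the line.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) (?P<threat>(?:probably )?(?:a variant of )?\w+/\S+) "
    r"(?P<kind>[A-Za-z ]+?) (?P<md5>[0-9A-Fa-f]{32})$")
# Assumption: the SDFix removal tool's backup folder holds old quarantined
# copies, not live files; hits there call for deleting that folder, nothing more.
QUARANTINE_PREFIXES = ("c:\\sdfix\\backups\\",)

@dataclass(frozen=True)
class Detection:
    path: str
    threat: str
    kind: str
    md5: str
    def in_archive(self) -> bool:  # ESET writes "x.zip »ZIP »inner" for archive members
        return "»" in self.path
    def quarantined_copy(self) -> bool:
        return self.path.lower().startswith(QUARANTINE_PREFIXES)

def parse_eset_log(text: str):
    """Return ({header key: value}, [Detection]); raise on a line it cannot read."""
    headers, detections = {}, []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("#"):
            key, _, value = line[1:].partition("=")
            headers[key.strip()] = value.strip()
        elif m := DETECTION_RE.match(line):
            detections.append(Detection(**m.groupdict()))
        else:
            raise ValueError(f"unparsed line: {line!r}")
    return headers, detections

def triage(text: str):
    """Split live detections from quarantined copies; check '# found=' vs lines listed."""
    headers, dets = parse_eset_log(text)
    live = [d for d in dets if not d.quarantined_copy()]
    quarantined = [d for d in dets if d.quarantined_copy()]
    return live, quarantined, headers.get("found") == str(len(dets))

# Constructed sample: a '# found' header plus three detection lines from the log above.
SAMPLE_LOG = """\
# remove_checked=false
# found=3
C:\\SDFix\\backups\\backups.zip Win32/Adware.Virtumonde application 7F64CC42EBEE77E89A388D91A11440EA
C:\\SDFix\\backups\\backups.zip »ZIP »backups/removalfile.bat Win32/Adware.Virtumonde application 00000000000000000000000000000000
G:\\Torrents\\Rihanna - Good Girl Gone Bad Reloaded (2008)\\08-rihanna-sell_me_candy.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 066B065940E2E74C387E1ABC8A062BC3
"""
```

Running `triage(SAMPLE_LOG)` leaves one live detection (the mp3) and two quarantined copies, which is the same split the helper makes below.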

Delete these unless you know what they are.
G:\Ipod\The Offspring - Rise and Fall Rage and Grace (2008)\08 - Offspring - Nothingtown.mp3
G:\Torrents\Rihanna - Good Girl Gone Bad Reloaded (2008)\08-rihanna-sell_me_candy.mp3
G:\Torrents\The Offspring - Rise and Fall Rage and Grace (2008)\08 - Offspring - Nothingtown.mp3
Your computer appears to be clean other than the above exceptions.
Navigate to and delete this folder:
C:\SDFix
Empty the recycle bin.
Go to start> run> combofix /u (note the space after combofix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.
Go to start> control panel> add/remove programs and uninstall these programs:
Hijack This
Malwarebytes
Eset
You should keep ATF Cleaner and run it weekly.
You should consider adding "Spywareblaster" to your arsenal of antispyware tools; you can download it from this link: Spywareblaster. Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.
How is the computer operating?

Thank you so much for all of your help! The computer is running ok, but it is a bit slow, so I will be upgrading my Vostro to 1 gig of RAM from 512; this should help things. Would you suggest me not using torrents anymore? This seems to be a big part of the problem... Thanks again

Hey, this stuff hasn't stopped; now I'm getting Firefox opening up randomly with advertisements. What can I do... Thanks
