Author Topic: \Win 32: Alureon-Da[Rtk] Rootkit!  (Read 26732 times)

Offline Jobber

  • Jr. Member
  • **
  • Posts: 88
Re: \Win 32: Alureon-Da[Rtk] Rootkit!
« Reply #15 on: October 07, 2009, 03:40:26 PM »
Sorry, can't seem to delete this post.
« Last Edit: October 08, 2009, 06:26:20 PM by Jobber »

Offline Jobber

  • Jr. Member
  • **
  • Posts: 88
Re: \Win 32: Alureon-Da[Rtk] Rootkit!
« Reply #16 on: October 08, 2009, 06:25:50 PM »
I actually had downloaded RootRepeal twice in two separate folders.

I deleted one, and downloaded the new version at the link you provided, but forgot to reboot the system when I deleted the original. Realizing this, I think I then rebooted.

Then I deleted and rebooted for the other; then I deleted and rebooted the new version from the link; then I downloaded RootRepeal again.

Unfortunately, the same thing is happening and I am still getting the exact same message and RootRepeal doesn't seem to want to work and the exact same thing is happening:

Quote
OK, I click on the magnifying glass icon, and then a dialog box appears.

One says:

"Could not read the boot sector. Try adjusting the Disk Access Level in the Options dialog" with an option in same said dialog box that says "OK".

At the same time, there is another box which says "Initializing please wait."

Well, nothing really happens unless I try to close the dialog box with the message about the Disk Access Level.

This takes several attempts to close, and the dialog box does not close immediately if I either press "OK" or try to close the box with the computer Mouse.

However, if I try and close it several times with the Mouse, the dialog and initializing boxes soon disappear.

Then, the RootRepeal Screen appears.

I then go to Settings tab > Options; I have tried adjusting and running RootRepeal on the Low, Mid, and High Level Disk Access Levels.

Then I go to the Reports tab, and follow the instructions given in the above post.

Then, after following your instructions, the same thing happens each time.

A message in the RootRepeal box appears which says "Initializing, please wait . . . . " and I can see in the lower left hand corner the word "Scanning . . . ".

But nothing happens.

In fact, the computer screen freezes up.

I don't know why RootRepeal doesn't work; I have also tried running RootRepeal in Safety Mode, and the exact same thing happens.

Is perhaps Avast! 4.8 not allowing it to run?? Does Avast! 4.8 run a firewall that blocks programs like RootRepeal from working???

The RootRepeal program seems like a very basic type of computer program.

Should I have RootRepeal's Disk Access Level set at a certain level??

I always get the "Could not read boot sector etc." dialog box whenever I double click on the RootRepeal icon and try to get it started.

I have Windows Home Edition XP.

The only anti-virus programs I currently have are Avast! 4.8, SuperAnti-Spyware Free Edition, and Malwarebytes' Anti-Malware.


Besides RootRepeal, are there any other anti-rootkit programs I could try running???

How bad is having this Rootkit on one's computer??

Should I no longer work on this computer?? I have been still using the computer but not a lot.

It seems to run fine, and there isn't a whole lot of spyware websites popping up.

But obviously I want to get rid of the rootkit.

Also, this is the message I now receive from Avast! 4.8 when I click on the Avast! blue ball icon on my computer's Start Screen.

It is slightly different from the message a few days ago in the OP:

Malware Was Found

File Name: c:\windows\temp\gaskyuwapntsetf.tmp

Malware Name: Win32: Alureon-DA[Rtk}

Malware Type: Rootkit

VPS Version: 091006-0, 10/06/2009

I cannot move the Rootkit to chest.

When I close Avast!, an Avast! box appears with this message:

"avast! has detected a virus in the operating memory. Since it is very dangerous to work with the computer while the virus is active", Avast! recommends a BootScan.

I have run the BootScan before, and that doesn't detect the Rootkit and takes a lot of time, so I didn't run the BootScan again.

Offline mathboyx215

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 449
Re: \Win 32: Alureon-Da[Rtk] Rootkit!
« Reply #17 on: October 08, 2009, 10:16:46 PM »
Download combofix from Here or Here and save it to your DESKTOP

Disable any antivirus and anti-spyware applications before running combofix.
Double click on combofix.exe and if combofix asks you to install the Microsoft Windows Recovery Console, click on "yes"

After the recovery console is installed, you should see the following message

Click on yes to continue scanning for malware.

The scan will take at least 20 to 30 minutes to complete. Please don't touch your keyboard or click on the combofix window while it is scanning. Doing so might cause it to stall.
After the scan is finished, please post the log file. It should be in C:\ComboFix.txt

It is not possible to divide anything by zero

Offline Jobber

  • Jr. Member
  • **
  • Posts: 88
Re: \Win 32: Alureon-Da[Rtk] Rootkit!
« Reply #18 on: October 09, 2009, 12:01:25 AM »
How do I disable Avast! 4.8 scanner????

I thought Avast! 4.8 always runs and cannot be disabled.

Do I have to uninstall Avast! 4.8 in order to run ComboFix???

I looked at the Avast! Help section (FAQ, etc.); I found no answers.


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: \Win 32: Alureon-Da[Rtk] Rootkit!
« Reply #19 on: October 09, 2009, 12:27:55 AM »
Quote
How do I disable Avast! 4.8 scanner????
Right click the 'a' blue icon and choose the last option to stop the resident protection.

Quote
Do I have to uninstall Avast! 4.8 in order to run ComboFix???
No.
The best things in life are free.

Offline Jobber

  • Jr. Member
  • **
  • Posts: 88
Re: \Win 32: Alureon-Da[Rtk] Rootkit!
« Reply #20 on: October 09, 2009, 02:35:59 AM »
Here is the Log File from my ComboFix scan.

Do you think ComboFix neutralized the Rootkit on my computer??

Here's the Log File; I had to make it in installments because of the character limit per post here:

ComboFix 09-10-07.05 - user 10/08/2009 16:50.1.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2046.1577 [GMT -7:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1351 [VPS 091008-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\user\LOCALS~1\Temp\install_flash_player.exe
c:\program files\Mozilla Firefox\extensions\{C87CD666-1AF9-4916-B8AA-4F708F10A75B}
c:\program files\Mozilla Firefox\extensions\{C87CD666-1AF9-4916-B8AA-4F708F10A75B}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{C87CD666-1AF9-4916-B8AA-4F708F10A75B}\chrome\content\overlay.xul
c:\program files\Mozilla Firefox\extensions\{C87CD666-1AF9-4916-B8AA-4F708F10A75B}\install.rdf
c:\windows\010112010146118114.dat
c:\windows\0101120101464849.dat
c:\windows\934fdfg34fgjf23
c:\windows\b4657.dat
c:\windows\bf23567.dat
c:\windows\f23567.dat
c:\windows\msmark2.dat
c:\windows\run.log
c:\windows\sonce122361.dat
c:\windows\sonce122366.dat
c:\windows\sonce122390.dat
c:\windows\sonce123193.dat
c:\windows\sonce123198.dat
c:\windows\sonce123222.dat
c:\windows\system32\AutoRun.inf
c:\windows\system32\drivers\gasfkyowylftpu.sys
c:\windows\system32\drivers\senekayxtuiqtk.sys
c:\windows\system32\gasfkyalktqfvk.dll
c:\windows\system32\gasfkyalxjdumb.dll
c:\windows\system32\gasfkydqgrqtqs.dat
c:\windows\system32\gasfkydtpbavrb.dat
c:\windows\system32\gasfkyyebeespr.dll
c:\windows\system32\ozinunen.ini
c:\windows\system32\senekalyruevnj.dat
c:\windows\system32\senekanjudpydg.dat
c:\windows\system32\senekapjjjcrnd.dll
c:\windows\system32\senekapspnsboe.dll
c:\windows\system32\senekatenkrgkv.dll
c:\windows\wiaserviv.log
c:\windows\zaponce53173.dat
c:\windows\zaponce53193.dat
c:\windows\zaponce53198.dat
c:\windows\zaponce53222.dat
c:\windows\zaponce53290.dat

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe


« Last Edit: October 09, 2009, 02:41:00 AM by Jobber »

Offline Jobber

  • Jr. Member
  • **
  • Posts: 88
Re: \Win 32: Alureon-Da[Rtk] Rootkit!
« Reply #21 on: October 09, 2009, 02:36:49 AM »
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gasfkyxyemviqm
-------\Legacy_gasfkyxyemviqm
-------\Service_seneka
-------\Legacy_seneka
-------\Legacy_SFX
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


(((((((((((((((((((((((((   Files Created from 2009-09-09 to 2009-10-09  )))))))))))))))))))))))))))))))
.

2009-10-09 00:05 . 2008-04-14 00:12   50176   -c--a-w-   c:\windows\system32\dllcache\proquota.exe
2009-10-09 00:05 . 2008-04-14 00:12   50176   ----a-w-   c:\windows\system32\proquota.exe
2009-10-03 12:48 . 2009-10-01 17:29   195440   ------w-   c:\windows\system32\MpSigStub.exe
2009-10-02 04:08 . 2009-10-02 04:08   203776   ----a-w-   c:\windows\system32\clrviddc.dll
2009-09-30 21:10 . 2009-09-30 21:12   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2009-09-29 20:26 . 2009-09-29 20:26   --------   d-sh--w-   c:\windows\system32\config\systemprofile\IETldCache
2009-09-29 19:49 . 2009-09-29 19:49   --------   d-sh--w-   c:\documents and settings\LocalService\IETldCache
2009-09-26 21:51 . 2009-09-26 21:51   --------   d-----w-   c:\program files\JRE
2009-09-24 13:49 . 2009-09-24 13:49   --------   d-----w-   C:\My Music
2009-09-24 13:47 . 2009-09-24 13:47   --------   d-----w-   c:\program files\Common Files\xing shared
2009-09-24 02:16 . 2009-09-24 02:16   --------   d-----w-   c:\documents and settings\user\Application Data\HpUpdate
2009-09-24 02:16 . 2009-09-24 02:16   --------   d-----w-   c:\windows\Hewlett-Packard
2009-09-21 18:50 . 2009-09-21 18:50   --------   d-----w-   c:\program files\iPod
2009-09-21 18:50 . 2009-09-21 18:51   --------   d-----w-   c:\program files\iTunes
2009-09-21 18:50 . 2009-09-21 18:51   --------   d-----w-   c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-21 18:47 . 2009-09-21 18:48   --------   d-----w-   c:\program files\QuickTime
2009-09-09 15:57 . 2009-06-21 21:44   153088   -c----w-   c:\windows\system32\dllcache\triedit.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-09 00:11 . 2008-05-15 00:44   --------   d-----w-   c:\program files\Steam
2009-10-08 23:46 . 2008-08-04 16:04   --------   d-----w-   c:\documents and settings\user\Application Data\DNA
2009-10-08 22:03 . 2008-08-04 16:04   --------   d-----w-   c:\program files\DNA
2009-10-07 20:35 . 2008-05-16 19:01   139152   ----a-w-   c:\windows\system32\drivers\PnkBstrK.sys
2009-10-07 20:35 . 2008-05-16 19:01   111928   ----a-w-   c:\windows\system32\PnkBstrB.exe
2009-10-01 03:10 . 2008-12-02 03:19   0   ----a-w-   c:\windows\system32\drivers\lvuvc.hs
2009-10-01 03:10 . 2008-12-02 03:19   0   ----a-w-   c:\windows\system32\drivers\logiflt.iad
2009-09-30 16:25 . 2008-11-24 01:19   32560   ----a-w-   c:\documents and settings\Oz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-28 15:25 . 2008-08-04 16:04   --------   d-----w-   c:\documents and settings\user\Application Data\BitTorrent
2009-09-26 21:56 . 2008-04-14 16:34   32560   ----a-w-   c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-26 21:51 . 2009-02-02 01:51   --------   d-----w-   c:\program files\OpenOffice.org 3
2009-09-24 13:47 . 2008-05-13 16:54   --------   d-----w-   c:\program files\Common Files\Real
2009-09-21 18:50 . 2008-06-30 19:36   --------   d-----w-   c:\program files\Common Files\Apple
2009-09-18 13:18 . 2009-06-12 21:43   --------   d-----w-   c:\program files\SUPERAntiSpyware
2009-09-17 05:13 . 2008-11-07 03:43   --------   d-----w-   c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-09-06 06:28 . 2008-05-16 00:18   --------   d-----w-   c:\program files\GameSpy Arcade
2009-08-31 03:39 . 2008-12-02 03:17   --------   d-----w-   c:\program files\Common Files\LogiShrd
2009-08-31 03:38 . 2009-08-31 03:38   --------   d-----w-   c:\program files\Logitech
2009-08-27 05:08 . 2008-11-07 03:38   --------   d-----w-   c:\documents and settings\All Users\Application Data\Yahoo!
2009-08-27 05:08 . 2008-11-07 03:38   --------   d-----w-   c:\program files\Yahoo!
2009-08-17 16:10 . 2009-01-09 20:10   1279456   ----a-w-   c:\windows\system32\aswBoot.exe
2009-08-17 16:06 . 2009-01-09 20:10   93392   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2009-08-17 16:06 . 2009-01-09 20:10   94160   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2009-08-17 16:05 . 2009-01-09 20:10   114768   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2009-08-17 16:05 . 2009-01-09 20:10   20560   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2009-08-17 16:04 . 2009-01-09 20:10   51376   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2009-08-17 16:04 . 2009-01-09 20:10   23152   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2009-08-17 16:03 . 2009-01-09 20:10   26944   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2009-08-17 16:02 . 2009-01-09 20:10   97480   ----a-w-   c:\windows\system32\AvastSS.scr
2009-08-05 09:01 . 2004-10-08 12:01   204800   ----a-w-   c:\windows\system32\mswebdvd.dll
2009-07-25 12:23 . 2009-01-14 03:00   411368   ----a-w-   c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-10-08 12:01   58880   ----a-w-   c:\windows\system32\atl.dll
2009-07-15 03:03 . 2009-05-16 13:56   32560   ----a-w-   c:\documents and settings\Dan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-14 06:43 . 2004-10-08 12:01   286208   ----a-w-   c:\windows\system32\wmpdxm.dll
2009-05-01 21:02 . 2009-05-01 21:02   1044480   ----a-w-   c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02   200704   ----a-w-   c:\program files\mozilla firefox\plugins\ssldivx.dll
.

Offline Jobber

  • Jr. Member
  • **
  • Posts: 88
Re: \Win 32: Alureon-Da[Rtk] Rootkit!
« Reply #22 on: October 09, 2009, 02:37:44 AM »
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative MediaSource Go"="c:\program files\Creative\MediaSource5\Go\CTCMSGoU.exe" [2006-11-09 204800]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-20 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"CTRegRun"="c:\windows\CTRegRun.EXE" [2006-10-06 53248]
"Steam"="c:\program files\Steam\Steam.exe" [2009-06-10 1217784]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2008-08-01 1103216]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-19 342848]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-18 1998576]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"JMB36X Configure"="c:\windows\system32\JMRaidSetup.exe" [2006-10-30 1953792]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2007-03-01 180224]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"LiveUpdate"="c:\program files\Byteswarm\LiveUpdate\LiveUpdate.exe" [2004-08-28 2150400]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-24 198160]
"P17Helper"="SPIRun.dll" - c:\windows\system32\SPIRun.dll [2006-07-03 10752]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-09-18 1657376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-05 00:01   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Atari\\ArmA\\arma.exe"=
"c:\\Program Files\\Atari\\ArmA\\arma_server.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Steam\\steamapps\\hamishcsar\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\hamishcsar\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\hamishcsar\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\red orchestra\\System\\ROEd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Alwil Software\\Avast4\\ashDisp.exe"=
"c:\\Program Files\\Ubisoft\\World in Conflict\\wic.exe"=
"c:\\Program Files\\Ubisoft\\World in Conflict\\wic_online.exe"=
"c:\\Program Files\\Ubisoft\\World in Conflict\\wic_ds.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\unreal tournament 3\\Binaries\\UT3.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\red orchestra\\System\\RedOrchestra.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [1/9/2009 1:10 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/9/2009 1:10 PM 20560]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S2 gupdate1c9f4112b37543c;Google Update Service (gupdate1c9f4112b37543c);c:\program files\Google\Update\GoogleUpdate.exe [6/23/2009 7:44 AM 133104]

Offline Jobber

  • Jr. Member
  • **
  • Posts: 88
Re: \Win 32: Alureon-Da[Rtk] Rootkit!
« Reply #23 on: October 09, 2009, 02:38:46 AM »
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-10-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-23 14:44]

2009-10-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-23 14:44]

2009-10-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/news/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - hxxp://www.cooliris.com/shared/plinstll.cab
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\lzpy8qfi.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/news/
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

Notify-hgGxVLDw - hgGxVLDw.dll
AddRemove-Bf1918 3.0 - c:\programme\EA GAMES\Battlefield 1942\Mods\bf1918\Uninstal.exe
AddRemove-EoD 0.80 Full Client - c:\program files\EA GAMES\Battlefield 1942\uninstall_EoD.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-08 17:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  P17Helper = Rundll32 SPIRun.dll,RunDLLEntry?

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.

Offline Jobber

  • Jr. Member
  • **
  • Posts: 88
Re: \Win 32: Alureon-Da[Rtk] Rootkit!
« Reply #24 on: October 09, 2009, 02:39:28 AM »
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(964)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-10-09 17:18 - machine was rebooted
ComboFix-quarantined-files.txt  2009-10-09 00:18

Pre-Run: 318,432,026,624 bytes free
Post-Run: 321,413,472,256 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

335   --- E O F ---   2009-10-05 17:09

Offline mathboyx215

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 449
Re: \Win 32: Alureon-Da[Rtk] Rootkit!
« Reply #25 on: October 09, 2009, 02:56:31 AM »
Open Malwarebytes and go to the "update" tab and click on check for updates.
After it has finished updating, do a quick scan with Malwarebytes.
After the scan is complete, remove everything that Malwarebytes found.
Then post back a log.

Offline Jobber

  • Jr. Member
  • **
  • Posts: 88
Re: \Win 32: Alureon-Da[Rtk] Rootkit!
« Reply #26 on: October 09, 2009, 05:37:13 PM »
I updated Malwarebytes.

I normally like to run Malwarebytes in Safety Mode because it picks up more of the computer bugs in Safe Mode.

I usually choose getting to Safety Mode by using Run > MSCONFIG > OK > BOOT.INI, and then choosing SAFEBOOT.

I find it a lot easier than tapping the F8 button during Windows Start Up.

However, I now notice there is some sort of strange message that appears after I click on BOOT.INI.

The last word in the final line is "optin /fastdetect".

How do I clear this strange message (I have no idea what it means)??

It seems to have "clogged" going to the Options, and is preventing me from choosing the Boot Option of SAFEBOOT.
« Last Edit: October 09, 2009, 05:44:26 PM by Jobber »

Offline mathboyx215

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 449
Re: \Win 32: Alureon-Da[Rtk] Rootkit!
« Reply #27 on: October 09, 2009, 09:29:11 PM »
There is no need to run Malwarebytes in safe mode. According to their developers, Malwarebytes seems to work better in normal mode than safe mode.

The optin /fastdetect thing has something to do with DEP (Data Execution Prevention).
You can read more about it here:
http://technet.microsoft.com/en-us/sysinternals/bb963892.aspx

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: \Win 32: Alureon-Da[Rtk] Rootkit!
« Reply #28 on: October 09, 2009, 09:33:04 PM »
Quote
I normally like to run Malwarebytes in Safety Mode because it picks up more of the computer bugs in Safe Mode.

I usually choose getting to Safety Mode by using Run > MSCONFIG > OK > BOOT.INI, and then choosing SAFEBOOT.
This is exceedingly dangerous: if the malware disables your safe mode (and a lot do) you will end up in a loop, unable to log in. Then, if you do not have the recovery console installed, it is time to do a repair install.

Offline Jobber

  • Jr. Member
  • **
  • Posts: 88
Re: \Win 32: Alureon-Da[Rtk] Rootkit!
« Reply #29 on: October 10, 2009, 01:28:27 AM »
OK, I ran Malwarebytes in standard mode.

Here is the Log File.

I removed the 6 items:

Malwarebytes' Anti-Malware 1.41
Database version: 2927
Windows 5.1.2600 Service Pack 3

10/9/2009 4:05:29 PM
mbam-log-2009-10-09 (16-05-00).txt

Scan type: Quick Scan
Objects scanned: 125376
Time elapsed: 11 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\tftp.nfo (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\All Users\Documents\gifnoc.xtx (Trojan.Agent) -> No action taken.
C:\WINDOWS\bf5087.dat (Malware.Trace) -> No action taken.
C:\WINDOWS\dk39fi4fe.dat (Worm.KoobFace) -> No action taken.
C:\WINDOWS\f5087.dat (Worm.KoobFace) -> No action taken.


Additionally, this sixth item which I removed appeared in the list of things to remove, but is not in the Log File:

Vendor                  Category
Disabled. Security...   Registry Data    HKEY_LOCAL_MACHINE\SOFTWARE\Micro...Bad{1) Good:{0}

So, do you think I got rid of most of the bad stuff??
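As an added example (not code from the thread or from Malwarebytes), here is a small parser for the 1.x text log format posted above; it cross-checks each declared count against the itemised entries and lists detections whose recorded action is not a quarantine or deletion, which is the check a helper would run on the log in this post. The regular expressions are assumptions derived from that log, and the embedded sample is a constructed, trimmed copy of it.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and sanity-check it.
Added example for this thread (not Malwarebytes' own code); the layout
rules below are assumptions inferred from the log posted above."""
import re

# Constructed sample: a trimmed copy of the MBAM 1.41 log in the thread. Two
# "Files Infected" entries were dropped and one action changed to a quarantine
# so that both checks below have something to report.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 2927
Windows 5.1.2600 Service Pack 3
Scan type: Quick Scan

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
Files Infected:
C:\WINDOWS\system32\tftp.nfo (Trojan.Downloader) -> No action taken.
C:\WINDOWS\bf5087.dat (Malware.Trace) -> No action taken.
C:\WINDOWS\dk39fi4fe.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
"""

# "<category> Infected: <n>" lines form the summary block; the same label
# with no count opens the itemised section for that category.
SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# "<path> (<detection>) [-> Bad: (x) Good: (y)] -> <action>."
ITEM_RE = re.compile(
    r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
    r"(?P<action>.+?)\.?$"
)
# Action wording that means MBAM actually dealt with the item (assumed).
REMOVED_WORDS = ("quarantined", "deleted")


def parse_mbam_log(text):
    """Return (header, summary, findings): header is the "key: value" lines
    above the summary, summary maps category -> declared count, findings maps
    category -> list of item dicts (path, detection, bad, good, action)."""
    header, summary, findings = {}, {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            findings.setdefault(current, [])
            continue
        if current is not None:
            m = ITEM_RE.match(line)
            if m:  # "(No malicious items detected)" simply does not match
                findings[current].append(m.groupdict())
        elif ": " in line:
            key, value = line.split(": ", 1)
            header[key] = value
    return header, summary, findings


def check_log(summary, findings):
    """Return (mismatches, not_removed): categories whose declared count
    differs from the itemised entries, and items whose recorded action is
    not a quarantine or deletion (the log as posted says "No action taken")."""
    mismatches = [
        (cat, declared, len(findings.get(cat, [])))
        for cat, declared in summary.items()
        if len(findings.get(cat, [])) != declared
    ]
    not_removed = [
        (cat, item["path"], item["detection"], item["action"])
        for cat, items in findings.items()
        for item in items
        if not any(w in item["action"].lower() for w in REMOVED_WORDS)
    ]
    return mismatches, not_removed
```

Run against the log exactly as posted, every one of the six entries ends in "No action taken", so the second list would contain all of them.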