Viruses, Spyware and...

Viruses, Spyware and other Nasties RSS

2 trojans reappear

•

Join Date: Jul 2004

Posts: 95

Reputation: geoss is an unknown quantity at this point

Solved Threads: 1

geoss

Offline

Junior Poster in Training

Re: 2 trojans reappear

#11

Dec 4th, 2008

Hi,
when combo fix was running a memo came up that I did not have "Windows recovery Console" on my machine-do i want to download..........I said "No".....and the scan continued.
Here is the F-scan and the combo fix.......thanks

12/04/08 11:05:00 [Info]: BlackLight Engine 2.2.1092 initialized
12/04/08 11:05:00 [Info]: OS: 5.1 build 2600 (Service Pack 3)
12/04/08 11:05:00 [Note]: 7019 4
12/04/08 11:05:00 [Note]: 7005 0
12/04/08 11:05:05 [Note]: 7006 0
12/04/08 11:05:05 [Note]: 7011 1568
12/04/08 11:05:06 [Note]: 7035 0
12/04/08 11:05:06 [Note]: 7026 0
12/04/08 11:05:06 [Note]: 7026 0
12/04/08 11:05:08 [Note]: FSRAW library version 1.7.1024
12/04/08 12:49:31 [Note]: 7007 0

ComboFix 08-12-03.04 - George 2008-12-04 12:57:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.522 [GMT -5:00]
Running from: c:\documents and settings\George.GEORGE-6JXTPIR4\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\tn3
c:\temp\vtmp2
c:\temp\vtmp2\ktnv33.log
c:\windows\system32\amrdinav.ini
c:\windows\system32\grouppolicy\machine\scripts\scripts.ini
c:\windows\Tasks\djbmupyn.job

----- BITS: Possible infected sites -----

hxxp://auf-jeder.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS

((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 )))))))))))))))))))))))))))))))
.

2008-12-04 09:48 . 2008-12-04 09:48 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-12-04 09:48 . 2008-12-04 09:48 <DIR> d-------- c:\program files\Adobe Media Player
2008-12-03 18:40 . 2008-07-14 05:09 212,728 --a------ c:\windows\CMDLIC.DLL
2008-12-03 18:40 . 2008-07-14 05:09 205,560 --a------ c:\windows\UNBOC.EXE
2008-12-03 18:40 . 2008-04-13 19:12 22,528 --a------ c:\windows\system32\wsock32.dlb
2008-12-03 18:39 . 2008-12-03 21:14 <DIR> d-------- c:\program files\Comodo
2008-12-03 06:14 . 2008-12-03 06:21 <DIR> d-------- c:\program files\SpeedBit Video Accelerator
2008-12-03 06:14 . 2008-12-03 06:14 172,032 --a------ c:\windows\system32\AniGIF.ocx
2008-12-02 20:13 . 2008-12-02 20:13 <DIR> d-------- c:\program files\Windows Defender
2008-11-30 18:12 . 2008-11-30 18:12 <DIR> d-------- c:\windows\system32\unknown
2008-11-28 06:58 . 2008-04-13 19:12 26,112 --a------ c:\windows\system32\stu2.exe
2008-11-26 20:09 . 2008-11-26 20:09 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-11-26 20:07 . 2008-11-26 20:50 <DIR> d-------- c:\program files\Sony Ericsson
2008-11-22 13:21 . 2008-09-12 11:12 69,168 --a------ c:\windows\system32\drivers\sbapifs.sys
2008-11-22 13:21 . 2008-09-12 11:12 13,360 --a------ c:\windows\system32\drivers\sbaphd.sys
2008-11-22 13:14 . 2008-11-22 13:14 <DIR> d-------- c:\documents and settings\George.GEORGE-6JXTPIR4\Application Data\Sunbelt
2008-11-22 13:14 . 2008-11-22 13:14 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Sunbelt
2008-11-22 13:13 . 2008-10-09 10:21 202,928 --a------ c:\windows\system32\drivers\sbtis.sys
2008-11-22 13:12 . 2008-11-22 13:12 <DIR> d-------- c:\program files\Sunbelt Software
2008-11-22 11:37 . 2008-11-22 11:19 26,112 --a------ c:\windows\system32\iiffEvWP.dll.vir
2008-11-22 08:10 . 2008-11-22 08:10 <DIR> d-------- c:\program files\Webroot
2008-11-22 08:10 . 2008-11-22 08:10 <DIR> d-------- c:\documents and settings\George.GEORGE-6JXTPIR4\Application Data\Webroot
2008-11-15 13:29 . 2008-11-15 13:29 <DIR> d-------- c:\program files\K-Lite Codec Pack
2008-11-15 13:29 . 2007-09-04 11:56 164,352 --a------ c:\windows\system32\unrar.dll
2008-11-15 08:21 . 2008-11-15 08:21 23,392 --a------ c:\windows\system32\nscompat.tlb
2008-11-15 08:21 . 2008-11-15 08:21 16,832 --a------ c:\windows\system32\amcompat.tlb
2008-11-15 08:02 . 2008-11-15 08:04 <DIR> d-------- c:\program files\WhatsRunning
2008-11-13 05:34 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-13 05:34 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-09 15:37 . 2008-10-03 12:41 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2008-11-09 15:37 . 2007-04-17 04:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2008-11-09 15:37 . 2007-03-08 00:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2008-11-09 15:37 . 2008-08-26 02:24 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2008-11-09 15:37 . 2008-08-26 02:24 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2008-11-09 15:37 . 2008-08-26 02:24 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2008-11-09 15:37 . 2008-08-26 02:24 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2008-11-09 15:37 . 2008-08-26 02:24 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2008-11-09 15:37 . 2008-08-25 03:38 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2008-11-09 00:00 . 2008-12-04 07:40 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-09 00:00 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-09 00:00 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-08 15:01 . 2008-11-08 15:01 <DIR> d-------- c:\program files\Windows Installer Clean Up
2008-11-08 14:55 . 2008-11-13 17:11 1,553,272 --a------ c:\windows\WRSetup.dll
2008-11-05 11:46 . 2008-11-05 12:03 <DIR> d-------- c:\documents and settings\George.GEORGE-6JXTPIR4\Application Data\LimeWire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-03 22:10 --------- d---a-w c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2008-12-03 00:07 --------- d-----w c:\program files\Trojan Remover
2008-12-02 10:18 --------- d-----w c:\program files\MSECACHE
2008-11-28 11:58 10,752 ----a-w c:\windows\system32\userinit.exe
2008-11-19 11:28 --------- d-----w c:\program files\IrfanView
2008-11-02 20:12 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Viewpoint
2008-10-30 02:23 124 ----a-w c:\documents and settings\George.GEORGE-6JXTPIR4\Application Data\netstat.bat
2008-10-28 21:28 65,320 ----a-w c:\windows\system32\sbbd.exe
2008-10-26 14:57 --------- d-----w c:\documents and settings\George.GEORGE-6JXTPIR4\Application Data\Image Zone Express
2008-10-26 03:11 --------- d-----w c:\program files\MSXML 4.0
2008-10-24 20:17 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 09:09 92,464 ----a-w c:\windows\system32\drivers\SBREDrv.sys
2008-10-20 09:56 0 ----a-w C:\jfidoj.exe
2008-10-19 16:00 34,816 ----a-w c:\windows\system32\BGData.bin
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-12 17:50 --------- d-----w c:\documents and settings\George.GEORGE-6JXTPIR4\Application Data\Lavasoft
2008-10-11 17:10 --------- d-----w c:\program files\CCleaner
2008-10-11 16:46 --------- d-----w c:\documents and settings\Default User.WINDOWS\Application Data\DivX
2008-10-10 22:26 --------- d-----w c:\documents and settings\George.GEORGE-6JXTPIR4\Application Data\Uniblue
2008-10-10 11:29 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Matrox
2008-10-08 10:46 --------- d-----w c:\program files\Free Window Registry Repair
2008-10-06 20:02 --------- d-----w c:\program files\QuickTime
2008-10-06 20:00 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-05-30 18:37 97,916 ----a-w c:\program files\dxupdate.cab
2008-05-30 18:36 4,165,878 ----a-w c:\program files\Apr2006_MDX1_x86_Archive.cab
2008-05-30 18:36 13,267,416 ----a-w c:\program files\dxnt.cab
2008-05-30 18:36 1,805,306 ----a-w c:\program files\Nov2007_d3dx9_36_x64.cab
2008-05-30 18:36 1,803,408 ----a-w c:\program files\AUG2007_d3dx9_35_x64.cab
2008-05-30 18:34 528,392 ----a-w c:\program files\DXSETUP.exe
2008-02-04 17:02 228,207 ----a-w c:\program files\address book.WAB
2008-02-03 18:48 54,784 --sha-w c:\program files\Thumbs.db
2007-08-01 21:12 1,156,096 ----a-w c:\program files\iview400_setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2008-10-28 955688]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\60bded7d

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphc7unj0erbg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Matrox PowerDesk SE
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\prunnet
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2009

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-09-13 14:49 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Matrox Powerdesk]
--a------ 2008-10-13 17:28 684032 c:\windows\system32\PDesk\pdesk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 03:00 132496 c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-07-21 15:39 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 avgntmgr;avgntmgr;c:\windows\system32\DRIVERS\avgntmgr.sys [2008-10-22 22336]
R1 avgntdd;avgntdd;c:\windows\system32\DRIVERS\avgntdd.sys [2008-10-22 45376]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2008-11-22 13360]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2008-11-22 202928]
R2 SBAMSvc;VIPRE Antivirus + Antispyware;"c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe" [2008-10-28 886056]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2008-11-22 69168]
S1 streamm;streamm; []
S2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
S3 SBRE;SBRE;\??\c:\windows\System32\drivers\SBREdrv.sys [2008-10-23 92464]
S3 UtilNT;UtilNT;\??\c:\windows\system32\drivers\UtilNT.sys [2008-10-09 5533]
.
Contents of the 'Scheduled Tasks' folder

2008-12-02 c:\windows\Tasks\ErrorSmart Scheduled Scan.job
- c:\program files\ErrorSmart\ErrorSmart.exe []

2008-12-02 c:\windows\Tasks\ErrorSmart Scheduled Scan.job
- c:\program files\ErrorSmart []
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - (no file)
MSConfigStartUp-MGA_CD_Install - F:\mgasetup.exe

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 13:02:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2008-12-04 13:07:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-04 18:06:55

Pre-Run: 10,620,186,624 bytes free
Post-Run: 11,501,821,952 bytes free

206 --- E O F --- 2008-12-03 23:28:19

•

Join Date: Nov 2008

Posts: 814

Reputation: cohen is an unknown quantity at this point

Solved Threads: 42

cohen

Offline

Practically a Posting Shark

Re: 2 trojans reappear

#12

Dec 4th, 2008

OK,

Pls run Malware Bytes and Update it as well... and run it again.

Post the Malware Bytes log and also run hijackthis again and post a fresh log.

Thanks,

Cohen

Cohen's Site www.cohenl.com

Do not PM me for support!!!

•

Join Date: May 2005

Posts: 3,204

Reputation: gerbil will become famous soon enough

Solved Threads: 188

gerbil

Offline

Nearly a Senior Poster

Re: 2 trojans reappear

#13

Dec 4th, 2008

Hi, geoss. Recovery Console takes up about 350Mb on your C: drive. It is a very worthwhile thing to have, especially if you do not have an installation cd.
Combofix warns about its absence and offers the facility of installing it cos sometimes combofix [or the user] goes haywire. 1/100 the odds....
Right. What is inside this folder, nothing? c:\windows\system32\unknown
This file is your ORIGINAL userinit.exe: c:\windows\system32\stu2.exe
-it was renamed to this by the malware. First, check that it is the MS file from its properties... vsn5.1.2600.2180, size 24,576 bytes, in Version tab, original filename should be USERINIT.EXE
-if this is all correct, rename it to userinit.exe
Right, you have a worm and a net traffic interceptor which was hidden by a rootkit.
==Again please disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan:
Copy the text in the box to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to your desktop.

Help with Code Tags

(Toggle Plain Text)

Killall::

File::
c:\windows\system32\iiffEvWP.dll.vir
C:\jfidoj.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphc7unj0erbg]

Good. Now drag the CFScript.txt icon onto the Combofix icon on your desktop. Combofix will start, let it run, if your firewall prompts then allow all; post the log.

Your Java is way out of date. Keep it updated for security reasons. Go control panel > java > update, & press update now. Restart after installing the update, and then go into control panel again, add/remove pgms and remove all old versions of java. Vsn 1.6.0.11 is current....
I use manual updates, check it when M$ comes around each month with security updates.
Now update and run MBAM, post that log plus a fresh hijackthis log, please.

Last edited by gerbil; Dec 4th, 2008 at 9:27 pm.

Deep, deep in the woods, but walking about.

•

Join Date: Jul 2004

Posts: 95

Reputation: geoss is an unknown quantity at this point

Solved Threads: 1

geoss

Offline

Junior Poster in Training

Re: 2 trojans reappear

#14

Dec 4th, 2008

Hi,
I am not sure I went to the right place, but I found the file "Stu2" in C: Win: System32,,,, and this was file version it said: 5.1.2600.5512 (xpsp.080413-2113) Size: 25.5 KB (26,112 bytes)
When you say to rename it to "userinit.exe" do I right click the file and click on Rename? Then type in userinit.exe?

I will be doing the scan and sending..thanks
George

Here is the ComboFix results. I did wanna say that I ran Trojan Remover program about 2 hours ago or so.....anyway:

ComboFix 08-12-04.04 - George 2008-12-04 22:44:38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.559 [GMT -5:00]
Running from: c:\documents and settings\George.GEORGE-6JXTPIR4\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\George.GEORGE-6JXTPIR4\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\jfidoj.exe
c:\windows\system32\iiffEvWP.dll.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\jfidoj.exe
c:\windows\system32\iiffEvWP.dll.vir

----- BITS: Possible infected sites -----

hxxp://79.143.177.12
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS

((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.

2008-12-04 22:08 . 2008-09-12 11:12 69,168 --a------ c:\windows\system32\drivers\sbapifs.sys
2008-12-04 22:08 . 2008-09-12 11:12 13,360 --a------ c:\windows\system32\drivers\sbaphd.sys
2008-12-04 22:06 . 2008-12-04 22:06 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Sunbelt
2008-12-04 22:05 . 2008-12-04 22:05 <DIR> d-------- c:\documents and settings\George.GEORGE-6JXTPIR4\Application Data\Sunbelt
2008-12-04 22:04 . 2008-12-04 22:04 <DIR> d-------- c:\program files\Sunbelt Software
2008-12-04 22:04 . 2008-10-09 10:21 202,928 --a------ c:\windows\system32\drivers\sbtis.sys
2008-12-04 14:51 . 2008-01-04 20:34 23,920 --a------ c:\windows\system32\drivers\sskbfd.sys
2008-12-03 18:40 . 2008-07-14 05:09 212,728 --a------ c:\windows\CMDLIC.DLL
2008-12-03 18:40 . 2008-07-14 05:09 205,560 --a------ c:\windows\UNBOC.EXE
2008-12-03 18:40 . 2008-04-13 19:12 22,528 --a------ c:\windows\system32\wsock32.dlb
2008-12-03 18:39 . 2008-12-03 21:14 <DIR> d-------- c:\program files\Comodo
2008-12-03 06:14 . 2008-12-03 06:21 <DIR> d-------- c:\program files\SpeedBit Video Accelerator
2008-12-03 06:14 . 2008-12-03 06:14 172,032 --a------ c:\windows\system32\AniGIF.ocx
2008-11-30 18:12 . 2008-11-30 18:12 <DIR> d-------- c:\windows\system32\unknown
2008-11-28 06:58 . 2008-12-04 22:34 26,112 --a------ c:\windows\system32\stu2.exe
2008-11-26 20:09 . 2008-11-26 20:09 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-11-26 20:07 . 2008-11-26 20:50 <DIR> d-------- c:\program files\Sony Ericsson
2008-11-22 08:10 . 2008-12-04 18:58 <DIR> d-------- c:\program files\Webroot
2008-11-15 13:29 . 2008-11-15 13:29 <DIR> d-------- c:\program files\K-Lite Codec Pack
2008-11-15 13:29 . 2007-09-04 11:56 164,352 --a------ c:\windows\system32\unrar.dll
2008-11-15 08:21 . 2008-11-15 08:21 23,392 --a------ c:\windows\system32\nscompat.tlb
2008-11-15 08:21 . 2008-11-15 08:21 16,832 --a------ c:\windows\system32\amcompat.tlb
2008-11-15 08:02 . 2008-11-15 08:04 <DIR> d-------- c:\program files\WhatsRunning
2008-11-13 05:34 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-13 05:34 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-09 15:37 . 2008-10-03 12:41 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2008-11-09 15:37 . 2007-04-17 04:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2008-11-09 15:37 . 2007-03-08 00:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2008-11-09 15:37 . 2008-08-26 02:24 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2008-11-09 15:37 . 2008-08-26 02:24 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2008-11-09 15:37 . 2008-08-26 02:24 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2008-11-09 15:37 . 2008-08-26 02:24 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2008-11-09 15:37 . 2008-08-26 02:24 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2008-11-09 15:37 . 2008-08-25 03:38 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2008-11-09 00:00 . 2008-12-04 07:40 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-09 00:00 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-09 00:00 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-08 15:01 . 2008-11-08 15:01 <DIR> d-------- c:\program files\Windows Installer Clean Up
2008-11-05 11:46 . 2008-11-05 12:03 <DIR> d-------- c:\documents and settings\George.GEORGE-6JXTPIR4\Application Data\LimeWire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 02:54 --------- d---a-w c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2008-12-04 22:46 --------- d-----w c:\program files\Trojan Remover
2008-12-02 10:18 --------- d-----w c:\program files\MSECACHE
2008-11-19 11:28 --------- d-----w c:\program files\IrfanView
2008-11-02 20:12 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Viewpoint
2008-10-30 02:23 124 ----a-w c:\documents and settings\George.GEORGE-6JXTPIR4\Application Data\netstat.bat
2008-10-28 21:28 65,320 ----a-w c:\windows\system32\sbbd.exe
2008-10-26 14:57 --------- d-----w c:\documents and settings\George.GEORGE-6JXTPIR4\Application Data\Image Zone Express
2008-10-26 03:11 --------- d-----w c:\program files\MSXML 4.0
2008-10-24 20:17 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 09:09 92,464 ----a-w c:\windows\system32\drivers\SBREDrv.sys
2008-10-19 16:00 34,816 ----a-w c:\windows\system32\BGData.bin
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-12 17:50 --------- d-----w c:\documents and settings\George.GEORGE-6JXTPIR4\Application Data\Lavasoft
2008-10-11 17:10 --------- d-----w c:\program files\CCleaner
2008-10-11 16:46 --------- d-----w c:\documents and settings\Default User.WINDOWS\Application Data\DivX
2008-10-10 22:26 --------- d-----w c:\documents and settings\George.GEORGE-6JXTPIR4\Application Data\Uniblue
2008-10-10 11:29 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Matrox
2008-10-08 10:46 --------- d-----w c:\program files\Free Window Registry Repair
2008-10-06 20:02 --------- d-----w c:\program files\QuickTime
2008-10-06 20:00 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-05-30 18:37 97,916 ----a-w c:\program files\dxupdate.cab
2008-05-30 18:36 4,165,878 ----a-w c:\program files\Apr2006_MDX1_x86_Archive.cab
2008-05-30 18:36 13,267,416 ----a-w c:\program files\dxnt.cab
2008-05-30 18:36 1,805,306 ----a-w c:\program files\Nov2007_d3dx9_36_x64.cab
2008-05-30 18:36 1,803,408 ----a-w c:\program files\AUG2007_d3dx9_35_x64.cab
2008-05-30 18:34 528,392 ----a-w c:\program files\DXSETUP.exe
2008-02-04 17:02 228,207 ----a-w c:\program files\address book.WAB
2008-02-03 18:48 54,784 --sha-w c:\program files\Thumbs.db
2007-08-01 21:12 1,156,096 ----a-w c:\program files\iview400_setup.exe
.

((((((((((((((((((((((((((((( snapshot@2008-12-04_13.05.30.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-05 01:16:46 1,887,080 ----a-w c:\windows\Downloaded Program Files\CONFLICT.3\FP_AX_CAB_INSTALLER.exe
+ 2008-10-05 01:16:46 1,887,080 ----a-w c:\windows\Downloaded Program Files\CONFLICT.4\FP_AX_CAB_INSTALLER.exe
+ 2008-10-05 01:16:46 1,887,080 ----a-w c:\windows\Downloaded Program Files\CONFLICT.5\FP_AX_CAB_INSTALLER.exe
+ 2008-10-05 01:16:46 1,887,080 ----a-w c:\windows\Downloaded Program Files\CONFLICT.6\FP_AX_CAB_INSTALLER.exe
- 2008-11-22 18:13:04 297,086 ----a-r c:\windows\Installer\{CEF980E6-BC32-49FA-85D8-6742173D8E5D}\ARPPRODUCTICON.exe
+ 2008-12-05 03:04:30 297,086 ----a-r c:\windows\Installer\{CEF980E6-BC32-49FA-85D8-6742173D8E5D}\ARPPRODUCTICON.exe
- 2008-11-22 18:13:04 335,872 ----a-r c:\windows\Installer\{CEF980E6-BC32-49FA-85D8-6742173D8E5D}\NewShortcut2_339C927BB4B547F9804FDF51F01D2D57.exe
+ 2008-12-05 03:04:30 335,872 ----a-r c:\windows\Installer\{CEF980E6-BC32-49FA-85D8-6742173D8E5D}\NewShortcut2_339C927BB4B547F9804FDF51F01D2D57.exe
- 2008-11-22 18:13:04 335,872 ----a-r c:\windows\Installer\{CEF980E6-BC32-49FA-85D8-6742173D8E5D}\NewShortcut21_339C927BB4B547F9804FDF51F01D2D57.exe
+ 2008-12-05 03:04:30 335,872 ----a-r c:\windows\Installer\{CEF980E6-BC32-49FA-85D8-6742173D8E5D}\NewShortcut21_339C927BB4B547F9804FDF51F01D2D57.exe
- 2008-11-29 20:30:12 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-05 02:36:58 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-11-29 20:30:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-05 02:36:58 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-14 00:12:38 26,112 -c--a-w c:\windows\system32\dllcache\userinit.exe
- 2008-12-04 14:46:42 89,102 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-12-05 03:13:34 89,102 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
- 2008-11-28 11:58:19 10,752 ----a-w c:\windows\system32\userinit.exe
+ 2008-04-14 00:12:38 26,112 ----a-w c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2008-10-28 955688]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-09-13 14:49 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Matrox Powerdesk]
--a------ 2008-10-13 17:28 684032 c:\windows\system32\PDesk\pdesk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 03:00 132496 c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-07-21 15:39 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 avgntmgr;avgntmgr;c:\windows\system32\DRIVERS\avgntmgr.sys [2008-10-22 22336]
R1 avgntdd;avgntdd;c:\windows\system32\DRIVERS\avgntdd.sys [2008-10-22 45376]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2008-12-04 13360]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2008-12-04 202928]
R2 SBAMSvc;VIPRE Antivirus + Antispyware;"c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe" [2008-10-28 886056]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2008-12-04 69168]
S1 streamm;streamm; []
S3 SBRE;SBRE;\??\c:\windows\System32\drivers\SBREdrv.sys [2008-10-23 92464]
S3 UtilNT;UtilNT;\??\c:\windows\system32\drivers\UtilNT.sys [2008-10-09 5533]
.
Contents of the 'Scheduled Tasks' folder

2008-12-02 c:\windows\Tasks\ErrorSmart Scheduled Scan.job
- c:\program files\ErrorSmart\ErrorSmart.exe []

2008-12-02 c:\windows\Tasks\ErrorSmart Scheduled Scan.job
- c:\program files\ErrorSmart []
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Windows Defender - c:\program files\Windows Defender\MSASCui.exe

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 22:48:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3100)
c:\program files\Sunbelt Software\VIPRE\oehook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2008-12-04 22:53:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-05 03:53:07
ComboFix2.txt 2008-12-04 18:07:11

Pre-Run: 11,404,541,952 bytes free
Post-Run: 11,579,846,656 bytes free

213 --- E O F --- 2008-12-03 23:28:19

Last edited by geoss; Dec 4th, 2008 at 11:59 pm.

•

Join Date: Jul 2008

Posts: 2,806

Reputation: jholland1964 is a name known to all

Solved Threads: 160

jholland1964 jholland1964 is offline

Offline

Posting Maven

Re: 2 trojans reappear

#15

Dec 5th, 2008

•

-------\Legacy_TDSSSERV.SYS

Antivirus XP 2008 and tdssserv.sys trojan

•

Join Date: May 2005

Posts: 3,204

Reputation: gerbil will become famous soon enough

Solved Threads: 188

gerbil

Offline

Nearly a Senior Poster

Re: 2 trojans reappear

#16

Dec 5th, 2008

Geoss, yes, that version number 5.1.2600.5512 (xpsp.080413-2113) is for SP3. If you go back to system32\stu2.exe, in its properties > Version tab, you would also see its Original filename. It should be USERINIT.EXE - what is its filesize, to the exact byte?
Is the same information in system32\userinit.exe? What is its filesize, to the byte?
Now, we have to be careful here because the genuine file is protected by Windows File Protection System, and a counterfeit copy should have been automatically replaced. But the malware may have caused its own reworked version of userinit.exe to be placed into the cache also. It can do that by simply deleting the genuine copy in the cache. So:
-do you have this file: C:\Windows\Driver Cache\i386\SP3.cab
Let me know.

Deep, deep in the woods, but walking about.

•

Join Date: Apr 2005

Posts: 15,965

Reputation: jbennet is a name known to all

Solved Threads: 505

jbennet

Offline

Moderator

Re: 2 trojans reappear

#17

Dec 5th, 2008

•

Now, we have to be careful here because the genuine file is protected by Windows File Protection System, and a counterfeit copy should have been automatically replaced. But the malware may have caused its own reworked version of userinit.exe to be placed into the cache also. It can do that by simply deleting the genuine copy in the cache. So:
-do you have this file: C:\Windows\Driver Cache\i386\SP3.cab
Let me know.

If you put in an XP cd with SP3 integrated while running SFC, it will check against the version from there

If i am helpful, please give me reputation points.

•

Join Date: May 2005

Posts: 3,204

Reputation: gerbil will become famous soon enough

Solved Threads: 188

gerbil

Offline

Nearly a Senior Poster

Re: 2 trojans reappear

#18

Dec 5th, 2008

Hi, jb... I am wondering what the exact situation is with stu2.exe and userinit.exe. If userinit.exe is corrupted Combofix should have said so.
An XP cd with SP3 would make things so simple. But atm I hesitate to just use COPY to replace userinit.exe with stu2.exe. Geoss could still start into safe mode, though, if it failed.

Geoss, please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixui.bat to your desktop; dclick it to run.

Help with Code Tags

(Toggle Plain Text)

COPY /Y c:\windows\system32\stu2.exe c:\windows\system32\userinit.exe

Restart your sys, and say how things are.

Last edited by gerbil; Dec 5th, 2008 at 10:04 am.

Deep, deep in the woods, but walking about.

•

Join Date: Jul 2004

Posts: 95

Reputation: geoss is an unknown quantity at this point

Solved Threads: 1

geoss

Offline

Junior Poster in Training

Re: 2 trojans reappear

#19

Dec 5th, 2008

Hi,
I'll answer the first response first.

1. Yes, I do have the SP.3 cab (23,294 Kb) also have SP2.cab(21,724 kb)

2. In System 32 under properties the userinit.exe is 26, 112 bytes

3. In USERINIT.EXE in STU2, the size is 26, 112 bytes

will wait for reply to see if I should do the other things you said and post.
George

P.S. I did save the fixui.bat to the desktop, and when I double clicked, it flashed for a second a MS Dos type of screen, then returned to normal screen....don't know if it did anything????

Last edited by geoss; Dec 5th, 2008 at 7:29 pm.

•

Join Date: May 2005

Posts: 3,204

Reputation: gerbil will become famous soon enough

Solved Threads: 188

gerbil

Offline

Nearly a Senior Poster

Re: 2 trojans reappear

#20

Dec 6th, 2008

Ok, Geoss.. SP2 userinit.exe filesize is 24576 bytes. But your SP3 userinit.exe filesize should be 26112 bytes. Check that the same file exists in your system32\dllcache directory [you will need to go to Tools > Folder options > View, and uncheck Hide Protected Operating System files..
Yes, when you ran that batch file all you would have sen is a small black cmd.exe window flash briefly. It copied stu2.exe into userinit.exe. So all is good.
This will give you a chance to see the cmd window as stu2.exe is deleted:
Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixui.bat to your desktop; dclick it to run.

Help with Code Tags

(Toggle Plain Text)