Jump to content


Photo

GCOMD32.DLL & HASET32.DLL Some Clarity


  • This topic is locked This topic is locked
9 replies to this topic

#1 risk_reversal

risk_reversal

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 07 July 2009 - 09:38 AM

Hi guys & gals, long time reader first time poster.

I recently ran SuperAntiSpyware (SAS) and it reported the 2 entries in the tilte box as suspicious {trojans]. I run XP Home.

I ran HJT v2.02 (report attached below) but it found nothing. In searching I found that GCOMD32.DLL & HASET32.DLL would/should show up in HJT as Browser Helper Objects (BHO).

I also ran a search on my pc for both these DLLs but could find nothing (did unhide folders). I also has a close look in C:\windows\system & C:\windows\system 32 but could not see either of these files.

I searched the registry and found the following instances to these DLLs (as per below).

[HKEY_CLASSES_ROOT\CLSID\{EF99D588-3D5F-4194-828A-E03870A57A77}\InprocServer32]@="gcomd32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99D588-3D5F-4194-828A-E03870A57A77}\InprocServer32]@="gcomd32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{E8FD36B2-A25B-47e3-9477-82557F5F5995}\InprocServer32]@="haset32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E8FD36B2-A25B-47e3-9477-82557F5F5995}\InprocServer32]@="haset32.dll"
"ThreadingModel"="Apartment"

Reason for posting is as follows. After SAS shows results, I tick quarantine but if I run SAS again, then it redetects these entries and asks if I would like to quarantine them again.

[EDIT] I have also found LM.Dat, EKD.Txt and tb.dr in C:\windows\system32 folder which I also gather are trojan based.

Can someone help me out here please

Many thanks

------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:35:58, on 07/07/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\PopOops\PopOops.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Atievxx.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\HijackThis v2.0.2\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PopOops] C:\PROGRA~1\PopOops\PopOops.exe
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NETGEAR WG511v2 Wireless Assistant.lnk = ?
O8 - Extra context menu item: Open in New &Window (PopOops) - C:\WINDOWS\Web\PopOops.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 4140 bytes

Edited by risk_reversal, 08 July 2009 - 06:42 AM.


#2 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,093 posts

Posted 08 July 2009 - 10:41 AM

Hi,
I'm nasdaq and will be helping you.

Print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


Click on Fix Checked when finished and exit HijackThis.

Restart the computer normally.

===

For your added protection please Update your Java.

Updating Java
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 14.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 14".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
    • J2SE Runtime Environment 6.0 Update 7
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
===

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply with a fresh HijackThis log.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#3 risk_reversal

risk_reversal

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 08 July 2009 - 03:03 PM

Hi nasdaq and many thanks for your reply.

I have followed your instructions as regards HJT and ComboFix and have posted new logs below.

I did a quick registry search after ComboFix and the four keys that I referred to above have been deleted. The only file which remains is EKD.txt in system32 folder. I guess I can just manually delete that if I am correct in my assumption that it is part of a trojan prog.

NOTE: I did not bother installing the Recovery Console as I just imaged the partition with Images for Dos. I will also get around to upgrading the Java engine on my daughter's laptop after this episode.

------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:40:14, on 08/07/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Atievxx.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\PopOops\PopOops.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
C:\HijackThis v2.0.2\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PopOops] C:\PROGRA~1\PopOops\PopOops.exe
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NETGEAR WG511v2 Wireless Assistant.lnk = ?
O8 - Extra context menu item: Open in New &Window (PopOops) - C:\WINDOWS\Web\PopOops.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

End of file - 4145 bytes


-------------------------------------------------------------


ComboFix 09-07-08.01 - EMMA 08/07/2009 20:21.1 - FAT32x86

Microsoft Windows XP Home Edition 5.1.2600.1.1252.44.1033.18.511.314 [GMT 1:00]
Running from: c:\documents and settings\EMMA\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

c:\windows\Installer\5512c.msi

c:\windows\system32\lm.dat

c:\windows\system32\tb.dr

c:\windows\system32\tmp.reg

c:\windows\system32\drivers\etc\lmhosts . . . . failed to delete


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\Legacy_GOOGLE_ONLINE_SERVICES

((((((((((((((((((((((((( Files Created from 2009-06-08 to 2009-07-08 )))))))))))))))))))))))))))))))

2009-07-07 14:33 . 2008-06-19 16:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys

2009-07-07 10:58 . 2009-07-07 10:58 117760 ----a-w- c:\documents and settings\EMMA\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-08 19:26 . 2007-04-13 00:01 10691837 ------w- c:\windows\Internet Logs\tvDebug.zip

2009-05-30 13:31 . 2009-05-30 13:31 -------- d-----w- c:\program files\NETGEAR

2009-05-30 09:19 . 2009-05-30 09:19 -------- d-----w- c:\program files\HD Tune

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"i8kfangui"="c:\program files\I8kfanGUI\I8kfanGUI.exe" [2006-06-08 778240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 79224]

"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-05-31 968696]

"PopOops"="c:\progra~1\PopOops\PopOops.exe" [2004-11-01 45568]


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2003-03-31 13312]


c:\documents and settings\All Users\Start Menu\Programs\Startup\

MemTurbo.lnk - c:\program files\Silicon Prairie Software\MemTurbo\memturbo.exe [2006-9-11 221696]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

NETGEAR WG511v2 Wireless Assistant.lnk - c:\windows\Installer\{B93D24B3-928D-4805-B379-4AA47CB3794E}\NewShortcut1_1.exe [2009-5-30 2238]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-07-23 15:28 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 7.0 Tray Icon.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 7.0 Tray Icon.lnk

backup=c:\windows\pss\AOL 7.0 Tray Icon.lnkCommon Startup


[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"="0x00000000"

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [07/07/2009 15:33 28544]

R0 Ramdisk;Ramdisk [ QSoft ];c:\windows\system32\drivers\RAMDisk.sys [12/09/2006 11:53 8192]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [21/06/2008 14:29 78416]

R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [11/09/2006 14:26 20480]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [03/09/2008 14:07 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [03/09/2008 14:07 55024]

R3 atimtai;atimtai;c:\windows\system32\drivers\atimtai.sys [11/09/2006 09:26 281600]

R3 maestro;ESS Maestro 3 Audio Driver (WDM);c:\windows\system32\drivers\es198x.sys [11/09/2006 09:26 174464]

R3 WDHAALBA;WDHAALBAMiniPCI Winmodem;c:\windows\system32\drivers\WDHAALBA.sys [11/09/2006 09:26 701386]

S3 EL556ND5;3Com 10/100 MiniPCI Ethernet Adapter Driver;c:\windows\system32\drivers\EL556ND5.sys [11/09/2006 09:26 55999]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [03/09/2008 14:07 7408]

S3 WLANRB;NETGEAR Wireless 8 02.11b LAN RB Driver;c:\windows\System32\DRIVERS\MA401RB.sys --> c:\windows\System32\DRIVERS\MA401RB.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ALG

*NewlyCreated* - IPNAT

------- Supplementary Scan -------
.
IE: Open in New &Window (PopOops) - c:\windows\Web\PopOops.htm

.**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-08 20:27

Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(600)

c:\windows\System32\ODBC32.dll

c:\program files\SUPERAntiSpyware\SASWINLO.dll


- - - - - - - > 'lsass.exe'(664)

c:\windows\System32\dssenh.dll


- - - - - - - > 'explorer.exe'(124)

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\System32\msi.dll


------------------------ Other Running Processes ------------------------

.c:\windows\SYSTEM32\ZONELABS\VSMON.EXE

c:\program files\ALWIL SOFTWARE\AVAST4\ASWUPDSV.EXE

c:\program files\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE

c:\windows\SYSTEM32\ATIEVXX.EXE

c:\windows\WANMPSVC.EXE

c:\program files\ALWIL SOFTWARE\AVAST4\ASHDISP.EXE

c:\program files\POPOOPS\POPOOPS.EXE

c:\program files\NETGEAR\WG511V2\WLANCFG5.EXE

c:\program files\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE

c:\program files\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE


**************************************************************************

Completion time: 2009-07-08 20:29 - machine was rebooted

ComboFix-quarantined-files.txt 2009-07-08 19:29


Pre-Run: 10,444,226,560 bytes free

Post-Run: 10,491,207,680 bytes free


117


Cheers

Edited by risk_reversal, 08 July 2009 - 03:11 PM.


#4 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,093 posts

Posted 08 July 2009 - 04:04 PM

For your added protection I strongly suggest you intalll te Recovery console.

When XP OPERATING DISK NOT CURRENTLY AVAILABLE.
http://www.techsuppo...tml#post1366789

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

Posted Image

Download the file & save it as it's originally named, next to ComboFix.exe.

Posted Image

Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.

    Posted Image
  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
===

Run the ComboFix program
Let me know what problelm persists.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#5 risk_reversal

risk_reversal

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 08 July 2009 - 06:18 PM

Many thanks for your reply nasdaq.

I understand that you must be busy helping other users and very much appreciate your help with this matter. I also do not wish to be antagonistic in any way whatsoever but have a question as regards the XP Recovery Console.

Is installing the Recovery Console required for ComboFix or are you recommending my installing the Recovery Console for purposes of my future security. If the later, then this is not required as the Recovery Console can be accessed via a full XP CD install disk which I have. UBCD4Win can also be used for such purposes. Failing that booting with Linux Live cds provide a wonderful recovery method (Puppy Linux my favourite). My systems are all pretty well secured, they are imaged with Images for Dos and the MBRs are also saved. The only drawback with the children's laptops is that I am not allowed to regularly backup them up [ie image primary/boot partition and save data partitions].

Please do let me know.

Again many thanks for your kind help

Cheers

#6 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,093 posts

Posted 09 July 2009 - 08:38 AM

The only file which remains is EKD.txt in system32 folder. I guess I can just manually delete that if I am correct in my assumption that it is part of a trojan prog.


Yes delete the ekd.txt file.

The recovery console is for your Protection only.
You decide if you need it or not. I think that you have more computer knowledge then most of our clients.

===

Please read this Prevention page with lots of info and tips how to prevent this in the future.
How did I get infected in the first place?
http://spywareinfofo...showtopic=60955
===

Time for some housekeeping
The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

p.s. Please do not forget to jpdate Java.
your current version is susceptible to infections.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#7 risk_reversal

risk_reversal

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 09 July 2009 - 09:01 AM

You are most kind nasdaq.

The java is next on my to do list after changing the wireless card on my daughter's laptop (the current one is unreliable).

Many thanks for confirming the deletion of EKD.txt and the uninstall for ComboFix.

May I ask you a final question please.

I noted that ComboFix has also created a folder Qoobox at root. Within that folder there are amongst other things a quarantine folder. Presumably after a while Qoobox can be deleted ie If ComboFix is used again at some future date, the info contained in that folder is not necessary.

Lastly, I did run SAS again and there were no suspicious entries.

I think that you have more computer knowledge then most of our clients

Well I like to build pcs and take laptops apart (a hobby) and think that I could now safely be described as a junior geek. The unfortunate downside to this is that I have all my friends who now call me and want me to fix/upgrade their pcs and laptops.

Again many thanks.

Cheers

Edited by risk_reversal, 09 July 2009 - 09:03 AM.


#8 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,093 posts

Posted 09 July 2009 - 09:34 AM

Uninstalling combofix with the /u switch will remove everything.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#9 risk_reversal

risk_reversal

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 09 July 2009 - 04:41 PM

Many thanks for your help.

Cheers

#10 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,093 posts

Posted 23 July 2009 - 07:46 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button