risk_reversal

GCOMD32.DLL & HASET32.DLL Some Clarity

10 posts in this topic

Hi guys & gals, long time reader first time poster.

 

I recently ran SuperAntiSpyware (SAS) and it reported the 2 entries in the title box as suspicious [trojans]. I run XP Home.

 

I ran HJT v2.02 (report attached below) but it found nothing. In searching I found that GCOMD32.DLL & HASET32.DLL would/should show up in HJT as Browser Helper Objects (BHO).

 

I also ran a search on my pc for both these DLLs but could find nothing (did unhide folders). I also had a close look in C:\windows\system & C:\windows\system32 but could not see either of these files.

 

I searched the registry and found the following instances to these DLLs (as per below).

 

[HKEY_CLASSES_ROOT\CLSID\{EF99D588-3D5F-4194-828A-E03870A57A77}\InprocServer32]
@="gcomd32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99D588-3D5F-4194-828A-E03870A57A77}\InprocServer32]
@="gcomd32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{E8FD36B2-A25B-47e3-9477-82557F5F5995}\InprocServer32]
@="haset32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E8FD36B2-A25B-47e3-9477-82557F5F5995}\InprocServer32]
@="haset32.dll"
"ThreadingModel"="Apartment"

 

Reason for posting is as follows. After SAS shows results, I tick quarantine but if I run SAS again, then it redetects these entries and asks if I would like to quarantine them again.

 

[EDIT] I have also found LM.Dat, EKD.Txt and tb.dr in C:\windows\system32 folder which I also gather are trojan based.

 

Can someone help me out here please

 

Many thanks

 

------------------------------------

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:35:58, on 07/07/2009

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZONELABS\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\PROGRA~1\PopOops\PopOops.exe

C:\Program Files\I8kfanGUI\I8kfanGUI.exe

C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe

C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\Atievxx.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\HijackThis v2.0.2\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [PopOops] C:\PROGRA~1\PopOops\PopOops.exe

O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: NETGEAR WG511v2 Wireless Assistant.lnk = ?

O8 - Extra context menu item: Open in New &Window (PopOops) - C:\WINDOWS\Web\PopOops.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

 

--

End of file - 4140 bytes

Edited by risk_reversal

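The poster's manual check (registry keys that name a DLL, a file search that finds no such DLL) is a useful triage step in its own right, so here is an added helper that does it programmatically. It is example code written for this thread, not a tool either participant used. It parses a REGEDIT4-style export of InprocServer32 keys, folds the HKCR/HKLM pairs together (HKEY_CLASSES_ROOT is a merged view of HKLM\Software\Classes and HKCU\Software\Classes, which is why each CLSID turned up twice in the search above), and reports registrations whose server DLL cannot be found in the standard search directories. The sample export embeds the four keys quoted in the post plus one assumed legitimate entry built from the Acrobat BHO line in the HijackThis log (its actual registry key is not on the page); the filesystem is a constructed set of paths, so the script runs offline.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample export: the four InprocServer32 keys quoted in the post
# above, plus one assumed legitimate entry modelled on the Acrobat BHO line in
# the HJT log (its registry key is not shown on the page; the CLSID/path pair
# is taken from the O2 line).
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CLASSES_ROOT\CLSID\{EF99D588-3D5F-4194-828A-E03870A57A77}\InprocServer32]
@="gcomd32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99D588-3D5F-4194-828A-E03870A57A77}\InprocServer32]
@="gcomd32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{E8FD36B2-A25B-47e3-9477-82557F5F5995}\InprocServer32]
@="haset32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E8FD36B2-A25B-47e3-9477-82557F5F5995}\InprocServer32]
@="haset32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\InprocServer32]
@="C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\ActiveX\\AcroIEHelper.ocx"
"ThreadingModel"="Apartment"
"""

# Constructed stand-in for the filesystem (lower-cased full paths that exist).
# Neither gcomd32.dll nor haset32.dll is present, matching the poster's search.
CONSTRUCTED_FS = {
    r"c:\windows\system32\kernel32.dll",
    r"c:\program files\adobe\acrobat 5.0\reader\activex\acroiehelper.ocx",
}

# Directories the COM loader would consult for a bare filename (simplified
# version of the Windows DLL search order; application directory omitted).
DEFAULT_SEARCH_DIRS = [r"C:\WINDOWS\System32", r"C:\WINDOWS\System", r"C:\WINDOWS"]

KEY_RE = re.compile(r"^\[(?P<hive>[^\\\]]+)\\(?P<path>.*)\]$")
CLSID_RE = re.compile(r"CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32$")
DEFAULT_VALUE_RE = re.compile(r'^@="(?P<val>.*)"$')


def parse_inproc_servers(text):
    """Return (hive, CLSID, server path) for every InprocServer32 key that has a
    default value. .reg files escape backslashes, so they are unescaped here."""
    results = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            clsid = CLSID_RE.search(key.group("path"))
            current = (key.group("hive"), clsid.group(1).upper()) if clsid else None
            continue
        val = DEFAULT_VALUE_RE.match(line)
        if val and current is not None:
            results.append((current[0], current[1], val.group("val").replace("\\\\", "\\")))
    return results


def resolve_dll(value, search_dirs, exists):
    """Return the path the server would be loaded from, or None if no file is
    found. `exists` is a predicate on a path string (os.path.exists on a live box)."""
    path = PureWindowsPath(value)
    if path.is_absolute():
        return value if exists(value) else None
    for directory in search_dirs:
        candidate = str(PureWindowsPath(directory) / path)
        if exists(candidate):
            return candidate
    return None


def audit(text, exists=None):
    """Deduplicate registrations by CLSID (the HKCR and HKLM copies are the same
    key seen through the merged view) and flag any whose DLL cannot be located."""
    if exists is None:
        exists = lambda p: p.lower() in CONSTRUCTED_FS
    by_clsid = {}
    for hive, clsid, value in parse_inproc_servers(text):
        rec = by_clsid.setdefault(clsid, {"clsid": clsid, "value": value, "hives": []})
        rec["hives"].append(hive)
    for rec in by_clsid.values():
        rec["resolved"] = resolve_dll(rec["value"], DEFAULT_SEARCH_DIRS, exists)
        rec["orphaned"] = rec["resolved"] is None
    return sorted(by_clsid.values(), key=lambda r: r["clsid"])


def orphaned_clsids(text, exists=None):
    """CLSIDs whose registered server DLL is missing from disk."""
    return [r["clsid"] for r in audit(text, exists) if r["orphaned"]]


if __name__ == "__main__":
    for r in audit(SAMPLE_EXPORT):
        status = "ORPHANED: no file found" if r["orphaned"] else "ok -> " + r["resolved"]
        print(r["clsid"], repr(r["value"]), "in", ", ".join(r["hives"]), ":", status)
```

On a real XP machine you would pass `os.path.exists` as `exists` and feed the script the output of `reg export HKCR\CLSID` (that file carries a "Windows Registry Editor Version 5.00" header and is written as UTF-16, but its key and value lines parse the same way). A registration that resolves to no file is a registry leftover: a file-level quarantine has nothing to act on, so the CLSID keys themselves are what has to be removed, which is what the later ComboFix run did here.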

Hi,

I'm nasdaq and will be helping you.

 

Print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

 

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

 

Click on Fix Checked when finished and exit HijackThis.

 

Restart the computer normally.

 

===

 

For your added protection please update your Java.

 

Updating Java

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 14.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 14".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
    • J2SE Runtime Environment 6.0 Update 7

  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.

===

 

Download ComboFix from one of these locations:

 

Link 1

Link 2

Link 3

 

* IMPORTANT !!! Save ComboFix.exe to your Desktop

 

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
     
  • Double click on ComboFix.exe & follow the prompts.
     
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
     
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

 

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

 

RcAuto1.gif

 

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

 

whatnext.png

 

Click on Yes, to continue scanning for malware.

 

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply with a fresh HijackThis log.


Hi nasdaq and many thanks for your reply.

 

I have followed your instructions as regards HJT and ComboFix and have posted new logs below.

 

I did a quick registry search after ComboFix and the four keys that I referred to above have been deleted. The only file which remains is EKD.txt in system32 folder. I guess I can just manually delete that if I am correct in my assumption that it is part of a trojan prog.

 

NOTE: I did not bother installing the Recovery Console as I just imaged the partition with Images for Dos. I will also get around to upgrading the Java engine on my daughter's laptop after this episode.

 

------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:40:14, on 08/07/2009

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

 

Running processes:

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZONELABS\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\Atievxx.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\PROGRA~1\PopOops\PopOops.exe

C:\Program Files\I8kfanGUI\I8kfanGUI.exe

C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe

C:\HijackThis v2.0.2\HiJackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [PopOops] C:\PROGRA~1\PopOops\PopOops.exe

O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: NETGEAR WG511v2 Wireless Assistant.lnk = ?

O8 - Extra context menu item: Open in New &Window (PopOops) - C:\WINDOWS\Web\PopOops.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

 

End of file - 4145 bytes

 

-------------------------------------------------------------

 

 

ComboFix 09-07-08.01 - EMMA 08/07/2009 20:21.1 - FAT32x86

 

Microsoft Windows XP Home Edition 5.1.2600.1.1252.44.1033.18.511.314 [GMT 1:00]

Running from: c:\documents and settings\EMMA\Desktop\ComboFix.exe

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

c:\windows\Installer\5512c.msi

 

c:\windows\system32\lm.dat

 

c:\windows\system32\tb.dr

 

c:\windows\system32\tmp.reg

 

c:\windows\system32\drivers\etc\lmhosts . . . . failed to delete

 

 

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

 

-------\Legacy_GOOGLE_ONLINE_SERVICES

 

((((((((((((((((((((((((( Files Created from 2009-06-08 to 2009-07-08 )))))))))))))))))))))))))))))))

 

2009-07-07 14:33 . 2008-06-19 16:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys

 

2009-07-07 10:58 . 2009-07-07 10:58 117760 ----a-w- c:\documents and settings\EMMA\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-08 19:26 . 2007-04-13 00:01 10691837 ------w- c:\windows\Internet Logs\tvDebug.zip

 

2009-05-30 13:31 . 2009-05-30 13:31 -------- d-----w- c:\program files\NETGEAR

 

2009-05-30 09:19 . 2009-05-30 09:19 -------- d-----w- c:\program files\HD Tune

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries & legit default entries are not shown

 

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

 

"i8kfangui"="c:\program files\I8kfanGUI\I8kfanGUI.exe" [2006-06-08 778240]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

 

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 79224]

 

"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-05-31 968696]

 

"PopOops"="c:\progra~1\PopOops\PopOops.exe" [2004-11-01 45568]

 

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

 

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2003-03-31 13312]

 

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

 

MemTurbo.lnk - c:\program files\Silicon Prairie Software\MemTurbo\memturbo.exe [2006-9-11 221696]

 

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

 

NETGEAR WG511v2 Wireless Assistant.lnk - c:\windows\Installer\{B93D24B3-928D-4805-B379-4AA47CB3794E}\NewShortcut1_1.exe [2009-5-30 2238]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

 

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

 

2008-07-23 15:28 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 7.0 Tray Icon.lnk]

 

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 7.0 Tray Icon.lnk

 

backup=c:\windows\pss\AOL 7.0 Tray Icon.lnkCommon Startup

 

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

 

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

 

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

 

"UpdatesDisableNotify"="0x00000000"

 

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [07/07/2009 15:33 28544]

 

R0 Ramdisk;Ramdisk [ QSoft ];c:\windows\system32\drivers\RAMDisk.sys [12/09/2006 11:53 8192]

 

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [21/06/2008 14:29 78416]

 

R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [11/09/2006 14:26 20480]

 

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [03/09/2008 14:07 8944]

 

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [03/09/2008 14:07 55024]

 

R3 atimtai;atimtai;c:\windows\system32\drivers\atimtai.sys [11/09/2006 09:26 281600]

 

R3 maestro;ESS Maestro 3 Audio Driver (WDM);c:\windows\system32\drivers\es198x.sys [11/09/2006 09:26 174464]

 

R3 WDHAALBA;WDHAALBAMiniPCI Winmodem;c:\windows\system32\drivers\WDHAALBA.sys [11/09/2006 09:26 701386]

 

S3 EL556ND5;3Com 10/100 MiniPCI Ethernet Adapter Driver;c:\windows\system32\drivers\EL556ND5.sys [11/09/2006 09:26 55999]

 

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [03/09/2008 14:07 7408]

 

S3 WLANRB;NETGEAR Wireless 8 02.11b LAN RB Driver;c:\windows\System32\DRIVERS\MA401RB.sys --> c:\windows\System32\DRIVERS\MA401RB.sys [?]

 

--- Other Services/Drivers In Memory ---

 

*NewlyCreated* - ALG

 

*NewlyCreated* - IPNAT

 

------- Supplementary Scan -------

.

IE: Open in New &Window (PopOops) - c:\windows\Web\PopOops.htm

 

.**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

 

Rootkit scan 2009-07-08 20:27

 

Windows 5.1.2600 Service Pack 1 FAT NTAPI

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

 

hidden files: 0

 

**************************************************************************

 

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(600)

 

c:\windows\System32\ODBC32.dll

 

c:\program files\SUPERAntiSpyware\SASWINLO.dll

 

 

- - - - - - - > 'lsass.exe'(664)

 

c:\windows\System32\dssenh.dll

 

 

- - - - - - - > 'explorer.exe'(124)

 

c:\progra~1\WINDOW~2\wmpband.dll

 

c:\windows\System32\msi.dll

 

 

------------------------ Other Running Processes ------------------------

 

.c:\windows\SYSTEM32\ZONELABS\VSMON.EXE

 

c:\program files\ALWIL SOFTWARE\AVAST4\ASWUPDSV.EXE

 

c:\program files\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE

 

c:\windows\SYSTEM32\ATIEVXX.EXE

 

c:\windows\WANMPSVC.EXE

 

c:\program files\ALWIL SOFTWARE\AVAST4\ASHDISP.EXE

 

c:\program files\POPOOPS\POPOOPS.EXE

 

c:\program files\NETGEAR\WG511V2\WLANCFG5.EXE

 

c:\program files\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE

 

c:\program files\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE

 

 

**************************************************************************

 

Completion time: 2009-07-08 20:29 - machine was rebooted

 

ComboFix-quarantined-files.txt 2009-07-08 19:29

 

 

Pre-Run: 10,444,226,560 bytes free

 

Post-Run: 10,491,207,680 bytes free

 

 

117

 

Cheers

Edited by risk_reversal

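Checking that a HijackThis fix did what it was meant to is easier when the before and after logs are diffed entry by entry rather than read side by side. The following is an added example written for this thread, not a tool either participant used: it parses the "Xn - body" entry lines of an HJT log, ignores the header and the running-process list, reports which entries disappeared and which are new, and separately lists the entries HJT itself marks as "(no file)". The embedded excerpts are taken from the two logs posted above (first log before the fix, second after).

```python
import re

# Constructed excerpts of the two HijackThis logs posted in this thread
# (first log before the fix, second after); header and process-list lines
# are kept to show that the parser ignores them.
BEFORE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:35:58, on 07/07/2009
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
"""

AFTER_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:40:14, on 08/07/2009
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
"""

# An HJT entry line is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")


def parse_hjt(text):
    """Return the set of (section, body) entries in a log, ignoring the header,
    the running-process list and blank lines."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group("section"), m.group("body")))
    return entries


def diff_hjt(before, after):
    """Entries present only in the first log ("removed") or only in the second
    ("added"), each sorted by section code so related lines group together."""
    a, b = parse_hjt(before), parse_hjt(after)
    return {"removed": sorted(a - b), "added": sorted(b - a)}


def dangling_entries(text):
    """Entries HJT itself marks as pointing at a file that no longer exists;
    these are registry leftovers that a file-level scan will not clear."""
    return sorted(e for e in parse_hjt(text) if e[1].endswith("(no file)"))


def report(before, after):
    """Human-readable summary, returned as lines so callers can inspect them."""
    d = diff_hjt(before, after)
    lines = ["Removed by the fix:"] + ["  - %s - %s" % e for e in d["removed"]]
    lines += ["New since the first log:"] + ["  + %s - %s" % e for e in d["added"]]
    lines += ["Still dangling (no file):"] + ["  ! %s - %s" % e for e in dangling_entries(after)]
    return lines


if __name__ == "__main__":
    print("\n".join(report(BEFORE_LOG, AFTER_LOG)))
```

On the excerpts this reports the R0 start-page line and the two "Related" O9 entries as removed (the LOCAL SERVICE CTFMON line is also absent from the second log), the R1 Microsoft default-page line and the Panda ActiveScan O16 entry as new, and the {CD67F990-...} button with "(no file)" as still present in the second log.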

For your added protection I strongly suggest you install the Recovery Console.

 

When XP OPERATING DISK NOT CURRENTLY AVAILABLE.

http://www.techsupportforum.com/security-c...tml#post1366789

 

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System

 

KB310994.gif

 

Download the file & save it as it's originally named, next to ComboFix.exe.

 

RC1-4.gif

 

Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Drag the setup package onto ComboFix.exe and drop it.
     
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
     
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
     
    RC_whatnext.gif
     
  • When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt along with a new HijackThis log for further review.

===

 

Run the ComboFix program

Let me know what problem persists.


Many thanks for your reply nasdaq.

 

I understand that you must be busy helping other users and very much appreciate your help with this matter. I also do not wish to be antagonistic in any way whatsoever but have a question as regards the XP Recovery Console.

 

Is installing the Recovery Console required for ComboFix or are you recommending my installing the Recovery Console for purposes of my future security? If the latter, then this is not required as the Recovery Console can be accessed via a full XP CD install disk which I have. UBCD4Win can also be used for such purposes. Failing that, booting with Linux Live CDs provides a wonderful recovery method (Puppy Linux my favourite). My systems are all pretty well secured, they are imaged with Images for Dos and the MBRs are also saved. The only drawback with the children's laptops is that I am not allowed to regularly back them up [ie image primary/boot partition and save data partitions].

 

Please do let me know.

 

Again many thanks for your kind help

 

Cheers

The only file which remains is EKD.txt in system32 folder. I guess I can just manually delete that if I am correct in my assumption that it is part of a trojan prog.

 

Yes, delete the ekd.txt file.

 

The recovery console is for your Protection only.

You decide if you need it or not. I think that you have more computer knowledge than most of our clients.

 

===

 

Please read this Prevention page with lots of info and tips on how to prevent this in the future.

How did I get infected in the first place?

http://spywareinfoforum.com/index.php?showtopic=60955

===

 

Time for some housekeeping

  • The following will implement some cleanup procedures as well as reset System Restore points:
     
    Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
     
    ComboFix /u

 

p.s. Please do not forget to update Java.

Your current version is susceptible to infections.


You are most kind nasdaq.

 

The java is next on my to do list after changing the wireless card on my daughter's laptop (the current one is unreliable).

 

Many thanks for confirming the deletion of EKD.txt and the uninstall for ComboFix.

 

May I ask you a final question please.

 

I noted that ComboFix has also created a folder Qoobox at root. Within that folder there is, amongst other things, a quarantine folder. Presumably after a while Qoobox can be deleted, i.e. if ComboFix is used again at some future date, the info contained in that folder is not necessary.

 

Lastly, I did run SAS again and there were no suspicious entries.

 

I think that you have more computer knowledge then most of our clients

Well I like to build pcs and take laptops apart (a hobby) and think that I could now safely be described as a junior geek. The unfortunate downside to this is that I have all my friends who now call me and want me to fix/upgrade their pcs and laptops.

 

Again many thanks.

 

Cheers

Edited by risk_reversal


Uninstalling ComboFix with the /u switch will remove everything.


Glad we could help. :)

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
