Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


Soglueda.A infection - Windows XP


Re: Soglueda.A infection - Windows XP

Unread postby crazyfirex » January 13th, 2011, 9:32 pm

DDS (Ver_10-12-12.02) - NTFSx86
Run by User at 20:15:43.31 on Thu 01/13/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.255 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost.exe 
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
E:\instructions\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [InstallIQUpdater] "c:\program files\w3i\installiqupdater\InstallIQUpdater.exe" /silent /autorun
uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"
mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"
mRun: [UpdatePPShortCut] "c:\program files\cyberlink\powerproducer\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerproducer" updatewithcreateonce "software\cyberlink\powerproducer\5.0"
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"
mRun: [LGODDFU] "c:\program files\lg_fwupdate\fwupdate.exe" blrun
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [<NO NAME>]  
dRun: [<NO NAME>]  
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: microsoft.com\www.update
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/Dcode/ActiveX/MSDcode.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupda ... 3112092955
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microso ... 3121114453
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/s ... wflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\8yl4eucn.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox ... S:official
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
FF - Ext: WebNotes Toolbar: webnotestoolbar@webnotes.net - %profile%\extensions\webnotestoolbar@webnotes.net
FF - Ext: TinEye Reverse Image Search: tineye@ideeinc.com - %profile%\extensions\tineye@ideeinc.com
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Bloody Red: {2458abc0-f443-11dd-87af-0800200c9a66} - %profile%\extensions\{2458abc0-f443-11dd-87af-0800200c9a66}
FF - Ext: Oskar: {5b175400-2368-11de-8c30-0800200c9a66} - %profile%\extensions\{5b175400-2368-11de-8c30-0800200c9a66}
FF - Ext: FastestFox: smarterwiki@wikiatic.com - %profile%\extensions\smarterwiki@wikiatic.com
FF - Ext: Long URL Please: longurlplease@darragh.curran - %profile%\extensions\longurlplease@darragh.curran
FF - Ext: Full Fullscreen: {bfe3406c-6f31-4789-86d5-efa50e12c9eb} - %profile%\extensions\{bfe3406c-6f31-4789-86d5-efa50e12c9eb}
FF - Ext: Yet Another Smooth Scrolling: yetanothersmoothscrolling@kataho - %profile%\extensions\yetanothersmoothscrolling@kataho
FF - Ext: Locationbar²: locationbar2@design-noir.de - %profile%\extensions\locationbar2@design-noir.de
FF - Ext: Omnibar: omnibar@ajitk.com - %profile%\extensions\omnibar@ajitk.com
FF - Ext: Mouse Gestures Redox: {FFA36170-80B1-4535-B0E3-A4569E497DD0} - %profile%\extensions\{FFA36170-80B1-4535-B0E3-A4569E497DD0}
FF - Ext: Flagfox: {1018e4d6-728f-4b20-ad56-37578a4de76b} - %profile%\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
FF - Ext: Download Manager Tweak: {F8A55C97-3DB6-4961-A81D-0DE0080E53CB} - %profile%\extensions\{F8A55C97-3DB6-4961-A81D-0DE0080E53CB}
FF - Ext: Test Pilot: testpilot@labs.mozilla.com - %profile%\extensions\testpilot@labs.mozilla.com
FF - Ext: View Source Chart: {68836a21-fc7d-4ea1-a065-7efabd99d414} - %profile%\extensions\{68836a21-fc7d-4ea1-a065-7efabd99d414}

============= SERVICES / DRIVERS ===============

S3 ASTRA32;ASTRA32;c:\windows\system32\drivers\astra32.sys [2005-6-2 24544]
S3 EL98x;3Com EtherLink 10/100 PCI;c:\windows\system32\drivers\el98xn5.sys [2005-6-2 70174]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2002-8-29 14336]

=============== Created Last 30 ================

2011-01-12 15:49:47 2855 ----a-w- c:\windows\system32\services.PIF
2011-01-12 03:21:20 -------- d-sha-r- C:\cmdcons
2011-01-12 03:17:53 98816 ----a-w- c:\windows\sed.exe
2011-01-12 03:17:53 89088 ----a-w- c:\windows\MBR.exe
2011-01-12 03:17:53 256512 ----a-w- c:\windows\PEV.exe
2011-01-12 03:17:53 161792 ----a-w- c:\windows\SWREG.exe
2011-01-09 22:33:12 -------- d-----w- c:\program files\trend micro
2011-01-09 17:49:06 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-06 03:06:51 -------- d-----w- c:\windows\system32\CatRoot_bak
2011-01-06 03:03:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-01-06 02:37:57 52296 ------w- c:\windows\system32\drivers\PROCMON20.SYS
2011-01-05 03:06:29 388096 ----a-r- c:\docume~1\user\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-12-31 03:02:20 -------- d-----w- c:\windows\system32\appmgmt
2010-12-30 18:28:53 -------- d-----w- c:\windows\ShellNew
2010-12-30 18:28:52 -------- d-----w- c:\program files\AutoHotkey
2010-12-26 21:30:47 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-26 21:29:16 45568 -c----w- c:\windows\system32\dllcache\wab.exe

==================== Find3M ====================

2011-01-09 17:48:49 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-01 21:03:25 176128 ----a-w- c:\windows\system32\winmm.dll
2010-12-03 06:07:00 12315136 ----a-w- c:\windows\system32\ffmpeg.exe
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-24 15:18:29 16384 ----a-w- c:\windows\system32\lgfwunis.exe
2010-10-24 15:12:25 29480 ----a-w- c:\windows\system32\msxml3a.dll
2010-10-24 15:12:22 505128 ----a-w- c:\windows\system32\msvcp71.dll
2010-10-24 15:12:22 353576 ----a-w- c:\windows\system32\msvcr71.dll

============= FINISH: 20:16:34.18 ===============




attach.txt



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/28/2006 10:06:43 AM
System Uptime: 1/13/2011 8:11:45 PM (0 hours ago)

Motherboard: Compaq | | 07E4h
Processor: Intel(R) Pentium(R) 4 CPU 2.00GHz | XU1 PROCESSOR | 1994/400mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 35 GiB total, 20.095 GiB free.
D: is CDROM ()
E: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP49: 10/14/2010 9:37:41 PM - System Checkpoint
RP50: 10/14/2010 9:24:09 PM - Software Distribution Service 3.0
RP51: 10/15/2010 2:55:59 PM - Software Distribution Service 3.0
RP52: 10/15/2010 2:57:42 PM - Software Distribution Service 3.0
RP53: 10/15/2010 3:02:50 PM - Software Distribution Service 3.0
RP54: 10/15/2010 3:15:20 PM - Software Distribution Service 3.0
RP55: 10/15/2010 3:18:12 PM - Software Distribution Service 3.0
RP56: 10/15/2010 9:13:02 PM - Software Distribution Service 3.0
RP57: 10/16/2010 4:26:02 PM - Software Distribution Service 3.0
RP58: 10/17/2010 11:36:24 AM - Software Distribution Service 3.0
RP59: 10/17/2010 3:47:46 PM - Installed Java(TM) 6 Update 22
RP60: 10/17/2010 9:32:48 PM - Software Distribution Service 3.0
RP61: 10/19/2010 3:09:00 PM - Software Distribution Service 3.0
RP62: 10/19/2010 7:47:48 PM - Software Distribution Service 3.0
RP63: 10/20/2010 3:00:16 AM - Software Distribution Service 3.0
RP64: 10/20/2010 9:08:18 PM - Installed BOINC
RP65: 10/21/2010 6:20:43 PM - Software Distribution Service 3.0
RP66: 10/22/2010 3:00:21 AM - Software Distribution Service 3.0
RP67: 10/22/2010 10:03:17 PM - Software Distribution Service 3.0
RP68: 10/23/2010 10:10:28 AM - Software Distribution Service 3.0
RP69: 10/23/2010 10:50:04 PM - Software Distribution Service 3.0
RP70: 10/24/2010 11:06:58 AM - Installed Suite
RP71: 10/24/2010 1:05:49 PM - Software Distribution Service 3.0
RP72: 10/24/2010 2:50:14 PM - Software Distribution Service 3.0
RP73: 10/26/2010 3:20:33 PM - Software Distribution Service 3.0
RP74: 10/26/2010 3:24:58 PM - Software Distribution Service 3.0
RP75: 10/27/2010 3:00:19 AM - Software Distribution Service 3.0
RP76: 10/28/2010 3:00:18 AM - Software Distribution Service 3.0
RP77: 10/29/2010 7:53:21 PM - System Checkpoint
RP78: 10/30/2010 3:00:15 AM - Software Distribution Service 3.0
RP79: 10/31/2010 3:00:18 AM - Software Distribution Service 3.0
RP80: 11/1/2010 3:00:16 AM - Software Distribution Service 3.0
RP81: 11/6/2010 4:18:57 PM - Software Distribution Service 3.0
RP82: 11/7/2010 2:00:17 AM - Software Distribution Service 3.0
RP83: 11/7/2010 3:00:15 AM - Software Distribution Service 3.0
RP84: 11/8/2010 3:00:16 AM - Software Distribution Service 3.0
RP85: 11/9/2010 7:18:58 PM - System Checkpoint
RP86: 11/9/2010 9:24:46 PM - Software Distribution Service 3.0
RP87: 11/11/2010 4:45:20 PM - System Checkpoint
RP88: 11/12/2010 3:00:20 AM - Software Distribution Service 3.0
RP89: 11/13/2010 3:00:17 AM - Software Distribution Service 3.0
RP90: 11/14/2010 3:17:26 AM - System Checkpoint
RP91: 11/15/2010 4:17:26 AM - System Checkpoint
RP92: 11/16/2010 5:17:26 AM - System Checkpoint
RP93: 11/17/2010 6:17:26 AM - System Checkpoint
RP94: 11/18/2010 6:17:26 AM - System Checkpoint
RP95: 11/19/2010 8:17:26 AM - System Checkpoint
RP96: 12/5/2010 10:54:56 AM - Software Distribution Service 3.0
RP97: 12/6/2010 3:00:18 AM - Software Distribution Service 3.0
RP98: 12/7/2010 3:00:15 AM - Software Distribution Service 3.0
RP99: 12/8/2010 3:57:10 AM - System Checkpoint
RP100: 12/9/2010 5:57:10 AM - System Checkpoint
RP101: 12/10/2010 6:57:10 AM - System Checkpoint
RP102: 12/11/2010 6:57:10 AM - System Checkpoint
RP103: 12/12/2010 6:57:10 AM - System Checkpoint
RP104: 12/26/2010 4:23:36 PM - Software Distribution Service 3.0
RP105: 12/27/2010 10:53:03 AM - Software Distribution Service 3.0
RP106: 12/30/2010 1:04:29 PM - Software Distribution Service 3.0
RP107: 12/30/2010 10:02:12 PM - Removed BOINC
RP108: 12/31/2010 12:17:46 PM - Software Distribution Service 3.0
RP109: 12/31/2010 4:11:23 PM - Software Distribution Service 3.0
RP110: 1/1/2011 4:02:23 PM - Software Distribution Service 3.0
RP111: 1/1/2011 4:24:43 PM - Restore Operation
RP112: 1/3/2011 6:50:28 AM - Software Distribution Service 3.0
RP113: 1/3/2011 6:51:50 AM - Software Distribution Service 3.0
RP114: 1/4/2011 10:06:26 PM - Installed HiJackThis
RP115: 1/5/2011 8:54:59 PM - Software Distribution Service 3.0
RP116: 1/5/2011 9:00:15 PM - Installed Kaspersky Anti-Virus 2011.
RP117: 1/5/2011 9:30:09 PM - Removed Kaspersky Anti-Virus 2011.
RP118: 1/9/2011 12:02:30 PM - Software Distribution Service 3.0
RP119: 1/9/2011 12:47:52 PM - Removed Java(TM) 6 Update 21
RP120: 1/9/2011 12:48:42 PM - Installed Java(TM) 6 Update 23
RP121: 1/11/2011 10:12:13 PM - Software Distribution Service 3.0
RP122: 1/12/2011 10:26:35 AM - Software Distribution Service 3.0
RP123: 1/13/2011 8:13:57 PM - Software Distribution Service 3.0

==== Installed Programs ======================

7-Zip 4.65
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.0
Apple Application Support
Apple Software Update
AutoHotkey 1.0.91.01
CodeBlocks
Easy CD Creator 5 Basic
ERUNT 1.1j
Free File Viewer 2010
GIMP 2.6.11
Google Chrome
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
InstallIQ Updater
Intel(R) Extreme Graphics Driver
Intel(R) PRO Ethernet Adapter and Software
Intel(R) PROSet II
IrfanView (remove only)
Java Auto Updater
Java(TM) 6 Update 23
Just Great Software EditPad Lite 6.6.4
Leopard
LG CyberLink LabelPrint
LG CyberLink Power2Go
LG CyberLink PowerBackup
LG CyberLink PowerDVD
LG CyberLink PowerProducer
LG CyberLink YouCam
LG ODD Auto Firmware Update
LG Power Tools
LightScribe System Software
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework Client Profile
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft XML Parser
Mozilla Firefox (3.6.13)
Notepad++
Paint.NET v3.5.5
PowerDVD
QuickTime
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB982664)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
Wordlist Wizard

==== Event Viewer Messages From Past Week ========

1/9/2011 12:02:56 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x8007054f: Security Update for Windows XP (KB956572).
1/9/2011 12:02:43 PM, error: NtServicePack [4373] - Windows XP KB956572 installation failed.
An internal error occurred.
1/13/2011 8:14:28 PM, error: NtServicePack [4373] - Windows XP KB956572 installation failed.
An internal error occurred.
1/12/2011 10:28:07 AM, error: NtServicePack [4373] - Windows XP KB956572 installation failed.
An internal error occurred.
1/11/2011 10:39:10 PM, error: PlugPlayManager [11] - The device Root\LEGACY_PROCMON20\0000 disappeared from the system without first being prepared for removal.
1/11/2011 10:13:27 PM, error: NtServicePack [4373] - Windows XP KB956572 installation failed.
An internal error occurred.

==== End Of File ===========================



McAfee thinks ComboFix is a trojan. I assume it's not? It was named ARTEMIS! and then a random string of numbers.


Somewhere in that log it mentions the removal of PROCMON. I think one of your tools removed it. Process Monitor must seem like malware, since it gets so much information.

I hadn't noticed services.pif before.
crazyfirex
Regular Member
 
Posts: 42
Joined: January 2nd, 2011, 10:00 pm

Re: Soglueda.A infection - Windows XP

Unread postby crazyfirex » January 13th, 2011, 9:50 pm

It was named ARTEMIS!ED2E9EE14758
crazyfirex
Regular Member
 
Posts: 42
Joined: January 2nd, 2011, 10:00 pm

Re: Soglueda.A infection - Windows XP

Unread postby turtledove » January 14th, 2011, 3:01 am

Good day crazyfirex,

Let me go through all these logs, I'll return as soon as possible. It may be very late Friday or on Saturday as I have some meetings to attend to.

As for the tools we have you use, many antivirus companies will flag them due to certain characteristics; be assured they are safe. We will also clean them up as soon as we are done.
Process Monitor by Sysinternals is also safe, and likely flagged due to how it works as well. You should have a way to add that to an exceptions list in McAfee.

Be back as soon as possible.

turtledove
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Soglueda.A infection - Windows XP

Unread postby turtledove » January 14th, 2011, 12:40 pm

Good day crazyfire,

Please copy these instructions for ease of reference.


Add/Remove out of date programs
  • Click on start
  • Then Run
  • In the open text entry box please copy/paste appwiz.cpl, then press Enter.
  • Press the "Remove" or "Change/Remove" button to uninstall the following.
Adobe Reader 9.4.0
Java(TM) 6 Update 22




--------------------------------------------------------------------

Backup with ERUNT

  • Please navigate to Start >> All Programs >> ERUNT, then double-click ERUNT from the menu.
  • Click on OK within the pop-up menu.
  • In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry.
    • Current user registry.
  • Next click on "OK"... at the prompt... reply "Yes".
    After a short duration the Registry backup is complete! pop-up message will appear.
  • Now click on "OK". A registry backup has now been created.



--------------------------------------------------------------------
ComboFix - CFScript
This script is for this user and computer ONLY! Using this tool incorrectly could cause problems with your operating system... preventing it from ever starting again!
You will not have Internet access when you execute ComboFix. All open windows will need to be closed!
  1. Please open Notepad and copy/paste all the text below... into the window:
        KILLALL::
        SysRst::
        SRPeek::
        c:\windows\system32\services.exe
        Rootkit::
        c:\windows\system32\winm.dll
        

  2. Save it to your desktop as CFScript.txt
  3. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
    *Only* when the 2 items above (Step 3) have been taken care of...
  4. Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
    Image
    This will cause ComboFix to run again.
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
    Do Not touch your computer when ComboFix is running!

  5. When finished, ComboFix will create a log file... you can save this file to a convenient place.
Please copy/paste the ComboFix log file in your next reply.

Post
C:\ComboFix.txt
How are things running now?
Thank you

turtledove
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Soglueda.A infection - Windows XP

Unread postby crazyfirex » January 15th, 2011, 11:06 am

ComboFix 11-01-11.01 - User 01/14/2011 21:30:30.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.237 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ .cmd . . . . Failed to delete
c:\windows\system32\winm.dll . . . . Failed to delete

.
((((((((((((((((((((((((( Files Created from 2010-12-15 to 2011-01-15 )))))))))))))))))))))))))))))))
.

2011-01-12 15:49 . 2011-01-12 15:49 2855 ----a-w- c:\windows\system32\services.PIF
2011-01-12 03:15 . 2011-01-12 03:15 -------- d-----w- c:\program files\ERUNT
2011-01-09 22:33 . 2011-01-09 22:36 -------- d-----w- c:\program files\trend micro
2011-01-09 22:33 . 2011-01-09 22:33 -------- d-----w- C:\rsit
2011-01-09 17:49 . 2011-01-09 17:48 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-06 03:06 . 2011-01-06 03:06 -------- d-----w- c:\windows\system32\CatRoot_bak
2011-01-06 03:03 . 2011-01-06 03:03 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-01-06 02:37 . 2011-01-06 02:37 52296 ------w- c:\windows\system32\drivers\PROCMON20.SYS
2011-01-05 03:06 . 2011-01-05 03:06 388096 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-30 18:28 . 2010-12-30 18:28 -------- d-----w- c:\windows\ShellNew
2010-12-30 18:28 . 2010-12-30 18:28 -------- d-----w- c:\program files\AutoHotkey
2010-12-26 21:30 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-26 21:29 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-15 02:37 . 2009-02-06 11:11 355347 ----a-w- c:\windows\system32\ .cmd
2011-01-09 17:48 . 2010-08-31 17:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-01 21:03 . 2002-08-29 12:00 176128 ----a-w- c:\windows\system32\winmm.dll
2010-12-03 06:07 . 2010-12-05 21:04 12315136 ----a-w- c:\windows\system32\ffmpeg.exe
2010-11-18 18:12 . 2005-06-03 00:56 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2002-08-29 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2002-08-29 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2002-08-29 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2010-06-24 18:56 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2002-08-29 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2002-08-29 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2002-08-29 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-24 15:18 . 2010-10-24 15:17 16384 ----a-w- c:\windows\system32\lgfwunis.exe
2010-10-24 15:12 . 2010-10-24 15:12 29480 ----a-w- c:\windows\system32\msxml3a.dll
2010-10-24 15:12 . 2010-10-24 15:12 505128 ----a-w- c:\windows\system32\msvcp71.dll
2010-10-24 15:12 . 2010-10-24 15:12 353576 ----a-w- c:\windows\system32\msvcr71.dll
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))

[7] 65DF52F5B8B6E9BBD183505225C37315 110592 c:\windows\system32\dllcache\services.exe
[7] 65DF52F5B8B6E9BBD183505225C37315 110592 \RP122\A0020327.exe
.
------- Sigcheck -------

[7] 2011-01-12 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\system32\dllcache\services.exe
[7] 2009-02-06 . 37561F8D4160D62DA86D24AE41FAE8DE . 110592 . . [5.1.2600.3520] . . c:\windows\$NtServicePackUninstall$\services.exe
[7] 2009-02-06 . 37561F8D4160D62DA86D24AE41FAE8DE . 110592 . . [5.1.2600.3520] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\services.exe
[7] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3GDR\services.exe
[7] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\services.exe
[-] 2009-02-06 11:11 . !HASH: COULD NOT OPEN FILE !!!!! . 355347 . . [------] . . c:\windows\system32\services.exe
[7] 2009-02-06 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[7] 2009-02-06 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\services.exe
[7] 2009-02-06 . 4712531AB7A01B7EE059853CA17D39BD . 110592 . . [5.1.2600.3520] . . c:\windows\$hf_mig$\KB956572\SP2QFE\services.exe
[7] 2009-02-06 . 4712531AB7A01B7EE059853CA17D39BD . 110592 . . [5.1.2600.3520] . . c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\services.exe
[7] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956572$\services.exe
[7] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\services.exe
[7] 2004-08-04 . C6CE6EEC82F187615D1002BB3BB50ED4 . 108032 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB956572_0$\services.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InstallIQUpdater"="c:\program files\W3i\InstallIQUpdater\InstallIQUpdater.exe" [2010-07-07 1008128]
"Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-22 136176]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-08-20 2363392]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 20:28 684032 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-06-21 23:44 126976 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-06-21 23:48 155648 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Promon.exe]
2001-09-13 15:00 61440 ----a-w- c:\windows\system32\PROMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FreeFileViewer\\FFVCheckForUpdates.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

S3 ASTRA32;ASTRA32;c:\windows\system32\drivers\astra32.sys [6/2/2005 5:21 PM 24544]
S3 EL98x;3Com EtherLink 10/100 PCI;c:\windows\system32\drivers\el98xn5.sys [6/2/2005 8:13 PM 70174]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/29/2002 7:00 AM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-08-20 17:24 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-12-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2011-01-15 c:\windows\Tasks\Free File Viewer Update Checker.job
- c:\program files\FreeFileViewer\FFVCheckForUpdates.exe [2010-08-30 20:37]

2011-01-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2860770303-1274164593-2249697719-1003Core.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-22 15:39]

2011-01-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2860770303-1274164593-2249697719-1003UA.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-22 15:39]
.
.
------- Supplementary Scan -------
.
Trusted Zone: microsoft.com\www.update
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\8yl4eucn.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox ... S:official
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
FF - Ext: WebNotes Toolbar: webnotestoolbar@webnotes.net - %profile%\extensions\webnotestoolbar@webnotes.net
FF - Ext: TinEye Reverse Image Search: tineye@ideeinc.com - %profile%\extensions\tineye@ideeinc.com
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Bloody Red: {2458abc0-f443-11dd-87af-0800200c9a66} - %profile%\extensions\{2458abc0-f443-11dd-87af-0800200c9a66}
FF - Ext: Oskar: {5b175400-2368-11de-8c30-0800200c9a66} - %profile%\extensions\{5b175400-2368-11de-8c30-0800200c9a66}
FF - Ext: FastestFox: smarterwiki@wikiatic.com - %profile%\extensions\smarterwiki@wikiatic.com
FF - Ext: Long URL Please: longurlplease@darragh.curran - %profile%\extensions\longurlplease@darragh.curran
FF - Ext: Full Fullscreen: {bfe3406c-6f31-4789-86d5-efa50e12c9eb} - %profile%\extensions\{bfe3406c-6f31-4789-86d5-efa50e12c9eb}
FF - Ext: Yet Another Smooth Scrolling: yetanothersmoothscrolling@kataho - %profile%\extensions\yetanothersmoothscrolling@kataho
FF - Ext: Locationbar²: locationbar2@design-noir.de - %profile%\extensions\locationbar2@design-noir.de
FF - Ext: Omnibar: omnibar@ajitk.com - %profile%\extensions\omnibar@ajitk.com
FF - Ext: Mouse Gestures Redox: {FFA36170-80B1-4535-B0E3-A4569E497DD0} - %profile%\extensions\{FFA36170-80B1-4535-B0E3-A4569E497DD0}
FF - Ext: Flagfox: {1018e4d6-728f-4b20-ad56-37578a4de76b} - %profile%\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
FF - Ext: Download Manager Tweak: {F8A55C97-3DB6-4961-A81D-0DE0080E53CB} - %profile%\extensions\{F8A55C97-3DB6-4961-A81D-0DE0080E53CB}
FF - Ext: Test Pilot: testpilot@labs.mozilla.com - %profile%\extensions\testpilot@labs.mozilla.com
FF - Ext: View Source Chart: {68836a21-fc7d-4ea1-a065-7efabd99d414} - %profile%\extensions\{68836a21-fc7d-4ea1-a065-7efabd99d414}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-14 21:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\svchost.exe  110592 bytes executable
c:\windows\system32\winm.dll 64512 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\winm.dll

- - - - - - - > 'explorer.exe'(3192)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\winm.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll

- - - - - - - > 'csrss.exe'(664)
c:\windows\system32\winm.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\svchost.exe 
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\CyberLink\Power2Go\CLMLSvc.exe
c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe
c:\program files\lg_fwupdate\fwupdate.exe
c:\program files\Common Files\Java\Java Update\jusched.exe
c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
.
**************************************************************************
.
Completion time: 2011-01-14 21:43:21 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-15 02:43
ComboFix2.txt 2011-01-12 15:31

Pre-Run: 21,777,473,536 bytes free
Post-Run: 21,766,402,048 bytes free

- - End Of File - - F747AEC348420BD449A20A9A94DF5A82




Symptoms persist.
crazyfirex
Regular Member
 
Posts: 42
Joined: January 2nd, 2011, 10:00 pm

Re: Soglueda.A infection - Windows XP

Unread postby turtledove » January 15th, 2011, 7:37 pm

Good day crazyfirex,

Thank you for the log. I'll be back as soon as possible. Something needs to be looked into further.

turtledove
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Soglueda.A infection - Windows XP

Unread postby turtledove » January 16th, 2011, 1:37 pm

Good day crazyfirex,

I'm currently working on the fix, and will be back as soon as possible.
One question, do you use Windows Remote Management at all?
My response may be tomorrow if not late tonight, weather is causing my connection to be intermittent. Should be clear tonight though. Just to let you know why I may have a delay.
Thank you,

turtledove
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Soglueda.A infection - Windows XP

Unread postby crazyfirex » January 16th, 2011, 1:50 pm

Since this computer is totally offline, I never use it. (EDIT: "it" meaning WRM, not the computer.) Unless WMI is a part of WRM? I (infrequently) use scripts powered by WMI to end processes in a single click. However, I am more than willing to disable WRM, if that helps in any way. I can hack together something with AHK to serve the same purpose.
crazyfirex
Regular Member
 
Posts: 42
Joined: January 2nd, 2011, 10:00 pm

Re: Soglueda.A infection - Windows XP

Unread postby turtledove » January 16th, 2011, 2:30 pm

Hi

The WRM is already disabled. If the scripts still work you should be fine. Back asap, as stated above.

turtledove
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Soglueda.A infection - Windows XP

Unread postby turtledove » January 16th, 2011, 3:42 pm

Hi crazyfirex,

We need to see where a couple files are located.
Please get a copy of the following put on this systems desktop.

SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
        :filefind
        *svchost.exe*
        *winm.dll*


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

**Be patient, it may take some time to scan**

Post
SystemLook.txt

Thank you

turtledove
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Soglueda.A infection - Windows XP

Unread postby crazyfirex » January 18th, 2011, 3:08 pm

I will run that very soon.
crazyfirex
Regular Member
 
Posts: 42
Joined: January 2nd, 2011, 10:00 pm

Re: Soglueda.A infection - Windows XP

Unread postby crazyfirex » January 18th, 2011, 4:29 pm

SystemLook 04.09.10 by jpshortstuff
Log created at 14:34 on 18/01/2011 by User
Administrator - Elevation successful

========== filefind ==========

Searching for "*svchost.exe*"
C:\WINDOWS\$NtServicePackUninstall$\svchost.exe -----c- 14336 bytes [21:11 29/08/2010] [07:56 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\ERDNT\cache\svchost.exe --a---- 14336 bytes [15:30 12/01/2011] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe --a---- 132096 bytes [23:16 29/07/2008] [23:16 29/07/2008] D34612C5D02D026535B3095D620626AE
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe.config --a---- 1951 bytes [20:49 09/05/2008] [20:49 09/05/2008] 757BC33428B870035A16FD96B9DDB7FA
C:\WINDOWS\ServicePackFiles\i386\svchost.exe ------- 14336 bytes [18:54 24/06/2010] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\svchost.exe --a---- 14336 bytes [12:00 29/08/2002] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\svchost.exe  --a---- 110592 bytes [12:00 29/08/2002] [11:11 06/02/2009] 65DF52F5B8B6E9BBD183505225C37315

Searching for "*winm.dll*"
C:\Qoobox\Quarantine\C\WINDOWS\system32\winm.dll.vir --a---- 64512 bytes [11:11 06/02/2009] [11:11 06/02/2009] 51F1B700E39308C2AA07DE65572D2957
C:\WINDOWS\system32\winm.dll --a---- 64512 bytes [11:11 06/02/2009] [02:37 15/01/2011] (Unable to calculate MD5)

-= EOF =-


2 things:
what's QooBox?
I have some screenshots of the 2 svchost files. Want them? One of them has a date modified the same as " .cmd" and is named "svchost.exe " (trailing space).
crazyfirex
Regular Member
 
Posts: 42
Joined: January 2nd, 2011, 10:00 pm
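As an added example (not code from this thread or from SystemLook), the script below parses filefind output like the log above and flags files that differ from a sibling in the same folder only by whitespace padding, such as "svchost.exe " next to "svchost.exe", and lists entries whose MD5 could not be read. The sample input is constructed from the hits posted above.

```python
"""Spot whitespace-padded look-alikes of system binaries in SystemLook 'filefind' output.

Added example for this thread; it is not part of SystemLook or of the original posts.
Each filefind hit has the shape
    <path> <attrs> <size> bytes [<time 1>] [<time 2>] <md5 or note>
and NTFS happily stores "svchost.exe " (trailing space) beside "svchost.exe" in the same
folder, which is why the two system32 hits above look identical at a glance.
"""
import re
from collections import defaultdict

# A lazy path, exactly one separator, then the 7-character attribute column: this keeps a
# trailing space on the file name inside the 'path' group instead of swallowing it.
LINE_RE = re.compile(
    r"^(?P<path>.*?)\s(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<t1>[^\]]+)\]\s+\[(?P<t2>[^\]]+)\]\s+(?P<md5>.+)$"
)

# Constructed sample modelled on the SystemLook log in this thread (sizes and hashes are
# the ones posted there; the first line is an ordinary, non-suspicious hit).
SAMPLE = """\
Searching for "*svchost.exe*"
C:\\WINDOWS\\ServicePackFiles\\i386\\svchost.exe ------- 14336 bytes [18:54 24/06/2010] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\\WINDOWS\\system32\\svchost.exe --a---- 14336 bytes [12:00 29/08/2002] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\\WINDOWS\\system32\\svchost.exe  --a---- 110592 bytes [12:00 29/08/2002] [11:11 06/02/2009] 65DF52F5B8B6E9BBD183505225C37315
Searching for "*winm.dll*"
C:\\WINDOWS\\system32\\winm.dll --a---- 64512 bytes [11:11 06/02/2009] [02:37 15/01/2011] (Unable to calculate MD5)
"""


def parse_filefind(text):
    """Return one dict per filefind hit; 'Searching for' headers and blank lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hit = m.groupdict()
            hit["size"] = int(hit["size"])
            folder, _, name = hit["path"].rpartition("\\")
            hit["folder"], hit["name"] = folder.lower(), name   # name keeps its padding
            hits.append(hit)
    return hits


def find_lookalikes(hits):
    """Return (repr(name), folder, reason) for names that differ from a sibling only by padding."""
    by_folder = defaultdict(dict)          # folder -> {normalised name: [hits]}
    for h in hits:
        by_folder[h["folder"]].setdefault(h["name"].strip().lower(), []).append(h)
    findings = []
    for folder, groups in by_folder.items():
        for group in groups.values():
            genuine = [h for h in group if h["name"] == h["name"].strip()]
            for h in group:
                if h["name"] == h["name"].strip() or len(group) < 2:
                    continue
                reason = "name padded with whitespace"
                if genuine and (genuine[0]["size"] != h["size"] or genuine[0]["md5"] != h["md5"]):
                    reason += (f"; size/MD5 differ from {genuine[0]['name']} "
                               f"({genuine[0]['size']} vs {h['size']} bytes)")
                findings.append((repr(h["name"]), folder, reason))
    return findings


def unreadable_hashes(hits):
    """Hits whose MD5 SystemLook could not compute (it prints a bracketed note instead)."""
    return [h for h in hits if not re.fullmatch(r"[0-9A-Fa-f]{32}", h["md5"].strip())]


if __name__ == "__main__":
    parsed = parse_filefind(SAMPLE)
    for name, folder, reason in find_lookalikes(parsed):
        print(f"{folder}\\{name}: {reason}")
    for h in unreadable_hashes(parsed):
        print(f"{h['path']}: MD5 not available ({h['md5']})")
```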

Re: Soglueda.A infection - Windows XP

Unread postby turtledove » January 18th, 2011, 11:12 pm

Good evening crazyfirex,

Thanks for the log.
As to your question on that "box": it is a place where files are quarantined by the CF we ran. It will go when we clean up. The files there can't do anything.

Be back asap. Inquiring on the subject with a colleague.

Thanks

turtledove
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Soglueda.A infection - Windows XP

Unread postby turtledove » January 19th, 2011, 3:06 am

Good day crazyfirex,

Can you plug in that USB drive please and leave it attached, unless when attaching it, it keeps the SAME Drive Letter; we need it that way to get that autorun fixed.
Please tell me the USB Drive letter it has when plugged in so I can put in the new fix. I need it to have the same drive letter when I have you run the script, or it won't delete that file off there.

Thank you

turtledove
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Soglueda.A infection - Windows XP

Unread postby crazyfirex » January 19th, 2011, 11:07 pm

The drive letter is always E:\
However, I can manually delete the file with Explorer or cmd (despite the sh attribs). Unless your script will prevent anything from ever creating an E:\dllrun.exe file, I don't see the use, as it is recreated on restart of the computer/replug of the flash drive. (I tried more than once before creating this thread.)

Please forgive any perceived harshness of this reply. I recognize I am not the expert, and simply could not phrase my information in a better way.
crazyfirex
Regular Member
 
Posts: 42
Joined: January 2nd, 2011, 10:00 pm