BleepingComputer.com: MBR rootkit on external hard drives

Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

MBR rootkit on external hard drives

#1 User is offline   nerak 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 7
  • Joined: 23-December 09

Posted 06 January 2010 - 07:30 PM

My elderly laptop suffered three waves of Trojans and rootkits (one of them was TDSS.rootkit) and is now in a state where it will only boot into the Windows Recovery Console. I was about to get a new one anyway, and my data had been backed up to external hard drives, so I will most likely wipe the old machine. But before I transfer any data to the new machine, I want to make sure the external drives are clean. But it appears they may both have an MBR rootkit.

All scans are being run from another old machine that does not appear to be infected, as far as I can tell. What I need help with is cleaning up the external drives. I had run RootRepeal on both and had to restart the computer before I had a chance to post the logs, and upon restarting Windows informed me that D: was "dirty" and proceeded to make some disk repairs. I am including the RootRepeal scans from before and after the restart in case the "before" scan is of any use to anyone.

Thanks in advance,
Karen


DDS (Ver_09-12-01.01) - NTFSx86
Run by Karen at 18:35:00.98 on Mon 01/04/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.124 [GMT -8:00]

AV: avast! antivirus 4.8.1368 [VPS 100104-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\IT Connection Manager\SRUserService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Windows Home Server\WHSConnector.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Karen\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: del.icio.us Toolbar Helper: {7aa07ae6-01ef-44ec-93ca-9d7cd41ccdb6} - c:\program files\del.icio.us\internet explorer buttons\dlcsIE.dll
BHO: BrowserHelper Class: {9a065c65-4ee7-4ddd-9918-f129089a894a} - c:\program files\windows home server\WHSDeskBands.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Microsoft Web Test Recorder 9.0 Helper: {e31ce47f-c268-41ba-897b-b415e613947d} - c:\program files\microsoft visual studio 9.0\common7\ide\privateassemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO90.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: del.icio.us: {981fe6a8-260c-4930-960f-c3bc82746cb0} - c:\program files\del.icio.us\internet explorer buttons\dlcsIE.dll
TB: Home Server Banner: {d73e76a3-f902-45bd-8fc8-95ae8e014671} - c:\program files\windows home server\WHSDeskBands.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Web Test Recorder 9.0: {3c7adade-d1e8-45d2-bdcd-7f8d8b99b2a2} - mscoree.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [PRONoMgr.exe] c:\program files\intel\prosetwireless\ncs\proset\PRONoMgr.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [gemstrmw] c:\windows\system32\gemstrmw.exe /r
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\WINDOW~1.LNK -
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - hxxps://ra.qwest.com/sdccommon/download/tgctlins.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/0/f/b/0fb0fab9-7f09-4bb6-86d8-8e791ba99ac5/VirtualEarth3D.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {3D19135C-6D38-44AD-80F0-D9318F48726D} - hxxp://rcps1.onvoip.net/commpilot/customcontrols/BwOutlook.CAB
DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - hxxp://moneycentral.msn.com/cabs/pmupd806.exe
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
DPF: {4BFC73A6-F8AE-42B3-AAEC-792C3CF0B418} - hxxp://sg60.oar.net/VCGSU.CAB
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://spaces.msn.com//PhotoUpload/MsnPUpld.cab
DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} - hxxp://fdl.msn.com/public/investor/v13/invinstl.exe
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143695995500
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://zone.msn.com/bingame/amun/default/mjolauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} - hxxp://www.costcophotocenter.com/CostcoUpload.cab
DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} - hxxp://moneycentral.msn.com/cabs/webinst.exe
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} - hxxp://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/popcaploader_v10.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\karen\applic~1\mozilla\firefox\profiles\obv2pnm4.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-19 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-19 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-11-19 138680]
R2 SRUserService;IT Connection Manager;c:\program files\it connection manager\SRUserService.exe [2005-5-26 260232]
R2 WHSConnector;Windows Home Server Connector Service;c:\program files\windows home server\WHSConnector.exe [2009-4-20 335728]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-11-19 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-11-19 352920]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [1979-12-31 92550]
S2 gupdate1ca6cc0e5923760;Google Update Service (gupdate1ca6cc0e5923760);c:\program files\google\update\GoogleUpdate.exe [2009-11-23 133104]
S3 GEMPCC;Gemplus GemPC400 PCMCIA Smart Card Reader;c:\windows\system32\drivers\gempcc.sys [2004-10-8 18464]
S3 GPR400;GEMPLUS GPR400 PCMCIA Smart Card Reader;c:\windows\system32\drivers\gpr400.sys [2004-10-8 17408]
S3 VSPerfDrv90;Performance Tools Driver 9.0;c:\program files\microsoft visual studio 9.0\team tools\performance tools\VSPerfDrv90.sys [2007-9-4 55664]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe" /service msvsmon80 --> c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [?]

=============== Created Last 30 ================

2010-01-04 01:21:52 0 dc----w- c:\program files\Trend Micro

==================== Find3M ====================

2009-11-03 04:42:06 195456 -c----w- c:\windows\system32\MpSigStub.exe
2009-10-29 07:45:38 916480 -c--a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 -c--a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 -c--a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 -c--a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 -c--a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 -c--a-w- c:\windows\system32\raschap.dll
2009-10-11 12:17:27 411368 -c--a-w- c:\windows\system32\deploytk.dll
2008-09-05 05:34:27 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090420080905\index.dat

============= FINISH: 18:38:12.10 ===============


RootRepeal log before restarting:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/04 18:45
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAD2A8000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A6F000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9468000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Karen\Cookies\topic281706[1].htm
Status: Locked to the Windows API!

Path: c:\documents and settings\networkservice\ietldcache\index.dat
Status: Allocation size mismatch (API: 45056, Raw: 53248)

Path: c:\documents and settings\karen\local settings\temp\~df4642.tmp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\karen\local settings\temp\~df5321.tmp
Status: Allocation size mismatch (API: 4096, Raw: 16384)

Path: c:\documents and settings\karen\local settings\temp\~df2582.tmp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\karen\local settings\temp\~df2944.tmp
Status: Allocation size mismatch (API: 4096, Raw: 16384)

Path: c:\documents and settings\karen\local settings\temp\~dfcebf.tmp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\karen\local settings\temp\~dfd2a4.tmp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\karen\local settings\temp\~dfd35d.tmp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\networkservice\local settings\temp\cookies\index.dat
Status: Allocation size mismatch (API: 4096, Raw: 16384)

Path: c:\documents and settings\karen\local settings\temporary internet files\content.ie5\2l6nnute\3055-8022_4-10227353[1].html
Status: Allocation size mismatch (API: 16384, Raw: 4096)

Path: c:\documents and settings\karen\local settings\temporary internet files\content.ie5\81a592uj\topic281706[1].htm
Status: Allocation size mismatch (API: 126976, Raw: 151552)

Path: c:\documents and settings\karen\local settings\temporary internet files\content.ie5\9um1x76m\t239348[1].htm
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: c:\documents and settings\karen\local settings\temporary internet files\content.ie5\aszjnz01\search[1].htm
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: c:\documents and settings\karen\local settings\temporary internet files\content.ie5\eyns6n0a\3000-2239_4-10019223[1].html
Status: Allocation size mismatch (API: 40960, Raw: 12288)

Path: c:\documents and settings\networkservice\local settings\temp\history\history.ie5\index.dat
Status: Allocation size mismatch (API: 4096, Raw: 16384)

Path: Volume D:\
Status: MBR Rootkit Detected!

Path: Volume D:\, Sector 62
Status: Sector mismatch

Path: D:\ƒ9”;My.ass
Status: Invisible to the Windows API!

Path: D:\ƒ9”;My.ass\…¡ÎüÿÇEè.
Status: Invisible to the Windows API!

Path: D:\ƒ9”;My.ass\ÿéÍ%
Status: Invisible to the Windows API!

Path: Volume F:\
Status: MBR Rootkit Detected!

Path: Volume F:\, Sector 1
Status: Sector mismatch

Path: Volume F:\, Sector 2
Status: Sector mismatch

Path: Volume F:\, Sector 3
Status: Sector mismatch

Path: Volume F:\, Sector 4
Status: Sector mismatch

Path: Volume F:\, Sector 5
Status: Sector mismatch

Path: Volume F:\, Sector 6
Status: Sector mismatch

Path: Volume F:\, Sector 7
Status: Sector mismatch

Path: Volume F:\, Sector 8
Status: Sector mismatch

Path: Volume F:\, Sector 9
Status: Sector mismatch

Path: Volume F:\, Sector 10
Status: Sector mismatch

Path: Volume F:\, Sector 11
Status: Sector mismatch

Path: Volume F:\, Sector 12
Status: Sector mismatch

Path: Volume F:\, Sector 13
Status: Sector mismatch

Path: Volume F:\, Sector 14
Status: Sector mismatch

Path: Volume F:\, Sector 15
Status: Sector mismatch

Path: Volume F:\, Sector 16
Status: Sector mismatch

Path: Volume F:\, Sector 17
Status: Sector mismatch

Path: Volume F:\, Sector 18
Status: Sector mismatch

Path: Volume F:\, Sector 19
Status: Sector mismatch

Path: Volume F:\, Sector 20
Status: Sector mismatch

Path: Volume F:\, Sector 21
Status: Sector mismatch

Path: Volume F:\, Sector 22
Status: Sector mismatch

Path: Volume F:\, Sector 23
Status: Sector mismatch

Path: Volume F:\, Sector 24
Status: Sector mismatch

Path: Volume F:\, Sector 25
Status: Sector mismatch

Path: Volume F:\, Sector 26
Status: Sector mismatch

Path: Volume F:\, Sector 27
Status: Sector mismatch

Path: Volume F:\, Sector 28
Status: Sector mismatch

Path: Volume F:\, Sector 29
Status: Sector mismatch

Path: Volume F:\, Sector 30
Status: Sector mismatch

Path: Volume F:\, Sector 31
Status: Sector mismatch

Path: Volume F:\, Sector 32
Status: Sector mismatch

Path: Volume F:\, Sector 33
Status: Sector mismatch

Path: Volume F:\, Sector 34
Status: Sector mismatch

Path: Volume F:\, Sector 35
Status: Sector mismatch

Path: Volume F:\, Sector 36
Status: Sector mismatch

Path: Volume F:\, Sector 37
Status: Sector mismatch

Path: Volume F:\, Sector 38
Status: Sector mismatch

Path: Volume F:\, Sector 39
Status: Sector mismatch

Path: Volume F:\, Sector 40
Status: Sector mismatch

Path: Volume F:\, Sector 41
Status: Sector mismatch

Path: Volume F:\, Sector 42
Status: Sector mismatch

Path: Volume F:\, Sector 43
Status: Sector mismatch

Path: Volume F:\, Sector 44
Status: Sector mismatch

Path: Volume F:\, Sector 45
Status: Sector mismatch

Path: Volume F:\, Sector 46
Status: Sector mismatch

Path: Volume F:\, Sector 47
Status: Sector mismatch

Path: Volume F:\, Sector 48
Status: Sector mismatch

Path: Volume F:\, Sector 49
Status: Sector mismatch

Path: Volume F:\, Sector 50
Status: Sector mismatch

Path: Volume F:\, Sector 51
Status: Sector mismatch

Path: Volume F:\, Sector 52
Status: Sector mismatch

Path: Volume F:\, Sector 53
Status: Sector mismatch

Path: Volume F:\, Sector 54
Status: Sector mismatch

Path: Volume F:\, Sector 55
Status: Sector mismatch

Path: Volume F:\, Sector 56
Status: Sector mismatch

Path: Volume F:\, Sector 57
Status: Sector mismatch

Path: Volume F:\, Sector 58
Status: Sector mismatch

Path: Volume F:\, Sector 59
Status: Sector mismatch

Path: Volume F:\, Sector 60
Status: Sector mismatch

Path: Volume F:\, Sector 61
Status: Sector mismatch

Path: Volume F:\, Sector 62
Status: Sector mismatch

Path: F:\.Trashes
Status: Visible to the Windows API, but not on disk.

Path: F:\autorun
Status: Visible to the Windows API, but not on disk.

Path: F:\System Volume Information
Status: Visible to the Windows API, but not on disk.

Path: F:\Karen Documents
Status: Visible to the Windows API, but not on disk.

Path: F:\Hdrive
Status: Visible to the Windows API, but not on disk.

Path: F:\New
Status: Visible to the Windows API, but not on disk.

Path: F:\autorun.inf.txt
Status: Visible to the Windows API, but not on disk.

Path: F:\Recycled
Status: Visible to the Windows API, but not on disk.

Path: F:\email copy
Status: Visible to the Windows API, but not on disk.

Path: F:\Ian
Status: Visible to the Windows API, but not on disk.

Path: F:\Kirov Orchestra-Valery Gergiev
Status: Visible to the Windows API, but not on disk.

Path: F:\dissertation
Status: Visible to the Windows API, but not on disk.

Path: F:\40
Status: Visible to the Windows API, but not on disk.

Path: F:\My Music
Status: Visible to the Windows API, but not on disk.

Path: F:\SDRG
Status: Visible to the Windows API, but not on disk.

Path: F:\Chronolog.doc
Status: Visible to the Windows API, but not on disk.

Path: F:\mediation.doc
Status: Visible to the Windows API, but not on disk.

Path: F:\ParadiseBeach_RU_090629.zip
Status: Visible to the Windows API, but not on disk.

Path: F:\temp
Status: Visible to the Windows API, but not on disk.

Path: F:\Robot.Chicken.Star.Wars.Episode.II.PDTV.XviD-aAF.avi
Status: Visible to the Windows API, but not on disk.

Path: F:\Nouvelle Vague
Status: Visible to the Windows API, but not on disk.

Path: F:\Depesha.rar
Status: Visible to the Windows API, but not on disk.

Path: F:\П.Т.В.П
Status: Visible to the Windows API, but not on disk.

Path: F:\Кино
Status: Visible to the Windows API, but not on disk.

Path: F:\Ленинград
Status: Visible to the Windows API, but not on disk.

Path: F:\Photos4Karen
Status: Visible to the Windows API, but not on disk.

Path: F:\UBCD4WinV350.exe
Status: Visible to the Windows API, but not on disk.

Path: F:\UBCD4Win
Status: Visible to the Windows API, but not on disk.

Path: F:\ComboFix.exe
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba88f6b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba88f574

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba88fa52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba88f14c

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba88f64e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba88f08c

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba88f0f0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba88f76e

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba88f72e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba88f8ae

==EOF==


RootRepeal log after restarting:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/05 15:08
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAD3D9000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79C9000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAA48C000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\perflib_perfdata_32c.dat
Status: Allocation size mismatch (API: 4096, Raw: 16384)

Path: Volume D:\
Status: MBR Rootkit Detected!

Path: Volume D:\, Sector 62
Status: Sector mismatch

Path: D:\p
Status: Invisible to the Windows API!

Path: D:\FOUND.000
Status: Visible to the Windows API, but not on disk.

Path: D:\autorun.inf
Status: Visible to the Windows API, but not on disk.

Path: D:\Install.ini
Status: Visible to the Windows API, but not on disk.

Path: D:\JSTART.exe
Status: Visible to the Windows API, but not on disk.

Path: D:\Launcher.exe
Status: Visible to the Windows API, but not on disk.

Path: D:\Setup.exe
Status: Visible to the Windows API, but not on disk.

Path: D:\WDInstaller.xml
Status: Visible to the Windows API, but not on disk.

Path: D:\WDSetup.exe
Status: Visible to the Windows API, but not on disk.

Path: D:\WDSync.exe
Status: Visible to the Windows API, but not on disk.

Path: D:\WD_Windows_Tools
Status: Visible to the Windows API, but not on disk.

Path: D:\WD_Mac_Tools
Status: Visible to the Windows API, but not on disk.

Path: D:\MioNet
Status: Visible to the Windows API, but not on disk.

Path: D:\Documentation
Status: Visible to the Windows API, but not on disk.

Path: D:\autorun
Status: Visible to the Windows API, but not on disk.

Path: D:\Install.log
Status: Visible to the Windows API, but not on disk.

Path: D:\wdEULA.log
Status: Visible to the Windows API, but not on disk.

Path: D:\wdstatus.log
Status: Visible to the Windows API, but not on disk.

Path: D:\System Volume Information
Status: Visible to the Windows API, but not on disk.

Path: D:\WD Sync Data
Status: Visible to the Windows API, but not on disk.

Path: D:\backup
Status: Visible to the Windows API, but not on disk.

Path: D:\ForGene
Status: Visible to the Windows API, but not on disk.

Path: D:\Recycled
Status: Visible to the Windows API, but not on disk.

Path: D:\p\x¯U€
Status: Invisible to the Windows API!

Path: D:\p\P
Status: Invisible to the Windows API!

Path: Volume F:\
Status: MBR Rootkit Detected!

Path: Volume F:\, Sector 1
Status: Sector mismatch

Path: Volume F:\, Sector 2
Status: Sector mismatch

Path: Volume F:\, Sector 3
Status: Sector mismatch

Path: Volume F:\, Sector 4
Status: Sector mismatch

Path: Volume F:\, Sector 5
Status: Sector mismatch

Path: Volume F:\, Sector 7
Status: Sector mismatch

Path: Volume F:\, Sector 8
Status: Sector mismatch

Path: Volume F:\, Sector 9
Status: Sector mismatch

Path: Volume F:\, Sector 10
Status: Sector mismatch

Path: Volume F:\, Sector 11
Status: Sector mismatch

Path: Volume F:\, Sector 12
Status: Sector mismatch

Path: Volume F:\, Sector 13
Status: Sector mismatch

Path: Volume F:\, Sector 14
Status: Sector mismatch

Path: Volume F:\, Sector 15
Status: Sector mismatch

Path: Volume F:\, Sector 16
Status: Sector mismatch

Path: Volume F:\, Sector 17
Status: Sector mismatch

Path: Volume F:\, Sector 18
Status: Sector mismatch

Path: Volume F:\, Sector 19
Status: Sector mismatch

Path: Volume F:\, Sector 20
Status: Sector mismatch

Path: Volume F:\, Sector 21
Status: Sector mismatch

Path: Volume F:\, Sector 22
Status: Sector mismatch

Path: Volume F:\, Sector 23
Status: Sector mismatch

Path: Volume F:\, Sector 24
Status: Sector mismatch

Path: Volume F:\, Sector 25
Status: Sector mismatch

Path: Volume F:\, Sector 26
Status: Sector mismatch

Path: Volume F:\, Sector 27
Status: Sector mismatch

Path: Volume F:\, Sector 28
Status: Sector mismatch

Path: Volume F:\, Sector 29
Status: Sector mismatch

Path: Volume F:\, Sector 30
Status: Sector mismatch

Path: Volume F:\, Sector 31
Status: Sector mismatch

Path: Volume F:\, Sector 32
Status: Sector mismatch

Path: Volume F:\, Sector 33
Status: Sector mismatch

Path: Volume F:\, Sector 35
Status: Sector mismatch

Path: Volume F:\, Sector 36
Status: Sector mismatch

Path: Volume F:\, Sector 37
Status: Sector mismatch

Path: Volume F:\, Sector 38
Status: Sector mismatch

Path: Volume F:\, Sector 39
Status: Sector mismatch

Path: Volume F:\, Sector 40
Status: Sector mismatch

Path: Volume F:\, Sector 41
Status: Sector mismatch

Path: Volume F:\, Sector 42
Status: Sector mismatch

Path: Volume F:\, Sector 43
Status: Sector mismatch

Path: Volume F:\, Sector 44
Status: Sector mismatch

Path: Volume F:\, Sector 45
Status: Sector mismatch

Path: Volume F:\, Sector 46
Status: Sector mismatch

Path: Volume F:\, Sector 47
Status: Sector mismatch

Path: Volume F:\, Sector 49
Status: Sector mismatch

Path: Volume F:\, Sector 50
Status: Sector mismatch

Path: Volume F:\, Sector 51
Status: Sector mismatch

Path: Volume F:\, Sector 52
Status: Sector mismatch

Path: Volume F:\, Sector 53
Status: Sector mismatch

Path: Volume F:\, Sector 56
Status: Sector mismatch

Path: Volume F:\, Sector 57
Status: Sector mismatch

Path: Volume F:\, Sector 58
Status: Sector mismatch

Path: Volume F:\, Sector 59
Status: Sector mismatch

Path: Volume F:\, Sector 60
Status: Sector mismatch

Path: Volume F:\, Sector 61
Status: Sector mismatch

Path: Volume F:\, Sector 62
Status: Sector mismatch

Path: F:\.Trashes
Status: Visible to the Windows API, but not on disk.

Path: F:\autorun
Status: Visible to the Windows API, but not on disk.

Path: F:\System Volume Information
Status: Visible to the Windows API, but not on disk.

Path: F:\Karen Documents
Status: Visible to the Windows API, but not on disk.

Path: F:\Hdrive
Status: Visible to the Windows API, but not on disk.

Path: F:\New
Status: Visible to the Windows API, but not on disk.

Path: F:\autorun.inf.txt
Status: Visible to the Windows API, but not on disk.

Path: F:\Recycled
Status: Visible to the Windows API, but not on disk.

Path: F:\email copy
Status: Visible to the Windows API, but not on disk.

Path: F:\Ian
Status: Visible to the Windows API, but not on disk.

Path: F:\Kirov Orchestra-Valery Gergiev
Status: Visible to the Windows API, but not on disk.

Path: F:\dissertation
Status: Visible to the Windows API, but not on disk.

Path: F:\40
Status: Visible to the Windows API, but not on disk.

Path: F:\My Music
Status: Visible to the Windows API, but not on disk.

Path: F:\SDRG
Status: Visible to the Windows API, but not on disk.

Path: F:\Chronolog.doc
Status: Visible to the Windows API, but not on disk.

Path: F:\mediation.doc
Status: Visible to the Windows API, but not on disk.

Path: F:\ParadiseBeach_RU_090629.zip
Status: Visible to the Windows API, but not on disk.

Path: F:\temp
Status: Visible to the Windows API, but not on disk.

Path: F:\Robot.Chicken.Star.Wars.Episode.II.PDTV.XviD-aAF.avi
Status: Visible to the Windows API, but not on disk.

Path: F:\Nouvelle Vague
Status: Visible to the Windows API, but not on disk.

Path: F:\Depesha.rar
Status: Visible to the Windows API, but not on disk.

Path: F:\П.Т.В.П
Status: Visible to the Windows API, but not on disk.

Path: F:\Кино
Status: Visible to the Windows API, but not on disk.

Path: F:\Ленинград
Status: Visible to the Windows API, but not on disk.

Path: F:\Photos4Karen
Status: Visible to the Windows API, but not on disk.

Path: F:\UBCD4WinV350.exe
Status: Visible to the Windows API, but not on disk.

Path: F:\UBCD4Win
Status: Visible to the Windows API, but not on disk.

Path: F:\ComboFix.exe
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba95c6b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba95c574

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba95ca52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba95c14c

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba95c64e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba95c08c

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba95c0f0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba95c76e

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba95c72e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba95c8ae

==EOF==


And for good measure (because I saw someone else with an MBR rootkit was asked for one), an MBR log from Gmer and a Gmer scan:


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-04 23:15:30
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Karen\LOCALS~1\Temp\awtdypob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xBA88F6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xBA88F574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xBA88FA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xBA88F14C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xBA88F64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xBA88F08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xBA88F0F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xBA88F76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xBA88F72E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xBA88F8AE]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xBA89882E]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xBA898678]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xBA8987AC]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{2DA93FC2-192D-002B-F974-1CAF66C808E2}\InprocHandler32@ ole32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{2DA93FC2-192D-002B-F974-1CAF66C808E2}\InProcServer32@Assembly Microsoft.Office.Interop.Word, Version=11.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c
Reg HKLM\SOFTWARE\Classes\CLSID\{2DA93FC2-192D-002B-F974-1CAF66C808E2}\InProcServer32@Class Microsoft.Office.Interop.Word.ApplicationClass
Reg HKLM\SOFTWARE\Classes\CLSID\{2DA93FC2-192D-002B-F974-1CAF66C808E2}\InProcServer32@RuntimeVersion v1.1.4322
Reg HKLM\SOFTWARE\Classes\CLSID\{2DA93FC2-192D-002B-F974-1CAF66C808E2}\InProcServer32\11.0.0.0
Reg HKLM\SOFTWARE\Classes\CLSID\{2DA93FC2-192D-002B-F974-1CAF66C808E2}\InProcServer32\11.0.0.0@Class Microsoft.Office.Interop.Word.ApplicationClass
Reg HKLM\SOFTWARE\Classes\CLSID\{2DA93FC2-192D-002B-F974-1CAF66C808E2}\InProcServer32\11.0.0.0@RuntimeVersion v1.1.4322
Reg HKLM\SOFTWARE\Classes\CLSID\{2DA93FC2-192D-002B-F974-1CAF66C808E2}\InProcServer32\11.0.0.0@Assembly Microsoft.Office.Interop.Word, Version=11.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c
Reg HKLM\SOFTWARE\Classes\CLSID\{2DA93FC2-192D-002B-F974-1CAF66C808E2}\LocalServer32@ C:\PROGRA~1\MI1933~1\OFFICE11\WINWORD.EXE /Automation
Reg HKLM\SOFTWARE\Classes\CLSID\{2DA93FC2-192D-002B-F974-1CAF66C808E2}\LocalServer32@LocalServer32 ']gAVn-}f(ZXfeAR6.jiWORDFiles>P`os,1@SW=P7v6GPl]Xh /Automation?
Reg HKLM\SOFTWARE\Classes\CLSID\{2DA93FC2-192D-002B-F974-1CAF66C808E2}\ProgID@ Word.Application.11
Reg HKLM\SOFTWARE\Classes\CLSID\{2DA93FC2-192D-002B-F974-1CAF66C808E2}\VersionIndependentProgID@ Word.Application
Reg HKLM\SOFTWARE\Classes\CLSID\{7068F753-86F0-CAA4-2F34-A44A63EC61C9}\InprocServer32@Class Microsoft.Office.Interop.Publisher.ApplicationClass
Reg HKLM\SOFTWARE\Classes\CLSID\{7068F753-86F0-CAA4-2F34-A44A63EC61C9}\InprocServer32@Assembly Microsoft.Office.Interop.Publisher, Version=11.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c
Reg HKLM\SOFTWARE\Classes\CLSID\{7068F753-86F0-CAA4-2F34-A44A63EC61C9}\InprocServer32@RuntimeVersion v1.1.4322
Reg HKLM\SOFTWARE\Classes\CLSID\{7068F753-86F0-CAA4-2F34-A44A63EC61C9}\InprocServer32\11.0.0.0
Reg HKLM\SOFTWARE\Classes\CLSID\{7068F753-86F0-CAA4-2F34-A44A63EC61C9}\InprocServer32\11.0.0.0@Class Microsoft.Office.Interop.Publisher.ApplicationClass
Reg HKLM\SOFTWARE\Classes\CLSID\{7068F753-86F0-CAA4-2F34-A44A63EC61C9}\InprocServer32\11.0.0.0@Assembly Microsoft.Office.Interop.Publisher, Version=11.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c
Reg HKLM\SOFTWARE\Classes\CLSID\{7068F753-86F0-CAA4-2F34-A44A63EC61C9}\InprocServer32\11.0.0.0@RuntimeVersion v1.1.4322
Reg HKLM\SOFTWARE\Classes\CLSID\{7068F753-86F0-CAA4-2F34-A44A63EC61C9}\LocalServer32@ C:\PROGRA~1\MI1933~1\OFFICE11\MSPUB.EXE /Automation
Reg HKLM\SOFTWARE\Classes\CLSID\{7068F753-86F0-CAA4-2F34-A44A63EC61C9}\LocalServer32@LocalServer32 ']gAVn-}f(ZXfeAR6.jiPubPrimary>dic+V~SM09P_'_@$%)xK /Automation?
Reg HKLM\SOFTWARE\Classes\CLSID\{7068F753-86F0-CAA4-2F34-A44A63EC61C9}\NotInsertable@
Reg HKLM\SOFTWARE\Classes\CLSID\{7068F753-86F0-CAA4-2F34-A44A63EC61C9}\ProgID@ Publisher.Application.11
Reg HKLM\SOFTWARE\Classes\CLSID\{7068F753-86F0-CAA4-2F34-A44A63EC61C9}\Programmable@
Reg HKLM\SOFTWARE\Classes\CLSID\{7068F753-86F0-CAA4-2F34-A44A63EC61C9}\TypeLib@ {0002123C-0000-0000-C000-000000000046}
Reg HKLM\SOFTWARE\Classes\CLSID\{7068F753-86F0-CAA4-2F34-A44A63EC61C9}\VersionIndependentProgID@ Publisher.Application
Reg HKLM\SOFTWARE\Classes\CLSID\{942D82A5-DA03-640B-5E19-3CBD62700780}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
Reg HKLM\SOFTWARE\Classes\CLSID\{942D82A5-DA03-640B-5E19-3CBD62700780}\InprocServer32@ C:\Program Files\Microsoft AntiSpyware\gcAntiSpywareLibrary.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{942D82A5-DA03-640B-5E19-3CBD62700780}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{942D82A5-DA03-640B-5E19-3CBD62700780}\ProgID@ gcAntiSpywareLibrary.System
Reg HKLM\SOFTWARE\Classes\CLSID\{942D82A5-DA03-640B-5E19-3CBD62700780}\TypeLib@ {6B64D109-9674-4D70-8E63-EE0F9A7C9436}
Reg HKLM\SOFTWARE\Classes\CLSID\{942D82A5-DA03-640B-5E19-3CBD62700780}\VERSION@ 1.0
Reg HKLM\SOFTWARE\Classes\CLSID\{9890B33A-40C2-F9F0-A467-8C93174CDA20}\InProcServer32@ C:\WINDOWS\system32\msxml4.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{9890B33A-40C2-F9F0-A467-8C93174CDA20}\InProcServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{A2E9832F-4060-CF57-1A71-85123E949025}\InprocServer32@ C:\Program Files\Common Files\System\ado\msado15.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{A2E9832F-4060-CF57-1A71-85123E949025}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{A2E9832F-4060-CF57-1A71-85123E949025}\ProgID@ ADODB.Recordset.2.8
Reg HKLM\SOFTWARE\Classes\CLSID\{A2E9832F-4060-CF57-1A71-85123E949025}\VersionIndependentProgID@ ADODB.Recordset
Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\AuxUserType\2
Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\AuxUserType\2@ MIDI Sequence
Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\DataFormats\DefaultSet
Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\DataFormats\DefaultSet@ MIDFile
Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\DataFormats\GetSet
Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\DataFormats\GetSet\0
Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\DataFormats\GetSet\0@ Embed Source,1,8,1
Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\DataFormats\GetSet\1
Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\DataFormats\GetSet\1@ 3,1,32,1
Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\DataFormats\GetSet\2
Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\DataFormats\GetSet\2@ 8,1,1,1
Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\DefaultIcon@ mplay32.exe,5
Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}@
Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}@
Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\InprocHandler32@ ole32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\Insertable@
Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\LocalServer@ mplay32.exe /mid
Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\LocalServer32@ mplay32.exe /mid
Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\MiscStatus@ 0
Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\PersistentHandler@ {098f2470-bae0-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\ProgID@ MIDFile
Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\verb\0
Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\verb\0@ &Play,0,3
Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\verb\1
Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\verb\1@ &Edit,0,2
Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\verb\2
Reg HKLM\SOFTWARE\Classes\CLSID\{E553DAF6-FCA6-C8B7-70AE-3045F402CE4A}\verb\2@ &Open,0,2

---- Files - GMER 1.0.15 ----

File C:\Program Files\Java\jre1.5.0_08\lib\cmm\CIEXYZ.pf 51236 bytes
File C:\Program Files\Java\jre1.5.0_08\lib\cmm\GRAY.pf 632 bytes
File C:\Program Files\Java\jre1.5.0_08\lib\cmm\LINEAR_RGB.pf 1044 bytes
File C:\Program Files\Java\jre1.5.0_08\lib\cmm\sRGB.pf 150368 bytes
File C:\Program Files\Java\jre1.5.0_08\lib\ext\dnsns.jar 8176 bytes
File C:\Program Files\Java\jre1.5.0_08\lib\ext\localedata.jar 797269 bytes
File C:\Program Files\Java\jre1.5.0_08\lib\ext\sunjce_provider.jar 158417 bytes
File C:\Program Files\Java\jre1.5.0_08\lib\ext\sunpkcs11.jar 175811 bytes
File C:\Program Files\Java\jre1.5.0_08\lib\im\indicim.jar 10233 bytes
File C:\Program Files\Java\jre1.5.0_08\lib\im\thaiim.jar 7945 bytes
File C:\Program Files\Java\jre1.5.0_08\lib\images\cursors 0 bytes
File C:\Program Files\Java\jre1.5.0_08\lib\images\cursors\cursors.properties 1318 bytes
File C:\Program Files\Java\jre1.5.0_08\lib\images\cursors\invalid32x32.gif 153 bytes
File C:\Program Files\Java\jre1.5.0_08\lib\images\cursors\win32_CopyDrop32x32.gif 165 bytes
File C:\Program Files\Java\jre1.5.0_08\lib\images\cursors\win32_CopyNoDrop32x32.gif 153 bytes
File C:\Program Files\Java\jre1.5.0_08\lib\images\cursors\win32_LinkDrop32x32.gif 168 bytes
File C:\Program Files\Java\jre1.5.0_08\lib\images\cursors\win32_LinkNoDrop32x32.gif 153 bytes
File C:\Program Files\Java\jre1.5.0_08\lib\images\cursors\win32_MoveDrop32x32.gif 147 bytes
File C:\Program Files\Java\jre1.5.0_08\lib\images\cursors\win32_MoveNoDrop32x32.gif 153 bytes

---- EOF - GMER 1.0.15 ----



#2 User is offline   Blind Faith 

  • Bleeping Cookie
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Study Hall Senior
  • Posts: 3,108
  • Joined: 15-October 08
  • Gender:Female
  • Location:I don't know.

Posted 14 January 2010 - 09:21 AM

Hello and welcome to Bleeping Computer! welcome.gif

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Elle
Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro?


If I haven't replied in 48 hours, please feel free to send me a PM.



Member of the Bleeping Computer A.I.I. early response team!


Posted Image

#3 User is offline   nerak 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 7
  • Joined: 23-December 09

Posted 19 January 2010 - 01:54 AM

New DDS scan:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Karen at 22:45:17.02 on Mon 01/18/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.216 [GMT -8:00]

AV: avast! antivirus 4.8.1368 [VPS 100118-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\IT Connection Manager\SRUserService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Windows Home Server\WHSConnector.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Karen\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: del.icio.us Toolbar Helper: {7aa07ae6-01ef-44ec-93ca-9d7cd41ccdb6} - c:\program files\del.icio.us\internet explorer buttons\dlcsIE.dll
BHO: BrowserHelper Class: {9a065c65-4ee7-4ddd-9918-f129089a894a} - c:\program files\windows home server\WHSDeskBands.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Microsoft Web Test Recorder 9.0 Helper: {e31ce47f-c268-41ba-897b-b415e613947d} - c:\program files\microsoft visual studio 9.0\common7

\ide\privateassemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO90.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: del.icio.us: {981fe6a8-260c-4930-960f-c3bc82746cb0} - c:\program files\del.icio.us\internet explorer buttons\dlcsIE.dll
TB: Home Server Banner: {d73e76a3-f902-45bd-8fc8-95ae8e014671} - c:\program files\windows home server\WHSDeskBands.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Web Test Recorder 9.0: {3c7adade-d1e8-45d2-bdcd-7f8d8b99b2a2} - mscoree.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [PRONoMgr.exe] c:\program files\intel\prosetwireless\ncs\proset\PRONoMgr.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [gemstrmw] c:\windows\system32\gemstrmw.exe /r
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\WINDOW~1.LNK -
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - hxxps://ra.qwest.com/sdccommon/download/tgctlins.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/0/f/b/0fb0fab9-7f09-4bb6-86d8-8e791ba99ac5/VirtualEarth3D.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {3D19135C-6D38-44AD-80F0-D9318F48726D} - hxxp://rcps1.onvoip.net/commpilot/customcontrols/BwOutlook.CAB
DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - hxxp://moneycentral.msn.com/cabs/pmupd806.exe
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
DPF: {4BFC73A6-F8AE-42B3-AAEC-792C3CF0B418} - hxxp://sg60.oar.net/VCGSU.CAB
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://spaces.msn.com//PhotoUpload/MsnPUpld.cab
DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} - hxxp://fdl.msn.com/public/investor/v13/invinstl.exe
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143695995500
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://zone.msn.com/bingame/amun/default/mjolauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} - hxxp://www.costcophotocenter.com/CostcoUpload.cab
DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} - hxxp://moneycentral.msn.com/cabs/webinst.exe
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} - hxxp://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/popcaploader_v10.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\karen\applic~1\mozilla\firefox\profiles\obv2pnm4.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation

foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-19 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-19 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-11-19 138680]
R2 SRUserService;IT Connection Manager;c:\program files\it connection manager\SRUserService.exe [2005-5-26 260232]
R2 WHSConnector;Windows Home Server Connector Service;c:\program files\windows home server\WHSConnector.exe [2009-4-20 335728]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-11-19 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-11-19 352920]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [1979-12-31 92550]
S2 gupdate1ca6cc0e5923760;Google Update Service (gupdate1ca6cc0e5923760);c:\program files\google\update\GoogleUpdate.exe [2009-11-23 133104]
S3 GEMPCC;Gemplus GemPC400 PCMCIA Smart Card Reader;c:\windows\system32\drivers\gempcc.sys [2004-10-8 18464]
S3 GPR400;GEMPLUS GPR400 PCMCIA Smart Card Reader;c:\windows\system32\drivers\gpr400.sys [2004-10-8 17408]
S3 VSPerfDrv90;Performance Tools Driver 9.0;c:\program files\microsoft visual studio 9.0\team tools\performance tools\VSPerfDrv90.sys [2007-9-4 55664]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe" /service msvsmon80 --> c:\program

files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [?]

=============== Created Last 30 ================

2010-01-14 03:33:41 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-04 01:21:52 0 dc----w- c:\program files\Trend Micro

==================== Find3M ====================

2010-01-14 19:12:06 181120 -c----w- c:\windows\system32\MpSigStub.exe
2009-10-29 07:45:38 916480 -c--a-w- c:\windows\system32\wininet.dll
2008-09-05 05:34:27 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090420080905\index.dat

============= FINISH: 22:46:46.05 ===============

Attached File(s)


#4 User is offline   sundavis 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 2,648
  • Joined: 11-August 07
  • Gender:Not Telling

Posted 19 January 2010 - 12:35 PM

Hi nerak,



Welcome to BleepingComputer HijackThis Logs and Malware Removal, welcome.gif
My name is sundavis, I will be helping you to deal with your Malware problems today.


Step1

Start RootRepeal from your desktop, and rescan your computer as instructed in this thread .

When done, click Files tap in the bottom right and locate File Path: Volume D:\ and Status: MBR Rootkit Detected!

Right click Volume D:\ , and select Restore and Reboot Immediately as instructed in this thread . Repeat the process with Volume F:\ . After that, rescan the computer and post the contents in your next reply.


Step2
  1. Go to this thread and Download TDSSKiller.zip to your Desktop.
  2. Extract its contents to your desktop and drag TDSSKiller.exe on the desktop, not in the folder.
  3. Start > Run and copy/paste the following bolded command into run box and hit Enter.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  4. If TDSSKiller alerts you that the system needs to reboot, please consent.
  5. When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.

In your next reply, please post back:

1.RootRepeal log
2.TDSSKiller log Thanks


#5 User is offline   nerak 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 7
  • Joined: 23-December 09

Posted 24 January 2010 - 11:32 PM

RootRepeal log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/19 22:22
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAE3D8000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A25000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAA4F5000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\karen\local settings\temp\~df8105.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\karen\local settings\temporary internet files\content.ie5\index.dat
Status: Allocation size mismatch (API: 2113536, Raw: 2117632)

Path: c:\documents and settings\karen\local settings\temporary internet files\content.ie5\t149k963\solutions[1].htm
Status: Allocation size mismatch (API: 20480, Raw: 4096)

Path: Volume D:\
Status: MBR Rootkit Detected!

Path: Volume D:\, Sector 62
Status: Sector mismatch

Path: D:\FOUND.000
Status: Visible to the Windows API, but not on disk.

Path: D:\autorun.inf
Status: Visible to the Windows API, but not on disk.

Path: D:\Install.ini
Status: Visible to the Windows API, but not on disk.

Path: D:\JSTART.exe
Status: Visible to the Windows API, but not on disk.

Path: D:\Launcher.exe
Status: Visible to the Windows API, but not on disk.

Path: D:\Setup.exe
Status: Visible to the Windows API, but not on disk.

Path: D:\WDInstaller.xml
Status: Visible to the Windows API, but not on disk.

Path: D:\WDSetup.exe
Status: Visible to the Windows API, but not on disk.

Path: D:\WDSync.exe
Status: Visible to the Windows API, but not on disk.

Path: D:\WD_Windows_Tools
Status: Visible to the Windows API, but not on disk.

Path: D:\WD_Mac_Tools
Status: Visible to the Windows API, but not on disk.

Path: D:\MioNet
Status: Visible to the Windows API, but not on disk.

Path: D:\Documentation
Status: Visible to the Windows API, but not on disk.

Path: D:\autorun
Status: Visible to the Windows API, but not on disk.

Path: D:\Install.log
Status: Visible to the Windows API, but not on disk.

Path: D:\wdEULA.log
Status: Visible to the Windows API, but not on disk.

Path: D:\wdstatus.log
Status: Visible to the Windows API, but not on disk.

Path: D:\System Volume Information
Status: Visible to the Windows API, but not on disk.

Path: D:\WD Sync Data
Status: Visible to the Windows API, but not on disk.

Path: D:\backup
Status: Visible to the Windows API, but not on disk.

Path: D:\ForGene
Status: Visible to the Windows API, but not on disk.

Path: D:\Recycled
Status: Visible to the Windows API, but not on disk.

Path: Volume F:\
Status: MBR Rootkit Detected!

Path: Volume F:\, Sector 1
Status: Sector mismatch

Path: Volume F:\, Sector 2
Status: Sector mismatch

Path: Volume F:\, Sector 3
Status: Sector mismatch

Path: Volume F:\, Sector 5
Status: Sector mismatch

Path: Volume F:\, Sector 6
Status: Sector mismatch

Path: Volume F:\, Sector 7
Status: Sector mismatch

Path: Volume F:\, Sector 8
Status: Sector mismatch

Path: Volume F:\, Sector 9
Status: Sector mismatch

Path: Volume F:\, Sector 11
Status: Sector mismatch

Path: Volume F:\, Sector 12
Status: Sector mismatch

Path: Volume F:\, Sector 13
Status: Sector mismatch

Path: Volume F:\, Sector 14
Status: Sector mismatch

Path: Volume F:\, Sector 15
Status: Sector mismatch

Path: Volume F:\, Sector 16
Status: Sector mismatch

Path: Volume F:\, Sector 19
Status: Sector mismatch

Path: Volume F:\, Sector 20
Status: Sector mismatch

Path: Volume F:\, Sector 21
Status: Sector mismatch

Path: Volume F:\, Sector 22
Status: Sector mismatch

Path: Volume F:\, Sector 23
Status: Sector mismatch

Path: Volume F:\, Sector 25
Status: Sector mismatch

Path: Volume F:\, Sector 26
Status: Sector mismatch

Path: Volume F:\, Sector 27
Status: Sector mismatch

Path: Volume F:\, Sector 28
Status: Sector mismatch

Path: Volume F:\, Sector 29
Status: Sector mismatch

Path: Volume F:\, Sector 30
Status: Sector mismatch

Path: Volume F:\, Sector 31
Status: Sector mismatch

Path: Volume F:\, Sector 32
Status: Sector mismatch

Path: Volume F:\, Sector 33
Status: Sector mismatch

Path: Volume F:\, Sector 34
Status: Sector mismatch

Path: Volume F:\, Sector 35
Status: Sector mismatch

Path: Volume F:\, Sector 36
Status: Sector mismatch

Path: Volume F:\, Sector 37
Status: Sector mismatch

Path: Volume F:\, Sector 38
Status: Sector mismatch

Path: Volume F:\, Sector 39
Status: Sector mismatch

Path: Volume F:\, Sector 40
Status: Sector mismatch

Path: Volume F:\, Sector 41
Status: Sector mismatch

Path: Volume F:\, Sector 42
Status: Sector mismatch

Path: Volume F:\, Sector 44
Status: Sector mismatch

Path: Volume F:\, Sector 45
Status: Sector mismatch

Path: Volume F:\, Sector 46
Status: Sector mismatch

Path: Volume F:\, Sector 47
Status: Sector mismatch

Path: Volume F:\, Sector 48
Status: Sector mismatch

Path: Volume F:\, Sector 49
Status: Sector mismatch

Path: Volume F:\, Sector 50
Status: Sector mismatch

Path: Volume F:\, Sector 51
Status: Sector mismatch

Path: Volume F:\, Sector 52
Status: Sector mismatch

Path: Volume F:\, Sector 53
Status: Sector mismatch

Path: Volume F:\, Sector 54
Status: Sector mismatch

Path: Volume F:\, Sector 55
Status: Sector mismatch

Path: Volume F:\, Sector 56
Status: Sector mismatch

Path: Volume F:\, Sector 57
Status: Sector mismatch

Path: Volume F:\, Sector 58
Status: Sector mismatch

Path: Volume F:\, Sector 59
Status: Sector mismatch

Path: Volume F:\, Sector 60
Status: Sector mismatch

Path: Volume F:\, Sector 61
Status: Sector mismatch

Path: Volume F:\, Sector 62
Status: Sector mismatch

Path: F:\.Trashes
Status: Visible to the Windows API, but not on disk.

Path: F:\autorun
Status: Visible to the Windows API, but not on disk.

Path: F:\System Volume Information
Status: Visible to the Windows API, but not on disk.

Path: F:\Karen Documents
Status: Visible to the Windows API, but not on disk.

Path: F:\Hdrive
Status: Visible to the Windows API, but not on disk.

Path: F:\New
Status: Visible to the Windows API, but not on disk.

Path: F:\autorun.inf.txt
Status: Visible to the Windows API, but not on disk.

Path: F:\Recycled
Status: Visible to the Windows API, but not on disk.

Path: F:\email copy
Status: Visible to the Windows API, but not on disk.

Path: F:\Ian
Status: Visible to the Windows API, but not on disk.

Path: F:\Kirov Orchestra-Valery Gergiev
Status: Visible to the Windows API, but not on disk.

Path: F:\dissertation
Status: Visible to the Windows API, but not on disk.

Path: F:\40
Status: Visible to the Windows API, but not on disk.

Path: F:\My Music
Status: Visible to the Windows API, but not on disk.

Path: F:\SDRG
Status: Visible to the Windows API, but not on disk.

Path: F:\Chronolog.doc
Status: Visible to the Windows API, but not on disk.

Path: F:\mediation.doc
Status: Visible to the Windows API, but not on disk.

Path: F:\ParadiseBeach_RU_090629.zip
Status: Visible to the Windows API, but not on disk.

Path: F:\temp
Status: Visible to the Windows API, but not on disk.

Path: F:\Robot.Chicken.Star.Wars.Episode.II.PDTV.XviD-aAF.avi
Status: Visible to the Windows API, but not on disk.

Path: F:\Nouvelle Vague
Status: Visible to the Windows API, but not on disk.

Path: F:\Depesha.rar
Status: Visible to the Windows API, but not on disk.

Path: F:\П.Т.В.П
Status: Visible to the Windows API, but not on disk.

Path: F:\Кино
Status: Visible to the Windows API, but not on disk.

Path: F:\Ленинград
Status: Visible to the Windows API, but not on disk.

Path: F:\Photos4Karen
Status: Visible to the Windows API, but not on disk.

Path: F:\UBCD4WinV350.exe
Status: Visible to the Windows API, but not on disk.

Path: F:\UBCD4Win
Status: Visible to the Windows API, but not on disk.

Path: F:\ComboFix.exe
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba1626b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba162574

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba162a52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba16214c

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba16264e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba16208c

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba1620f0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba16276e

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba16272e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba1628ae

==EOF==


TDSSKiller log:

22:12:09:163 2336 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
22:12:09:163 2336 ================================================================================
22:12:09:163 2336 SystemInfo:

22:12:09:163 2336 OS Version: 5.1.2600 ServicePack: 3.0
22:12:09:163 2336 Product type: Workstation
22:12:09:163 2336 ComputerName: SRA_N1
22:12:09:163 2336 UserName: Karen
22:12:09:163 2336 Windows directory: C:\WINDOWS
22:12:09:163 2336 Processor architecture: Intel x86
22:12:09:163 2336 Number of processors: 1
22:12:09:163 2336 Page size: 0x1000
22:12:09:163 2336 Boot type: Normal boot
22:12:09:163 2336 ================================================================================
22:12:09:163 2336 UnloadDriverW: NtUnloadDriver error 2
22:12:09:163 2336 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
22:12:09:163 2336 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
22:12:09:274 2336 UtilityInit: KLMD drop and load success
22:12:09:274 2336 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
22:12:09:274 2336 UtilityInit: KLMD open success
22:12:09:274 2336 UtilityInit: Initialize success
22:12:09:274 2336
22:12:09:274 2336 Scanning Services ...
22:12:09:274 2336 CreateRegParser: Registry parser init started
22:12:09:274 2336 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
22:12:09:274 2336 CreateRegParser: DisableWow64Redirection error
22:12:09:274 2336 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
22:12:09:274 2336 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
22:12:09:274 2336 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
22:12:09:274 2336 wfopen_ex: Trying to KLMD file open
22:12:09:274 2336 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
22:12:09:274 2336 wfopen_ex: File opened ok (Flags 2)
22:12:09:274 2336 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 394EE8
22:12:09:274 2336 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
22:12:09:274 2336 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
22:12:09:274 2336 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
22:12:09:274 2336 wfopen_ex: Trying to KLMD file open
22:12:09:274 2336 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
22:12:09:274 2336 wfopen_ex: File opened ok (Flags 2)
22:12:09:274 2336 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 394DD8
22:12:09:274 2336 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
22:12:09:274 2336 CreateRegParser: EnableWow64Redirection error
22:12:09:274 2336 CreateRegParser: RegParser init completed
22:12:10:025 2336 GetAdvancedServicesInfo: Raw services enum returned 387 services
22:12:10:035 2336 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
22:12:10:035 2336 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
22:12:10:035 2336
22:12:10:035 2336 Scanning Kernel memory ...
22:12:10:035 2336 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
22:12:10:035 2336 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 83BE61E0
22:12:10:035 2336 DetectCureTDL3: KLMD_GetDeviceObjectList returned 7 DevObjects
22:12:10:035 2336
22:12:10:035 2336 DetectCureTDL3: DEVICE_OBJECT: 82A24488
22:12:10:035 2336 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82A24488
22:12:10:035 2336 KLMD_ReadMem: Trying to ReadMemory 0x82A24488[0x38]
22:12:10:035 2336 DetectCureTDL3: DRIVER_OBJECT: 83BE61E0
22:12:10:035 2336 KLMD_ReadMem: Trying to ReadMemory 0x83BE61E0[0xA8]
22:12:10:035 2336 KLMD_ReadMem: Trying to ReadMemory 0xE190A490[0x18]
22:12:10:055 2336 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
22:12:10:055 2336 DetectCureTDL3: IrpHandler (0) addr: F74F5BB0
22:12:10:055 2336 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
22:12:10:055 2336 DetectCureTDL3: IrpHandler (2) addr: F74F5BB0
22:12:10:055 2336 DetectCureTDL3: IrpHandler (3) addr: F74EFD1F
22:12:10:055 2336 DetectCureTDL3: IrpHandler (4) addr: F74EFD1F
22:12:10:055 2336 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
22:12:10:055 2336 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
22:12:10:055 2336 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
22:12:10:055 2336 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
22:12:10:055 2336 DetectCureTDL3: IrpHandler (9) addr: F74F02E2
22:12:10:055 2336 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
22:12:10:055 2336 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
22:12:10:055 2336 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
22:12:10:055 2336 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
22:12:10:055 2336 DetectCureTDL3: IrpHandler (14) addr: F74F03BB
22:12:10:055 2336 DetectCureTDL3: IrpHandler (15) addr: F74F3F28
22:12:10:055 2336 DetectCureTDL3: IrpHandler (16) addr: F74F02E2
22:12:10:055 2336 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
22:12:10:055 2336 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
22:12:10:055 2336 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
22:12:10:055 2336 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
22:12:10:055 2336 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
22:12:10:055 2336 DetectCureTDL3: IrpHandler (22) addr: F74F1C82
22:12:10:055 2336 DetectCureTDL3: IrpHandler (23) addr: F74F699E
22:12:10:055 2336 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
22:12:10:055 2336 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
22:12:10:055 2336 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
22:12:10:055 2336 TDL3_FileDetect: Processing driver: Disk
22:12:10:055 2336 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
22:12:10:055 2336 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
22:12:10:055 2336 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
22:12:10:055 2336
22:12:10:055 2336 DetectCureTDL3: DEVICE_OBJECT: 82A64030
22:12:10:055 2336 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82A64030
22:12:10:055 2336 DetectCureTDL3: DEVICE_OBJECT: 82ACA940
22:12:10:055 2336 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82ACA940
22:12:10:055 2336 KLMD_ReadMem: Trying to ReadMemory 0x82ACA940[0x38]
22:12:10:055 2336 DetectCureTDL3: DRIVER_OBJECT: 839D8B10
22:12:10:055 2336 KLMD_ReadMem: Trying to ReadMemory 0x839D8B10[0xA8]
22:12:10:055 2336 KLMD_ReadMem: Trying to ReadMemory 0xE2B6A148[0x1E]
22:12:10:055 2336 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
22:12:10:055 2336 DetectCureTDL3: IrpHandler (0) addr: BA41F218
22:12:10:055 2336 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
22:12:10:055 2336 DetectCureTDL3: IrpHandler (2) addr: BA41F218
22:12:10:055 2336 DetectCureTDL3: IrpHandler (3) addr: BA41F23C
22:12:10:055 2336 DetectCureTDL3: IrpHandler (4) addr: BA41F23C
22:12:10:055 2336 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
22:12:10:055 2336 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
22:12:10:055 2336 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
22:12:10:055 2336 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
22:12:10:055 2336 DetectCureTDL3: IrpHandler (9) addr: 804FA87E
22:12:10:055 2336 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
22:12:10:055 2336 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
22:12:10:055 2336 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
22:12:10:055 2336 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
22:12:10:055 2336 DetectCureTDL3: IrpHandler (14) addr: BA41F180
22:12:10:055 2336 DetectCureTDL3: IrpHandler (15) addr: BA41A9E6
22:12:10:055 2336 DetectCureTDL3: IrpHandler (16) addr: 804FA87E
22:12:10:055 2336 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
22:12:10:065 2336 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
22:12:10:065 2336 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
22:12:10:065 2336 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
22:12:10:065 2336 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
22:12:10:065 2336 DetectCureTDL3: IrpHandler (22) addr: BA41E5F0
22:12:10:065 2336 DetectCureTDL3: IrpHandler (23) addr: BA41CA6E
22:12:10:065 2336 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
22:12:10:065 2336 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
22:12:10:065 2336 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
22:12:10:065 2336 KLMD_ReadMem: Trying to ReadMemory 0xBA41BF26[0x400]
22:12:10:065 2336 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
22:12:10:065 2336 TDL3_FileDetect: Processing driver: USBSTOR
22:12:10:065 2336 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
22:12:10:065 2336 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
22:12:10:075 2336 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
22:12:10:075 2336
22:12:10:075 2336 DetectCureTDL3: DEVICE_OBJECT: 82A59B60
22:12:10:075 2336 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82A59B60
22:12:10:075 2336 KLMD_ReadMem: Trying to ReadMemory 0x82A59B60[0x38]
22:12:10:075 2336 DetectCureTDL3: DRIVER_OBJECT: 83BE61E0
22:12:10:075 2336 KLMD_ReadMem: Trying to ReadMemory 0x83BE61E0[0xA8]
22:12:10:075 2336 KLMD_ReadMem: Trying to ReadMemory 0xE190A490[0x18]
22:12:10:075 2336 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
22:12:10:075 2336 DetectCureTDL3: IrpHandler (0) addr: F74F5BB0
22:12:10:075 2336 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (2) addr: F74F5BB0
22:12:10:075 2336 DetectCureTDL3: IrpHandler (3) addr: F74EFD1F
22:12:10:075 2336 DetectCureTDL3: IrpHandler (4) addr: F74EFD1F
22:12:10:075 2336 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (9) addr: F74F02E2
22:12:10:075 2336 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (14) addr: F74F03BB
22:12:10:075 2336 DetectCureTDL3: IrpHandler (15) addr: F74F3F28
22:12:10:075 2336 DetectCureTDL3: IrpHandler (16) addr: F74F02E2
22:12:10:075 2336 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (22) addr: F74F1C82
22:12:10:075 2336 DetectCureTDL3: IrpHandler (23) addr: F74F699E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
22:12:10:075 2336 TDL3_FileDetect: Processing driver: Disk
22:12:10:075 2336 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
22:12:10:075 2336 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
22:12:10:075 2336 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
22:12:10:075 2336
22:12:10:075 2336 DetectCureTDL3: DEVICE_OBJECT: 82A18840
22:12:10:075 2336 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82A18840
22:12:10:075 2336 DetectCureTDL3: DEVICE_OBJECT: 82A0EEA0
22:12:10:075 2336 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82A0EEA0
22:12:10:075 2336 KLMD_ReadMem: Trying to ReadMemory 0x82A0EEA0[0x38]
22:12:10:075 2336 DetectCureTDL3: DRIVER_OBJECT: 839D8B10
22:12:10:075 2336 KLMD_ReadMem: Trying to ReadMemory 0x839D8B10[0xA8]
22:12:10:075 2336 KLMD_ReadMem: Trying to ReadMemory 0xE2B6A148[0x1E]
22:12:10:075 2336 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
22:12:10:075 2336 DetectCureTDL3: IrpHandler (0) addr: BA41F218
22:12:10:075 2336 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (2) addr: BA41F218
22:12:10:075 2336 DetectCureTDL3: IrpHandler (3) addr: BA41F23C
22:12:10:075 2336 DetectCureTDL3: IrpHandler (4) addr: BA41F23C
22:12:10:075 2336 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (9) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (14) addr: BA41F180
22:12:10:075 2336 DetectCureTDL3: IrpHandler (15) addr: BA41A9E6
22:12:10:075 2336 DetectCureTDL3: IrpHandler (16) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (22) addr: BA41E5F0
22:12:10:075 2336 DetectCureTDL3: IrpHandler (23) addr: BA41CA6E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
22:12:10:075 2336 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
22:12:10:075 2336 KLMD_ReadMem: Trying to ReadMemory 0xBA41BF26[0x400]
22:12:10:075 2336 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
22:12:10:075 2336 TDL3_FileDetect: Processing driver: USBSTOR
22:12:10:075 2336 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
22:12:10:075 2336 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
22:12:10:075 2336 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
22:12:10:075 2336
22:12:10:075 2336 DetectCureTDL3: DEVICE_OBJECT: 83B59C68
22:12:10:085 2336 KLMD_GetLowerDeviceObject: Trying to get lower device object for 83B59C68
22:12:10:085 2336 KLMD_ReadMem: Trying to ReadMemory 0x83B59C68[0x38]
22:12:10:085 2336 DetectCureTDL3: DRIVER_OBJECT: 83BE61E0
22:12:10:085 2336 KLMD_ReadMem: Trying to ReadMemory 0x83BE61E0[0xA8]
22:12:10:085 2336 KLMD_ReadMem: Trying to ReadMemory 0xE190A490[0x18]
22:12:10:085 2336 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
22:12:10:085 2336 DetectCureTDL3: IrpHandler (0) addr: F74F5BB0
22:12:10:085 2336 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (2) addr: F74F5BB0
22:12:10:085 2336 DetectCureTDL3: IrpHandler (3) addr: F74EFD1F
22:12:10:085 2336 DetectCureTDL3: IrpHandler (4) addr: F74EFD1F
22:12:10:085 2336 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (9) addr: F74F02E2
22:12:10:085 2336 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (14) addr: F74F03BB
22:12:10:085 2336 DetectCureTDL3: IrpHandler (15) addr: F74F3F28
22:12:10:085 2336 DetectCureTDL3: IrpHandler (16) addr: F74F02E2
22:12:10:085 2336 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (22) addr: F74F1C82
22:12:10:085 2336 DetectCureTDL3: IrpHandler (23) addr: F74F699E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
22:12:10:085 2336 TDL3_FileDetect: Processing driver: Disk
22:12:10:085 2336 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
22:12:10:085 2336 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
22:12:10:085 2336 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
22:12:10:085 2336
22:12:10:085 2336 DetectCureTDL3: DEVICE_OBJECT: 83BCB9F0
22:12:10:085 2336 KLMD_GetLowerDeviceObject: Trying to get lower device object for 83BCB9F0
22:12:10:085 2336 KLMD_ReadMem: Trying to ReadMemory 0x83BCB9F0[0x38]
22:12:10:085 2336 DetectCureTDL3: DRIVER_OBJECT: 83BE61E0
22:12:10:085 2336 KLMD_ReadMem: Trying to ReadMemory 0x83BE61E0[0xA8]
22:12:10:085 2336 KLMD_ReadMem: Trying to ReadMemory 0xE190A490[0x18]
22:12:10:085 2336 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
22:12:10:085 2336 DetectCureTDL3: IrpHandler (0) addr: F74F5BB0
22:12:10:085 2336 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (2) addr: F74F5BB0
22:12:10:085 2336 DetectCureTDL3: IrpHandler (3) addr: F74EFD1F
22:12:10:085 2336 DetectCureTDL3: IrpHandler (4) addr: F74EFD1F
22:12:10:085 2336 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (9) addr: F74F02E2
22:12:10:085 2336 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (14) addr: F74F03BB
22:12:10:085 2336 DetectCureTDL3: IrpHandler (15) addr: F74F3F28
22:12:10:085 2336 DetectCureTDL3: IrpHandler (16) addr: F74F02E2
22:12:10:085 2336 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (22) addr: F74F1C82
22:12:10:085 2336 DetectCureTDL3: IrpHandler (23) addr: F74F699E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
22:12:10:085 2336 TDL3_FileDetect: Processing driver: Disk
22:12:10:085 2336 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
22:12:10:085 2336 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
22:12:10:085 2336 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
22:12:10:085 2336
22:12:10:085 2336 DetectCureTDL3: DEVICE_OBJECT: 83BCDAB8
22:12:10:085 2336 KLMD_GetLowerDeviceObject: Trying to get lower device object for 83BCDAB8
22:12:10:085 2336 DetectCureTDL3: DEVICE_OBJECT: 83BE4D98
22:12:10:085 2336 KLMD_GetLowerDeviceObject: Trying to get lower device object for 83BE4D98
22:12:10:085 2336 KLMD_ReadMem: Trying to ReadMemory 0x83BE4D98[0x38]
22:12:10:085 2336 DetectCureTDL3: DRIVER_OBJECT: 83BA1388
22:12:10:085 2336 KLMD_ReadMem: Trying to ReadMemory 0x83BA1388[0xA8]
22:12:10:085 2336 KLMD_ReadMem: Trying to ReadMemory 0xE18B5F50[0x1A]
22:12:10:085 2336 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
22:12:10:085 2336 DetectCureTDL3: IrpHandler (0) addr: F74046F2
22:12:10:085 2336 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (2) addr: F74046F2
22:12:10:085 2336 DetectCureTDL3: IrpHandler (3) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (4) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (9) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (14) addr: F7404712
22:12:10:085 2336 DetectCureTDL3: IrpHandler (15) addr: F7400852
22:12:10:085 2336 DetectCureTDL3: IrpHandler (16) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (22) addr: F740473C
22:12:10:085 2336 DetectCureTDL3: IrpHandler (23) addr: F740B336
22:12:10:085 2336 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
22:12:10:085 2336 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
22:12:10:085 2336 KLMD_ReadMem: Trying to ReadMemory 0xF7401864[0x400]
22:12:10:085 2336 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
22:12:10:085 2336 TDL3_FileDetect: Processing driver: atapi
22:12:10:085 2336 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
22:12:10:085 2336 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
22:12:10:105 2336 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
22:12:10:105 2336
22:12:10:105 2336 Completed
22:12:10:105 2336
22:12:10:105 2336 Results:
22:12:10:105 2336 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
22:12:10:105 2336 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
22:12:10:105 2336 File objects infected / cured / cured on reboot: 0 / 0 / 0
22:12:10:105 2336
22:12:10:105 2336 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
22:12:10:105 2336 UtilityDeinit: KLMD(ARK) unloaded successfully

#6 User is offline   sundavis 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 2,648
  • Joined: 11-August 07
  • Gender:Not Telling

Posted 25 January 2010 - 12:33 AM

Hi nerak,


Please rescan your pc with RootRepeal, click Files tap in the bottom right, and delete any Status: Sector mismatch by right click and select Force Delete in D:\ and F:\ and delete the following:

QUOTE
Path: D:\Install.ini
Status: Visible to the Windows API, but not on disk.

Path: D:\JSTART.exe
Status: Visible to the Windows API, but not on disk.

Path: D:\Launcher.exe
Status: Visible to the Windows API, but not on disk.


After that, Right click Volume D:\ and F:\ , and select Restore and Reboot Immediately one at a time.


Step1

Please download mbr.exe and save it to your desktop and cope this file to your D and F drive.

Start button >Run >Type cmd into the run box and press enter, and At the prompt type the following:
  1. D: <----Press Enter, it will bring you to D drive.
  2. At the D:\ command prompt type in mbr.exe - f (be sure to place a space after "mbr.exe") <---Press Enter
  3. Then type Exit <--Press Enter
  4. A log file will be produced and found at the root of the HDD were mbr.exe is saved (eg: D:\mbr.txt)
Please repeat the process with F drive and post the contents in your next reply.

Step2
  1. If you already have Combofix, please delete that copy and download it again as it's being updated regularly.
  2. Please visit this webpage for download links, and instructions for running the tool:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  3. Note: CombFix has recently been updated to include the option for installing the Recovery Console automatically. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  4. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  5. Click Yes to allow Combofix to continue scanning for malware.
  6. When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.
  7. Do not mouse click on Combofix while it is running. That may cause it to stall.


In your next reply, please post back:

1.RootRepeal log
2.MBR log
3.ComboFix log Thanks

#7 User is offline   nerak 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 7
  • Joined: 23-December 09

Posted 27 January 2010 - 09:19 PM

Hi Sundavis,

I'm not sure I understood these instructions:

"Please rescan your pc with RootRepeal, click Files tap in the bottom right, and delete any Status: Sector mismatch by right click and select Force Delete in D:\ and F:\ and delete the following:"

I did manage to delete the three files that were specified, but if you wanted me to delete things like Volume D:\,Sector 62, with a status of Sector Mismatch, I was unable to do so. Right-clicking on those rows in the Files tab didn't give me a menu. I do get an error when I start RootRepeal: Error - invalid PE image found! I tried downloading a fresh copy of RootRepeal, but I get the same error.

I was able to do everything else. Logs follow:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/27 15:39
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAEDF3000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xAF234000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xABCCC000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\perflib_perfdata_7e8.dat
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\karen\local settings\temp\~df23c8.tmp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\karen\local settings\temp\~df2501.tmp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\karen\local settings\temp\~df9997.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\karen\local settings\temp\~dfacff.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\karen\local settings\temporary internet files\content.ie5\pqaya5rs\ads[1].htm
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: c:\documents and settings\karen\local settings\application data\microsoft\internet explorer\recovery\active\{deec2fc4-0b9c-11df-a19b-000e35279845}.dat
Status: Allocation size mismatch (API: 20480, Raw: 12288)

Path: Volume D:\
Status: MBR Rootkit Detected!

Path: Volume D:\, Sector 62
Status: Sector mismatch

Path: D:\FOUND.000
Status: Visible to the Windows API, but not on disk.

Path: D:\Setup.exe
Status: Visible to the Windows API, but not on disk.

Path: D:\WDInstaller.xml
Status: Visible to the Windows API, but not on disk.

Path: D:\WDSetup.exe
Status: Visible to the Windows API, but not on disk.

Path: D:\WDSync.exe
Status: Visible to the Windows API, but not on disk.

Path: D:\WD_Windows_Tools
Status: Visible to the Windows API, but not on disk.

Path: D:\WD_Mac_Tools
Status: Visible to the Windows API, but not on disk.

Path: D:\MioNet
Status: Visible to the Windows API, but not on disk.

Path: D:\Documentation
Status: Visible to the Windows API, but not on disk.

Path: D:\autorun
Status: Visible to the Windows API, but not on disk.

Path: D:\Install.log
Status: Visible to the Windows API, but not on disk.

Path: D:\wdEULA.log
Status: Visible to the Windows API, but not on disk.

Path: D:\wdstatus.log
Status: Visible to the Windows API, but not on disk.

Path: D:\System Volume Information
Status: Visible to the Windows API, but not on disk.

Path: D:\WD Sync Data
Status: Visible to the Windows API, but not on disk.

Path: D:\backup
Status: Visible to the Windows API, but not on disk.

Path: D:\ForGene
Status: Visible to the Windows API, but not on disk.

Path: D:\Recycled
Status: Visible to the Windows API, but not on disk.

Path: D:\mbr.exe
Status: Visible to the Windows API, but not on disk.

Path: D:\mbr.log
Status: Visible to the Windows API, but not on disk.

Path: Volume F:\
Status: MBR Rootkit Detected!

Path: Volume F:\, Sector 1
Status: Sector mismatch

Path: Volume F:\, Sector 3
Status: Sector mismatch

Path: Volume F:\, Sector 4
Status: Sector mismatch

Path: Volume F:\, Sector 5
Status: Sector mismatch

Path: Volume F:\, Sector 6
Status: Sector mismatch

Path: Volume F:\, Sector 7
Status: Sector mismatch

Path: Volume F:\, Sector 8
Status: Sector mismatch

Path: Volume F:\, Sector 9
Status: Sector mismatch

Path: Volume F:\, Sector 10
Status: Sector mismatch

Path: Volume F:\, Sector 11
Status: Sector mismatch

Path: Volume F:\, Sector 12
Status: Sector mismatch

Path: Volume F:\, Sector 13
Status: Sector mismatch

Path: Volume F:\, Sector 14
Status: Sector mismatch

Path: Volume F:\, Sector 15
Status: Sector mismatch

Path: Volume F:\, Sector 16
Status: Sector mismatch

Path: Volume F:\, Sector 17
Status: Sector mismatch

Path: Volume F:\, Sector 18
Status: Sector mismatch

Path: Volume F:\, Sector 19
Status: Sector mismatch

Path: Volume F:\, Sector 20
Status: Sector mismatch

Path: Volume F:\, Sector 21
Status: Sector mismatch

Path: Volume F:\, Sector 22
Status: Sector mismatch

Path: Volume F:\, Sector 23
Status: Sector mismatch

Path: Volume F:\, Sector 24
Status: Sector mismatch

Path: Volume F:\, Sector 25
Status: Sector mismatch

Path: Volume F:\, Sector 26
Status: Sector mismatch

Path: Volume F:\, Sector 27
Status: Sector mismatch

Path: Volume F:\, Sector 28
Status: Sector mismatch

Path: Volume F:\, Sector 29
Status: Sector mismatch

Path: Volume F:\, Sector 31
Status: Sector mismatch

Path: Volume F:\, Sector 32
Status: Sector mismatch

Path: Volume F:\, Sector 33
Status: Sector mismatch

Path: Volume F:\, Sector 34
Status: Sector mismatch

Path: Volume F:\, Sector 35
Status: Sector mismatch

Path: Volume F:\, Sector 36
Status: Sector mismatch

Path: Volume F:\, Sector 37
Status: Sector mismatch

Path: Volume F:\, Sector 38
Status: Sector mismatch

Path: Volume F:\, Sector 39
Status: Sector mismatch

Path: Volume F:\, Sector 40
Status: Sector mismatch

Path: Volume F:\, Sector 41
Status: Sector mismatch

Path: Volume F:\, Sector 42
Status: Sector mismatch

Path: Volume F:\, Sector 43
Status: Sector mismatch

Path: Volume F:\, Sector 44
Status: Sector mismatch

Path: Volume F:\, Sector 45
Status: Sector mismatch

Path: Volume F:\, Sector 46
Status: Sector mismatch

Path: Volume F:\, Sector 47
Status: Sector mismatch

Path: Volume F:\, Sector 48
Status: Sector mismatch

Path: Volume F:\, Sector 49
Status: Sector mismatch

Path: Volume F:\, Sector 50
Status: Sector mismatch

Path: Volume F:\, Sector 51
Status: Sector mismatch

Path: Volume F:\, Sector 52
Status: Sector mismatch

Path: Volume F:\, Sector 53
Status: Sector mismatch

Path: Volume F:\, Sector 54
Status: Sector mismatch

Path: Volume F:\, Sector 55
Status: Sector mismatch

Path: Volume F:\, Sector 56
Status: Sector mismatch

Path: Volume F:\, Sector 57
Status: Sector mismatch

Path: Volume F:\, Sector 58
Status: Sector mismatch

Path: Volume F:\, Sector 59
Status: Sector mismatch

Path: Volume F:\, Sector 60
Status: Sector mismatch

Path: Volume F:\, Sector 61
Status: Sector mismatch

Path: Volume F:\, Sector 62
Status: Sector mismatch

Path: F:\.Trashes
Status: Visible to the Windows API, but not on disk.

Path: F:\autorun
Status: Visible to the Windows API, but not on disk.

Path: F:\System Volume Information
Status: Visible to the Windows API, but not on disk.

Path: F:\Karen Documents
Status: Visible to the Windows API, but not on disk.

Path: F:\Hdrive
Status: Visible to the Windows API, but not on disk.

Path: F:\New
Status: Visible to the Windows API, but not on disk.

Path: F:\autorun.inf.txt
Status: Visible to the Windows API, but not on disk.

Path: F:\Recycled
Status: Visible to the Windows API, but not on disk.

Path: F:\email copy
Status: Visible to the Windows API, but not on disk.

Path: F:\Ian
Status: Visible to the Windows API, but not on disk.

Path: F:\Kirov Orchestra-Valery Gergiev
Status: Visible to the Windows API, but not on disk.

Path: F:\dissertation
Status: Visible to the Windows API, but not on disk.

Path: F:\40
Status: Visible to the Windows API, but not on disk.

Path: F:\My Music
Status: Visible to the Windows API, but not on disk.

Path: F:\SDRG
Status: Visible to the Windows API, but not on disk.

Path: F:\Chronolog.doc
Status: Visible to the Windows API, but not on disk.

Path: F:\mediation.doc
Status: Visible to the Windows API, but not on disk.

Path: F:\ParadiseBeach_RU_090629.zip
Status: Visible to the Windows API, but not on disk.

Path: F:\temp
Status: Visible to the Windows API, but not on disk.

Path: F:\Robot.Chicken.Star.Wars.Episode.II.PDTV.XviD-aAF.avi
Status: Visible to the Windows API, but not on disk.

Path: F:\Nouvelle Vague
Status: Visible to the Windows API, but not on disk.

Path: F:\Depesha.rar
Status: Visible to the Windows API, but not on disk.

Path: F:\П.Т.В.П
Status: Visible to the Windows API, but not on disk.

Path: F:\Кино
Status: Visible to the Windows API, but not on disk.

Path: F:\Ленинград
Status: Visible to the Windows API, but not on disk.

Path: F:\Photos4Karen
Status: Visible to the Windows API, but not on disk.

Path: F:\UBCD4WinV350.exe
Status: Visible to the Windows API, but not on disk.

Path: F:\UBCD4Win
Status: Visible to the Windows API, but not on disk.

Path: F:\ComboFix.exe
Status: Visible to the Windows API, but not on disk.

Path: F:\mbr.exe
Status: Visible to the Windows API, but not on disk.

Path: F:\mbr.log
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba9d56b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba9d5574

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba9d5a52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba9d514c

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba9d564e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba9d508c

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba9d50f0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba9d576e

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba9d572e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xba9d58ae

==EOF==


MBR scan log for D:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK


MBR scan log for F:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK


ComboFix log:

ComboFix 10-01-26.02 - Karen 01/26/2010 23:02:09.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.311 [GMT -8:00]
Running from: c:\documents and settings\Karen\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100126-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Downloaded Program Files\Temp
c:\windows\EventSystem.log
c:\windows\system32\_000054_.tmp.dll
c:\windows\system32\comrepl.exe
c:\windows\system32\drivers\fad.sys
D:\autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-12-27 to 2010-01-27 )))))))))))))))))))))))))))))))
.

2010-01-14 03:33 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-04 04:03 . 2010-01-04 04:03 -------- dcsh--w- c:\documents and settings\NetworkService\IETldCache
2010-01-04 01:21 . 2010-01-04 01:21 -------- dc----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-26 06:13 . 2008-01-31 03:50 -------- dc----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-01-22 02:35 . 2007-11-02 06:31 -------- dc----w- c:\program files\Microsoft Silverlight
2010-01-14 19:12 . 2009-11-19 04:14 181120 -c----w- c:\windows\system32\MpSigStub.exe
2010-01-14 06:42 . 2004-10-09 08:57 -------- dc----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-07 00:03 . 2006-06-05 04:19 -------- dc----w- c:\program files\Google
2009-12-21 19:14 . 2004-02-06 23:05 916480 -c--a-w- c:\windows\system32\wininet.dll
2009-12-06 20:07 . 2005-06-05 18:26 115984 -c--a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-01 15:14 . 2009-12-01 15:14 -------- dc----w- c:\documents and settings\Karen\Application Data\Malwarebytes
2009-12-01 15:13 . 2009-12-01 15:13 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-01 15:13 . 2009-12-01 15:13 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-24 23:54 . 2009-11-20 06:44 1280480 -c--a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2009-11-20 06:44 93424 -c--a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:49 . 2009-11-20 06:45 48560 -c--a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-11-20 06:45 23120 -c--a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-11-20 06:45 27408 -c--a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2009-11-20 06:44 97480 -c--a-w- c:\windows\system32\AvastSS.scr
2009-11-24 04:12 . 2009-11-24 04:12 152576 -c--a-w- c:\documents and settings\Karen\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-24 04:12 . 2009-11-23 07:00 79488 -c--a-w- c:\documents and settings\Karen\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-21 15:51 . 2002-08-29 10:00 471552 -c--a-w- c:\windows\AppPatch\aclayers.dll
2009-11-20 11:13 . 2008-06-12 09:05 18368 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll
2009-11-20 11:12 . 2008-06-12 09:05 2031040 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\visualstudio\9.0\1033\ResourceCache.dll
2009-11-20 05:31 . 2004-07-09 15:47 115984 -c--a-w- c:\documents and settings\Karen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2004-11-07 20:58 . 2004-11-30 08:49 44151 -c--a-w- c:\program files\mozilla firefox\components\inspector.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-31 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-02-02 155648]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"PRONoMgr.exe"="c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-19 86016]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-06 339968]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-12-12 217088]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 53248]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"gemstrmw"="c:\windows\system32\gemstrmw.exe" [2003-08-30 24576]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-10 28672]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-04 98304]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2007-11-16 166304]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-24 198160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-01-13 20:17 110592 ----a-w- c:\windows\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"quickcare"=c:\program files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Home Server\\Discovery.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 aswSP;avast! Self Protection;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [11/19/2009 10:44 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [11/19/2009 10:44 PM 20560]
R2 SRUserService;IT Connection Manager;c:\program files\IT Connection Manager\SRUserService.exe [5/26/2005 8:00 PM 260232]
R2 WHSConnector;Windows Home Server Connector Service;c:\program files\Windows Home Server\WHSConnector.exe [4/20/2009 8:37 PM 335728]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\SYSTEM32\DRIVERS\ozscr.sys [12/31/1979 9:00 PM 92550]
S2 gupdate1ca6cc0e5923760;Google Update Service (gupdate1ca6cc0e5923760);c:\program files\Google\Update\GoogleUpdate.exe [11/23/2009 8:44 PM 133104]
S3 GEMPCC;Gemplus GemPC400 PCMCIA Smart Card Reader;c:\windows\SYSTEM32\DRIVERS\gempcc.sys [10/8/2004 4:08 PM 18464]
S3 GPR400;GEMPLUS GPR400 PCMCIA Smart Card Reader;c:\windows\SYSTEM32\DRIVERS\gpr400.sys [10/8/2004 2:50 PM 17408]
S3 VSPerfDrv90;Performance Tools Driver 9.0;c:\program files\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys [9/4/2007 3:53 PM 55664]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 --> c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-01-27 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-25 16:18]

2010-01-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-24 04:44]

2010-01-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-24 04:44]

2010-01-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

2010-01-27 c:\windows\Tasks\User_Feed_Synchronization-{32DC6D3C-29EB-4510-B479-10F41D74AF21}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - hxxps://ra.qwest.com/sdccommon/download/tgctlins.cab
DPF: {3D19135C-6D38-44AD-80F0-D9318F48726D} - hxxp://rcps1.onvoip.net/commpilot/customcontrols/BwOutlook.CAB
DPF: {4BFC73A6-F8AE-42B3-AAEC-792C3CF0B418} - hxxp://sg60.oar.net/VCGSU.CAB
FF - ProfilePath - c:\documents and settings\Karen\Application Data\Mozilla\Firefox\Profiles\obv2pnm4.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-26 23:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\LgNotify.dll
.
Completion time: 2010-01-26 23:22:48
ComboFix-quarantined-files.txt 2010-01-27 07:22

Pre-Run: 2,570,792,960 bytes free
Post-Run: 3,338,317,824 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 5C814AC257E1B0C4491E1508EC8AD3F9

Thanks,
Karen

#8 User is offline   sundavis 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 2,648
  • Joined: 11-August 07
  • Gender:Not Telling

Posted 27 January 2010 - 11:26 PM

Hi nerak,



QUOTE
Right-clicking on those rows in the Files tab didn't give me a menu.

That's ok. Sector mismatch might be the RP can't read or decipher the sector properly. Sometimes, MBR rootkit will have the same behavior. Therefore, RP reports it.

After mbr was applied to your external drives, it seemed to be fine. We can live with that. Let's scan the remnants with Kas Online Scanner. It will take some time to run the full course, Please be patient and do the following:

Please remove the following outdated javas via Add/Remove Programs and clear the java cache as instructed in this thread .

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1

After that, go into the Control Panel (Classic View) and double-click the Java Icon (looks like a coffee cup) to upgrade your java version.

Step1
  1. Please download Flash_Disinfector and save it to your desktop.
  2. Double click to run it.
  3. You will be prompted to plug in your flash drive. Remember to plug in the flash drive to disinfect as well.
  4. Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  5. When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  6. Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.
Step2

Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Step3

Please perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner.
  1. Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  2. Click Accept button on the "Requirements and limitations".
  3. When Java warning " The applcation digital signature has been verified. Do you want to run the application " appears, Click on "Run" button.
  4. It will be Downloading and installing the program and Updating the database.
  5. When Updating the database have finished, click on Settings.
  6. Make sure all boxes are checked. then click on the Save button.
  7. Click on My Computer under Scan menu. It will start scanning, so be patient and let it run.
  8. Once the scan is completed, Click on View Scan Report.
  9. You may see a list of infected items over there. Click on Save Report As.
  10. Click "Desktop" , Name the file as "KAS", Change the Files of type to Text file (.txt) and Click on Save button.
  11. Please post the contents in your next reply.
  12. You can refer to this animation
Note for Internet Explorer 8 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.



Please post back the logs in your next reply.

1.Kas Online Scan Report

Tell me if you have any remaining issues on your pc.

This post has been edited by sundavis: 27 January 2010 - 11:40 PM

#9 User is offline   nerak 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 7
  • Joined: 23-December 09

Posted 01 February 2010 - 10:38 AM

Well, the Kaspersky Online Scan seems to hang at about 20% of the way through. The first time it got 23% through and found a few suspicious files, but I couldn't get the report to come up to show me which ones they were.

I took note of where it hung the next time I tried, and it was on C:\WINDOWS\sprof32.dll, so I tried scanning that particular file, with no problems. Then when I tried scanning C:\WINDOWS, it hung at C:\WINDOWS\SoftwareDistribution\ScanFile\a774ea19-56b0-4706-9a41-452f04bbe281. I scanned C:\WINDOWS\SoftwareDistribution\ without a problem. But when I ran the full scan again it hung at the same place.

Any suggestions?

Karen

#10 User is offline   sundavis 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 2,648
  • Joined: 11-August 07
  • Gender:Not Telling

Posted 01 February 2010 - 02:02 PM

Hi nerak,



OK. The kas seemed unable to analyze the windows update folders properly. It may stall or hang over there. Let's take the following instead.


Step1

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
  7. Wait for the scan to finish
  8. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  9. Copy and paste that log as a reply to this topic.


I will give you another one, just in case. wink.gif


Please go to F-Secure Online Scanner
  1. Follow the on screen prompts to download activeX. Once that has completed, you'll be presented with types of scans.
  2. Tick 'My Scan' and click 'Show Options'
  3. Under Select File Types, tick All File Types
  4. Under Select Folders for Scanning, tick 'Scan a Folder' and click Select
  5. Select the C:\ drive, otherwise it will scan all drives.
  6. Click OK
  7. Click Start
  8. After it has completed, save the log and copy/paste the results in your next reply.
  9. If you have problems to run F-Secure Online Scanner, You may refer to this thread.


Let me know how things went.

#11 User is offline   nerak 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 7
  • Joined: 23-December 09

Posted 02 February 2010 - 01:10 AM

Success! Here is the ESET log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=6a6035fc7744d248b5765bda0ae4dddd
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-02-02 05:59:26
# local_time=2010-02-01 09:59:26 (-0800, Pacific Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 1587417 1587417 0 0
# compatibility_mode=769 16775141 100 98 0 200429483 0 0
# compatibility_mode=4864 16777215 100 0 77434501 77434501 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=318891
# found=6
# cleaned=6
# scan_time=16837
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1485\A0196571.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
D:\backup\Kolibri2\Karen\Memeo\Karen\C_\Documents and Settings\Karen\Desktop\UBCD4WinV350.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
F:\UBCD4WinV350.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
F:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1509\A0202449.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
F:\UBCD4Win\PROGRAMS\sdfix\SDFix.exe Win32/PrcView application (deleted - quarantined) 00000000000000000000000000000000 C
F:\UBCD4Win\PROGRAMS\Crossloop\winvnc.exe Win32/RemoteAdmin.WinVNC application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

#12 User is offline   sundavis 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 2,648
  • Joined: 11-August 07
  • Gender:Not Telling

Posted 02 February 2010 - 01:59 AM

Hi nerak,



As far as listed UBCD4Win as multiple threats in ESET log, it might be a false positive. You need to download it again if you like to burn a new CD.

Other than that, your system appears clean now. thumbup.gif If you have no remaining issues on your pc, let's do some tidy up and you should be good to go.


Step1

Click START then RUN
Now copy/paste ComboFix /Uninstall in the runbox and click OK.
Note the space between the x and the /Uninstall, it needs to be there.



This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.


Step2

Download OTC by OldTimer and save it to your desktop.
  1. Double click OTC and let it run
  2. Then Click the Cleanup button.
  3. You will get a prompt saying "Being Cleanup Process". Please select Yes.
  4. Restart your computer when prompted.


Please delete all the tools and logs we have used. Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. Update your antivirus programs

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

  2. Update all programs regularly - Make sure you update all the programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  3. Backup your valid registry -ERUNT (Emergency Recovery Utility NT) allows you to store a complete backup of your registry and restore if needed. Due to malware affects, a corrupt registry can prevent a system from booting. You're well advised to backup your valid registry while the system is clean now. For more info: Here and Here .


Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information Here how to prevent Malware.


Glad to be of help. Safe surfing!!

#13 User is offline   sundavis 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 2,648
  • Joined: 11-August 07
  • Gender:Not Telling

Posted 10 February 2010 - 01:12 AM

Since this issue appears resolved ... this Topic is closed.

Glad we could help.

Everyone else please begin a New Topic.

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users