Something uninstalled Vista SP1


  • This topic is locked
15 replies to this topic

#1 DaveR

Posted 03 February 2009 - 10:11 PM

Something uninstalled Vista SP1 and deleted all prior restore points, so........ must be infected right?

Thanks for your help. Here is my log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:57 PM, on 2/3/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\SOUNDMAN.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\wsqmcons.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.2.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...r_installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 9303 bytes
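As an added example (not part of the original post and not HijackThis's own code), here is a small Python triage pass over lines in the HijackThis format shown above. It flags the items a log reviewer checks first: O4 Run entries that name a bare executable such as `SOUNDMAN.EXE`, which Windows has to locate through its search order; executables outside the usual program roots; O16 ActiveX downloads from hosts outside an allow-list, or that fetch an .exe rather than a .cab; and O23 services listed as "Unknown owner". The trusted roots and allowed hosts are assumptions chosen for illustration, the sample lines are copied from the log above, and the `[updater]` line is constructed to exercise the out-of-root check.

```python
"""Triage a Trend Micro HijackThis 2.0 log (the format posted above).

Flags four things a reviewer looks for first:
  * O4 Run entries that launch a bare filename (no directory), which
    Windows resolves through its search order and which a file dropped
    earlier in that order can hijack;
  * O2/O4 entries whose executable lives outside the usual program roots;
  * O16 (ActiveX download) entries from hosts not on an allow-list, or
    that fetch an .exe rather than a .cab;
  * O23 services whose file has no identifiable owner.

Added example, not part of the original post and not HijackThis code.
The allow-lists are assumptions chosen for illustration; SAMPLE_LOG is a
subset of the posted log plus one constructed line, marked below.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - HKCU\..\Run: [updater] "C:\Users\example\AppData\Local\Temp\updater.exe" /silent
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...r_installer.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
"""
# The [updater] line above is constructed for this example; it is not from the posted log.

# Assumptions: where legitimately installed code is expected to live, and
# which ActiveX download hosts are accepted without review.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")
ALLOWED_DPF_DOMAINS = ("microsoft.com", "macromedia.com", "sun.com")

O2_RE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O4_RE = re.compile(r"^O4 - (.+?)\\\.\.\\Run: \[(.*?)\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) \((.+?)\) - (\S+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str    # HijackThis section: O2, O4, O16, O23
    name: str    # entry name as HijackThis shows it
    reason: str


def launch_subject(cmd):
    """Return the file that actually runs for an O4 command line.

    Handles a quoted executable path and the rundll32 case, where the
    interesting file is the DLL argument rather than rundll32 itself.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe, rest = cmd[1:end], cmd[end + 1:].strip()
    else:
        parts = cmd.split(None, 1)
        exe, rest = parts[0], (parts[1] if len(parts) > 1 else "")
    if exe.lower().endswith("rundll32.exe"):
        return rest.split(",", 1)[0].strip().strip('"')
    return exe


def is_bare_filename(path):
    return "\\" not in path and "/" not in path


def under_trusted_root(path):
    return path.lower().startswith(TRUSTED_ROOTS)


def host_allowed(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DPF_DOMAINS)


def triage(log_text):
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            name, cmd = m.group(2), re.sub(r" \(User '.*'\)$", "", m.group(3))
            subject = launch_subject(cmd)
            if is_bare_filename(subject):
                findings.append(Finding("O4", name, f"launches bare filename {subject!r}, resolved via search order"))
            elif not under_trusted_root(subject):
                findings.append(Finding("O4", name, f"runs from outside trusted roots: {subject}"))
        elif m := O2_RE.match(line):
            if not under_trusted_root(m.group(3)):
                findings.append(Finding("O2", m.group(1), f"BHO outside trusted roots: {m.group(3)}"))
        elif m := O16_RE.match(line):
            name, url = m.group(2), m.group(3)
            if not host_allowed(url):
                findings.append(Finding("O16", name, f"ActiveX download from non-allow-listed host {urlparse(url).hostname}"))
            if url.lower().endswith(".exe"):
                findings.append(Finding("O16", name, "ActiveX entry fetches an .exe instead of a .cab"))
        elif m := O23_RE.match(line):
            if m.group(2).lower() == "unknown owner":
                findings.append(Finding("O23", m.group(1), f"service with no identifiable owner: {m.group(3)}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.name:<24} {f.reason}")
```

A flag is a prompt to look, not a verdict. On the sample, `SoundMan` is flagged only because the Run value names the file without a path (the installed-programs list in the DDS output shows the Realtek audio package it belongs to), and HijackThis reports "Unknown owner" whenever the file carries no company name in its version information, which is common for small or beta tools such as the TVersity media server listed later in the thread. The point of the pass is that it is repeatable across logs and does not depend on the reviewer recognizing every product name.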

#2 Billy O'Neal (Malware Response Team)

Posted 08 February 2009 - 10:48 PM

Hello, DaveR
Welcome to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the reply button in the lower left hand corner of your screen.
We need to run a Scan with DDS
  • Please download DDS, and save it to your desktop, from one of the following mirrors:
  • Disable any type of "Script Blockers" or "Script Protection" installed on your system.
  • Double click the DDS icon on your desktop.
  • If prompted by any script blocking tools, please allow any actions taken by DDS.
  • Two reports will open. Please reply with the generated reports:
    • DDS.txt <-- Copy and paste into your next post
    • Attach.txt <-- Attach to your next post
We need to scan for Rootkits with GMER
  • Please download GMER from one of the following mirrors:
  • Close any and all open programs, as this process may crash your computer.
  • Unzip the downloaded file to your desktop.
  • Double click the GMER icon on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see a warning window. If you do, click No.
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.
In your next reply, please include the following:
  • DDS.txt
  • Attach.txt
  • GMER's Log

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 DaveR (Topic Starter)

Posted 09 February 2009 - 07:23 PM

DDS (Ver_09-02-01.01) - NTFSx86
Run by Robbins Family at 19:19:00.71 on Mon 02/09/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2047.719 [GMT -5:00]

AV: ThreatFire *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\SOUNDMAN.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\taskeng.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Disney\Disney Online\ToontownOnline\ToontownLauncher.exe
C:\Program Files\Disney\Disney Online\ToontownOnline\Toontown.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Robbins Family\Desktop\dds.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 52\axcmd.exe" /automount
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~3.0_0\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.2.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} - hxxp://www.pcpitstop.com/antivirus/PitPav.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-2-2 28544]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2008-11-25 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2008-11-25 39200]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-5-31 810320]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2008-11-25 33056]

=============== Created Last 30 ================

2009-02-02 23:16 401,720 a------- c:\program files\hijackthis.exe
2009-02-02 23:09 <DIR> --d----- c:\program files\CCleaner
2009-02-02 22:10 <DIR> --d----- c:\program files\a-squared Free
2009-02-02 22:03 <DIR> --d----- c:\program files\PCPitstop
2009-02-02 08:20 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-02-02 08:20 <DIR> --d----- c:\program files\Panda Security
2009-02-02 07:12 <DIR> --d----- C:\hegames
2009-02-01 20:25 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-02-01 03:02 11,776 a------- c:\windows\system32\msshooks.dll
2009-01-31 21:36 <DIR> --d----- c:\program files\mkv2vob
2009-01-31 21:35 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-31 06:27 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-01-31 00:03 <DIR> --d----- C:\PerfLogs
2009-01-30 21:50 <DIR> --d----- C:\games
2009-01-13 23:20 288,768 a------- c:\windows\system32\drivers\srv.sys
2009-01-11 21:16 <DIR> --d----- c:\program files\common files\ChessBase

==================== Find3M ====================

2009-02-03 22:00 9,304 a------- c:\program files\hijackthis.log
2009-01-31 00:12 174 a--sh--- c:\program files\desktop.ini
2009-01-31 00:11 86,016 a------- c:\windows\inf\infstrng.dat
2009-01-31 00:11 86,016 a------- c:\windows\inf\infstor.dat
2009-01-31 00:11 51,200 a------- c:\windows\inf\infpub.dat
2009-01-31 00:03 665,600 a------- c:\windows\inf\drvindex.dat
2009-01-30 23:49 101,888 a------- c:\windows\system32\ifxcardm.dll
2009-01-30 23:49 82,432 a------- c:\windows\system32\axaltocm.dll
2008-11-20 20:16 107,888 a------- c:\windows\system32\CmdLineExt.dll
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-06-26 17:35 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-06-26 17:35 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-06-26 17:35 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 19:21:04.38 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-02-01.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 5/23/2008 9:25:11 PM
System Uptime: 2/8/2009 6:48:16 AM (37 hours ago)

Motherboard: ASUSTeK Computer INC. | | A8N-SLI Premium
Processor: Dual Core AMD Opteron™ Processor 165 | Socket 939 | 1809/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 233 GiB total, 89.708 GiB free.
D: is CDROM (CDFS)
E: is CDROM ()
F: is Removable
G: is CDROM (CDFS)
H: is Removable
M: is FIXED (NTFS) - 466 GiB total, 282.545 GiB free.

==== Disabled Device Manager Items =============

Class GUID:
Description:
Device ID: ACPI\PNPB006\3&2411E6FE&0
Manufacturer:
Name:
PNP Device ID: ACPI\PNPB006\3&2411E6FE&0
Service:

==== System Restore Points ===================

RP351: 1/30/2009 11:38:25 PM - Windows Vista Service Pack 1
RP352: 1/31/2009 9:36:17 PM - Installed mkv2vob
RP353: 2/1/2009 3:00:10 AM - Windows Update
RP354: 2/1/2009 3:02:32 AM - Windows Backup
RP355: 2/1/2009 9:02:43 AM - Windows Backup
RP356: 2/1/2009 11:20:56 PM - Scheduled Checkpoint
RP357: 2/2/2009 4:40:09 PM - Windows Update
RP358: 2/3/2009 11:11:34 AM - Scheduled Checkpoint
RP359: 2/3/2009 11:24:50 PM - Scheduled Checkpoint
RP360: 2/5/2009 12:00:06 AM - Scheduled Checkpoint
RP361: 2/5/2009 6:58:50 PM - Scheduled Checkpoint
RP362: 2/5/2009 8:25:47 PM - Windows Update
RP363: 2/7/2009 12:00:04 AM - Scheduled Checkpoint
RP364: 2/8/2009 12:00:08 AM - Scheduled Checkpoint
RP365: 2/9/2009 12:00:03 AM - Scheduled Checkpoint

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1)
3DVIA player 4.1
a-squared Free 4.0
Acrobat.com
Adobe AIR
Adobe Flash Player ActiveX
Adobe Reader 9
Apple Mobile Device Support
Apple Software Update
AviSynth 2.5
Bonjour
CCleaner (remove only)
Chessmaster Grandmaster Edition
Disney Toontown Online
Drivers Install For Linksys Easylink Advisor
FATE from WildGames (remove only)
ffdshow [rev 1324] [2007-07-01]
Fritz11
HijackThis 2.0.2
Internet Chess
ISO Recorder
iTunes
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
JumpStart Advanced 1st Grade
JumpStart Art for Fun
King's Bounty. The Legend (Remove Only)
Learn to Play Chess with Fritz and Chesster 2
Learn to Play Chess with Fritz and Chesster 3
Linksys EasyLink Advisor 1.6 (0032)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C Runtime
Microsoft Visual C++ 2005 Redistributable
mkv2vob
MobileMe Control Panel
NVIDIA Drivers
Panda ActiveScan 2.0
PCPitstop Panda AntiVirus Scan (remove only)
PowerISO
QuickTime
RarZilla Free Unrar 2.53
Realtek AC'97 Audio
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Spybot - Search & Destroy
System Requirements Lab
ThreatFire 3.5
TVersity Codec Pack 1.1
TVersity Media Server 0.9.11.4 beta
Update for Microsoft Office 2007 Help for Common Features (KB957244)
Update for Microsoft Office Access 2007 Help (KB957241)
Update for Microsoft Office Excel 2007 Help (KB957242)
Update for Microsoft Office InfoPath 2007 Help (KB957243)
Update for Microsoft Office OneNote 2007 Help (KB957245)
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Microsoft Office Outlook 2007 Help (KB957246)
Update for Microsoft Office PowerPoint 2007 Help (KB957247)
Update for Microsoft Office Publisher 2007 Help (KB957249)
Update for Microsoft Office Word 2007 Help (KB957252)
Update for Microsoft Script Editor Help (KB957253)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb959141)
Videora iPod Converter 3.07

==== Event Viewer Messages From Past Week ========

2/2/2009 10:10:44 PM, Error: Service Control Manager [7030] - The a-squared Free Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
2/3/2009 6:41:26 AM, Error: Service Control Manager [7034] - The TVersityMediaServer service terminated unexpectedly. It has done this 1 time(s).
2/5/2009 5:13:48 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt

==== End Of File ===========================
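As an added example (not part of the original post and not DDS's own code), this Python script turns the `Created Last 30`, `Find3M` and `System Restore Points` sections of an Attach.txt into one chronological timeline, so that files newly written under `c:\windows` can be read against the restore-point history instead of as two separate lists. The sample text is a subset of the Attach.txt above; the section-header and line formats are taken from it, and the function names are my own.

```python
"""Build a chronological timeline from the "Created Last 30", "Find3M" and
"System Restore Points" sections of a DDS Attach.txt, so that new files
under the Windows directory can be read against the restore-point history.

Added example; not part of the original post and not DDS's own code. The
sample text below is a subset of the Attach.txt posted above. Section
header and line formats are taken from that log; the helpers are mine.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Subset of the Attach.txt posted above (kept verbatim, order as in the log).
SAMPLE_ATTACH = r"""
=============== Created Last 30 ================

2009-02-02 23:16 401,720 a------- c:\program files\hijackthis.exe
2009-02-02 08:20 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-02-02 08:20 <DIR> --d----- c:\program files\Panda Security
2009-02-01 03:02 11,776 a------- c:\windows\system32\msshooks.dll
2009-01-31 06:27 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-01-13 23:20 288,768 a------- c:\windows\system32\drivers\srv.sys

==================== Find3M ====================

2009-02-03 22:00 9,304 a------- c:\program files\hijackthis.log

==== System Restore Points ===================

RP351: 1/30/2009 11:38:25 PM - Windows Vista Service Pack 1
RP352: 1/31/2009 9:36:17 PM - Installed mkv2vob
RP353: 2/1/2009 3:00:10 AM - Windows Update
RP357: 2/2/2009 4:40:09 PM - Windows Update

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1)
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "<date> <time> <size or <DIR>> <attributes> <path>"
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$")
# "RPnnn: m/d/yyyy h:mm:ss AM/PM - description"
RP_RE = re.compile(r"^(RP\d+): (\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) - (.*)$")


@dataclass(frozen=True)
class Event:
    when: datetime
    kind: str      # "file", "dir" or "restore_point"
    label: str     # path for files/dirs, "RPnnn: description" for restore points
    section: str   # DDS section the line came from


def parse_attach(text):
    """Parse the timeline-bearing sections; every other section is ignored."""
    events = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1)
            continue
        if section in ("Created Last 30", "Find3M"):
            if m := FILE_RE.match(line):
                when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
                kind = "dir" if m.group(2) == "<DIR>" else "file"
                events.append(Event(when, kind, m.group(4), section))
        elif section == "System Restore Points":
            if m := RP_RE.match(line):
                when = datetime.strptime(m.group(2), "%m/%d/%Y %I:%M:%S %p")
                events.append(Event(when, "restore_point", f"{m.group(1)}: {m.group(3)}", section))
    return sorted(events, key=lambda e: e.when)   # stable: ties keep log order


def earliest_restore_point(events):
    rps = [e for e in events if e.kind == "restore_point"]
    return rps[0] if rps else None


def windows_files_since(events, since):
    """Files (not directories) under c:\\windows created at or after `since`."""
    return [e for e in events
            if e.kind == "file" and e.when >= since
            and e.label.lower().startswith("c:\\windows\\")]


def render(events):
    tags = {"file": "FILE", "dir": "DIR ", "restore_point": "RP  "}
    return "\n".join(f"{e.when:%Y-%m-%d %H:%M}  {tags[e.kind]}  {e.label}" for e in events)


if __name__ == "__main__":
    evs = parse_attach(SAMPLE_ATTACH)
    print(render(evs))
    rp = earliest_restore_point(evs)
    print("\nFiles under c:\\windows created since", rp.label)
    for e in windows_files_since(evs, rp.when):
        print(" ", e.when, e.label)
```

On the sample, the earliest surviving restore point is RP351 (the Service Pack 1 checkpoint on 1/30), and the files written under `c:\windows` after it are rpcrt4.dll, msshooks.dll and pavboot.sys, the last at the same minute as the Panda Security directory on 2/2. Creation times in a DDS listing come from the file system and can be set by whatever wrote the file, so the timeline is a lead to follow up, not proof on its own.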

#4 DaveR (Topic Starter)

Posted 09 February 2009 - 08:40 PM

Can't get GMER to run.
So I ran UnHackMe and malware was found (AFX rootkit). I tried removing it, but that only seemed to disable the USB ports one by one: the keyboard stopped working, then after a reboot the mouse stopped working.
Reboots continued to find problems, so I did a system restore to where I started. I can repost logs if necessary. Sorry if I screwed up what you were trying to help with. BTW, I still couldn't get GMER to run after UnHackMe did its thing.

I'm rerunning Spybot S&D to see if it detects the rootkit (which it didn't previously). All restore points prior to last week are gone (as mentioned before).

Also, mchInjDrv.sys was identified as a problem, the significance of which I suspect you are aware of (if it even is significant).

Thanks so much for any help!

Edited by DaveR, 09 February 2009 - 11:56 PM.


#5 Billy O'Neal (Malware Response Team)

Posted 10 February 2009 - 06:09 PM

Hello

Please turn off ThreatFire, rename GMER.EXE to something else random such as BlahBlah.exe, and try again.

Billy3

#6 DaveR (Topic Starter)

Posted 10 February 2009 - 11:04 PM

I disabled and then uninstalled ThreatFire from the computer without any luck. I also disabled Spybot and UnHackMe. I tried a few random names for GMER as well, but it still won't run.
Do you have another suggestion?

#7 Billy O'Neal (Malware Response Team)

Posted 10 February 2009 - 11:39 PM

Please navigate to the download page of Avira AntiRootkit and click on Download to save it to your Desktop.
  • You should now find a file called: antivir_rootkit.zip on your Desktop.
  • Extract the file to your Desktop (you may then delete the zip file).
  • You should now have a folder with Setup.exe and some other files within it on your Desktop.
  • Double-click Setup.exe.
  • Click Next.
  • Highlight the radio button to accept the license agreement and then click Next.
  • Then click Next and Install to finalise the installation process.
  • Click Finish (you may now also delete the folder with the extracted files from the zip archive)
You successfully installed Avira AntiRootkit!
  • Please now navigate to Start > All Programs > Avira RootKit Detection. Then select: Avira RootKit Detection
  • Click OK when a message window pops up
  • Click Start scan and let it run
  • Click View report and copy the entire contents into your next reply.


#8 DaveR
  • Topic Starter
  • Members
  • 9 posts

Posted 11 February 2009 - 08:42 PM

OK. I ran it, but it finishes instantly!!!? Clearly not checking anything. Here is the report (BTW, I ran it several times and tried in safe mode with no luck):

Avira AntiRootkit Tool - Beta (1.0.1.17)

========================================================================================================
- Scan started Wednesday, February 11, 2009 - 20:38:48 PM
========================================================================================================

--------------------------------------------------------------------------------------------------------
Configuration:
--------------------------------------------------------------------------------------------------------
- [X] Scan files
- [X] Scan registry
- [X] Scan processes
- [ ] Fast scan
- Working disk total size : 232.88 GB
- Working disk free size : 87.07 GB (37 %)
--------------------------------------------------------------------------------------------------------

Scan task finished. No hidden objects detected!

--------------------------------------------------------------------------------------------------------
Files: 0/0
Registry items: 0/0
Processes: 0/0
Scan time: 00:00:00
--------------------------------------------------------------------------------------------------------
Active processes:
========================================================================================================
- Scan finished Wednesday, February 11, 2009 - 20:38:48 PM
========================================================================================================

Edited by DaveR, 11 February 2009 - 08:43 PM.


#9 Billy O'Neal
Visual C++ STL Maintainer
  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 13 February 2009 - 05:38 PM

Hello, DaveR
Wow! That's a bit strange. Not entirely sure why it's not working :thumbup2:

We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click the button shown in the screenshot and then on "Advanced Mode"
    [screenshot]
  • You may be presented with a warning dialog. If so, press the button shown
  • Click on the button shown
  • Click on the button shown
  • Uncheck this checkbox:
    [screenshot]
  • Close/Exit Spybot Search and Destroy
We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

If this tool helped you, please consider a donation to its author: [image]

How to run ComboFix:
  • Please download ComboFix from one of the following mirrors, and save it to your desktop.
  • Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  • Double-click the ComboFix icon on your desktop.
  • Read and accept (Press Yes) to the disclaimer.
  • For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  • ComboFix will run. Simply wait for it to finish.
  • When it finishes, ComboFix will produce a log. Please post that log in your next reply here :)
NOTE: If ComboFix will not run, please rename it to GlobRemover.exe and try again!

In your next reply, please include the following:
  • ComboFix.txt

BillyIII

#10 DaveR
  • Topic Starter
  • Members
  • 9 posts

Posted 13 February 2009 - 11:45 PM

Okay, here's the log file. Thanks so much again for your help.


ComboFix 09-02-12.03 - Robbins Family 2009-02-13 23:25:31.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2047.1223 [GMT -5:00]
Running from: c:\users\Robbins Family\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-01-14 to 2009-02-14 )))))))))))))))))))))))))))))))
.

2009-02-11 20:25 . 2009-02-11 20:25 <DIR> d-------- c:\program files\Avira GmbH
2009-02-10 23:13 . 2009-02-10 23:13 <DIR> d-------- c:\users\All Users\Avira
2009-02-10 23:13 . 2009-02-10 23:13 <DIR> d-------- c:\programdata\Avira
2009-02-10 23:13 . 2009-02-10 23:13 <DIR> d-------- c:\program files\Avira
2009-02-10 14:49 . 2009-01-14 22:36 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2009-02-10 14:49 . 2009-01-15 01:11 827,392 --a------ c:\windows\System32\wininet.dll
2009-02-09 22:05 . 2009-02-11 20:38 <DIR> d-------- c:\program files\UnHackMe
2009-02-09 22:05 . 2009-02-09 22:05 (2) -rahs-ot- c:\windows\winstart.bat
2009-02-02 23:16 . 2009-02-02 23:16 401,720 --a------ c:\program files\hijackthis.exe
2009-02-02 23:09 . 2009-02-02 23:10 <DIR> d-------- c:\program files\CCleaner
2009-02-02 22:10 . 2009-02-02 23:06 <DIR> d-------- c:\program files\a-squared Free
2009-02-02 22:03 . 2009-02-02 22:03 <DIR> d-------- c:\program files\PCPitstop
2009-02-02 08:20 . 2009-02-02 08:20 <DIR> d-------- c:\program files\Panda Security
2009-02-02 08:20 . 2008-06-19 16:24 28,544 --a------ c:\windows\System32\drivers\pavboot.sys
2009-02-02 07:12 . 2009-02-05 08:46 <DIR> d-------- C:\hegames
2009-02-01 20:25 . 2009-02-01 20:25 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-02-01 03:02 . 2008-05-27 00:17 11,776 --a------ c:\windows\System32\msshooks.dll
2009-01-31 21:36 . 2009-01-31 21:36 <DIR> d-------- c:\program files\mkv2vob
2009-01-31 21:35 . 2009-01-31 21:35 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-31 06:27 . 2008-04-26 03:26 891,448 --a------ c:\windows\System32\drivers\tcpip.sys
2009-01-31 00:03 . 2009-01-31 00:03 <DIR> d-------- C:\PerfLogs
2009-01-30 21:50 . 2009-01-30 22:30 <DIR> d-------- C:\games
2009-01-26 21:29 . 2009-01-28 08:00 <DIR> d-------- c:\users\Robbins Family\AppData\Roaming\Download Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-12 01:25 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-11 03:55 --------- d---a-w c:\programdata\TEMP
2009-02-11 03:55 --------- d-----w c:\program files\ThreatFire
2009-02-11 02:37 --------- d-----w c:\programdata\Microsoft Help
2009-02-11 02:36 --------- d-----w c:\program files\Windows Mail
2009-02-10 04:38 --------- d-----w c:\programdata\Spybot - Search & Destroy
2009-02-04 03:00 9,304 ----a-w c:\program files\hijackthis.log
2009-01-31 05:12 174 --sha-w c:\program files\desktop.ini
2009-01-31 05:04 --------- d-----w c:\program files\Windows Sidebar
2009-01-31 05:04 --------- d-----w c:\program files\Windows Photo Gallery
2009-01-31 05:04 --------- d-----w c:\program files\Windows Journal
2009-01-31 05:04 --------- d-----w c:\program files\Windows Defender
2009-01-31 05:04 --------- d-----w c:\program files\Windows Collaboration
2009-01-31 05:04 --------- d-----w c:\program files\Windows Calendar
2009-01-31 04:49 82,432 ----a-w c:\windows\System32\axaltocm.dll
2009-01-31 04:49 101,888 ----a-w c:\windows\System32\ifxcardm.dll
2009-01-12 03:53 --------- d-----w c:\users\Robbins Family\AppData\Roaming\ChessBase
2009-01-12 02:16 --------- d-----w c:\program files\Common Files\ChessBase
2009-01-12 02:13 --------- d-----w c:\program files\ChessBase
2009-01-03 23:11 --------- d-----w c:\program files\Sony
2008-12-25 16:20 --------- d-----w c:\program files\Viva Media
2008-12-16 02:42 288,768 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-21 01:16 107,888 ----a-w c:\windows\System32\CmdLineExt.dll
2008-06-26 22:35 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-06-26 22:35 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-06-26 22:35 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 2097488]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 52\axcmd.exe" [2008-03-20 216520]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 92704]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-11-02 167936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SoundMan"="SOUNDMAN.EXE" [2007-03-09 c:\windows\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{0C70FC4F-D642-49B7-B3AC-B715ABCFDE85}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{FF9B2646-55C7-4F81-A3B7-F6BC0407B61E}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{3BC3C744-DBC9-40F1-BF6B-25D2D4B3744F}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{AEB9E189-69A0-485B-AC64-5975D2C356E6}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C8D330C1-EF4B-494A-A795-55827C7178AB}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D39EDBCB-432F-41BC-9125-DC8FE8CD640F}"= Disabled:UDP:c:\program files\TVersity\Media Server\TVersity.exe:TVersity Media Server
"{9905C48B-A989-4683-8697-04AA2D92A382}"= Disabled:TCP:c:\program files\TVersity\Media Server\TVersity.exe:TVersity Media Server
"{90BD19E9-678B-41DB-A3B3-DC11B25A2BCF}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{5590DCF9-301F-4006-AC34-553FE464D07A}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{D70993A8-C659-4560-93CF-05D7630F0D5D}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{ECE027A4-0A4E-4B40-801C-2F597E3AF0D8}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [2009-02-02 28544]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2008-05-31 810320]
S3 FLIRSKBRC;FLIRSKBRC;c:\users\ROBBIN~1\AppData\Local\Temp\FLIRSKBRC.exe --> c:\users\ROBBIN~1\AppData\Local\Temp\FLIRSKBRC.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53df48c4-8919-11dd-9423-0015f2d327b2}]
\shell\AutoRun\command - G:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-14 c:\windows\Tasks\User_Feed_Synchronization-{3ED7C3EC-8C5E-4A56-88B0-7EDF8BBB5B72}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 02:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.2.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-13 23:28:11
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-13 23:29:57
ComboFix-quarantined-files.txt 2009-02-14 04:29:55

Pre-Run: 107,265,437,696 bytes free
Post-Run: 107,809,968,128 bytes free

131 --- E O F --- 2009-02-13 07:04:27

#11 Billy O'Neal
Visual C++ STL Maintainer
  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 14 February 2009 - 05:23 PM

Hello, DaveR
How are things running?

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2047.1223 [GMT -5:00]


SP1 was never uninstalled... what told you it was?

We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    driver::
    FLIRSKBRC
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • [image]
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use Ctrl+A)
  • Right-click again and choose "Copy" (or Ctrl+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • ComboFix.txt
  • ESET OnlineScan's Log

BillyIII
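The CFScript above targets the FLIRSKBRC service line from the ComboFix log: a driver entry whose image sits in a user's Temp folder and carries no date/size (`[?]`). As an added example, not from this thread or from ComboFix, here is a small Python triage helper that parses ComboFix's Run-key and service lines and flags the entries a responder would look at first; the sample log lines are constructed to mirror the entries posted above.

```python
"""
Triage helper for ComboFix "Reg Loading Points" output.

Added example for this thread; it is not part of ComboFix, and the log lines
below are constructed to mirror the entries posted above, not copied from a
real machine. It parses Run-key values and service/driver lines and flags
the ones a responder would look at first.
"""
import re
from dataclasses import dataclass, field

# Service/driver lines look like:  S3 Name;Display;c:\path\file.exe [date size]
# A file ComboFix could not stat is shown as "path --> path [?]".
SERVICE_RE = re.compile(
    r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)(?:\s+-->\s+.+?)?\s+\[([^\]]*)\]\s*$"
)
# Run-key values look like:  "Name"="c:\path\file.exe" [date size]
# When the value is a bare file name, the resolved path appears in the brackets.
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s+\[([^\]]*)\]\s*$')

TEMP_DIR_RE = re.compile(r"\\(?:appdata\\local\\temp|temp|tmp)\\")
TRUSTED_ROOT_RE = re.compile(r"^[a-z]:\\(?:windows|program files(?: \(x86\))?)\\")

# Constructed sample modelled on the ComboFix log in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SoundMan"="SOUNDMAN.EXE" [2007-03-09 c:\windows\SOUNDMAN.EXE]

R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [2009-02-02 28544]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2008-05-31 810320]
S3 FLIRSKBRC;FLIRSKBRC;c:\users\ROBBIN~1\AppData\Local\Temp\FLIRSKBRC.exe --> c:\users\ROBBIN~1\AppData\Local\Temp\FLIRSKBRC.exe [?]
"""


@dataclass
class Entry:
    kind: str               # "service" or "run"
    name: str
    image: str              # image path as ComboFix printed it
    info: str               # contents of the trailing [...]
    reasons: list = field(default_factory=list)


def parse_entries(text):
    """Return an Entry for every service and Run-key line in the text, in log order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            entries.append(Entry("service", m.group(2), m.group(4), m.group(5)))
            continue
        m = RUN_RE.match(line)
        if m:
            image, info = m.group(2), m.group(3)
            if "\\" not in image:
                # bare file name: take the resolved path from the brackets
                tail = info.split()[-1] if info.split() else ""
                if "\\" in tail:
                    image = tail
            entries.append(Entry("run", m.group(1), image, info))
    return entries


def assess(entry):
    """Attach a reason for each heuristic the entry trips; each is a weak signal on its own."""
    image = entry.image.lower()
    if TEMP_DIR_RE.search(image):
        entry.reasons.append("image lives in a Temp directory")
    if entry.info.strip() == "?":
        entry.reasons.append("no timestamp/size recorded ([?] in the log)")
    if not TRUSTED_ROOT_RE.match(image):
        entry.reasons.append("image is outside Windows and Program Files")
    return entry


def suspicious_entries(text):
    """Entries that trip at least one heuristic, in log order."""
    return [e for e in map(assess, parse_entries(text)) if e.reasons]


if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_LOG):
        print(f"{e.kind} {e.name}: {e.image}")
        for r in e.reasons:
            print(f"    - {r}")
```

Run on the sample it reports only the FLIRSKBRC driver, with all three reasons; the Run-key entries and the two legitimate services pass because their images resolve under Windows or Program Files.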

#12 DaveR
  • Topic Starter
  • Members
  • 9 posts

Posted 14 February 2009 - 11:27 PM

Here's the ComboFix file. I unfortunately had a BSOD during the reboot process. Windows suggested I boot to the Vista disk for repair, but I did a simple power down and reboot, and everything seemed to go fine.
With regards to Vista SP1, maybe I'm wrong, but I thought that was installed many months ago. What made me suspicious is it loaded a couple of weeks ago and all prior restore points were removed, which I believe some malware does. Am I wrong thinking something reverted my system back to a pre-SP1 state to do its damage and erased restore points, or did I not have SP1 before as I thought?? Anyway, here's the ComboFix file and the ESET file will follow soon.
Thanks again.

ComboFix 09-02-12.03 - Robbins Family 2009-02-14 23:02:26.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2047.1262 [GMT -5:00]
Running from: c:\users\Robbins Family\Desktop\ComboFix.exe
Command switches used :: c:\users\Robbins Family\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2009-01-15 to 2009-02-15 )))))))))))))))))))))))))))))))
.

2009-02-13 23:46 . 2009-02-13 23:48 77,106,320 --a------ c:\windows\System32\ZOFZ
2009-02-11 20:25 . 2009-02-11 20:25 <DIR> d-------- c:\program files\Avira GmbH
2009-02-10 23:13 . 2009-02-10 23:13 <DIR> d-------- c:\users\All Users\Avira
2009-02-10 23:13 . 2009-02-10 23:13 <DIR> d-------- c:\programdata\Avira
2009-02-10 23:13 . 2009-02-10 23:13 <DIR> d-------- c:\program files\Avira
2009-02-10 14:49 . 2009-01-14 22:36 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2009-02-10 14:49 . 2009-01-15 01:11 827,392 --a------ c:\windows\System32\wininet.dll
2009-02-09 22:05 . 2009-02-11 20:38 <DIR> d-------- c:\program files\UnHackMe
2009-02-09 22:05 . 2009-02-09 22:05 (2) -rahs-ot- c:\windows\winstart.bat
2009-02-02 23:16 . 2009-02-02 23:16 401,720 --a------ c:\program files\hijackthis.exe
2009-02-02 23:09 . 2009-02-02 23:10 <DIR> d-------- c:\program files\CCleaner
2009-02-02 22:10 . 2009-02-02 23:06 <DIR> d-------- c:\program files\a-squared Free
2009-02-02 22:03 . 2009-02-02 22:03 <DIR> d-------- c:\program files\PCPitstop
2009-02-02 08:20 . 2009-02-02 08:20 <DIR> d-------- c:\program files\Panda Security
2009-02-02 08:20 . 2008-06-19 16:24 28,544 --a------ c:\windows\System32\drivers\pavboot.sys
2009-02-02 07:12 . 2009-02-05 08:46 <DIR> d-------- C:\hegames
2009-02-01 20:25 . 2009-02-01 20:25 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-02-01 03:02 . 2008-05-27 00:17 11,776 --a------ c:\windows\System32\msshooks.dll
2009-01-31 21:36 . 2009-01-31 21:36 <DIR> d-------- c:\program files\mkv2vob
2009-01-31 21:35 . 2009-01-31 21:35 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-31 06:27 . 2008-04-26 03:26 891,448 --a------ c:\windows\System32\drivers\tcpip.sys
2009-01-31 00:03 . 2009-01-31 00:03 <DIR> d-------- C:\PerfLogs
2009-01-30 21:50 . 2009-02-14 16:06 <DIR> d-------- C:\games
2009-01-26 21:29 . 2009-01-28 08:00 <DIR> d-------- c:\users\Robbins Family\AppData\Roaming\Download Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-14 17:00 --------- d-----w c:\programdata\NVIDIA
2009-02-12 01:25 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-11 03:55 --------- d---a-w c:\programdata\TEMP
2009-02-11 03:55 --------- d-----w c:\program files\ThreatFire
2009-02-11 02:37 --------- d-----w c:\programdata\Microsoft Help
2009-02-11 02:36 --------- d-----w c:\program files\Windows Mail
2009-02-10 04:38 --------- d-----w c:\programdata\Spybot - Search & Destroy
2009-02-04 03:00 9,304 ----a-w c:\program files\hijackthis.log
2009-01-31 05:12 174 --sha-w c:\program files\desktop.ini
2009-01-31 05:04 --------- d-----w c:\program files\Windows Sidebar
2009-01-31 05:04 --------- d-----w c:\program files\Windows Photo Gallery
2009-01-31 05:04 --------- d-----w c:\program files\Windows Journal
2009-01-31 05:04 --------- d-----w c:\program files\Windows Defender
2009-01-31 05:04 --------- d-----w c:\program files\Windows Collaboration
2009-01-31 05:04 --------- d-----w c:\program files\Windows Calendar
2009-01-31 04:49 82,432 ----a-w c:\windows\System32\axaltocm.dll
2009-01-31 04:49 101,888 ----a-w c:\windows\System32\ifxcardm.dll
2009-01-12 03:53 --------- d-----w c:\users\Robbins Family\AppData\Roaming\ChessBase
2009-01-12 02:16 --------- d-----w c:\program files\Common Files\ChessBase
2009-01-12 02:13 --------- d-----w c:\program files\ChessBase
2009-01-07 16:28 453,152 ----a-w c:\windows\System32\NVUNINST.EXE
2009-01-03 23:11 --------- d-----w c:\program files\Sony
2008-12-25 16:20 --------- d-----w c:\program files\Viva Media
2008-12-16 02:42 288,768 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-21 01:16 107,888 ----a-w c:\windows\System32\CmdLineExt.dll
2008-06-26 22:35 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-06-26 22:35 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-06-26 22:35 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-13_23.28.40.86 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-15 04:01:51 6,258,688 ----a-w c:\windows\ERDNT\Hiv-backup\schema.dat
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-02-15 04:04:27 6,258,688 ----a-w c:\windows\ERDNT\subs\schema.dat
- 2009-01-31 05:11:11 51,200 ----a-w c:\windows\inf\infpub.dat
+ 2009-02-14 16:36:02 51,200 ----a-w c:\windows\inf\infpub.dat
- 2009-01-31 05:11:11 86,016 ----a-w c:\windows\inf\infstor.dat
+ 2009-02-14 16:36:00 86,016 ----a-w c:\windows\inf\infstor.dat
- 2009-01-31 05:11:11 86,016 ----a-w c:\windows\inf\infstrng.dat
+ 2009-02-14 16:36:02 86,016 ----a-w c:\windows\inf\infstrng.dat
- 2009-02-12 23:46:37 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-02-15 04:12:22 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2009-02-14 04:28:00 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-02-15 04:12:21 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-02-15 04:12:21 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2009-02-12 23:44:58 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-02-15 03:59:03 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-02-12 23:44:58 49,152 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-15 03:59:03 49,152 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-12 23:44:58 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-02-15 03:59:03 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-05-16 18:01:00 7,465,312 ----a-w c:\windows\System32\drivers\nvlddmkm.sys
+ 2009-01-15 13:19:00 7,740,320 ----a-w c:\windows\System32\drivers\nvlddmkm.sys
+ 2009-01-15 13:19:00 795,104 ----a-w c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_2e303a96\dpinst.exe
+ 2009-01-15 13:19:00 663,552 ----a-w c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_2e303a96\nvapi.dll
+ 2009-01-15 13:19:00 135,168 ----a-w c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_2e303a96\nvcod.dll
+ 2009-01-15 13:19:00 13,683,232 ----a-w c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_2e303a96\nvcpl.dll
+ 2009-01-15 13:19:00 801,312 ----a-w c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_2e303a96\nvcplui.exe
+ 2009-01-15 13:19:00 1,560,576 ----a-w c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_2e303a96\nvcuda.dll
+ 2009-01-15 13:19:00 6,070,272 ----a-w c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_2e303a96\nvd3dum.dll
+ 2009-01-15 13:19:00 4,717,088 ----a-w c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_2e303a96\nvdisps.dll
+ 2009-01-15 13:19:00 3,496,480 ----a-w c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_2e303a96\nvgames.dll
+ 2009-01-15 13:19:00 7,740,320 ----a-w c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_2e303a96\nvlddmkm.sys
+ 2009-01-15 13:19:00 236,064 ----a-w c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_2e303a96\nvmccs.dll
+ 2009-01-15 13:19:00 45,056 ----a-w c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_2e303a96\nvmccsrs.dll
+ 2009-01-15 13:19:00 195,104 ----a-w c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_2e303a96\nvmccss.dll
+ 2009-01-15 13:19:00 92,704 ----a-w c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_2e303a96\nvmctray.dll
+ 2009-01-15 13:19:00 1,292,832 ----a-w c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_2e303a96\nvmobls.dll
+ 2009-01-15 13:19:00 9,617,408 ----a-w c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_2e303a96\nvoglv32.dll
+ 2009-01-15 13:19:00 641,568 ----a-w c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_2e303a96\nvsvc.dll
+ 2009-01-15 13:19:00 1,286,144 ----a-w c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_2e303a96\nvsvs.dll
+ 2009-01-15 13:19:00 453,152 ----a-w c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_2e303a96\nvudisp.exe
+ 2009-01-15 13:19:00 3,803,680 ----a-w c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_2e303a96\nvvitvs.dll
+ 2009-01-15 13:19:00 207,392 ----a-w c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_2e303a96\nvvsvc.exe
+ 2009-01-15 13:19:00 2,731,008 ----a-w c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_2e303a96\nvwgf2um.dll
+ 2009-01-15 13:19:00 2,751,008 ----a-w c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_2e303a96\nvwss.dll
- 2008-05-16 18:01:00 442,368 ------w c:\windows\System32\nvapi.dll
+ 2009-01-15 13:19:00 663,552 ----a-w c:\windows\System32\nvapi.dll
- 2008-05-16 18:01:00 114,688 ------w c:\windows\System32\nvcod.dll
+ 2009-01-15 13:19:00 135,168 ----a-w c:\windows\System32\nvcod.dll
+ 2009-01-15 13:19:00 135,168 ----a-w c:\windows\System32\nvcod137.dll
- 2008-05-16 18:01:00 13,535,776 ------w c:\windows\System32\nvcpl.dll
+ 2009-01-15 13:19:00 13,683,232 ----a-w c:\windows\System32\nvcpl.dll
- 2008-05-16 18:01:00 768,544 ------w c:\windows\System32\nvcplui.exe
+ 2009-01-15 13:19:00 801,312 ----a-w c:\windows\System32\nvcplui.exe
+ 2009-01-15 13:19:00 1,560,576 ----a-w c:\windows\System32\nvcuda.dll
- 2008-05-16 18:01:00 5,689,344 ------w c:\windows\System32\nvd3dum.dll
+ 2009-01-15 13:19:00 6,070,272 ----a-w c:\windows\System32\nvd3dum.dll
- 2008-05-16 18:01:00 6,588,960 ------w c:\windows\System32\nvdisps.dll
+ 2009-01-15 13:19:00 4,717,088 ----a-w c:\windows\System32\nvdisps.dll
- 2008-05-16 18:01:00 3,398,176 ------w c:\windows\System32\nvgames.dll
+ 2009-01-15 13:19:00 3,496,480 ----a-w c:\windows\System32\nvgames.dll
- 2008-05-16 18:01:00 236,064 ------w c:\windows\System32\nvmccs.dll
+ 2009-01-15 13:19:00 236,064 ----a-w c:\windows\System32\nvmccs.dll
- 2008-05-16 18:01:00 45,056 ------w c:\windows\System32\nvmccsrs.dll
+ 2009-01-15 13:19:00 45,056 ----a-w c:\windows\System32\nvmccsrs.dll
- 2008-05-16 18:01:00 195,104 ------w c:\windows\System32\nvmccss.dll
+ 2009-01-15 13:19:00 195,104 ----a-w c:\windows\System32\nvmccss.dll
- 2008-05-16 18:01:00 92,704 ------w c:\windows\System32\nvmctray.dll
+ 2009-01-15 13:19:00 92,704 ----a-w c:\windows\System32\nvmctray.dll
- 2008-05-16 18:01:00 1,264,160 ------w c:\windows\System32\nvmobls.dll
+ 2009-01-15 13:19:00 1,292,832 ----a-w c:\windows\System32\nvmobls.dll
- 2008-05-16 18:01:00 9,039,872 ------w c:\windows\System32\nvoglv32.dll
+ 2009-01-15 13:19:00 9,617,408 ----a-w c:\windows\System32\nvoglv32.dll
- 2008-05-16 18:01:00 526,880 ------w c:\windows\System32\nvsvc.dll
+ 2009-01-15 13:19:00 641,568 ----a-w c:\windows\System32\nvsvc.dll
+ 2009-01-15 13:19:00 1,286,144 ----a-w c:\windows\System32\nvsvs.dll
- 2008-05-16 18:01:00 446,464 ------w c:\windows\System32\nvudisp.exe
+ 2009-01-15 13:19:00 453,152 ----a-w c:\windows\System32\nvudisp.exe
- 2008-05-16 18:01:00 3,783,200 ------w c:\windows\System32\nvvitvs.dll
+ 2009-01-15 13:19:00 3,803,680 ----a-w c:\windows\System32\nvvitvs.dll
- 2008-05-16 18:01:00 118,784 ------w c:\windows\System32\nvvsvc.exe
+ 2009-01-15 13:19:00 207,392 ----a-w c:\windows\System32\nvvsvc.exe
- 2008-05-16 18:01:00 2,360,832 ------w c:\windows\System32\nvwgf2um.dll
+ 2009-01-15 13:19:00 2,731,008 ----a-w c:\windows\System32\nvwgf2um.dll
- 2008-05-16 18:01:00 2,636,320 ------w c:\windows\System32\nvwss.dll
+ 2009-01-15 13:19:00 2,751,008 ----a-w c:\windows\System32\nvwss.dll
- 2009-02-13 04:40:32 101,144 ----a-w c:\windows\System32\perfc009.dat
+ 2009-02-14 18:57:31 101,144 ----a-w c:\windows\System32\perfc009.dat
- 2009-02-13 04:40:32 595,446 ----a-w c:\windows\System32\perfh009.dat
+ 2009-02-14 18:57:31 595,446 ----a-w c:\windows\System32\perfh009.dat
- 2009-02-11 03:56:09 6,291,456 ----a-w c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2009-02-15 04:04:27 6,258,688 ----a-w c:\windows\System32\SMI\Store\Machine\schema.dat
- 2009-02-12 23:46:59 8,918 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-30636881-682793767-922033197-1000_UserData.bin
+ 2009-02-14 17:01:43 9,538 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-30636881-682793767-922033197-1000_UserData.bin
- 2009-02-12 23:46:58 55,790 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-02-14 17:01:43 56,294 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-02-12 23:46:57 36,912 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-02-14 17:01:41 38,014 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-02-11 02:37:25 174,677,782 ----a-w c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2009-02-15 00:10:02 175,818,812 ----a-w c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2008-01-19 07:34:44 6,656 ----a-w c:\windows\winsxs\x86_microsoft-windows-ehome-devices-mcrmgr_31bf3856ad364e35_6.0.6001.18177_none_33e53ce1da2ca44a\McrMgr.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 2097488]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 52\axcmd.exe" [2008-03-20 216520]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-11-02 167936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13683232]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 92704]
"SoundMan"="SOUNDMAN.EXE" [2007-03-09 c:\windows\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{0C70FC4F-D642-49B7-B3AC-B715ABCFDE85}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{FF9B2646-55C7-4F81-A3B7-F6BC0407B61E}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{3BC3C744-DBC9-40F1-BF6B-25D2D4B3744F}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{AEB9E189-69A0-485B-AC64-5975D2C356E6}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C8D330C1-EF4B-494A-A795-55827C7178AB}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D39EDBCB-432F-41BC-9125-DC8FE8CD640F}"= Disabled:UDP:c:\program files\TVersity\Media Server\TVersity.exe:TVersity Media Server
"{9905C48B-A989-4683-8697-04AA2D92A382}"= Disabled:TCP:c:\program files\TVersity\Media Server\TVersity.exe:TVersity Media Server
"{90BD19E9-678B-41DB-A3B3-DC11B25A2BCF}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{5590DCF9-301F-4006-AC34-553FE464D07A}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{D70993A8-C659-4560-93CF-05D7630F0D5D}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{ECE027A4-0A4E-4B40-801C-2F597E3AF0D8}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [2009-02-02 28544]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2008-05-31 810320]

--- Other Services/Drivers In Memory ---

*Deregistered* - sptd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53df48c4-8919-11dd-9423-0015f2d327b2}]
\shell\AutoRun\command - G:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-15 c:\windows\Tasks\User_Feed_Synchronization-{3ED7C3EC-8C5E-4A56-88B0-7EDF8BBB5B72}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 02:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.2.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-14 23:12:25
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\Robbins Family\AppData\Roaming\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\DB\{12C3ACBF-6BCC-4CA2-BCA9-D2AF39DF80D9}.xml
c:\users\Robbins Family\AppData\Roaming\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\DB\{7EFCDC1D-51A3-44B4-A9D4-0ADD0F5C60B8}.xml
c:\users\Robbins Family\AppData\Roaming\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\DB\{FA3F216F-14CB-4336-BB54-C5E05C0D2AF8}.xml

scan completed successfully
hidden files: 3

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\rundll32.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\a-squared Free\a2service.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TVersity\Media Server\MediaServer.exe
c:\windows\System32\rundll32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\ehome\ehmsas.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\windows\System32\taskmgr.exe
c:\windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2009-02-14 23:17:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-15 04:17:24
ComboFix2.txt 2009-02-14 04:29:58

Pre-Run: 118,433,656,832 bytes free
Post-Run: 118,203,842,560 bytes free

290 --- E O F --- 2009-02-13 07:04:27
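
The "Reg Loading Points" section of the log above is exactly what a responder eyeballs by hand: the HKLM/HKCU Run keys and the MountPoints2 AutoRun handler that still points at G:\setup.exe. The PowerShell below is an added example, not part of DaveR's post or of ComboFix, that walks those same locations on the live machine and reports whether each target file exists and whether it carries a valid Authenticode signature. The registry paths are the standard Windows ones; the function names and output columns are this example's own choices.

```powershell
# Added example (not from the thread): triage the autostart locations that the
# ComboFix "Reg Loading Points" section lists. Function names and the report
# layout are this example's own; the registry key paths are Windows' standard ones.

function Resolve-CommandPath {
    # Turn a Run-key command line into the file that actually executes.
    param([string]$Command)
    if (-not $Command) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($expanded.StartsWith('"')) {
        $close = $expanded.IndexOf('"', 1)
        if ($close -gt 1) { $expanded = $expanded.Substring(1, $close - 1) }
    } else {
        # Unquoted: the shortest prefix ending in .exe/.dll is the program,
        # whatever follows it is the argument list.
        $m = [regex]::Match($expanded, '^(.*?\.(exe|dll))', 'IgnoreCase')
        if ($m.Success) {
            $exe  = $m.Groups[1].Value
            $rest = $expanded.Substring($exe.Length).Trim()
            # rundll32 is only a host process; the file of interest is the DLL
            # it loads (the NvCplDaemon/NvMediaCenter entries are of this kind).
            if (([IO.Path]::GetFileName($exe) -ieq 'rundll32.exe') -and $rest) {
                $exe = ($rest -split ',')[0].Trim('"', ' ')
            }
            $expanded = $exe
        }
    }
    # A bare name such as SOUNDMAN.EXE is resolved through the search path,
    # the same resolution ComboFix prints in brackets after the entry.
    if (-not [IO.Path]::IsPathRooted($expanded)) {
        $found = Get-Command $expanded -ErrorAction SilentlyContinue
        if ($found -and $found.Definition) { $expanded = $found.Definition }
    }
    return $expanded
}

function New-TriageRecord($Source, $Name, $Target) {
    $exists = [bool]($Target -and (Test-Path -LiteralPath $Target))
    $status = 'Missing'
    if ($exists) { $status = (Get-AuthenticodeSignature -FilePath $Target).Status }
    New-Object PSObject -Property @{
        Source = $Source; Name = $Name; Target = $Target
        Exists = $exists; Signature = $status
    }
}

function Get-AutostartTriage {
    $metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($metaProps -contains $prop.Name) { continue }
            New-TriageRecord $key $prop.Name (Resolve-CommandPath ([string]$prop.Value))
        }
    }
    # MountPoints2 caches a per-volume AutoRun handler. A shell\AutoRun\command
    # of <letter>:\setup.exe (G:\setup.exe in the log) is the footprint of
    # autorun.inf-based spreading from removable media; once the media has been
    # cleaned, the stale handler can be deleted.
    $mp = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    if (Test-Path $mp) {
        foreach ($vol in Get-ChildItem -Path $mp) {
            $cmdKey = Join-Path $vol.PSPath 'shell\AutoRun\command'
            if (-not (Test-Path $cmdKey)) { continue }
            $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
            New-TriageRecord $vol.PSChildName 'shell\AutoRun\command' (Resolve-CommandPath ([string]$cmd))
        }
    }
}

Get-AutostartTriage | Sort-Object Exists, Signature |
    Format-Table -AutoSize Name, Exists, Signature, Target
```

Read the output the way the log is read: a target that no longer exists (the `Exists` column false) is a leftover to clean up, and an existing target whose `Signature` is not `Valid` is the one to look at first. The MountPoints2 rows only show the command Explorer remembers; a G:\setup.exe that is `Missing` because no drive is mounted is not proof the media was clean, just that it is not plugged in.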

#13 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:07:11 PM

Posted 16 February 2009 - 04:26 PM

Hello, DaveR

Am I wrong thinking something reverted my system back to pre sp1 state to do its damage and erased restore points, or did I not have sp1 before as I thought??

Nope. Maybe restore points were gone, but you still have SP1. Once the malware's running, there'd be little point in reverting anyway. SP1 doesn't prevent certain programs from running, it prevents holes from being exploited to run programs against the user's will.

But we'll see what ESET says.

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#14 DaveR

DaveR
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:11 PM

Posted 16 February 2009 - 07:23 PM

Ok. Not to belabor the point, but, SP1 was installed on my system several months ago, and then it was installed again a few weeks back. When I look at the Vista update log, there's no mention of it being installed previously. Why was it "reinstalled" or am I just being stupid/paranoid?
Well, anyway, here's the ESET log.



# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3856 (20090216)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=242700b8e503864fab10c343292f18d4
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-02-16 11:38:36
# local_time=2009-02-16 06:38:36 (-0500, Eastern Standard Time)
# country="United States"
# osver=6.0.6001 NT Service Pack 1
# scanned=444175
# found=0
# scan_time=37393

#15 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:07:11 PM

Posted 17 February 2009 - 04:55 PM

Hello, DaveR

Why was it "reinstalled" or am I just being stupid/paranoid?

I don't believe it ever "reinstalled." I suspect you may have seen an "update for SP1" which may have led you to that conclusion. But as far as I know you can't remove SP1 without rolling it back with System Restore.

Congratulations! You now appear clean! :thumbup2:

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware
We Need to Remove ComboFix
  • Please go to Start -> Run
  • Enter "ComboFix /u" (without quotes). Note the space between "ComboFix" and "/u", it needs to be there.
  • Press OK (Or hit enter).
  • Allow ComboFix to remove itself.
We Need to Clean Up Our Mess
  • Please download OTCleanIt from one of the following mirrors and save it to your desktop:
  • Double click the OTCleanIt icon.
  • Push the large "Cleanup" button.
  • Allow your system to reboot.
Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use, but the paid versions provide a resident scanner and do not nag.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :).
BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
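
Two of the threads running through the last few posts can be settled from the machine itself rather than from memory: whether SP1 is present (and why the update history may not mention it), and whether the hosts file the MVPs list is about to replace currently redirects anything. The PowerShell below is an added example, not part of Billy's post or of any tool he names. It uses the standard Win32_OperatingSystem WMI class, the Windows Update Agent COM API and the default hosts file path; the function names and the treatment of build 6001 as the Vista SP1 build (the figure the ComboFix header above reports as "Windows 6.0.6001 Service Pack 1") are this example's own.

```powershell
# Added example (not from the thread): confirm the service-pack level, read the
# Windows Update history, and audit the hosts file. Function names and the
# "6001 = Vista SP1" check are this example's own reference points.

function Get-ServicePackState {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    New-Object PSObject -Property @{
        Caption     = $os.Caption
        Version     = $os.Version        # 6.0.6000 = Vista RTM, 6.0.6001 = Vista SP1
        CSDVersion  = $os.CSDVersion     # "Service Pack 1" once SP1 is in place
        RegistryCSD = $cv.CSDVersion     # same fact from the registry; the two should agree
        IsSP1       = ($os.BuildNumber -eq '6001') -and ($os.ServicePackMajorVersion -eq 1)
    }
}

function Get-ServicePackHistory {
    # The update history DaveR looked at, read through the WUA API. A service
    # pack applied from standalone media, or already part of the install image,
    # never shows up here, which is one reason the history can be silent about SP1.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    if ($count -eq 0) { return @() }
    $searcher.QueryHistory(0, $count) |
        Where-Object { $_.Title -like '*Service Pack*' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Date   = $_.Date
                Title  = $_.Title
                Result = $_.ResultCode   # WUA OperationResultCode: 2 succeeded, 4 failed, 5 aborted
            }
        }
}

function Test-HostsFile {
    # An entry that maps a name to anything other than a loopback/blackhole
    # address redirects traffic instead of blocking it. That is the shape of a
    # hijacked hosts file, and the opposite of what the MVPs list does.
    param([string]$Path = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'))
    $blocking = @('127.0.0.1', '0.0.0.0', '::1')
    foreach ($raw in Get-Content -LiteralPath $Path) {
        $line = ($raw -split '#')[0].Trim()      # drop comments and blank lines
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }
        for ($i = 1; $i -lt $fields.Count; $i++) {
            New-Object PSObject -Property @{
                Address  = $fields[0]
                Hostname = $fields[$i]
                Redirect = -not ($blocking -contains $fields[0])
            }
        }
    }
}

Get-ServicePackState | Format-List
Get-ServicePackHistory | Sort-Object Date | Format-Table -AutoSize Date, Result, Title
Test-HostsFile | Where-Object { $_.Redirect } | Format-Table -AutoSize Address, Hostname
```

If `IsSP1` is true while the history shows no "Service Pack 1" entry, that is the situation Billy describes: SP1 is present but was never delivered through Windows Update on this install, so nothing was "reinstalled". The hosts rows flagged as `Redirect` are not automatically malicious (an intranet name pointed at a real server looks the same); what you are looking for is well-known public domains, especially security vendors' update sites, mapped to an address you did not put there.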



