
Infected with WebRootKit.TDSS


27 replies to this topic

#1 saskjohnny
  • Members
  • 12 posts

Posted 18 March 2009 - 01:52 PM

Having had a number of issues with the computer, including it slowing down terribly as well as seeming to re-direct some searches to strange sites, etc... I decided to try to track down what might be wrong. After some tries with online and downloadable virus and spyware programs, I was finally able to get an answer from AdAware that it was (and I believe I typed it right above..) WebRootKit.TDSS... Now I am unsure if it was Win32RootKit.TDSS... If these are both real names, please let me know and I will reinstall AdAware and find out again... My apologies. I told AdAware to remove it, but even though all appeared good, including reboot, etc.. The infection simply reappeared. AdAware was the only program that I could find that would actually install and run, where some would not install at all or others would install but not run... And from my understanding, that is because the infection is able to recognize and stop them. (These included Spyware Search & Destroy and Malwarebytes Anti-Malware).

I am hoping that by posting here, I will be able to track down the right way to clear the computer up. I am not against doing a re-format, but of course, would rather just clean it if possible.

Thank you ahead of time for any help you can provide....

John



DDS (Ver_09-03-16.01) - NTFSx86
Run by Beverly Beekmans at 12:35:10.57 on 18/03/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.85 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\vVX3000.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Beverly Beekmans\My Documents\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Bar =
uDefault_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=0060914
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~2.EXE -Update -1103471 -"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7" -"http://www.neopets.com/games/dgs/play_shockwave.phtml?va=&game_id=356&nc_referer=&age=1&hiscore=1650&sp=0&questionSet=&r=9185363&width=480&height=460&quality=high"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\beverl~1\startm~1\programs\startup\picaboo.lnk - c:\program files\picaboo\picaboo\PicabooMain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZU
IE: &Translate English Word - c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar3.dll/cmcache.html
IE: Similar Pages - c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar3.dll/cmtrans.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} - hxxp://www.worldwinner.com/games/v46/scrabblecubes/scrabblecubes.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159315466312
DPF: {74EF5274-F439-2168-B543-14745B625C72} - hxxp://games.bigfishgames.com/en_wedding-dash-2-rings-around-world-game/online/WeddingDash2Web.1.0.0.11.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://zone.msn.com/bingame/chnz/default/mjolauncher.cab
DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} - hxxp://www.gamehouse.com/games/tumblebugs/axhost.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} - hxxp://games.bigfishgames.com/en_zenerchi/online/ZenerchiWeb.1.0.0.10.cab
DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} - hxxp://simcity.ea.com/play/classic/SimCityX.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} - hxxp://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D410AFBD-4E26-4D5F-840F-0412D6F6BB8D} - hxxp://games.bigfishgames.com/en_sandscript/online/SandScript.1.0.0.21.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://zone.msn.com/bingame/feed/default/SproutLauncher.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/popcaploader_v10.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\beverl~1\applic~1\mozilla\firefox\profiles\h1e9z4fm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://www.ask.com/web?o=101447&l=dis&q=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvirtools.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-15 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2006-11-18 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-15 107912]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-15 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-15 298264]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 gel90xne;gel90xne;c:\docume~1\beverl~1\locals~1\temp\gel90xne.sys [2004-11-28 31744]

=============== Created Last 30 ================

2009-03-18 12:10 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-18 12:10 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-18 12:10 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-18 12:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-18 11:34 22,671 a------- c:\windows\system32\AAWService_2009_03_18_11_34_45.dmp
2009-03-17 21:27 0 a------- c:\windows\system32\AAWService_2009_03_17_21_27_56.dmp
2009-03-17 21:05 0 a------- c:\windows\system32\AAWService_2009_03_17_21_05_19.dmp
2009-03-16 10:28 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-15 11:21 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-03-15 10:59 107,912 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-15 10:59 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-15 10:59 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-15 10:58 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-03-15 10:58 <DIR> --d----- c:\program files\AVG
2009-03-15 10:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-03-01 20:13 <DIR> --d----- c:\docume~1\beverl~1\applic~1\TheScruffs
2009-03-01 20:13 <DIR> --dsh--- c:\windows\ftpcache
2009-03-01 20:12 <DIR> --d----- c:\program files\The Scruffs
2009-03-01 00:02 1,409 a------- c:\windows\QTFont.for
2009-03-01 00:02 54,156 a---h--- c:\windows\QTFont.qfn

==================== Find3M ====================

2009-03-13 12:48 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-14 11:22 21,840 a------t c:\windows\system32\SIntfNT.dll
2009-02-14 11:22 17,212 a------t c:\windows\system32\SIntf32.dll
2009-02-14 11:22 12,067 a------t c:\windows\system32\SIntf16.dll
2009-02-09 05:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 05:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 03:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 03:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-18 23:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-18 23:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-10-25 17:04 14,292 a------- c:\docume~1\beverl~1\applic~1\wklnhst.dat
2008-05-19 13:52 32 a----r-- c:\documents and settings\all users\hash.dat
2008-03-03 11:54 81,920 a------- c:\docume~1\beverl~1\applic~1\ezpinst.exe
2008-03-03 11:54 47,360 a------- c:\docume~1\beverl~1\applic~1\pcouffin.sys
2006-09-24 14:41 774,144 a------- c:\program files\RngInterstitial.dll
2007-10-03 21:02 88 ---shr-- c:\windows\system32\EEEE88744C.sys
2007-10-03 21:02 3,350 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-10-26 12:33 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102620081027\index.dat

============= FINISH: 12:36:31.06 ===============

Edited by saskjohnny, 18 March 2009 - 02:01 PM.
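As an added example (my code, not part of the thread and not a DDS or BleepingComputer tool): a small Python triage pass over the DDS log format shown above. It parses the two entry shapes a responder reads first, the "R1 name;description;path [date size]" service/driver lines and the "date time size attrs path" lines from the Created Last 30 / Find3M sections, and flags two things visible in this very log: a kernel driver registered from a user temp directory (the gel90xne entry) and non-directory files carrying both the system and hidden attributes under the Windows directory. A hit is a prompt for review, not a verdict; the sample lines are copied from the log above, and the regexes are my reading of the DDS layout.

```python
import re
from typing import List, Tuple

# Lines copied from the DDS log in the first post (constructed excerpt so the
# example runs offline). Raw string: backslashes are literal.
SAMPLE_DDS = r"""
S3 gel90xne;gel90xne;c:\docume~1\beverl~1\locals~1\temp\gel90xne.sys [2004-11-28 31744]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-15 325640]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
2009-03-18 12:10 15,504 a------- c:\windows\system32\drivers\mbam.sys
2007-10-03 21:02 88 ---shr-- c:\windows\system32\EEEE88744C.sys
2007-10-03 21:02 3,350 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-03-01 20:13 <DIR> --dsh--- c:\windows\ftpcache
"""

# "R1 name;description;path [date size]" service/driver entries (assumed layout).
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)(?:\s+\[[^\]]*\])?$"
)
# "date time size attrs path" entries from Created Last 30 / Find3M (assumed layout).
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>[\d,]+|<DIR>)\s+"
    r"(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$",
    re.IGNORECASE,
)

# A legitimate kernel driver has no business living in a temp directory.
TEMP_MARKER = "\\temp\\"


def triage_dds(text: str) -> List[Tuple[str, str]]:
    """Return (reason, path) pairs for log entries that deserve a human look."""
    hits: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            path = m.group("path")
            if path.lower().endswith(".sys") and TEMP_MARKER in path.lower():
                hits.append(("kernel driver registered from a temp directory", path))
            continue
        m = FILE_RE.match(line)
        if m:
            attrs = m.group("attrs").lower()
            path = m.group("path")
            is_dir = m.group("size").upper() == "<DIR>" or "d" in attrs
            # Files that are both system and hidden under \windows\ are a classic
            # place for malware droppings; legitimate ones exist too, hence "review".
            if not is_dir and "s" in attrs and "h" in attrs and "\\windows\\" in path.lower():
                hits.append(("hidden+system file under the Windows directory", path))
    return hits


if __name__ == "__main__":
    for reason, path in triage_dds(SAMPLE_DDS):
        print(f"{reason}: {path}")
```

Run it as-is to see the three entries from the log that match; feed it a full DDS log to triage one of your own. The rules are deliberately narrow: they surface what to look at, and the responder decides.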




#2 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 20 March 2009 - 07:33 PM

Hello.

TDSSserv is a nasty rootkit like any other rootkits. Let me know if you decide to format or not. If not, we will continue next post.

Rootkit Threat

Unfortunately, one or more of the identified infections is a rootkit/backdoor trojan.

IMPORTANT NOTE: Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms, and they steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections, but we cannot guarantee it to be trustworthy or that the removal will be successful. Tell me what you want to do.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 23 March 2009 - 03:24 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding. :thumbup2:

With Regards,
Extremeboy

#4 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 25 March 2009 - 02:35 PM

Hello.

Due to Lack of feedback, this topic is now Closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.

With Regards,
Extremeboy


#5 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 27 March 2009 - 02:23 PM

Hello.

Topic re-opened upon user's request. Post any questions you have. I will answer them as best as I can. :thumbup2:

With Regards,
Extremeboy

#6 saskjohnny
  • Topic Starter
  • Members
  • 12 posts

Posted 27 March 2009 - 02:36 PM

I have debated the idea of re-formatting the computer.. Of course, one issue I do have is that I am curious if backing up my data is going to cause the rootkit stuff to copy over (like viruses used to pass from computer to computer on floppies, etc). If I make a CD of my data, am I going to end up with the rootkit again once re-formatted? This computer is connected to another in the home and I am also thinking that I could just copy the data to that one quickly, but again, is it risking too much?

From what I have seen about this issue.. it seems that it's POSSIBLE but an EXTREME amount of work to kill off the rootkit, etc.. and that it's never known for sure if it's still 'hiding' there somewhere.

One other question (and I apologize if I have missed this somewhere).. This computer came with a 'restore' function (I think most are like this now.. the drive is partitioned with a factory setup on one that can be re-set onto drive C, etc).. Is this going to be something that will work.. or is the whole physical drive infected?

I am sorry if it is a lot of questions at once.

I just want the computer back to "normal". :thumbup2: Thank you for your willingness to help out here.

#7 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 27 March 2009 - 03:39 PM

Hello.

Good questions.

Using a CD to back up data is the safest way. This is what I have to say when backing up your data.

When backing up files and data there are mainly 2 general guidelines:

1) Back up all your important data files, pictures, music, work etc... and save them onto an external hard drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not back up any executable files or any Windows files. These include .exe, .scr, .com, .pif etc... as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.

Note: Some may want to be safe, wondering if their data files are infected or not, so to make sure you should scan those files using an anti-virus scanner and an anti-malware/anti-spyware scanner, making sure they are free from malware before transferring them to your newly formatted computer. From what I have seen the results were always CLEAN, meaning they were not infected at all.

From what I have seen about this issue.. it seems that it's POSSIBLE but an EXTREME amount of work to kill off the rootkit, etc.. and that it's never known for sure if it's still 'hiding' there somewhere.

Well, I wouldn't say it takes an extreme amount of work. I have dealt with many rootkits and even other nasty infections, so I wouldn't think the difficulty is very high, but the infection you have is more the question. It's a very nasty infection and compromises your computer; do you feel safe with a computer that was compromised? Please understand that it is NOT that I DON'T want to help you remove this infection, but rather I want you to know the type of infection you currently have and act accordingly.

If you're using an IBM, HP, Compaq or Dell machine, you may not have an original XP CD and therefore there is something called the Recovery Partition. This is another way to "format" the computer. However, everything WILL BE GONE, like a format using the Windows XP disk if you do not have one.

With Regards,
Extremeboy
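As an added example (my code, not the helper's advice verbatim and not a BleepingComputer tool): a Python script that applies the two backup guidelines above when staging files from an infected profile. Data types are kept by an allowlist, executables and web pages are refused by the extensions the post names, and anything else goes into a review pile instead of being copied blindly. It goes slightly beyond the post in one respect: only the last extension is consulted, so a file named "photo.jpg.exe" is treated as an executable. The extension sets and the sample profile tree are my constructed assumptions.

```python
import os
import shutil
import tempfile
from pathlib import Path
from typing import List, Tuple

# Data types the post says to keep (assumed allowlist; extend for your own data).
DATA_EXTENSIONS = {".doc", ".xls", ".txt", ".rtf", ".pdf",
                   ".mp3", ".wav", ".jpg", ".jpeg", ".png", ".gif"}
# Types the post says never to carry over: executables and saved web pages.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                      ".dll", ".sys", ".htm", ".html"}


def classify(path: Path) -> str:
    """'keep', 'blocked' or 'review' based on the file's last extension only."""
    ext = path.suffix.lower()          # "photo.jpg.exe" -> ".exe"
    if ext in BLOCKED_EXTENSIONS:
        return "blocked"
    if ext in DATA_EXTENSIONS:
        return "keep"
    return "review"                    # unknown type: neither copy nor silently drop


def select_for_backup(root: Path) -> Tuple[List[str], List[str], List[str]]:
    """Walk root and sort every file into keep / blocked / review (relative paths)."""
    piles = {"keep": [], "blocked": [], "review": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            piles[classify(p)].append(rel)
    return sorted(piles["keep"]), sorted(piles["blocked"]), sorted(piles["review"])


def copy_backup(root: Path, dest: Path) -> List[str]:
    """Copy only the 'keep' pile to dest, preserving the relative layout."""
    keep, _blocked, _review = select_for_backup(root)
    for rel in keep:
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(root / rel, target)
    return keep


def build_sample_tree(root: Path) -> None:
    """Constructed sample profile (not taken from the thread)."""
    files = {
        "My Documents/letter.doc": b"doc",
        "My Documents/notes.txt": b"notes",
        "My Pictures/holiday.jpg": b"jpg",
        "My Music/song.mp3": b"mp3",
        "Desktop/game_setup.exe": b"MZ",
        "Desktop/saver.scr": b"MZ",
        "Desktop/photo.jpg.exe": b"MZ",       # double extension: must be blocked
        "Desktop/saved_page.html": b"<html>",
        "Desktop/archive.zip": b"PK",         # unknown type: goes to review
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Build the sample tree, stage a backup, and confirm only 'keep' files landed."""
    with tempfile.TemporaryDirectory() as tmp:
        root, dest = Path(tmp) / "profile", Path(tmp) / "backup"
        build_sample_tree(root)
        copied = copy_backup(root, dest)
        landed = sorted(str(p.relative_to(dest)).replace(os.sep, "/")
                        for p in dest.rglob("*") if p.is_file())
        assert landed == copied
        return select_for_backup(root)


if __name__ == "__main__":
    for label, pile in zip(("keep", "blocked", "review"), demo()):
        print(label, pile)
```

Point it at the real profile directory and a destination on the external drive. The review pile is the useful part in practice: archives and unknown formats are exactly what should go through the scanners the note above mentions before they are carried over.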

#8 saskjohnny
  • Topic Starter
  • Members
  • 12 posts

Posted 27 March 2009 - 03:55 PM

I will be more than happy giving it a shot.. and trying to make it work.

I understand that it will be a 'formerly compromised computer' in the end.. but I suppose that I really would like to clean it up without having to re-download/re-install, etc etc .. Of course, if a 'once compromised' means 'always compromised'.. maybe I have the wrong thought pattern.. Because, if it means they still have 'control' in some sense.. even after 'cleaning'.. that would not be good.

I am interested, however, if it is possible to truly clean it up.

Let me know what I need to do to help you discover what may/may not be done, etc. (I did put up the information at the beginning of this topic, but don't entirely know if that helps or what.. :thumbup2:).

Thank you again for your time.. I look forward to hearing from you.. and I do have a lot of patience, and understand it's a busy site.. so I am not expecting some instant miracle :) hehe..

John

#9 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 27 March 2009 - 04:17 PM

Hello.

Well not in that aspect. It can be fixed but then it's mostly YOU. Do you trust the computer still? Information might have been stolen so it's all a matter about how YOU feel about this situation.

Let's try to clean this mess up then.

Download and Run Combofix

Important: Before we start please disable any anti-virus programs or any real-time protection that is enabled.

Please refer to this page if you're unsure how.
  • Please follow the instructions for running ComboFix from here
  • Please read the guide carefully, follow every instruction precisely and remember to install the Recovery Console first.
Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Download the appropriate Windows XP setup boot disk and drag it onto ComboFix.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • After you successfully install the Recovery Console, you will see a window. Please select Yes.
  • ComboFix will then run; when ComboFix is finished, it will create a log for you. Please copy and paste that log in your next reply.
  • Please post that log in your next reply. (The log is located at C:\ComboFix.txt.)
Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Post back with the Combofix log once it's done :thumbup2:

With Regards,
Extremeboy

#10 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 29 March 2009 - 10:59 AM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding. :thumbup2:

With Regards,
Extremeboy

#11 saskjohnny
  • Topic Starter
  • Members
  • 12 posts

Posted 30 March 2009 - 01:18 PM

I will absolutely give this a try. I apologize that I didn't get back to you right away there... Simple family stuff going on. My apologies :thumbup2:

I will try to give this a try today/this evening and will post what I can back to you then (or early tomorrow if need be).

Thank you again.

John

#12 saskjohnny
  • Topic Starter
  • Members
  • 12 posts

Posted 30 March 2009 - 02:05 PM

Well.. I attempted to do what you had suggested.. I did the things that were mentioned, such as shutting down anti-virus and firewalls as well. I downloaded the combofix program (to the desktop as suggested) .. etc etc.. made sure nothing was running.. and tried to run it. It would come up with the box asking if I wanted to run it because it did not have a digital signature.. as it said in the manual it would do. I said 'run' and then it wouldn't do anything.. I gave it time.. nothing.. I tried again with a fresh re-boot.. I tried again and again with trying to be sure everything was surely closed, etc.

The program simply would not get by that first question.. nothing would come up on the screen after that went away.. no windows of any kind.. the hard drive light was not flashing.. etc etc. (Almost like with most anti-virus / anti-spyware programs I previously tried to download, it was like the 'virus' or whatever it is was able to recognize and stop this program).

Any thoughts?

:/

#13 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 30 March 2009 - 02:50 PM

Hello.

Delete Combofix you have, and follow the instructions below and see if it will run this time.

Download and Run ComboFix (Rename Before Saving)

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3


Refer to the page below for further instructions on running ComboFix. This includes installing the Recovery Console. Note that you do not need your Windows XP disk to install it. Refer to this page if you are unsure how.

Double click on Combo-Fix.exe & follow the prompts.

When finished, it will open a report for you. Post back with it. It is at C:\ComboFix.txt.

Do not mouseclick the ComboFix window while it's running. That may cause it to stall.

With Regards,
Extremeboy

#14 saskjohnny (Topic Starter, Members, 12 posts)

Posted 30 March 2009 - 03:43 PM

Ok.. here is the outcome from ComboFix (and thank you for helping with getting it to run!)

--

ComboFix 09-03-29.04 - Beverly Beekmans 2009-03-30 14:29:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.210 [GMT -6:00]
Running from: c:\documents and settings\Beverly Beekmans\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\drivers\UACrfviqjir.sys
c:\windows\system32\EEEE88744C.sys
c:\windows\system32\UACcagckkyl.dll
c:\windows\system32\UACfmurqptb.dat
c:\windows\system32\UAChxwbuyta.log
c:\windows\system32\UACidudqpux.dll
c:\windows\system32\UACilametqv.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACkmxenarw.dll
c:\windows\system32\UAConbgrqpn.dll
c:\windows\system32\UACwgxqtjid.log
c:\windows\system32\UACymqlrsoj.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-30 )))))))))))))))))))))))))))))))
.

2009-03-27 13:07 . 2009-03-27 13:07 0 --a------ c:\windows\system32\AAWService_2009_03_27_13_07_05.dmp
2009-03-27 12:54 . 2009-03-27 13:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-27 12:50 . 2009-03-27 12:50 0 --a------ c:\windows\system32\AAWService_2009_03_27_12_50_00.dmp
2009-03-23 23:41 . 2009-03-23 23:41 <DIR> d-------- C:\users
2009-03-23 23:38 . 2009-03-24 00:26 <DIR> d-------- c:\program files\RealArcade
2009-03-18 12:10 . 2009-03-18 12:10 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-18 12:10 . 2009-03-18 12:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-18 12:10 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-18 12:10 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-18 11:34 . 2009-03-18 11:34 22,671 --a------ c:\windows\system32\AAWService_2009_03_18_11_34_45.dmp
2009-03-17 21:27 . 2009-03-17 21:27 0 --a------ c:\windows\system32\AAWService_2009_03_17_21_27_56.dmp
2009-03-17 21:05 . 2009-03-17 21:05 0 --a------ c:\windows\system32\AAWService_2009_03_17_21_05_19.dmp
2009-03-17 20:15 . 2009-03-27 13:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-16 11:18 . 2009-03-16 11:21 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-03-16 10:37 . 2009-03-16 10:37 <DIR> d-------- c:\program files\Windows Defender
2009-03-16 10:28 . 2009-03-27 13:39 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-15 11:21 . 2009-03-15 11:37 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-15 10:59 . 2009-03-15 10:59 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-03-15 10:59 . 2009-03-27 08:06 108,552 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-03-15 10:59 . 2009-03-15 10:59 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-03-15 10:58 . 2009-03-30 09:17 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-03-15 10:58 . 2009-03-15 10:58 <DIR> d-------- c:\program files\AVG
2009-03-15 10:58 . 2009-03-15 10:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-01 20:13 . 2009-03-01 20:13 <DIR> d--hs---- c:\windows\ftpcache
2009-03-01 20:13 . 2009-03-01 20:13 <DIR> d-------- c:\documents and settings\Beverly Beekmans\Application Data\TheScruffs
2009-03-01 20:12 . 2009-03-01 20:13 <DIR> d-------- c:\program files\The Scruffs
2009-02-22 11:10 . 2009-02-22 11:10 <DIR> d-------- c:\documents and settings\Beverly Beekmans\Application Data\PlayFirst
2009-02-22 11:10 . 2009-02-22 11:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\PlayFirst
2009-02-03 17:53 . 2009-02-03 17:53 <DIR> d-------- c:\windows\system32\Dell

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-29 23:50 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-16 16:46 --------- d-----w c:\program files\Java
2009-03-13 18:48 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-03-02 03:08 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-02 02:11 --------- d-----w c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-02-27 12:46 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-14 17:22 21,840 ----atw c:\windows\system32\SIntfNT.dll
2009-02-14 17:22 17,212 ----atw c:\windows\system32\SIntf32.dll
2009-02-14 17:22 12,067 ----atw c:\windows\system32\SIntf16.dll
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys
2009-01-17 03:35 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-19 09:10 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-05 06:54 144,896 ----a-w c:\windows\system32\schannel.dll
2008-12-05 06:54 144,896 ------w c:\windows\system32\dllcache\schannel.dll
2008-10-25 23:04 14,292 ----a-w c:\documents and settings\Beverly Beekmans\Application Data\wklnhst.dat
2008-05-19 19:52 32 ----a-r c:\documents and settings\All Users\hash.dat
2008-03-03 17:54 81,920 ----a-w c:\documents and settings\Beverly Beekmans\Application Data\ezpinst.exe
2008-03-03 17:54 47,360 ----a-w c:\documents and settings\Beverly Beekmans\Application Data\pcouffin.sys
2006-09-24 20:41 774,144 ----a-w c:\program files\RngInterstitial.dll
2007-10-04 03:02 3,350 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-10-26 18:33 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102620081027\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-11-30 4662776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 98304]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-27 185896]
"VX3000"="c:\windows\vVX3000.exe" [2006-10-13 707376]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 277296]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-31 385024]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-15 1932568]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-13 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-15 10:59 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\LDA Games\\Rival Ball\\Rival Ball.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-15 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-15 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-03-15 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-15 298264]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 gel90xne;gel90xne;\??\c:\docume~1\BEVERL~1\LOCALS~1\Temp\gel90xne.sys --> c:\docume~1\BEVERL~1\LOCALS~1\Temp\gel90xne.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-03-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-03-30 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZU
IE: &Translate English Word - c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar3.dll/cmcache.html
IE: Similar Pages - c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar3.dll/cmtrans.html
DPF: {74EF5274-F439-2168-B543-14745B625C72} - hxxp://games.bigfishgames.com/en_wedding-dash-2-rings-around-world-game/online/WeddingDash2Web.1.0.0.11.cab
DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} - hxxp://www.gamehouse.com/games/tumblebugs/axhost.cab
DPF: {D410AFBD-4E26-4D5F-840F-0412D6F6BB8D} - hxxp://games.bigfishgames.com/en_sandscript/online/SandScript.1.0.0.21.cab
FF - ProfilePath - c:\documents and settings\Beverly Beekmans\Application Data\Mozilla\Firefox\Profiles\h1e9z4fm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://www.ask.com/web?o=101447&l=dis&q=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\extensions\npmozax@real.com\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvirtools.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-30 14:36:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2009-03-30 14:39:00
ComboFix-quarantined-files.txt 2009-03-30 20:37:43

Pre-Run: 72,283,103,232 bytes free
Post-Run: 72,963,489,792 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

202 --- E O F --- 2009-03-30 17:59:31

#15 extremeboy (Malware Response Team, 12,975 posts)

Posted 30 March 2009 - 03:59 PM

Hello.

Let's remove this leftover on your machine.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    Driver::
    gel90xne
    File::
    c:\docume~1\BEVERL~1\LOCALS~1\Temp\gel90xne.sys
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Drag CFScript onto ComboFix.exe, as shown in the picture accompanying the original post.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes..
  • When it's done scanning, you may receive another notice. Click OK if prompted.
  • Click on Save ... to save the log on your desktop.
    Save the log as GMER.txt when you save it on your desktop.
  • Close Gmer and copy and paste the contents of GMER.txt in your next reply.
  • If you receive no notice, click on the Scan button near the bottom.
  • It will start scanning again like before.
  • When it is done, Click on Save ... to save the log on your desktop.
    Save the log as GMER.txt when you save it on your desktop.
  • Close Gmer and copy and paste the contents of GMER.txt in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode.
Note: Do Not run any program while GMER is running

Important! Please do not select the Show all checkbox during the scan.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post back with:
-Combofix log
-GMER log
-MBAM log


With Regards,
Extremeboy
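The two ComboFix posts above (the log in #14 and the CFScript in #15) suggest a small triage tool. What follows is an added example for this thread, not code from the thread, from ComboFix or from the Malware Response Team: it reads a ComboFix-style log, flags the indicators that stand out in post #14, and emits a CFScript in the Driver::/File:: form shown in post #15. The heuristics are this example's own assumptions: the "UAC" prefix followed by eight random letters (and the fixed name uacinit.dll), a driver whose image path lives in a Temp folder, the "[?]" placeholder where ComboFix printed no date/size for the gel90xne entry, and "EnableFirewall"=0. The sample log is a constructed excerpt of lines copied from post #14; the R/S service-line layout is inferred from that excerpt only.

```python
"""Triage a ComboFix log for TDSS/UAC-style indicators and build a CFScript.

Added example for this thread; not code from the thread, ComboFix or the
Malware Response Team.  All heuristics here are assumptions based on the
log posted above, not documented ComboFix behaviour.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines lifted verbatim from the ComboFix log in post #14,
# keeping one of each case (benign file, UAC files, deleted service, firewall
# key, legitimate drivers, orphaned driver loading from Temp).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\windows\IE4 Error Log.txt
c:\windows\system32\drivers\UACrfviqjir.sys
c:\windows\system32\EEEE88744C.sys
c:\windows\system32\UACcagckkyl.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACwgxqtjid.log

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\Service_UACd.sys

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-15 325640]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 gel90xne;gel90xne;\??\c:\docume~1\BEVERL~1\LOCALS~1\Temp\gel90xne.sys --> c:\docume~1\BEVERL~1\LOCALS~1\Temp\gel90xne.sys [?]
"""

# "UAC" + eight random letters + dll/sys/dat/log, or the fixed loader name.
# The eight-letter length is an assumption drawn from the log above.
UAC_NAME = re.compile(r"(?i)^(uac[a-z]{8}\.(dll|sys|dat|log)|uacinit\.dll)$")
# Driver/service line as it appears in the log: "<R|S><n> <name>;<display>;<image> [<date size>]"
SERVICE_LINE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]\s*$")
DRIVE_PATH = re.compile(r"^[a-z]:\\", re.I)
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')
SERVICE_DELETED = "-------\\Service_"


@dataclass
class Finding:
    kind: str    # uac_file | uac_service | suspicious_driver | firewall_disabled
    detail: str


@dataclass
class Triage:
    findings: list = field(default_factory=list)
    drivers_to_remove: list = field(default_factory=list)  # names for Driver::
    files_to_remove: list = field(default_factory=list)    # paths for File::


def triage_log(text: str) -> Triage:
    t = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(SERVICE_DELETED):
            name = line[len(SERVICE_DELETED):]
            if name.upper().startswith("UAC"):
                t.findings.append(Finding("uac_service", name))
            continue
        if FIREWALL_OFF.match(line):
            t.findings.append(Finding("firewall_disabled", line))
            continue
        m = SERVICE_LINE.match(line)
        if m:
            name, path, stamp = m.group(2), m.group(4), m.group(5)
            if "-->" in path:                  # "\??\path --> resolved path"
                path = path.split("-->")[-1].strip()
            orphaned = stamp.strip() == "?"    # no date/size printed: file absent
            from_temp = "\\temp\\" in path.lower()  # drivers do not belong in Temp
            if orphaned or from_temp:
                t.findings.append(Finding("suspicious_driver", f"{name} -> {path}"))
                t.drivers_to_remove.append(name)
                t.files_to_remove.append(path)
            continue
        if DRIVE_PATH.match(line) and UAC_NAME.match(line.rsplit("\\", 1)[-1]):
            t.findings.append(Finding("uac_file", line))
    return t


def build_cfscript(t: Triage) -> str:
    """Emit Driver::/File:: directives in the layout used in post #15."""
    out = []
    if t.drivers_to_remove:
        out.append("Driver::")
        out.extend(t.drivers_to_remove)
    if t.files_to_remove:
        out.append("File::")
        out.extend(t.files_to_remove)
    return "\n".join(out) + "\n" if out else ""


if __name__ == "__main__":
    result = triage_log(SAMPLE_LOG)
    for f in result.findings:
        print(f"{f.kind:<18} {f.detail}")
    print(build_cfscript(result), end="")
```

Run against the excerpt, the script flags the four UAC-named files, the deleted UACd service, the disabled firewall and the orphaned gel90xne driver, and the generated CFScript matches the one extremeboy wrote by hand in post #15. The AVG and Windows Defender entries are left alone because they have a real date/size and load from Program Files or system32; that distinction, not the name, is what the heuristic keys on.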



