Avast Found BV:Auto Run-T(WRM) C:\autorun.inf


11 replies to this topic

#1 Alpha King


Posted 23 March 2009 - 06:17 AM

Yesterday I downloaded a file that I believe infected my desktop computer (Bad Dobby! Dobby will have to punish himself most grievously).

Avast did say it was scanning the download for viruses and then allowed me to save it to my desktop. Avast did not catch it until it had finished downloading; then it warned me of a worm. I immediately allowed Avast to deal with it (quarantine it), but almost instantly I lost internet connectivity and Windows Firewall was shut down. I use a router, and my laptop can still connect to the web, but I cannot get the desktop to connect through the same connection. I am using the laptop to download/post etc.

Avast was up to date.

I cannot run a Kaspersky scan on the desktop, as the free version is an online scan only.

I have done a full Avast scan, and it found the autorun.inf on both the C: and F: internal drives on my desktop. Avast quarantined both, and I asked it to delete them. On reboot there is no change in the problem. Windows starts with the firewall disabled, and I have no internet connectivity. I can manually restart Windows Firewall, and have done so before any scans, as instructed on the guide pages.

I reviewed the FAQ/guides on the site and noted:
1. Unblock MBAM by following the directions in this self-help guide

http://www.malwarebytes.org/forums/index.php?showtopic=12709

When I started RootRepeal, I got "Could not find kernel on disk (C:\WINDOWS\system32\ntoskrnl.exe)!"

I hit OK and did a scan under Files only and got a report that does not show any of the typical culprits listed in the guide, but I do see four .sys files.

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/03/23 06:30
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\My Downloads
Status: Could not get file information (Error 0xc0000008)

Path: C:\AUTOEXEC.BAT
Status: Could not get file information (Error 0xc0000008)

Path: C:\boot.ini
Status: Could not get file information (Error 0xc0000008)

Path: C:\Config Manager
Status: Could not get file information (Error 0xc0000008)

Path: C:\CONFIG.SYS
Status: Could not get file information (Error 0xc0000008)

Path: C:\CPIC32
Status: Could not get file information (Error 0xc0000008)

Path: C:\debug1.txt
Status: Could not get file information (Error 0xc0000008)

Path: C:\DFIMB.DAT
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings
Status: Could not get file information (Error 0xc0000008)

Path: C:\Drivers 4 WINXP
Status: Could not get file information (Error 0xc0000008)

Path: C:\ffastun.ffa
Status: Could not get file information (Error 0xc0000008)

Path: C:\ffastun.ffl
Status: Could not get file information (Error 0xc0000008)

Path: C:\ffastun.ffo
Status: Could not get file information (Error 0xc0000008)

Path: C:\ffastun0.ffx
Status: Could not get file information (Error 0xc0000008)

Path: C:\ffastunT.ffl
Status: Could not get file information (Error 0xc0000008)

Path: C:\GetFlashID.txt
Status: Could not get file information (Error 0xc0000008)

Path: C:\GTR
Status: Could not get file information (Error 0xc0000008)

Path: C:\hiberfil.sys
Status: Could not get file information (Error 0xc0000008)

Path: C:\Identities
Status: Could not get file information (Error 0xc0000008)

Path: C:\ie-spyad2
Status: Could not get file information (Error 0xc0000008)

Path: C:\IO.SYS
Status: Could not get file information (Error 0xc0000008)

Path: C:\LM9831Log.txt
Status: Could not get file information (Error 0xc0000008)

Path: C:\LTE0NNW1
Status: Could not get file information (Error 0xc0000008)

Path: C:\lxbs.log
Status: Could not get file information (Error 0xc0000008)

Path: C:\MSDOS.SYS
Status: Could not get file information (Error 0xc0000008)

Path: C:\NTDETECT.COM
Status: Could not get file information (Error 0xc0000008)

Path: C:\ntldr
Status: Could not get file information (Error 0xc0000008)

Path: C:\NVIDIA
Status: Could not get file information (Error 0xc0000008)

Path: C:\PI30CCW1
Status: Could not get file information (Error 0xc0000008)

Path: C:\PlotandPublishLog.CSV
Status: Could not get file information (Error 0xc0000008)

Path: C:\Program Files
Status: Could not get file information (Error 0xc0000008)

Path: C:\QuickTax 2004
Status: Could not get file information (Error 0xc0000008)

Path: C:\QuickTax 2006
Status: Could not get file information (Error 0xc0000008)

Path: C:\RECYCLER
Status: Could not get file information (Error 0xc0000008)

Path: C:\System Volume Information
Status: Could not get file information (Error 0xc0000008)

Path: C:\TakeStock
Status: Could not get file information (Error 0xc0000008)

Path: C:\Temp
Status: Could not get file information (Error 0xc0000008)

Path: C:\unzipped
Status: Could not get file information (Error 0xc0000008)

Path: C:\VUESCAN
Status: Could not get file information (Error 0xc0000008)

Path: C:\WINDOWS
Status: Could not get file information (Error 0xc0000008)

Path: C:\WUTemp
Status: Could not get file information (Error 0xc0000008)



If I scan in RootRepeal under Drivers, I see many listings, but one is hidden and highlighted in red and does follow the naming pattern, being called C:\WINDOWS\system32\drivers\gaopdxwtnippyibgixetoiqnorswuhtpnieipx.sys

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/03/23 06:37
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 1394BUS.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\1394BUS.SYS
Address: 0xF8556000 Size: 57344 File Visible: -
Status: -

Name: Aavmker4.SYS
Image Path: C:\WINDOWS\System32\Drivers\Aavmker4.SYS
Address: 0xF8846000 Size: 19072 File Visible: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF84E7000 Size: 187776 File Visible: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2189184 File Visible: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xF5F53000 Size: 138496 File Visible: -
Status: -

Name: amdk7.sys
Image Path: C:\WINDOWS\System32\DRIVERS\amdk7.sys
Address: 0xF7EB8000 Size: 37760 File Visible: -
Status: -

Name: aswFsBlk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys
Address: 0xF88D6000 Size: 32768 File Visible: -
Status: -

Name: aswMon2.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswMon2.SYS
Address: 0xF421F000 Size: 87296 File Visible: -
Status: -

Name: aswRdr.sys
Image Path: C:\WINDOWS\system32\drivers\aswRdr.sys
Address: 0xF3F8C000 Size: 15136 File Visible: -
Status: -

Name: aswSP.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswSP.SYS
Address: 0xF5E49000 Size: 135168 File Visible: -
Status: -

Name: aswTdi.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswTdi.SYS
Address: 0xF86E6000 Size: 41664 File Visible: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF8479000 Size: 96512 File Visible: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\audstub.sys
Address: 0xF8C89000 Size: 3072 File Visible: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF8A70000 Size: 4224 File Visible: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF8946000 Size: 12288 File Visible: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF8796000 Size: 63744 File Visible: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Address: 0xF7E88000 Size: 62976 File Visible: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Address: 0xF8596000 Size: 53248 File Visible: -
Status: -

Name: ctac32k.sys
Image Path: C:\WINDOWS\System32\drivers\ctac32k.sys
Address: 0xF7914000 Size: 65632 File Visible: -
Status: -

Name: ctoss2k.sys
Image Path: C:\WINDOWS\system32\drivers\ctoss2k.sys
Address: 0xF795B000 Size: 96576 File Visible: -
Status: -

Name: ctprxy2k.sys
Image Path: C:\WINDOWS\System32\drivers\ctprxy2k.sys
Address: 0xF8A62000 Size: 5600 File Visible: -
Status: -

Name: ctsfm2k.sys
Image Path: C:\WINDOWS\System32\drivers\ctsfm2k.sys
Address: 0xF793D000 Size: 120288 File Visible: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF8586000 Size: 36352 File Visible: -
Status: -

Name: dmio.sys
Image Path: dmio.sys
Address: 0xF8491000 Size: 153344 File Visible: -
Status: -

Name: dmload.sys
Image Path: dmload.sys
Address: 0xF8A3C000 Size: 5888 File Visible: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF7EA8000 Size: 61440 File Visible: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF5E31000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8AAE000 Size: 8192 File Visible: No
Status: -

Name: dvd43llh.sys
Image Path: C:\WINDOWS\System32\DRIVERS\dvd43llh.sys
Address: 0xF8906000 Size: 18816 File Visible: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF5F08000 Size: 12288 File Visible: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF000000 Size: 73728 File Visible: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF8B5D000 Size: 4096 File Visible: -
Status: -

Name: e10kx2k.sys
Image Path: C:\WINDOWS\system32\drivers\e10kx2k.sys
Address: 0xF7997000 Size: 1122432 File Visible: -
Status: -

Name: emupia2k.sys
Image Path: C:\WINDOWS\System32\drivers\emupia2k.sys
Address: 0xF7925000 Size: 98080 File Visible: -
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xF344A000 Size: 143744 File Visible: -
Status: -

Name: fdc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\fdc.sys
Address: 0xF8926000 Size: 27392 File Visible: -
Status: -

Name: fetnd5bv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys
Address: 0xF8616000 Size: 42496 File Visible: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF8716000 Size: 44544 File Visible: -
Status: -

Name: flpydisk.sys
Image Path: C:\WINDOWS\System32\DRIVERS\flpydisk.sys
Address: 0xF880E000 Size: 20480 File Visible: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF842E000 Size: 129792 File Visible: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF8A6C000 Size: 7936 File Visible: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF84B7000 Size: 125056 File Visible: -
Status: -

Name: gameenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\gameenum.sys
Address: 0xF8A0E000 Size: 10624 File Visible: -
Status: -

Name: gaopdxwtnippyibgixetoiqnorswuhtpnieipx.sys
Image Path: C:\WINDOWS\system32\drivers\gaopdxwtnippyibgixetoiqnorswuhtpnieipx.sys
Address: 0xF6009000 Size: 94208 File Visible: -
Status: Hidden from Windows API!

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806EE000 Size: 81152 File Visible: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xF3974000 Size: 264832 File Visible: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Address: 0xF8636000 Size: 52480 File Visible: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xF7E98000 Size: 42112 File Visible: -
Status: -

Name: IntelS51.sys
Image Path: C:\WINDOWS\system32\DRIVERS\IntelS51.sys
Address: 0xF7ACD000 Size: 1861984 File Visible: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Address: 0xF5E6A000 Size: 152832 File Visible: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Address: 0xF5FF6000 Size: 75264 File Visible: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF8536000 Size: 37248 File Visible: -
Status: -

Name: iviaspi.sys
Image Path: C:\WINDOWS\system32\drivers\iviaspi.sys
Address: 0xF890E000 Size: 20992 File Visible: -
Status: -

Name: ivicd.sys
Image Path: ivicd.sys
Address: 0xF85E6000 Size: 39040 File Visible: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Address: 0xF8936000 Size: 24576 File Visible: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF8A36000 Size: 8192 File Visible: -
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xF2912000 Size: 172416 File Visible: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xF7AAA000 Size: 143360 File Visible: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF8405000 Size: 92288 File Visible: -
Status: -

Name: mbmiodrvr.sys
Image Path: C:\WINDOWS\system32\mbmiodrvr.sys
Address: 0xF8B20000 Size: 2944 File Visible: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF8A72000 Size: 4224 File Visible: -
Status: -

Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xF88FE000 Size: 30080 File Visible: -
Status: -

Name: MODEMCSA.sys
Image Path: C:\WINDOWS\system32\drivers\MODEMCSA.sys
Address: 0xF89C6000 Size: 16128 File Visible: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Address: 0xF892E000 Size: 23040 File Visible: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF8566000 Size: 42368 File Visible: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Address: 0xF403A000 Size: 180608 File Visible: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Address: 0xF5E90000 Size: 455296 File Visible: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF8826000 Size: 19072 File Visible: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Address: 0xF8676000 Size: 35072 File Visible: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Address: 0xF830D000 Size: 15488 File Visible: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF8331000 Size: 105344 File Visible: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF834B000 Size: 182656 File Visible: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Address: 0xF8A1E000 Size: 10112 File Visible: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
Address: 0xF4455000 Size: 14592 File Visible: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Address: 0xF78C5000 Size: 91520 File Visible: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF86B6000 Size: 40576 File Visible: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbios.sys
Address: 0xF86F6000 Size: 34688 File Visible: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbt.sys
Address: 0xF5F75000 Size: 162816 File Visible: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF882E000 Size: 30848 File Visible: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF8378000 Size: 574976 File Visible: -
Status: -

Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2189184 File Visible: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF8C86000 Size: 2944 File Visible: -
Status: -

Name: nv4_disp.dll
Image Path: C:\WINDOWS\System32\nv4_disp.dll
Address: 0xBF012000 Size: 4276224 File Visible: -
Status: -

Name: nv4_mini.sys
Image Path: C:\WINDOWS\System32\DRIVERS\nv4_mini.sys
Address: 0xF7CA8000 Size: 1897408 File Visible: -
Status: -

Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xF8546000 Size: 61696 File Visible: -
Status: -

Name: parport.sys
Image Path: C:\WINDOWS\System32\DRIVERS\parport.sys
Address: 0xF78DC000 Size: 80128 File Visible: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF87BE000 Size: 19712 File Visible: -
Status: -

Name: ParVdm.SYS
Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xF8A78000 Size: 6784 File Visible: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF84D6000 Size: 68224 File Visible: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Address: 0xF87B6000 Size: 28672 File Visible: -
Status: -

Name: Pcouffin.sys
Image Path: C:\WINDOWS\System32\Drivers\Pcouffin.sys
Address: 0xF8686000 Size: 47360 File Visible: -
Status: -

Name: PfModNT.sys
Image Path: C:\WINDOWS\system32\PfModNT.sys
Address: 0xF8A7C000 Size: 4352 File Visible: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2189184 File Visible: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xF7973000 Size: 147456 File Visible: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\System32\DRIVERS\psched.sys
Address: 0xF78B4000 Size: 69120 File Visible: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Address: 0xF87FE000 Size: 17792 File Visible: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xF85A6000 Size: 45184 File Visible: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Address: 0xF8A02000 Size: 8832 File Visible: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Address: 0xF8646000 Size: 51328 File Visible: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Address: 0xF8656000 Size: 41472 File Visible: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Address: 0xF8666000 Size: 48384 File Visible: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspti.sys
Address: 0xF8806000 Size: 16512 File Visible: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2189184 File Visible: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Address: 0xF5F28000 Size: 175744 File Visible: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF8A74000 Size: 4224 File Visible: -
Status: -

Name: rdpdr.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rdpdr.sys
Address: 0xF7884000 Size: 196224 File Visible: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\System32\DRIVERS\redbook.sys
Address: 0xF7E78000 Size: 57600 File Visible: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF36CC000 Size: 45056 File Visible: No
Status: -

Name: SCSIPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS
Address: 0xF844E000 Size: 98304 File Visible: -
Status: -

Name: secdrv.sys
Image Path: C:\WINDOWS\System32\DRIVERS\secdrv.sys
Address: 0xF426D000 Size: 40960 File Visible: -
Status: -

Name: serenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\serenum.sys
Address: 0xF8A1A000 Size: 15744 File Visible: -
Status: -

Name: serial.sys
Image Path: C:\WINDOWS\System32\DRIVERS\serial.sys
Address: 0xF8626000 Size: 64512 File Visible: -
Status: -

Name: sfdrv01.sys
Image Path: sfdrv01.sys
Address: 0xF85D6000 Size: 65536 File Visible: -
Status: -

Name: sfhlp02.sys
Image Path: sfhlp02.sys
Address: 0xF87D6000 Size: 32768 File Visible: -
Status: -

Name: sfsync02.sys
Image Path: sfsync02.sys
Address: 0xF87C6000 Size: 20544 File Visible: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF841C000 Size: 73472 File Visible: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\System32\DRIVERS\srv.sys
Address: 0xF3FC0000 Size: 333952 File Visible: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\swenum.sys
Address: 0xF8A64000 Size: 4352 File Visible: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xF4515000 Size: 60800 File Visible: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Address: 0xF5F9D000 Size: 361600 File Visible: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Address: 0xF893E000 Size: 20480 File Visible: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\termdd.sys
Address: 0xF8696000 Size: 40704 File Visible: -
Status: -

Name: uagp35.sys
Image Path: uagp35.sys
Address: 0xF85C6000 Size: 44672 File Visible: -
Status: -

Name: udffsrec.sys
Image Path: C:\WINDOWS\system32\drivers\udffsrec.sys
Address: 0xF8A6E000 Size: 4992 File Visible: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\System32\DRIVERS\update.sys
Address: 0xF77E0000 Size: 384768 File Visible: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBD.SYS
Address: 0xF8A6A000 Size: 8192 File Visible: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF891E000 Size: 30208 File Visible: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Address: 0xF86C6000 Size: 59520 File Visible: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Address: 0xF78F0000 Size: 147456 File Visible: -
Status: -

Name: usbprint.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbprint.sys
Address: 0xF883E000 Size: 25856 File Visible: -
Status: -

Name: USBSTOR.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Address: 0xF34D9000 Size: 26368 File Visible: -
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Address: 0xF8916000 Size: 20608 File Visible: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF881E000 Size: 20992 File Visible: -
Status: -

Name: viaagp.sys
Image Path: viaagp.sys
Address: 0xF85B6000 Size: 42240 File Visible: -
Status: -

Name: viaagp1.sys
Image Path: viaagp1.sys
Address: 0xF87CE000 Size: 27904 File Visible: -
Status: -

Name: viaide.sys
Image Path: viaide.sys
Address: 0xF8A3A000 Size: 5376 File Visible: -
Status: -

Name: viasraid.sys
Image Path: viasraid.sys
Address: 0xF8466000 Size: 77056 File Visible: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS
Address: 0xF7C94000 Size: 81920 File Visible: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF8576000 Size: 52352 File Visible: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Address: 0xF8726000 Size: 34560 File Visible: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF88B6000 Size: 20480 File Visible: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xF3E93000 Size: 83072 File Visible: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\WMILIB.SYS
Address: 0xF8A38000 Size: 8192 File Visible: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2189184 File Visible: -
Status: -


If I run scans in RootRepeal under SSDT or Hidden Services, the program crashes.

I right-clicked the hidden driver found by RootRepeal and chose Wipe, and received an error stating "could not find file on disk".

What can anyone suggest as a next action? Thanks for any help in advance!

DDS scan follows




DDS (Ver_09-03-16.01) - NTFSx86
Run by Travis at 6:05:30.80 on Mon 03/23/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.228 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090321-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Orb Networks\Orb\bin\Orb.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Travis.TEMP-GR0GG2J34A\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Jet Detection] c:\program files\creative\sbaudigy\program\ADGJDet.exe
uRun: [Octoshape Streaming Services] "c:\program files\octoshape streaming services\travis\OctoshapeClient.exe" -inv:bootrun
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Orb] c:\program files\orb networks\orb\bin\OrbTray.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [UpdReg] c:\windows\Updreg.exe
mRun: [WinampAgent] "c:\program files\winamp\Winampa.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [LXBSCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXBStime.dll,_RunDLLEntry@16
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\travis~1.tem\startm~1\programs\startup\avvenu~1.lnk - c:\program files\avvenu\agent.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
Trusted Zone: sidestep.com\www
Trusted Zone: turbotax.com
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104262192453
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.86,85.255.112.8
TCP: {BCF15AF8-89F9-4FCC-AB97-40D8E7E25BDE} = 85.255.112.86,85.255.112.8
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} -
Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} -
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\travis~1.tem\applic~1\mozilla\firefox\profiles\z18bzl3h.everyone\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============

R0 ivicd;Ivi CDVD Filter Driver;c:\windows\system32\drivers\ivicd.sys [2010-2-12 39040]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2005-9-22 77056]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-14 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-14 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2004-12-28 138680]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2004-12-28 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2005-3-3 352920]
R3 emu10kx;Creative EMU10K1/EMU10K2 Audio Driver (WDM);c:\windows\system32\drivers\e10kx2k.sys [2004-12-29 1758336]
S3 iviudf;iviudf;c:\windows\system32\drivers\IviUdf.sys [2010-2-12 104832]
S3 USB-100;Linksys EtherFast 10/100 Compact USB Network Adapter;c:\windows\system32\drivers\USB100M.SYS [2004-12-30 27519]

=============== Created Last 30 ================

2009-03-08 14:14 <DIR> --d----- c:\program files\common files\AnswerWorks 5.0
2009-03-07 18:34 <DIR> --d----- c:\program files\QuickTax 2008

==================== Find3M ====================

2009-02-28 00:01 6 a------- c:\windows\fonts\wfonts.key
2009-02-14 12:00 95 a------- c:\documents and settings\travis.temp-gr0gg2j34a\pacman.dat
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-11-19 23:06 87,608 a------- c:\docume~1\travis~1.tem\applic~1\inst.exe
2008-11-19 23:06 47,360 a------- c:\docume~1\travis~1.tem\applic~1\pcouffin.sys
2006-12-16 20:47 36,339 a------- c:\program files\INSTALL.LOG
2006-12-16 20:47 72 a------- c:\program files\UNWISE.INI
2004-03-11 14:27 40,960 a------- c:\program files\Uninstall_CDS.exe
1999-06-25 11:55 149,504 a------- c:\program files\UNWISE.EXE
2008-09-08 07:24 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090820080909\index.dat

============= FINISH: 6:06:29.37 ===============



#2 Alpha King

Alpha King
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:04 PM

Posted 24 March 2009 - 09:16 AM

I apologize but I had to move forward on my problem as my family was without a functioning computer that they rely on for schooling. I realize it would have been preferred for me to wait for the input.

I will provide a summary to help others (in particular the techs) and hope someone can direct me to the best place to fix a few of the odd remaining “quirks” from this infection.

I searched further on the “Gaopdx” worm and found discussion of using MBAM and then ComboFix. I downloaded both to my laptop through the same router my desktop is connected to (as the desktop connection was still dead to the same router). I used a thumb drive to move the files to the desktop and tried to install MBAM. MBAM “installed” but I could not load it. I followed each recommendation systematically that I found here http://www.bleepingcomputer.com/forums/lof...hp/t205093.html (see Feb 20 2009, 08:49 PM post).

None of the suggestions to run MBAM (changing extensions and not using the mouse) worked.

I then installed ComboFix. It asked me to install Windows Recovery Console but as a result of the infection the connection was down and this was not possible. I went ahead and ran ComboFix.

ComboFix found and removed quite a few types of Gaopdx and after a couple of restarts during the running of ComboFix the computer is running fine now.

I then ran MBAM short scan and long scan and the computer came up clean in both cases.

The only scars left from the Gaopdx worm are that Windows Firewall is always off when the computer reboots. I can select and enable it manually but it will be shut down after the next reboot. The other change is Firefox is now identified to only start in safe mode. Internet Explorer is now identified as the main web browser.

I hope this summary is of some help to people and let me know if you would like to see the ComboFix logs posted to this thread.

Thanks again.

#3 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:03:04 PM

Posted 30 March 2009 - 02:50 PM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Please post the contents of log.txt.
Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
  • Reply to this thread; do not start another!
  • Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  • Do not run any other tool until instructed to do so!
  • Let me know if any of the links do not work or if any of the tools do not work.
  • Tell me about problems or symptoms that occur during the fix.
  • Do not run any other programs or open any other windows while doing a fix.
  • Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#4 Alpha King

Alpha King
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:04 PM

Posted 01 April 2009 - 08:53 PM

Thanks for taking the time to look at my problem.

First I might owe Avast an apology. When the worm was seen by the program, if you choose the more information button, it brings you to their website and instructs the following:

The rootkit is detected as Win32:FaRoot [Rtk] and avast! is able to remove it through a boot-time scan. To get rid of this infection, update your VPS to the latest version and schedule a boot-time scan. Then move all related files to the virus chest.

I did not see or do this and the question will remain if this would have corrected the problems to begin with.

I did have some weirdness left over from the infection that has cleared up, but I have been cleaning up with quite a few programs and have not been scientific, so I am unsure which one did the job. The two in particular are Malwarebytes (now that I can run it) and TuneUp Utilities 2009.

I would welcome you to take a look at the log as requested and let me know if you see anything remaining that concerns you.

Thanks in advance!

Logfile of random's system information tool 1.06 (written by random/random)
Run by Travis at 2009-04-01 06:43:32
Microsoft Windows XP Professional Service Pack 3
System drive C: has 62 GB (65%) free of 95 GB
Total RAM: 511 MB (14% free)

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:43:58 AM, on 4/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Orb Networks\Orb\bin\Orb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Travis.TEMP-GR0GG2J34A\Desktop\RSIT.exe
C:\Program Files\trend micro\Travis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orb] C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104262192453
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll (file missing)
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--
End of file - 5698 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\SyncBack BKUP.job
C:\WINDOWS\tasks\Virus Scan.job
C:\WINDOWS\tasks\WGASetup.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 440056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-03-08 251504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll [2009-03-08 657904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll [2009-03-08 522224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-03-08 251504]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-02-05 81000]
"WinampAgent"=C:\Program Files\Winamp\Winampa.exe [2006-06-21 35328]
"LXBSCATS"=rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16 []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Jet Detection"=C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe [2001-04-20 28672]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"Orb"=C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe [2008-05-13 507904]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-03-08 39408]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
C:\Program Files\dvd43\dvd43_tray.exe [2006-05-22 694272]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2005-08-25 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-06 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\QuickTime\QuickTimePlayer.exe"="C:\Program Files\QuickTime\QuickTimePlayer.exe:*:Disabled:QuickTime Player"
"C:\Program Files\CC3 Valley of Tears\CC3VoT.exe"="C:\Program Files\CC3 Valley of Tears\CC3VoT.exe:*:Enabled:Microsoft® Close Combat™III: The Russian Front"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Orb Networks\Orb\bin\Orb.exe"="C:\Program Files\Orb Networks\Orb\bin\Orb.exe:*:Enabled:Orb"
"C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe"="C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe:*:Enabled:OrbTray"
"C:\Program Files\Orb Networks\Orb\bin\OrbStreamerClient.exe"="C:\Program Files\Orb Networks\Orb\bin\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\Program Files\Orb Networks\Orb\bin\xmltv.exe"="C:\Program Files\Orb Networks\Orb\bin\xmltv.exe:*:Enabled:OrbTVGuide"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2010-12-31 16:16:51 ----D---- C:\Documents and Settings\Travis.TEMP-GR0GG2J34A\Application Data\Adobe
2010-12-31 16:13:51 ----D---- C:\Program Files\Common Files\Vbox
2010-12-31 16:13:44 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Adobe
2010-02-12 16:55:53 ----A---- C:\WINDOWS\uneng.exe
2009-04-01 06:43:34 ----D---- C:\Program Files\trend micro
2009-04-01 06:43:32 ----D---- C:\rsit
2009-03-31 19:53:51 ----D---- C:\WINDOWS\system32\KB905474
2009-03-30 19:25:34 ----A---- C:\WINDOWS\system32\TUProgSt.exe
2009-03-30 19:25:31 ----A---- C:\WINDOWS\system32\uxtuneup.dll
2009-03-30 19:25:29 ----A---- C:\WINDOWS\system32\TuneUpDefragService.exe
2009-03-30 19:25:23 ----D---- C:\Documents and Settings\Travis.TEMP-GR0GG2J34A\Application Data\TuneUp Software
2009-03-30 19:24:35 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\TuneUp Software
2009-03-30 19:24:33 ----D---- C:\Program Files\TuneUp Utilities 2009
2009-03-30 19:23:18 ----SHD---- C:\Documents and Settings\All Users.WINDOWS\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-03-24 22:03:42 ----SHD---- C:\RECYCLER
2009-03-23 22:03:19 ----D---- C:\Documents and Settings\Travis.TEMP-GR0GG2J34A\Application Data\Malwarebytes
2009-03-23 21:49:56 ----A---- C:\ComboFix.txt
2009-03-23 21:35:38 ----A---- C:\WINDOWS\zip.exe
2009-03-23 21:35:38 ----A---- C:\WINDOWS\VFIND.exe
2009-03-23 21:35:38 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-03-23 21:35:38 ----A---- C:\WINDOWS\SWSC.exe
2009-03-23 21:35:38 ----A---- C:\WINDOWS\SWREG.exe
2009-03-23 21:35:38 ----A---- C:\WINDOWS\sed.exe
2009-03-23 21:35:38 ----A---- C:\WINDOWS\NIRCMD.exe
2009-03-23 21:35:38 ----A---- C:\WINDOWS\grep.exe
2009-03-23 21:35:38 ----A---- C:\WINDOWS\fdsv.exe
2009-03-23 21:35:18 ----D---- C:\ComboFix
2009-03-23 21:33:54 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-03-23 21:33:54 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-03-23 20:54:20 ----D---- C:\WINDOWS\ERDNT
2009-03-23 20:53:49 ----AD---- C:\Qoobox
2009-03-23 18:00:43 ----D---- C:\WINDOWS\system32\LogFiles
2009-03-23 05:05:42 ----D---- C:\Documents and Settings\Travis.TEMP-GR0GG2J34A\Application Data\WinRAR
2009-03-23 05:05:27 ----D---- C:\Program Files\WinRAR
2009-03-11 10:01:23 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-03-11 10:01:07 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-03-08 14:14:07 ----D---- C:\Program Files\Common Files\AnswerWorks 5.0
2009-03-07 18:34:44 ----D---- C:\Program Files\QuickTax 2008

======List of files/folders modified in the last 1 months======

2010-12-31 16:13:44 ----A---- C:\WINDOWS\ODBCINST.INI
2010-02-12 16:41:48 ----D---- C:\Program Files\InterVideo
2009-04-01 06:43:38 ----D---- C:\WINDOWS\Temp
2009-04-01 06:43:37 ----D---- C:\WINDOWS\Prefetch
2009-04-01 06:43:34 ----D---- C:\Program Files
2009-04-01 06:42:03 ----D---- C:\Program Files\Mozilla Firefox
2009-04-01 06:13:17 ----AH---- C:\WINDOWS\system32\FFASTLOG.TXT
2009-04-01 06:00:43 ----SD---- C:\WINDOWS\Tasks
2009-03-31 22:01:17 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-03-31 20:25:28 ----D---- C:\Program Files\Lx_cats
2009-03-31 19:53:51 ----D---- C:\WINDOWS\system32
2009-03-30 21:21:22 ----AD---- C:\WINDOWS
2009-03-30 19:45:26 ----D---- C:\WINDOWS\system32\CatRoot2
2009-03-30 19:41:57 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-03-30 19:41:53 ----D---- C:\WINDOWS\system32\inetsrv
2009-03-30 19:25:36 ----SHD---- C:\WINDOWS\Installer
2009-03-30 19:25:34 ----D---- C:\WINDOWS\system32\config
2009-03-29 08:27:50 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-03-29 08:27:50 ----D---- C:\WINDOWS\system32\drivers
2009-03-29 08:27:49 ----HD---- C:\WINDOWS\inf
2009-03-23 22:01:18 ----D---- C:\Documents and Settings\Travis.TEMP-GR0GG2J34A\Application Data\Google
2009-03-23 21:47:54 ----A---- C:\WINDOWS\system.ini
2009-03-23 21:45:58 ----D---- C:\WINDOWS\AppPatch
2009-03-23 21:45:51 ----D---- C:\Program Files\Common Files
2009-03-11 10:01:27 ----A---- C:\WINDOWS\imsins.BAK
2009-03-11 10:01:25 ----DC---- C:\WINDOWS\system32\dllcache
2009-03-11 08:41:54 ----HD---- C:\WINDOWS\$hf_mig$
2009-03-09 10:02:24 ----D---- C:\WINDOWS\system32\CatRoot
2009-03-08 15:21:41 ----D---- C:\WINDOWS\WinSxS
2009-03-08 15:19:54 ----RSD---- C:\WINDOWS\assembly
2009-03-08 15:19:42 ----D---- C:\Program Files\Common Files\Intuit
2009-03-08 14:11:07 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Intuit
2009-03-08 14:10:29 ----RSD---- C:\WINDOWS\Fonts
2009-03-08 14:07:27 ----D---- C:\Program Files\TurboTax
2009-03-08 12:18:47 ----D---- C:\Program Files\Google
2009-03-08 12:17:07 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Google
2009-03-07 18:35:16 ----D---- C:\Documents and Settings\Travis.TEMP-GR0GG2J34A\Application Data\Intuit Canada
2009-03-07 18:33:52 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Intuit Canada

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2009-02-05 26944]
R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2008-04-13 37760]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2009-02-05 114768]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2009-02-05 51376]
R1 mbmiodrvr;mbmiodrvr; \??\C:\WINDOWS\system32\mbmiodrvr.sys []
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2009-02-05 94032]
R2 PfModNT;PfModNT; \??\C:\WINDOWS\system32\PfModNT.sys []
R3 aswRdr;aswRdr; \??\C:\WINDOWS\system32\drivers\aswRdr.sys []
R3 ctac32k;Creative AC3 Software Decoder; C:\WINDOWS\System32\drivers\ctac32k.sys [2001-11-01 110168]
R3 ctprxy2k;Creative Proxy Driver; C:\WINDOWS\System32\drivers\ctprxy2k.sys [2001-09-11 11036]
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\System32\drivers\ctsfm2k.sys [2001-10-18 207572]
R3 dvd43llh;dvd43llh; C:\WINDOWS\System32\DRIVERS\dvd43llh.sys [2006-10-22 18816]
R3 emu10kx;Creative EMU10K1/EMU10K2 Audio Driver (WDM); C:\WINDOWS\system32\drivers\e10kx2k.sys [2001-11-05 1758336]
R3 emupia;E-mu Plug-in Architecture Driver; C:\WINDOWS\System32\drivers\emupia2k.sys [2001-09-11 154284]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-12-04 43520]
R3 IntelS51;Intel® 536EP Modem; C:\WINDOWS\system32\DRIVERS\IntelS51.sys [2004-12-10 1903338]
R3 Iviaspi;IVI ASPI Shell; C:\WINDOWS\system32\drivers\iviaspi.sys [2003-09-11 21060]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2004-08-04 1897408]
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\drivers\ctoss2k.sys [2001-09-11 186944]
R3 Pcouffin;VSO Software pcouffin; C:\WINDOWS\System32\Drivers\Pcouffin.sys [2008-11-19 47360]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver; C:\WINDOWS\System32\DRIVERS\FA312nd5.sys [2001-08-17 16074]
S3 FETND5BV;VIA Rhine-Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-12-04 43520]
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\fetnd5.sys [2001-08-17 27165]
S3 FETNDISB;D-Link DFE-530TX PCI Fast Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\dlkfet5b.sys [2003-01-15 41984]
S3 hidgame;Microsoft Hid to Joystick Port Enabler; C:\WINDOWS\system32\DRIVERS\hidgame.sys [2001-08-17 8576]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 iviudf;iviudf; C:\WINDOWS\system32\drivers\IviUdf.sys [2004-10-13 104832]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 msgame;Sidewinder HID to Joystick Port Enabler; C:\WINDOWS\system32\DRIVERS\msgame.sys [2001-08-17 35200]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 USB-100;Linksys EtherFast 10/100 Compact USB Network Adapter; C:\WINDOWS\system32\DRIVERS\USB100M.SYS [2001-09-13 27519]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2005-01-28 18944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-02-05 18752]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-02-05 138680]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2005-10-22 69632]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service; C:\WINDOWS\System32\TUProgSt.exe [2009-03-30 603904]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R2 UxTuneUp;TuneUp Theme Extension; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-02-05 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-02-05 352920]
S1 udffsrec;udffsrec; C:\WINDOWS\system32\drivers\udffsrec.sys [2004-09-29 4992]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-08 137200]
S3 lxbs_device;lxbs_device; C:\WINDOWS\system32\lxbscoms.exe [2004-02-20 421888]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service; C:\WINDOWS\System32\TuneUpDefragService.exe [2009-03-30 360192]
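The RSIT log above mixes two things a helper reads by hand: HijackThis-style entries (the `Rn`/`On` lines, some marked `(file missing)`) and a registry dump that includes the `NoDriveTypeAutoRun` policy value (`323` under HKCU, blank under HKLM). As an added example, not code from this thread or from the RSIT/HijackThis tools, the script below parses a constructed sample of those entry lines, lists the entries whose target file was reported missing, and decodes the autorun policy value into the drive types for which AutoRun is still enabled. The bit layout is the documented one (bit n of `NoDriveTypeAutoRun` corresponds to drive type n as returned by `GetDriveType`; a set bit disables AutoRun for that type); the sample lines and the helper names (`parse_hjt`, `find_missing`, `autorun_enabled_types`) are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on a few lines of the HijackThis log posted
# above (not the complete log). Paths are kept as they appear in that format.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Orb] C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll (file missing)
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

MISSING_MARK = "(file missing)"
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


@dataclass
class HjtEntry:
    section: str   # "R0", "O2", "O4", "O18", "O23", ...
    raw: str       # the original log line
    path: str      # file path / command / URL the entry points at
    missing: bool  # HijackThis could not find the target file on disk


def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse HijackThis-style 'Rn - ...' / 'On - ...' lines into records."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, process list, blank lines
        section, body = m.group("section"), m.group("body")
        missing = body.endswith(MISSING_MARK)
        if missing:
            body = body[: -len(MISSING_MARK)].rstrip()
        if section == "O4":
            m4 = O4_RE.search(body)          # "[name] command line"
            path = m4.group("cmd") if m4 else body
        elif section.startswith("R"):
            path = body.split(" = ", 1)[-1]  # "key,value = URL"
        else:
            # O2/O3/O9/O18/O23: "label - {CLSID} - vendor - path"; path is last
            path = body.rsplit(" - ", 1)[-1]
        entries.append(HjtEntry(section, line, path.strip(), missing))
    return entries


def find_missing(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Entries whose target file HijackThis reported as missing."""
    return [e for e in entries if e.missing]


# Bit positions of NoDriveTypeAutoRun follow the GetDriveType() drive-type
# codes (bit n = drive type n). A set bit disables AutoRun for that type;
# 0xFF disables it for every type.
NODRIVETYPE_BITS = [
    (0x01, "DRIVE_UNKNOWN"),
    (0x02, "DRIVE_NO_ROOT_DIR"),
    (0x04, "DRIVE_REMOVABLE"),
    (0x08, "DRIVE_FIXED"),
    (0x10, "DRIVE_REMOTE"),
    (0x20, "DRIVE_CDROM"),
    (0x40, "DRIVE_RAMDISK"),
    (0x80, "DRIVE_RESERVED_0x80"),
]
POLICY_RE = re.compile(r'"NoDriveTypeAutoRun"=(?P<val>\d*)')


def parse_policy_value(line: str) -> Optional[int]:
    """Read the decimal value RSIT prints for NoDriveTypeAutoRun; None if unset."""
    m = POLICY_RE.search(line)
    if not m or m.group("val") == "":
        return None
    return int(m.group("val"))


def autorun_enabled_types(value: int) -> List[str]:
    """Drive types for which AutoRun is still enabled under this policy value."""
    return [name for bit, name in NODRIVETYPE_BITS if not value & bit]


if __name__ == "__main__":
    for e in find_missing(parse_hjt(SAMPLE_HJT_LOG)):
        print(f"{e.section}: missing target {e.path}")
    # 323 is the HKCU value shown in the registry dump above.
    value = parse_policy_value('"NoDriveTypeAutoRun"=323')
    if value is not None:
        for t in autorun_enabled_types(value):
            print("AutoRun still enabled for", t)
```

Run against the value from the dump, the decoder shows that 323 (0x143) leaves AutoRun enabled for removable, fixed and network drives and CD-ROMs, which is consistent with an autorun.inf being honoured on internal drives; the HKLM policy entries in the same dump are blank, so nothing at machine level overrides that. A fully hardened value is 0xFF (255) under HKLM, with HonorAutoRunSetting set as the linked Microsoft guidance describes.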

#5 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:03:04 PM

Posted 04 April 2009 - 01:30 PM

The rootkit is detected as Win32:FaRoot [Rtk] and avast!....

Since Avast detected a rootkit, I think you should read this warning.

IMPORTANT NOTE: Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your computer has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed, the computer is secure. In some instances, an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Some infections are difficult to remove completely because of their morphing characteristics which allows the malware to regenerate itself. Sometimes there is another hidden piece of malware which has not been detected by your security tools that protects malicious files and registry keys (which have been detected) so they cannot be permanently deleted. The malware may leave so many remnants behind that security tools cannot find them. Most experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
When should I re-format? How should I reinstall?
Help: I Got Hacked. Now What Do I Do?
Where to draw the line? When to recommend a format and reinstall?

I strongly recommend that you reformat your computer. Even if we were able to clean the computer of some of the infections, your computer is not trustworthy and the removal of all affected files may not be successful. Tell me what you want to do.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#6 Alpha King

Alpha King
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:04 PM

Posted 08 April 2009 - 08:22 PM

Thank you so much for your time. I was thinking everything was cleaned up and then on the scheduled weekly Sunday scan (I had manually full scanned many times that week but normally only full scan on Sundays) Avast found the following:
April 5 2009
C:\System Volume Information\_restore{4EEB3AC6-CDAD-41E6-AFC2-A8BBAC82875F}\RP1650\A0152918.sys

Win32:Alureon-G [Rtk]

This was a surprise and worrying as Alureon had not been found earlier. This time I followed Avast's instructions and scheduled a "Boot time scan". I rebooted the computer and Avast reported the rootkit cleaned. I did a full MBAM scan (after updating MBAM) and all came up clean. I have been running daily Avast scans since and nothing showed up again.

I have read through all the links you have provided and really appreciate the information included. I am torn because I have only done one re-install on this computer and it took me days (I'm resourceful but no computer pro). I do have most/all the install disks. It is our home computer; other than doing taxes and online banking we don't do much else sensitive on it. I also noted this from the links you provided:

If the backdoor merely opens a port to listen and the computer was behind a working firewall or NAT router, then the risk of the backdoor being used is greatly reduced. Therefore there is probably a much lower risk if re-formatting and re-installing is not done.

In this case Windows Firewall was installed and I simply had to manually activate it during the infection (which I always did), and the computer was behind a router.

Reading the above and looking at the scan (I can provide an update if you choose), would you still recommend a reinstall?

Thanks again for your help and time. I really appreciate it.

#7 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:03:04 PM

Posted 12 April 2009 - 01:53 PM

The problem is that you cannot tell which files have been infected/corrupted. Reformatting would be your best choice. You need a firewall in addition to the Windows Firewall. Does your router have a firewall?

#8 Alpha King

Alpha King
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:04 PM

Posted 13 April 2009 - 01:18 PM

The Router is a Belkin F5D8233-4v3 N-Router.

This Router was operational and "Enable Firewall" was checked during the whole occurrence. Under Firewall it reads the following.


Firewall >

Your Router is equipped with a firewall that will protect your network from a wide array of common hacker attacks including Ping of Death (PoD) and Denial of Service (DoS) attacks. You can turn the firewall function off if needed. Turning off the firewall protection will not leave your network completely vulnerable to hacker attacks, but it is recommended that you turn the firewall on whenever possible.

Firewall Enable / Disable > Enable Disable

Thanks again.

#9 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:03:04 PM

Posted 19 April 2009 - 06:41 PM

It is your decision to reformat or not. I recommend reformat.

#10 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:03:04 PM

Posted 20 April 2009 - 12:11 PM

I was diagnosed Friday with Trigger thumb which is a condition in which my thumb catches in a bent position. My thumb straightens with a snap — like a trigger being pulled and released. It can cause my finger to become locked in a bent position. It is very painful. I am wearing a brace on my left hand.

I can still type and plan to continue working your log. Please be patient as it does slow me down.

#11 Alpha King

Alpha King
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:04 PM

Posted 23 April 2009 - 06:35 PM

Ouch, hope you are improving with every day. Sorry for the late reply. I have been traveling and just returned. I am currently preparing for a large exam in June and all my free time is dedicated to this. I will pick up on reformatting the drive then.

Thanks again for all your help!
Regards.

#12 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:03:04 PM

Posted 24 April 2009 - 05:45 PM

Good luck on your exam in June. Hope you do great!


Tips To Protect Your Computer
  • Avoid clicking on links in instant messages.
  • Avoid opening email attachments.
  • Avoid visiting every poker site on the net.
  • Avoid downloading all that free cute junk.
  • Avoid using the peer-to-peer file sharing.
  • Avoid getting those handy toolbar doodads for your browsers.
  • Malware is out there just waiting to pounce on your system if you only pass by where they are lurking which may be at some seemingly innocent web site. Be careful because some of the malware are so vicious that no one can possibly save you once you let them in.
  • Remember that new malware emerges every week of the year. Take responsibility for protecting your system because you are its first and best defense.
Please take the time to read the "Steps To Keep Your Computer Clean And Secure" below.

STEPS TO KEEP YOUR COMPUTER CLEAN AND SECURE:

Please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. After cleaning, you will need to disable the System Restore function For Windows XP.
    Files placed in the System volume information folder are source files for the System Restore function that is available in Windows XP operating system. Files that were healed were moved in their original INFECTED state into this folder and it is necessary to DELETE them by following these steps:
    • Close all open programs. Then right-click My Computer on the Windows desktop.
    • Click on Properties.
    • Click on the System Restore tab.
    • Check Turn off System Restore on all drives.
    • Restart the system.
    • Enable System Restore by going through the first four steps again and uncheck the item mentioned in Step d.
    • You can find instructions on how to disable and enable system restore in the Windows XP System Restore Guide.
  • Make your Internet Explorer more secure: This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it asks you if you want to save the settings, press the Yes button.
    • Click Apply > OK button and then the OK to exit the Internet Properties page.
  • Use a Firewall: - I cannot stress how important it is that you use a Firewall on your computer.  Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below:
    Computer Safety On line - Software Firewalls. For more information about firewalls, and why a two-way firewall is better than the Windows XP one-way firewall, please read Understanding and Using Firewalls.
  • Use An Antivirus Software and Keep It Updated: - It is very important that your computer has an antivirus software running on your machine.  This alone can save you a lot of trouble with malware in the future.  It is imperative that you update your antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out. For an article on antivirus programs and a listing of some available ones see the link below:
    Computer Safety On line - Anti-Virus
  • Visit Microsoft's Windows Update Site Frequently: It is important that you visit Microsoft Windows Update regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • You should scan your computer with Spybot S&D on a regular basis just as you would an anti-virus software. A tutorial on installing & using this product can be found here:
    Using Spybot - Search & Destroy to remove Spyware from Your Computer
  • You should scan your computer with Ad-Aware 2007/2008 as well as Spybot S&D and your anti-virus program on a regular basis. A tutorial on installing & using this product can be found here:
    Ad-Aware 2008.
  • Update SpywareBlaster (at least weekly): SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line Anti Malware
  • Use the hosts file: Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download the MVPS hosts file. Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE. If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    • Click the start button on the task bar at the bottom of your screen
    • Click run
    • In the dialog box, type services.msc
    • hit enter, then locate dns client
    • Highlight it, then doubleclick it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click OK.
  • Use an alternative instant messenger program: Trillian and Miranda IM. These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • Please read Tony Klein's excellent article: How I got Infected in the First Place
  • Please read Understanding Spyware, Browser Hijackers, and Dialers
  • Please read Simple and easy ways to keep your computer safe and secure on the Internet.
  • If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built in popup blocker (as an added benefit!) that I have ever seen.
    Another good browser is Opera. Opera 9 comes loaded with the tools to keep you productive and safe. Try it today, it's absolutely free. Some of the Opera features are: Customization, BitTorrent, Content blocker, Add your favorite search engines, Thumbnail preview of tabs, Widgets, Transfer manager, Tabbed browsing, Password manager, Sessions (You can save a collection of open tabs as a session, for later retrieval, or start with the pages you had open when Opera was last closed.), Keyboard Shortcuts, Cookie control, a multitude of languages, Validate code, Toggle graphics and style sheets, and Special features such as Full-screen mode, Kiosk mode.
  • Update all these programs regularly: Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
  • If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back.
Follow these steps and your potential for being infected again will reduce dramatically.
Good luck!

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
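The "Use the hosts file" step above relies on a simple mechanism: a name listed in the hosts file resolves to the address on that line before DNS is ever consulted, so pointing a name at a sinkhole address blocks it. The following is an added example, not code from the thread or from the MVPS project, that parses a hosts file in that style, answers whether a given hostname is blocked, and reports duplicate lines. The sample hosts content is constructed for the example; the lookup is case-insensitive because Windows host matching is, and both 0.0.0.0 and 127.0.0.1 are treated as sinkholes since block lists have used either.

```python
"""Hosts-file blocking check (added example; sample data is constructed)."""
import ipaddress
from collections import defaultdict

# Constructed sample in the layout a blocking hosts file uses: one address, one or
# more names, optional '#' comment. Not the real MVPS list.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1 localhost
::1 localhost
0.0.0.0 ads.example.net          # banner ads
0.0.0.0 tracker.example.org
0.0.0.0 tracker.example.org      # duplicate line, harmless but bloats the file
127.0.0.1 malware-download.example.com
0.0.0.0   mixed.Case.Example.com
this is not a valid line
"""

# Addresses that block a name rather than resolve it anywhere useful.
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Names that legitimately map to loopback and must not be reported as "blocked".
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return {hostname_lowercase: [address, ...]} for every well-formed line.

    Comments are stripped, malformed lines are skipped (the resolver ignores
    them as well), and every address is normalised through the ipaddress module
    so that, for example, '0.0.0.0' and '::' compare reliably.
    """
    mapping = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            address = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # first token is not an IP address: not a hosts entry
        for host in parts[1:]:
            mapping[host.lower().rstrip(".")].append(address)
    return dict(mapping)


def is_blocked(mapping, hostname):
    """True when the hosts file sends hostname only to sinkhole addresses."""
    name = hostname.lower().rstrip(".")
    if name in LOCAL_NAMES:
        return False
    addresses = mapping.get(name)
    return bool(addresses) and all(a in SINKHOLE_IPS for a in addresses)


def find_duplicates(mapping):
    """Hostnames listed more than once with the same address."""
    return sorted(h for h, addrs in mapping.items() if len(addrs) != len(set(addrs)))


def summarize(text):
    """Parse hosts text and report entry count, blocked names and duplicates."""
    mapping = parse_hosts(text)
    blocked = sorted(h for h in mapping if is_blocked(mapping, h))
    return {
        "entries": len(mapping),
        "blocked": blocked,
        "duplicates": find_duplicates(mapping),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_HOSTS)
    print(f"{report['entries']} names, {len(report['blocked'])} blocked")
    for name in report["blocked"]:
        print("  blocked:", name)
    if report["duplicates"]:
        print("duplicate lines for:", ", ".join(report["duplicates"]))
```

To check a real file, read `C:\Windows\System32\drivers\etc\hosts` and pass its contents to `summarize`. The entry count it reports is also a rough guide to the slowdown the step above mentions: the DNS Client service caches the whole file, which is why the thread recommends setting that service to Manual when a large blocking list is installed.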