
DDS Log - Rootkit Virus?



#1 copystart


Posted 26 March 2009 - 09:31 PM

I can't turn Avast or other A/V stuff off, considering it disabled my access to it all. It says "this is not a valid win32 application" or something when I try to start them. HijackThis also gets messed up and won't let me run it. GMER had more results than what this log shows, but I was asked to post this one.

Here is the DDS log:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Kurt Scheuringer at 18:46:36.30 on Thu 03/26/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1567 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090325-0] *On-access scanning enabled* (Updated)
FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
D:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Documents and Settings\Kurt Scheuringer\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.eq2players.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=192.168.2.107:5190;https=192.168.2.107:5190
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: CPrintEnhancer Object: {ae84a6aa-a333-4b92-b276-c11e2212e4fe} - c:\program files\hp\smart web printing\SmartWebPrinting.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.4.2\gears.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [WhatPulse] c:\program files\whatpulse\WhatPulse.exe
uRun: [Google Update] "c:\documents and settings\kurt scheuringer\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [c:\program files\netmeter\netmeter.exe] c:\program files\netmeter\NetMeter.exe
mRun: [ASUS Probe] c:\program files\asus\probe\AsusProb.exe
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [RAMDef] c:\program files\ram def xt\ramdef.exe -tray
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.4.2\gears.dll
Trusted Zone: aol.com\free
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
TCP: {9E10EB17-960F-40D9-8525-3400AAEB551E} = 192.168.2.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kurtsc~1\applic~1\mozilla\firefox\profiles\4q5o762m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.eq2players.com
FF - component: c:\documents and settings\kurt scheuringer\application data\mozilla\firefox\profiles\4q5o762m.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\program files\google\google gears\firefox\components\gears.dll
FF - plugin: c:\documents and settings\kurt scheuringer\application data\mozilla\firefox\profiles\4q5o762m.default\extensions\{f8cc37c3-cbeb-4a00-8cbf-26a88693f0c5}\plugins\npagent.dll
FF - plugin: c:\documents and settings\kurt scheuringer\application data\mozilla\firefox\profiles\4q5o762m.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\kurt scheuringer\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\google\update\1.2.131.11\npGoogleOneClick5.dll
FF - plugin: c:\program files\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\windows\microsoft.net\framework\v3.5\wpf\NPWPF.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-2-29 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-2-29 55024]
R1 sK9Ou0s;sK9Ou0s;c:\documents and settings\kurt scheuringer\application data\drivers\srosa2.sys [2009-3-26 7168]
S0 MFX;MFX; [x]
S0 XMS1563K;XMS1563K;c:\windows\system32\drivers\XMS1563K.SYS [2007-5-2 49580]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswfsblk.sys --> c:\windows\system32\drivers\aswFsBlk.sys [?]
S2 gupdate1c8cbe63317895a;Google Update Service (gupdate1c8cbe63317895a);c:\program files\google\update\GoogleUpdate.exe [2008-7-16 133104]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\tm_cfw.sys --> c:\windows\system32\drivers\TM_CFW.sys [?]
S4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-11-13 138680]
S4 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-11-13 254040]
S4 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-11-13 352920]
S4 TmPfw;Trend Micro Personal Firewall; [x]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2009-03-26 18:31 <DIR> --d----- C:\HJ
2009-03-26 11:43 <DIR> --d-h--- c:\docume~1\kurtsc~1\applic~1\m
2009-03-26 10:50 <DIR> --dsh--- C:\Diskeeper
2009-03-26 09:37 <DIR> --d----- c:\program files\common files\Diskeeper Corporation
2009-03-26 09:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Diskeeper Corporation
2009-03-26 09:37 <DIR> --d----- c:\program files\Diskeeper Corporation
2009-03-26 09:34 <DIR> --d-h--- c:\docume~1\kurtsc~1\applic~1\drivers
2009-03-22 22:48 65,536 a------- c:\windows\IFinst27.exe
2009-03-16 23:18 <DIR> --d----- c:\program files\Yahoo!
2009-03-04 20:31 <DIR> --d----- c:\program files\MySQL

==================== Find3M ====================

2009-01-26 21:05 25,536 a------- c:\docume~1\kurtsc~1\applic~1\GDIPFONTCACHEV1.DAT
2008-04-22 13:25 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat

Edited by copystart, 26 March 2009 - 09:32 PM.


#2 copystart


Posted 27 March 2009 - 01:12 PM

OK, I fixed my computer with ComboFix. You can close this now, thanks anyway.

#3 KoanYorel


Posted 29 March 2009 - 11:44 PM

Thanks for informing us.
Good luck.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)



