
Repeated system error popups, Vista, botted and rootkits reported


  • This topic is locked
23 replies to this topic

#1 ThinkKnot

  • Members
  • 13 posts

Posted 18 April 2009 - 06:56 AM

I installed various scanners including Sophos, Spybot S&D, AVG, Malwarebytes, RUBotted, etc. Various trojans and other malware were reported and cleaned, but they keep coming back. Not sure of the malware names as I didn't write them down. I'm suspecting a rootkit, since one of the programs, perhaps Dr.Web CureIt, reported such one time. I have run the scanners in both safe and normal mode with and without networking. The system had originally acted up by repeated system errors, 'explorer will now close' etc. for each program I tried to run while in normal mode. Scanning in safe mode made the system usable, but it still exhibits slow-downs intermittently as well as hangs or a slow right-click, forcing a restart of explorer manually with taskmgr or Process Explorer (Sysinternals).

Something is still hiding I suspect. Tried so much I'm weary and nervous.

A number of scanners are installed, but only AVG has its resident shield turned on. S&D also has a shield on, since I'm not sure if that one causes problems or not when run concurrently with AVG. Malwarebytes, Sophos, SuperAntiSpyware, Dr.Web CureIt and BitDefender are present but only for on-demand scans and are not in any realtime or protect modes.

Below the DDS log are a couple of others I ran as well.

I won't proceed with anything else scanwise or installing, i.e. I'm keeping the system in the state that matches attached logs, etc.
Hope you can help. Thanks in advance.

ThinKnot

aka Rem



DDS (Ver_09-03-16.01) - NTFSx86
Run by remi at 7:19:24.91 on Sat 04/18/2009
Internet Explorer: 8.0.6001.18702
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.3070.1758 [GMT -4:00]

AV: Sophos Anti-Virus *On-access scanning disabled* (Outdated)
AV: BitDefender Antivirus *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\IPSSVC.EXE
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\Intel\AMT\atchksrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Windows\system32\dllhost.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Windows\System32\svchost.exe -k NetworkService
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\System32\TPHDEXLG.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\vssvc.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Users\remi\Downloads\ProcessExplorer[1]\procexp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\PWMUIAux.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Users\remi\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [TpShocks] TpShocks.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
mRun: [IaNvSrv] c:\program files\intel\intel matrix storage manager\orom\ianvsrv\IaNvSrv.exe
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [TMRUBottedTray] "c:\program files\trend micro\rubotted\TMRUBottedTray.exe"
mRun: [<NO NAME>]
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\procex~1.lnk - c:\users\remi\downloads\processexplorer[1]\procexp.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
Trusted Zone: westernunion.com\wumt
DPF: {43E3F87D-DE7F-4087-BD4F-0DC854981158} - hxxp://download.microsoft.com/download/7/3/8/7384c441-3721-41ee-ae15-b678888f00dd/clearadj.CAB
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\remi\appdata\roaming\mozilla\firefox\profiles\w5gniiu5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\components\FFComm.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-4-11 12552]
R0 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\drivers\iaNvStor.sys [2009-1-3 220696]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2007-10-16 103472]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-10-16 19504]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-11 325640]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-11 108552]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2007-2-19 13744]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R1 SAVOnAccess;SAVOnAccess;c:\windows\system32\drivers\savonaccess.sys [2009-4-13 85312]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWR32V.SYS [2009-1-3 11552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-11 298264]
R2 RUBotted;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\TMRUBotted.exe [2009-4-11 582992]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2008-12-9 69632]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-12-9 98304]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-4-12 1153368]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2007-7-9 55936]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2009-1-3 1464856]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-9-16 3664384]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2009-4-11 206608]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2008-2-22 37312]
S1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [2008-5-28 48192]
S2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\lenovo\rescue and recovery\UpdateMonitor.exe [2008-5-28 253952]
S3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-8-12 111112]
S3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2009-2-8 66848]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2009-4-11 206608]
S3 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2008-6-6 520192]
S4 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2008-7-17 118784]
S4 BXMNVC;BXMNVC;c:\users\remi\appdata\local\temp\bxmnvc.exe --> c:\users\remi\appdata\local\temp\BXMNVC.exe [?]
S4 gupdate1c98f6ca77505d0;Google Update Service (gupdate1c98f6ca77505d0);c:\program files\google\update\GoogleUpdate.exe [2009-2-15 133104]
S4 OAPKGWXR;OAPKGWXR;c:\users\remi\appdata\local\temp\oapkgwxr.exe --> c:\users\remi\appdata\local\temp\OAPKGWXR.exe [?]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2009-4-13 20288]
S4 WQ_USBHWA;WiQuest Host Wire Adapter driver;c:\windows\system32\drivers\WQ_hwa.sys [2007-8-24 160568]
S4 WQ_USBLOAD;WiQuest WUSB Loader driver;c:\windows\system32\drivers\WQ_ldr.sys [2007-8-24 33464]
S4 WQ_USBRCI;WiQuest UltraWideBand driver;c:\windows\system32\drivers\WQ_rci.sys [2007-8-24 76088]

=============== Created Last 30 ================

2009-04-18 06:47 318,976 a------- c:\windows\system32\CF17558.exe
2009-04-18 06:47 <DIR> --d----- C:\ComboFix
2009-04-17 12:58 318,976 a------- c:\windows\system32\CF4584.exe
2009-04-17 12:55 318,976 a------- c:\windows\system32\CF3974.exe
2009-04-17 12:48 318,976 a------- c:\windows\system32\CF2690.exe
2009-04-17 12:46 318,976 a------- c:\windows\system32\CF2321.exe
2009-04-13 23:34 130,088 a------- c:\windows\system32\sdccoinstaller.dll
2009-04-13 23:34 <DIR> --d----- c:\program files\common files\Cisco Systems
2009-04-13 23:34 23,552 a------- c:\windows\system32\SophosBootTasks.exe
2009-04-13 23:33 <DIR> --d----- c:\programdata\Sophos
2009-04-13 23:33 <DIR> --d----- c:\progra~2\Sophos
2009-04-13 23:32 20,288 a------- c:\windows\system32\drivers\SophosBootDriver.sys
2009-04-13 23:32 85,312 a------- c:\windows\system32\drivers\savonaccess.sys
2009-04-12 22:24 <DIR> --d----- c:\program files\Safer Networking
2009-04-12 21:58 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-04-12 21:58 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-12 21:58 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-04-12 11:45 815 a------- C:\rtsr_eml_sr.dat
2009-04-12 11:45 141 a------- C:\dwl.dat
2009-04-12 11:03 <DIR> --d----- c:\program files\Free RAR Extract Frog
2009-04-12 08:21 16 a------- C:\asdict.dat
2009-04-11 23:41 206,608 a------- c:\windows\system32\drivers\TMPassthru.sys
2009-04-11 00:37 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-04-11 00:24 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-11 00:24 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-11 00:24 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-04-11 00:24 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-04-11 00:24 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-04-11 00:24 <DIR> --d----- c:\programdata\avg8
2009-04-11 00:24 <DIR> --d----- c:\program files\AVG
2009-04-11 00:24 <DIR> --d----- c:\progra~2\avg8
2009-04-09 22:15 <DIR> --d----- c:\users\remi\DoctorWeb
2009-04-09 07:36 57 a------- c:\windows\HSASTROL.INI
2009-04-09 07:29 63 a------- c:\windows\WINHELP.BMK
2009-04-09 07:21 8 a------- c:\windows\SERIAL0.PRN
2009-04-09 07:15 <DIR> --d----- C:\WinAstro
2009-04-09 01:56 <DIR> --d----- c:\users\remi\appdata\roaming\Uniblue
2009-04-07 23:53 <DIR> --d----- C:\Files to test
2009-04-07 14:03 132 a------- C:\httpdwl.dat
2009-04-07 11:49 32 a------- c:\windows\system32\thxcfg.ini
2009-04-07 11:49 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-04-05 01:05 26 a------- c:\windows\ExplorerXP.INI
2009-04-04 23:30 4,596 a------- c:\windows\system32\tmp.reg
2009-04-04 15:49 272,386,968 a------- C:\SYM_REGISTRY_BACKUP.reg
2009-04-04 10:41 <DIR> --d----- c:\users\remi\DRIVEIMAGEXML
2009-04-03 18:10 <DIR> --d----- C:\fsaua.data
2009-04-03 10:31 <DIR> --d----- c:\users\remi\DownloadDirector
2009-04-03 08:48 <DIR> --d----- c:\users\remi\.profriend
2009-04-02 16:16 <DIR> --d----- c:\users\remi\.housecall6.6
2009-04-02 09:02 <DIR> --d----- C:\Intel
2009-04-01 22:54 <DIR> --d----- c:\program files\HD Tune
2009-03-31 13:08 1,905 a------- c:\windows\diagwrn.xml
2009-03-31 13:08 1,905 a------- c:\windows\diagerr.xml
2009-03-29 07:42 <DIR> --d----- c:\users\remi\appdata\roaming\WinPatrol
2009-03-29 07:42 <DIR> --d----- c:\program files\BillP Studios
2009-03-28 14:27 <DIR> --d----- c:\windows\system32\log
2009-03-28 14:01 <DIR> --d----- C:\SDFix
2009-03-28 13:14 <DIR> --d----- c:\program files\Trend Micro
2009-03-28 10:04 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-03-28 10:04 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-03-28 10:04 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-28 10:04 <DIR> --d----- c:\users\remi\appdata\roaming\SUPERAntiSpyware.com
2009-03-24 22:40 524,288 a--sh--- C:\ntuser.dat{52522f8a-18e0-11de-8d98-001c26fb0d17}.TMContainer00000000000000000002.regtrans-ms
2009-03-24 22:40 524,288 a--sh--- C:\ntuser.dat{52522f8a-18e0-11de-8d98-001c26fb0d17}.TMContainer00000000000000000001.regtrans-ms
2009-03-24 22:40 65,536 a--sh--- C:\ntuser.dat{52522f8a-18e0-11de-8d98-001c26fb0d17}.TM.blf
2009-03-24 22:40 5,120 a---h--- C:\ntuser.dat.LOG1
2009-03-24 22:40 0 a---h--- C:\ntuser.dat.LOG2
2009-03-24 22:40 262,144 a------- C:\ntuser.dat
2009-03-24 21:09 <DIR> --d----- c:\programdata\NVIDIA
2009-03-24 21:06 81,896 a------- c:\programdata\nvModes.dat
2009-03-24 21:06 81,896 a------- c:\progra~2\nvModes.dat
2009-03-24 21:04 <DIR> --d----- c:\users\remi\{e7567cc0-fae0-4e01-b7e5-20661aec4b70}
2009-03-24 17:53 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-03-24 17:53 116,472 -------- c:\windows\system32\pxcpyi64.exe
2009-03-24 17:51 33,536 a------- c:\windows\system32\drivers\tvtfilter.sys
2009-03-24 17:13 30,144 a------- c:\windows\system32\drivers\psadd.sys
2009-03-24 14:27 334,720 a------- c:\windows\system32\RootkitRevealer.exe
2009-03-22 14:06 <DIR> --d----- c:\program files\common files\Real
2009-03-22 13:35 <DIR> --d----- c:\program files\Rhapsody
2009-03-22 09:24 <DIR> --d----- c:\program files\ThreatExpert Memory Scanner
2009-03-22 08:45 <DIR> --d----- c:\program files\MSECache

==================== Find3M ====================

2009-04-12 18:33 81,984 a------- c:\windows\system32\bdod.bin
2009-04-11 23:41 143,360 a------- c:\windows\inf\infstrng.dat
2009-04-11 23:41 86,016 a------- c:\windows\inf\infstor.dat
2009-04-11 23:41 51,200 a------- c:\windows\inf\infpub.dat
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-04 09:51 25 a------- C:\KILLEXP.BAT
2009-03-08 07:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 07:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 07:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 07:33 109,056 a------- c:\windows\system32\iesysprep.dll
2009-03-08 07:33 109,568 a------- c:\windows\system32\PDMSetup.exe
2009-03-08 07:33 132,608 a------- c:\windows\system32\ieUnatt.exe
2009-03-08 07:33 107,520 a------- c:\windows\system32\RegisterIEPKEYs.exe
2009-03-08 07:33 107,008 a------- c:\windows\system32\SetIEInstalledDate.exe
2009-03-08 07:33 103,936 a------- c:\windows\system32\SetDepNx.exe
2009-03-08 07:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 07:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 07:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 07:32 66,560 a------- c:\windows\system32\wextract.exe
2009-03-08 07:32 169,472 a------- c:\windows\system32\iexpress.exe
2009-03-08 07:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 07:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 07:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 07:22 156,160 a------- c:\windows\system32\msls31.dll
2009-02-08 23:10 2,033,152 a------- c:\windows\system32\win32k.sys
2009-02-05 03:57 192,512 a------- c:\windows\system32\txmlutil.dll
2009-01-28 14:34 193,648 a---h--- c:\windows\system32\mlfcache.dat
2009-01-26 13:50 34 a------- C:\RkitReavler.bat
2009-01-10 20:59 80,432 a------- c:\users\remi\appdata\roaming\nvModes.dat
2009-01-03 17:22 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2003-10-17 14:02 8,826,932 a------- c:\program files\WINWORD.EXE
2002-09-30 09:10 5,599,281 a------- c:\program files\MSO9xxx.DLL

============= FINISH: 7:19:58.74 ===============


GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-18 06:45:23
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8262CCD0
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8262C0E8
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8262C3D8
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82618AA4
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8261801C
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8262C1C0
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8262CB40
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8262C6D4
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8262D100
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8262D36C

---- Kernel code sections - GMER 1.0.15 ----

? C:\Windows\system32\Drivers\PROCEXP111.SYS The system cannot find the file specified. !
? C:\Users\remi\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000053 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp bdftdif.sys
AttachedDevice \Driver\tdx \Device\Udp bdftdif.sys
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\001c26fb0d17
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\001c26fb0d17@00123798b07b 0x7C 0xD5 0x8F 0x0E ...
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\001c26fb0d17@00076175b3b9 0x23 0xC2 0xB5 0xE2 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001c26fb0d17
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001c26fb0d17@00123798b07b 0xDF 0xE6 0x87 0xC8 ...
Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\001c26fb0d17
Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\001c26fb0d17@00123798b07b 0xDF 0xE6 0x87 0xC8 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR

---- Files - GMER 1.0.15 ----

File C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl (size mismatch) 82552/32464 bytes
File C:\Windows\System32\wfp\wfpdiag.etl (size mismatch) 65536/0 bytes

---- EOF - GMER 1.0.15 ----


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.1 by Gmer, http://www.gmer.net

error : atapi IRP not found !
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 1 !

=====================================
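Two things in the DDS log above are worth pulling out mechanically rather than by eye: the two S4 services (BXMNVC, OAPKGWXR) whose image lives in the user's %TEMP% and is no longer on disk (DDS marks that with "--> path [?]"), and the "mPolicies-system: EnableLUA = 0" line, which means UAC is switched off. The script below is an added example for this page, not part of the post, of the DDS tool or of any BleepingComputer procedure; it parses the DDS "SERVICES / DRIVERS" and "Pseudo HJT" line formats and scores each service with a few triage heuristics. The directory hints, the scoring weights and the "opaque name" rule are assumptions chosen for this example, not DDS logic; the sample lines are copied from the log above.

```python
"""Triage of DDS-style service/driver and policy lines.

Added example, not part of the forum post or the DDS tool. The heuristics
(directory hints, weights, opaque-name rule) are assumptions for this example.
"""
import re
from dataclasses import dataclass, field

# Sample input: lines copied from the DDS log above (a mix of legitimate and
# suspicious entries). DDS prints a running service as
#   "<start> <name>;<display>;<path> [<date> <size>]"
# and a service whose image is gone as
#   "<start> <name>;<display>;<path> --> <path> [?]".
SAMPLE_LOG = r"""R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-4-11 12552]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-12-9 98304]
S4 BXMNVC;BXMNVC;c:\users\remi\appdata\local\temp\bxmnvc.exe --> c:\users\remi\appdata\local\temp\BXMNVC.exe [?]
S4 OAPKGWXR;OAPKGWXR;c:\users\remi\appdata\local\temp\oapkgwxr.exe --> c:\users\remi\appdata\local\temp\OAPKGWXR.exe [?]
S4 gupdate1c98f6ca77505d0;Google Update Service (gupdate1c98f6ca77505d0);c:\program files\google\update\GoogleUpdate.exe [2009-2-15 133104]
mPolicies-system: EnableLUA = 0 (0x0)
"""

SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
POLICY_RE = re.compile(r"^mPolicies-system:\s+(?P<key>\w+)\s*=\s*(?P<val>\d+)")

# Assumption: a service image under any of these (user-writable) paths is suspicious.
USER_WRITABLE_HINTS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\")
# Assumption: an all-caps 6-10 letter name that is also its own display name is "opaque".
OPAQUE_NAME_RE = re.compile(r"^[A-Z]{6,10}$")


@dataclass
class Finding:
    start: str
    name: str
    path: str
    score: int = 0
    reasons: list = field(default_factory=list)


def parse_service(line):
    """Return (start, name, display, image_path, missing) or None for non-service lines."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    missing = rest.endswith("[?]")
    # Missing image: take the left-hand path of "a --> b [?]"; otherwise drop " [date size]".
    path = rest.split(" --> ")[0] if missing else rest.rsplit(" [", 1)[0]
    return m.group("start"), m.group("name"), m.group("display"), path.strip(), missing


def triage_services(text, threshold=3):
    """Score every service line; return the Findings at or above the threshold."""
    findings = []
    for line in text.splitlines():
        parsed = parse_service(line)
        if parsed is None:
            continue
        start, name, display, path, missing = parsed
        f = Finding(start, name, path)
        if any(h in path.lower() for h in USER_WRITABLE_HINTS):
            f.score += 3
            f.reasons.append("image under a user-writable directory")
        if missing:
            f.score += 2
            f.reasons.append("image file not present on disk")
        if OPAQUE_NAME_RE.match(name) and display == name:
            f.score += 1
            f.reasons.append("opaque all-caps name with no display name")
        if f.score >= threshold:
            findings.append(f)
    return findings


def weak_policies(text):
    """Flag policy lines that weaken the platform; here only EnableLUA (UAC) is checked."""
    weak = []
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m and m.group("key") == "EnableLUA" and m.group("val") == "0":
            weak.append("EnableLUA=0: UAC disabled, an admin user's processes run fully elevated")
    return weak


if __name__ == "__main__":
    for f in triage_services(SAMPLE_LOG):
        print(f"{f.start} {f.name}: score {f.score}: {'; '.join(f.reasons)} ({f.path})")
    for w in weak_policies(SAMPLE_LOG):
        print(w)
```

Run as-is it reports only the two %TEMP% services and the EnableLUA line; the AVG, Sophos and Google Update entries score zero. The scoring is deliberately additive so that a single weak signal (a terse all-caps name, which legitimate Lenovo drivers such as TPDIGIMN also have) does not flag on its own.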


#2 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 03 May 2009 - 12:51 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
If you still require assistance post a new set of DDS Logs and a description of any remaining problems or symptoms you may still have please.

If for any reason you did not post a DDS log, please refer to this page; in step #6 there are instructions on downloading and running DDS. If you have any problems just let me know in your next reply or simply post a HijackThis log.

Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

#3 ThinkKnot

  • Topic Starter
  • Members
  • 13 posts

Posted 06 May 2009 - 03:43 PM

Hi EB,
I created new dds and HJT, but the board won't accept anything when I hit add reply with pasted information.
I'll keep trying.

This reply is to see if I can just type and successfully add the reply.

remi

#4 ThinkKnot

  • Topic Starter
  • Members
  • 13 posts

Posted 06 May 2009 - 03:45 PM

That worked, it took the reply without me pasting the logs.
Is there a character limit or something?

I'll try again with another reply to post the logs via paste.


remi

#5 ThinkKnot

  • Topic Starter
  • Members
  • 13 posts

Posted 06 May 2009 - 03:46 PM

Hi EB, just pasting text reply:

Hi EB,
Thanks for your assistance. I understand the delay, etc.

I was however forced into additional steps to be able to still function
while awaiting my turn in the queue. So, since I have installed/updated
AVs, run cleaners, etc. etc., tell me what you would like to have me do next.

So I've posted new DDS log, followed by a new attach.txt and then a new HJT log too.

I'm still very concerned that there is something hiding. Occasionally I'll
get a report of trojan this or that which one of the AVs picks up; rootkits have come
up in the past, but I don't know if they're handled or still waiting to spring to life again...


I'm familiar with the filesystem and windows so if you want to save typing long
instructions you can net it out vs. detailed steps if you like.

I'll let you know if any instruction is unclear.

I subscribed to the topic to facilitate my response.

Thanks again.

#6 ThinkKnot

  • Topic Starter
  • Members
  • 13 posts

Posted 06 May 2009 - 03:48 PM

Hi EB

Ok, pasted some text. That worked; the above is my reply.

Now I'll try pasting the logs one at a time.

remi


First the dds.txt:


DDS (Ver_09-03-16.01) - NTFSx86
Run by remi at 15:44:42.54 on Wed 05/06/2009
Internet Explorer: 8.0.6001.18702
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.3070.1406 [GMT -4:00]

AV: Sophos Anti-Virus *On-access scanning disabled* (Outdated)
AV: BitDefender Antivirus *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Windows\system32\WLANExt.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\IPSSVC.EXE
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\Intel\AMT\atchksrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Windows\system32\dllhost.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Windows\System32\svchost.exe -k NetworkService
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Windows\System32\TPHDEXLG.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Users\remi\Downloads\ProcessExplorer[1]\procexp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Opera\Opera.exe
C:\Windows\System32\notepad.exe
C:\Users\remi\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2009\IEToolbar.dll
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [TpShocks] TpShocks.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [IaNvSrv] c:\program files\intel\intel matrix storage manager\orom\ianvsrv\IaNvSrv.exe
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [TMRUBottedTray] "c:\program files\trend micro\rubotted\TMRUBottedTray.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\procex~1.lnk - c:\users\remi\downloads\processexplorer[1]\procexp.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
Trusted Zone: westernunion.com\wumt
DPF: {43E3F87D-DE7F-4087-BD4F-0DC854981158} - hxxp://download.microsoft.com/download/7/3/8/7384c441-3721-41ee-ae15-b678888f00dd/clearadj.CAB
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {F87C9C51-965B-481B-967C-90E122648152} = 216.66.108.34
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\remi\appdata\roaming\mozilla\firefox\profiles\w5gniiu5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-4-11 12552]
R0 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\drivers\iaNvStor.sys [2009-1-3 220696]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2007-10-16 103472]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-10-16 19504]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-4-20 114768]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-11 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-11 108552]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2007-2-19 13744]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R1 SAVOnAccess;SAVOnAccess;c:\windows\system32\drivers\savonaccess.sys [2009-4-13 85312]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWR32V.SYS [2009-1-3 11552]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-4-20 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-4-20 51792]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-11 298776]
R2 RUBotted;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\TMRUBotted.exe [2009-4-11 582992]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2008-12-9 69632]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-12-9 98304]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-4-12 1153368]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2009-1-3 1464856]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-9-18 111112]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-9-16 3664384]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2009-4-11 206608]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2008-2-22 37312]
S1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [2008-5-28 48192]
S2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2007-7-9 55936]
S2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\lenovo\rescue and recovery\UpdateMonitor.exe [2008-5-28 253952]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2009-1-20 172032]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2009-4-11 206608]
S3 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2008-6-6 520192]
S4 BXMNVC;BXMNVC;c:\users\remi\appdata\local\temp\bxmnvc.exe --> c:\users\remi\appdata\local\temp\BXMNVC.exe [?]
S4 gupdate1c98f6ca77505d0;Google Update Service (gupdate1c98f6ca77505d0);c:\program files\google\update\GoogleUpdate.exe [2009-2-15 133104]
S4 OAPKGWXR;OAPKGWXR;c:\users\remi\appdata\local\temp\oapkgwxr.exe --> c:\users\remi\appdata\local\temp\OAPKGWXR.exe [?]
S4 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2009-2-8 66848]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2009-4-13 20288]

=============== Created Last 30 ================

2009-05-03 11:45 <DIR> --d----- C:\LINKSYSROUTERCONFIGBACKUPS
2009-05-03 05:36 <DIR> --d----- c:\users\remi\appdata\roaming\BitDefender
2009-05-03 05:35 <DIR> --d----- c:\programdata\BitDefender
2009-05-03 05:35 <DIR> --d----- c:\progra~2\BitDefender
2009-05-01 10:10 2,855 a------- c:\windows\COMMAND.PIF
2009-05-01 01:28 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-04-25 09:13 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-25 09:13 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-24 15:08 <DIR> --d----- c:\users\remi\appdata\roaming\MAGIX
2009-04-24 15:08 <DIR> --d----- c:\programdata\MAGIX
2009-04-24 15:08 <DIR> --d----- c:\progra~2\MAGIX
2009-04-24 15:08 120,200 a------- c:\windows\system32\DLLDEV32i.dll
2009-04-24 15:08 <DIR> --d----- c:\programdata\Xara
2009-04-24 15:08 <DIR> --d----- c:\program files\Xara
2009-04-24 15:08 <DIR> --d----- c:\progra~2\Xara
2009-04-24 15:07 700,416 a------- c:\windows\system32\mgxoschk.dll
2009-04-24 15:07 6,211 a------- c:\windows\mgxoschk.ini
2009-04-24 15:07 <DIR> --d----- c:\windows\system32\MAGIX
2009-04-23 12:15 151 a------- C:\Nightsongs.url
2009-04-22 23:11 <DIR> --d----- c:\users\remi\appdata\roaming\FreeCommander
2009-04-22 21:38 <DIR> --d----- c:\program files\FreeCommander
2009-04-21 15:17 528,571 a----r-- C:\Blue (close-up).jpg
2009-04-21 11:42 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-04-20 19:45 28 a------- c:\windows\ODBC.INI
2009-04-20 11:27 51,792 a------- c:\windows\system32\drivers\aswMonFlt.sys
2009-04-18 06:47 318,976 a------- c:\windows\system32\CF17558.exe
2009-04-18 06:47 <DIR> --d----- C:\ComboFix
2009-04-17 12:58 318,976 a------- c:\windows\system32\CF4584.exe
2009-04-17 12:55 318,976 a------- c:\windows\system32\CF3974.exe
2009-04-17 12:48 318,976 a------- c:\windows\system32\CF2690.exe
2009-04-17 12:46 318,976 a------- c:\windows\system32\CF2321.exe
2009-04-13 23:34 130,088 a---h--- c:\windows\system32\7fb93929.stf
2009-04-13 23:34 130,088 a------- c:\windows\system32\sdccoinstaller.dll
2009-04-13 23:34 <DIR> --d----- c:\program files\common files\Cisco Systems
2009-04-13 23:34 23,552 a------- c:\windows\system32\SophosBootTasks.exe
2009-04-13 23:33 <DIR> --d----- c:\programdata\Sophos
2009-04-13 23:33 <DIR> --d----- c:\progra~2\Sophos
2009-04-13 23:32 20,288 a------- c:\windows\system32\drivers\SophosBootDriver.sys
2009-04-13 23:32 85,312 a------- c:\windows\system32\drivers\savonaccess.sys
2009-04-12 22:24 <DIR> --d----- c:\program files\Safer Networking
2009-04-12 21:58 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-04-12 21:58 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-12 21:58 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-04-12 11:45 815 a------- C:\rtsr_eml_sr.dat
2009-04-12 11:45 141 a------- C:\dwl.dat
2009-04-12 11:03 <DIR> --d----- c:\program files\Free RAR Extract Frog
2009-04-12 08:21 16 a------- C:\asdict.dat
2009-04-11 23:41 206,608 a------- c:\windows\system32\drivers\TMPassthru.sys
2009-04-11 00:37 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-04-11 00:24 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-11 00:24 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-11 00:24 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-04-11 00:24 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-04-11 00:24 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-04-11 00:24 <DIR> --d----- c:\programdata\avg8
2009-04-11 00:24 <DIR> --d----- c:\program files\AVG
2009-04-11 00:24 <DIR> --d----- c:\progra~2\avg8
2009-04-09 22:15 <DIR> --d----- c:\users\remi\DoctorWeb
2009-04-09 07:36 57 a------- c:\windows\HSASTROL.INI
2009-04-09 07:29 63 a------- c:\windows\WINHELP.BMK
2009-04-09 07:21 8 a------- c:\windows\SERIAL0.PRN
2009-04-09 07:15 <DIR> --d----- C:\WinAstro
2009-04-09 01:56 <DIR> --d----- c:\users\remi\appdata\roaming\Uniblue
2009-04-07 23:53 <DIR> --d----- C:\Files to test
2009-04-07 14:03 132 a------- C:\httpdwl.dat
2009-04-07 11:49 32 a------- c:\windows\system32\thxcfg.ini
2009-04-07 11:49 <DIR> --d----- c:\program files\common files\Wise Installation Wizard

==================== Find3M ====================

2009-05-06 06:50 81,984 a------- c:\windows\system32\bdod.bin
2009-04-29 13:49 143,360 a------- c:\windows\inf\infstrng.dat
2009-04-29 13:49 86,016 a------- c:\windows\inf\infstor.dat
2009-04-29 13:49 51,200 a------- c:\windows\inf\infpub.dat
2009-04-04 23:49 4,596 a------- c:\windows\system32\tmp.reg
2009-04-04 15:49 272,386,968 a------- C:\SYM_REGISTRY_BACKUP.reg
2009-04-04 09:51 25 a------- C:\KILLEXP.BAT
2009-03-26 06:55 81,896 a------- c:\programdata\nvModes.dat
2009-03-26 06:55 81,896 a------- c:\progra~2\nvModes.dat
2009-03-24 22:40 262,144 a------- C:\ntuser.dat
2009-03-24 17:51 33,536 a------- c:\windows\system32\drivers\tvtfilter.sys
2009-03-24 17:44 118,520 a------- c:\windows\system32\pxinsi64.exe
2009-03-24 17:44 116,472 a------- c:\windows\system32\pxcpyi64.exe
2009-03-24 17:13 30,144 a------- c:\windows\system32\drivers\psadd.sys
2009-03-16 23:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-16 23:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-16 23:38 24,064 a------- c:\windows\system32\amxread.dll
2009-03-08 07:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 07:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 07:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 07:33 109,056 a------- c:\windows\system32\iesysprep.dll
2009-03-08 07:33 109,568 a------- c:\windows\system32\PDMSetup.exe
2009-03-08 07:33 132,608 a------- c:\windows\system32\ieUnatt.exe
2009-03-08 07:33 107,520 a------- c:\windows\system32\RegisterIEPKEYs.exe
2009-03-08 07:33 107,008 a------- c:\windows\system32\SetIEInstalledDate.exe
2009-03-08 07:33 103,936 a------- c:\windows\system32\SetDepNx.exe
2009-03-08 07:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 07:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 07:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 07:32 66,560 a------- c:\windows\system32\wextract.exe
2009-03-08 07:32 169,472 a------- c:\windows\system32\iexpress.exe
2009-03-08 07:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 07:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 07:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 07:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-03 00:46 3,599,328 a------- c:\windows\system32\ntkrnlpa.exe
2009-03-03 00:46 3,547,632 a------- c:\windows\system32\ntoskrnl.exe
2009-03-03 00:39 183,296 a------- c:\windows\system32\sdohlp.dll
2009-03-03 00:39 551,424 a------- c:\windows\system32\rpcss.dll
2009-03-03 00:39 26,112 a------- c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 00:37 98,304 a------- c:\windows\system32\iasrecst.dll
2009-03-03 00:37 54,784 a------- c:\windows\system32\iasads.dll
2009-03-03 00:37 44,032 a------- c:\windows\system32\iasdatastore.dll
2009-03-02 23:04 666,624 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-03-02 22:38 17,408 a------- c:\windows\system32\iashost.exe
2009-02-13 04:49 72,704 a------- c:\windows\system32\secur32.dll
2009-02-13 04:49 1,255,936 a------- c:\windows\system32\lsasrv.dll
2009-02-08 23:10 2,033,152 a------- c:\windows\system32\win32k.sys
2009-01-10 20:59 80,432 a------- c:\users\remi\appdata\roaming\nvModes.dat
2009-01-03 17:22 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2003-10-17 14:02 8,826,932 a------- c:\program files\WINWORD.EXE
2002-09-30 09:10 5,599,281 a------- c:\program files\MSO9xxx.DLL

============= FINISH: 15:45:36.43 ===============

#7 ThinkKnot

  • Topic Starter
  • Members
  • 13 posts

Posted 06 May 2009 - 03:51 PM

Hi EB,

Now uploading Attach.txt

and trying to paste HJT

All logs are from today, 5-6-09

remi

Here's the HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:51:36 PM, on 5/6/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Users\remi\Downloads\ProcessExplorer[1]\procexp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Opera\Opera.exe
C:\Windows\System32\notepad.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\remi\Desktop\HijackThis 2.0.0.2\11HiJackThis.exe

F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [IaNvSrv] C:\Program Files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: procexp.exe - Shortcut.lnk = C:\Users\remi\Downloads\ProcessExplorer[1]\procexp.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F87C9C51-965B-481B-967C-90E122648152}: NameServer = 216.66.108.34
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Intel® Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\Windows\system32\IPSSVC.EXE
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Unknown owner - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TVT Windows Update Monitor (TVT_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\AMT\UNS.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8750 bytes


#8 ThinkKnot

  • Topic Starter
  • Members
  • 13 posts

Posted 06 May 2009 - 03:53 PM

Hi EB,
OK.
Finally got it all posted.
So, you've got today's dds.txt, attach.txt uploaded as a file, and an HJT from today too.

Hope that helps.

Look forward to your instructions.

remi

#9 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 07 May 2009 - 03:12 PM

Hello.

Run two more scanners for me.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes.
  • When it's done scanning, you may receive another notice. Click OK if prompted.
  • Click on Save ... to save the log on your desktop.
    Save the log as GMER.txt when you save it on your desktop.
  • Close Gmer and copy and paste the contents of GMER.txt in your next reply.
  • If you receive no notice, click on the Scan button near the bottom.
  • It will start scanning again like before.
  • When it is done, Click on Save ... to save the log on your desktop.
    Save the log as GMER.txt when you save it on your desktop.
  • Close Gmer and copy and paste the contents of GMER.txt in your next reply. If GMER doesn't work in Normal Mode try running it in Safe Mode.
Note: Do Not run any program while GMER is running

Important! Please do not select the Show all checkbox during the scan.

Re-run dds and post a new DDS log.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#10 ThinkKnot

  • Topic Starter
  • Members
  • 13 posts

Posted 10 May 2009 - 12:22 PM

Hi EB,

Nothing found in MB or GMER. Had to run GMER in safe mode since normal mode always results in a BSOD.

Here's the logs.

Sorry it took a while to get this done, had to configure backup pc, do backups, etc. and was swamped till Saturday.

Remi

Malwarebytes' Anti-Malware 1.36
Database version: 2104
Windows 6.0.6001 Service Pack 1

5/10/2009 10:22:37 AM
mbam-log-2009-05-10 (10-22-37).txt

Scan type: Quick Scan
Objects scanned: 77348
Time elapsed: 11 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
-------------------------------------------------

#11 ThinkKnot

  • Topic Starter
  • Members
  • 13 posts

Posted 10 May 2009 - 12:24 PM

I think this shows nothing found, but not sure about using GMER....

----------------------------------------------
GMER log next:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-10 11:58:08
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8282ACD0
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8282A0E8
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8282A3D8
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82816AA4
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8281601C
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8282A1C0
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8282AB40
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8282A6D4
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8282B100
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8282B36C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000054 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\001c26fb0d17
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\001c26fb0d17@00123798b07b 0x7C 0xD5 0x8F 0x0E ...
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\001c26fb0d17@00076175b3b9 0x23 0xC2 0xB5 0xE2 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001c26fb0d17
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001c26fb0d17@00123798b07b 0xDF 0xE6 0x87 0xC8 ...
Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\001c26fb0d17
Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\001c26fb0d17@00123798b07b 0xDF 0xE6 0x87 0xC8 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR

---- EOF - GMER 1.0.15 ----
--------------------------------------------------

And, here's the current dds:
DDS (Ver_09-03-16.01) - NTFSx86 MINIMAL
Run by remi at 11:59:34.28 on Sun 05/10/2009
Internet Explorer: 8.0.6001.18702
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.3070.2449 [GMT -4:00]

AV: Sophos Anti-Virus *On-access scanning disabled* (Outdated)
AV: BitDefender Antivirus *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\System32\vds.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\remi\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [TpShocks] TpShocks.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [IaNvSrv] c:\program files\intel\intel matrix storage manager\orom\ianvsrv\IaNvSrv.exe
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [TMRUBottedTray] "c:\program files\trend micro\rubotted\TMRUBottedTray.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\procex~1.lnk - c:\users\remi\downloads\processexplorer[1]\procexp.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
Trusted Zone: westernunion.com\wumt
DPF: {43E3F87D-DE7F-4087-BD4F-0DC854981158} - hxxp://download.microsoft.com/download/7/3/8/7384c441-3721-41ee-ae15-b678888f00dd/clearadj.CAB
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {F87C9C51-965B-481B-967C-90E122648152} = 216.66.108.34
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\remi\appdata\roaming\mozilla\firefox\profiles\w5gniiu5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\components\FFComm.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-4-11 12552]
R0 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\drivers\iaNvStor.sys [2009-1-3 220696]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2007-10-16 103472]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-10-16 19504]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-12-9 98304]
S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-4-20 114768]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-11 325896]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-11 108552]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2007-2-19 13744]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
S1 SAVOnAccess;SAVOnAccess;c:\windows\system32\drivers\savonaccess.sys [2009-4-13 85312]
S1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWR32V.SYS [2009-1-3 11552]
S1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [2008-5-28 48192]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-4-20 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-4-20 51792]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-11 298776]
S2 RUBotted;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\TMRUBotted.exe [2009-4-11 582992]
S2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2008-12-9 69632]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-4-12 1153368]
S2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2007-7-9 55936]
S2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\lenovo\rescue and recovery\UpdateMonitor.exe [2008-5-28 253952]
S2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2009-1-3 1464856]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2009-1-20 172032]
S3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-9-18 111112]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-9-16 3664384]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2009-4-11 206608]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2009-4-11 206608]
S3 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2008-6-6 520192]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2008-2-22 37312]
S4 BXMNVC;BXMNVC;c:\users\remi\appdata\local\temp\bxmnvc.exe --> c:\users\remi\appdata\local\temp\BXMNVC.exe [?]
S4 gupdate1c98f6ca77505d0;Google Update Service (gupdate1c98f6ca77505d0);c:\program files\google\update\GoogleUpdate.exe [2009-2-15 133104]
S4 OAPKGWXR;OAPKGWXR;c:\users\remi\appdata\local\temp\oapkgwxr.exe --> c:\users\remi\appdata\local\temp\OAPKGWXR.exe [?]
S4 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2009-2-8 66848]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2009-4-13 20288]

=============== Created Last 30 ================

2009-05-03 11:45 <DIR> --d----- C:\LINKSYSROUTERCONFIGBACKUPS
2009-05-03 05:36 <DIR> --d----- c:\users\remi\appdata\roaming\BitDefender
2009-05-03 05:35 <DIR> --d----- c:\programdata\BitDefender
2009-05-03 05:35 <DIR> --d----- c:\progra~2\BitDefender
2009-05-01 10:10 2,855 a------- c:\windows\COMMAND.PIF
2009-05-01 01:28 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-04-25 09:13 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-25 09:13 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-24 15:08 <DIR> --d----- c:\users\remi\appdata\roaming\MAGIX
2009-04-24 15:08 <DIR> --d----- c:\programdata\MAGIX
2009-04-24 15:08 <DIR> --d----- c:\progra~2\MAGIX
2009-04-24 15:08 120,200 a------- c:\windows\system32\DLLDEV32i.dll
2009-04-24 15:08 <DIR> --d----- c:\programdata\Xara
2009-04-24 15:08 <DIR> --d----- c:\program files\Xara
2009-04-24 15:08 <DIR> --d----- c:\progra~2\Xara
2009-04-24 15:07 700,416 a------- c:\windows\system32\mgxoschk.dll
2009-04-24 15:07 6,211 a------- c:\windows\mgxoschk.ini
2009-04-24 15:07 <DIR> --d----- c:\windows\system32\MAGIX
2009-04-23 12:15 151 a------- C:\Nightsongs.url
2009-04-22 23:11 <DIR> --d----- c:\users\remi\appdata\roaming\FreeCommander
2009-04-22 21:38 <DIR> --d----- c:\program files\FreeCommander
2009-04-21 15:17 528,571 a----r-- C:\Blue (close-up).jpg
2009-04-21 11:42 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-04-20 19:45 28 a------- c:\windows\ODBC.INI
2009-04-20 11:27 51,792 a------- c:\windows\system32\drivers\aswMonFlt.sys
2009-04-18 06:47 318,976 a------- c:\windows\system32\CF17558.exe
2009-04-18 06:47 <DIR> --d----- C:\ComboFix
2009-04-17 12:58 318,976 a------- c:\windows\system32\CF4584.exe
2009-04-17 12:55 318,976 a------- c:\windows\system32\CF3974.exe
2009-04-17 12:48 318,976 a------- c:\windows\system32\CF2690.exe
2009-04-17 12:46 318,976 a------- c:\windows\system32\CF2321.exe
2009-04-13 23:34 130,088 a---h--- c:\windows\system32\7fb93929.stf
2009-04-13 23:34 130,088 a------- c:\windows\system32\sdccoinstaller.dll
2009-04-13 23:34 <DIR> --d----- c:\program files\common files\Cisco Systems
2009-04-13 23:34 23,552 a------- c:\windows\system32\SophosBootTasks.exe
2009-04-13 23:33 <DIR> --d----- c:\programdata\Sophos
2009-04-13 23:33 <DIR> --d----- c:\progra~2\Sophos
2009-04-13 23:32 20,288 a------- c:\windows\system32\drivers\SophosBootDriver.sys
2009-04-13 23:32 85,312 a------- c:\windows\system32\drivers\savonaccess.sys
2009-04-12 22:24 <DIR> --d----- c:\program files\Safer Networking
2009-04-12 21:58 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-04-12 21:58 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-12 21:58 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-04-12 11:45 815 a------- C:\rtsr_eml_sr.dat
2009-04-12 11:45 141 a------- C:\dwl.dat
2009-04-12 11:03 <DIR> --d----- c:\program files\Free RAR Extract Frog
2009-04-12 08:21 16 a------- C:\asdict.dat
2009-04-11 23:41 206,608 a------- c:\windows\system32\drivers\TMPassthru.sys
2009-04-11 00:37 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-04-11 00:24 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-11 00:24 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-11 00:24 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-04-11 00:24 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-04-11 00:24 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-04-11 00:24 <DIR> --d----- c:\programdata\avg8
2009-04-11 00:24 <DIR> --d----- c:\program files\AVG
2009-04-11 00:24 <DIR> --d----- c:\progra~2\avg8

==================== Find3M ====================

2009-05-08 17:21 81,984 a------- c:\windows\system32\bdod.bin
2009-04-29 13:49 143,360 a------- c:\windows\inf\infstrng.dat
2009-04-29 13:49 86,016 a------- c:\windows\inf\infstor.dat
2009-04-29 13:49 51,200 a------- c:\windows\inf\infpub.dat
2009-04-12 11:45 132 a------- C:\httpdwl.dat
2009-04-04 23:49 4,596 a------- c:\windows\system32\tmp.reg
2009-04-04 15:49 272,386,968 a------- C:\SYM_REGISTRY_BACKUP.reg
2009-04-04 09:51 25 a------- C:\KILLEXP.BAT
2009-03-26 06:55 81,896 a------- c:\programdata\nvModes.dat
2009-03-26 06:55 81,896 a------- c:\progra~2\nvModes.dat
2009-03-24 22:40 262,144 a------- C:\ntuser.dat
2009-03-24 17:51 33,536 a------- c:\windows\system32\drivers\tvtfilter.sys
2009-03-24 17:44 118,520 a------- c:\windows\system32\pxinsi64.exe
2009-03-24 17:44 116,472 a------- c:\windows\system32\pxcpyi64.exe
2009-03-24 17:13 30,144 a------- c:\windows\system32\drivers\psadd.sys
2009-03-16 23:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-16 23:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-16 23:38 24,064 a------- c:\windows\system32\amxread.dll
2009-03-08 07:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 07:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 07:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 07:33 109,056 a------- c:\windows\system32\iesysprep.dll
2009-03-08 07:33 109,568 a------- c:\windows\system32\PDMSetup.exe
2009-03-08 07:33 132,608 a------- c:\windows\system32\ieUnatt.exe
2009-03-08 07:33 107,520 a------- c:\windows\system32\RegisterIEPKEYs.exe
2009-03-08 07:33 107,008 a------- c:\windows\system32\SetIEInstalledDate.exe
2009-03-08 07:33 103,936 a------- c:\windows\system32\SetDepNx.exe
2009-03-08 07:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 07:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 07:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 07:32 66,560 a------- c:\windows\system32\wextract.exe
2009-03-08 07:32 169,472 a------- c:\windows\system32\iexpress.exe
2009-03-08 07:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 07:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 07:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 07:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-03 00:46 3,599,328 a------- c:\windows\system32\ntkrnlpa.exe
2009-03-03 00:46 3,547,632 a------- c:\windows\system32\ntoskrnl.exe
2009-03-03 00:39 183,296 a------- c:\windows\system32\sdohlp.dll
2009-03-03 00:39 551,424 a------- c:\windows\system32\rpcss.dll
2009-03-03 00:39 26,112 a------- c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 00:37 98,304 a------- c:\windows\system32\iasrecst.dll
2009-03-03 00:37 54,784 a------- c:\windows\system32\iasads.dll
2009-03-03 00:37 44,032 a------- c:\windows\system32\iasdatastore.dll
2009-03-02 23:04 666,624 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-03-02 22:38 17,408 a------- c:\windows\system32\iashost.exe
2009-02-13 04:49 72,704 a------- c:\windows\system32\secur32.dll
2009-02-13 04:49 1,255,936 a------- c:\windows\system32\lsasrv.dll
2009-01-10 20:59 80,432 a------- c:\users\remi\appdata\roaming\nvModes.dat
2009-01-03 17:22 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2003-10-17 14:02 8,826,932 a------- c:\program files\WINWORD.EXE
2002-09-30 09:10 5,599,281 a------- c:\program files\MSO9xxx.DLL

============= FINISH: 11:59:49.32 ===============
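
The services section of the DDS log above carries two S4 entries whose binaries sit under the user's local temp folder and end in DDS's trailing "[?]". As an added example (not code from DDS or from anyone in this thread), the following Python parses DDS-style service lines and flags such entries for review; it assumes the line layout shown in the log and takes "[?]" to mean that DDS could not find the file on disk.

```python
"""Flag DDS 'SERVICES / DRIVERS' entries worth a closer look.

Added example for this thread (not DDS's own code). A DDS service line
looks like  START NAME;DISPLAY;PATH [DATE SIZE]  or, when the file was not
found,  START NAME;DISPLAY;PATH --> RESOLVED [?]  (the "[?]" meaning is an
assumption). Entries in a temp directory or marked "[?]" are flagged.
"""
import re
from typing import List, NamedTuple, Optional

# Constructed sample: two ordinary entries plus the two S4 lines quoted
# from the thread's DDS log, so the output shows what is and is not flagged.
SAMPLE_DDS = r"""
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-4-11 12552]
S2 RUBotted;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\TMRUBotted.exe [2009-4-11 582992]
S4 BXMNVC;BXMNVC;c:\users\remi\appdata\local\temp\bxmnvc.exe --> c:\users\remi\appdata\local\temp\BXMNVC.exe [?]
S4 OAPKGWXR;OAPKGWXR;c:\users\remi\appdata\local\temp\oapkgwxr.exe --> c:\users\remi\appdata\local\temp\OAPKGWXR.exe [?]
"""

# Start type (R0..R3 running, S0..S4 stopped), then name;display;rest.
LINE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# Any path component named "temp": a service binary rarely belongs there.
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# Trailing "[2009-4-11 12552]" or "[?]" annotation.
TRAILER_RE = re.compile(r"\s*\[[^\]]*\]\s*$")

class Service(NamedTuple):
    start_type: str
    name: str
    display: str
    path: str           # resolved path (right-hand side of "-->" when present)
    file_missing: bool  # True when DDS appended "[?]" instead of date/size

class Finding(NamedTuple):
    service: Service
    reasons: List[str]

def parse_service_line(line: str) -> Optional[Service]:
    """Return a Service for one DDS service line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").rstrip()
    file_missing = rest.endswith("[?]")
    body = TRAILER_RE.sub("", rest)
    # "configured --> resolved": keep the path DDS actually looked up.
    path = body.split("-->")[-1].strip()
    return Service(m.group("start"), m.group("name").strip(),
                   m.group("display").strip(), path, file_missing)

def audit_services(services: List[Service]) -> List[Finding]:
    """Apply the two review heuristics and collect the entries that trip them."""
    findings = []
    for svc in services:
        reasons = []
        if TEMP_RE.search(svc.path):
            reasons.append("binary located in a temp directory")
        if svc.file_missing:
            reasons.append("file not found on disk ([?])")
        if reasons:
            findings.append(Finding(svc, reasons))
    return findings

def audit_dds_text(text: str) -> List[Finding]:
    """Parse a DDS services section (or a whole DDS log) and audit it."""
    parsed = (parse_service_line(line) for line in text.splitlines())
    return audit_services([svc for svc in parsed if svc is not None])

if __name__ == "__main__":
    for finding in audit_dds_text(SAMPLE_DDS):
        svc = finding.service
        print(f"{svc.start_type} {svc.name}: {svc.path} -- {'; '.join(finding.reasons)}")
```

A flagged entry is a prompt to check the file and the service registration, not a verdict; orphaned entries of this kind are also commonly left behind by an installer or an earlier cleanup.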

#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:19 PM

Posted 10 May 2009 - 05:46 PM

Hello.

Let's see what's left.

Update Java to Version 6 Update 13

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 13.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
*If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
** If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
*** The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the [image] button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the [image] button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the [image] button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the [image] button, if you made any changes.
  • Now under the Scan section on the left:
    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

I believe you have no more symptoms?

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image].

#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:19 PM

Posted 15 May 2009 - 07:47 PM

Hello.

Are you still with me?

~Extremeboy

#14 ThinkKnot

ThinkKnot
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:03:19 PM

Posted 15 May 2009 - 11:32 PM

Hi EB,
Yes I am.
I have been offline all week - medical troubles, couldn't crack the laptop once.
I was afraid I'd be a closed topic, thx for checking.

If ok, this weekend I'll tackle the next steps and post logs etc.

thinKnot

#15 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:19 PM

Posted 16 May 2009 - 09:55 AM

Okay.

Hope all is well.

~Extremeboy
