Mebroot (or Sinowal?) Reapperaing Running Windows 2000


  • This topic is locked
25 replies to this topic

#1 tom fordo

tom fordo

  • Members
  • 15 posts
  • OFFLINE
  • Local time:10:03 PM

Posted 25 May 2009 - 02:24 PM

There has been a flurry of posts for help with this latest (as at May 2009) version of Mebroot. I have found many similar threads on various forums on this topic, but none have helped. This might be because I'm running Windows 2000 (Ver 5, Build 2195, Service Pack 4) - whereas most of the advice relates to XP.

My PC's symptoms seem suddenly quite common. Booting up I am getting - not every time, cunning or what? - a box headed:

"C:\Documents And Settings\All Users\Start Menu\Programs\Startup\Uninstall.exe" - with the message:
"Another program is currently using this file".

This uninstall.exe is identified as carrying a virus by various A/V packages (see below). However the problem is clearly at 'root' level - something which runs before Windows proper is clearly in control. Delete uninstall.exe and it promptly reappears. There is also the clue of a 'suspicious auto-loading registry entry' - O4 global startup - found by HijackThis.

A favourite recommendation seems to be to use Windows Recovery console to fix the master boot record by running fixmbr and then clear up the mess. With some difficulty I managed to install the Recovery Console, but - as XP users have found - it comes up with the warning that the mbr is 'non-standard' (well of course it is, if it's carrying a virus) and continuing 'may damage' partitions etc.

I feel I can't risk running fixmbr unless someone can reassure me that either there'll be no problem or that any problem will be straightforward to recover from. I do realise that's quite a Big Ask (bearing in mind that my skills/experience are minimal and I'm not in the league of users who reformat hard disks, re-install Windows, etc.).


Latest: I installed AVG Free A/V and the message on start up has changed to "Access is denied" to the rogue uninstall.exe file.


Have read the standard instructions.


DDS (Ver_09-05-14.01) - FAT32x86
Run by Administrator at 22:52:45.88 on Sun 24/05/2009
Internet Explorer: 6.0.2800.1106

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = 127.0.0.1
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
uRun: [internat.exe] internat.exe
uRun: [OM_Monitor] c:\program files\olympus\olympus master\Monitor.exe -NoStart
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
mRun: [OM_Monitor] c:\program files\olympus\olympus master\FirstStart.exe
mRun: [AtiPTA] atiptaxx.exe
mRun: [Motive SmartBridge] c:\progra~1\blueyo~1\smartb~1\blueyonder-istnotifier.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [internat.exe] internat.exe
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueyo~1.lnk - c:\program files\blueyonder ist\bin\blueyonder-istconfig.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\uninstall.exe
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - hxxp://housecall60.trendmicro.com/housecall/xscan60.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146868699418
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www3.ca.com/securityadvisor/virusinfo/webscan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586-jc.cab
DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38903.1549189815
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\1eoayh2d.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-05-23 13:17 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-05-23 12:35 11,952 a------- c:\winnt\system32\avgrsstx.dll
2009-05-23 12:34 108,552 a------- c:\winnt\system32\drivers\avgtdix.sys
2009-05-23 12:34 325,896 a------- c:\winnt\system32\drivers\avgldx86.sys
2009-05-23 12:34 <DIR> --d----- c:\winnt\system32\drivers\Avg
2009-05-23 12:34 <DIR> --d----- c:\docume~1\admini~1\applic~1\AVGTOOLBAR
2009-05-23 12:34 <DIR> --d----- c:\program files\AVG
2009-05-23 12:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-05-23 12:08 <DIR> --d----- c:\docume~1\admini~1\applic~1\AVG8
2009-05-22 17:07 <DIR> --d----- c:\program files\SDFix
2009-05-22 15:34 <DIR> --d----- c:\program files\common files\ParetoLogic
2009-05-22 14:44 159,600 a------- c:\winnt\system32\drivers\pctgntdi.sys
2009-05-22 14:43 130,936 a------- c:\winnt\system32\drivers\PCTCore.sys
2009-05-22 14:43 73,840 a------- c:\winnt\system32\drivers\PCTAppEvent.sys
2009-05-22 14:43 64,392 a------- c:\winnt\system32\drivers\pctplsg.sys
2009-05-22 14:43 <DIR> --d----- c:\program files\common files\PC Tools
2009-05-22 14:43 <DIR> --d----- c:\program files\Spyware Doctor
2009-05-22 14:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-05-22 14:43 <DIR> --d----- c:\docume~1\admini~1\applic~1\PC Tools
2009-05-22 10:25 <DIR> --dsh--- C:\Recycled
2009-05-22 00:15 130,048 a------- c:\winnt\PEV.exe
2009-05-21 12:46 54,156 a---h--- c:\winnt\QTFont.qfn
2009-05-21 12:46 1,409 a------- c:\winnt\QTFont.for
2009-05-21 00:33 <DIR> --d----- c:\docume~1\admini~1\applic~1\F-Secure
2009-05-21 00:11 1,110,368 ----h--- c:\winnt\ShellIconCache
2009-05-20 22:46 <DIR> --d----- c:\program files\F-Secure Internet Security
2009-05-20 17:16 <DIR> --dshr-- C:\cmdcons
2009-05-20 00:42 <DIR> --d-h--- c:\winnt\PIF
2009-05-19 23:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-05-19 23:03 <DIR> --d----- c:\program files\common files\iS3
2009-05-19 23:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-05-16 20:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\fssg
2009-05-16 20:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\f-secure
2009-05-16 17:32 <DIR> --d----- c:\program files\ESET
2009-05-15 23:27 <DIR> --d----- C:\My Music
2009-05-15 13:43 462,848 a------- c:\winnt\system32\msaatext.dll
2009-05-15 13:43 360,448 a------- c:\winnt\system32\oleacc.dll
2009-05-15 13:43 360,448 a------- c:\winnt\system32\dllcache\oleacc.dll
2009-05-15 13:43 356,352 a------- c:\winnt\system32\oleaccrc.dll
2009-05-15 13:43 356,352 a------- c:\winnt\system32\dllcache\oleaccrc.dll
2009-05-15 11:30 118 a------- c:\winnt\system32\MRT.INI
2009-05-04 13:12 161,792 a------- c:\winnt\SWREG.exe
2009-05-04 13:12 98,816 a------- c:\winnt\sed.exe

==================== Find3M ====================

2009-04-06 15:32 38,496 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\winnt\system32\drivers\mbam.sys
2009-03-03 13:36 2,706,944 a------- c:\winnt\system32\dllcache\MSHTML.DLL
2009-03-03 12:43 1,340,416 a------- c:\winnt\system32\dllcache\SHDOCVW.DLL
2009-02-02 16:13 354 -------- c:\program files\Shortcut to Millennium Patches.lnk
2007-03-08 10:03 1,308,216 -------- c:\program files\HiJackThis_v2.exe
2002-02-19 17:28 36,580,788 -------- c:\program files\sibelius2.exe
2001-05-08 12:00 32,528 -------- c:\winnt\inf\wbfirdma.sys
2008-07-16 15:55 2 a--shr-- c:\winnt\winstart.bat

============= FINISH: 22:53:18.80 ===============

Tom Fordo


#2 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:03 PM

Posted 07 June 2009 - 02:43 PM

Hello and :thumbup2: to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.


Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

-----------------------------------------------------------

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Kind regards
Net_Surfer

:)

#3 tom fordo

tom fordo
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:10:03 PM

Posted 08 June 2009 - 04:14 AM

Hi NetSurfer And Others

Still have the problem mentioned in my original post. Have re-run DDS and am including the results. Many thanks for your help.

DDS2.txt:


DDS (Ver_09-05-14.01) - FAT32x86
Run by Administrator at 10:10:03.18 on Mon 08/06/2009
Internet Explorer: 6.0.2800.1106

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = 127.0.0.1
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
uRun: [internat.exe] internat.exe
uRun: [OM_Monitor] c:\program files\olympus\olympus master\Monitor.exe -NoStart
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
mRun: [OM_Monitor] c:\program files\olympus\olympus master\FirstStart.exe
mRun: [AtiPTA] atiptaxx.exe
mRun: [Motive SmartBridge] c:\progra~1\blueyo~1\smartb~1\blueyonder-istnotifier.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [internat.exe] internat.exe
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueyo~1.lnk - c:\program files\blueyonder ist\bin\blueyonder-istconfig.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\uninstall.exe
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - hxxp://housecall60.trendmicro.com/housecall/xscan60.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146868699418
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www3.ca.com/securityadvisor/virusinfo/webscan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586-jc.cab
DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38903.1549189815
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\1eoayh2d.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-05-23 13:17 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-05-23 12:35 11,952 a------- c:\winnt\system32\avgrsstx.dll
2009-05-23 12:34 108,552 a------- c:\winnt\system32\drivers\avgtdix.sys
2009-05-23 12:34 325,896 a------- c:\winnt\system32\drivers\avgldx86.sys
2009-05-23 12:34 <DIR> --d----- c:\winnt\system32\drivers\Avg
2009-05-23 12:34 <DIR> --d----- c:\docume~1\admini~1\applic~1\AVGTOOLBAR
2009-05-23 12:34 <DIR> --d----- c:\program files\AVG
2009-05-23 12:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-05-23 12:08 <DIR> --d----- c:\docume~1\admini~1\applic~1\AVG8
2009-05-22 17:07 <DIR> --d----- c:\program files\SDFix
2009-05-22 15:34 <DIR> --d----- c:\program files\common files\ParetoLogic
2009-05-22 14:44 159,600 a------- c:\winnt\system32\drivers\pctgntdi.sys
2009-05-22 14:43 130,936 a------- c:\winnt\system32\drivers\PCTCore.sys
2009-05-22 14:43 73,840 a------- c:\winnt\system32\drivers\PCTAppEvent.sys
2009-05-22 14:43 64,392 a------- c:\winnt\system32\drivers\pctplsg.sys
2009-05-22 14:43 <DIR> --d----- c:\program files\common files\PC Tools
2009-05-22 14:43 <DIR> --d----- c:\program files\Spyware Doctor
2009-05-22 14:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-05-22 14:43 <DIR> --d----- c:\docume~1\admini~1\applic~1\PC Tools
2009-05-22 10:25 <DIR> --dsh--- C:\Recycled
2009-05-22 00:15 130,048 a------- c:\winnt\PEV.exe
2009-05-21 00:33 <DIR> --d----- c:\docume~1\admini~1\applic~1\F-Secure
2009-05-21 00:11 1,198,898 ----h--- c:\winnt\ShellIconCache
2009-05-20 22:46 <DIR> --d----- c:\program files\F-Secure Internet Security
2009-05-20 17:16 <DIR> --dshr-- C:\cmdcons
2009-05-20 00:42 <DIR> --d-h--- c:\winnt\PIF
2009-05-19 23:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-05-19 23:03 <DIR> --d----- c:\program files\common files\iS3
2009-05-19 23:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-05-16 20:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\fssg
2009-05-16 20:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\f-secure
2009-05-16 17:32 <DIR> --d----- c:\program files\ESET
2009-05-15 23:27 <DIR> --d----- C:\My Music
2009-05-15 13:43 462,848 a------- c:\winnt\system32\msaatext.dll
2009-05-15 13:43 360,448 a------- c:\winnt\system32\oleacc.dll
2009-05-15 13:43 360,448 a------- c:\winnt\system32\dllcache\oleacc.dll
2009-05-15 13:43 356,352 a------- c:\winnt\system32\oleaccrc.dll
2009-05-15 13:43 356,352 a------- c:\winnt\system32\dllcache\oleaccrc.dll
2009-05-15 11:30 118 a------- c:\winnt\system32\MRT.INI

==================== Find3M ====================

2009-02-02 16:13 354 -------- c:\program files\Shortcut to Millennium Patches.lnk
2007-03-08 10:03 1,308,216 -------- c:\program files\HiJackThis_v2.exe
2002-02-19 17:28 36,580,788 -------- c:\program files\sibelius2.exe
2001-05-08 12:00 32,528 -------- c:\winnt\inf\wbfirdma.sys
2008-07-16 15:55 2 a--shr-- c:\winnt\winstart.bat

============= FINISH: 10:10:22.34 ===============

Attach2.txt is attached


#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,176 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:03 PM

Posted 09 June 2009 - 06:57 PM

Hi, tom fordo :thumbup2:

Welcome.

Please read and follow all these instructions very carefully.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop

    DDS::
    uRun: [internat.exe] internat.exe
    dRun: [internat.exe] internat.exe
    dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
    StartupFolder: c:\documents and settings\all users\start menu\programs\startup\uninstall.exe


    Posted Image
  • Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log.
  • If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.
  • Install the Recovery Console upon request.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new DDS log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
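Added example (editor's code, not part of this thread and not DDS or ComboFix code): a small Python triage of the "Pseudo HJT Report" section of a DDS log, using the line shapes seen in the logs above. It flags the pattern the thread turns on, an executable sitting directly in a Startup folder instead of a .lnk shortcut, notes Run entries given as bare filenames, and drafts the DDS:: block in the shape of the quote box in the post above from the entries an analyst picks. The sample log text is constructed from the thread's own lines, and the flagging rules are the editor's assumption, not something DDS itself does.

```python
import re

# Constructed sample in the shape of the thread's DDS "Pseudo HJT Report" section.
SAMPLE_DDS = """\
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uRun: [internat.exe] internat.exe
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [AVG8_TRAY] c:\\progra~1\\avg\\avg8\\avgtray.exe
dRun: [internat.exe] internat.exe
dRunOnce: [^SetupICWDesktop] c:\\program files\\internet explorer\\connection wizard\\icwconn1.exe /desktop
StartupFolder: c:\\docume~1\\alluse~1\\startm~1\\programs\\startup\\blueyo~1.lnk - c:\\program files\\blueyonder ist\\bin\\blueyonder-istconfig.exe
StartupFolder: c:\\documents and settings\\all users\\start menu\\programs\\startup\\uninstall.exe
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

================= FIREFOX ===================
"""

BANNER_RE = re.compile(r"^=+\s*(.*?)\s*=+$")                    # "=== Section name ==="
RUN_RE = re.compile(r"^([umd]Run(?:Once)?): \[([^\]]*)\] (.*)$")  # uRun/mRun/dRun/dRunOnce
STARTUP_RE = re.compile(r"^StartupFolder: (.*)$")


def pseudo_hjt_lines(text):
    """Yield the non-empty lines between the Pseudo HJT banner and the next banner."""
    inside = False
    for line in text.splitlines():
        m = BANNER_RE.match(line.strip())
        if m:
            inside = "Pseudo HJT Report" in m.group(1)
            continue
        if inside and line.strip():
            yield line.rstrip()


def parse_pseudo_hjt(text):
    """Return autostart entries as dicts: kind, name, command, raw (the original line)."""
    entries = []
    for line in pseudo_hjt_lines(text):
        m = RUN_RE.match(line)
        if m:
            entries.append({"kind": m.group(1), "name": m.group(2),
                            "command": m.group(3), "raw": line})
            continue
        m = STARTUP_RE.match(line)
        if m:
            # "item - target": a .lnk is listed with its target, a bare executable is not.
            item, _, target = m.group(1).partition(" - ")
            entries.append({"kind": "StartupFolder", "name": item,
                            "command": target or item, "raw": line})
    return entries


def triage(entries):
    """Return (level, reason, entry) triples. The rules are this example's own, not DDS's."""
    findings = []
    for e in entries:
        if e["kind"] == "StartupFolder":
            if not e["name"].lower().endswith(".lnk"):
                # The thread's indicator: an executable dropped straight into the
                # all-users Startup folder instead of a shortcut to an installed program.
                findings.append(("review", "executable placed directly in a Startup folder", e))
        elif "\\" not in e["command"]:
            # A bare filename is resolved through the search path; confirm on disk
            # which copy actually loads before treating it as the legitimate one.
            findings.append(("verify", "bare filename, no directory given", e))
    return findings


def build_cfscript(entries):
    """Draft a DDS:: block, one original DDS line per chosen entry, as in the quote box."""
    return "DDS::\n" + "".join(e["raw"] + "\n" for e in entries)


if __name__ == "__main__":
    found = triage(parse_pseudo_hjt(SAMPLE_DDS))
    for level, reason, e in found:
        print(f"[{level}] {e['kind']:<13} {e['name']:<24} {reason}")
    # Only the entries the analyst actually wants removed go into the script.
    chosen = [e for level, _, e in found if level == "review"]
    print(build_cfscript(chosen))
```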


#5 tom fordo

tom fordo
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:10:03 PM

Posted 10 June 2009 - 07:18 AM

Thanks for your response. I hope I've followed your instructions correctly. So this time I am pasting in Combofix.txt and the new dds.txt and I'll attach the attach.txt.

ComboFix 09-06-09.06 - Administrator 10/06/2009 12:57.6 - FAT32x86
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\arcldr.exe
C:\arcsetup.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-10 to 2009-06-10 )))))))))))))))))))))))))))))))
.

2009-05-23 12:17 . 2009-05-23 12:17 -------- d--h--w- C:\$AVG8.VAULT$
2009-05-23 11:35 . 2009-05-23 11:35 11952 ----a-w- c:\winnt\system32\avgrsstx.dll
2009-05-23 11:34 . 2009-05-23 11:35 108552 ----a-w- c:\winnt\system32\drivers\avgtdix.sys
2009-05-23 11:34 . 2009-05-23 11:34 325896 ----a-w- c:\winnt\system32\drivers\avgldx86.sys
2009-05-23 11:34 . 2009-05-23 11:34 27784 ----a-w- c:\winnt\system32\drivers\avgmfx86.sys
2009-05-23 11:34 . 2009-05-23 11:34 -------- d-----w- c:\winnt\system32\drivers\Avg
2009-05-23 11:34 . 2009-05-23 11:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVGTOOLBAR
2009-05-23 11:34 . 2009-05-23 11:34 -------- d-----w- c:\program files\AVG
2009-05-23 11:34 . 2009-05-23 11:34 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-05-23 11:08 . 2009-05-23 11:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2009-05-22 16:07 . 2008-11-06 01:03 -------- d-----w- c:\program files\SDFix
2009-05-22 14:34 . 2009-05-22 14:34 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-05-22 14:33 . 2009-05-22 14:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Downloaded Installations
2009-05-22 13:44 . 2008-12-11 07:38 159600 ----a-w- c:\winnt\system32\drivers\pctgntdi.sys
2009-05-22 13:43 . 2009-04-03 10:18 130936 ----a-w- c:\winnt\system32\drivers\PCTCore.sys
2009-05-22 13:43 . 2008-12-18 11:16 73840 ----a-w- c:\winnt\system32\drivers\PCTAppEvent.sys
2009-05-22 13:43 . 2009-05-22 13:43 -------- d-----w- c:\program files\Common Files\PC Tools
2009-05-22 13:43 . 2008-12-10 10:36 64392 ----a-w- c:\winnt\system32\drivers\pctplsg.sys
2009-05-22 13:43 . 2009-05-22 13:43 -------- d-----w- c:\program files\Spyware Doctor
2009-05-22 13:43 . 2009-05-22 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-05-22 13:43 . 2009-05-22 13:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools
2009-05-20 23:33 . 2009-05-20 23:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\F-Secure
2009-05-20 21:46 . 2009-05-20 21:46 -------- d-----w- c:\program files\F-Secure Internet Security
2009-05-19 23:42 . 2009-05-19 23:42 -------- d--h--w- c:\winnt\PIF
2009-05-19 22:04 . 2009-05-19 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-05-19 22:03 . 2009-05-19 22:03 -------- d-----w- c:\program files\Common Files\iS3
2009-05-19 22:03 . 2009-05-19 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-05-16 19:18 . 2009-05-16 19:18 -------- d-----w- c:\documents and settings\All Users\Application Data\fssg
2009-05-16 19:13 . 2009-05-16 19:13 -------- d-----w- c:\documents and settings\All Users\Application Data\f-secure
2009-05-16 16:32 . 2009-05-16 16:32 -------- d-----w- c:\program files\ESET
2009-05-15 22:27 . 2009-05-15 22:27 -------- d-----w- C:\My Music
2009-05-15 22:24 . 2009-05-15 22:24 -------- d-----w- c:\program files\Real
2009-05-15 12:43 . 2002-05-15 14:16 360448 ----a-w- c:\winnt\system32\oleacc.dll
2009-05-15 12:43 . 2002-05-15 14:16 360448 ----a-w- c:\winnt\system32\dllcache\oleacc.dll
2009-05-15 12:43 . 2002-05-15 14:16 356352 ----a-w- c:\winnt\system32\oleaccrc.dll
2009-05-15 12:43 . 2002-05-15 14:16 356352 ----a-w- c:\winnt\system32\dllcache\oleaccrc.dll
2009-05-15 12:43 . 2002-05-15 14:16 462848 ----a-w- c:\winnt\system32\msaatext.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-06 14:32 . 2008-10-27 09:45 38496 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-04-06 14:32 . 2008-10-27 09:45 15504 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-03-30 11:32 . 2003-10-27 10:45 83512 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-02 15:13 . 2008-08-31 22:12 354 ------w- c:\program files\Shortcut to Millennium Patches.lnk
2007-03-08 09:03 . 2008-07-11 14:53 1308216 ------w- c:\program files\HiJackThis_v2.exe
2002-02-19 16:28 . 2003-03-05 19:17 36580788 ------w- c:\program files\sibelius2.exe
2008-07-16 14:55 . 2008-07-16 14:55 2 --sha-r- c:\winnt\winstart.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2004-09-29 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2004-09-29 40960]
"Motive SmartBridge"="c:\progra~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe" [2005-09-22 438359]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-23 1947928]
"Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2003-06-19 111376]
"Tweak UI"="TWEAKUI.CPL" - c:\winnt\system32\TWEAKUI.CPL [2000-06-18 106544]
"AtiPTA"="atiptaxx.exe" - c:\winnt\system32\atiptaxx.exe [2001-09-27 245760]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" - c:\winnt\system32\internat.exe [2001-05-08 20752]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
blueyonder Instant Support Tool.lnk - c:\program files\blueyonder IST\bin\blueyonder-istconfig.exe [2006-7-6 217088]
uninstall.exe [2009-6-10 421888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-23 11:35 11952 ----a-w- c:\winnt\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

R2 gupdate1c9e942136e8990;Google Update Service (gupdate1c9e942136e8990);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-09 133104]
R3 Partizan;Partizan;c:\winnt\system32\drivers\Partizan.sys [x]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
R3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;c:\winnt\system32\DRIVERS\RTL8150.SYS [2005-10-07 24447]
S0 pavboot;pavboot;c:\winnt\system32\drivers\pavboot.sys [2008-06-19 28544]
S0 PCTCore;PCTools KDS;c:\winnt\system32\drivers\PCTCore.sys [2009-04-03 130936]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\System32\Drivers\avgldx86.sys [2009-05-23 325896]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\winnt\System32\Drivers\avgtdix.sys [2009-05-23 108552]
S1 yswds;YAMAHA SW1000XG WDM Driver;c:\winnt\system32\drivers\yswds.sys [2001-03-27 245220]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-05-23 298776]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\winnt\system32\DRIVERS\NtApm.sys [1999-09-25 9104]
S3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\DRIVERS\openhci.sys [2003-06-19 24784]
S3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\DRIVERS\usbhub20.sys [2003-06-19 49776]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-06-10 c:\winnt\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-09 20:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = 127.0.0.1
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1eoayh2d.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-10 13:00
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(188)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
.
Completion time: 2009-06-10 13:02
ComboFix-quarantined-files.txt 2009-06-10 12:02
ComboFix2.txt 2009-05-21 23:22

Pre-Run: 3,245,170,688 bytes free
Post-Run: 3,245,981,696 bytes free

153 --- E O F --- 2009-04-15 09:24




DDS (Ver_09-05-14.01) - FAT32x86
Run by Administrator at 13:11:20.12 on Wed 10/06/2009
Internet Explorer: 6.0.2800.1106

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = 127.0.0.1
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
uRun: [OM_Monitor] c:\program files\olympus\olympus master\Monitor.exe -NoStart
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
mRun: [OM_Monitor] c:\program files\olympus\olympus master\FirstStart.exe
mRun: [AtiPTA] atiptaxx.exe
mRun: [Motive SmartBridge] c:\progra~1\blueyo~1\smartb~1\blueyonder-istnotifier.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [internat.exe] internat.exe
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueyo~1.lnk - c:\program files\blueyonder ist\bin\blueyonder-istconfig.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\uninstall.exe
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - hxxp://housecall60.trendmicro.com/housecall/xscan60.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146868699418
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www3.ca.com/securityadvisor/virusinfo/webscan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586-jc.cab
DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38903.1549189815
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\1eoayh2d.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-06-10 12:55 <DIR> --ds---- C:\ComboFix
2009-05-23 13:17 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-05-23 12:35 11,952 a------- c:\winnt\system32\avgrsstx.dll
2009-05-23 12:34 108,552 a------- c:\winnt\system32\drivers\avgtdix.sys
2009-05-23 12:34 325,896 a------- c:\winnt\system32\drivers\avgldx86.sys
2009-05-23 12:34 <DIR> --d----- c:\winnt\system32\drivers\Avg
2009-05-23 12:34 <DIR> --d----- c:\docume~1\admini~1\applic~1\AVGTOOLBAR
2009-05-23 12:34 <DIR> --d----- c:\program files\AVG
2009-05-23 12:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-05-23 12:08 <DIR> --d----- c:\docume~1\admini~1\applic~1\AVG8
2009-05-22 17:07 <DIR> --d----- c:\program files\SDFix
2009-05-22 15:34 <DIR> --d----- c:\program files\common files\ParetoLogic
2009-05-22 14:44 159,600 a------- c:\winnt\system32\drivers\pctgntdi.sys
2009-05-22 14:43 130,936 a------- c:\winnt\system32\drivers\PCTCore.sys
2009-05-22 14:43 73,840 a------- c:\winnt\system32\drivers\PCTAppEvent.sys
2009-05-22 14:43 64,392 a------- c:\winnt\system32\drivers\pctplsg.sys
2009-05-22 14:43 <DIR> --d----- c:\program files\common files\PC Tools
2009-05-22 14:43 <DIR> --d----- c:\program files\Spyware Doctor
2009-05-22 14:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-05-22 14:43 <DIR> --d----- c:\docume~1\admini~1\applic~1\PC Tools
2009-05-22 00:15 155,136 a------- c:\winnt\PEV.exe
2009-05-21 00:33 <DIR> --d----- c:\docume~1\admini~1\applic~1\F-Secure
2009-05-21 00:11 1,199,254 ----h--- c:\winnt\ShellIconCache
2009-05-20 22:46 <DIR> --d----- c:\program files\F-Secure Internet Security
2009-05-20 17:16 <DIR> --dshr-- C:\cmdcons
2009-05-20 00:42 <DIR> --d-h--- c:\winnt\PIF
2009-05-19 23:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-05-19 23:03 <DIR> --d----- c:\program files\common files\iS3
2009-05-19 23:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-05-16 20:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\fssg
2009-05-16 20:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\f-secure
2009-05-16 17:32 <DIR> --d----- c:\program files\ESET
2009-05-15 23:27 <DIR> --d----- C:\My Music
2009-05-15 13:43 462,848 a------- c:\winnt\system32\msaatext.dll
2009-05-15 13:43 360,448 a------- c:\winnt\system32\oleacc.dll
2009-05-15 13:43 360,448 a------- c:\winnt\system32\dllcache\oleacc.dll
2009-05-15 13:43 356,352 a------- c:\winnt\system32\oleaccrc.dll
2009-05-15 13:43 356,352 a------- c:\winnt\system32\dllcache\oleaccrc.dll
2009-05-15 11:30 118 a------- c:\winnt\system32\MRT.INI

==================== Find3M ====================

2009-02-02 16:13 354 -------- c:\program files\Shortcut to Millennium Patches.lnk
2007-03-08 10:03 1,308,216 -------- c:\program files\HiJackThis_v2.exe
2002-02-19 17:28 36,580,788 -------- c:\program files\sibelius2.exe
2001-05-08 12:00 32,528 -------- c:\winnt\inf\wbfirdma.sys
2008-07-16 15:55 2 a--shr-- c:\winnt\winstart.bat

============= FINISH: 13:12:00.81 ===============


With thanks,

Tom


#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,176 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:03 PM

Posted 10 June 2009 - 02:53 PM

Hi, tom fordo :thumbup2:
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop

File::
c:\winnt\system32\internat.exe

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"=-


[Image: dragging CFScript.txt onto ComboFix.exe]

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE): JRE 6 Update 14.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u14-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u14-windows-i586.exe and select "Run as an Administrator.")
Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

No request for help throughout private messaging will be attended.



#7 tom fordo

tom fordo
  • Topic Starter

  • Members
  • 15 posts
  • Local time:10:03 PM

Posted 11 June 2009 - 07:57 AM

Hi JSntgRvr (how are you pronouncing that?)

And thanks again for your advice. I have re-run Combofix with the new script and also the ESET scan under Internet Explorer and both logs are pasted in below. I did also delete all installed Java and installed the latest version as advised.

I notice ESET did not find the mebroot problem, perhaps because AVG prevented it.

Some time back I ran Kaspersky and Panda scans and they also did not find mebroot. AVG, SDfix and Fsecure all find it: AVG and SDfix think they've fixed it by deleting or quarantining the uninstall.exe file but, as I said in my o/p, it keeps reappearing.

The problem is still there.

New Combofix report:

ComboFix 09-06-09.06 - Administrator 11/06/2009 10:45.7 - FAT32x86
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

FILE ::
"c:\winnt\system32\internat.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\internat.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-11 to 2009-06-11 )))))))))))))))))))))))))))))))
.

2009-05-23 12:17 . 2009-05-23 12:17 -------- d--h--w- C:\$AVG8.VAULT$
2009-05-23 11:35 . 2009-05-23 11:35 11952 ----a-w- c:\winnt\system32\avgrsstx.dll
2009-05-23 11:34 . 2009-05-23 11:35 108552 ----a-w- c:\winnt\system32\drivers\avgtdix.sys
2009-05-23 11:34 . 2009-05-23 11:34 325896 ----a-w- c:\winnt\system32\drivers\avgldx86.sys
2009-05-23 11:34 . 2009-05-23 11:34 27784 ----a-w- c:\winnt\system32\drivers\avgmfx86.sys
2009-05-23 11:34 . 2009-05-23 11:34 -------- d-----w- c:\winnt\system32\drivers\Avg
2009-05-23 11:34 . 2009-05-23 11:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVGTOOLBAR
2009-05-23 11:34 . 2009-05-23 11:34 -------- d-----w- c:\program files\AVG
2009-05-23 11:34 . 2009-05-23 11:34 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-05-23 11:08 . 2009-05-23 11:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2009-05-22 16:07 . 2008-11-06 01:03 -------- d-----w- c:\program files\SDFix
2009-05-22 14:34 . 2009-05-22 14:34 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-05-22 14:33 . 2009-05-22 14:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Downloaded Installations
2009-05-22 13:44 . 2008-12-11 07:38 159600 ----a-w- c:\winnt\system32\drivers\pctgntdi.sys
2009-05-22 13:43 . 2009-04-03 10:18 130936 ----a-w- c:\winnt\system32\drivers\PCTCore.sys
2009-05-22 13:43 . 2008-12-18 11:16 73840 ----a-w- c:\winnt\system32\drivers\PCTAppEvent.sys
2009-05-22 13:43 . 2009-05-22 13:43 -------- d-----w- c:\program files\Common Files\PC Tools
2009-05-22 13:43 . 2008-12-10 10:36 64392 ----a-w- c:\winnt\system32\drivers\pctplsg.sys
2009-05-22 13:43 . 2009-05-22 13:43 -------- d-----w- c:\program files\Spyware Doctor
2009-05-22 13:43 . 2009-05-22 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-05-22 13:43 . 2009-05-22 13:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools
2009-05-20 23:33 . 2009-05-20 23:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\F-Secure
2009-05-20 21:46 . 2009-05-20 21:46 -------- d-----w- c:\program files\F-Secure Internet Security
2009-05-19 23:42 . 2009-05-19 23:42 -------- d--h--w- c:\winnt\PIF
2009-05-19 22:04 . 2009-05-19 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-05-19 22:03 . 2009-05-19 22:03 -------- d-----w- c:\program files\Common Files\iS3
2009-05-19 22:03 . 2009-05-19 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-05-16 19:18 . 2009-05-16 19:18 -------- d-----w- c:\documents and settings\All Users\Application Data\fssg
2009-05-16 19:13 . 2009-05-16 19:13 -------- d-----w- c:\documents and settings\All Users\Application Data\f-secure
2009-05-16 16:32 . 2009-05-16 16:32 -------- d-----w- c:\program files\ESET
2009-05-15 22:27 . 2009-05-15 22:27 -------- d-----w- C:\My Music
2009-05-15 22:24 . 2009-05-15 22:24 -------- d-----w- c:\program files\Real
2009-05-15 12:43 . 2002-05-15 14:16 360448 ----a-w- c:\winnt\system32\oleacc.dll
2009-05-15 12:43 . 2002-05-15 14:16 360448 ----a-w- c:\winnt\system32\dllcache\oleacc.dll
2009-05-15 12:43 . 2002-05-15 14:16 356352 ----a-w- c:\winnt\system32\oleaccrc.dll
2009-05-15 12:43 . 2002-05-15 14:16 356352 ----a-w- c:\winnt\system32\dllcache\oleaccrc.dll
2009-05-15 12:43 . 2002-05-15 14:16 462848 ----a-w- c:\winnt\system32\msaatext.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-07 06:41 . 2001-05-08 11:00 263440 ------w- c:\winnt\system32\LOCALSPL.DLL
2009-04-24 09:54 . 2001-05-08 11:00 95504 ------w- c:\winnt\system32\WIN32SPL.DLL
2009-04-22 13:38 . 2009-04-22 13:38 437008 ----a-w- c:\winnt\system32\rpcrt4.dll
2009-04-21 14:15 . 2009-04-21 14:15 576512 ----a-w- c:\winnt\system32\WININET.DLL
2009-04-17 05:04 . 2001-05-08 11:00 1645072 ------w- c:\winnt\system32\WIN32K.SYS
2009-04-06 14:32 . 2008-10-27 09:45 38496 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-04-06 14:32 . 2008-10-27 09:45 15504 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-03-30 11:32 . 2003-10-27 10:45 83512 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-02 15:13 . 2008-08-31 22:12 354 ------w- c:\program files\Shortcut to Millennium Patches.lnk
2007-03-08 09:03 . 2008-07-11 14:53 1308216 ------w- c:\program files\HiJackThis_v2.exe
2002-02-19 16:28 . 2003-03-05 19:17 36580788 ------w- c:\program files\sibelius2.exe
2008-07-16 14:55 . 2008-07-16 14:55 2 --sha-r- c:\winnt\winstart.bat
.

((((((((((((((((((((((((((((( SnapShot@2009-06-10_12.00.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2002-08-29 06:14 . 2009-02-19 16:33 34816 c:\winnt\system32\PNGFILT.DLL
+ 2009-04-21 14:14 . 2009-04-21 14:14 34816 c:\winnt\system32\PNGFILT.DLL
+ 2002-08-29 06:14 . 2009-04-21 14:15 12288 c:\winnt\system32\JSPROXY.DLL
- 2002-08-29 06:14 . 2009-02-19 16:33 12288 c:\winnt\system32\JSPROXY.DLL
+ 2002-08-29 06:14 . 2009-04-21 14:15 69632 c:\winnt\system32\INSENG.DLL
- 2002-08-29 06:14 . 2009-02-19 16:33 69632 c:\winnt\system32\INSENG.DLL
+ 2005-07-13 07:22 . 2009-04-24 09:54 95504 c:\winnt\system32\dllcache\win32spl.dll
- 2002-08-29 06:14 . 2009-02-19 16:33 34816 c:\winnt\system32\dllcache\PNGFILT.DLL
+ 2002-08-29 06:14 . 2009-04-21 14:14 34816 c:\winnt\system32\dllcache\PNGFILT.DLL
- 2002-08-29 06:14 . 2009-02-19 16:33 12288 c:\winnt\system32\dllcache\JSPROXY.DLL
+ 2002-08-29 06:14 . 2009-04-21 14:15 12288 c:\winnt\system32\dllcache\JSPROXY.DLL
- 2002-08-29 06:14 . 2009-02-19 16:33 69632 c:\winnt\system32\dllcache\INSENG.DLL
+ 2002-08-29 06:14 . 2009-04-21 14:15 69632 c:\winnt\system32\dllcache\INSENG.DLL
+ 2009-06-11 08:38 . 2009-06-11 08:38 38240 c:\winnt\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
- 2009-05-15 10:34 . 2009-05-15 10:34 38240 c:\winnt\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2009-04-03 17:01 . 2009-04-03 17:01 71504 c:\winnt\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6425\XL12CNVP.DLL
+ 2009-04-03 16:57 . 2009-04-03 16:57 21320 c:\winnt\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6425\WRD12EXE.EXE
+ 2009-06-09 09:42 . 2009-06-11 09:58 311296 c:\winnt\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-19 16:33 . 2009-02-19 16:33 462336 c:\winnt\system32\URLMON.DLL
+ 2009-05-01 10:28 . 2009-05-01 10:28 462336 c:\winnt\system32\URLMON.DLL
+ 2005-07-13 07:22 . 2005-07-13 07:22 138000 c:\winnt\system32\spool\drivers\w32x86\3\faxui.dll
- 2005-07-13 07:22 . 2005-01-12 19:39 138000 c:\winnt\system32\spool\drivers\w32x86\3\faxui.dll
+ 2009-04-21 15:10 . 2009-04-21 15:10 402944 c:\winnt\system32\SHLWAPI.DLL
- 2009-02-19 18:01 . 2009-02-19 18:01 402944 c:\winnt\system32\SHLWAPI.DLL
- 2002-08-29 06:14 . 2009-02-19 16:33 498176 c:\winnt\system32\MSTIME.DLL
+ 2002-08-29 06:14 . 2009-04-21 14:14 498176 c:\winnt\system32\MSTIME.DLL
- 2002-08-29 06:14 . 2009-02-19 18:02 132096 c:\winnt\system32\MSRATING.DLL
+ 2002-08-29 06:14 . 2009-04-21 15:10 132096 c:\winnt\system32\MSRATING.DLL
- 2002-08-29 06:14 . 2009-02-19 16:33 236032 c:\winnt\system32\IEPEERS.DLL
+ 2009-04-21 14:14 . 2009-04-21 14:14 236032 c:\winnt\system32\IEPEERS.DLL
+ 2002-07-20 18:15 . 2009-06-11 08:41 310784 c:\winnt\system32\FNTCACHE.DAT
- 2002-07-20 18:15 . 2009-03-29 11:01 310784 c:\winnt\system32\FNTCACHE.DAT
- 2005-07-13 07:22 . 2005-01-12 19:39 138000 c:\winnt\system32\faxui.dll
+ 2005-07-13 07:22 . 2005-07-13 07:22 138000 c:\winnt\system32\faxui.dll
+ 2002-08-29 06:14 . 2009-04-21 14:14 192512 c:\winnt\system32\DXTRANS.DLL
- 2002-08-29 06:14 . 2009-02-19 16:33 192512 c:\winnt\system32\DXTRANS.DLL
+ 2002-08-29 06:14 . 2009-04-21 14:14 351744 c:\winnt\system32\DXTMSFT.DLL
- 2002-08-29 06:14 . 2009-02-19 16:33 351744 c:\winnt\system32\DXTMSFT.DLL
+ 2002-08-29 06:14 . 2009-04-21 14:15 576512 c:\winnt\system32\dllcache\WININET.DLL
- 2002-08-29 06:14 . 2009-02-19 16:33 576512 c:\winnt\system32\dllcache\WININET.DLL
- 2002-08-29 06:14 . 2009-02-19 16:33 462336 c:\winnt\system32\dllcache\URLMON.DLL
+ 2002-08-29 06:14 . 2009-05-01 10:28 462336 c:\winnt\system32\dllcache\URLMON.DLL
+ 2002-08-29 06:14 . 2009-04-21 15:10 402944 c:\winnt\system32\dllcache\SHLWAPI.DLL
- 2002-08-29 06:14 . 2009-02-19 18:01 402944 c:\winnt\system32\dllcache\SHLWAPI.DLL
+ 2004-04-18 20:11 . 2009-04-22 13:38 437008 c:\winnt\system32\dllcache\rpcrt4.dll
+ 2002-08-29 06:14 . 2009-04-21 14:14 498176 c:\winnt\system32\dllcache\MSTIME.DLL
- 2002-08-29 06:14 . 2009-02-19 16:33 498176 c:\winnt\system32\dllcache\MSTIME.DLL
+ 2002-08-29 06:14 . 2009-04-21 15:10 132096 c:\winnt\system32\dllcache\MSRATING.DLL
- 2002-08-29 06:14 . 2009-02-19 18:02 132096 c:\winnt\system32\dllcache\MSRATING.DLL
+ 2005-04-08 03:54 . 2009-05-07 06:41 263440 c:\winnt\system32\dllcache\localspl.dll
+ 2002-08-29 06:14 . 2009-04-21 14:14 236032 c:\winnt\system32\dllcache\IEPEERS.DLL
- 2002-08-29 06:14 . 2009-02-19 16:33 236032 c:\winnt\system32\dllcache\IEPEERS.DLL
- 2005-07-13 07:22 . 2005-01-12 19:39 138000 c:\winnt\system32\dllcache\faxui.dll
+ 2005-07-13 07:22 . 2005-07-13 07:22 138000 c:\winnt\system32\dllcache\faxui.dll
+ 2002-08-29 06:14 . 2009-04-21 14:14 192512 c:\winnt\system32\dllcache\DXTRANS.DLL
- 2002-08-29 06:14 . 2009-02-19 16:33 192512 c:\winnt\system32\dllcache\DXTRANS.DLL
- 2002-08-29 06:14 . 2009-02-19 16:33 351744 c:\winnt\system32\dllcache\DXTMSFT.DLL
+ 2002-08-29 06:14 . 2009-04-21 14:14 351744 c:\winnt\system32\dllcache\DXTMSFT.DLL
- 2002-08-29 06:14 . 2009-02-19 18:02 143360 c:\winnt\system32\dllcache\CDFVIEW.DLL
+ 2002-08-29 06:14 . 2009-04-21 15:10 143360 c:\winnt\system32\dllcache\CDFVIEW.DLL
+ 2002-08-29 06:14 . 2009-04-21 15:10 143360 c:\winnt\system32\CDFVIEW.DLL
- 2002-08-29 06:14 . 2009-02-19 18:02 143360 c:\winnt\system32\CDFVIEW.DLL
+ 2005-07-13 07:22 . 2005-07-13 07:22 138000 c:\winnt\Driver Cache\i386\faxui.dll
- 2005-07-13 07:22 . 2005-01-12 19:39 138000 c:\winnt\Driver Cache\i386\faxui.dll
+ 2009-04-21 15:10 . 2009-04-21 15:10 1340416 c:\winnt\system32\SHDOCVW.DLL
- 2009-03-03 11:43 . 2009-03-03 11:43 1340416 c:\winnt\system32\SHDOCVW.DLL
+ 2009-04-21 14:14 . 2009-04-21 14:14 2707456 c:\winnt\system32\MSHTML.DLL
+ 2005-01-12 14:04 . 2009-04-17 05:04 1645072 c:\winnt\system32\dllcache\win32k.sys
- 2002-08-29 06:14 . 2009-03-03 11:43 1340416 c:\winnt\system32\dllcache\SHDOCVW.DLL
+ 2002-08-29 06:14 . 2009-04-21 15:10 1340416 c:\winnt\system32\dllcache\SHDOCVW.DLL
+ 2002-08-29 06:14 . 2009-04-21 14:14 2707456 c:\winnt\system32\dllcache\MSHTML.DLL
- 2001-05-08 11:00 . 2008-12-20 16:04 1054208 c:\winnt\system32\dllcache\DANIM.DLL
+ 2001-05-08 11:00 . 2009-02-20 00:30 1054208 c:\winnt\system32\dllcache\DANIM.DLL
- 2002-08-29 06:14 . 2009-02-19 18:01 1018368 c:\winnt\system32\dllcache\BROWSEUI.DLL
+ 2002-08-29 06:14 . 2009-04-21 15:10 1018368 c:\winnt\system32\dllcache\BROWSEUI.DLL
+ 2001-05-08 11:00 . 2009-02-20 00:30 1054208 c:\winnt\system32\DANIM.DLL
- 2001-05-08 11:00 . 2008-12-20 16:04 1054208 c:\winnt\system32\DANIM.DLL
- 2009-02-19 18:01 . 2009-02-19 18:01 1018368 c:\winnt\system32\BROWSEUI.DLL
+ 2009-04-21 15:10 . 2009-04-21 15:10 1018368 c:\winnt\system32\BROWSEUI.DLL
+ 2009-04-03 16:57 . 2009-04-03 16:57 4671320 c:\winnt\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6425\WRD12CNV.DLL
+ 2005-10-06 08:33 . 2009-04-17 05:04 1645072 c:\winnt\Driver Cache\i386\win32k.sys
+ 2005-07-21 08:24 . 2009-06-01 16:51 23635392 c:\winnt\system32\MRT.exe
+ 2009-04-03 17:01 . 2009-04-03 17:01 15108448 c:\winnt\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6425\XL12CNV.EXE
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2004-09-29 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2004-09-29 40960]
"Motive SmartBridge"="c:\progra~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe" [2005-09-22 438359]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-23 1947928]
"Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2003-06-19 111376]
"Tweak UI"="TWEAKUI.CPL" - c:\winnt\system32\TWEAKUI.CPL [2000-06-18 106544]
"AtiPTA"="atiptaxx.exe" - c:\winnt\system32\atiptaxx.exe [2001-09-27 245760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
blueyonder Instant Support Tool.lnk - c:\program files\blueyonder IST\bin\blueyonder-istconfig.exe [2006-7-6 217088]
uninstall.exe [2009-6-11 421888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-23 11:35 11952 ----a-w- c:\winnt\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

R2 gupdate1c9e942136e8990;Google Update Service (gupdate1c9e942136e8990);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-09 133104]
R3 Partizan;Partizan;c:\winnt\system32\drivers\Partizan.sys [x]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
R3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;c:\winnt\system32\DRIVERS\RTL8150.SYS [2005-10-07 24447]
S0 pavboot;pavboot;c:\winnt\system32\drivers\pavboot.sys [2008-06-19 28544]
S0 PCTCore;PCTools KDS;c:\winnt\system32\drivers\PCTCore.sys [2009-04-03 130936]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\System32\Drivers\avgldx86.sys [2009-05-23 325896]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\winnt\System32\Drivers\avgtdix.sys [2009-05-23 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-05-23 298776]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\winnt\system32\DRIVERS\NtApm.sys [1999-09-25 9104]
S3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\DRIVERS\openhci.sys [2003-06-19 24784]
S3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\DRIVERS\usbhub20.sys [2003-06-19 49776]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-06-11 c:\winnt\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-09 20:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = 127.0.0.1
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1eoayh2d.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-11 10:58
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(188)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(608)
c:\winnt\AppPatch\AcLayers.DLL
c:\progra~1\BLUEYO~1\SMARTB~1\SBHook.dll
c:\winnt\system32\SHDOCVW.DLL
.
Completion time: 2009-06-11 11:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-11 10:01
ComboFix2.txt 2009-05-21 23:22

Pre-Run: 3,065,659,392 bytes free
Post-Run: 3,071,418,368 bytes free

246 --- E O F --- 2009-06-11 08:39


ESET scan report:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# IEXPLORE.EXE=6.00.2800.1106
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=b3c820034565f64fa7dd0a1127271903
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-11 11:05:52
# local_time=2009-06-11 12:05:52 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.0.2195 NT Service Pack 4
# compatibility_mode=1026 61 83 100 16398608892736
# scanned=45389
# found=1
# cleaned=1
# scan_time=2749
C:\Program Files\Audiograbber\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000


Thanks again

Tom

#8 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,176 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 11 June 2009 - 10:36 AM

Hi, tom fordo :thumbup2:

Please download MBR.EXE by GMER. Save the file in your Root directory, C:\, then bring your computer to a Command prompt.

Go to Start -> Run, type CMD and click OK. At the prompt type the following and press Enter after each command:

cd C:\
MBR.EXE -t


The program will check the Master Boot Record and will produce a report. Post the contents of that report in your next reply.

Type Exit at the Command prompt and press Enter to return back to Windows.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#9 tom fordo

tom fordo
  • Topic Starter

  • Members
  • 15 posts

Posted 12 June 2009 - 04:36 AM

The mbr.log was:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe >>UNKNOWN [0x8157A1AC]<<
kernel: MBR read successfully
user & kernel MBR OK

thanks again

Tom
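The "user: MBR read successfully / kernel: MBR read successfully / user & kernel MBR OK" lines above are the output of a cross-view check: sector 0 is read through two different paths and the two copies are compared. The script below is an added example of that idea, written for this page; it is not part of the thread and not GMER's mbr.exe code. It parses a 512-byte MBR (boot code, partition table, 0x55AA signature) and reports where two reads of the sector disagree. The two sample sectors are constructed for illustration, their boot-code bytes are placeholders rather than real Windows 2000 MBR code, and the premise that a bootkit replaces the boot code while leaving the partition table intact is an assumption of the example, not something this thread establishes.

```python
"""Parse a 512-byte MBR and cross-check two reads of it.

Added example, not from the thread or from GMER's mbr.exe. The two
sample sectors are constructed for illustration: their boot-code bytes
are placeholders, not real Windows 2000 MBR code.
"""
import struct

SECTOR = 512
PT_OFFSET = 0x1BE         # partition table: 4 x 16-byte entries
SIG_OFFSET = 0x1FE        # 0x55 0xAA boot signature
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Decode boot code, the non-empty partition entries and the signature."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    signature = struct.unpack_from("<H", sector, SIG_OFFSET)[0]
    partitions = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PT_OFFSET + 16 * i)
        if ptype == 0:
            continue                        # unused slot
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code": sector[:PT_OFFSET],
            "signature_ok": signature == 0xAA55,
            "partitions": partitions}


def compare_views(user_view: bytes, kernel_view: bytes) -> list:
    """Cross-view check in the spirit of mbr.exe's 'user & kernel MBR OK'.

    Assumption behind the check: a disk-filtering bootkit serves a clean
    copy of sector 0 to ordinary readers while the sector really on disk
    carries its loader, so two read paths that disagree are the signal.
    Returns a list of findings; an empty list means the views agree.
    """
    findings = []
    a, b = parse_mbr(user_view), parse_mbr(kernel_view)
    if not (a["signature_ok"] and b["signature_ok"]):
        findings.append("boot signature 0x55AA missing in at least one view")
    if a["boot_code"] != b["boot_code"]:
        first = next(i for i in range(PT_OFFSET) if user_view[i] != kernel_view[i])
        findings.append(f"boot code differs between views (first diff at offset 0x{first:03X})")
    if a["partitions"] != b["partitions"]:
        findings.append("partition table differs between views")
    return findings


def read_sector0(path: str) -> bytes:
    """Read sector 0 from a disk image or a raw device (e.g. \\\\.\\PhysicalDrive0, as admin)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR)


def build_sample(boot_code: bytes) -> bytes:
    """Constructed sector: the given boot code, one bootable NTFS partition at LBA 63."""
    code = boot_code.ljust(PT_OFFSET, b"\x00")[:PT_OFFSET]
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff",
                        63, 41943040)
    return code + entry + b"\x00" * 48 + b"\x55\xAA"


# Constructed views: a "clean" stub, and a tampered one whose partition
# table is identical but whose boot code has been replaced.
CLEAN = build_sample(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 100)
TAMPERED = build_sample(b"\xEB\x3C\x90" + b"\x90" * 100)

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # usage: python <this file> <sector-0 image A> <sector-0 image B>
        diffs = compare_views(read_sector0(sys.argv[1]), read_sector0(sys.argv[2]))
    else:
        diffs = compare_views(CLEAN, TAMPERED)
    print("views match" if not diffs else "\n".join(diffs))
```

Run without arguments it compares the two constructed sectors and reports that the boot code differs from offset 0x000 while the partition table matches; with two image files it compares those instead. The caveat that applies to mbr.exe as much as to this script: if both reads go through the same hooked driver, they will agree and the check reports "OK" on an infected disk, which is why a second copy taken from a boot CD or another OS is the stronger comparison.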

#10 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,176 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 12 June 2009 - 09:13 AM

Hi, tom fordo :thumbup2:

Let's go deeper:

Download This file. Note its name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.



#11 tom fordo

tom fordo
  • Topic Starter

  • Members
  • 15 posts

Posted 12 June 2009 - 04:30 PM

Hi Again.

I followed your instructions. The program did indeed find rootkit activity and prompted me to scan straight away. The results are shown below. I noticed that this scan had only looked at disk C: - in fact, most of my hard disk is D:, where I store my own music and photos. I manually ran the scan again looking at D:, but the results came out as what appears at a quick glance to be an identical log. I can send this if you think it would help.

As you will see, the scan did seem to find a 'hidden rootkit'.

Regards,

Tom

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-12 17:13:28
Windows 5.0.2195 Service Pack 4


---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xBFF7E514]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xBFF6D282]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xBFF7ED00]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xBFF7EFB8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xBFF7D3FA]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xBFF7E7D8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xBFF6CF32]

---- Kernel code sections - GMER 1.0.15 ----

PAGE CLASSPNP.SYS!ClassInitialize + 14A EB424B2A 4 Bytes [56, 17, 58, 81]
PAGE CLASSPNP.SYS!ClassInitialize + 151 EB424B31 4 Bytes [5C, 17, 58, 81]
PAGE CLASSPNP.SYS!ClassInitialize + 15C EB424B3C 4 Bytes [AC, D1, 57, 81] {LODSB ; RCL DWORD [EDI-0x7f], 0x1}
PAGE CLASSPNP.SYS!ClassInitialize + 163 EB424B43 4 Bytes [62, 17, 58, 81]
PAGE CLASSPNP.SYS!ClassInitialize + 16E EB424B4E 4 Bytes [68, 17, 58, 81]
PAGE ...

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1308] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Cdrom \Device\CdRom0 81581756
Device \Driver\Cdrom \Device\CdRom1 81581756

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Disk \Device\Harddisk0\DR0 81581756

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [8:208] 815C08D0
Thread System [8:212] 815ADBE0
Thread System [8:216] 815F5DF0
Thread System [8:220] 8158E110

---- Services - GMER 1.0.15 ----

Service C:\WINNT\system32\MSTask.exe? (*** hidden *** ) [AUTO] Schedule <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

#12 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,176 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 12 June 2009 - 06:34 PM

The rootkit is Microsoft Task Manager. I am asking colleagues about these results. Will let you know soon.



#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,176 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 13 June 2009 - 11:43 AM

Hi, tom fordo :thumbup2:

Go to Start -> Run, type CMD and click OK. At the prompt type the following and press Enter after each command:

cd C:\
MBR.EXE -f


The program will check the Master Boot Record and will remove Mebroot. It should also produce a report. Post the contents of that report in your next reply.

Type Exit at the Command prompt and press Enter to return back to Windows.



#14 tom fordo

tom fordo
  • Topic Starter

  • Members
  • 15 posts

Posted 13 June 2009 - 02:31 PM

Hi JSntgRvr,

Sadly that isn't going to work.
I've re-run mbr with the -f switch and the log is included below.

All seemed well. I used AVG to quarantine the existing
C:\Documents And Settings\All Users\Start Menu\Programs\StartUp\Uninstall.exe and rebooted Windows.

As ever, this file has been recreated and I still get the 'Access has been blocked' message which, as noted in my o/p, replaced the earlier 'file in use' message once I'd installed AVG.

Tom

mbr.log:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,176 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 13 June 2009 - 03:10 PM

Hi, tom fordo :thumbup2:

Lets find the location of the files in question:

Download the enclosed folder. Save and extract its contents to the desktop. Once extracted, open the Search folder and click on the Runme.bat. It should produce a report. Post its contents in your next reply.





