
Help Defeat Win32.TDSS.RTK SKYNET Rootkit


  • This topic is locked
3 replies to this topic

#1 Dr.Manhattan

Dr.Manhattan

  • Members
  • 2 posts

Posted 06 July 2009 - 07:05 PM

Hey all, Dr M. here,

A few weeks ago, my internet browser began redirecting the first link I clicked on in Google search to random sites in Russia (URLs would end with .ru). Usually I closed the site before the page could load so nothing could get transferred; however, yesterday, the site was allowed to load fully and a rootkit trojan infected my computer.

Using Spybot SD, I found that the rootkit was the Win32.TDSS.RTK with the SKYNET variant. After "cleaning" the trojan with Spybot SD, I ran another scan which came up with several more instances of the trojan (different name, all starting with skynet[xxxxx].dll). I've been looking all over the internet for solutions and found most use the GMER-scan and Avenger2-clean method.

I have run GMER already and am posting the log. If you could help me, I'd be eternally grateful!

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-06 20:00:46
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code 89C00250 ZwEnumerateKey
Code 89C00218 ZwFlushInstructionCache
Code 89C00286 IofCallDriver
Code 89C002BE IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 89C0028B
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 89C002C3
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6812 5 Bytes JMP 89C0021C
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 5 Bytes JMP 89C00254
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload B9BC48AC 5 Bytes JMP 8A6351C8
? System32\Drivers\abwe41bw.SYS The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Documents and Settings\Jeremy Goodman\Desktop\gmer.exe[408] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003B000A
.text C:\WINDOWS\Explorer.EXE[1084] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00B7000A
.text C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe[1236] ntdll.dll!LdrLoadDll 7C9163C3 3 Bytes JMP 0092000A
.text C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe[1236] ntdll.dll!LdrLoadDll + 4 7C9163C7 1 Byte [84]
.text C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE[1244] ntdll.dll!LdrLoadDll 7C9163C3 3 Bytes JMP 0092000A
.text ...
.text C:\Program Files\Veoh Networks\Veoh\VeohClient.exe[2036] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[2044] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003C000A
.text C:\WINDOWS\System32\CTsvcCDA.exe[2128] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0069000A
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[2496] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003C000A
.text C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe[2776] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00CD000A
.text e:\matlab701\bin\win32\matlab.exe[2800] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 01F8000A
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6BEAD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6BEC1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6BEB9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6BF748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6BF61E] sptd.sys
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6D429A] sptd.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A89A1E8

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBPDO-0 8A6341E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{69D99775-5EE4-4380-B922-B85B65148192} 8A58E790
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A90B1E8
Device \Driver\dmio \Device\DmControl\DmConfig 8A90B1E8
Device \Driver\dmio \Device\DmControl\DmPnP 8A90B1E8
Device \Driver\dmio \Device\DmControl\DmInfo 8A90B1E8
Device \Driver\usbuhci \Device\USBPDO-1 8A6341E8
Device \Driver\usbuhci \Device\USBPDO-2 8A6341E8
Device \Driver\usbehci \Device\USBPDO-3 8A6121E8
Device \Driver\usbuhci \Device\USBPDO-4 8A6341E8

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\NetBT \Device\NetBT_Tcpip_{D9E8705C-FDA0-4103-A010-65BA66CA66B7} 8A58E790
Device \Driver\usbuhci \Device\USBPDO-5 8A6341E8
Device \Driver\usbuhci \Device\USBPDO-6 8A6341E8
Device \Driver\PCI_NTPNP3230 \Device\00000057 sptd.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A89C1E8
Device \Driver\usbehci \Device\USBPDO-7 8A6121E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A89C1E8
Device \Driver\Cdrom \Device\CdRom0 8A6051E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{ACDDD55B-0DB3-4362-994E-E7D59F1B6DE8} 8A58E790
Device \Driver\Ftdisk \Device\HarddiskVolume3 8A89C1E8
Device \Driver\Cdrom \Device\CdRom1 8A6051E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A58E790
Device \Driver\NetBT \Device\NetbiosSmb 8A58E790

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBFDO-0 8A6341E8
Device \Driver\usbuhci \Device\USBFDO-1 8A6341E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 88A46790
Device \Driver\usbuhci \Device\USBFDO-2 8A6341E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 88A46790
Device \Driver\usbehci \Device\USBFDO-3 8A6121E8
Device \Driver\usbuhci \Device\USBFDO-4 8A6341E8
Device \Driver\Ftdisk \Device\FtControl 8A89C1E8
Device \Driver\usbuhci \Device\USBFDO-5 8A6341E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{2A4363CD-30C1-441F-AF62-0E9F8EF86B23} 8A58E790
Device \Driver\usbuhci \Device\USBFDO-6 8A6341E8
Device \Driver\usbehci \Device\USBFDO-7 8A6121E8
Device \Driver\abwe41bw \Device\Scsi\abwe41bw1 8A5AA790
Device \Driver\abwe41bw \Device\Scsi\abwe41bw1Port6Path0Target0Lun0 8A5AA790
Device \FileSystem\Fastfat \Fat 8874A790
Device \FileSystem\Fastfat \Fat B4C1B297

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 889E6790

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\SKYNETmyxvdplv.sys (*** hidden *** ) [SYSTEM] SKYNETqoliltar <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETqoliltar
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETqoliltar@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETqoliltar@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETqoliltar@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETqoliltar@imagepath \systemroot\system32\drivers\SKYNETmyxvdplv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETqoliltar\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETqoliltar\main@aid 10096
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETqoliltar\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETqoliltar\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETqoliltar\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETqoliltar\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETqoliltar\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETqoliltar\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETqoliltar\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETqoliltar\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETmyxvdplv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETqoliltar\modules@SKYNETcmd.dll \systemroot\system32\SKYNETbdurirji.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETqoliltar\modules@SKYNETlog.dat \systemroot\system32\SKYNETjfxdqefn.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETqoliltar\modules@SKYNETwsp.dll \systemroot\system32\SKYNETiuteppay.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETqoliltar\modules@SKYNET.dat \systemroot\system32\SKYNETmuvqeldp.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAE 0x23 0xCE 0xA4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Documents and Settings\Jeremy Goodman\My Documents\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xF4 0x3B 0xC4 0x36 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x20 0x13 0xE2 0x04 ...
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETqoliltar
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETqoliltar@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETqoliltar@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETqoliltar@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETqoliltar@imagepath \systemroot\system32\drivers\SKYNETmyxvdplv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETqoliltar\main
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETqoliltar\main@aid 10096
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETqoliltar\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETqoliltar\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETqoliltar\main\delete
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETqoliltar\main\injector
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETqoliltar\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETqoliltar\main\tasks
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETqoliltar\modules
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETqoliltar\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETmyxvdplv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETqoliltar\modules@SKYNETcmd.dll \systemroot\system32\SKYNETbdurirji.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETqoliltar\modules@SKYNETlog.dat \systemroot\system32\SKYNETjfxdqefn.dat
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETqoliltar\modules@SKYNETwsp.dll \systemroot\system32\SKYNETiuteppay.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETqoliltar\modules@SKYNET.dat \systemroot\system32\SKYNETmuvqeldp.dat
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAE 0x23 0xCE 0xA4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Documents and Settings\Jeremy Goodman\My Documents\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xF4 0x3B 0xC4 0x36 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x20 0x13 0xE2 0x04 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAE 0x23 0xCE 0xA4 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Documents and Settings\Jeremy Goodman\My Documents\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xF4 0x3B 0xC4 0x36 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x71 0x7E 0xC8 0xA5 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\SKYNETmyxvdplv.sys 68608 bytes executable
File C:\WINDOWS\system32\SKYNETbdurirji.dll 44032 bytes executable
File C:\WINDOWS\system32\SKYNETiuteppay.dll 20992 bytes executable
File C:\WINDOWS\system32\SKYNETjfxdqefn.dat 243759 bytes
File C:\WINDOWS\system32\SKYNETmuvqeldp.dat 93 bytes
File C:\WINDOWS\Temp\SKYNETappethxvbc.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETjqlskgnddj.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETwtaswtohps.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETxtpuyqdrid.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETxvpmpaxlxx.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETyfwxjrxdke.tmp 18944 bytes executable

--------------------------

Thank you in advance for all your help!


Cheers,

Dr. M.
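
Added example (not part of the thread, and not GMER's own code): a small Python triage script that reads lines in the format of the GMER log posted above and pulls out what a helper looks at first: the hidden service, the kernel functions patched with a 5-byte JMP, the SSDT entries, and the files and registry values tied to the hidden service's key. The sample input is a constructed excerpt in GMER's line format, not the poster's full log. The one heuristic that is mine rather than GMER's is the page check: an inline hook is rated HIGH only when its JMP target lands in the same 4 KiB page as an address GMER listed under "Code" (code it found outside any known module), which is the pattern the log above shows for ntkrnlpa.exe; everything else, including the sptd.sys SSDT entries (the log's own sptd Cfg@p0 value points at an Alcohol 120 folder), is reported as INFO for a human to verify.

```python
"""Triage helper for GMER rootkit-scan logs (added example, not GMER's code)."""
import re
from collections import defaultdict

# Constructed excerpt in GMER's line format (not a complete or real log).
SAMPLE_LOG = r"""
Code 89C00250 ZwEnumerateKey
Code 89C00218 ZwFlushInstructionCache
SSDT sptd.sys ZwCreateKey [0xBA6BE0D0]
.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 89C0028B
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 5 Bytes JMP 89C00254
.text USBPORT.SYS!DllUnload B9BC48AC 5 Bytes JMP 8A6351C8
Service C:\WINDOWS\system32\drivers\SKYNETmyxvdplv.sys (*** hidden *** ) [SYSTEM] SKYNETqoliltar <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETqoliltar@imagepath \systemroot\system32\drivers\SKYNETmyxvdplv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETqoliltar\modules@SKYNETcmd.dll \systemroot\system32\SKYNETbdurirji.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
File C:\WINDOWS\system32\drivers\SKYNETmyxvdplv.sys 68608 bytes executable
File C:\WINDOWS\system32\SKYNETbdurirji.dll 44032 bytes executable
"""

CODE_RE = re.compile(r"^Code ([0-9A-F]{8}) (\S+)")
HOOK_RE = re.compile(r"^(?:\.text|PAGE|INIT)\s+(.+?)\s+([0-9A-F]{8})\s+\d+ Bytes JMP ([0-9A-F]{8})")
SSDT_RE = re.compile(r"^SSDT (\S+) (\S+) \[0x([0-9A-F]{8})\]")
HIDDEN_SVC_RE = re.compile(r"^Service (.+?) \(\*\*\* hidden \*\*\* \) \[(\w+)\] (\S+)")
REG_RE = re.compile(r"^Reg (\S+?)(?:@(\S+) (.*))?$")
FILE_RE = re.compile(r"^File (.+?) (\d+) bytes( executable)?$")

PAGE_MASK = ~0xFFF  # 4 KiB pages on x86


def parse_gmer(text):
    """Parse GMER log lines into grouped findings; unrecognised lines are skipped."""
    f = {"code_pages": set(), "hooks": [], "ssdt": [], "hidden_services": [],
         "registry": defaultdict(dict), "files": []}
    for line in text.splitlines():
        line = line.rstrip()
        if m := CODE_RE.match(line):          # code found outside any known module
            f["code_pages"].add(int(m.group(1), 16) & PAGE_MASK)
        elif m := HOOK_RE.match(line):        # inline JMP patch on a kernel function
            f["hooks"].append({"symbol": m.group(1), "target": int(m.group(3), 16)})
        elif m := SSDT_RE.match(line):
            f["ssdt"].append({"owner": m.group(1), "function": m.group(2)})
        elif m := HIDDEN_SVC_RE.match(line):
            f["hidden_services"].append({"image": m.group(1), "name": m.group(3)})
        elif m := REG_RE.match(line):
            key, name, value = m.groups()
            if name is None:
                f["registry"].setdefault(key, {})
            else:
                f["registry"][key][name] = value
        elif m := FILE_RE.match(line):
            f["files"].append({"path": m.group(1), "size": int(m.group(2)),
                               "executable": m.group(3) is not None})
    return f


def service_artifacts(f, service_name):
    """Module basenames referenced under the service's registry key, plus the
    File-section entries whose basename matches (lower-cased for comparison)."""
    marker = f"\\services\\{service_name}\\".lower()
    referenced = set()
    for key, values in f["registry"].items():
        if marker in (key + "\\").lower():
            for value in values.values():
                if value.lower().startswith("\\systemroot\\"):
                    referenced.add(value.rsplit("\\", 1)[-1].lower())
    on_disk = sorted(fl["path"] for fl in f["files"]
                     if fl["path"].rsplit("\\", 1)[-1].lower() in referenced)
    return sorted(referenced), on_disk


def triage(f):
    """Return (severity, message) pairs: HIGH = act on it, INFO = verify the owner."""
    alerts = []
    for svc in f["hidden_services"]:
        alerts.append(("HIGH", f"hidden service {svc['name']} loads {svc['image']}"))
        _, files = service_artifacts(f, svc["name"])
        for path in files:
            alerts.append(("HIGH", f"on-disk module of {svc['name']}: {path}"))
    for h in f["hooks"]:
        page = h["target"] & PAGE_MASK
        if page in f["code_pages"]:   # heuristic: JMP into a page GMER could not attribute
            alerts.append(("HIGH", f"{h['symbol']} patched to JMP into unknown code page {page:08X}"))
        else:
            alerts.append(("INFO", f"{h['symbol']} patched to JMP {h['target']:08X}; identify the owning driver"))
    for s in f["ssdt"]:
        alerts.append(("INFO", f"SSDT {s['function']} hooked by {s['owner']}"))
    return alerts


if __name__ == "__main__":
    for severity, msg in triage(parse_gmer(SAMPLE_LOG)):
        print(f"[{severity}] {msg}")
```

Run it as-is to see the constructed excerpt triaged, or feed `parse_gmer` the text of a saved GMER log; the registry cross-check is what ties the `@imagepath` and `modules@...` values to the `File` entries so that every on-disk component of a hidden service is listed together rather than scattered across sections.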


#2 Dr.Manhattan

Dr.Manhattan
  • Topic Starter

  • Members
  • 2 posts

Posted 07 July 2009 - 03:09 PM

Hey all, Dr M again.

So I followed some guides from other parts of this site. I guess my rootkit problem was relatively minor (apparently AVG found the main file when it first came onto the system, so it couldn't start spreading).

I used ComboFix to remove the rootkit, followed by FindAWF to search for redundant files (found NONE).

I scanned the system using ComboFix again - here is the log file (also in attachment):

ComboFix 09-07-07.06 - Jeremy Goodman 07/07/2009 15:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1487 [GMT -4:00]
Running from: c:\documents and settings\Jeremy Goodman\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-06-07 to 2009-07-07 )))))))))))))))))))))))))))))))
.

2009-07-07 05:02 . 2009-07-07 05:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-07 04:51 . 2009-07-07 04:51 -------- d-----w- c:\documents and settings\Jeremy Goodman\Application Data\Malwarebytes
2009-07-07 04:51 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-07 04:51 . 2009-07-07 04:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-07 04:51 . 2009-07-07 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-07 04:51 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-06 23:10 . 2008-05-31 03:09 731136 ----a-w- C:\avenger.exe
2009-07-06 03:51 . 2009-07-06 04:29 -------- d-----w- c:\program files\Lavasoft
2009-07-02 14:29 . 2009-06-28 16:22 327688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-07-02 14:29 . 2009-06-28 16:22 2052376 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-02 14:29 . 2009-06-28 16:22 3402008 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-02 14:29 . 2009-06-28 16:22 337176 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglogx.dll
2009-07-02 14:29 . 2009-06-28 16:22 2167576 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-07-02 14:29 . 2009-06-28 16:22 1204504 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll
2009-07-02 14:29 . 2009-06-28 16:22 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-07-02 14:29 . 2009-06-28 16:22 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-07-02 14:29 . 2009-06-28 16:20 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-07-02 14:29 . 2009-06-28 16:20 1454360 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-07 18:58 . 2007-12-08 02:35 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000005-00000000-00000000-00001102-00000004-20021102}.dat
2009-07-07 18:58 . 2007-12-08 02:35 384 ----a-w- c:\windows\system32\DVCState-{00000005-00000000-00000000-00001102-00000004-20021102}.dat
2009-07-06 04:29 . 2008-11-22 15:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-06 03:51 . 2008-05-10 22:57 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-02 14:29 . 2009-03-13 12:48 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-28 16:22 . 2009-03-13 12:48 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-28 16:22 . 2008-03-31 22:40 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-18 04:54 . 2007-12-23 17:19 -------- d-----w- c:\program files\SpeedFan
2009-06-14 15:56 . 2007-12-08 04:00 72784 ----a-w- c:\documents and settings\Jeremy Goodman\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-14 07:00 . 2008-05-22 04:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-18 19:19 . 2007-12-10 07:39 -------- d-----w- c:\documents and settings\Jeremy Goodman\Application Data\Bioshock
2009-05-18 17:58 . 2009-05-18 17:57 -------- d-----w- c:\documents and settings\Jeremy Goodman\Application Data\Crayon Physics Deluxe
2009-05-18 00:01 . 2007-12-08 05:05 -------- d-----w- c:\documents and settings\Jeremy Goodman\Application Data\uTorrent
2009-05-14 20:41 . 2008-03-11 03:14 -------- d-----w- c:\documents and settings\Jeremy Goodman\Application Data\Move Networks
2009-05-07 15:32 . 2001-08-23 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-02 12:59 . 2009-03-13 12:48 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-04-29 04:56 . 2001-08-23 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2001-08-23 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2007-12-08 03:14 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"AlcoholAutomount"="c:\documents and settings\Jeremy Goodman\My Documents\Alcohol 120\axcmd.exe" [2007-07-02 220544]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 45056]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"EM_EXEC"="c:\progra~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2004-01-08 37888]
"DeadAIM"="c:\program files\AIM\\DeadAIM.ocm" [2004-02-28 144896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-25 8527872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-25 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Acrobat Assistant 7.0"="e:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-02-06 177472]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-28 1948440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2003-10-06 24576]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-10-25 1626112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-3-22 25214]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-28 16:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"e:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"e:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"e:\\Electronic Arts\\Crytek\\Crysis SP demo\\Bin32\\Crysis.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"e:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqwded.exe"=
"e:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"=
"e:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"e:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"e:\\Valve\\steamapps\\corpsmantimmah@yahoo.com\\team fortress 2\\hl2.exe"=
"e:\\Valve\\steamapps\\corpsmantimmah@yahoo.com\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Xming\\Xming.exe"=
"e:\\MATLAB701\\bin\\win32\\MATLAB.exe"=
"e:\\Program Files\\eMule\\emule.exe"=
"e:\\Program Files\\Grim Fandango\\Grim Launcher.exe"=
"e:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"e:\\Valve\\steamapps\\corpsmantimmah@yahoo.com\\age of chivalry\\hl2.exe"=
"e:\\Valve\\steamapps\\corpsmantimmah@yahoo.com\\insurgency\\hl2.exe"=
"e:\\Valve\\steamapps\\corpsmantimmah@yahoo.com\\zombie panic! source\\hl2.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"e:\\Valve\\steamapps\\corpsmantimmah@yahoo.com\\day of defeat source\\hl2.exe"=
"e:\\Valve\\steamapps\\common\\bioshock demo\\Builds\\Release\\Bioshock.exe"=
"e:\\Valve\\steamapps\\common\\empire total war demo\\Empire.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"e:\\Valve\\steamapps\\common\\fallout 3\\FalloutLauncher.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"e:\\Program Files\\Autodesk\\3ds Max 2009\\3dsmax.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Valve\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"e:\\Valve\\Steam.exe"=
"e:\\Valve\\steamapps\\common\\crayon physics deluxe demo\\launcher.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/13/2009 8:48 AM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/13/2009 8:48 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/13/2009 8:48 AM 298776]
R2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;e:\program files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [3/10/2008 12:04 AM 65536]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [12/7/2007 10:27 PM 15840]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 mff;mff;c:\windows\system32\drivers\mff.sys --> c:\windows\system32\drivers\mff.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/7/2009 12:51 AM 38160]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 5:10 PM 32512]
.
Contents of the 'Scheduled Tasks' folder

2009-06-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - e:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - e:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: aol.com\free
FF - ProfilePath - c:\documents and settings\Jeremy Goodman\Application Data\Mozilla\Firefox\Profiles\jbj2mkfe.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Jeremy Goodman\Application Data\Mozilla\Firefox\Profiles\jbj2mkfe.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPinfotl.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-07 15:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1352)
c:\windows\system32\NavLogon.dll

- - - - - - - > 'explorer.exe'(2304)
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-07-07 15:06
ComboFix-quarantined-files.txt 2009-07-07 19:06

Pre-Run: 2,666,725,376 bytes free
Post-Run: 2,632,720,384 bytes free

202 --- E O F --- 2009-06-18 01:32

-------------------------------------------------------------------------------------------

I have also scanned the computer using GMER and HijackThis; the following are the log files from both (also in the attachments):

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-07 16:02:20
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwCreateKey [0xBA6BE0D0]
SSDT sptd.sys ZwEnumerateKey [0xBA6C3FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xBA6C4340]
SSDT sptd.sys ZwOpenKey [0xBA6BE0B0]
SSDT sptd.sys ZwQueryKey [0xBA6C4418]
SSDT sptd.sys ZwQueryValueKey [0xBA6C4298]
SSDT sptd.sys ZwSetValueKey [0xBA6C44AA]

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload B917C8AC 5 Bytes JMP 8A70C770
? System32\Drivers\alwrpis1.SYS The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Veoh Networks\Veoh\VeohClient.exe[680] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6BEAD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6BEC1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6BEB9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6BF748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6BF61E] sptd.sys
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6D429A] sptd.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A90A1E8

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBPDO-0 8A704790
Device \Driver\NetBT \Device\NetBT_Tcpip_{69D99775-5EE4-4380-B922-B85B65148192} 88968790
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A89B1E8
Device \Driver\dmio \Device\DmControl\DmConfig 8A89B1E8
Device \Driver\dmio \Device\DmControl\DmPnP 8A89B1E8
Device \Driver\dmio \Device\DmControl\DmInfo 8A89B1E8
Device \Driver\usbuhci \Device\USBPDO-1 8A704790
Device \Driver\usbuhci \Device\USBPDO-2 8A704790
Device \Driver\usbehci \Device\USBPDO-3 8A65B1E8
Device \Driver\usbuhci \Device\USBPDO-4 8A704790

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\NetBT \Device\NetBT_Tcpip_{D9E8705C-FDA0-4103-A010-65BA66CA66B7} 88968790
Device \Driver\usbuhci \Device\USBPDO-5 8A704790
Device \Driver\usbuhci \Device\USBPDO-6 8A704790
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A90C1E8
Device \Driver\usbehci \Device\USBPDO-7 8A65B1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A90C1E8
Device \Driver\Cdrom \Device\CdRom0 8A642790
Device \Driver\PCI_NTPNP4798 \Device\00000059 sptd.sys
Device \Driver\Ftdisk \Device\HarddiskVolume3 8A90C1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{ACDDD55B-0DB3-4362-994E-E7D59F1B6DE8} 88968790
Device \Driver\Cdrom \Device\CdRom1 8A642790
Device \Driver\NetBT \Device\NetBt_Wins_Export 88968790
Device \Driver\NetBT \Device\NetbiosSmb 88968790

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBFDO-0 8A704790
Device \Driver\usbuhci \Device\USBFDO-1 8A704790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A703508
Device \Driver\usbuhci \Device\USBFDO-2 8A704790
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A703508
Device \Driver\usbehci \Device\USBFDO-3 8A65B1E8
Device \Driver\usbuhci \Device\USBFDO-4 8A704790
Device \Driver\Ftdisk \Device\FtControl 8A90C1E8
Device \Driver\usbuhci \Device\USBFDO-5 8A704790
Device \Driver\NetBT \Device\NetBT_Tcpip_{2A4363CD-30C1-441F-AF62-0E9F8EF86B23} 88968790
Device \Driver\usbuhci \Device\USBFDO-6 8A704790
Device \Driver\usbehci \Device\USBFDO-7 8A65B1E8
Device \Driver\alwrpis1 \Device\Scsi\alwrpis11 8A515608
Device \Driver\alwrpis1 \Device\Scsi\alwrpis11Port6Path0Target0Lun0 8A515608
Device \FileSystem\Fastfat \Fat 88782790
Device \FileSystem\Fastfat \Fat B4391297

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 8893B790

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAE 0x23 0xCE 0xA4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Documents and Settings\Jeremy Goodman\My Documents\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xF4 0x3B 0xC4 0x36 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x80 0x9D 0xEA 0xD5 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAE 0x23 0xCE 0xA4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Documents and Settings\Jeremy Goodman\My Documents\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xF4 0x3B 0xC4 0x36 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x80 0x9D 0xEA 0xD5 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAE 0x23 0xCE 0xA4 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Documents and Settings\Jeremy Goodman\My Documents\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xF4 0x3B 0xC4 0x36 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x71 0x7E 0xC8 0xA5 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 08: copy of MBR


------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:17:13 PM, on 7/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\WINDOWS\System32\CTsvcCDA.exe
E:\MATLAB701\webserver\bin\win32\matlabserver.exe
E:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
E:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jeremy Goodman\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Documents and Settings\Jeremy Goodman\My Documents\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1197082014701
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1197084871936
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sslvpn.pitt.edu/dana-cached/setup/J...perSetupSP1.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - E:\MATLAB701\webserver\bin\win32\matlabserver.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit (mi-raysat_3dsMax2009_32) - Unknown owner - E:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Unknown owner - C:\Documents and Settings\Jeremy Goodman\My Documents\Alcohol 120\StarWind\StarWindServiceAE.exe (file missing)

--
End of file - 9973 bytes

-----------------------------------------

I've scanned with Spybot SD and nothing has shown up from the Win32.TDSS.RTK rootkit or associated trojans. I hope ComboFix cleared it all :D

Thank you for your help, BC!


Cheers!

Dr. M.


#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,817 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:09:16 AM

Posted 14 July 2009 - 08:58 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:16 AM

Posted 19 July 2009 - 12:03 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?



