Operating memory - Win32/Rootkit.Agent.ODG trojan - unable to clean


  • This topic is locked
15 replies to this topic

#1 Rob.S

Rob.S

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:07 PM

Posted 29 July 2009 - 12:58 PM

NOD32 is reporting "Operating memory - Win32/Rootkit.Agent.ODG trojan - unable to clean". I have tried several things to remove it, including mounting the drive on another PC and removing four suspicious files from system32. However after rebooting, Windows reports that unauthorised changes have been made and the system restarts with the same problem.

Thanks for reading.


DDS (Ver_09-06-26.01) - NTFSx86

Run by Becky at 18:48:16.73 on 29/07/2009
Internet Explorer: 7.0.6000.16890
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.2038.1147 [GMT 1:00]

AV: ESET Smart Security 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
SP: ESET Smart Security 4.0 *enabled* (Updated) {E5E70D32-0101-4B98-A4D6-D1D15C3BB448}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Toshiba TEMPRO\TemproTray.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Toshiba TEMPRO\TemproSvc.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Becky\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Toshiba TEMPRO] c:\program files\toshiba tempro\TemproTray.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\becky\appdata\roaming\mozilla\firefox\profiles\yqftw1sc.default\

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-5-14 731840]
R2 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);c:\program files\toshiba tempro\TemproSvc.exe [2009-4-21 116104]

=============== Created Last 30 ================

2009-07-29 14:37 <DIR> --d----- c:\windows\system32\Virus
2009-07-28 23:11 <DIR> --dsh--- C:\$RECYCLE.BIN
2009-07-27 23:12 219,648 a------- c:\windows\PEV.exe
2009-07-27 23:12 161,792 a------- c:\windows\SWREG.exe
2009-07-27 23:12 98,816 a------- c:\windows\sed.exe
2009-07-27 22:49 <DIR> --dsh--- c:\users\becky\appdata\roaming\lowsec
2009-07-25 14:34 <DIR> --d----- c:\programdata\12413154
2009-07-25 14:34 <DIR> --d----- c:\progra~2\12413154
2009-07-25 14:24 <DIR> --d----- c:\programdata\Rosetta Stone
2009-07-25 14:24 <DIR> --d----- c:\program files\Rosetta Stone
2009-07-25 14:24 <DIR> --d----- c:\progra~2\Rosetta Stone
2009-07-25 14:06 <DIR> --d----- c:\programdata\Windows Genuine Advantage
2009-07-25 13:49 <DIR> --d----- c:\users\becky\appdata\roaming\ESET
2009-07-25 13:47 <DIR> --d----- c:\programdata\ESET
2009-07-25 13:47 <DIR> --d----- c:\program files\ESET
2009-07-16 17:43 <DIR> --d----- c:\program files\iPod
2009-07-16 17:43 <DIR> --d----- c:\program files\iTunes
2009-07-16 17:28 289,792 a------- c:\windows\system32\atmfd.dll
2009-07-16 17:28 156,160 a------- c:\windows\system32\t2embed.dll
2009-07-16 17:28 72,704 a------- c:\windows\system32\fontsub.dll
2009-07-16 17:28 34,304 a------- c:\windows\system32\atmlib.dll
2009-07-16 17:28 24,064 a------- c:\windows\system32\lpk.dll
2009-07-16 17:28 10,240 a------- c:\windows\system32\dciman32.dll
2009-07-06 22:29 <DIR> --d----- c:\users\becky\appdata\roaming\ScummVM

==================== Find3M ====================

2009-07-25 13:48 51,200 a------- c:\windows\inf\infpub.dat
2009-07-25 13:48 86,016 a------- c:\windows\inf\infstrng.dat
2009-07-25 13:48 86,016 a------- c:\windows\inf\infstor.dat
2009-07-18 13:17 827,392 a------- c:\windows\system32\wininet.dll
2009-07-18 13:10 56,320 a------- c:\windows\system32\iesetup.dll
2009-07-18 13:10 78,336 a------- c:\windows\system32\ieencode.dll
2009-07-18 13:10 52,736 a------- c:\windows\apppatch\iebrshim.dll
2009-07-18 13:07 72,704 a------- c:\windows\system32\admparse.dll
2009-07-18 11:00 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-07-18 09:34 48,128 a------- c:\windows\system32\mshtmler.dll
2009-06-20 14:23 129,784 -------- c:\windows\system32\pxafs.dll
2009-06-20 14:23 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-06-20 14:23 116,472 -------- c:\windows\system32\pxcpyi64.exe
2009-06-20 14:23 43,528 -------- c:\windows\system32\drivers\PxHelp20.sys
2009-06-20 11:14 268,800 a------- c:\windows\system32\es.dll
2009-06-19 23:48 665,600 a------- c:\windows\inf\drvindex.dat
2009-06-19 23:46 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2009-06-19 23:46 160,768 a------- c:\windows\system32\PortableDeviceTypes.dll
2009-06-19 23:46 95,232 a------- c:\windows\system32\PortableDeviceClassExtension.dll
2009-06-19 23:46 1,244,672 a------- c:\windows\system32\mcmde.dll
2009-06-19 23:46 428,032 a------- c:\windows\system32\EncDec.dll
2009-06-19 23:46 292,352 a------- c:\windows\system32\psisdecd.dll
2009-06-19 23:44 194,560 a------- c:\windows\system32\WebClnt.dll
2009-06-19 23:44 110,080 a------- c:\windows\system32\drivers\mrxdav.sys
2009-06-19 23:44 2,028,032 a------- c:\windows\system32\win32k.sys
2009-06-19 23:44 376,320 a------- c:\windows\system32\winsrv.dll
2009-06-19 23:44 49,664 a------- c:\windows\system32\csrsrv.dll
2009-06-19 23:43 376,832 a------- c:\windows\system32\winhttp.dll
2009-06-19 23:42 297,472 a------- c:\windows\system32\gdi32.dll
2009-06-19 23:42 1,060,920 a------- c:\windows\system32\drivers\ntfs.sys
2009-06-19 23:42 41,984 a------- c:\windows\system32\drivers\monitor.sys
2009-06-19 23:42 211,456 a------- c:\windows\system32\drivers\mrxsmb10.sys
2009-06-19 23:42 374,456 a------- c:\windows\system32\mcupdate_GenuineIntel.dll
2009-06-19 23:41 500,736 a------- c:\windows\system32\msdtcprx.dll
2009-06-19 23:41 30,208 a------- c:\windows\system32\xolehlp.dll
2009-06-19 23:41 2,144,256 a------- c:\windows\apppatch\AcGenral.dll
2009-06-19 23:41 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-06-19 23:41 2,560 a------- c:\windows\apppatch\AcRes.dll
2009-06-19 23:41 4,247,552 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-06-19 23:41 537,600 a------- c:\windows\apppatch\AcLayers.dll
2009-06-19 23:41 449,536 a------- c:\windows\apppatch\AcSpecfc.dll
2009-06-19 23:41 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-06-19 23:41 1,687,040 a------- c:\windows\system32\gameux.dll
2009-06-19 23:40 303,616 a------- c:\windows\system32\wmpeffects.dll
2009-06-19 23:40 1,194,496 a------- c:\windows\system32\msxml3.dll
2009-06-19 23:40 2,048 a------- c:\windows\system32\msxml3r.dll
2009-06-19 23:40 414,208 a------- c:\windows\system32\msscp.dll
2009-06-19 23:39 356,864 a------- c:\windows\system32\MediaMetadataHandler.dll
2009-06-19 23:39 396,800 a------- c:\windows\system32\MPSSVC.dll
2009-06-19 23:39 392,192 a------- c:\windows\system32\FirewallAPI.dll
2009-06-19 23:39 86,016 a------- c:\windows\system32\icfupgd.dll
2009-06-19 23:39 63,488 a------- c:\windows\system32\drivers\mpsdrv.sys
2009-06-19 23:39 61,952 a------- c:\windows\system32\cmifw.dll
2009-06-19 23:39 16,896 a------- c:\windows\system32\wfapigp.dll
2009-06-19 23:39 178,688 a------- c:\windows\system32\iphlpsvc.dll
2009-06-19 23:39 23,040 a------- c:\windows\system32\drivers\tunnel.sys
2009-06-19 23:39 15,360 a------- c:\windows\system32\drivers\TUNMP.SYS
2009-06-19 23:39 2,048 a------- c:\windows\system32\tzres.dll
2009-06-19 23:30 174 a--sh--- c:\program files\desktop.ini
2009-06-19 23:20 8,147,968 a------- c:\windows\system32\wmploc.DLL
2009-06-19 23:20 7,680 a------- c:\windows\system32\spwmp.dll
2009-06-19 23:20 4,096 a------- c:\windows\system32\dxmasf.dll
2009-06-19 23:17 696,832 a------- c:\windows\system32\localspl.dll
2009-06-19 23:14 109,624 a------- c:\windows\system32\drivers\ataport.sys
2009-06-19 23:14 45,112 a------- c:\windows\system32\drivers\pciidex.sys
2009-06-19 23:14 21,560 a------- c:\windows\system32\drivers\atapi.sys
2009-06-19 23:14 17,464 a------- c:\windows\system32\drivers\intelide.sys
2009-06-19 23:14 211,000 a------- c:\windows\system32\drivers\volsnap.sys
2009-06-19 23:14 154,624 a------- c:\windows\system32\drivers\nwifi.sys
2009-06-19 23:13 104,448 a------- c:\windows\system32\DWWIN.EXE
2009-06-19 23:12 2,923,520 a------- c:\windows\explorer.exe
2009-06-19 23:09 224,768 a------- c:\windows\system32\drivers\usbport.sys
2009-06-19 23:09 192,000 a------- c:\windows\system32\drivers\usbhub.sys
2009-06-19 23:09 38,400 a------- c:\windows\system32\drivers\usbehci.sys
2009-06-19 23:09 23,040 a------- c:\windows\system32\drivers\usbuhci.sys
2009-06-19 23:09 8,704 a------- c:\windows\system32\hcrstco.dll
2009-06-19 23:09 8,704 a------- c:\windows\system32\hccoin.dll
2009-06-19 23:09 5,888 a------- c:\windows\system32\drivers\usbd.sys
2009-06-19 23:07 803,328 a------- c:\windows\system32\drivers\tcpip.sys
2009-06-19 23:07 216,632 a------- c:\windows\system32\drivers\netio.sys
2009-06-19 23:07 167,424 a------- c:\windows\system32\tcpipcfg.dll
2009-06-19 23:07 24,064 a------- c:\windows\system32\netcfg.exe
2009-06-19 23:07 22,016 a------- c:\windows\system32\netiougc.exe
2009-06-19 23:02 1,585,664 a------- c:\windows\system32\setupapi.dll
2009-06-19 22:58 3,503,584 a------- c:\windows\system32\ntkrnlpa.exe
2009-06-19 22:58 3,469,280 a------- c:\windows\system32\ntoskrnl.exe
2009-06-19 22:58 549,888 a------- c:\windows\system32\rpcss.dll
2009-06-19 22:58 24,576 a------- c:\windows\system32\printfilterpipelineprxy.dll
2009-06-19 22:58 654,336 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-06-19 22:58 501,760 a------- c:\windows\system32\wbem\WmiPrvSD.dll
2009-06-19 22:58 247,296 a------- c:\windows\system32\wbem\WmiPrvSE.exe
2009-06-19 22:58 130,560 a------- c:\windows\system32\wbem\WmiDcPrv.dll
2009-06-19 22:58 614,912 a------- c:\windows\system32\wbem\fastprox.dll
2009-06-19 22:58 158,720 a------- c:\windows\system32\sdohlp.dll
2009-06-19 22:58 97,280 a------- c:\windows\system32\iasrecst.dll
2009-06-19 22:58 53,248 a------- c:\windows\system32\iasads.dll
2009-06-19 22:58 37,888 a------- c:\windows\system32\iasdatastore.dll
2009-06-19 22:57 82,432 a------- c:\windows\system32\drivers\sdbus.sys
2009-06-19 22:57 13,312 a------- c:\windows\system32\drivers\sffdisk.sys
2009-06-19 22:57:52 A------- 12,800 c:\windows\system32\drivers\sffp_sd.sys

============= FINISH: 18:51:41.79 ===============


#2 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE

Posted 07 August 2009 - 03:37 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#3 Rob.S

Rob.S
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE

Posted 07 August 2009 - 04:19 AM

Hi, many thanks for your reply. Here is my latest DDS output:


DDS (Ver_09-07-30.01) - NTFSx86
Run by Becky at 10:15:43.50 on 07/08/2009
Internet Explorer: 7.0.6000.16890
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.2038.1215 [GMT 1:00]

AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
SP: ESET Smart Security 4.0 *disabled* (Updated) {E5E70D32-0101-4B98-A4D6-D1D15C3BB448}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Toshiba TEMPRO\TemproTray.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba TEMPRO\TemproSvc.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Becky\Downloads\dds(2).scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Toshiba TEMPRO] c:\program files\toshiba tempro\TemproTray.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\becky\appdata\roaming\mozilla\firefox\profiles\yqftw1sc.default\

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-5-14 731840]
R2 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);c:\program files\toshiba tempro\TemproSvc.exe [2009-4-21 116104]

=============== Created Last 30 ================

2009-08-04 19:51 <DIR> --dsh--- C:\$RECYCLE.BIN
2009-08-04 19:04 <DIR> --d----- c:\users\becky\DoctorWeb
2009-08-04 18:53 517 a------- c:\windows\wininit.ini
2009-07-29 19:16 <DIR> --d----- c:\users\becky\appdata\roaming\Malwarebytes
2009-07-29 19:16 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-29 19:16 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-29 19:16 <DIR> --d----- c:\programdata\Malwarebytes
2009-07-29 19:16 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-29 19:16 <DIR> --d----- c:\progra~2\Malwarebytes
2009-07-29 14:37 <DIR> --d----- c:\windows\system32\Virus
2009-07-27 23:12 219,648 a------- c:\windows\PEV.exe
2009-07-27 23:12 161,792 a------- c:\windows\SWREG.exe
2009-07-27 23:12 98,816 a------- c:\windows\sed.exe
2009-07-27 22:49 <DIR> --dsh--- c:\users\becky\appdata\roaming\lowsec
2009-07-25 14:34 <DIR> --d----- c:\programdata\12413154
2009-07-25 14:34 <DIR> --d----- c:\progra~2\12413154
2009-07-25 14:24 <DIR> --d----- c:\programdata\Rosetta Stone
2009-07-25 14:24 <DIR> --d----- c:\program files\Rosetta Stone
2009-07-25 14:24 <DIR> --d----- c:\progra~2\Rosetta Stone
2009-07-25 14:06 <DIR> --d----- c:\programdata\Windows Genuine Advantage
2009-07-25 13:49 <DIR> --d----- c:\users\becky\appdata\roaming\ESET
2009-07-25 13:47 <DIR> --d----- c:\programdata\ESET
2009-07-25 13:47 <DIR> --d----- c:\program files\ESET
2009-07-16 17:43 <DIR> --d----- c:\program files\iPod
2009-07-16 17:43 <DIR> --d----- c:\program files\iTunes
2009-07-16 17:28 289,792 a------- c:\windows\system32\atmfd.dll
2009-07-16 17:28 156,160 a------- c:\windows\system32\t2embed.dll
2009-07-16 17:28 72,704 a------- c:\windows\system32\fontsub.dll
2009-07-16 17:28 34,304 a------- c:\windows\system32\atmlib.dll
2009-07-16 17:28 24,064 a------- c:\windows\system32\lpk.dll
2009-07-16 17:28 10,240 a------- c:\windows\system32\dciman32.dll

==================== Find3M ====================

2009-07-25 13:48 51,200 a------- c:\windows\inf\infpub.dat
2009-07-25 13:48 86,016 a------- c:\windows\inf\infstrng.dat
2009-07-25 13:48 86,016 a------- c:\windows\inf\infstor.dat
2009-07-18 13:17 827,392 a------- c:\windows\system32\wininet.dll
2009-07-18 13:10 56,320 a------- c:\windows\system32\iesetup.dll
2009-07-18 13:10 78,336 a------- c:\windows\system32\ieencode.dll
2009-07-18 13:10 52,736 a------- c:\windows\apppatch\iebrshim.dll
2009-07-18 13:07 72,704 a------- c:\windows\system32\admparse.dll
2009-07-18 11:00 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-07-18 09:34 48,128 a------- c:\windows\system32\mshtmler.dll
2009-06-20 14:23 129,784 -------- c:\windows\system32\pxafs.dll
2009-06-20 14:23 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-06-20 14:23 116,472 -------- c:\windows\system32\pxcpyi64.exe
2009-06-20 14:23 43,528 -------- c:\windows\system32\drivers\PxHelp20.sys
2009-06-20 11:14 268,800 a------- c:\windows\system32\es.dll
2009-06-19 23:48 665,600 a------- c:\windows\inf\drvindex.dat
2009-06-19 23:46 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2009-06-19 23:46 160,768 a------- c:\windows\system32\PortableDeviceTypes.dll
2009-06-19 23:46 95,232 a------- c:\windows\system32\PortableDeviceClassExtension.dll
2009-06-19 23:46 1,244,672 a------- c:\windows\system32\mcmde.dll
2009-06-19 23:46 428,032 a------- c:\windows\system32\EncDec.dll
2009-06-19 23:46 292,352 a------- c:\windows\system32\psisdecd.dll
2009-06-19 23:44 194,560 a------- c:\windows\system32\WebClnt.dll
2009-06-19 23:44 110,080 a------- c:\windows\system32\drivers\mrxdav.sys
2009-06-19 23:44 2,028,032 a------- c:\windows\system32\win32k.sys
2009-06-19 23:44 376,320 a------- c:\windows\system32\winsrv.dll
2009-06-19 23:44 49,664 a------- c:\windows\system32\csrsrv.dll
2009-06-19 23:43 376,832 a------- c:\windows\system32\winhttp.dll
2009-06-19 23:42 297,472 a------- c:\windows\system32\gdi32.dll
2009-06-19 23:42 1,060,920 a------- c:\windows\system32\drivers\ntfs.sys
2009-06-19 23:42 41,984 a------- c:\windows\system32\drivers\monitor.sys
2009-06-19 23:42 211,456 a------- c:\windows\system32\drivers\mrxsmb10.sys
2009-06-19 23:42 374,456 a------- c:\windows\system32\mcupdate_GenuineIntel.dll
2009-06-19 23:41 500,736 a------- c:\windows\system32\msdtcprx.dll
2009-06-19 23:41 30,208 a------- c:\windows\system32\xolehlp.dll
2009-06-19 23:41 2,144,256 a------- c:\windows\apppatch\AcGenral.dll
2009-06-19 23:41 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-06-19 23:41 2,560 a------- c:\windows\apppatch\AcRes.dll
2009-06-19 23:41 4,247,552 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-06-19 23:41 537,600 a------- c:\windows\apppatch\AcLayers.dll
2009-06-19 23:41 449,536 a------- c:\windows\apppatch\AcSpecfc.dll
2009-06-19 23:41 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-06-19 23:41 1,687,040 a------- c:\windows\system32\gameux.dll
2009-06-19 23:40 303,616 a------- c:\windows\system32\wmpeffects.dll
2009-06-19 23:40 1,194,496 a------- c:\windows\system32\msxml3.dll
2009-06-19 23:40 2,048 a------- c:\windows\system32\msxml3r.dll
2009-06-19 23:40 414,208 a------- c:\windows\system32\msscp.dll
2009-06-19 23:39 356,864 a------- c:\windows\system32\MediaMetadataHandler.dll
2009-06-19 23:39 396,800 a------- c:\windows\system32\MPSSVC.dll
2009-06-19 23:39 392,192 a------- c:\windows\system32\FirewallAPI.dll
2009-06-19 23:39 86,016 a------- c:\windows\system32\icfupgd.dll
2009-06-19 23:39 63,488 a------- c:\windows\system32\drivers\mpsdrv.sys
2009-06-19 23:39 61,952 a------- c:\windows\system32\cmifw.dll
2009-06-19 23:39 16,896 a------- c:\windows\system32\wfapigp.dll
2009-06-19 23:39 178,688 a------- c:\windows\system32\iphlpsvc.dll
2009-06-19 23:39 23,040 a------- c:\windows\system32\drivers\tunnel.sys
2009-06-19 23:39 15,360 a------- c:\windows\system32\drivers\TUNMP.SYS
2009-06-19 23:39 2,048 a------- c:\windows\system32\tzres.dll
2009-06-19 23:30 174 a--sh--- c:\program files\desktop.ini
2009-06-19 23:20 8,147,968 a------- c:\windows\system32\wmploc.DLL
2009-06-19 23:20 7,680 a------- c:\windows\system32\spwmp.dll
2009-06-19 23:20 4,096 a------- c:\windows\system32\dxmasf.dll
2009-06-19 23:17 696,832 a------- c:\windows\system32\localspl.dll
2009-06-19 23:14 109,624 a------- c:\windows\system32\drivers\ataport.sys
2009-06-19 23:14 45,112 a------- c:\windows\system32\drivers\pciidex.sys
2009-06-19 23:14 21,560 a------- c:\windows\system32\drivers\atapi.sys
2009-06-19 23:14 17,464 a------- c:\windows\system32\drivers\intelide.sys
2009-06-19 23:14 211,000 a------- c:\windows\system32\drivers\volsnap.sys
2009-06-19 23:14 154,624 a------- c:\windows\system32\drivers\nwifi.sys
2009-06-19 23:13 104,448 a------- c:\windows\system32\DWWIN.EXE
2009-06-19 23:12 2,923,520 a------- c:\windows\explorer.exe
2009-06-19 23:09 224,768 a------- c:\windows\system32\drivers\usbport.sys
2009-06-19 23:09 192,000 a------- c:\windows\system32\drivers\usbhub.sys
2009-06-19 23:09 38,400 a------- c:\windows\system32\drivers\usbehci.sys
2009-06-19 23:09 23,040 a------- c:\windows\system32\drivers\usbuhci.sys
2009-06-19 23:09 8,704 a------- c:\windows\system32\hcrstco.dll
2009-06-19 23:09 8,704 a------- c:\windows\system32\hccoin.dll
2009-06-19 23:09 5,888 a------- c:\windows\system32\drivers\usbd.sys
2009-06-19 23:07 803,328 a------- c:\windows\system32\drivers\tcpip.sys
2009-06-19 23:07 216,632 a------- c:\windows\system32\drivers\netio.sys
2009-06-19 23:07 167,424 a------- c:\windows\system32\tcpipcfg.dll
2009-06-19 23:07 24,064 a------- c:\windows\system32\netcfg.exe
2009-06-19 23:07 22,016 a------- c:\windows\system32\netiougc.exe
2009-06-19 23:02 1,585,664 a------- c:\windows\system32\setupapi.dll
2009-06-19 22:58 3,503,584 a------- c:\windows\system32\ntkrnlpa.exe
2009-06-19 22:58 3,469,280 a------- c:\windows\system32\ntoskrnl.exe
2009-06-19 22:58 549,888 a------- c:\windows\system32\rpcss.dll
2009-06-19 22:58 24,576 a------- c:\windows\system32\printfilterpipelineprxy.dll
2009-06-19 22:58 654,336 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-06-19 22:58 501,760 a------- c:\windows\system32\wbem\WmiPrvSD.dll
2009-06-19 22:58 247,296 a------- c:\windows\system32\wbem\WmiPrvSE.exe
2009-06-19 22:58 130,560 a------- c:\windows\system32\wbem\WmiDcPrv.dll
2009-06-19 22:58 614,912 a------- c:\windows\system32\wbem\fastprox.dll
2009-06-19 22:58 158,720 a------- c:\windows\system32\sdohlp.dll
2009-06-19 22:58 97,280 a------- c:\windows\system32\iasrecst.dll
2009-06-19 22:58 53,248 a------- c:\windows\system32\iasads.dll
2009-06-19 22:58 37,888 a------- c:\windows\system32\iasdatastore.dll
2009-06-19 22:57 82,432 a------- c:\windows\system32\drivers\sdbus.sys
2009-06-19 22:57 13,312 a------- c:\windows\system32\drivers\sffdisk.sys
2009-06-19 22:57:52 A------- 12,800 c:\windows\system32\drivers\sffp_sd.sys

============= FINISH: 10:17:12.29 ===============



#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:11:07 PM

Posted 07 August 2009 - 07:07 PM

Hello Rob.S, welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.




In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.



I see that you have used several different tools to try and clean up your machine which is understandable but please do not run any of them while we are trying to do the cleanup. Often one program may cause troubles with another one. It also appears you have installed ComboFix at some time. Is it still on your system?


Please perform the following:





Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.




  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries








Please do not post any logs as an attachment unless asked to do so.


Post the log from GMER and let me know about the ComboFix question in your next reply.


Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 Rob.S

Rob.S
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:07 PM

Posted 10 August 2009 - 06:41 AM

Hi thewall, thanks for your help with this.

I did run Combofix as it was recommended as a fix for this on another forum. I have a full backup so I have been trying a lot of things over the past couple of weeks in desperation.

As you instructed I tried running GMER (three times) but got a BSOD each time so I could not produce a log - however before performing a full scan it did tell me the details of a hidden service which had a very similar filename to the other virus files (C:\Windows\System32\drivers\vsfocetdgbwpeu.sys).

I tried disabling the service in GMER, setting the other virus files to delete and rebooting. After this NOD32 quarantined the sys file with the message "probably a variant of Win32/Agent trojan".

To summarise the following have now been removed:

C:\Windows\System32\drivers\vsfocetdgbwpeu.sys
C:\Windows\System32\vsfocebcsqcmas.dll
C:\Windows\System32\vsfoceilfkpimk.dat
C:\Windows\System32\vsfocepoetkocw.dat
C:\Windows\System32\vsfoceskbijumr.dll

After this I was able to run GMER and produce the following log:

GMER 1.0.15.15020 [30vhh2w5.exe] - http://www.gmer.net
Rootkit scan 2009-08-10 12:22:34
Windows 6.0.6000



---- System - GMER 1.0.15 ----

SSDT 85FEC630 ZwAssignProcessToJobObject
SSDT 85FEBA60 ZwOpenProcess
SSDT 85FEBE80 ZwOpenThread
SSDT 85FEC460 ZwSuspendProcess
SSDT 85FEC280 ZwSuspendThread
SSDT 85FEBC90 ZwTerminateProcess
SSDT 85FEC0B0 ZwTerminateThread

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\tdx \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\tdx \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\tdx \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)

---- Threads - GMER 1.0.15 ----

Thread System [4:280] 85FEA790

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\vsfoceuoqowgob@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\vsfoceuoqowgob@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\vsfoceuoqowgob@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\vsfoceuoqowgob@imagepath \systemroot\system32\drivers\vsfocetdgbwpeu.sys
Reg HKLM\SYSTEM\ControlSet001\Services\vsfoceuoqowgob\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\vsfoceuoqowgob\main@aid 10099
Reg HKLM\SYSTEM\ControlSet001\Services\vsfoceuoqowgob\main@sid 1
Reg HKLM\SYSTEM\ControlSet001\Services\vsfoceuoqowgob\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\vsfoceuoqowgob\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\vsfoceuoqowgob\main\injector@* vsfocewsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\vsfoceuoqowgob\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\vsfoceuoqowgob\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\vsfoceuoqowgob\modules@vsfocerk.sys \systemroot\system32\drivers\vsfocetdgbwpeu.sys
Reg HKLM\SYSTEM\ControlSet001\Services\vsfoceuoqowgob\modules@vsfocecmd.dll \systemroot\system32\vsfoceskbijumr.dll
Reg HKLM\SYSTEM\ControlSet001\Services\vsfoceuoqowgob\modules@vsfocelog.dat \systemroot\system32\vsfocepoetkocw.dat
Reg HKLM\SYSTEM\ControlSet001\Services\vsfoceuoqowgob\modules@vsfocewsp.dll \systemroot\system32\vsfocebcsqcmas.dll
Reg HKLM\SYSTEM\ControlSet006\Services\vsfoceuoqowgob@start 1
Reg HKLM\SYSTEM\ControlSet006\Services\vsfoceuoqowgob@type 1
Reg HKLM\SYSTEM\ControlSet006\Services\vsfoceuoqowgob@group file system
Reg HKLM\SYSTEM\ControlSet006\Services\vsfoceuoqowgob@imagepath \systemroot\system32\drivers\vsfocetdgbwpeu.sys
Reg HKLM\SYSTEM\ControlSet006\Services\vsfoceuoqowgob\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\vsfoceuoqowgob\main@aid 10099
Reg HKLM\SYSTEM\ControlSet006\Services\vsfoceuoqowgob\main@sid 1
Reg HKLM\SYSTEM\ControlSet006\Services\vsfoceuoqowgob\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet006\Services\vsfoceuoqowgob\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\vsfoceuoqowgob\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\vsfoceuoqowgob\main\injector@* vsfocewsp.dll
Reg HKLM\SYSTEM\ControlSet006\Services\vsfoceuoqowgob\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\vsfoceuoqowgob\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\vsfoceuoqowgob\modules@vsfocerk.sys \systemroot\system32\drivers\vsfocetdgbwpeu.sys
Reg HKLM\SYSTEM\ControlSet006\Services\vsfoceuoqowgob\modules@vsfocecmd.dll \systemroot\system32\vsfoceskbijumr.dll
Reg HKLM\SYSTEM\ControlSet006\Services\vsfoceuoqowgob\modules@vsfocelog.dat \systemroot\system32\vsfocepoetkocw.dat
Reg HKLM\SYSTEM\ControlSet006\Services\vsfoceuoqowgob\modules@vsfocewsp.dll \systemroot\system32\vsfocebcsqcmas.dll
Reg HKLM\SYSTEM\ControlSet006\Services\vsfoceuoqowgob\modules@vsfoce.dat \systemroot\system32\vsfoceilfkpimk.dat

---- EOF - GMER 1.0.15 ----
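
As an added illustration (not code from the thread, GMER or any tool named here), the following Python parses the Reg lines of the GMER log above, collects every file the hidden service's registry configuration references, and reconciles that set against the five files Rob.S reported removing; it assumes \systemroot resolves to C:\Windows, as the DDS header shows, and uses a constructed excerpt of the posted log as input.

```python
import re
from collections import defaultdict

# Constructed input: an excerpt of the Registry section of the GMER log posted
# above, copied verbatim so the parser sees the real line format.
SAMPLE_GMER_LOG = r"""GMER 1.0.15.15020 [30vhh2w5.exe] - http://www.gmer.net

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\vsfoceuoqowgob@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\vsfoceuoqowgob@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\vsfoceuoqowgob@imagepath \systemroot\system32\drivers\vsfocetdgbwpeu.sys
Reg HKLM\SYSTEM\ControlSet001\Services\vsfoceuoqowgob\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\vsfoceuoqowgob\main\injector@* vsfocewsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\vsfoceuoqowgob\modules@vsfocerk.sys \systemroot\system32\drivers\vsfocetdgbwpeu.sys
Reg HKLM\SYSTEM\ControlSet001\Services\vsfoceuoqowgob\modules@vsfocecmd.dll \systemroot\system32\vsfoceskbijumr.dll
Reg HKLM\SYSTEM\ControlSet001\Services\vsfoceuoqowgob\modules@vsfocelog.dat \systemroot\system32\vsfocepoetkocw.dat
Reg HKLM\SYSTEM\ControlSet001\Services\vsfoceuoqowgob\modules@vsfocewsp.dll \systemroot\system32\vsfocebcsqcmas.dll
Reg HKLM\SYSTEM\ControlSet006\Services\vsfoceuoqowgob@imagepath \systemroot\system32\drivers\vsfocetdgbwpeu.sys
Reg HKLM\SYSTEM\ControlSet006\Services\vsfoceuoqowgob\modules@vsfoce.dat \systemroot\system32\vsfoceilfkpimk.dat

---- EOF - GMER 1.0.15 ----
"""

# Reg HKLM\SYSTEM\<ControlSetNNN>\Services\<service>[\<subkey>]@<value> <data>
REG_VALUE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(ControlSet\d+)\\Services\\([^\\@\s]+)"
    r"(?:\\([^@\s]+))?@(\S+)\s*(.*)$"
)


def parse_services(text):
    r"""services[control_set][service][subkey][value_name] = data, with subkey
    "" for values on the service key itself. Key-only lines such as
    '...\main (not active ControlSet)' carry no data and are skipped."""
    services = defaultdict(lambda: defaultdict(lambda: defaultdict(dict)))
    for line in text.splitlines():
        m = REG_VALUE.match(line.strip())
        if m:
            cs, svc, subkey, name, data = m.groups()
            services[cs][svc][subkey or ""][name.lower()] = data.strip()
    return services


def normalize_path(path, system_root=r"C:\Windows"):
    r"""Map the NT-style \systemroot prefix GMER prints to the Win32 path
    (assumed C:\Windows, as the DDS header shows) and lower-case it."""
    path = path.strip().lower()
    if path.startswith(r"\systemroot"):
        path = system_root.lower() + path[len(r"\systemroot"):]
    return path


def referenced_files(services):
    """Every on-disk component the hidden service's config points at: the
    driver ImagePath plus each path stored under its 'modules' subkey."""
    files = set()
    for svcs in services.values():
        for keys in svcs.values():
            if "imagepath" in keys.get("", {}):
                files.add(normalize_path(keys[""]["imagepath"]))
            files.update(normalize_path(p) for p in keys.get("modules", {}).values())
    return files


def reconcile(services, removed):
    """Return (unaccounted, stale): files the registry still references that
    are not in `removed`, and every (ControlSet, service) pair still defining
    the service. A key whose driver is gone cannot load, but the leftover
    definition is still an artefact worth cleaning up."""
    gone = {normalize_path(p) for p in removed}
    unaccounted = sorted(referenced_files(services) - gone)
    stale = sorted((cs, svc) for cs, svcs in services.items() for svc in svcs)
    return unaccounted, stale


# The five files Rob.S reported removing, from the post above.
REMOVED = [
    r"C:\Windows\System32\drivers\vsfocetdgbwpeu.sys",
    r"C:\Windows\System32\vsfocebcsqcmas.dll",
    r"C:\Windows\System32\vsfoceilfkpimk.dat",
    r"C:\Windows\System32\vsfocepoetkocw.dat",
    r"C:\Windows\System32\vsfoceskbijumr.dll",
]

if __name__ == "__main__":
    unaccounted, stale = reconcile(parse_services(SAMPLE_GMER_LOG), REMOVED)
    print("still referenced, not removed:", unaccounted or "none")
    print("service keys still defined:", stale)
```

For this log every referenced file is accounted for by the removal list, while the service definition still exists in both ControlSet001 and ControlSet006, which is exactly the leftover a follow-up cleanup should target.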

#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:11:07 PM

Posted 10 August 2009 - 04:14 PM

Please delete any version of ComboFix.exe you have on your Desktop. After that please download a new copy from the link below and run it.



Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
  • Double click on ComboFix.exe & follow the prompts.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#7 Rob.S

Rob.S
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:07 PM

Posted 11 August 2009 - 07:43 AM

I have attached my combofix log below.

Many thanks.

#8 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:11:07 PM

Posted 11 August 2009 - 06:33 PM

CF sure has been run a lot. That was the 7th time. I wish I knew what all it had deleted in the earlier runs, but that's a lot of logs to have you dig out. Overall, since you took off those last files and driver, how is your system running?

#9 Rob.S

Rob.S
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:07 PM

Posted 12 August 2009 - 02:39 AM

When I first ran it a few weeks ago, it deleted about four files but after that it didn't seem to see the 5 problem files deleted above. I downloaded it a few times again over a period as I was hoping it might be updated and see the problem.

Things seem to be good now, there are no noticeable problems and the plethora of new av tools I have acquired report no nasties! :thumbup2:

Thanks very much for your help!

#10 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:11:07 PM

Posted 12 August 2009 - 08:02 PM

That sounds good. Let me go back over the logs one last time and then I'll have some last things we need to do before we finish up. It will probably be tomorrow before I can get them up.

#11 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:06:07 PM

Posted 15 August 2009 - 08:37 AM

My apologies Rob.S. :thumbup2: I thought I had already reposted to your thread and I realized I had not done so.

If you are still there let's run DDS one more time and let me take a look before we finish up.

#12 Rob.S

Rob.S
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:07 PM

Posted 19 August 2009 - 08:21 AM

Hi, thanks for getting back to me. Here are the DDS results as requested:



DDS (Ver_09-07-30.01) - NTFSx86
Run by Becky at 14:09:02.69 on 19/08/2009
Internet Explorer: 7.0.6000.16890
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.2038.887 [GMT 1:00]

AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
SP: ESET Smart Security 4.0 *disabled* (Updated) {E5E70D32-0101-4B98-A4D6-D1D15C3BB448}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba TEMPRO\TemproSvc.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Toshiba TEMPRO\TemproTray.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Becky\Downloads\dds(3).scr
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Becky\Downloads\dds(3).scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Toshiba TEMPRO] c:\program files\toshiba tempro\TemproTray.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\becky\appdata\roaming\mozilla\firefox\profiles\yqftw1sc.default\

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-5-14 731840]
R2 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);c:\program files\toshiba tempro\TemproSvc.exe [2009-4-21 116104]

=============== Created Last 30 ================

2009-08-11 13:33 <DIR> --dsh--- C:\$RECYCLE.BIN
2009-08-11 13:26 216,064 a------- c:\windows\PEV.exe
2009-08-11 13:26 161,792 a------- c:\windows\SWREG.exe
2009-08-11 13:26 98,816 a------- c:\windows\sed.exe
2009-08-10 11:40 190,360,009 a------- c:\windows\MEMORY.DMP
2009-08-04 19:04 <DIR> --d----- c:\users\becky\DoctorWeb
2009-08-04 18:53 817 a------- c:\windows\wininit.ini
2009-07-29 19:16 <DIR> --d----- c:\users\becky\appdata\roaming\Malwarebytes
2009-07-29 19:16 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-29 19:16 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-29 19:16 <DIR> --d----- c:\programdata\Malwarebytes
2009-07-29 19:16 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-29 19:16 <DIR> --d----- c:\progra~2\Malwarebytes
2009-07-27 22:49 <DIR> --dsh--- c:\users\becky\appdata\roaming\lowsec
2009-07-25 14:34 <DIR> --d----- c:\programdata\12413154
2009-07-25 14:34 <DIR> --d----- c:\progra~2\12413154
2009-07-25 14:24 <DIR> --d----- c:\programdata\Rosetta Stone
2009-07-25 14:24 <DIR> --d----- c:\program files\Rosetta Stone
2009-07-25 14:24 <DIR> --d----- c:\progra~2\Rosetta Stone
2009-07-25 14:06 <DIR> --d----- c:\programdata\Windows Genuine Advantage
2009-07-25 13:49 <DIR> --d----- c:\users\becky\appdata\roaming\ESET
2009-07-25 13:47 <DIR> --d----- c:\programdata\ESET
2009-07-25 13:47 <DIR> --d----- c:\program files\ESET

==================== Find3M ====================

2009-07-25 13:48 51,200 a------- c:\windows\inf\infpub.dat
2009-07-25 13:48 86,016 a------- c:\windows\inf\infstrng.dat
2009-07-25 13:48 86,016 a------- c:\windows\inf\infstor.dat
2009-07-18 13:17 827,392 a------- c:\windows\system32\wininet.dll
2009-07-18 13:10 56,320 a------- c:\windows\system32\iesetup.dll
2009-07-18 13:10 78,336 a------- c:\windows\system32\ieencode.dll
2009-07-18 13:10 52,736 a------- c:\windows\apppatch\iebrshim.dll
2009-07-18 13:07 72,704 a------- c:\windows\system32\admparse.dll
2009-07-18 11:00 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-07-18 09:34 48,128 a------- c:\windows\system32\mshtmler.dll
2009-06-20 14:23 129,784 -------- c:\windows\system32\pxafs.dll
2009-06-20 14:23 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-06-20 14:23 116,472 -------- c:\windows\system32\pxcpyi64.exe
2009-06-20 14:23 43,528 -------- c:\windows\system32\drivers\PxHelp20.sys
2009-06-20 11:14 268,800 a------- c:\windows\system32\es.dll
2009-06-19 23:48 665,600 a------- c:\windows\inf\drvindex.dat
2009-06-19 23:46 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2009-06-19 23:46 160,768 a------- c:\windows\system32\PortableDeviceTypes.dll
2009-06-19 23:46 95,232 a------- c:\windows\system32\PortableDeviceClassExtension.dll
2009-06-19 23:46 1,244,672 a------- c:\windows\system32\mcmde.dll
2009-06-19 23:46 428,032 a------- c:\windows\system32\EncDec.dll
2009-06-19 23:46 292,352 a------- c:\windows\system32\psisdecd.dll
2009-06-19 23:45 205,824 a------- c:\windows\system32\msoeacct.dll
2009-06-19 23:45 87,040 a------- c:\windows\system32\msoert2.dll
2009-06-19 23:45 39,424 a------- c:\windows\system32\ACCTRES.dll
2009-06-19 23:45 704,000 a------- c:\windows\system32\PhotoScreensaver.scr
2009-06-19 23:45 356,352 a------- c:\windows\system32\wbem\wbemcomn.dll
2009-06-19 23:45 24,064 a------- c:\windows\system32\wtsapi32.dll
2009-06-19 23:45 542,720 a------- c:\windows\system32\sysmain.dll
2009-06-19 23:45 502,784 a------- c:\windows\system32\wlansvc.dll
2009-06-19 23:45 297,984 a------- c:\windows\system32\wlansec.dll
2009-06-19 23:45 290,816 a------- c:\windows\system32\wlanmsm.dll
2009-06-19 23:45 67,584 a------- c:\windows\system32\wlanhlp.dll
2009-06-19 23:45 47,104 a------- c:\windows\system32\wlanapi.dll
2009-06-19 23:44 194,560 a------- c:\windows\system32\WebClnt.dll
2009-06-19 23:44 2,028,032 a------- c:\windows\system32\win32k.sys
2009-06-19 23:44 376,320 a------- c:\windows\system32\winsrv.dll
2009-06-19 23:44 49,664 a------- c:\windows\system32\csrsrv.dll
2009-06-19 23:43 376,832 a------- c:\windows\system32\winhttp.dll
2009-06-19 23:42 297,472 a------- c:\windows\system32\gdi32.dll
2009-06-19 23:42 374,456 a------- c:\windows\system32\mcupdate_GenuineIntel.dll
2009-06-19 23:41 500,736 a------- c:\windows\system32\msdtcprx.dll
2009-06-19 23:41 30,208 a------- c:\windows\system32\xolehlp.dll
2009-06-19 23:41 2,144,256 a------- c:\windows\apppatch\AcGenral.dll
2009-06-19 23:41 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-06-19 23:41 2,560 a------- c:\windows\apppatch\AcRes.dll
2009-06-19 23:41 4,247,552 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-06-19 23:41 537,600 a------- c:\windows\apppatch\AcLayers.dll
2009-06-19 23:41 449,536 a------- c:\windows\apppatch\AcSpecfc.dll
2009-06-19 23:41 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-06-19 23:41 1,687,040 a------- c:\windows\system32\gameux.dll
2009-06-19 23:40 303,616 a------- c:\windows\system32\wmpeffects.dll
2009-06-19 23:40 1,194,496 a------- c:\windows\system32\msxml3.dll
2009-06-19 23:40 2,048 a------- c:\windows\system32\msxml3r.dll
2009-06-19 23:40 414,208 a------- c:\windows\system32\msscp.dll
2009-06-19 23:39 356,864 a------- c:\windows\system32\MediaMetadataHandler.dll
2009-06-19 23:39 396,800 a------- c:\windows\system32\MPSSVC.dll
2009-06-19 23:39 392,192 a------- c:\windows\system32\FirewallAPI.dll
2009-06-19 23:39 86,016 a------- c:\windows\system32\icfupgd.dll
2009-06-19 23:39 61,952 a------- c:\windows\system32\cmifw.dll
2009-06-19 23:39 16,896 a------- c:\windows\system32\wfapigp.dll
2009-06-19 23:39 178,688 a------- c:\windows\system32\iphlpsvc.dll
2009-06-19 23:39 2,048 a------- c:\windows\system32\tzres.dll
2009-06-19 23:30 174 a--sh--- c:\program files\desktop.ini
2009-06-19 23:20 8,147,968 a------- c:\windows\system32\wmploc.DLL
2009-06-19 23:20 7,680 a------- c:\windows\system32\spwmp.dll
2009-06-19 23:20 4,096 a------- c:\windows\system32\dxmasf.dll
2009-06-19 23:17 696,832 a------- c:\windows\system32\localspl.dll
2009-06-19 23:13 104,448 a------- c:\windows\system32\DWWIN.EXE
2009-06-19 23:12 2,923,520 a------- c:\windows\explorer.exe
2009-06-19 23:09 8,704 a------- c:\windows\system32\hcrstco.dll
2009-06-19 23:09 8,704 a------- c:\windows\system32\hccoin.dll
2009-06-19 23:07 167,424 a------- c:\windows\system32\tcpipcfg.dll
2009-06-19 23:07 24,064 a------- c:\windows\system32\netcfg.exe
2009-06-19 23:07 22,016 a------- c:\windows\system32\netiougc.exe
2009-06-19 23:02 1,585,664 a------- c:\windows\system32\setupapi.dll
2009-06-19 22:58 3,503,584 a------- c:\windows\system32\ntkrnlpa.exe
2009-06-19 22:58 3,469,280 a------- c:\windows\system32\ntoskrnl.exe
2009-06-19 22:58 549,888 a------- c:\windows\system32\rpcss.dll
2009-06-19 22:58 24,576 a------- c:\windows\system32\printfilterpipelineprxy.dll
2009-06-19 22:58 654,336 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-06-19 22:58 501,760 a------- c:\windows\system32\wbem\WmiPrvSD.dll
2009-06-19 22:58 247,296 a------- c:\windows\system32\wbem\WmiPrvSE.exe
2009-06-19 22:58 130,560 a------- c:\windows\system32\wbem\WmiDcPrv.dll
2009-06-19 22:58 614,912 a------- c:\windows\system32\wbem\fastprox.dll
2009-06-19 22:58 158,720 a------- c:\windows\system32\sdohlp.dll
2009-06-19 22:58 97,280 a------- c:\windows\system32\iasrecst.dll
2009-06-19 22:58 53,248 a------- c:\windows\system32\iasads.dll
2009-06-19 22:58 37,888 a------- c:\windows\system32\iasdatastore.dll
2009-06-19 22:55 223,232 a------- c:\windows\system32\WMASF.DLL
2009-06-19 22:55 9,728 a------- c:\windows\system32\LAPRXY.DLL
2009-06-19 22:55 2,048 a------- c:\windows\system32\asferror.dll
2009-06-19 22:54 1,233,408 a------- c:\windows\system32\lsasrv.dll
2009-06-19 22:54 72,704 a------- c:\windows\system32\secur32.dll
2009-06-19 22:54 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-06-19 22:54 25,600 a------- c:\windows\system32\amxread.dll
2009-06-19 22:54 14,848 a------- c:\windows\system32\apilogen.dll
2009-06-19 22:54 7,680 a------- c:\windows\system32\lsass.exe
2009-06-19 22:53 268,288 a------- c:\windows\system32\mcbuilder.exe
2009-06-19 22:53:48 A------- 223,232 c:\windows\system32\SLC.dll

============= FINISH: 14:09:42.18 ===============

#13 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:11:07 PM

Posted 19 August 2009 - 12:41 PM

The log looks good and from everything I see you are now clean. :thumbup2:

Let's remove our tools and I have a few last suggestions for you:


We will now uninstall ComboFix:

Go to Start > Run - type in ComboFix /u (case insensitive) >>OK


You can also delete GMER from your Desktop if it is still there.


Don't forget to reenable your antivirus.


Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below; however, you should follow any steps that you have not already implemented.
  • Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector. I suggest that you run it at least once a month.
  • Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
    If you don't know what ActiveX controls are, see here
    You can download SpywareBlaster from here
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install a-squared Free & update and scan with it regularly
    a-squared free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here
    Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer which provides some real time protection against premium rate dialers
  • Finally, this is very important. It is absolutely essential to keep all of your security programs up to date



If you have any other questions or issues feel free to ask as I will be checking back on this topic.



Other than that if there is nothing else I can do for you then I wish you good luck in the future and thank you for using our forum. :)


thewall

#14 Rob.S

Rob.S
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:07 PM

Posted 19 August 2009 - 01:02 PM

Thanks again for your help and time, really appreciate it. I've made a small donation that should be with you now :thumbup2:

#15 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:11:07 PM

Posted 19 August 2009 - 01:05 PM

Yes, I received it and thank you very much. :thumbup2:



